From 6f6d3b73828a8d4f6739c398186067b109575e7a Mon Sep 17 00:00:00 2001 From: Daniel Berteaud Date: Wed, 9 Feb 2022 17:00:06 +0100 Subject: [PATCH] Update to 2022-02-09 17:00 --- roles/nginx/tasks/conf.yml | 4 +- roles/nginx/tasks/facts.yml | 16 ++--- .../ansible_conf.d/09-cacheable.conf.j2 | 3 +- roles/system_proxy/defaults/main.yml | 11 ++++ roles/system_proxy/tasks/Debian.yml | 17 +++++ roles/system_proxy/tasks/RedHat.yml | 20 ++++++ roles/system_proxy/tasks/main.yml | 66 +++---------------- roles/system_proxy/templates/proxy.sh.j2 | 10 ++- roles/system_proxy/templates/systemd.conf.j2 | 2 +- 9 files changed, 75 insertions(+), 74 deletions(-) create mode 100644 roles/system_proxy/tasks/Debian.yml create mode 100644 roles/system_proxy/tasks/RedHat.yml diff --git a/roles/nginx/tasks/conf.yml b/roles/nginx/tasks/conf.yml index 6c6e8fd..66bf137 100644 --- a/roles/nginx/tasks/conf.yml +++ b/roles/nginx/tasks/conf.yml @@ -20,7 +20,7 @@ - ansible_conf.d/10-ssl.conf - ansible_conf.d/30-vhosts.conf notify: reload nginx - tags: [web,conf] + tags: web,conf,quickweb - name: Remove naxsi configuration file: path=/etc/nginx/{{ item }} state=absent @@ -37,7 +37,7 @@ - ansible_conf.d/10-filter.conf - ansible_conf.d/headers.inc notify: reload nginx - tags: [web,conf] + tags: web,conf # TODO make it configurable - name: Create dummy white and blacklist files for nginx diff --git a/roles/nginx/tasks/facts.yml b/roles/nginx/tasks/facts.yml index be1e11d..ca365c5 100644 --- a/roles/nginx/tasks/facts.yml +++ b/roles/nginx/tasks/facts.yml 
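Review bot: In the second conf.yml hunk the 10-filter.conf / headers.inc task is rewritten as `tags: web,conf`, while the first hunk and every task in the facts.yml hunk gain `quickweb`; if `quickweb` is meant to re-run the nginx conf templating as a unit, this task looks like the only one left out, so it is worth confirming the omission is deliberate. Ansible does accept a comma-separated string for tags, but the YAML list form the removed lines used, `tags: [web, conf, quickweb]`, is the documented one and is what most tooling expects.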
@@ -1,32 +1,32 @@ --- - name: List http ports set_fact: nginx_ports={{ nginx_ports + (nginx_vhosts | selectattr('port','defined') | map(attribute='port') | list) | flatten | unique }} - tags: [firewall,web] + tags: firewall,web,quickweb - name: List https ports set_fact: nginx_ssl_ports={{ nginx_ssl_ports + (nginx_vhosts | selectattr('ssl','defined') | selectattr('ssl.port','defined') | map(attribute='ssl.port') | list) | flatten | unique }} - tags: [firewall,web] + tags: firewall,web,quickweb - set_fact: nginx_cert_path={{ '/var/lib/dehydrated/certificates/certs/' + nginx_letsencrypt_cert + '/fullchain.pem' }} when: nginx_letsencrypt_cert is defined - tags: [web,conf] + tags: web,conf,quickweb - set_fact: nginx_key_path={{ '/var/lib/dehydrated/certificates/certs/' + nginx_letsencrypt_cert + '/privkey.pem' }} when: nginx_letsencrypt_cert is defined - tags: [web,conf] + tags: web,conf,quickweb - name: Merge vhosts settings with defaults set_fact: nginx_vhosts_conf={{ nginx_vhosts_conf | default([]) + [ nginx_default_vhost | combine(item, recursive=True) ] }} with_items: "{{ nginx_vhosts }}" - tags: [web,conf] + tags: web,conf,quickweb - set_fact: nginx_vhosts={{ nginx_vhosts_conf | default([]) }} - tags: [web,conf] + tags: web,conf,quickweb - name: Check if Lemonldap::NG is installed stat: path=/etc/lemonldap-ng/lemonldap-ng.ini register: nginx_llng - tags: web + tags: web,quickweb - name: Check if llng_header.inc conf is installed stat: path=/etc/nginx/ansible_conf.d/llng_headers.inc register: nginx_llng_headers - tags: web + tags: web,quickweb diff --git a/roles/nginx/templates/ansible_conf.d/09-cacheable.conf.j2 b/roles/nginx/templates/ansible_conf.d/09-cacheable.conf.j2 index 6e31474..26e8267 100644 --- a/roles/nginx/templates/ansible_conf.d/09-cacheable.conf.j2 +++ b/roles/nginx/templates/ansible_conf.d/09-cacheable.conf.j2 
@@ -10,6 +10,7 @@ map $sent_http_content_type $is_client_cacheable { application/font-sfnt 1; font/ttf 1; font/opentype 1; + font/woff 1; font/woff2 1; application/font-woff 1; application/vnd.ms-fontobject 1; @@ -21,6 +22,6 @@ map $request_uri $is_proxy_cacheable { ~*\.(png|jpe?g|bmp|gif|webp)$ 1; ~*\.(js|css|txt)$ 1; ~*\.(pdf)$ 1; - ~*\.(ttf|ott|woff2)$ 1; + ~*\.(ttf|ott|woff?2)$ 1; ~*\.(mp3|mp4|avi|mpe?g|mov|flv)$ 1; } diff --git a/roles/system_proxy/defaults/main.yml b/roles/system_proxy/defaults/main.yml index b3a9f5d..22f6bac 100644 --- a/roles/system_proxy/defaults/main.yml +++ b/roles/system_proxy/defaults/main.yml @@ -1,10 +1,21 @@ --- +# System proxy to use. If undefined or set to an empty string +# proxy will be disabled # system_proxy: http://proxyout.example.org:3128 + +# List of hosts for which no proxy should be used system_proxy_base_no_proxy: - 127.0.0.1 - localhost - "{{ inventory_hostname | regex_replace('^([^.]+)\\..*','\\1') }}" - "{{ inventory_hostname }}" +# Can be used to add no_proxy hosts without overriding the default ones system_proxy_extra_no_proxy: [] system_proxy_no_proxy: "{{ system_proxy_base_no_proxy + system_proxy_extra_no_proxy }}" + +# List of protocols for which env variables will be set (if a proxy is configured) +system_proxy_proto: + - http + - https + - ftp diff --git a/roles/system_proxy/tasks/Debian.yml b/roles/system_proxy/tasks/Debian.yml new file mode 100644 index 0000000..15f0ff2 --- /dev/null +++ b/roles/system_proxy/tasks/Debian.yml @@ -0,0 +1,17 @@ +--- + +- name: Config proxy for apt + copy: + content: | + Acquire::http::Proxy "{{ system_proxy }}"; + Acquire::https::Proxy "{{ system_proxy }}"; + dest: /etc/apt/apt.conf.d/10proxy + when: + - system_proxy is defined + - system_proxy != '' + tags: proxy + +- name: Remove proxy from apt config + file: path=/etc/apt/apt.conf.d/10proxy state=absent + when: system_proxy is not defined or system_proxy == '' + tags: proxy 
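Review bot: The new pattern `~*\.(ttf|ott|woff?2)$` does not match `.woff`: the `?` only makes the second `f` optional, so the alternation matches `woff2` and `wof2` but not `woff`, which the first hunk (adding `font/woff` to the content-type map) indicates is the intent. The line should read `~*\.(ttf|ott|woff2?)$ 1;`. The neighbouring `ott` looks like it was meant to be `otf` (OpenType); that is pre-existing context, but worth fixing in the same pass if so.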
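Review bot: The new comment on `system_proxy` should say that the value is rendered verbatim into system-wide files (`/etc/apt/apt.conf.d/10proxy`, `/etc/yum.conf`, the proxy.sh script and the systemd `DefaultEnvironment` snippet) that are typically readable by every local user, so a URL with embedded credentials would expose them; something like `# Rendered verbatim into world-readable system config: do not embed credentials in the URL` above the commented-out example. The `system_proxy_proto` comment could also note that each entry is used as-is to build the `<proto>_proxy` / `<PROTO>_PROXY` variable names, so entries must be plain lowercase protocol names.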
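Review bot: `copy` in the "Config proxy for apt" task sets no `mode`, so the permissions of `/etc/apt/apt.conf.d/10proxy` follow the remote umask and can differ between hosts; add `mode: "0644"` to make the result deterministic. The `system_proxy is defined and system_proxy != ''` test is now repeated in both Debian.yml tasks and, as a ternary, in both RedHat.yml tasks and in main.yml; defining it once, e.g. `system_proxy_enabled: "{{ system_proxy is defined and system_proxy != '' }}"` in defaults and testing `when: system_proxy_enabled | bool`, would keep the per-distro files from drifting.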
diff --git a/roles/system_proxy/tasks/RedHat.yml b/roles/system_proxy/tasks/RedHat.yml new file mode 100644 index 0000000..4faa2d7 --- /dev/null +++ b/roles/system_proxy/tasks/RedHat.yml @@ -0,0 +1,20 @@ +--- + +- name: Configure proxy for yum + ini_file: + path: /etc/yum.conf + section: main + option: proxy + value: "{{ (system_proxy is defined and system_proxy != '') | ternary(system_proxy,'') }}" + state: "{{ (system_proxy is defined and system_proxy != '') | ternary('present','absent') }}" + tags: proxy + +- name: Configure proxy for dnf + ini_file: + path: /etc/dnf/yum.conf + section: main + option: proxy + value: "{{ (system_proxy is defined and system_proxy != '') | ternary(system_proxy,'') }}" + state: "{{ (system_proxy is defined and system_proxy != '') | ternary('present','absent') }}" + when: ansible_distribution_major_version is version('8', '>=') + tags: proxy diff --git a/roles/system_proxy/tasks/main.yml b/roles/system_proxy/tasks/main.yml index 5bef8be..51816d1 100644 --- a/roles/system_proxy/tasks/main.yml +++ b/roles/system_proxy/tasks/main.yml @@ -10,13 +10,7 @@ regexp: "^{{ item }}=.*" line: "{{ item }}={{ (system_proxy is defined and system_proxy != '') | ternary(system_proxy,'') }}" state: "{{ (system_proxy is defined and system_proxy != '') | ternary('present','absent') }}" - with_items: - - http_proxy - - HTTP_PROXY - - https_proxy - - HTTPS_PROXY - - ftp_proxy - - FTP_PROXY + with_items: "{{ system_proxy_proto | map('regex_replace', '^(.*)$', '\\1_proxy') | list }} + {{ system_proxy_proto | map('regex_replace', '^(.*)$', '\\1_proxy') | map('upper') | list }}" tags: proxy - name: Set proxy exceptions 
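Review bot: The new `with_items` value is two separate Jinja expressions joined by a literal ` + `, so the template renders to the text `[...] + [...]` and only becomes a list because Ansible re-evaluates the rendered string afterwards; that is fragile and is unlikely to convert under `jinja2_native`. Put the concatenation inside one expression: `with_items: "{{ (system_proxy_proto | map('regex_replace', '^(.*)$', '\\1_proxy') | list) + (system_proxy_proto | map('regex_replace', '^(.*)$', '\\1_proxy') | map('upper') | list) }}"`. The task this belongs to starts before the hunk, so its name and module are not visible here.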
@@ -30,55 +24,15 @@ - NO_PROXY tags: proxy -- name: Creates systemd.conf.d dir - file: path=/etc/systemd/system.conf.d state=directory - when: ansible_service_mgr == 'systemd' +- when: ansible_service_mgr == 'systemd' + block: + - name: Creates systemd.conf.d dir + file: path=/etc/systemd/system.conf.d state=directory + + - name: Deploy a systemd snippet for default proxy + template: src=systemd.conf.j2 dest=/etc/systemd/system.conf.d/proxy.conf + notify: reload systemd tags: proxy -- name: Deploy a systemd snippet for default proxy - template: src=systemd.conf.j2 dest=/etc/systemd/system.conf.d/proxy.conf - notify: reload systemd - when: ansible_service_mgr == 'systemd' - tags: proxy - -- name: Configure proxy for yum - ini_file: - path: /etc/yum.conf - section: main - option: proxy - value: "{{ (system_proxy is defined and system_proxy != '') | ternary(system_proxy,'') }}" - state: "{{ (system_proxy is defined and system_proxy != '') | ternary('present','absent') }}" - when: ansible_os_family == 'RedHat' - tags: proxy - -- name: Configure proxy for dnf - ini_file: - path: /etc/dnf/yum.conf - section: main - option: proxy - value: "{{ (system_proxy is defined and system_proxy != '') | ternary(system_proxy,'') }}" - state: "{{ (system_proxy is defined and system_proxy != '') | ternary('present','absent') }}" - when: - - ansible_os_family == 'RedHat' - - ansible_distribution_major_version is version('8', '>=') - tags: proxy - -- name: Config proxy for apt - copy: - content: | - Acquire::http::Proxy "{{ system_proxy }}"; - Acquire::https::Proxy "{{ system_proxy }}"; - dest: /etc/apt/apt.conf.d/10proxy - when: - - ansible_os_family == 'Debian' - - system_proxy is defined - - system_proxy != '' - tags: proxy - -- name: Remove proxy from apt config - file: path=/etc/apt/apt.conf.d/10proxy state=absent - when: - - ansible_os_family == 'Debian' - - system_proxy is not defined or system_proxy == '' - tags: proxy +- include: "{{ ansible_os_family }}.yml" 
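Review bot: `- include: "{{ ansible_os_family }}.yml"` carries no `tags`, and since the filename is templated from a fact the include is resolved dynamically, so a run limited with `--tags proxy` will most likely skip the include and with it every apt/yum task that previously ran under that tag; the include needs `tags: proxy` (or `always`) itself. It also errors on any host whose `ansible_os_family` is neither Debian nor RedHat, where the removed `when: ansible_os_family == ...` conditions simply skipped the tasks, and the bare `include` keyword is deprecated. Suggested replacement: `- include_tasks: "{{ ansible_os_family }}.yml"` / `  when: ansible_os_family in ['Debian', 'RedHat']` / `  tags: proxy`. The `tags: proxy` on the new systemd block is fine, as it applies to the two tasks inside it.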
diff --git a/roles/system_proxy/templates/proxy.sh.j2 b/roles/system_proxy/templates/proxy.sh.j2 index 31a0829..d5205c4 100644 --- a/roles/system_proxy/templates/proxy.sh.j2 +++ b/roles/system_proxy/templates/proxy.sh.j2 @@ -1,12 +1,10 @@ #!/bin/bash {% if system_proxy is defined and system_proxy != '' %} -export http_proxy={{ system_proxy }} -export https_proxy={{ system_proxy }} -export ftp_proxy={{ system_proxy }} -export HTTP_PROXY={{ system_proxy }} -export HTTPS_PROXY={{ system_proxy }} -export FTP_PROXY={{ system_proxy }} +{% for proto in system_proxy_proto %} +export {{ proto }}_proxy={{ system_proxy }} +export {{ proto | upper }}_PROXY={{ system_proxy }} +{% endfor %} export no_proxy='{{ system_proxy_no_proxy | join(',') }}' export NO_PROXY='{{ system_proxy_no_proxy | join(',') }}' {% endif %} diff --git a/roles/system_proxy/templates/systemd.conf.j2 b/roles/system_proxy/templates/systemd.conf.j2 index bada512..b275185 100644 --- a/roles/system_proxy/templates/systemd.conf.j2 +++ b/roles/system_proxy/templates/systemd.conf.j2 @@ -1,6 +1,6 @@ [Manager] {% if system_proxy is defined and system_proxy != '' %} -DefaultEnvironment=http_proxy={{ system_proxy }} https_proxy={{ system_proxy }} ftp_proxy={{ system_proxy }} HTTP_PROXY={{ system_proxy }} HTTPS_PROXY={{ system_proxy }} FTP_PROXY={{ system_proxy }} no_proxy={{ system_proxy_no_proxy | join(',') }} NO_PROXY={{ system_proxy_no_proxy | join(',') }} +DefaultEnvironment={% for proto in system_proxy_proto %}{{ proto }}_proxy={{ system_proxy }} {{ proto | upper }}_PROXY={{ system_proxy }} {% endfor %}no_proxy={{ system_proxy_no_proxy | join(',') }} NO_PROXY={{ system_proxy_no_proxy | join(',') }} {% else %} # No proxy configured {% endif %}
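Review bot: The rewritten `export {{ proto }}_proxy={{ system_proxy }}` lines still interpolate the proxy URL unquoted into shell, while the `no_proxy` lines two rows below are single-quoted; a URL containing shell metacharacters or a space (for instance in its userinfo part) would be word-split or interpreted when the script is sourced. Quote them the same way: `export {{ proto }}_proxy='{{ system_proxy }}'` and `export {{ proto | upper }}_PROXY='{{ system_proxy }}'`. The systemd.conf.j2 hunk has the same exposure, since `DefaultEnvironment=` assignments are whitespace-separated; systemd accepts quoted assignments, so each pair can be emitted as `"{{ proto }}_proxy={{ system_proxy }}"`.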