anubis: move to top level role, add some more items

This copies the excellect copr/anubis role to a more generic top level
one. It allows for using a different env per ipa_host_group (but we
could also just add more cases in there) or a default one if that isn't
found.

It moves the defaults and policies to template so we can include a
static key from ansible-private if we like.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>

playbooks/groups/proxies.yml

@@ -94,7 +94,7 @@
   roles:
   - httpd/mod_ssl
   - httpd/proxy
-  - {role: copr/anubis,
+  - {role: anubis,
      when: env == "staging"}
   - varnish
   #

roles/anubis/files/httpd/00-backend-listen.conf

@@ -0,0 +1,23 @@
+# This is how the Anubis should be configured:
+#
+#            ┌───────────────────────────┐
+# Client ──> │ Apache on port 443 (SSL)  │
+#            └───────────┬───────────────┘
+#                        │
+#                        ▼
+#                  ┌───────────────┐
+#                  │  Anubis on    │
+#                  │  port 8987    │
+#                  │  (Filter)     │
+#                  └─────┬─────────┘
+#                        │ <- Is in endpoint-allowlist.yaml?
+#        ┌───────────────┴─────────────────────┐
+#        │ <- ALLOW if endpoint is in          │  <- FILTER
+#        │    endpoint-allowlist.yaml          │
+#        |                                     |
+#        |        ┌──────────────────┐         |
+#        |        │ Apache on port   │         |
+#        └──────> │ 8345 (App)       │ <───────┘
+#                 └──────────────────┘
+
+Listen 127.0.0.1:8345

roles/anubis/handlers/main.yml

@@ -0,0 +1,10 @@
+---
+- name: Restart anubis
+  ansible.builtin.service:
+    name: anubis@default.service
+    state: restarted
+
+- name: Reload httpd
+  ansible.builtin.service:
+    name: httpd
+    state: reloaded

roles/anubis/tasks/main.yml

@@ -0,0 +1,56 @@
+---
+- name: Install Anubis Bot Blocker
+  ansible.builtin.dnf:
+    name: anubis
+    state: present
+  tags:
+    - anubis
+
+- name: Install httpd config for backend listener
+  ansible.builtin.copy:
+    src: "httpd/{{ item }}"
+    dest: "/etc/httpd/conf.d/{{ item }}"
+    mode: '0644'
+  with_items:
+    - 00-backend-listen.conf
+  tags:
+    - anubis
+
+- name: Allow Apache to make network connections for proxy
+  ansible.posix.seboolean:
+    name: httpd_can_network_connect
+    state: true
+    persistent: true
+  tags:
+    - anubis
+
+- name: Ensure Anubis service is enabled and started
+  anible.builtin.service:
+    name: anubis@default.service
+    enabled: true
+    state: started
+  tags:
+    - anubis
+
+- name: Install Anubis configuration and rules
+  ansible.builtin.template:
+    src: "{{ item }}"
+    dest: "/etc/anubis/{{ item | basename }}"
+    mode: '0600'
+    owner: anubis
+  with_first_found:
+    - files:
+        - "default.env.j2.{{ ipa_host_group }}"
+        - "default.env.j2"
+      paths:
+        - "templates/"
+    - files:
+        - "policies.yaml.j2.{{ ipa_host_group }}"
+        - "policies.yaml.j2"
+      paths:
+        - "templates/"
+  notify:
+    - Restart anubis
+    - Reload httpd
+  tags:
+    - anubis

roles/anubis/templates/default.env.j2

@@ -0,0 +1,11 @@
+# most of the configuration is done in the policy file
+# https://anubis.techaro.lol/docs/admin/installation
+
+# Anubis listens to this IP:PORT
+BIND="127.0.0.1:8987"
+
+# IP:PORT of the desired web app
+TARGET="http://127.0.0.1:8345"
+
+# Custom policies will live here once they are ready (package needs to be fixed)
+# POLICY_FNAME=/etc/anubis/policies.yaml

roles/anubis/templates/default.env.j2.proxies

@@ -0,0 +1,20 @@
+# most of the configuration is done in the policy file
+# https://anubis.techaro.lol/docs/admin/installation
+
+# Anubis listens to this IP:PORT
+BIND="127.0.0.1:8987"
+
+# IP:PORT of the desired web app
+TARGET="http://127.0.0.1:8345"
+
+# We set a static key here for proxies because we want
+# all of them to use the same key so users aren't forced
+# to a new challenge when they just get a different proxy from the pool.
+{% if env == "staging" %}
+ED25519_PRIVATE_KEY_HEX={{ anubis_proxy_ed25519_key_stg }}
+{% else %}
+ED25519_PRIVATE_KEY_HEX={{ anubis_proxy_ed25519_key }}
+{% endif %}
+
+# Custom policies will live here once they are ready (package needs to be fixed)
+# POLICY_FNAME=/etc/anubis/policies.yaml

roles/anubis/templates/policies.yaml.j2

@@ -0,0 +1,10 @@
+---
+# if any custom bot policies are needed, they can be added here
+bots:
+  # these are solid defaults from
+  # https://github.com/TecharoHQ/anubis/blob/main/data/botPolicies.yaml
+  - import: (data)/botPolicies.yaml
+
+
+# Custom allowlist of API endpoint specified by each copr instance will live here
+# - import: /etc/anubis/endpoint-allowlist.yaml