From e7c16d7fe0c69cb1aaf7ea0d76482bcf7e320c52 Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Thu, 18 Sep 2025 11:30:21 -0700
Subject: [PATCH] anubis: move to top level role, add some more items

This copies the excellect copr/anubis role to a more generic top level one. It allows for using a different env per ipa_host_group (but we could also just add more cases in there) or a default one if that isn't found. It moves the defaults and policies to template so we can include a static key from ansible-private if we like.

Signed-off-by: Kevin Fenzi
---
 playbooks/groups/proxies.yml | 2 +-
 .../anubis/files/httpd/00-backend-listen.conf | 23 ++++++++
 roles/anubis/handlers/main.yml | 10 ++++
 roles/anubis/tasks/main.yml | 56 +++++++++++++++++++
 roles/anubis/templates/default.env.j2 | 11 ++++
 roles/anubis/templates/default.env.j2.proxies | 20 +++++++
 roles/anubis/templates/policies.yaml.j2 | 10 ++++
 7 files changed, 131 insertions(+), 1 deletion(-)
 create mode 100644 roles/anubis/files/httpd/00-backend-listen.conf
 create mode 100644 roles/anubis/handlers/main.yml
 create mode 100644 roles/anubis/tasks/main.yml
 create mode 100644 roles/anubis/templates/default.env.j2
 create mode 100644 roles/anubis/templates/default.env.j2.proxies
 create mode 100644 roles/anubis/templates/policies.yaml.j2
diff --git a/playbooks/groups/proxies.yml b/playbooks/groups/proxies.yml
index c4eca90851..14f41666c8 100644
--- a/playbooks/groups/proxies.yml
+++ b/playbooks/groups/proxies.yml
@@ -94,7 +94,7 @@
 roles:
 - httpd/mod_ssl
 - httpd/proxy
- - {role: copr/anubis,
+ - {role: anubis,
 when: env == "staging"}
 - varnish
 #
diff --git a/roles/anubis/files/httpd/00-backend-listen.conf b/roles/anubis/files/httpd/00-backend-listen.conf
new file mode 100644
index 0000000000..a387bd003d
--- /dev/null
+++ b/roles/anubis/files/httpd/00-backend-listen.conf
@@ -0,0 +1,23 @@
+# This is how the Anubis should be configured:
+#
+# ┌───────────────────────────┐
+# Client ──> │ Apache on port 443 (SSL) │
+# └───────────┬───────────────┘
+# │
+# ▼
+# ┌───────────────┐
+# │ Anubis on │
+# │ port 8987 │
+# │ (Filter) │
+# └─────┬─────────┘
+# │ <- Is in endpoint-allowlist.yaml?
+# ┌───────────────┴─────────────────────┐
+# │ <- ALLOW if endpoint is in │ <- FILTER
+# │ endpoint-allowlist.yaml │
+# | |
+# | ┌──────────────────┐ |
+# | │ Apache on port │ |
+# └──────> │ 8345 (App) │ <───────┘
+# └──────────────────┘
+
+Listen 127.0.0.1:8345
diff --git a/roles/anubis/handlers/main.yml b/roles/anubis/handlers/main.yml
new file mode 100644
index 0000000000..b6e0b2e918
--- /dev/null
+++ b/roles/anubis/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+- name: Restart anubis
+ ansible.builtin.service:
+ name: anubis@default.service
+ state: restarted
+
+- name: Reload httpd
+ ansible.builtin.service:
+ name: httpd
+ state: reloaded
diff --git a/roles/anubis/tasks/main.yml b/roles/anubis/tasks/main.yml
new file mode 100644
index 0000000000..707b7dfb02
--- /dev/null
+++ b/roles/anubis/tasks/main.yml
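Review bot: The diagram's `<- Is in endpoint-allowlist.yaml?` step describes a file this role never installs — `policies.yaml.j2` keeps the `endpoint-allowlist.yaml` import commented out and both env templates leave `POLICY_FNAME` unset — so a reader of this config will go looking for an allowlist that does not exist on the host. Since the role is no longer copr-specific, the header comment could state just what the role's files configure, e.g. `# Apache on 443 proxies to Anubis (BIND 127.0.0.1:8987), which forwards passing requests to this loopback-only backend listener (TARGET 127.0.0.1:8345); see the commented allowlist import in /etc/anubis/policies.yaml.`. Binding `Listen 127.0.0.1:8345` to loopback only is the right shape here, as it keeps the backend reachable only through Anubis on the same host.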
@@ -0,0 +1,56 @@
+---
+- name: Install Anubis Bot Blocker
+ ansible.builtin.dnf:
+ name: anubis
+ state: present
+ tags:
+ - anubis
+
+- name: Install httpd config for backend listener
+ ansible.builtin.copy:
+ src: "httpd/{{ item }}"
+ dest: "/etc/httpd/conf.d/{{ item }}"
+ mode: '0644'
+ with_items:
+ - 00-backend-listen.conf
+ tags:
+ - anubis
+
+- name: Allow Apache to make network connections for proxy
+ ansible.posix.seboolean:
+ name: httpd_can_network_connect
+ state: true
+ persistent: true
+ tags:
+ - anubis
+
+- name: Ensure Anubis service is enabled and started
+ anible.builtin.service:
+ name: anubis@default.service
+ enabled: true
+ state: started
+ tags:
+ - anubis
+
+- name: Install Anubis configuration and rules
+ ansible.builtin.template:
+ src: "{{ item }}"
+ dest: "/etc/anubis/{{ item | basename }}"
+ mode: '0600'
+ owner: anubis
+ with_first_found:
+ - files:
+ - "default.env.j2.{{ ipa_host_group }}"
+ - "default.env.j2"
+ paths:
+ - "templates/"
+ - files:
+ - "policies.yaml.j2.{{ ipa_host_group }}"
+ - "policies.yaml.j2"
+ paths:
+ - "templates/"
+ notify:
+ - Restart anubis
+ - Reload httpd
+ tags:
+ - anubis
diff --git a/roles/anubis/templates/default.env.j2 b/roles/anubis/templates/default.env.j2
new file mode 100644
index 0000000000..a3b16ffc30
--- /dev/null
+++ b/roles/anubis/templates/default.env.j2
@@ -0,0 +1,11 @@
+# most of the configuration is done in the policy file
+# https://anubis.techaro.lol/docs/admin/installation
+
+# Anubis listens to this IP:PORT
+BIND="127.0.0.1:8987"
+
+# IP:PORT of the desired web app
+TARGET="http://127.0.0.1:8345"
+
+# Custom policies will live here once they are ready (package needs to be fixed)
+# POLICY_FNAME=/etc/anubis/policies.yaml
diff --git a/roles/anubis/templates/default.env.j2.proxies b/roles/anubis/templates/default.env.j2.proxies
new file mode 100644
index 0000000000..b56df69b12
--- /dev/null
+++ b/roles/anubis/templates/default.env.j2.proxies
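Review bot: `anible.builtin.service:` in the "Ensure Anubis service is enabled and started" task is a misspelled module name, so the play fails to resolve the action before it ever enables the unit; it should read `ansible.builtin.service:`. In the template task, `dest: "/etc/anubis/{{ item | basename }}"` keeps the template's full name, so `with_first_found` writes `/etc/anubis/default.env.j2.proxies` (or `default.env.j2`) and `/etc/anubis/policies.yaml.j2` rather than `default.env` and `policies.yaml`; presumably `anubis@default.service` reads `/etc/anubis/default.env`, so the suffix needs stripping, e.g. `dest: "/etc/anubis/{{ item | basename | regex_replace('\.j2.*$', '') }}"`. The copy of `00-backend-listen.conf` changes httpd's listeners but carries no `notify: Reload httpd`, so an edit to that file is not applied until something else reloads httpd, whereas the template task notifies `Reload httpd` without touching httpd config at all — the two notify lists look swapped.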
@@ -0,0 +1,20 @@
+# most of the configuration is done in the policy file
+# https://anubis.techaro.lol/docs/admin/installation
+
+# Anubis listens to this IP:PORT
+BIND="127.0.0.1:8987"
+
+# IP:PORT of the desired web app
+TARGET="http://127.0.0.1:8345"
+
+# We set a static key here for proxies because we want
+# all of them to use the same key so users aren't forced
+# to a new challenge when they just get a different proxy from the pool.
+{% if env == "staging" %}
+ED25519_PRIVATE_KEY_HEX={{ anubis_proxy_ed25519_key_stg }}
+{% else %}
+ED25519_PRIVATE_KEY_HEX={{ anubis_proxy_ed25519_key }}
+{% endif %}
+
+# Custom policies will live here once they are ready (package needs to be fixed)
+# POLICY_FNAME=/etc/anubis/policies.yaml
diff --git a/roles/anubis/templates/policies.yaml.j2 b/roles/anubis/templates/policies.yaml.j2
new file mode 100644
index 0000000000..d6382acaf7
--- /dev/null
+++ b/roles/anubis/templates/policies.yaml.j2
@@ -0,0 +1,10 @@
+---
+# if any custom bot policies are needed, they can be added here
+bots:
+ # these are solid defaults from
+ # https://github.com/TecharoHQ/anubis/blob/main/data/botPolicies.yaml
+ - import: (data)/botPolicies.yaml
+
+
+# Custom allowlist of API endpoint specified by each copr instance will live here
+# - import: /etc/anubis/endpoint-allowlist.yaml
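Review bot: The rendered `ED25519_PRIVATE_KEY_HEX` value is a long-lived signing secret shared by every proxy, and the template task in roles/anubis/tasks/main.yml that installs this file sets neither `no_log: true` nor `diff: false`, so a `--diff` run or a changed-file report will echo the rendered file, key included, into the console and callback logs; adding `diff: false` to that task keeps the 0600, anubis-owned file as the only place the key lands. The `{% if env == "staging" %}` switch selects between two private variables, and with Ansible's default undefined-variable handling a missing `anubis_proxy_ed25519_key` should make the render fail rather than write an empty value, which is the safer outcome — worth a comment so nobody "fixes" it with a `default('')`. A line naming where the two variables are expected to live would also save the next maintainer a search, e.g. `# anubis_proxy_ed25519_key and anubis_proxy_ed25519_key_stg are defined in ansible-private`.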
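Review bot: The trailing comment still says "specified by each copr instance", which described the copr/anubis role this was copied from but not a top-level role that is selected per `ipa_host_group`; suggest `# Custom allowlists for a given ipa_host_group can be added via a policies.yaml.j2.<group> template`. It is also worth a one-line note at the top that nothing loads this file yet, since `POLICY_FNAME` stays commented out in both env templates, so an edit here changes nothing on the host until that line is enabled even though it triggers the `Restart anubis` handler. The two consecutive blank lines before the closing comment should be one, matching the rest of the role's files.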