Merge pull request #13 from nginxinc/staging

merge Staging to master

Author: aknot242

README.md

@@ -50,6 +50,16 @@ CentOS:
     - 8.0
     - 8.1
     - 8.2
+RHEL:
+  versions:
+    - 7.4
+    - 7.5
+    - 7.6
+    - 7.7
+    - 7.8
+    - 8.0
+    - 8.1
+    - 8.2
 Debian:
   versions:
     - 9.0
@@ -78,7 +88,9 @@ Dependencies
 
 - Since this role uses the [package_facts](https://docs.ansible.com/ansible/latest/modules/package_facts_module.html) module, on debian-based systems the `python-apt` package must be installed on targeted hosts.
 
-- NGINX+ R19-R21 must already be installed on the target system 
+- If NGINX+ is *not* already installed on the system, this role will install the version of NGINX+ that is dependent on the version of NGINX App Protect set with the `app_protect_version` variable. If none is specified, the latest version of NGINX+ and NGINX App Protect will be installed.
+
+- When using the `app_protect_version` variable, a specific version of NGINX+ must already be installed on the target system.
 
 Example Playbook
 ----------------
@@ -101,11 +113,7 @@ This is a sample playbook file for using the role to install NGINX App Protect o
     app_protect_state: present
 
     # OPTIONAL: Installs a specific version of NGINX App Protect
-    app_protect_version: 21
-
-    # Enable enforcing selinux (you may need to open ports on your own)
-    # WARNING: If this is set to false and you are installing NGINX Protect on a system with SELinux enforced, NGINX App Protect may fail to load. 
-    app_protect_selinux: false
+    app_protect_version: 22
 
     # The installation of NGINX App Protect includes a base signature set, which may be out of date. 
     # This option installs the latest NGINX App Protect signatures.
@@ -121,6 +129,10 @@ This is a sample playbook file for using the role to install NGINX App Protect o
     # Removes the license (certificate and key) for the NGINX App Protect repositories on the target host(s) when playbook run is complete.
     app_protect_delete_license: true
 
+    # If you have a RHEL subscription, NGINX App Protect's dependencies will use subscription repos.
+    # Otherwise, it will source packages from CentOS' repositories.
+    app_protect_use_rhel_subscription_repos: false
+
     # For use with the app_protect_configure option to determine if the default security policy will be written to the target host
     # Used when `app_protect_configure: true`.
     app_protect_security_policy_template_enable: true
@@ -158,7 +170,7 @@ This is a sample playbook file for using the role to install NGINX App Protect o
       key: "{{playbook_dir}}/license/nginx-repo.key"
 
   roles:
-    - role: ansible-role-nginx-app-protect
+    - role: nginxinc.nginx_app_protect
 ```
 
 This is a sample playbook file for deploying the Ansible Galaxy NGINX App Protect role in a localhost and installing NGINX App Protect on NGINX Plus.

defaults/main.yml

@@ -10,13 +10,7 @@
 app_protect_state: present
 
 # # OPTIONAL: Installs a specific version of NGINX App Protect
-# app_protect_version: 20
-
-# Enable enforcing selinux (you may need to open ports on your own)
-app_protect_selinux: false
-
-# Enable enforcing mode if true.  Permissive if false (audit only, no enforcing) globally (only works with app_protect_selinux: true)
-app_protect_selinux_enforcing: true
+# app_protect_version: 22
 
 # The installation of NGINX App Protect includes a base signature set, which may be out of date. 
 # This option installs the latest NGINX App Protect signatures.
@@ -32,6 +26,10 @@ app_protect_configure: false
 # Removes the license (certificate and key) for the NGINX App Protect repositories on the target host(s) when playbook run is complete.
 app_protect_delete_license: true
 
+# If you have a RHEL subscription, NGINX App Protect's dependencies will use subscription repos.
+# Otherwise, it will source packages from CentOS' repositories.
+app_protect_use_rhel_subscription_repos: false
+
 # Start/Restart NGINX service when App Protect related changes are complete.
 # Default is true.
 nginx_start: true
@@ -42,11 +40,15 @@ nginx_timeout: 180
 # App Protect Temporary Directory to use (Default: /tmp)
 app_protect_tempdir: /tmp
 
+# Choose where to fetch the NGINX signing key from.
+# Default is the official NGINX signing key host.
+# nginx_signing_key: https://cs.nginx.com/static/keys/nginx_signing.key
+
 # Choose where to fetch the NGINX App Protect signing key from.
 # Default is the official NGINX App Protect signing key host.
 # app_protect_signing_key: https://cs.nginx.com/static/keys/app-protect.key
 
-# populate this dictionary of lists with appropriate values from the ansible_os_family and ansible_distribution_version facts
+# populate this dictionary of lists with appropriate values from the ansible_distribution and ansible_distribution_version facts
 app_protect_linux_families:
   CentOS:
     - 7.4
@@ -57,6 +59,15 @@ app_protect_linux_families:
     - 8.0
     - 8.1
     - 8.2
+  RedHat:
+    - 7.4
+    - 7.5
+    - 7.6
+    - 7.7
+    - 7.8
+    - 8.0
+    - 8.1
+    - 8.2
   Debian:
     - 9.0
     - 9.1

tasks/configure-selinux.yml

@@ -5,21 +5,16 @@
     nginx_plus_version: "{{ ansible_facts.packages['nginx-plus'] | map(attribute='version') | list | first | regex_search('^(\\d{1,3})') }}"
   when: "'nginx-plus' in ansible_facts.packages"
 
-- name: Debug nginx plus version
-  debug:
-    msg: "nginx_plus_version {{ nginx_plus_version }}"
-    verbosity: 2
-
-- name: Fail if NGINX+ version preconditions fail
+- name: Fail if existing NGINX+ version preconditions fail
   assert:
     that:
-      - nginx_plus_version is defined
       - nginx_plus_version | int >= 19
     fail_msg: >
       "'nginx_plus_version' release version must be a minimum of 19 for App Protect.
       Actual: {{ (nginx_plus_version is defined) | ternary(nginx_plus_version, 'NONE') }}"
     success_msg: "'nginx_plus_version' is {{ (nginx_plus_version is defined) | ternary(nginx_plus_version, 'NONE') }}"
     quiet: true
+  when: nginx_plus_version is defined
 
 - name: "(Install: Linux) Create override for NGINX Plus service"
   file:

tasks/install-app-protect.yml

@@ -5,21 +5,16 @@
     nginx_plus_version: "{{ ansible_facts.packages['nginx-plus'] | map(attribute='version') | list | first | regex_search('^(\\d{1,3})') }}"
   when: "'nginx-plus' in ansible_facts.packages"
 
-- name: Debug nginx plus version
-  debug:
-    msg: "nginx_plus_version {{ nginx_plus_version }}"
-    verbosity: 2
-
 - name: Fail if NGINX+ version preconditions fail
   assert:
     that:
-      - nginx_plus_version is defined
       - nginx_plus_version | int >= 19
     fail_msg: >
       "'nginx_plus_version' release version must be a minimum of 19 for App Protect.
       Actual: {{ (nginx_plus_version is defined) | ternary(nginx_plus_version, 'NONE') }}"
     success_msg: "'nginx_plus_version' is {{ (nginx_plus_version is defined) | ternary(nginx_plus_version, 'NONE') }}"
     quiet: true
+  when: nginx_plus_version is defined
 
 - name: "(Install: Linux) Install Latest NGINX App Protect Signatures"
   package:

tasks/install-signatures.yml

@@ -5,21 +5,16 @@
     nginx_plus_version: "{{ ansible_facts.packages['nginx-plus'] | map(attribute='version') | list | first | regex_search('^(\\d{1,3})') }}"
   when: "'nginx-plus' in ansible_facts.packages"
 
-- name: Debug nginx plus version
-  debug:
-    msg: "nginx_plus_version {{ nginx_plus_version }}"
-    verbosity: 2
-
 - name: Fail if NGINX+ version preconditions fail
   assert:
     that:
-      - nginx_plus_version is defined
       - nginx_plus_version | int >= 19
     fail_msg: >
       "'nginx_plus_version' release version must be a minimum of 19 for App Protect.
       Actual: {{ (nginx_plus_version is defined) | ternary(nginx_plus_version, 'NONE') }}"
     success_msg: "'nginx_plus_version' is {{ (nginx_plus_version is defined) | ternary(nginx_plus_version, 'NONE') }}"
     quiet: true
+  when: nginx_plus_version is defined
 
 - name: "(Install: Linux) Install Latest NGINX App Protect Threat Campaigns"
   package:

tasks/install-threat-campaigns.yml

@@ -1,14 +1,18 @@
 ---
-- name: "(Install: APT OSs) Set Default APT NGINX App Protect Signing Key URL"
+- name: "(Install: APT OSs) Set APT NGINX Signing Key URL"
   set_fact:
     key_value: "" # appeasing the linter
-    default_keysite: "https://cs.nginx.com/static/keys/app-protect.key"
+    nginx_keysite: "{{ nginx_signing_key | default('https://cs.nginx.com/static/keys/nginx_signing.key') }}"
 
 - name: "(Install: APT OSs) Set APT NGINX App Protect Signing Key URL"
   set_fact:
     key_value: "" # appeasing the linter
-    keysite: "{{ app_protect_signing_key | default(default_keysite) }}"
+    app_protect_keysite: "{{ app_protect_signing_key | default('https://cs.nginx.com/static/keys/app-protect.key') }}"
+
+- name: "(Install: APT OSs) Add APT NGINX Signing Key"
+  apt_key:
+    url: "{{ nginx_keysite }}"
 
 - name: "(Install: APT OSs) Add APT NGINX App Protect Signing Key"
   apt_key:
-    url: "{{ keysite }}"
+    url: "{{ app_protect_keysite }}"

tasks/keys/apt-key.yml

@@ -1,14 +1,18 @@
 ---
-- name: "(Install: RPM OSs) Set Default RPM NGINX App Protect Signing Key"
+- name: "(Install: RPM OSs) Set Default RPM NGINX Signing Key"
   set_fact:
     key_value: "" # appeasing the linter
-    default_keysite: "https://cs.nginx.com/static/keys/app-protect.key"
+    nginx_keysite: "{{ nginx_signing_key | default('https://cs.nginx.com/static/keys/nginx_signing.key') }}"
 
-- name: "(Install: RPM OSs) Set RPM NGINX App Protect Signing Key URL"
+- name: "(Install: RPM OSs) Set Default RPM NGINX App Protect Signing Key"
   set_fact:
     key_value: "" # appeasing the linter
-    keysite: "{{ app_protect_signing_key | default(default_keysite) }}"
+    app_protect_keysite: "{{ app_protect_signing_key | default('https://cs.nginx.com/static/keys/app-protect.key') }}"
+
+- name: "(Install: RPM OSs) Add RPM NGINX Signing Key"
+  rpm_key:
+    key: "{{ nginx_keysite }}"
 
 - name: "(Install: RPM OSs) Add RPM NGINX App Protect Signing Key"
   rpm_key:
-    key: "{{ keysite }}"
+    key: "{{ app_protect_keysite }}"

tasks/keys/rpm-key.yml

@@ -23,7 +23,7 @@
 
 - name: Debug app_protect_state
   debug:
-    msg: "app_protect_state {{ app_protect_state }}"
+    msg: "Desired app_protect_state {{ app_protect_state }}"
 
 - name: Abort if the OS/version combination is not supported
   fail:
@@ -83,11 +83,6 @@
 
   when: app_protect_state != "absent"
 
-- name: "(Install: CentOS) Setup SELinux"
-  include_tasks: "{{ role_path }}/tasks/configure-selinux.yml"
-  when:
-    - app_protect_selinux
-    - ansible_os_family == "RedHat"
 
 - name: "Remove NGINX App Protect"
   block: