Merge pull request #19 from nginxinc/sig-repo-update

Signatures Repo Update and Refactoring

Author: aknot242

.github/pull_request_template.md

@@ -7,4 +7,4 @@ Before creating a PR, run through this checklist and mark each as complete.
 -   [ ] I have read the [CONTRIBUTING](https://github.com/nginxinc/ansible-role-nginx-app-protect/blob/main/CONTRIBUTING.md) document
 -   [ ] I have added Molecule tests that prove my fix is effective or that my feature works
 -   [ ] I have checked that all Molecule tests pass after adding my changes
--   [ ] I have updated any relevant documentation (`defaults/main/*.yml`, `README.md` and `CHANGELOG.md`)
+-   [ ] I have updated any relevant documentation (`defaults/main/*.yml` and `README.md`)

README.md

@@ -104,6 +104,13 @@ nginx_app_protect_delete_license: true
 # Otherwise, it will source packages from CentOS' repositories.
 nginx_app_protect_use_rhel_subscription_repos: false
 
+# OPTIONAL: Choose where to fetch the NGINX App Protect and Security Updates signing keys from.
+# Default settings are the official NGINX signing key hosts.
+nginx_app_protect_signing_keys:
+  nginx_plus: https://cs.nginx.com/static/keys/nginx_signing.key
+  app_protect: https://cs.nginx.com/static/keys/app-protect.key
+  security_updates: https://cs.nginx.com/static/keys/app-protect-security-updates.key
+
 # For use with the nginx_app_protect_configure option to determine if the default security policy will be written to the target host
 # Used when `nginx_app_protect_configure: true`.
 nginx_app_protect_security_policy_template_enable: true

defaults/main.yml

@@ -28,24 +28,23 @@ nginx_app_protect_delete_license: true
 # Otherwise, it will source packages from CentOS' repositories.
 nginx_app_protect_use_rhel_subscription_repos: false
 
+# Choose where to fetch the NGINX App Protect and Security Updates signing keys from.
+# Default settings are the official NGINX signing key hosts.
+nginx_app_protect_signing_keys:
+  nginx_plus: https://cs.nginx.com/static/keys/nginx_signing.key
+  app_protect: https://cs.nginx.com/static/keys/app-protect.key
+  security_updates: https://cs.nginx.com/static/keys/app-protect-security-updates.key
+
 # Start/Restart NGINX service when App Protect related changes are complete.
 # Default is true.
 nginx_app_protect_start: true
 
-# Increase NGINX service timeout to accomdate ruleset loading from default 90s
+# Increase NGINX service timeout to accommodate ruleset loading from default 90s
 nginx_app_protect_timeout: 180
 
 # App Protect Temporary Directory to use (Default: /tmp)
 nginx_app_protect_tempdir: /tmp
 
-# Choose where to fetch the NGINX signing key from.
-# Default is the official NGINX signing key host.
-# nginx_app_protect_signing_key: https://cs.nginx.com/static/keys/nginx_signing.key
-
-# Choose where to fetch the NGINX App Protect signing key from.
-# Default is the official NGINX App Protect signing key host.
-# nginx_app_protect_signing_key: https://cs.nginx.com/static/keys/app-protect.key
-
 # populate this dictionary of lists with appropriate values from the ansible_distribution and ansible_distribution_version facts
 nginx_app_protect_linux_families:
   CentOS:

tasks/install/install-signatures-threat-campaigns.yml renamed to tasks/install/install-security-updates.yml

@@ -2,14 +2,14 @@
 - name: Setup Debian and Ubuntu NGINX App Protect repository
   apt_repository:
     repo: deb [arch=amd64] https://plus-pkgs.nginx.com/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} nginx-plus
-    filename: nginx-plus
+    filename: nginx-app-protect
     update_cache: false
     state: "{{ nginx_app_protect_license_status | default ('present') }}"
 
-- name: Setup Debian and Ubuntu NGINX App Protect signatures repository
+- name: Setup Debian and Ubuntu NGINX App Protect security updates repository
   apt_repository:
-    repo: deb [arch=amd64] https://app-protect-sigs.nginx.com/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} nginx-plus
-    filename: app-protect-sigs
+    repo: deb [arch=amd64] https://app-protect-security-updates.nginx.com/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} nginx-plus
+    filename: app-protect-security-updates
     update_cache: false
     state: "{{ nginx_app_protect_license_status | default ('present') }}"
 
@@ -25,15 +25,15 @@
     state: "{{ nginx_app_protect_license_status | default ('present') }}"
     mode: 0444
 
-- name: Setup NGINX App Protect signatures license
+- name: Setup NGINX App Protect security updates license
   blockinfile:
-    path: /etc/apt/apt.conf.d/90app-protect-sigs
+    path: /etc/apt/apt.conf.d/90app-protect-security-updates
     create: true
     block: |
-      Acquire::https::app-protect-sigs.nginx.com::Verify-Peer "true";
-      Acquire::https::app-protect-sigs.nginx.com::Verify-Host "true";
-      Acquire::https::app-protect-sigs.nginx.com::SslCert     "/etc/ssl/nginx/{{ nginx_app_protect_license.certificate | basename }}";
-      Acquire::https::app-protect-sigs.nginx.com::SslKey      "/etc/ssl/nginx/{{ nginx_app_protect_license.key | basename }}";
+      Acquire::https::app-protect-security-updates.nginx.com::Verify-Peer "true";
+      Acquire::https::app-protect-security-updates.nginx.com::Verify-Host "true";
+      Acquire::https::app-protect-security-updates.nginx.com::SslCert     "/etc/ssl/nginx/{{ nginx_app_protect_license.certificate | basename }}";
+      Acquire::https::app-protect-security-updates.nginx.com::SslKey      "/etc/ssl/nginx/{{ nginx_app_protect_license.key | basename }}";
     state: "{{ nginx_app_protect_license_status | default ('present') }}"
     mode: 0444
 

tasks/install/setup-debian-repos.yml

@@ -28,18 +28,18 @@
     sslclientkey: "/etc/ssl/nginx/{{ nginx_app_protect_license.key | basename }}"
     enabled: true
     gpgcheck: true
-    gpgkey: https://cs.nginx.com/static/keys/app-protect.key
+    gpgkey: "{{ nginx_app_protect_signing_keys.app_protect }}"
     state: "{{ nginx_app_protect_license_status | default ('present') }}"
 
-- name: Setup NGINX App Protect signatures repository
+- name: Setup NGINX App Protect security updates repository
   yum_repository:
-    name: nginx-app-protect-signatures
+    name: nginx-app-protect-security-updates
     baseurl: >-
       https://app-protect-sigs.nginx.com/centos/{{ redhat_major_version }}/$basearch/
-    description: NGINX App Protect Signatures Repository
+    description: NGINX App Protect Security Updates Repository
     sslclientcert: "/etc/ssl/nginx/{{ nginx_app_protect_license.certificate | basename }}"
     sslclientkey: "/etc/ssl/nginx/{{ nginx_app_protect_license.key | basename }}"
     enabled: true
     gpgcheck: true
-    gpgkey: https://cs.nginx.com/static/keys/app-protect.key
+    gpgkey: "{{ nginx_app_protect_signing_keys.security_updates }}"
     state: "{{ nginx_app_protect_license_status | default ('present') }}"

tasks/install/setup-redhat-repos.yml

@@ -1,16 +1,12 @@
 ---
-- name: Set APT NGINX signing key URL
-  set_fact:
-    nginx_keysite: "{{ nginx_app_protect_signing_key | default('https://cs.nginx.com/static/keys/nginx_signing.key') }}"
-
-- name: Set APT NGINX App Protect signing key URL
-  set_fact:
-    app_protect_keysite: "{{ nginx_app_protect_signing_key | default('https://cs.nginx.com/static/keys/app-protect.key') }}"
-
-- name: Add APT NGINX signing key
+- name: Add APT NGINX Plus signing key
   apt_key:
-    url: "{{ nginx_keysite }}"
+    url: "{{ nginx_app_protect_signing_keys.nginx_plus }}"
 
 - name: Add APT NGINX App Protect signing key
   apt_key:
-    url: "{{ app_protect_keysite }}"
+    url: "{{ nginx_app_protect_signing_keys.app_protect }}"
+
+- name: Add APT NGINX App Protect security updates signing key
+  apt_key:
+    url: "{{ nginx_app_protect_signing_keys.security_updates }}"

tasks/keys/apt-key.yml

@@ -1,16 +1,12 @@
 ---
-- name: Set default RPM NGINX signing key
-  set_fact:
-    nginx_keysite: "{{ nginx_app_protect_signing_key | default('https://cs.nginx.com/static/keys/nginx_signing.key') }}"
-
-- name: Set default RPM NGINX App Protect signing key
-  set_fact:
-    app_protect_keysite: "{{ nginx_app_protect_signing_key | default('https://cs.nginx.com/static/keys/app-protect.key') }}"
+- name: Add RPM NGINX Plus signing key
+  rpm_key:
+    key: "{{ nginx_app_protect_signing_keys.nginx_plus }}"
 
-- name: Add RPM NGINX signing key
+- name: Add RPM NGINX App Protect signing key
   rpm_key:
-    key: "{{ nginx_keysite }}"
+    key: "{{ nginx_app_protect_signing_keys.app_protect }}"
 
-- name: Add RPM NGINX signing key
+- name: Add RPM NGINX App Protect security updates signing key
   rpm_key:
-    key: "{{ app_protect_keysite }}"
+    key: "{{ nginx_app_protect_signing_keys.security_updates }}"

tasks/keys/rpm-key.yml

@@ -64,8 +64,8 @@
       include_tasks: "{{ role_path }}/tasks/install/install-app-protect.yml"
       tags: nginx_app_protect_install_app_protect
 
-    - name: Install NGINX App Protect signatures and threat campaigns
-      include_tasks: "{{ role_path }}/tasks/install/install-signatures-threat-campaigns.yml"
+    - name: Install NGINX App Protect security updates (signatures and threat campaigns)
+      include_tasks: "{{ role_path }}/tasks/install/install-security-updates.yml"
       when:
         - nginx_app_protect_install_signatures | bool
         - nginx_app_protect_install_threat_campaigns | bool