Merge pull request #14 from jessegoodier/new_branch

New branch

Author: aknot242

.gitignore

@@ -36,3 +36,6 @@ default.pem
 
 # Scratch Directory
 scratch/
+
+# nginx keys
+sample-playbook/license/nginx-repo.*

README.md

@@ -98,11 +98,11 @@ Example Playbook
 
 This is a sample playbook file for using the role to install NGINX App Protect on NGINX Plus and configure it using basic settings to all `wafs` inventory hosts.
 
+A copy of this is in the sample-playbook directory in this repo.
+
+First create a file for all the variables as `nginx-app-protect-vars.yml`
 ```yaml
 ---
-- hosts: wafs
-  become: true
-  vars:
 
     # Specify whether you want to maintain your version of NGINX App Protect, upgrade to the latest version, or remove NGINX App Protect.
     # Can be used with `app_protect_version` to achieve fine grained control on which version of NGINX App Protect is installed/used on each playbook execution.
@@ -169,31 +169,24 @@ This is a sample playbook file for using the role to install NGINX App Protect o
       certificate: "{{playbook_dir}}/license/nginx-repo.crt"
       key: "{{playbook_dir}}/license/nginx-repo.key"
 
-  roles:
-    - role: nginxinc.nginx_app_protect
 ```
 
 This is a sample playbook file for deploying the Ansible Galaxy NGINX App Protect role in a localhost and installing NGINX App Protect on NGINX Plus.
 
 ```yaml
 ---
-- hosts: localhost
-  become: true
+- hosts: wafs
+  remote_user: centos  
+  pre_tasks:
+  - name: load the vars
+    include_vars: 
+      file: "{{playbook_dir}}/nginx-app-protect-vars.yml"
   roles:
-    - role: nginxinc.nginx_app_protect
+    - nginxinc.nginx_app_protect
 ```
 
-This is a sample playbook file for deploying the Ansible Galaxy NGINX App Protect role to a dynamic inventory containing the `nginx_plus` tag.
-
-```yaml
----
-- hosts: tag_nginx_plus
-  remote_user: root
-  roles:
-    - role: nginxinc.nginx_app_protect
-```
 
-To run any of the above sample playbooks create a `setup-nginx-app-protect.yml` file and paste the contents. Executing the Ansible Playbook is then as simple as executing `ansible-playbook setup-nginx.yml`.
+To run any of the above sample playbooks create a `nginx-app-protect-playbook.yml` file and paste the contents. Executing the Ansible Playbook is then as simple as executing `ansible-playbook nginx-app-protect-playbook.yml -b -i inventory`.
 
 Alternatively, you can also clone this repository instead of installing it from Ansible Galaxy. If you decide to do so, replace the role variable in the previous sample playbooks from `nginxinc.nginx_app_protect` to `ansible-role-nginx-app-protect`.
 

sample-playbook/README.md

@@ -0,0 +1,11 @@
+# ansible-nap
+
+## Usage
+
+install galaxy role:
+
+`ansible-galaxy install nginxinc.nginx_app_protect`
+
+install app protect
+
+`ansible-playbook nginx-app-protect-ansible-playbook.yml -b -i inventory`

sample-playbook/inventory

@@ -0,0 +1,2 @@
+[wafs]
+centos-nap1 ansible_user=centos

sample-playbook/license/add-license-cert-here

@@ -0,0 +1,9 @@
+---
+- hosts: wafs
+  remote_user: centos  
+  pre_tasks:
+  - name: load the vars
+    include_vars: 
+      file: "{{playbook_dir}}/nginx-app-protect-vars.yml"
+  roles:
+    - nginxinc.nginx_app_protect          

sample-playbook/nginx-app-protect-playbook.yml

@@ -0,0 +1,69 @@
+
+    # Specify whether you want to maintain your version of NGINX App Protect, upgrade to the latest version, or remove NGINX App Protect.
+    # Can be used with `app_protect_version` to achieve fine grained control on which version of NGINX App Protect is installed/used on each playbook execution.
+    # Using 'present' will install the latest version (or 'app_protect_version') of NGINX App Protect on a fresh install.
+    # Using 'latest' will upgrade NGINX App Protect to the latest version (that matches your 'app_protect_version') of NGINX App Protect on every playbook execution.
+    # Using 'absent' will remove NGINX App Protect from your system.
+    # Default is present.
+    app_protect_state: present
+
+    # OPTIONAL: Installs a specific version of NGINX App Protect
+    #app_protect_version: 22
+
+    # The installation of NGINX App Protect includes a base signature set, which may be out of date.
+    # This option installs the latest NGINX App Protect signatures.
+    app_protect_install_signatures: true
+
+    # The installation of NGINX App Protect can include a page of frequently-updated, high-accuracy signatures called Threat Campaigns.
+    # This option installs the latest NGINX App Protect Threat Campaigns signatures.
+    app_protect_install_threat_campaigns: true
+
+    # Creates basic configuration files and enables NGINX App Protect on the target host
+    app_protect_configure: true
+
+    # Removes the license (certificate and key) for the NGINX App Protect repositories on the target host(s) when playbook run is complete.
+    app_protect_delete_license: true
+
+    # If you have a RHEL subscription, NGINX App Protect's dependencies will use subscription repos.
+    # Otherwise, it will source packages from CentOS' repositories.
+    app_protect_use_rhel_subscription_repos: false
+
+    # For use with the app_protect_configure option to determine if the default security policy will be written to the target host
+    # Used when `app_protect_configure: true`.
+    app_protect_security_policy_template_enable: true
+
+    # Default app protect enforcement mode. Values can be `blocking` or `transparent`.
+    # Used when `app_protect_configure: true` and `app_protect_security_policy_template_enable: true`.
+    security_policy_enforcement_mode: blocking
+
+    # For use with the app_protect_configure option to determine if the default log policy will be written to the target host.
+    # Used when `app_protect_configure: true`.
+    app_protect_log_policy_template_enable: true
+
+    # Which violation types to log. Possible values: all, illegal, blocked
+    # Used when `app_protect_configure: true` and `app_protect_log_policy_template_enable: true`.
+    log_policy_filter_request_type: all
+
+    # For use with the app_protect_configure option to determine if the sample nginx.conf will be written to the target host.
+    # Since this can be dangerous, this value is default to false in the role defaults.
+    # Used when `app_protect_configure: true`.
+    nginx_conf_template_enable: true
+
+    # For use with the app_protect_configure option to determine the syslog target to be injected
+    # into the default log policy that will be written to the target host.
+    # Used when `nginx_conf_template_enable: true`.
+    log_policy_syslog_target: 10.0.0.2:514
+
+    # DEPRECATED: A proxy pass workload used in the sample nginx.conf for demo purposes.
+    # Will be removed from this role in the future.
+    # Used when `nginx_conf_template_enable: true`.
+    nginx_demo_workload: http://10.0.0.3:88
+
+    # The location of the certificate and key to be used when downloading the packages onto the host
+    nginx_license:
+      certificate: "{{playbook_dir}}/license/nginx-repo.crt"
+      key: "{{playbook_dir}}/license/nginx-repo.key"
+
+    # upstream target:
+    nginx_demo_workload_protocol: http://
+    nginx_demo_workload_host: 10.1.1.1:8080

sample-playbook/nginx-app-protect-vars.yml

@@ -17,13 +17,15 @@
   template:
     src: "{{ app_protect_security_policy_template.template_file }}"
     dest: "{{ app_protect_security_policy_template.out_file_location }}{{ app_protect_security_policy_template.out_file_name }}"
+    mode: "0644"
     backup: true
   when: app_protect_security_policy_template_enable
 
 - name: "Dynamically Generate NGINX App Protect log policy file"
   template:
     src: "{{ app_protect_log_policy_template.template_file }}"
     dest: "{{ app_protect_log_policy_template.out_file_location }}{{ app_protect_log_policy_template.out_file_name }}"
+    mode: "0644"
     backup: true
   when: app_protect_log_policy_template_enable