Update NGINX App Protect default repository (#88)

Author: aknot242

CHANGELOG.md

@@ -2,6 +2,10 @@
 
 ## 0.5.0 (Unreleased)
 
+BREAKING CHANGES:
+
+*   The NGINX App Protect repository has been updated. This might cause some issues when running the role on an instance that already has NGINX Plus or NGINX App Protect installed. **Starting with NGINX Plus R25, you will need to install NGINX Plus using release `0.5.0`. If you are trying to install R23, please use release `0.4.3`. NGINX Plus R24 should work with both release `0.4.3` and `0.5.0`.**
+
 DEPRECATION WARNINGS:
 
 *   **The ability to create an NGINX config including some basic App Protect directives will be removed in the upcoming `0.6.0` release at some stage after June 2021.** Please instead use the [NGINX config role](https://github.com/nginxinc/ansible-role-nginx-config) for this (and much more) functionality. This will include the removal of the following variables: `nginx_app_protect_conf_template_enable`, `nginx_app_protect_conf_template`, `nginx_app_protect_demo_workload_protocol`, `nginx_app_protect_demo_workload_host`, `nginx_app_protect_log_policy_syslog_target`, `nginx_app_protect_log_policy_target`.

defaults/main.yml

@@ -35,9 +35,13 @@ nginx_app_protect_install_threat_campaigns: true
 #   nginx_plus: https://cs.nginx.com/static/keys/nginx_signing.key
 #   security_updates: https://cs.nginx.com/static/keys/app-protect-security-updates.key
 
+# (Optional) Specify repository for NGINX Plus.
+# Defaults are the official NGINX repositories.
+# nginx_plus_repository: deb [arch=amd64] https://pkgs.nginx.com/plus/debian buster nginx-plus
+
 # (Optional) Specify repository for NGINX App Protect.
 # Defaults are the official NGINX repositories.
-# nginx_app_protect_repository: deb [arch=amd64] https://plus-pkgs.nginx.com/debian buster nginx-plus
+# nginx_app_protect_repository: deb [arch=amd64] https://pkgs.nginx.com/app-protect/debian buster nginx-plus
 
 # (Optional) Specify repository for NGINX App Protect security updates.
 # Defaults are the official NGINX repositories.

tasks/install/install-alpine.yml

@@ -1,4 +1,11 @@
 ---
+- name: (Alpine Linux) {{ nginx_license_status is defined | ternary('Remove', 'Configure') }} NGINX Plus repository
+  lineinfile:
+    path: /etc/apk/repositories
+    insertafter: EOF
+    line: "{{ nginx_plus_repository | default(nginx_plus_default_repository_alpine) }}"
+    state: "{{ nginx_license_status | default ('present') }}"
+
 - name: (Alpine Linux) {{ nginx_license_status is defined | ternary('Remove', 'Configure') }} NGINX App Protect repository
   lineinfile:
     path: /etc/apk/repositories

tasks/install/install-debian.yml

@@ -1,13 +1,26 @@
 ---
-- name: (Debian/Ubuntu) {{ nginx_app_protect_license_status is defined | ternary('Remove', 'Configure') }} NGINX App Protect license
+
+- name: (Debian/Ubuntu) {{ nginx_app_protect_license_status is defined | ternary('Remove', 'Configure') }} NGINX Plus license
   blockinfile:
     path: /etc/apt/apt.conf.d/90nginx
+    create: yes
+    block: |
+      Acquire::https::{{ (nginx_plus_repository | default(nginx_plus_default_repository_debian)) | regex_search('(?<=https://)[^/]*') }}::Verify-Peer "true";
+      Acquire::https::{{ (nginx_plus_repository | default(nginx_plus_default_repository_debian)) | regex_search('(?<=https://)[^/]*') }}::Verify-Host "true";
+      Acquire::https::{{ (nginx_plus_repository | default(nginx_plus_default_repository_debian)) | regex_search('(?<=https://)[^/]*') }}::SslCert     "/etc/ssl/nginx/nginx-repo.crt";
+      Acquire::https::{{ (nginx_plus_repository | default(nginx_plus_default_repository_debian)) | regex_search('(?<=https://)[^/]*') }}::SslKey      "/etc/ssl/nginx/nginx-repo.key";
+    state: "{{ nginx_license_status | default ('present') }}"
+    mode: 0444
+
+- name: (Debian/Ubuntu) {{ nginx_app_protect_license_status is defined | ternary('Remove', 'Configure') }} NGINX App Protect license
+  blockinfile:
+    path: /etc/apt/apt.conf.d/90app-protect
     create: true
     block: |
-      Acquire::https::plus-pkgs.nginx.com::Verify-Peer "true";
-      Acquire::https::plus-pkgs.nginx.com::Verify-Host "true";
-      Acquire::https::plus-pkgs.nginx.com::SslCert     "/etc/ssl/nginx/nginx-repo.crt";
-      Acquire::https::plus-pkgs.nginx.com::SslKey      "/etc/ssl/nginx/nginx-repo.key";
+      Acquire::https::{{ (nginx_app_protect_repository | default(nginx_app_protect_default_repository_debian)) | regex_search('(?<=https://)[^/]*') }}::Verify-Peer "true";
+      Acquire::https::{{ (nginx_app_protect_repository | default(nginx_app_protect_default_repository_debian)) | regex_search('(?<=https://)[^/]*') }}::Verify-Host "true";
+      Acquire::https::{{ (nginx_app_protect_repository | default(nginx_app_protect_default_repository_debian)) | regex_search('(?<=https://)[^/]*') }}::SslCert     "/etc/ssl/nginx/nginx-repo.crt";
+      Acquire::https::{{ (nginx_app_protect_repository | default(nginx_app_protect_default_repository_debian)) | regex_search('(?<=https://)[^/]*') }}::SslKey      "/etc/ssl/nginx/nginx-repo.key";
     state: "{{ nginx_app_protect_license_status | default ('present') }}"
     mode: 0444
 
@@ -25,6 +38,14 @@
   when: nginx_app_protect_install_signatures | bool
         or nginx_app_protect_install_threat_campaigns | bool
 
+- name: (Debian/Ubuntu) {{ nginx_app_protect_license_status is defined | ternary('Remove', 'Configure') }} NGINX Plus repository
+  apt_repository:
+    repo: "{{ nginx_plus_repository | default(nginx_plus_default_repository_debian) }}"
+    filename: nginx-plus
+    mode: 0644
+    update_cache: false
+    state: "{{ nginx_app_protect_license_status | default ('present') }}"
+
 - name: (Debian/Ubuntu) {{ nginx_app_protect_license_status is defined | ternary('Remove', 'Configure') }} NGINX App Protect repository
   apt_repository:
     repo: "{{ nginx_app_protect_repository | default(nginx_app_protect_default_repository_debian) }}"

tasks/install/install-redhat.yml

@@ -1,4 +1,15 @@
 ---
+- name: (CentOS/RHEL) {{ nginx_app_protect_license_status is defined | ternary('Remove', 'Configure') }} NGINX Plus repository
+  yum_repository:
+    name: nginx-plus
+    baseurl: "{{ nginx_plus_repository | default(nginx_plus_default_repository_redhat) }}"
+    description: NGINX Plus repository
+    sslclientcert: /etc/ssl/nginx/nginx-repo.crt
+    sslclientkey: /etc/ssl/nginx/nginx-repo.key
+    enabled: true
+    gpgcheck: true
+    state: "{{ nginx_app_protect_license_status | default ('present') }}"
+
 - name: (CentOS/RHEL) {{ nginx_app_protect_license_status is defined | ternary('Remove', 'Configure') }} NGINX App Protect repository
   yum_repository:
     name: nginx-app-protect

vars/main.yml

@@ -40,12 +40,17 @@ nginx_app_protect_default_signing_key_rsa_pub: https://nginx.org/keys/nginx_sign
 nginx_app_protect_security_updates_default_signing_key_pgp: https://cs.nginx.com/static/keys/app-protect-security-updates.key
 nginx_app_protect_security_updates_default_signing_key_rsa_pub: https://cs.nginx.com/static/keys/app-protect-security-updates.rsa.pub
 
+# Default NGINX Plus repositories
+nginx_plus_default_repository_alpine: "https://pkgs.nginx.com/plus/alpine/v{{ ansible_facts['distribution_version'] | regex_search('^[0-9]+\\.[0-9]+') }}/main"
+nginx_plus_default_repository_debian: "deb [arch=amd64] https://pkgs.nginx.com/plus/{{ ansible_facts['distribution'] | lower }} {{ ansible_facts['distribution_release'] }} nginx-plus"
+nginx_plus_default_repository_redhat: "https://pkgs.nginx.com/plus/centos/{{ ansible_distribution_major_version }}/$basearch/"
+
 # Default NGINX App Protect repositories
-nginx_app_protect_default_repository_alpine: "https://plus-pkgs.nginx.com/alpine/v{{ ansible_distribution_version | regex_search('^[0-9]+\\.[0-9]+') }}/main"
-nginx_app_protect_default_repository_debian: "deb [arch=amd64] https://plus-pkgs.nginx.com/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} nginx-plus"
-nginx_app_protect_default_repository_redhat: "https://plus-pkgs.nginx.com/centos/{{ ansible_distribution_major_version }}/$basearch/"
+nginx_app_protect_default_repository_alpine: "https://pkgs.nginx.com/app-protect/alpine/v{{ ansible_distribution_version | regex_search('^[0-9]+\\.[0-9]+') }}/main"
+nginx_app_protect_default_repository_debian: "deb [arch=amd64] https://pkgs.nginx.com/app-protect/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} nginx-plus"
+nginx_app_protect_default_repository_redhat: "https://pkgs.nginx.com/app-protect/centos/{{ ansible_distribution_major_version }}/$basearch/"
 
 # Default NGINX App Protect Security Updates repositories
-nginx_app_protect_security_updates_default_repository_alpine: "https://app-protect-security-updates.nginx.com/alpine/v{{ ansible_distribution_version | regex_search('^[0-9]+\\.[0-9]+') }}/main"
-nginx_app_protect_security_updates_default_repository_debian: "deb [arch=amd64] https://app-protect-security-updates.nginx.com/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} nginx-plus"
-nginx_app_protect_security_updates_default_repository_redhat: "https://app-protect-security-updates.nginx.com/centos/{{ ansible_distribution_major_version }}/$basearch/"
+nginx_app_protect_security_updates_default_repository_alpine: "https://pkgs.nginx.com/app-protect-security-updates/alpine/v{{ ansible_distribution_version | regex_search('^[0-9]+\\.[0-9]+') }}/main"
+nginx_app_protect_security_updates_default_repository_debian: "deb [arch=amd64] https://pkgs.nginx.com/app-protect-security-updates/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} nginx-plus"
+nginx_app_protect_security_updates_default_repository_redhat: "https://pkgs.nginx.com/app-protect-security-updates/centos/{{ ansible_distribution_major_version }}/$basearch/"