nginx: unoverride secure defaults

Both Alpine and Debian override default nginx ssl_protocols to enable older TLS versions. Unoverride to return to secure nginx defaults.
alpine: support non-VM hosts in interfaces template
2025-05-16 14:01:33 +02:00 · 2025-05-15 14:55:43 +02:00
3 changed files with 45 additions and 3 deletions
--- a/filter_plugins/util.py
+++ b/filter_plugins/util.py
@ -0,0 +1,21 @@
+#!/usr/bin/python
+
+class FilterModule(object):
+    '''Helper filters to make Ansible less unpleasant'''
+    def filters(self):
+        return {
+            'defaultattr': self.defaultattr,
+            'list2dict': self.list2dict,
+        }
+
+    def defaultattr(self, objects, attr, val=None):
+        '''
+        Set a default value if the given attribute is not defined for an object.
+        '''
+        yield from (obj | { attr: obj.get(attr, val) } for obj in objects)
+
+    def list2dict(self, items, key):
+        '''
+        Like items2dict but keep entire dictionaries as values.
+        '''
+        return {item[key]: item for item in items}
--- a/roles/alpine/templates/interfaces.j2
+++ b/roles/alpine/templates/interfaces.j2
@ -1,9 +1,21 @@
+{# Loopback interface must be present so define it here if none exists. #}
+{% if interfaces | rejectattr("name", "==", "lo") %}
 auto lo
 iface lo inet loopback

-{% for iface in interfaces | selectattr('enabled') %}
+{% endif -%}
+
+{# Skip disabled and OOB management interfaces. #}
+{# For VMs we have to set the attribute manually (to false) so rejectattr works. #}
+{% for iface in interfaces
+    | defaultattr('mgmt_only')
+    | rejectattr('mgmt_only')
+    | selectattr('enabled') %}
 auto {{ iface.name }}
-iface {{ iface.name }} inet static
+iface {{ iface.name }} inet {% if iface.name == "lo" %}loopback{% else %}static{% endif +%}
+{% if iface.mtu %}
+    mtu {{ iface.mtu }}
+{% endif %}
 {% for address in iface.ip_addresses %}
    address {{ address.address }}
 {% if address.family.value == 4 %}
@ -21,4 +33,6 @@ iface {{ iface.name }} inet static
    pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/autoconf
 {% endif %}

-{% endfor %}
+{% endfor -%}
+
+source-directory /etc/network/interfaces.d
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@ -16,6 +16,13 @@
      - certbot
      - nginx

+- name: Don’t enable old TLS versions
+  lineinfile:
+    path: /etc/nginx/nginx.conf
+    regex: '(\s+ssl_protocols\s.*)'
+    backrefs: yes
+    line: '#\1'
+
 - name: Create HTTP server directories
  file:
    path: /srv/http/.well-known