diff --git a/roles/mgrote_minio_configure/defaults/main.yml b/roles/mgrote_minio_configure/defaults/main.yml index 32bb87ba..7b487824 100644 --- a/roles/mgrote_minio_configure/defaults/main.yml +++ b/roles/mgrote_minio_configure/defaults/main.yml @@ -14,98 +14,16 @@ minio_users: - name: testuser5 secret: hallowelt state: present - policies: - - testbucket1_rw - name: testuser6 secret: hallowelt2 state: present - policies: - - testbucket3_ro minio_buckets: - name: testbucket1 - name: testbucket3 minio_policies: - - name: testbucket1_rw - policy: | - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "AWS": [ - "*" - ] - }, - "Action": [ - "s3:GetBucketLocation", - "s3:ListBucket", - "s3:ListBucketMultipartUploads" - ], - "Resource": [ - "arn:aws:s3:::testbucket1" - ] - }, - { - "Effect": "Allow", - "Principal": { - "AWS": [ - "*" - ] - }, - "Action": [ - "s3:AbortMultipartUpload", - "s3:DeleteObject", - "s3:GetObject", - "s3:ListMultipartUploadParts", - "s3:PutObject" - ], - "Resource": [ - "arn:aws:s3:::testbucket1/*" - ] - } - ] - } - - name: testbucket3_ro - policy: | - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "AWS": [ - "*" - ] - }, - "Action": [ - "s3:GetBucketLocation", - "s3:ListBucket", - "s3:ListBucketMultipartUploads" - ], - "Resource": [ - "arn:aws:s3:::testbucket3" - ] - }, - { - "Effect": "Allow", - "Principal": { - "AWS": [ - "*" - ] - }, - "Action": [ - "s3:AbortMultipartUpload", - "s3:DeleteObject", - "s3:GetObject", - "s3:ListMultipartUploadParts", - "s3:PutObject" - ], - "Resource": [ - "arn:aws:s3:::testbucket3/*" - ] - } - ] - } + - bucket: testbucket1 + policy: rw + - bucket: testbucket3 + policy: ro diff --git a/roles/mgrote_minio_configure/tasks/policy.yml b/roles/mgrote_minio_configure/tasks/policy.yml index 19513e01..e7f354a9 100644 --- a/roles/mgrote_minio_configure/tasks/policy.yml +++ b/roles/mgrote_minio_configure/tasks/policy.yml 
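Review bot: The `policy: rw` / `policy: ro` key on the new `minio_policies` entries has no consumer in this change — the template tasks in tasks/policy.yml render both `policy_ro.j2` and `policy_rw.j2` for every entry — so the key is dead data as committed. At the same time the `policies:` lists were dropped from `testuser5` and `testuser6` with no replacement, so as far as these defaults show neither user is attached to either generated policy; whether a later user task still binds them is outside this diff and worth confirming. Either gate the two template tasks on the key (`when: item.policy == 'ro'` and `when: item.policy == 'rw'`) or drop it, and restore an explicit user-to-policy binding such as `policies: [testbucket1_rw]` if the user task still honours that list.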
@@ -8,12 +8,18 @@ group: root mode: '0644' -- name: create policy files - ansible.builtin.blockinfile: - path: "{{ minio_config_dir }}/{{ item.name }}" - block: "{{ item.policy }}" +- name: temaplet ro policy files + ansible.builtin.template: + dest: "{{ minio_config_dir }}/{{ item.name }}_ro" + src: policy_ro.j2 + state: present + loop: "{{ minio_policies }}" + +- name: temaplet rw policy files + ansible.builtin.template: + dest: "{{ minio_config_dir }}/{{ item.name }}_rw" + src: policy_rw.j2 state: present - create: true loop: "{{ minio_policies }}" - name: setup minio policies diff --git a/roles/mgrote_minio_configure/templates/blocky.service.j2 b/roles/mgrote_minio_configure/templates/blocky.service.j2 deleted file mode 100644 index 656fe94c..00000000 --- a/roles/mgrote_minio_configure/templates/blocky.service.j2 +++ /dev/null @@ -1,15 +0,0 @@ -{{ file_header | default () }} - -[Unit] -Description=Blocky is a DNS proxy and ad-blocker for the local network written in Go. -Requires=network.target -Wants=nss-lookup.target -Before=nss-lookup.target -After=network.target - -[Service] -Type=simple -ExecStart=/usr/local/bin/blocky --config {{ blocky_conf_dir }}/config.yml - -[Install] -WantedBy=multi-user.target diff --git a/roles/mgrote_minio_configure/templates/config.yml.j2 b/roles/mgrote_minio_configure/templates/config.yml.j2 deleted file mode 100644 index da1402de..00000000 --- a/roles/mgrote_minio_configure/templates/config.yml.j2 +++ /dev/null 
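Review bot: Both new template tasks build `dest` from `{{ item.name }}`, but the `minio_policies` entries introduced in defaults/main.yml carry `bucket` and `policy` keys and no `name`, so each loop iteration fails on an undefined variable (or, with undefined-variable checking relaxed, writes a file literally named `_ro` / `_rw`); this should be `{{ item.bucket }}`. `state: present` is not a documented parameter of `ansible.builtin.template` and is rejected as an unsupported option — it appears to have been carried over from the removed `blockinfile` task. The task names also read `temaplet` rather than `template`. The ro task rewritten below; the rw task gets the same change with `_rw`, `policy_rw.j2` and `'rw'`.
```yaml
- name: template ro policy files
  ansible.builtin.template:
    dest: "{{ minio_config_dir }}/{{ item.bucket }}_ro"
    src: policy_ro.j2
  loop: "{{ minio_policies }}"
  when: item.policy == 'ro'
# … rw task: identical apart from `_rw`, `policy_rw.j2` and `'rw'` …
```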
@@ -1,196 +0,0 @@ -{{ file_header | default () }} -upstreams: - init: - # Configure startup behavior. - # accepted: blocking, failOnError, fast - # default: blocking - strategy: fast - groups: - default: -{% for item in blocky_dns_upstream %} - - {{ item }} -{% endfor %} - strategy: parallel_best - timeout: 2s - -# optional: Determines how blocky will create outgoing connections. This impacts both upstreams, and lists. -# accepted: dual, v4, v6 -# default: dual -connectIPVersion: v4 - - -# optional: use black and white lists to block queries (for example ads, trackers, adult pages etc.) -blocking: - # definition of blacklist groups. Can be external link (http/https) or local file - blackLists: - ads: -{% for item in blocky_dns_blocklists %} - - {{ item }} -{% endfor %} - # which response will be sent, if query is blocked: - # zeroIp: 0.0.0.0 will be returned (default) - # nxDomain: return NXDOMAIN as return code - # comma separated list of destination IP addresses (for example: 192.100.100.15, 2001:0db8:85a3:08d3:1319:8a2e:0370:7344). Should contain ipv4 and ipv6 to cover all query types. Useful with running web server on this address to display the "blocked" page. - blockType: {{ blocky_block_type | default ("zeroIp") }} - # optional: TTL for answers to blocked domains - # default: 6h - blockTTL: {{ blocky_block_ttl | default ("6h") }} - clientGroupsBlock: - # default will be used, if no special definition for a client name exists - default: - - ads # siehe blocking.blacklists.ads - # optional: Configure how lists, AKA sources, are loaded - loading: - # optional: list refresh period in duration format. - # Set to a value <= 0 to disable. - # default: 4h - refreshPeriod: 4h - # optional: Applies only to lists that are downloaded (HTTP URLs). - downloads: - # optional: timeout for list download (each url). 
Use large values for big lists or slow internet connections - # default: 5s - timeout: 60s - # optional: Maximum download attempts - # default: 3 - attempts: 5 - # optional: Time between the download attempts - # default: 500ms - cooldown: 10s - # optional: Maximum number of lists to process in parallel. - # default: 4 - concurrency: 16 - # Configure startup behavior. - # accepted: blocking, failOnError, fast - # default: blocking - strategy: {{ blocky_blacklists_strategy | default ("blocking") }} - # Number of errors allowed in a list before it is considered invalid. - # A value of -1 disables the limit. - # default: 5 - maxErrorsPerSource: 5 - -{% if blocky_conditional_mapping is defined %} - -# optional: definition, which DNS resolver(s) should be used for queries to the domain (with all sub-domains). Multiple resolvers must be separated by a comma -# Example: Query client.fritz.box will ask DNS server 192.168.178.1. This is necessary for local network, to resolve clients by host name -conditional: - # optional: if false (default), return empty result if after rewrite, the mapped resolver returned an empty answer. If true, the original query will be sent to the upstream resolver - # Example: The query "blog.example.com" will be rewritten to "blog.fritz.box" and also redirected to the resolver at 192.168.178.1. If not found and if `fallbackUpstream` was set to `true`, the original query "blog.example.com" will be sent upstream. - # Usage: One usecase when having split DNS for internal and external (internet facing) users, but not all subdomains are listed in the internal domain. - fallbackUpstream: false - mapping: -{% for item in blocky_conditional_mapping %} - {{ item.domain }}: {{ item.resolver }} -{% endfor %} -{% endif %} - - -{% if blocky_custom_lookups is defined %} -# optional: custom IP address(es) for domain name (with all sub-domains). 
Multiple addresses must be separated by a comma -# example: query "printer.lan" or "my.printer.lan" will return 192.168.178.3 -customDNS: - customTTL: 1h - # optional: if true (default), return empty result for unmapped query types (for example TXT, MX or AAAA if only IPv4 address is defined). - # if false, queries with unmapped types will be forwarded to the upstream resolver - filterUnmappedTypes: true - # optional: replace domain in the query with other domain before resolver lookup in the mapping - # rewrite: - # example.com: printer.lan - mapping: -{% for item in blocky_custom_lookups %} - {{ item.name }}: {{ item.ip }} -{% endfor %} -{% endif %} - -# optional: configuration for caching of DNS responses -caching: - # duration how long a response must be cached (min value). - # If <=0, use response's TTL, if >0 use this value, if TTL is smaller - # Default: 0 - minTime: 0 - # duration how long a response must be cached (max value). - # If <0, do not cache responses - # If 0, use TTL - # If > 0, use this value, if TTL is greater - # Default: 0 - maxTime: 0 - # Max number of cache entries (responses) to be kept in cache (soft limit). Useful on systems with limited amount of RAM. - # Default (0): unlimited - maxItemsCount: 0 - # if true, will preload DNS results for often used queries (default: names queried more than 5 times in a 2-hour time window) - # this improves the response time for often used queries, but significantly increases external traffic - # default: false - prefetching: true - # prefetch track time window (in duration format) - # default: 120 - prefetchExpires: 2h - # name queries threshold for prefetch - # default: 5 - prefetchThreshold: 5 - # Max number of domains to be kept in cache for prefetching (soft limit). Useful on systems with limited amount of RAM. - # Default (0): unlimited - prefetchMaxItemsCount: 0 - # Time how long negative results (NXDOMAIN response or empty result) are cached. 
A value of -1 will disable caching for negative results. - # Default: 30m - cacheTimeNegative: -1 - -# optional: configuration of client name resolution -clientLookup: - # optional: this DNS resolver will be used to perform reverse DNS lookup (typically local router) - upstream: {{ blocky_local_upstream | default ("192.168.2.1") }} - # optional: some routers return multiple names for client (host name and user defined name). Define which single name should be used. - # Example: take second name if present, if not take first name - # singleNameOrder: - # - 2 - # - 1 - - -# optional: configuration for prometheus metrics endpoint -prometheus: - # enabled if true - enable: {{ blocky_prometheus | default ("false") }} - # url path, optional (default '/metrics') - path: /metrics - - -# optional: Mininal TLS version that the DoH and DoT server will use -# minTlsServeVersion: 1.3 - -# if https port > 0: path to cert and key file for SSL encryption. if not set, self-signed certificate will be generated -#certFile: server.crt -#keyFile: server.key - -# optional: use these DNS servers to resolve blacklist urls and upstream DNS servers. It is useful if no system DNS resolver is configured, and/or to encrypt the bootstrap queries. -bootstrapDns: - - tcp+udp:9.9.9.9 - -# optional: drop all queries with following query types. Default: empty -filtering: - queryTypes: - - AAAA - -# optional: return NXDOMAIN for queries that are not FQDNs. -fqdnOnly: - # default: false - enable: {{ blocky_fqdn_only | default ("false") }} - -# optional: ports configuration -ports: - # optional: DNS listener port(s) and bind ip address(es), default 53 (UDP and TCP). Example: 53, :53, "127.0.0.1:5353,[::1]:5353" - dns: {{ blocky_port_dns | default ("53") }} - # optional: Port(s) and bind ip address(es) for DoT (DNS-over-TLS) listener. Example: 853, 127.0.0.1:853 - # tls: 853 - # optional: Port(s) and optional bind ip address(es) to serve HTTPS used for prometheus metrics, pprof, REST API, DoH... 
If you wish to specify a specific IP, you can do so such as 192.168.0.1:443. Example: 443, :443, 127.0.0.1:443,[::1]:443 - # https: 443 - # optional: Port(s) and optional bind ip address(es) to serve HTTP used for prometheus metrics, pprof, REST API, DoH... If you wish to specify a specific IP, you can do so such as 192.168.0.1:4000. Example: 4000, :4000, 127.0.0.1:4000,[::1]:4000 - http: 4000 - -# optional: logging configuration -log: - # optional: Log level (one from debug, info, warn, error). Default: info - level: {{ blocky_log_level | default ("info") }} - # optional: Log format (text or json). Default: text - format: text - # optional: log timestamps. Default: true - timestamp: true - # optional: obfuscate log output (replace all alphanumeric characters with *) for user sensitive data like request domains or responses to increase privacy. Default: false - privacy: false diff --git a/roles/mgrote_minio_configure/templates/policy_ro.j2 b/roles/mgrote_minio_configure/templates/policy_ro.j2 new file mode 100644 index 00000000..72a3d618 --- /dev/null +++ b/roles/mgrote_minio_configure/templates/policy_ro.j2 @@ -0,0 +1,38 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": [ + "*" + ] + }, + "Action": [ + "s3:GetBucketLocation", + "s3:ListBucket", + "s3:ListBucketMultipartUploads" + ], + "Resource": [ + "arn:aws:s3:::{{ item.bucket }}" + ] + }, + { + "Effect": "Allow", + "Principal": { + "AWS": [ + "*" + ] + }, + if + "Action": [ + "s3:AbortMultipartUpload", + "s3:GetObject", + "s3:ListMultipartUploadParts", + ], + "Resource": [ + "arn:aws:s3:::{{ item.bucket }}/*" + ] + } + ] +} diff --git a/roles/mgrote_minio_configure/templates/policy_rw.j2 b/roles/mgrote_minio_configure/templates/policy_rw.j2 new file mode 100644 index 00000000..17391d99 --- /dev/null +++ b/roles/mgrote_minio_configure/templates/policy_rw.j2 
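Review bot: The rendered policy_ro.j2 is not valid JSON: the bare `if` line between the second `"Principal"` block and its `"Action"`, and the trailing comma after `"s3:ListMultipartUploadParts",`, will both make the file unparsable by whatever consumes it in the later "setup minio policies" task (outside this diff). Beyond syntax, `s3:AbortMultipartUpload` and `s3:ListMultipartUploadParts` are upload-side permissions that do not belong in a policy named `_ro`; a read-only object grant needs only `s3:GetObject`, with the bucket-level list statement above it unchanged. Suggested object statement: remove the `if` line and reduce the list to `"Action": [ "s3:GetObject" ]`.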
@@ -0,0 +1,39 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": [
+ "*"
+ ]
+ },
+ "Action": [
+ "s3:GetBucketLocation",
+ "s3:ListBucket",
+ "s3:ListBucketMultipartUploads"
+ ],
+ "Resource": [
+ "arn:aws:s3:::testbucket3"
+ ]
+ },
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": [
+ "*"
+ ]
+ },
+ "Action": [
+ "s3:AbortMultipartUpload",
+ "s3:DeleteObject",
+ "s3:GetObject",
+ "s3:ListMultipartUploadParts",
+ "s3:PutObject"
+ ],
+ "Resource": [
+ "arn:aws:s3:::testbucket3/*"
+ ]
+ }
+ ]
+}
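Review bot: Both `Resource` entries in policy_rw.j2 are hard-coded to `testbucket3` (`"arn:aws:s3:::testbucket3"` and `"arn:aws:s3:::testbucket3/*"`) instead of using `{{ item.bucket }}` as policy_ro.j2 does, so the `_rw` file rendered for every entry in `minio_policies` grants read/write on testbucket3 regardless of which bucket it is named for — a user attached to `testbucket1_rw` would get write access to testbucket3 and none to testbucket1. This is a privilege-scoping defect rather than a cosmetic one, since the file name promises a per-bucket grant. Change the two lines to `"arn:aws:s3:::{{ item.bucket }}"` and `"arn:aws:s3:::{{ item.bucket }}/*"`.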