matrix-docker-ansible-deploy/roles/custom/matrix-nginx-proxy/tasks/nginx-proxy/setup_metrics_auth.yml

61 lines
3.5 KiB
YAML

---
# When we're dealing with raw htpasswd content, we just store it in the file directly.
- name: Ensure matrix-metrics-htpasswd is present when generated from raw content (protecting /metrics/* URIs)
ansible.builtin.copy:
content: "{{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_raw_content }}"
dest: "{{ matrix_nginx_proxy_data_path }}/matrix-metrics-htpasswd"
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
mode: 0600
when: not matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username
# Alternatively, we need to use the `htpasswd` tool to generate the htpasswd file.
# There's an Ansible module that helps with that, but it requires passlib (a Python module) to be installed on the server.
# See: https://docs.ansible.com/ansible/2.3/htpasswd_module.html#requirements-on-host-that-executes-module
# We support various distros, with various versions of Python. Installing additional Python modules can be a hassle.
# As a workaround, we run `htpasswd` from an Apache container image.
- when: matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username != ''
block:
- name: Ensure Apache Docker image is pulled for generating matrix-metrics-htpasswd from username/password (protecting /metrics/* URIs)
community.docker.docker_image:
name: "{{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_image }}"
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_force_pull }}"
register: result
retries: "{{ devture_playbook_help_container_retries_count }}"
delay: "{{ devture_playbook_help_container_retries_delay }}"
until: result is not failed
# We store the password in a file and make the `htpasswd` tool read it from there,
# as opposed to passing it directly on stdin (which will expose it to other processes on the server).
- name: Store metrics password in a temporary file
ansible.builtin.copy:
content: "{{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_password }}"
dest: "/tmp/matrix-nginx-proxy-metrics-password"
mode: 0400
owner: "{{ matrix_user_uid }}"
group: "{{ matrix_user_gid }}"
- name: Generate matrix-metrics-htpasswd from username/password (protecting /metrics/* URIs)
ansible.builtin.command:
cmd: >-
{{ devture_systemd_docker_base_host_command_docker }} run
--rm
--user={{ matrix_user_uid }}:{{ matrix_user_gid }}
--cap-drop=ALL
--network=none
--mount type=bind,src={{ matrix_nginx_proxy_data_path }},dst=/data
--mount type=bind,src=/tmp/matrix-nginx-proxy-metrics-password,dst=/password,ro
--entrypoint=/bin/sh
{{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_apache_container_image }}
-c
'cat /password | htpasswd -i -c /data/matrix-metrics-htpasswd {{ matrix_nginx_proxy_proxy_matrix_metrics_basic_auth_username }} && chmod 600 /data/matrix-metrics-htpasswd'
changed_when: true
- name: Delete temporary metrics password file
ansible.builtin.file:
path: /tmp/matrix-nginx-proxy-metrics-password
state: absent