Wazuh authd pr devel 2.x (#2381)

drazenCE · gregharvey · matej5 · web-flow · commit 1141bd5319a7 · 2025-03-20T07:57:35.000+01:00
* Bug fixes 2.x pr 2.x (#1670)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* Setting more sane ASG defaults.

* Making ClamAV timers a list so they can be entirely replaced.

* Updating-waf-acl-role (#1672)

Co-authored-by: Matej Stajduhar &lt;matej.stajduhar@codeenigma.com&gt;

* Setting up proxy vhost pr 2.x (#1674)

* Setting-up-proxy-vhost

* Setting-up-proxy-vhost-2

* Fixing-typo (#1676)

* New-version-of-aws-acl-role (#1683)

* New-version-of-aws-acl-role

* Fixing-jinja-linting

---------

Co-authored-by: Matej Stajduhar &lt;matej.stajduhar@codeenigma.com&gt;

* Updating-nginx-template (#1688)

* Updating-aws_backup-to-register-iam-arn-2 (#1696)

Co-authored-by: Matej Stajduhar &lt;matej.stajduhar@codeenigma.com&gt;

* Updating-nginx-htpasswd-task-2 (#1698)

Co-authored-by: Matej Stajduhar &lt;matej.stajduhar@codeenigma.com&gt;

* Bug fixes 2.x pr 2.x (#1702)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* Setting more sane ASG defaults.

* Making ClamAV timers a list so they can be entirely replaced.

* Spacing fix for linting.

* Renaming npm module.

* r69424-Adding-resource-group-task (#1706)

Co-authored-by: Matej Stajduhar &lt;matej.stajduhar@codeenigma.com&gt;

* Adding lock file behaviour to ce-provision. (#1708)

* Adding lock file behaviour to ce-provision.

* Updating documentation.

* Adding extra lock file handling for ASG EC2 machines.

* Moving lock file paths to variables.

* Adding docs about connection management.

* Fixing placement of lock files on ASGs.

* Removing the 'Remove lock file' task for ASGs as it is doomed to fail (machine is gone).

* Adding in a lock file removal if we do not replace the ASG.

* Bug fixes 2.x pr 2.x (#1715)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* Setting more sane ASG defaults.

* Making ClamAV timers a list so they can be entirely replaced.

* Spacing fix for linting.

* Renaming npm module.

* Removing NGINX installation as part of phpMyAdmin role by default.

* Bug fixes 2.x pr 2.x (#1717)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* Setting more sane ASG defaults.

* Making ClamAV timers a list so they can be entirely replaced.

* Spacing fix for linting.

* Renaming npm module.

* Removing NGINX installation as part of phpMyAdmin role by default.

* Fixing Varnish handler names.

* Excluding name[casing] rule from linting due to false positives.

* Put rule in wrong place!

* Creating a ce-provision installer script. (#1724)

* Installer pr 2.x (#1726)

* Creating a ce-provision installer script.

* Updating installation docs.

* Bug fixes 2.x pr 2.x (#1730)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* Setting more sane ASG defaults.

* Making ClamAV timers a list so they can be entirely replaced.

* Spacing fix for linting.

* Renaming npm module.

* Removing NGINX installation as part of phpMyAdmin role by default.

* Fixing Varnish handler names.

* Excluding name[casing] rule from linting due to false positives.

* Put rule in wrong place!

* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.

* Capturing lock file limitations in comment.

* Installer pr 2.x (#1732)

* Creating a ce-provision installer script.

* Updating installation docs.

* Adding pip upgrade line and python-debian.

* Installing certbot in a python venv. (#1659)

* Installing certbot in a python venv.

* Changing default location for Python packages.

* Allowing the ansible role to override venv settings.

* Preventing ce_deploy from installing in an entirely separate venv by default.

* Updating certbot installation to use _init venv variables.

* Updating duplicity role to use _init venv variables by default.

* Ordering pip docs.

* Update documentation.

* Fixing Ansible path in installer.

* Fixing occurrences of path to venv.

* Installer pr 2.x (#1735)

* Creating a ce-provision installer script.

* Updating installation docs.

* Adding pip upgrade line and python-debian.

* Updating docs.

* Some minor installer bug fixes.

* Bug fixes 2.x pr 2.x (#1737)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* Setting more sane ASG defaults.

* Making ClamAV timers a list so they can be entirely replaced.

* Spacing fix for linting.

* Renaming npm module.

* Removing NGINX installation as part of phpMyAdmin role by default.

* Fixing Varnish handler names.

* Excluding name[casing] rule from linting due to false positives.

* Put rule in wrong place!

* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.

* Capturing lock file limitations in comment.

* Updating documentation for LE.

* Using pip to install certbot plugins.

* Updating README docs.

* Bug fixes 2.x pr 2.x (#1738)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* Setting more sane ASG defaults.

* Making ClamAV timers a list so they can be entirely replaced.

* Spacing fix for linting.

* Renaming npm module.

* Removing NGINX installation as part of phpMyAdmin role by default.

* Fixing Varnish handler names.

* Excluding name[casing] rule from linting due to false positives.

* Put rule in wrong place!

* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.

* Capturing lock file limitations in comment.

* Updating documentation for LE.

* Using pip to install certbot plugins.

* Updating README docs.

* Docs error corrected.

* Fixing-ACM-SAN-behaviour (#1739)

* Bug fixes 2.x pr 2.x (#1742)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* Setting more sane ASG defaults.

* Making ClamAV timers a list so they can be entirely replaced.

* Spacing fix for linting.

* Renaming npm module.

* Removing NGINX installation as part of phpMyAdmin role by default.

* Fixing Varnish handler names.

* Excluding name[casing] rule from linting due to false positives.

* Put rule in wrong place!

* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.

* Capturing lock file limitations in comment.

* Updating documentation for LE.

* Using pip to install certbot plugins.

* Updating README docs.

* Docs error corrected.

* Working around deprecated SSH algorithms.

* Upgrading SSH key type standard for controller and deploy users.

* Adding SCP args for legacy mode needed by Packer.

* Bug fixes 2.x pr 2.x (#1749)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* Setting more sane ASG defaults.

* Making ClamAV timers a list so they can be entirely replaced.

* Spacing fix for linting.

* Renaming npm module.

* Removing NGINX installation as part of phpMyAdmin role by default.

* Fixing Varnish handler names.

* Excluding name[casing] rule from linting due to false positives.

* Put rule in wrong place!

* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.

* Capturing lock file limitations in comment.

* Updating documentation for LE.

* Using pip to install certbot plugins.

* Updating README docs.

* Docs error corrected.

* Working around deprecated SSH algorithms.

* Upgrading SSH key type standard for controller and deploy users.

* Adding SCP args for legacy mode needed by Packer.

* Adding an extra when clause to ACM SAN cert check.

* Bug fixes 2.x pr 2.x (#1752)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* Setting more sane ASG defaults.

* Making ClamAV timers a list so they can be entirely replaced.

* Spacing fix for linting.

* Renaming npm module.

* Removing NGINX installation as part of phpMyAdmin role by default.

* Fixing Varnish handler names.

* Excluding name[casing] rule from linting due to false positives.

* Put rule in wrong place!

* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.

* Capturing lock file limitations in comment.

* Updating documentation for LE.

* Using pip to install certbot plugins.

* Updating README docs.

* Docs error corrected.

* Working around deprecated SSH algorithms.

* Upgrading SSH key type standard for controller and deploy users.

* Adding SCP args for legacy mode needed by Packer.

* Adding an extra when clause to ACM SAN cert check.

* Trying different approach to ACM SAN cert check.

* Bug fixes 2.x pr 2.x (#1754)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* Setting more sane ASG defaults.

* Making ClamAV timers a list so they can be entirely replaced.

* Spacing fix for linting.

* Renaming npm module.

* Removing NGINX installation as part of phpMyAdmin role by default.

* Fixing Varnish handler names.

* Excluding name[casing] rule from linting due to false positives.

* Put rule in wrong place!

* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.

* Capturing lock file limitations in comment.

* Updating documentation for LE.

* Using pip to install certbot plugins.

* Updating README docs.

* Docs error corrected.

* Working around deprecated SSH algorithms.

* Upgrading SSH key type standard for controller and deploy users.

* Adding SCP args for legacy mode needed by Packer.

* Adding an extra when clause to ACM SAN cert check.

* Trying different approach to ACM SAN cert check.

* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.

* RDS param group module has changed name.

* Bug fixes 2.x pr 2.x (#1756)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* Setting more sane ASG defaults.

* Making ClamAV timers a list so they can be entirely replaced.

* Spacing fix for linting.

* Renaming npm module.

* Removing NGINX installation as part of phpMyAdmin role by default.

* Fixing Varnish handler names.

* Excluding name[casing] rule from linting due to false positives.

* Put rule in wrong place!

* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.

* Capturing lock file limitations in comment.

* Updating documentation for LE.

* Using pip to install certbot plugins.

* Updating README docs.

* Docs error corrected.

* Working around deprecated SSH algorithms.

* Upgrading SSH key type standard for controller and deploy users.

* Adding SCP args for legacy mode needed by Packer.

* Adding an extra when clause to ACM SAN cert check.

* Trying different approach to ACM SAN cert check.

* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.

* RDS param group module has changed name.

* Adding passlib to libraries installed for ce-provision.

* Adding in valid path for 'which' to rkhunter.

* Redoing-changes-for-aws-acl-role (#1728)

* Redoing-changes-for-aws-acl-role

* retrigger checks

* Fixing-conflicts-4

---------

Co-authored-by: Matej Stajduhar &lt;matej.stajduhar@codeenigma.com&gt;

* Remvoing-scp-extra-args-temporary (#1761)

Co-authored-by: Matej Stajduhar &lt;matej.stajduhar@codeenigma.com&gt;

* Bug fixes 2.x pr 2.x (#1765)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* Setting more sane ASG defaults.

* Making ClamAV timers a list so they can be entirely replaced.

* Spacing fix for linting.

* Renaming npm module.

* Removing NGINX installation as part of phpMyAdmin role by default.

* Fixing Varnish handler names.

* Excluding name[casing] rule from linting due to false positives.

* Put rule in wrong place!

* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.

* Capturing lock file limitations in comment.

* Updating documentation for LE.

* Using pip to install certbot plugins.

* Updating README docs.

* Docs error corrected.

* Working around deprecated SSH algorithms.

* Upgrading SSH key type standard for controller and deploy users.

* Adding SCP args for legacy mode needed by Packer.

* Adding an extra when clause to ACM SAN cert check.

* Trying different approach to ACM SAN cert check.

* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.

* RDS param group module has changed name.

* Adding passlib to libraries installed for ce-provision.

* Adding in valid path for 'which' to rkhunter.

* Catching up documentation.

* Catching up documentation.

* Making user creation optional and home directories a variable.

* Missed passing new home var to task.

* Bug fixes 2.x pr 2.x (#1767)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* Setting more sane ASG defaults.

* Making ClamAV timers a list so they can be entirely replaced.

* Spacing fix for linting.

* Renaming npm module.

* Removing NGINX installation as part of phpMyAdmin role by default.

* Fixing Varnish handler names.

* Excluding name[casing] rule from linting due to false positives.

* Put rule in wrong place!

* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.

* Capturing lock file limitations in comment.

* Updating documentation for LE.

* Using pip to install certbot plugins.

* Updating README docs.

* Docs error corrected.

* Working around deprecated SSH algorithms.

* Upgrading SSH key type standard for controller and deploy users.

* Adding SCP args for legacy mode needed by Packer.

* Adding an extra when clause to ACM SAN cert check.

* Trying different approach to ACM SAN cert check.

* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.

* RDS param group module has changed name.

* Adding passlib to libraries installed for ce-provision.

* Adding in valid path for 'which' to rkhunter.

* Catching up documentation.

* Catching up documentation.

* Making user creation optional and home directories a variable.

* Missed passing new home var to task.

* Fixing firewall.bash deletion issues.

* Bug fixes 2.x pr 2.x (#1769)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* Setting more sane ASG defaults.

* Making ClamAV timers a list so they can be entirely replaced.

* Spacing fix for linting.

* Renaming npm module.

* Removing NGINX installation as part of phpMyAdmin role by default.

* Fixing Varnish handler names.

* Excluding name[casing] rule from linting due to false positives.

* Put rule in wrong place!

* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.

* Capturing lock file limitations in comment.

* Updating documentation for LE.

* Using pip to install certbot plugins.

* Updating README docs.

* Docs error corrected.

* Working around deprecated SSH algorithms.

* Upgrading SSH key type standard for controller and deploy users.

* Adding SCP args for legacy mode needed by Packer.

* Adding an extra when clause to ACM SAN cert check.

* Trying different approach to ACM SAN cert check.

* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.

* RDS param group module has changed name.

* Adding passlib to libraries installed for ce-provision.

* Adding in valid path for 'which' to rkhunter.

* Catching up documentation.

* Catching up documentation.

* Making user creation optional and home directories a variable.

* Missed passing new home var to task.

* Fixing firewall.bash deletion issues.

* Getting rid of accidental extra braces.

* Bug fixes 2.x pr 2.x (#1771)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* Setting more sane ASG defaults.

* Making ClamAV timers a list so they can be entirely replaced.

* Spacing fix for linting.

* Renaming npm module.

* Removing NGINX installation as part of phpMyAdmin role by default.

* Fixing Varnish handler names.

* Excluding name[casing] rule from linting due to false positives.

* Put rule in wrong place!

* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.

* Capturing lock file limitations in comment.

* Updating documentation for LE.

* Using pip to install certbot plugins.

* Updating README docs.

* Docs error corrected.

* Working around deprecated SSH algorithms.

* Upgrading SSH key type standard for controller and deploy users.

* Adding SCP args for legacy mode needed by Packer.

* Adding an extra when clause to ACM SAN cert check.

* Trying different approach to ACM SAN cert check.

* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.

* RDS param group module has changed name.

* Adding passlib to libraries installed for ce-provision.

* Adding in valid path for 'which' to rkhunter.

* Catching up documentation.

* Catching up documentation.

* Making user creation optional and home directories a variable.

* Missed passing new home var to task.

* Fixing firewall.bash deletion issues.

* Getting rid of accidental extra braces.

* Simplifying usernames so you only need to set one var.

* Managing-mime-types-nginx (#1773)

* Whitelisting ce vpn ip wazuh pr 2.x (#1775)

* Whitelisting-CE-VPN-IP-wazuh

* Fixing-wazuh-whitelist-variable

* Updating-wazuh-vars (#1777)

* add community.postgresql collection and remove varnish master release (#1779)

* Updating wazuh vars pr 2.x (#1781)

* Updating-wazuh-vars

* Updating-manager-vars

* Updating wazuh vars pr 2.x (#1783)

* Updating-wazuh-vars

* Updating-manager-vars

* Updating-wazuh-manager-active-response

* Updating-wazuh-manager-active-response-2x

* Updating wazuh vars pr 2.x (#1785)

* Updating-wazuh-vars

* Updating-manager-vars

* Updating-wazuh-manager-active-response

* Updating-wazuh-manager-active-response-2x

* Fixing-wazuh-broken-pipeline

* Updating wazuh vars pr 2.x (#1787)

* Updating-wazuh-vars

* Updating-manager-vars

* Updating-wazuh-manager-active-response

* Updating-wazuh-manager-active-response-2x

* Fixing-wazuh-broken-pipeline

* Tweaking-wazuh-vars

* r68065 mattermost role first commit (#1789)

* r68065 mattermost role first commit

* fixing linting/syntax

* reload systemd with ansible.builtin.systemd_service

* handler for postgresql reloads

* default systemd unit file for mattermost role

* r68065 install python psycopg2 (#1791)

* r68065 use psycopg binary package as compiling creates depsolve issues (#1793)

* permissions for postgres setup (#1795)

* r68065 add mattermost group before user (#1797)

* Updating-duplicity (#1804)

* enable mattermost systemd unit (#1810)

* nginx include for mattermost (#1812)

* nginx include for mattermost

* add mattermost project type

* ssl on handled by nginx role (#1814)

* fix mattermost nginx include (#1822)

* remove unsupported nginx option (#1824)

* Restore testing update pr 2.x (#1832)

* Restore-testing-update

* Restore-testing-update-2

---------

Co-authored-by: Matej Stajduhar &lt;matej.stajduhar@codeenigma.com&gt;

* Resolving conflicts pr 2.x (#1834)

* Fixing-conflicts-and-updating-docs

* Fixed-conflicts

* Fixed-conflicts-2

---------

Co-authored-by: Matej Stajduhar &lt;matej.stajduhar@codeenigma.com&gt;

* initial commit - mattermost local backups (#1838)

* r69995-Updating-vhost-for-LE-validation (#1843)

Co-authored-by: Matej Stajduhar &lt;matej.stajduhar@codeenigma.com&gt;

* Changing priority flexibility pr 2.x (#1841)

* Changing-priority-flexibility

* Changing-priority-flexibility-2

* Adding-aws-acl-to-meta

* Adding-cast-to-int-for-priority

---------

Co-authored-by: Matej Stajduhar &lt;matej.stajduhar@codeenigma.com&gt;

* Aws acl role changes for ip set pr 2.x (#1848)

* aws_acl-role-changes-for-ip-set

* aws_acl-role-changes-for-ip-set-docs-update

---------

Co-authored-by: Matej Stajduhar &lt;matej.stajduhar@codeenigma.com&gt;

* add_php_repo_before_apt_extra_packages_task_from_common_base (#1850)

* fix_opensearch_vars (#1852)

* wait_timeout_for_opensearch_domain_creation (#1854)

* wait_timeout_for_opensearch_domain_creation

* remove trailing space

* Updating-aws-acl-task (#1856)

Co-authored-by: Matej Stajduhar &lt;matej.stajduhar@codeenigma.com&gt;

* Bug fixes 2.x pr 2.x (#1859)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* Setting more sane ASG defaults.

* Making ClamAV timers a list so they can be entirely replaced.

* Spacing fix for linting.

* Renaming npm module.

* Removing NGINX installation as part of phpMyAdmin role by default.

* Fixing Varnish handler names.

* Excluding name[casing] rule from linting due to false positives.

* Put rule in wrong place!

* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.

* Capturing lock file limitations in comment.

* Updating documentation for LE.

* Using pip to install certbot plugins.

* Updating README docs.

* Docs error corrected.

* Working around deprecated SSH algorithms.

* Upgrading SSH key type standard for controller and deploy users.

* Adding SCP args for legacy mode needed by Packer.

* Adding an extra when clause to ACM SAN cert check.

* Trying different approach to ACM SAN cert check.

* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.

* RDS param group module has changed name.

* Adding passlib to libraries installed for ce-provision.

* Adding in valid path for 'which' to rkhunter.

* Catching up documentation.

* Catching up documentation.

* Making user creation optional and home directories a variable.

* Missed passing new home var to task.

* Fixing firewall.bash deletion issues.

* Getting rid of accidental extra braces.

* Simplifying usernames so you only need to set one var.

* Docs update and making Ansible installation via _init an option.

* Bug fixes 2.x pr 2.x (#1860)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* Setting more sane ASG defaults.

* Making ClamAV timers a list so they can be entirely replaced.

* Spacing fix for linting.

* Renaming npm module.

* Removing NGINX installation as part of phpMyAdmin role by default.

* Fixing Varnish handler names.

* Excluding name[casing] rule from linting due to false positives.

* Put rule in wrong place!

* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.

* Capturing lock file limitations in comment.

* Updating documentation for LE.

* Using pip to install certbot plugins.

* Updating README docs.

* Docs error corrected.

* Working around deprecated SSH algorithms.

* Upgrading SSH key type standard for controller and deploy users.

* Adding SCP args for legacy mode needed by Packer.

* Adding an extra when clause to ACM SAN cert check.

* Trying different approach to ACM SAN cert check.

* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.

* RDS param group module has changed name.

* Adding passlib to libraries installed for ce-provision.

* Adding in valid path for 'which' to rkhunter.

* Catching up documentation.

* Catching up documentation.

* Making user creation optional and home directories a variable.

* Missed passing new home var to task.

* Fixing firewall.bash deletion issues.

* Getting rid of accidental extra braces.

* Simplifying usernames so you only need to set one var.

* Docs update and making Ansible installation via _init an option.

* Variable path error.

* Updating linter ignore paths.

* Small-changes-on-aws-acl-and-RDS-validation (#1863)

Co-authored-by: Matej Stajduhar &lt;matej.stajduhar@codeenigma.com&gt;

* Updating-user-ansible-vars (#1864)

* Updating user ansible vars pr 2.x (#1867)

* Updating-user-ansible-vars

* Fixing-syntax

* add_vars_to_user_deploy_user_provision (#1869)

* Disabling-general-log-mariadb (#1871)

* Updating-aws_acl-role (#1873)

Co-authored-by: Matej Stajduhar &lt;matej.stajduhar@codeenigma.com&gt;

* r70260-rkhunter-whitelist (#1877)

* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish (#1750)

* fix(nginx): Remove default nginx dummy vhost that could clash with Varnish

* Fix variable naming and comment

* Implement keep_default_vhost setting

* Wazuh-var-update (#1903)

* Wazuh-agent-vars-more-readable (#1905)

* Filebeat-restart-task-wazuh (#1907)

* Filebeat restart task wazuh pr 2.x (#1909)

* Filebeat-restart-task-wazuh

* Fixing-wazuh-filebeat-restart

* Adding-gawk-to-extra-packages (#1910)

* Updating-filebeat-restart-task (#1913)

* Adding motd to exit role pr 2.x (#1915)

* Fixing-backup-validation-role-plicies

* Adding-parts-for-VPC-and-SG

* Adding-region-to-vpc-and-subnet-tasks

* Adding-region-to-vpc-and-subnet-tasks-2

* Updating-vars-for-vpc-and-subnet

* Updating-vars-for-vpc-and-subnet-2

* Updating-vars-for-vpc-and-subnet-3

* Adding-json-file-for-restore-testing

* Changing-user-where-json-file-is-generated

* Updating-json-file-location

* Updating-path-to-j2-file

* Changing-force-valkue

* Testing-file-creation

* Testing-file-creation-via-command-task

* Adding-motd-to-exit-role

* Commenting-out-task-that-will-fail

* Fixing-pipefail

* Fixing-syntax-issue

---------

Co-authored-by: Matej Stajduhar &lt;matej.stajduhar@codeenigma.com&gt;

* Fixing-motd-task (#1917)

* Motd-switch-egrep-with-awk (#1919)

* Motd-task-update (#1922)

* Motd-task-update

* Restoring-deleted-task

* Fixing motd task when running on localhost pr 2.x (#1924)

* Fixing-backup-validation-role-plicies

* Fixing-motd-task-when-running-on-localhost

* Updating-when-statement

* Adding-become-true-on-motd-update

---------

Co-authored-by: Matej Stajduhar &lt;matej.stajduhar@codeenigma.com&gt;

* Apt bug workaround pr 2.x (#1935)

* apt_bug_workaround

* apt_bug_workaround

* apt_bug_workaround

* apt_bug_workaround

* fix_var_logic

* Pushing-aws-backup-validation-role (#1944)

* Pushing-aws-backup-validation-role

* Fixing-linting

---------

Co-authored-by: Matej Stajduhar &lt;matej.stajduhar@codeenigma.com&gt;

* fix(redis): Convert maxmemory setting to int before comparing (#1897)

* Reverting-nginx-username (#1945)

* Reverting nginx username pr 2.x (#1947)

* Reverting-nginx-username

* Minor-fix-nginx-username

* Updating-nginx-vars (#1950)

* Bug fixes 2.x pr 2.x (#1952)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* Setting more sane ASG defaults.

* Making ClamAV timers a list so they can be entirely replaced.

* Spacing fix for linting.

* Renaming npm module.

* Removing NGINX installation as part of phpMyAdmin role by default.

* Fixing Varnish handler names.

* Excluding name[casing] rule from linting due to false positives.

* Put rule in wrong place!

* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.

* Capturing lock file limitations in comment.

* Updating documentation for LE.

* Using pip to install certbot plugins.

* Updating README docs.

* Docs error corrected.

* Working around deprecated SSH algorithms.

* Upgrading SSH key type standard for controller and deploy users.

* Adding SCP args for legacy mode needed by Packer.

* Adding an extra when clause to ACM SAN cert check.

* Trying different approach to ACM SAN cert check.

* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.

* RDS param group module has changed name.

* Adding passlib to libraries installed for ce-provision.

* Adding in valid path for 'which' to rkhunter.

* Catching up documentation.

* Catching up documentation.

* Making user creation optional and home directories a variable.

* Missed passing new home var to task.

* Fixing firewall.bash deletion issues.

* Getting rid of accidental extra braces.

* Simplifying usernames so you only need to set one var.

* Docs update and making Ansible installation via _init an option.

* Variable path error.

* Updating linter ignore paths.

* Making the NGINX test result var private.

* Documentation update.

* Fixing role dependency in NGINX role.

* r70597 new system role for ipv6 disablement (#1954)

* r70597 new system role for ipv6 disablement

* fix linting problem

* add readme for system role

* Fixing-json-file-for-restore-testing (#1956)

Co-authored-by: Matej Stajduhar &lt;matej.stajduhar@codeenigma.com&gt;

* Fixing json file for restore testing pr 2.x (#1957)

* Fixing-json-file-for-restore-testing

* Missing-coma-in-json

---------

Co-authored-by: Matej Stajduhar &lt;matej.stajduhar@codeenigma.com&gt;

* updating asg role to support custom rule on http and https (#1959)

Co-authored-by: filip &lt;filip.rupic@codeenigma.com&gt;

* Bug fixes 2.x pr 2.x (#1962)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* Setting more sane ASG defaults.

* Making ClamAV timers a list so they can be entirely replaced.

* Spacing fix for linting.

* Renaming npm module.

* Removing NGINX installation as part of phpMyAdmin role by default.

* Fixing Varnish handler names.

* Excluding name[casing] rule from linting due to false positives.

* Put rule in wrong place!

* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.

* Capturing lock file limitations in comment.

* Updating documentation for LE.

* Using pip to install certbot plugins.

* Updating README docs.

* Docs error corrected.

* Working around deprecated SSH algorithms.

* Upgrading SSH key type standard for controller and deploy users.

* Adding SCP args for legacy mode needed by Packer.

* Adding an extra when clause to ACM SAN cert check.

* Trying different approach to ACM SAN cert check.

* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.

* RDS param group module has changed name.

* Adding passlib to libraries installed for ce-provision.

* Adding in valid path for 'which' to rkhunter.

* Catching up documentation.

* Catching up documentation.

* Making user creation optional and home directories a variable.

* Missed passing new home var to task.

* Fixing firewall.bash deletion issues.

* Getting rid of accidental extra braces.

* Simplifying usernames so you only need to set one var.

* Docs update and making Ansible installation via _init an option.

* Variable path error.

* Updating linter ignore paths.

* Making the NGINX test result var private.

* Documentation update.

* Fixing role dependency in NGINX role.

* Adding installation path handling …
diff --git a/roles/aws/aws_iam_role/tasks/main.yml b/roles/aws/aws_iam_role/tasks/main.yml
@@ -21,10 +21,20 @@
     _combined_policies: "{{ aws_iam_role.managed_policies }}"
   when: inline_policies.action is not defined or inline_policies.action == 0
 
+- name: Check if policy document file exists.
+  ansible.builtin.stat:
+    path: "{{ aws_iam_role.policy_document + '_document_policy.json' }}"
+  register: policy_file_stat
+
+- name: Fail if the assume role policy document file does not exist.
+  ansible.builtin.fail:
+    msg: "The assume role policy document file '{{ aws_iam_role.policy_document + '_document_policy.json' }}' does not exist."
+  when: not policy_file_stat.stat.exists
+
 - name: Create assume role policy document if predefined string is passed.
   ansible.builtin.set_fact:
     _assume_role_policy: "{{ lookup('file', aws_iam_role.policy_document + '_document_policy.json') }}"
-  when: aws_iam_role.policy_document | type_debug == 'string'
+  when: aws_iam_role.policy_document | type_debug == 'string' and policy_file_stat.stat.exists
 
 - name: Create assume role policy document if template is provided.
   ansible.builtin.set_fact:
diff --git a/roles/debian/varnish_config/tasks/main.yml b/roles/debian/varnish_config/tasks/main.yml
@@ -20,5 +20,4 @@
       notify:
         - reload systemd
         - restart varnish
-
 # TO DO: add varnish to unattended upgrades
diff --git a/roles/debian/wazuh/defaults/main.yml b/roles/debian/wazuh/defaults/main.yml
@@ -102,6 +102,7 @@ wazuh:
           timeout: 3600
       authd:
         enabled: false
+        use_password: false
     wazuh_manager_globals:
       - '1.1.1.1'
     agent_groups: [] # maps to `groups` string in agent config above
diff --git a/roles/debian/wazuh/tasks/main.yml b/roles/debian/wazuh/tasks/main.yml
@@ -132,3 +132,29 @@
     name: filebeat
     state: restarted
   when: filebeat_exists
+
+- name: Check if wazuh-manager service exists
+  ansible.builtin.systemd:
+    name: wazuh-manager
+  register: wazuh_service
+  ignore_errors: true
+
+- name: Generate random password
+  ansible.builtin.set_fact:
+    authd_password: "{{ lookup('password', '/dev/null length=32') }}"
+  when: not wazuh_service.failed | default(true)
+
+- name: Write the password to /var/ossec/etc/authd.pass
+  ansible.builtin.copy:
+    dest: /var/ossec/etc/authd.pass
+    content: "{{ authd_password }}"
+    mode: '0640'
+    owner: root
+    group: wazuh
+  when: not wazuh_service.failed | default(true)
+
+- name: Restart wazuh-manager to apply changes
+  ansible.builtin.systemd:
+    name: wazuh-manager
+    state: restarted
+  when: not wazuh_service.failed | default(true)
