From e3d2675585f04b9882d56a1f267a267ebd5de07f Mon Sep 17 00:00:00 2001
From: gregharvey <greg.harvey@gmail.com>
Date: Fri, 1 Mar 2024 13:33:12 +0100
Subject: [PATCH 1/3] Making Varnish template handling more flexible.

---
 docs/_Sidebar.md                              |  2 +-
 docs/roles/debian/varnish_config.md           | 21 +++++++++++++++++--
 docs/roles/debian/wazuh.md                    |  1 +
 roles/debian/varnish_config/README.md         | 21 +++++++++++++++++--
 roles/debian/varnish_config/defaults/main.yml |  4 +++-
 roles/debian/varnish_config/tasks/main.yml    |  6 +++++-
 roles/debian/wazuh/README.md                  |  1 +
 7 files changed, 49 insertions(+), 7 deletions(-)

diff --git a/docs/_Sidebar.md b/docs/_Sidebar.md
index 5a5213a0b..64e7a00dc 100644
--- a/docs/_Sidebar.md
+++ b/docs/_Sidebar.md
@@ -77,7 +77,7 @@
        - [SSL](/roles/debian/ssl)
        - [sudo config](/roles/debian/sudo_config)
        - [Swap](/roles/debian/swap)
-       - [varnish-config](/roles/debian/varnish_config)
+       - [varnish_config](/roles/debian/varnish_config)
        - [wazuh](/roles/debian/wazuh)
      - [Init role](/roles/_init)
      - ["Meta" roles that group individual roles together.](/roles/_meta)
diff --git a/docs/roles/debian/varnish_config.md b/docs/roles/debian/varnish_config.md
index 875136ad8..59483d046 100644
--- a/docs/roles/debian/varnish_config.md
+++ b/docs/roles/debian/varnish_config.md
@@ -1,5 +1,19 @@
-# varnish-config
-Installs and configures Varnish, with 6.4 being the default version. Depends on geerlingguy.varnish which does the setup bit, varnish-config handles the default.vcl file.
+# varnish_config
+Installs and configures Varnish, with 6.4 being the default version. Depends on `geerlingguy.varnish` which does the setup bit, `varnish_config` handles the `default.vcl` file.
+
+You can provide a template override in two locations, they will be checked in this order:
+* `templates` in the same directory as your server's playbook
+* `files/templates` in your `ce-provision-config` repository
+
+If no alternative is found, the `default.vcl.j2` template provided with this role is used. By default the override template is expected to be named `default.vcl.j2`, however if you set `varnish_config.template_filename` you can change this. For example, if you place a template at `files/templates/my-app.v1.vcl.j2` in your config repository, you need to set the variable as follows, note *without* the `.j2` which is implicit:
+
+```yaml
+varnish_config:
+  template_filename: my-app.v1.vcl
+```
+
+This behaviour allows you to manage different Varnish templates for different applications. You may of course provide your own variables in the `varnish_config` dictionary for your custom template.
+
 <!--TOC-->
 <!--ENDTOC-->
 
@@ -23,6 +37,9 @@ varnish_config:
   strip_cookies: (^|;\s*)(_[_a-z]+|has_js|AWSELB|cookie-agreed)=[^;]*
   # List of upstream proxies we trust to set X-Forwarded-For correctly, use either CIDR or list all the IPs.
   upstream_proxies: []
+  # Provide an alternative filename if you are providing a template.
+  template_filename: default.vcl
+
 ```
 
 <!--ENDROLEVARS-->
diff --git a/docs/roles/debian/wazuh.md b/docs/roles/debian/wazuh.md
index e7cba9b35..f6efaa7ca 100644
--- a/docs/roles/debian/wazuh.md
+++ b/docs/roles/debian/wazuh.md
@@ -11,6 +11,7 @@ Supports standalone managers, scaled out services and agent installation (defaul
 ```yaml
 ---
 wazuh:
+  path: wazuh
   #roles_directory: "/path/to/roles" # defaults to /home/controller/.ansible/roles/wazuh-ansible
   branch: "v4.7.2" # wazuh-ansible git branch to checkout - not to be confused with wazuh_version!
   # Agent variables, installed locally by default
diff --git a/roles/debian/varnish_config/README.md b/roles/debian/varnish_config/README.md
index 875136ad8..59483d046 100644
--- a/roles/debian/varnish_config/README.md
+++ b/roles/debian/varnish_config/README.md
@@ -1,5 +1,19 @@
-# varnish-config
-Installs and configures Varnish, with 6.4 being the default version. Depends on geerlingguy.varnish which does the setup bit, varnish-config handles the default.vcl file.
+# varnish_config
+Installs and configures Varnish, with 6.4 being the default version. Depends on `geerlingguy.varnish` which does the setup bit, `varnish_config` handles the `default.vcl` file.
+
+You can provide a template override in two locations, they will be checked in this order:
+* `templates` in the same directory as your server's playbook
+* `files/templates` in your `ce-provision-config` repository
+
+If no alternative is found, the `default.vcl.j2` template provided with this role is used. By default the override template is expected to be named `default.vcl.j2`, however if you set `varnish_config.template_filename` you can change this. For example, if you place a template at `files/templates/my-app.v1.vcl.j2` in your config repository, you need to set the variable as follows, note *without* the `.j2` which is implicit:
+
+```yaml
+varnish_config:
+  template_filename: my-app.v1.vcl
+```
+
+This behaviour allows you to manage different Varnish templates for different applications. You may of course provide your own variables in the `varnish_config` dictionary for your custom template.
+
 <!--TOC-->
 <!--ENDTOC-->
 
@@ -23,6 +37,9 @@ varnish_config:
   strip_cookies: (^|;\s*)(_[_a-z]+|has_js|AWSELB|cookie-agreed)=[^;]*
   # List of upstream proxies we trust to set X-Forwarded-For correctly, use either CIDR or list all the IPs.
   upstream_proxies: []
+  # Provide an alternative filename if you are providing a template.
+  template_filename: default.vcl
+
 ```
 
 <!--ENDROLEVARS-->
diff --git a/roles/debian/varnish_config/defaults/main.yml b/roles/debian/varnish_config/defaults/main.yml
index ef16fcd9a..38f9bd90e 100644
--- a/roles/debian/varnish_config/defaults/main.yml
+++ b/roles/debian/varnish_config/defaults/main.yml
@@ -14,4 +14,6 @@ varnish_config:
   redirect_host_destination: ""
   strip_cookies: (^|;\s*)(_[_a-z]+|has_js|AWSELB|cookie-agreed)=[^;]*
   # List of upstream proxies we trust to set X-Forwarded-For correctly, use either CIDR or list all the IPs.
-  upstream_proxies: []
\ No newline at end of file
+  upstream_proxies: []
+  # Provide an alternative filename if you are providing a template.
+  template_filename: default.vcl
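Review bot: The new comment on `template_filename` does not say that the `.j2` suffix is appended by the task and must be left off the value, which is the one thing a user setting this key is likely to get wrong; the README explains it, but the defaults file is what most people read first. Suggest `# Basename of the VCL template to render, without the .j2 suffix (see README for where overrides are looked up).` in place of the added comment. Leaving the default unquoted is fine here, since `default.vcl` cannot be mistaken for a number or a boolean.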
diff --git a/roles/debian/varnish_config/tasks/main.yml b/roles/debian/varnish_config/tasks/main.yml
index 98f243aa3..d55c23511 100644
--- a/roles/debian/varnish_config/tasks/main.yml
+++ b/roles/debian/varnish_config/tasks/main.yml
@@ -1,11 +1,15 @@
 ---
 - name: Copy Varnish default VCL.
   ansible.builtin.template:
-    src: "default.vcl.j2"
+    src: "{{ item }}"
     dest: "{{ varnish_config_path }}/default.vcl"
     owner: root
     group: root
     mode: 0644
+  with_first_found:
+    - "{{ playbook_dir }}/templates/{{ varnish_config.template_filename }}.j2"
+    - "{{ _ce_provision_base_dir }}/config/files/templates/{{ varnish_config.template_filename }}.j2"
+    - "default.vcl.j2"
   notify:
     - reload systemd
     - restart varnish
\ No newline at end of file
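Review bot: `varnish_config.template_filename` is spliced into two filesystem paths on the new `with_first_found` lines without any check that it is a bare filename, so a value containing a path separator or `..` would make the lookup render a template from outside the `templates` directories the README describes. The variable normally comes from the operator-controlled config repository, so the exposure is limited, but an `ansible.builtin.assert` ahead of the template task would make that contract explicit and fail early with a clear message instead of a confusing lookup error. The task name `Copy Varnish default VCL.` could also be reworded now that it may render a per-application override, e.g. `- name: Render Varnish VCL from the first template found.`. `_ce_provision_base_dir` is presumably set by an earlier role or play; this file does not define it, so a missing value would surface only as an undefined-variable error at lookup time.
```yaml
- name: Validate Varnish template filename.
  ansible.builtin.assert:
    that:
      - varnish_config.template_filename is match('^[A-Za-z0-9._-]+$')
    fail_msg: "varnish_config.template_filename must be a bare filename without path separators."

# … unchanged: template task with with_first_found and notify …
```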
diff --git a/roles/debian/wazuh/README.md b/roles/debian/wazuh/README.md
index e7cba9b35..f6efaa7ca 100644
--- a/roles/debian/wazuh/README.md
+++ b/roles/debian/wazuh/README.md
@@ -11,6 +11,7 @@ Supports standalone managers, scaled out services and agent installation (defaul
 ```yaml
 ---
 wazuh:
+  path: wazuh
   #roles_directory: "/path/to/roles" # defaults to /home/controller/.ansible/roles/wazuh-ansible
   branch: "v4.7.2" # wazuh-ansible git branch to checkout - not to be confused with wazuh_version!
   # Agent variables, installed locally by default

From 78fd1be51489ae02c7b89bd9400d85bffbcaa72c Mon Sep 17 00:00:00 2001
From: gregharvey <greg.harvey@gmail.com>
Date: Fri, 1 Mar 2024 13:34:30 +0100
Subject: [PATCH 2/3] Adding empty line.

---
 roles/debian/varnish_config/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/debian/varnish_config/tasks/main.yml b/roles/debian/varnish_config/tasks/main.yml
index d55c23511..7f8929355 100644
--- a/roles/debian/varnish_config/tasks/main.yml
+++ b/roles/debian/varnish_config/tasks/main.yml
@@ -12,4 +12,4 @@
     - "default.vcl.j2"
   notify:
     - reload systemd
-    - restart varnish
\ No newline at end of file
+    - restart varnish

From 63afa495f65b2c3883aa3c418119b5a93460a455 Mon Sep 17 00:00:00 2001
From: gregharvey <greg.harvey@gmail.com>
Date: Mon, 11 Mar 2024 14:21:22 +0100
Subject: [PATCH 3/3] Minor template changes.

---
 roles/debian/varnish_config/templates/default.vcl.j2 | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/roles/debian/varnish_config/templates/default.vcl.j2 b/roles/debian/varnish_config/templates/default.vcl.j2
index a2a6c480e..d9dd109bf 100644
--- a/roles/debian/varnish_config/templates/default.vcl.j2
+++ b/roles/debian/varnish_config/templates/default.vcl.j2
@@ -24,6 +24,8 @@ acl purge {
 
 # List of upstream proxies we trust to set X-Forwarded-For correctly.
 acl upstream_proxy {
+  "localhost";
+  "127.0.0.1";
 {% for proxy in varnish_config.upstream_proxies %}
   "{{ proxy }}";
 {% endfor %}
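Review bot: The two new entries widen `acl upstream_proxy` to the IPv4 loopback only; a local reverse proxy that reaches Varnish over `::1` would still be untrusted, so `"::1";` is probably wanted alongside `"127.0.0.1";` for consistency (whether `"localhost";` already covers both addresses depends on how this Varnish version resolves names at VCL compile time, which I cannot confirm from here). By its own comment this ACL decides whose `X-Forwarded-For` is believed, so after this change any process able to connect over loopback can set the client address Varnish sees; that is the normal arrangement for a co-located proxy, but it deserves a sentence in the README next to the `upstream_proxies` description. If an operator already lists `127.0.0.1` in `varnish_config.upstream_proxies` the entry will now appear twice; whether Varnish accepts duplicate ACL entries is not visible here, and the code that consumes the ACL is outside the hunk.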
@@ -78,7 +80,7 @@ sub vcl_recv {
     }
   }
 
-{% if varnish_config.redirect_host%}
+{% if varnish_config.redirect_host %}
   if (req.http.host ~ "^{{ varnish_config.redirect_host }}") {
     return (synth (750, ""));
   }