From 4f7387582f0949b8dcb2f5caf53d7aa18a3b4283 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Sachse?= <joerg.sachse@slub-dresden.de>
Date: Fri, 22 Dec 2023 16:21:03 +0100
Subject: [PATCH] fix: create working version of rpcbind configuration

---
 .gitlab-ci.yml              |  4 ++--
 tasks/configure_rpcbind.yml | 14 ++++++++------
 2 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 8ccc1d7..e9fae02 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -15,7 +15,7 @@ default:
 variables:
   SCENARIO: "default"
   # ANSIBLE_VAULT_PASSWORD_FILE: "molecule/lza_server_hardening.pass"
-  ANSIBLE_VAULT_PASSWORD_FILE: "../../../lza_server_hardening.pass"
+  ANSIBLE_VAULT_PASSWORD_FILE: "../lza_server_hardening.pass"
     
 
 test-job:
@@ -26,7 +26,7 @@ test-job:
     - echo "CURRENT PATH= '$(pwd)'" 
     # make sure that Ansible Vaults are present and can be decrypted
     - echo "${VAULT_SERVER_HARDENING}" > ${ANSIBLE_VAULT_PASSWORD_FILE}
-    - export ANSIBLE_VAULT_PASSWORD_FILE
+    - export ANSIBLE_VAULT_PASSWORD_FILE="../../${ANSIBLE_VAULT_PASSWORD_FILE}"
     - tree
     - rm -rf ../ansible_vaults/
     - git clone https://gitlab+deploy-token-25:${VAULT_ACCESS_TOKEN}@git.slub-dresden.de/slub-referat-2-3/ansible_vaults.git ../ansible_vaults/; \
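Review bot: The new `export` line makes the vault password file resolve outside the checkout (the variable is `../lza_server_hardening.pass`, then `../../` is prepended), and nothing in the hunk removes the file the preceding `echo` writes there, so the plaintext vault password is left behind on the runner after the job; a checkout clean-up is unlikely to reach a parent directory. Add an `after_script` step such as `rm -f ../lza_server_hardening.pass`, and set `umask 077` before the `echo` so the file is not created world-readable on a shared runner (the redirection creates it with the default umask, presumably 0644). The `../../` prefix also hard-codes the directory Ansible will later run from; a one-line comment such as `# path is relative to the molecule scenario directory Ansible runs from` (adjust to the actual directory) would spare the next reader the guess. The `script` list starts before this hunk and continues after it.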
diff --git a/tasks/configure_rpcbind.yml b/tasks/configure_rpcbind.yml
index 3a11e29..c8862a7 100644
--- a/tasks/configure_rpcbind.yml
+++ b/tasks/configure_rpcbind.yml
@@ -19,6 +19,7 @@
   ansible.builtin.blockinfile:
     path: "/etc/systemd/system/rpcbind.socket.d/override.conf"
     create: true
+    mode: "0644"
     marker: "### {mark} ANSIBLE MANAGED BLOCK - clear previous settings"
     block: |
       # from `man 5 systemd.socket`:
@@ -34,24 +35,25 @@
   when: rpcbind_installed
   notify: daemon_reload
 
-- name: implement access control in rpcbind socket unit by creating an override - general settings
+- name: implement access control in rpcbind socket unit by creating an override - interface specific settings
   ansible.builtin.blockinfile:
     path: "/etc/systemd/system/rpcbind.socket.d/override.conf"
     create: true
-    marker: ### {mark} ANSIBLE MANAGED BLOCK - allow access for {{ item.source }}
+    mode: "0644"
+    marker: "### {mark} ANSIBLE MANAGED BLOCK - allow access for {{ item.source }}"
     block: |
       ListenStream={{ item.source }}
       ListenDatagram={{ item.source }}
-  loop: "{{ nfs_server_interfaces }}"
+  loop: "{{ vault_nfs_server_interfaces }}"
   when: rpcbind_installed
   notify: daemon_reload
 
 - name: implement rpcbind access control in iptables
   ansible.builtin.iptables:
     action: "insert"
-    chain: "INPUP"
-    comment: "{{ item.comment }}"
+    chain: "INPUT"
+    comment: "allow rpcbind access from {{ item.comment }} for NFSv3"
     source: "{{ item.source }}"
     jump: "ACCEPT"
-  loop: "{{ nfs_server_interfaces }}"
+  loop: "{{ vault_nfs_server_interfaces }}"
   notify: "save iptables rules"
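Review bot: The rewritten iptables task accepts all traffic from each `item.source` — no `protocol` or `destination_port` is set — so the rule is far broader than its new comment "allow rpcbind access … for NFSv3" claims, and because it is `insert`ed at the top of `INPUT` it bypasses every rule below it for that source. Restricting it to rpcbind's port (111, assuming the default; the socket override above sets both `ListenStream` and `ListenDatagram`, so tcp and udp are both needed) is sketched below. The task also lacks the `when: rpcbind_installed` guard that the two blockinfile tasks carry, so rules are inserted on hosts where rpcbind is absent. Separately, neither task removes entries that disappear from `vault_nfs_server_interfaces`: the per-item blockinfile markers and the iptables rules persist until cleaned by hand, so the allow-list can only grow — rendering `override.conf` from a template would keep the file equal to the current list. The socket tasks are only notified with `daemon_reload`; if that handler merely reloads unit files, a running `rpcbind.socket` keeps its old listeners until it is restarted.
```yaml
- name: implement rpcbind access control in iptables
  ansible.builtin.iptables:
    # … unchanged: action, chain, jump …
    protocol: "{{ item.1 }}"
    destination_port: "111"
    comment: "allow rpcbind access from {{ item.0.comment }} for NFSv3"
    source: "{{ item.0.source }}"
  loop: "{{ vault_nfs_server_interfaces | product(['tcp', 'udp']) }}"
  when: rpcbind_installed
  # … unchanged: notify …
```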
-- 
GitLab