OPSEXP-3040 Remove urls related vars from group vars

.secrets.baseline

@@ -144,7 +144,7 @@
         "filename": "playbooks/acs.yml",
         "hashed_secret": "0ca8f28152882e5edb182fc3f7d4ae10a5b10dc5",
         "is_verified": false,
-        "line_number": 600
+        "line_number": 605
       }
     ],
     "roles/activemq/molecule/default/tests/test_activemq.py": [
@@ -188,5 +188,5 @@
       }
     ]
   },
-  "generated_at": "2025-03-07T17:17:01Z"
+  "generated_at": "2025-03-10T12:30:17Z"
 }

docs/SECURITY.md

@@ -19,10 +19,10 @@ application is hosted on a domain name which do not match the backend server.
 
 In such circumstances, you can tell the playbook which are these applications by
  adding the client application URL as a group variable in the
-`group_vars/all.yaml` file:
+`playbooks/group_vars/all.yaml` file:
 
 ```yaml
-known_urls:
+acs_play_known_urls:
   - http://app.domain.local/legit
   - https://app.domain.local/legit
 ```
@@ -33,7 +33,7 @@ CSRF is enabled by default and its default configuration is to only allow
 requests from the same `Origin` & `Referer` headers. Any other `Origin` or
 `Referer` will be denied.
 If you want a third party application (often SPA) to be able query the alfresco
-API you need to add it to the list of `known_urls` as shown above.
+API you need to add it to the list of `acs_play_known_urls` as shown above.
 In addition you can also control whether you want to enforce presence of either
 or both of the `Referer` or `Origin` headers. This is turned off by default as
 some browser/clients simply do not provide them. You should not enforce them
@@ -62,7 +62,7 @@ repository_csrf:
 The playbook now enables CORS headers to be sent by the server by default. The
 default policy basically only allows the Same-Origin policy.
 If you want to allow for more origins to query  the Alfresco repository, you
-should make sure they are part of the `known_urls` variable. Any location
+should make sure they are part of the `acs_play_known_urls` variable. Any location
 mentioned in this variable will be automatically to the list of relaxed origins
 for CORS queries. By default they will be allowed tu use any following methods:
 DELETE, GET, HEAD, OPTIONS, POST, PUT. If you want to restrict methods or
@@ -110,10 +110,10 @@ role), and as a consequence will always try to access the repo through the
 itself is accessed using `http://localhost/share/` - it is breaking CORS
 protection. For that reason in order for Share to work, it is mandatory to add
 the URL Share will be accessed from as a `known_urls`. We recommand doing it via
-the `all` group variables in `group_vars/all.yml`:
+the `all` group variables in `playbooks/group_vars/all.yml`:
 
 ```yaml
-known_urls:
+acs_play_known_urls:
   - https://ecm.domain.local/share
 ```
 

docs/deployment-guide.md

@@ -84,7 +84,7 @@ node **and** the target host.
     export NEXUS_PASSWORD="<your-password>"
     ```
 
-8. Make sure to add the `known_urls` variables in the file `group_vars/all.yml`.
+8. Make sure to add the `acs_play_known_urls` variables in the file `playbooks/group_vars/all.yml`.
    It should contain any URL which is allowed to query the repository and the
    first entry MUST be set to the dmain URL used to access Alfresco.
    For example with the default vagrant config:
@@ -230,19 +230,19 @@ playbook for the first time (remove it for the next runs).
 ## Minimal configuration
 
 In order to run the playbook successfully you least to provide *AT LEAST* the
-domain name where the Alfresco applications will be served. The `known_urls` is
+domain name where the Alfresco applications will be served. The `acs_play_known_urls` is
 used for that purpose.  It should contain any URL which is allowed to query the
 repository and the first entry MUST be set to the domain URL used to access
 Alfresco. For example if you plan on using ecm.acme.com as your main domain on
-both https & http, you should set the `group_vars/all.yml` file to:
+both https & http, you should set the `playbooks/group_vars/all.yml` file to:
 
 ```yaml
-known_urls:
+acs_play_known_urls:
   - https://ecm.acme.com/share
   - http://ecm.acme.com/share
 ```
 
-> The `known_urls` variable serves a larger purpose, check the
+> The `acs_play_known_urls` variable serves a larger purpose, check the
 > [SECURITY README](SECURITY.md) for more details.
 
 ## Understanding the playbook
@@ -607,7 +607,7 @@ the `configuration_files/alfresco-global.properties` file.
 
 ### Enable SSL
 
-If you have a FQDN and a certificate you want to use place the certificate and the key in the `configuration_files/ssl_certificates` folder before running the playbook. Also replace the `fqdn_alfresco: "your_domain.com"` with your own domain in `group_vars/all.yml` along with setting `use_ssl: true`.
+If you have a FQDN and a certificate you want to use place the certificate and the key in the `configuration_files/ssl_certificates` folder before running the playbook. Also replace the `acs_play_fqdn_alfresco: "your_domain.com"` with your own domain in `playbooks/group_vars/all.yml` along with setting `acs_play_use_ssl: true`.
 
 > NOTE: The certificate and the key should be named the same as the domain eg: `your_domain.com.key` and `your_domain.com.crt`
 

docs/playbook-upgrade.md

@@ -84,7 +84,7 @@ activemq_password: ""
 
 If you are managing a test environment and don't want to bother manually
 configuring passwords, you can proceed as usual just by setting the
-`autogen_unsecure_secrets` variable to `true` in `group_vars/all.yml`. In this
+`autogen_unsecure_secrets` variable to `true` in `playbooks/group_vars/all.yml`. In this
 way secrets will be auto-generated but will be saved on your file-system in
 plain text as in the previous versions of the playbook.
 

group_vars/all.yml

@@ -1,11 +1 @@
-# REQUIRED: add at least the Share url
-# The first entry will also be used to assume the base URL of this alfresco install
-# For more information please have a look at the
-# [security_doc](https://github.com/Alfresco/alfresco-ansible-deployment/blob/master/docs/SECURITY.md#specify-trustworthy-applications)
-known_urls: []
 acs_play_major_version: 23
-use_ssl: false
-# Put your domain name here if any (e.g. ecm.alfresco.com).
-# Needs to be empty if unused (don't use dummy values)
-fqdn_alfresco: ""
-autogen_unsecure_secrets: false

molecule/default/prepare.yml

@@ -26,7 +26,7 @@
         marker: >-
           # {mark} KNOWN_URLS VAR
         block: |
-          known_urls:
+          acs_play_known_urls:
             - https://{{ node_hostname }}/share/
         path: ../{{ lookup('env', 'MOLECULE_SCENARIO_NAME') }}/host_vars/{{ item }}.yml
       loop: "{{ groups.repository }}"

molecule/identity/prepare.yml

@@ -18,7 +18,7 @@
         marker: >-
           # {mark} KNOWN_URLS VAR
         block: |
-          known_urls:
+          acs_play_known_urls:
             - http://localhost
         path: ../{{ lookup('env', 'MOLECULE_SCENARIO_NAME') }}/host_vars/{{ item }}.yml
       loop: "{{ groups.repository }}"

molecule/pki/host_vars/tls-repo-instance.yaml

@@ -1,6 +1,6 @@
 # placeholder
 ansible_user: ansible
-known_urls:
+acs_play_known_urls:
   - http://localhost:8080/share
 amps: {}
 amp_downloads: []

playbooks/acs.yml

@@ -49,7 +49,7 @@
   tasks:
     - name: Set alfresco_url from first entry of known_urls
       vars:
-        first_known_url: "{{ known_urls | first | default('http://' ~ nginx_host) }}"
+        first_known_url: "{{ acs_play_known_urls | first | default('http://' ~ nginx_host) }}"
       ansible.builtin.set_fact:
         alfresco_url: "{{ first_known_url | urlsplit('scheme') }}://{{ first_known_url | urlsplit('hostname') }}"
     - name: Populate identity_enabled
@@ -137,6 +137,9 @@
   gather_facts: false
   roles:
     - role: "../roles/nginx"
+      vars:
+        nginx_use_ssl: "{{ acs_play_use_ssl }}"
+        nginx_fqdn_alfresco: "{{ acs_play_fqdn_alfresco }}"
   post_tasks:
     - name: Make sure NGINX is running
       become: true
@@ -320,6 +323,8 @@
         java_version: "{{ acs_play_java_version }}"
         repository_trusted_urls: "{{ acs_play_trusted_urls }}"
         repository_default_keystore: "{{ repository_keystore | default({}) }}"
+        repository_use_ssl: "{{ acs_play_use_ssl }}"
+        repository_fqdn_alfresco: "{{ acs_play_fqdn_alfresco }}"
         repository_use_custom_keystores: "{{ acs_play_repository_use_custom_keystores }}"
         repository_properties: "{{ global_properties }}"
         repository_raw_properties: "{{ properties_snippets }}"

playbooks/group_vars/all.yml

@@ -1,3 +1,9 @@
+# REQUIRED: add at least the Share url
+# The first entry will also be used to assume the base URL of this alfresco install
+# For more information please have a look at the
+# [security_doc](https://github.com/Alfresco/alfresco-ansible-deployment/blob/master/docs/SECURITY.md#specify-trustworthy-applications)
+acs_play_known_urls: []
+
 artifacts_repositories:
   enterprise:
     base_url: "https://artifacts.alfresco.com/nexus/content"
@@ -42,5 +48,10 @@ acs_play_sync_db_username: "alfresco-sync"
 # to replace this with a custom keystore place the keystore file in the "configuration_files/keystores" folder
 # and change this flag to true. See the deployment guide for more details.
 acs_play_repository_use_custom_keystores: false
+acs_play_use_ssl: false
+# Put your domain name here if any (e.g. ecm.alfresco.com).
+# Needs to be empty if unused (don't use dummy values)
+acs_play_fqdn_alfresco: ""
 
 ansible_installation_status_file: "/opt/alfresco/.ansible_alfresco_components.status"
+autogen_unsecure_secrets: false

playbooks/group_vars/repository.yml

@@ -58,9 +58,9 @@ acs_play_repository_extra_amp_downloads: []
 #   # as in `mount -o` options
 #   options: _netdev,noatime,nodiratime
 
-acs_play_proto: "{{ 'https' if use_ssl | bool else 'http' }}"
+acs_play_proto: "{{ 'https' if acs_play_use_ssl | bool else 'http' }}"
 acs_play_port: >-
-  {{ ports_cfg.nginx.https if use_ssl | bool else ports_cfg.nginx.http }}
+  {{ ports_cfg.nginx.https if acs_play_use_ssl | bool else ports_cfg.nginx.http }}
 global_properties:
   db:
     url: >-
@@ -69,13 +69,13 @@ global_properties:
     username: "{{ acs_play_repo_db_username }}"
     password: "{{ repo_db_password }}"
   alfresco:
-    host: "{{ fqdn_alfresco | default(known_urls[0] | urlsplit('hostname')) | default(nginx_host) }}"
+    host: "{{ acs_play_fqdn_alfresco | default(acs_play_known_urls[0] | urlsplit('hostname')) | default(nginx_host) }}"
     port: "{{ acs_play_port }}"
     protocol: "{{ acs_play_proto }}"
     cluster:
       enabled: "{{ (groups['repository'] | length > 1 and not (repository_cluster_keepoff | bool)) | lower }}"
   share:
-    host: "{{ fqdn_alfresco | default(known_urls[0] | urlsplit('hostname')) | default(nginx_host) }}"
+    host: "{{ acs_play_fqdn_alfresco | default(acs_play_known_urls[0] | urlsplit('hostname')) | default(nginx_host) }}"
     port: "{{ acs_play_port }}"
     protocol: "{{ acs_play_proto }}"
   messaging:
@@ -85,6 +85,6 @@ global_properties:
       password: "{{ activemq_password }}"
   aos:
     baseUrlOverwrite: >-
-      {{ acs_play_proto }}://{{ fqdn_alfresco | default(nginx_host) }}:{{ acs_play_port }}/alfresco/aos
+      {{ acs_play_proto }}://{{ acs_play_fqdn_alfresco | default(nginx_host) }}:{{ acs_play_port }}/alfresco/aos
 properties_snippets:
   - ../../configuration_files/alfresco-global.properties

playbooks/group_vars/trusted_resource_consumers.yml

@@ -1 +1 @@
-acs_play_trusted_urls: "{{ groups['trusted_resource_consumers'] | map('extract', hostvars) | map(attribute='known_urls', default=[]) | flatten }}"
+acs_play_trusted_urls: "{{ groups['trusted_resource_consumers'] | map('extract', hostvars) | map(attribute='acs_play_known_urls', default=[]) | flatten }}"

playbooks/prerun-checks.yml

@@ -51,10 +51,10 @@
     - name: Check Share security setup
       ansible.builtin.fail:
         msg: |
-          No `known_urls` has been provided to set up Share security.
+          No `acs_play_known_urls` has been provided to set up Share security.
           This is likely to result in a non working Share instance.
           Take a look at the documentation to set it up properly or disable CORS
           https://github.com/Alfresco/alfresco-ansible-deployment/blob/master/docs/SECURITY.md
       when:
-        - known_urls | default([]) | length == 0
+        - acs_play_known_urls | default([]) | length == 0
         - repository_cors.enabled | default(True)

roles/nginx/defaults/main.yml

@@ -5,6 +5,9 @@ nginx_vhosts:
   - listen: "80"
     filename: "alfresco.conf"
 
+nginx_use_ssl: false
+nginx_fqdn_alfresco: ""
+
 # role arguments defaults
 nginx_setup_service: true
 nginx_setup_vhosts: true

roles/nginx/meta/argument_specs.yml

@@ -30,3 +30,11 @@ argument_specs:
         description: Timeout of uploads (client requests read timeout)
         type: str
         default: 20m
+      nginx_use_ssl:
+        description: If the nginx vhosts should be configured to use SSL
+        type: bool
+        default: false
+      nginx_fqdn_alfresco:
+        description: The FQDN of the Alfresco instance
+        type: str
+        default: ""

roles/nginx/tasks/vhosts.yml

@@ -17,7 +17,7 @@
 
     - name: Include ssl vhost if enabled
       ansible.builtin.include_vars: ssl.yml
-      when: use_ssl
+      when: nginx_use_ssl
 
     - name: Add ssl key
       ansible.builtin.template:

roles/nginx/vars/ssl.yml

@@ -1,10 +1,10 @@
 nginx_vhosts:
   - listen: "80"
-    server_name: "{{ fqdn_alfresco }}" # this should be an input from the client
+    server_name: "{{ nginx_fqdn_alfresco }}" # this should be an input from the client
     template: "alfresco_redirect.conf.j2"
     filename: "alfresco.conf"
   - listen: "443"
-    server_name: "{{ fqdn_alfresco }}" # this should be an input from the client
-    filename: "ssl.{{ fqdn_alfresco }}.conf"
-    cert_crt: "{{ fqdn_alfresco }}.crt"
-    cert_key: "{{ fqdn_alfresco }}.key"
+    server_name: "{{ nginx_fqdn_alfresco }}" # this should be an input from the client
+    filename: "ssl.{{ nginx_fqdn_alfresco }}.conf"
+    cert_crt: "{{ nginx_fqdn_alfresco }}.crt"
+    cert_key: "{{ nginx_fqdn_alfresco }}.key"

roles/repository/defaults/main.yml

@@ -12,6 +12,9 @@ repository_acs_environment:
   JAVA_TOOL_OPTIONS:
     - $JAVA_TOOL_OPTIONS
 
+repository_use_ssl: false
+repository_fqdn_alfresco: ""
+
 repository_nexus_username: null
 repository_nexus_password: null
 

roles/repository/meta/argument_specs.yml

@@ -143,3 +143,15 @@ argument_specs:
         elements: str
         description: |
           A list of URLs that are considered trusted by the repository
+      repository_use_ssl:
+        type: bool
+        required: false
+        default: false
+        description: |
+          Whether to enable SSL or not
+      repository_fqdn_alfresco:
+        type: str
+        required: false
+        default: ""
+        description: |
+          The FQDN of the Alfresco instance

roles/repository/molecule/default/host_vars/repository-instance.yml

@@ -1,9 +1,6 @@
 ---
 ansible_user: ansible
 bssrf_protection_enabled: true
-known_urls:
-  - http://localhost:8080/share
-  - https://someotherapp/
 cs_storage:
   type: tmpfs
   device: none
@@ -31,9 +28,9 @@ repository_acs_environment:
 repository_db_name: "alfresco"
 repository_db_username: "alfresco"
 
-acs_play_proto: "{{ 'https' if use_ssl | bool else 'http' }}"
+acs_play_proto: "{{ 'https' if repository_use_ssl | bool else 'http' }}"
 acs_play_port: >-
-  {{ ports_cfg.nginx.https if use_ssl | bool else ports_cfg.nginx.http }}
+  {{ ports_cfg.nginx.https if repository_use_ssl | bool else ports_cfg.nginx.http }}
 global_properties:
   authentication:
     protection:

roles/repository/templates/alfresco-global.properties.j2

@@ -56,7 +56,7 @@ transform.service.url={{ ats_proto() }}://{{ trouter_host }}:{{ ports_cfg.transf
 sfs.url={{ ats_proto() }}://{{ sfs_host }}:{{ ports_cfg.sfs.http }}
 {% endif %}
 
-dsync.service.uris={% if use_ssl | bool %}https{% else %}http{% endif %}://{% if fqdn_alfresco %}{{ fqdn_alfresco }}{% else %}{{ nginx_host }}{% endif %}:{% if use_ssl | bool %}{{ ports_cfg.nginx.https }}{% else %}{{ ports_cfg.nginx.http }}{% endif %}/alfresco
+dsync.service.uris={% if repository_use_ssl | bool %}https{% else %}http{% endif %}://{% if repository_fqdn_alfresco %}{{ repository_fqdn_alfresco }}{% else %}{{ nginx_host }}{% endif %}:{% if repository_use_ssl | bool %}{{ ports_cfg.nginx.https }}{% else %}{{ ports_cfg.nginx.http }}{% endif %}/alfresco
 
 # CSRF filter overrides
 {% import 'xorigins_macros.j2' as _xorigins_protection %}

roles/repository/vars/main.yml

@@ -7,6 +7,6 @@ repository_share_templates:
   - share-config-custom.xml
   - smartfolders-amp-actions-config.xml
 
-repository_protocol: "{{ 'https' if use_ssl | bool else 'http' }}"
+repository_protocol: "{{ 'https' if repository_use_ssl | bool else 'http' }}"
 repository_host: "{{ nginx_host }}"
-repository_port: "{{ ports_cfg.nginx.https if use_ssl | bool else ports_cfg.nginx.http }}"
+repository_port: "{{ ports_cfg.nginx.https if repository_use_ssl | bool else ports_cfg.nginx.http }}"

roles/sync/molecule/default/host_vars/syncservice-instance.yml

@@ -1,6 +1,4 @@
 ansible_user: ansible
-known_urls:
-  - http://localhost/share
 
 repository_db_name: "alfresco"
 repository_db_username: "alfresco"

scripts/vagrant_provision.sh

@@ -3,4 +3,4 @@ curl https://raw.githubusercontent.com/pypa/pipenv/master/get-pipenv.py | python
 cd /vagrant
 python3 -m pipenv install --deploy
 python3 -m pipenv run ansible-galaxy install -r requirements.yml
-python3 -m pipenv run ansible-playbook -i inventory_local.yml -e "autogen_unsecure_secrets=true" -e "known_urls=[http://localhost]" playbooks/acs.yml
+python3 -m pipenv run ansible-playbook -i inventory_local.yml -e "autogen_unsecure_secrets=true" -e "acs_play_known_urls=[http://localhost]" playbooks/acs.yml

tests/test-ssl.yml

@@ -1,3 +1,3 @@
 ---
-use_ssl: true
-fqdn_alfresco: "TEST_FQDN"
+acs_play_use_ssl: true
+acs_play_fqdn_alfresco: "TEST_FQDN"