subspace 3.0.20 → 3.0.22

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 60535a3d51d04728b59132a9a0db1ca1c4e13fb61a912daa0c507d74af77ba3c
-  data.tar.gz: ddeb0f458623dd033215b7ee6c72710da921d653d6bbcf43cdee54e7772bfd55
+  metadata.gz: e12ca8ad07d7bc9ef0a4eed0d52be0f1ffa6cac408cd0acb52da0cfb994ea9f1
+  data.tar.gz: '082166c447bb6dcb58a71599167ed69d23ed3cd9dd13ccb1bd34a9eb1039d7c8'
 SHA512:
-  metadata.gz: 5022d270ed1eba11e31d7a61aedb9a8744b40075b0d7b7670be57f6bee4e1f7c3c813bd38b4d86f39fef333701b3f97d47c5e441dc87123cb61aad8d4d5e3884
-  data.tar.gz: bbefbc1564cac47009312fc388d0786d3de8361f41e21cac4005c3068c62940c021c068cc47512e749a72fbe1b1813b2a2d6f494e5e56550b8ad10a73e548a78
+  metadata.gz: 323f2f1acd128d1f4f7c5080bea4263580f77d837a24aa2359d3c4d865c10533978214ea444c365dadb9f8800feb7fa8175f597b0679978bbb33f35994ba1138
+  data.tar.gz: 1eb77a6dcfc4df830e6d5e223cc2d3f48ac48444955bc3a56916997b17b412e2920af98624ed3b119d5f583c819a504bc74aa40b822f3135af51b67c14030026

data/CHANGELOG.md

@@ -12,6 +12,12 @@ This project attempts to follow [semantic versioning](https://semver.org/).
 
 ## Unreleased
 
+## 3.0.22
+  * Switch nginx from ppa:ondrej/nginx to official nginx.org repository.
+
+## 3.0.21
+  * Add gem-patch-report role. Sends stats for each vulnerable gem fixed since the start of the month.
+
 ## 3.0.20
   * Update postgresql-client role to get the actual psql database version instead of the local client version
 

data/ansible/roles/common/tasks/main.yml

@@ -62,6 +62,46 @@
     tags:
       - maintenance
 
+  - name: Remove ppa:ondrej/nginx apt repository
+    apt_repository:
+      repo: ppa:ondrej/nginx
+      state: absent
+    become: true
+
+  - name: Install nginx repo prerequisites
+    apt:
+      pkg:
+        - curl
+        - gnupg2
+        - ca-certificates
+        - lsb-release
+        - ubuntu-keyring
+      state: present
+    become: true
+
+  - name: Import official nginx signing key
+    shell: curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor > /usr/share/keyrings/nginx-archive-keyring.gpg
+    args:
+      creates: /usr/share/keyrings/nginx-archive-keyring.gpg
+    become: true
+
+  - name: Add official nginx.org stable apt repository
+    apt_repository:
+      repo: "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://nginx.org/packages/ubuntu {{ ansible_distribution_release }} nginx"
+      filename: nginx
+      state: present
+    become: true
+
+  - name: Pin nginx.org packages over distribution packages
+    copy:
+      content: |
+        Package: *
+        Pin: origin nginx.org
+        Pin: release o=nginx
+        Pin-Priority: 900
+      dest: /etc/apt/preferences.d/99nginx
+    become: true
+
   - name: apt-get update
     apt: update_cache=yes cache_valid_time=86400
     become: true
@@ -84,10 +124,6 @@
       state: latest
       update_cache: yes
 
-  - name: Add ppa:ondrej/nginx apt repository for TLS 1.3
-    apt_repository:
-      repo: ppa:ondrej/nginx
-
   - name: /usr/lib/update-notifier/apt-check --human-readable
     command: /usr/lib/update-notifier/apt-check --human-readable
     tags:

data/ansible/roles/gem-patch-report/README.md

@@ -0,0 +1,137 @@
+# Gem Patch Report Role
+
+This Ansible role generates reports on Ruby gems that had security vulnerabilities at the beginning of the current month and have since been patched. It compares the Gemfile.lock from the start of the month (retrieved from the Capistrano git repo) against the current Gemfile.lock using bundle-audit, and reports only the gems that have been fixed.
+
+## Requirements
+
+- Ruby application deployed with Capistrano (requires the `repo/` directory)
+- bundler-audit gem (automatically installed if missing)
+- Stats server configuration (same as other subspace roles)
+
+## Role Variables
+
+Available variables with their default values:
+
+```yaml
+# Path to the Rails/Ruby application (Capistrano current symlink)
+gem_patch_report_app_path: "/u/apps/{{project_name}}/current"
+
+# Required for stats reporting (inherited from other roles)
+send_stats: false
+stats_url: ""
+stats_api_key: ""
+hostname: ""
+```
+
+## Usage
+
+1. Enable the role in your playbook:
+   ```yaml
+   roles:
+     - gem-patch-report
+   ```
+
+2. Configure the required variables:
+   ```yaml
+   send_stats: true
+   stats_url: "https://your-stats-server.com/api/stats"
+   stats_api_key: "your-api-key"
+   ```
+
+## How It Works
+
+1. Retrieves the Gemfile.lock from the last commit before the 1st of the current month using the Capistrano bare git repo at `<deploy_to>/repo/`
+2. Runs `bundle-audit` against both the old and current Gemfile.lock
+3. Compares the results to identify vulnerabilities that existed at the start of the month but are no longer present (i.e. patched)
+4. Outputs a report containing only the patched gems
+
+## Bundle-Audit Input Format
+
+The role processes JSON output from `bundle-audit check --format json`. Here's the simplified structure:
+
+```json
+{
+  "version": "0.9.2",
+  "created_at": "2026-03-06 12:16:58 -0600",
+  "results": [
+    {
+      "type": "unpatched_gem",
+      "gem": {
+        "name": "nokogiri",
+        "version": "1.18.9"
+      },
+      "advisory": {
+        "id": "GHSA-wx95-c6cv-8532",
+        "title": "Nokogiri does not check the return value from xmlC14NExecute",
+        "criticality": "medium",
+        "cve": null,
+        "patched_versions": [">= 1.19.1"]
+      }
+    }
+  ]
+}
+```
+
+### Key Fields Used
+
+The role extracts data from these fields:
+- `results[].type` - Filters for `"unpatched_gem"`
+- `results[].gem.name` - Gem name
+- `results[].gem.version` - Vulnerable version
+- `results[].advisory.id` - Advisory ID (CVE, GHSA, etc.)
+- `results[].advisory.criticality` - Severity level
+
+## Report Format
+
+The role generates a JSON array of gems that were patched during the current month. If a gem had multiple advisories that were all fixed, each advisory appears as its own entry.
+
+```json
+[
+  {
+    "name": "activestorage",
+    "version": "8.0.2.1",
+    "current_version": "8.0.4.1",
+    "advisory_id": "CVE-2026-33658",
+    "criticality": null
+  },
+  {
+    "name": "bcrypt",
+    "version": "3.1.20",
+    "current_version": "3.1.22",
+    "advisory_id": "CVE-2026-33306",
+    "criticality": null
+  },
+  {
+    "name": "devise",
+    "version": "4.9.4",
+    "current_version": "5.0.3",
+    "advisory_id": "CVE-2026-32700",
+    "criticality": null
+  }
+]
+```
+
+### Gem Objects
+
+Each gem object contains:
+- `name`: The gem name
+- `version`: The vulnerable version from the start of the month
+- `current_version`: The current patched version (parsed from the current Gemfile.lock)
+- `advisory_id`: The security advisory ID (CVE, GHSA, etc.)
+- `criticality`: The severity level (low, medium, high, critical, or null if not specified)
+
+## Tags
+
+This role supports the following tags:
+- `maintenance`
+- `stats`
+- `gem-patch-report`
+
+## Error Handling
+
+The role includes error handling for common scenarios:
+- Missing Gemfile.lock
+- No git history before the current month
+- bundle-audit execution failures
+
+Errors are logged but don't fail the entire playbook execution. If no patched gems are found, an empty array `[]` is reported.

data/ansible/roles/gem-patch-report/defaults/main.yml

@@ -0,0 +1,2 @@
+---
+gem_patch_report_app_path: "/u/apps/{{project_name}}/current"

data/ansible/roles/gem-patch-report/tasks/main.yml

@@ -0,0 +1,89 @@
+---
+- name: Check if gem patch reporting is enabled and required variables are set
+  debug:
+    msg: "Gem patch reporting is enabled"
+  when: send_stats == true and stats_url is defined and stats_api_key is defined
+  tags:
+    - maintenance
+    - stats
+    - gem-patch-report
+
+- name: Install bundler-audit gem globally
+  gem:
+    name: bundler-audit
+    state: present
+    user_install: false
+  become: true
+  when: send_stats == true and stats_url is defined and stats_api_key is defined
+  tags:
+    - maintenance
+    - stats
+    - gem-patch-report
+
+- name: Generate gem patch report script
+  template:
+    src: gem-patch-report.sh.j2
+    dest: /tmp/gem-patch-report.sh
+    mode: '0755'
+  when: send_stats == true and stats_url is defined and stats_api_key is defined
+  tags:
+    - maintenance
+    - stats
+    - gem-patch-report
+
+- name: Run gem patch report script
+  shell: /tmp/gem-patch-report.sh
+  register: gem_patch_report_result
+  become: true
+  when: send_stats == true and stats_url is defined and stats_api_key is defined
+  tags:
+    - maintenance
+    - stats
+    - gem-patch-report
+  ignore_errors: yes
+
+- name: Read gem patch report file
+  slurp:
+    src: /tmp/gem-patch-report.json
+  register: gem_patch_report_file
+  when: send_stats == true and stats_url is defined and stats_api_key is defined
+  tags:
+    - maintenance
+    - stats
+    - gem-patch-report
+  ignore_errors: yes
+
+- name: Send gem patch report to stats server
+  uri:
+    url: "{{ stats_url }}"
+    method: POST
+    headers:
+      X-API-Version: 1
+      X-Client-Api-key: "{{ stats_api_key }}"
+    body_format: json
+    body:
+      client_stat:
+        stat_type: gem_patch_report
+        value: "{{ (gem_patch_report_file.content | b64decode) | from_json }}"
+        hostname: "{{ hostname }}"
+  when: send_stats == true and stats_url is defined and stats_api_key is defined and gem_patch_report_file is defined and gem_patch_report_file is not failed
+  tags:
+    - maintenance
+    - stats
+    - gem-patch-report
+  ignore_errors: yes
+
+- name: Clean up temporary gem patch report files
+  file:
+    path: "{{ item }}"
+    state: absent
+  become: true
+  loop:
+    - /tmp/gem-patch-report.sh
+    - /tmp/gem-patch-report.json
+  when: send_stats == true and stats_url is defined and stats_api_key is defined
+  tags:
+    - maintenance
+    - stats
+    - gem-patch-report
+  ignore_errors: yes

data/ansible/roles/gem-patch-report/templates/gem-patch-report.sh.j2

@@ -0,0 +1,114 @@
+#!/bin/bash
+
+APP_PATH="{{ gem_patch_report_app_path }}"
+DEPLOY_DIR=$(cd "$APP_PATH" && cd .. && pwd)
+REPO_DIR="$DEPLOY_DIR/repo"
+TEMP_DIR="/tmp/gem-patch-report-$$"
+REPORT_FILE="$TEMP_DIR/report.json"
+OLD_AUDIT_FILE="$TEMP_DIR/audit_old.json"
+CURRENT_AUDIT_FILE="$TEMP_DIR/audit_current.json"
+OLD_GEMFILE_LOCK="$APP_PATH/Gemfile.lock.old"
+
+# Create temp directory
+mkdir -p "$TEMP_DIR"
+
+# Check if current Gemfile.lock exists
+if [ ! -f "$APP_PATH/Gemfile.lock" ]; then
+    echo '[]' > /tmp/gem-patch-report.json
+    rm -rf "$TEMP_DIR"
+    exit 0
+fi
+
+# Update bundle-audit advisory database
+cd "$APP_PATH"
+bundle exec bundle-audit update 2>/dev/null || true
+
+# Get old Gemfile.lock from the beginning of the month
+FIRST_OF_MONTH=$(date +"%Y-%m-01")
+OLD_COMMIT=$(git -c safe.directory="$REPO_DIR" --git-dir="$REPO_DIR" log --all --before="$FIRST_OF_MONTH" -1 --format="%H" -- Gemfile.lock 2>/dev/null)
+
+if [ -z "$OLD_COMMIT" ]; then
+    # No commit before this month, nothing to compare
+    echo '[]' > /tmp/gem-patch-report.json
+    rm -rf "$TEMP_DIR"
+    exit 0
+fi
+
+git -c safe.directory="$REPO_DIR" --git-dir="$REPO_DIR" show "${OLD_COMMIT}:Gemfile.lock" > "$OLD_GEMFILE_LOCK"
+
+# Run bundle-audit on the old Gemfile.lock
+# bundle-audit exits non-zero when vulnerabilities are found, so ignore the exit code
+bundle exec bundle-audit check --gemfile-lock Gemfile.lock.old --format json > "$OLD_AUDIT_FILE" 2>/dev/null || true
+
+# Run bundle-audit on current Gemfile.lock
+bundle exec bundle-audit check --format json > "$CURRENT_AUDIT_FILE" 2>/dev/null || true
+
+# Set environment variables for Ruby script
+export OLD_AUDIT_FILE="$OLD_AUDIT_FILE"
+export CURRENT_AUDIT_FILE="$CURRENT_AUDIT_FILE"
+export CURRENT_GEMFILE_LOCK="$APP_PATH/Gemfile.lock"
+
+# Generate patch report using Ruby
+ruby << 'RUBY' > "$REPORT_FILE"
+require 'json'
+require 'set'
+
+begin
+  old_audit = JSON.parse(File.read(ENV['OLD_AUDIT_FILE']))
+  current_audit = JSON.parse(File.read(ENV['CURRENT_AUDIT_FILE']))
+
+  old_results = old_audit['results'] || []
+  current_results = current_audit['results'] || []
+
+  # Build a set of current vulnerability keys (gem name + advisory id)
+  current_vuln_keys = current_results
+    .select { |r| r['type'] == 'unpatched_gem' && r['gem'] && r['advisory'] }
+    .map { |r| "#{r['gem']['name']}:#{r['advisory']['id']}" }
+    .to_set
+
+  # Parse current Gemfile.lock to get current gem versions
+  current_versions = {}
+  gemfile_lock = File.read(ENV['CURRENT_GEMFILE_LOCK']) rescue ''
+  in_specs = false
+  gemfile_lock.each_line do |line|
+    if line.strip == 'specs:'
+      in_specs = true
+      next
+    end
+    if in_specs
+      if line =~ /^\s{4}(\S+)\s+\(([^)]+)\)/
+        current_versions[$1] = $2
+      elsif line !~ /^\s/
+        in_specs = false
+      end
+    end
+  end
+
+  # Only include gems that were vulnerable at start of month but are now patched
+  patched_gems = old_results
+    .select { |r| r['type'] == 'unpatched_gem' && r['gem'] && r['advisory'] }
+    .reject { |r| current_vuln_keys.include?("#{r['gem']['name']}:#{r['advisory']['id']}") }
+    .map { |r|
+      {
+        'name' => r['gem']['name'],
+        'version' => r['gem']['version'],
+        'current_version' => current_versions[r['gem']['name']] || 'unknown',
+        'advisory_id' => r['advisory']['id'],
+        'criticality' => r['advisory']['criticality']
+      }
+    }
+    .sort_by { |g| [g['name'], g['advisory_id']] }
+
+  puts JSON.pretty_generate(patched_gems)
+
+rescue JSON::ParserError => e
+  puts '[]'
+rescue => e
+  puts '[]'
+end
+RUBY
+
+# Copy report to known location and clean up
+cp "$REPORT_FILE" /tmp/gem-patch-report.json
+rm -rf "$TEMP_DIR"
+rm -f "$OLD_GEMFILE_LOCK"

data/ansible/roles/nginx/tasks/main.yml

@@ -1,17 +1,64 @@
-- name: Install nginx
-  apt: pkg=nginx state=latest
+- name: Remove ondrej nginx packages before switching to official repo
+  apt:
+    pkg:
+      - nginx
+      - nginx-common
+      - nginx-core
+      - nginx-full
+    state: absent
+    purge: no
   become: true
 
-- name: Disable Server tokens
-  lineinfile:
-    path: /etc/nginx/nginx.conf
-    regexp: '# server_tokens off'
-    line: "\tserver_tokens off;"
+- name: Install nginx from official repo
+  apt:
+    pkg: nginx
+    state: latest
+    update_cache: yes
+  become: true
 
-- name: Remove the default app
+- name: Remove default nginx config files
   file:
-    path: /etc/nginx/sites-enabled/default
+    path: "{{ item }}"
     state: absent
+  loop:
+    - /etc/nginx/sites-enabled/default
+    - /etc/nginx/conf.d/default.conf
+  become: true
+
+- name: Ensure sites-available directory exists
+  file:
+    path: /etc/nginx/sites-available
+    state: directory
+    owner: root
+    group: root
+    mode: '0755'
+  become: true
+
+- name: Ensure sites-enabled directory exists
+  file:
+    path: /etc/nginx/sites-enabled
+    state: directory
+    owner: root
+    group: root
+    mode: '0755'
+  become: true
+
+- name: Ensure modules-enabled directory exists
+  file:
+    path: /etc/nginx/modules-enabled
+    state: directory
+    owner: root
+    group: root
+    mode: '0755'
+  become: true
+
+- name: Deploy nginx.conf
+  template:
+    src: nginx.conf
+    dest: /etc/nginx/nginx.conf
+    owner: root
+    group: root
+    mode: '0644'
   become: true
 
 - name: "Configure rails projects"

data/ansible/roles/nginx/templates/nginx.conf

@@ -0,0 +1,29 @@
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+error_log /var/log/nginx/error.log;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+	worker_connections 768;
+}
+
+http {
+	sendfile on;
+	tcp_nopush on;
+	types_hash_max_size 2048;
+	server_tokens off;
+
+	include /etc/nginx/mime.types;
+	default_type application/octet-stream;
+
+	ssl_protocols TLSv1.2 TLSv1.3;
+	ssl_prefer_server_ciphers on;
+
+	access_log /var/log/nginx/access.log;
+
+	gzip on;
+
+	include /etc/nginx/conf.d/*.conf;
+	include /etc/nginx/sites-enabled/*;
+}

data/lib/subspace/version.rb

@@ -1,3 +1,3 @@
 module Subspace
-  VERSION = "3.0.20"
+  VERSION = "3.0.22"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: subspace
 version: !ruby/object:Gem::Version
-  version: 3.0.20
+  version: 3.0.22
 platform: ruby
 authors:
 - Brian Samson
@@ -153,6 +153,10 @@ files:
 - ansible/roles/delayed_job/tasks/main.yml
 - ansible/roles/delayed_job/templates/delayed-job-monit-rc
 - ansible/roles/delayed_job/templates/delayed-job-systemd.service
+- ansible/roles/gem-patch-report/README.md
+- ansible/roles/gem-patch-report/defaults/main.yml
+- ansible/roles/gem-patch-report/tasks/main.yml
+- ansible/roles/gem-patch-report/templates/gem-patch-report.sh.j2
 - ansible/roles/letsencrypt/defaults/main.yml
 - ansible/roles/letsencrypt/tasks/legacy.yml
 - ansible/roles/letsencrypt/tasks/main.yml
@@ -188,6 +192,7 @@ files:
 - ansible/roles/nginx/defaults/main.yml
 - ansible/roles/nginx/handlers/main.yml
 - ansible/roles/nginx/tasks/main.yml
+- ansible/roles/nginx/templates/nginx.conf
 - ansible/roles/nginx/templates/status
 - ansible/roles/nodejs/tasks/main.yml
 - ansible/roles/papertrail/tasks/main.yml
@@ -326,7 +331,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 4.0.8
+rubygems_version: 4.0.10
 specification_version: 4
 summary: Ansible-based server provisioning for rails projects
 test_files: []