[FEATURE REQUEST] Add an exist_environment property

[adamretter]

At the moment, some eXist-db options have been configured for secure operation but several others have not.

I think it would be sensible to add an exist_environment property that could be set to "Development" or "Production", when set to "Production" it would turn on all sensible config options for securing eXist-db in a production environment.

We might also want to choose to add individual options for the blanket option of "Production" to allow users more fine-grained control over their configuration.

[chakl]

no. That would be a meta config option that creates unneeded complexity.

You could create Ansible host groups "my-dev-servers" and "my-prod-servers" and set group defaults to achieve the same. In your Ansible deployment, no need to mess with the role.

[adamretter]

@chakl but the required options don't yet exist in the existdb-ansible-role, so unless I am mistaken, I would still not be able to configure it from the location you suggested

[chakl]

@adamretter what are the "required options"?

[adamretter]

I would yet need to create an exhaustive list... but they include disabling Mail and JNDI modules, adding parameters to the File, Cache, and SQL modules, and also enabling XXE mitigation

[chakl]

I see.. We never felt a need for this, feel free to send a PR

[chakl]

but don't over-engineer :)

and why are these not set to reasonable defaults upstream, so there's no need to turn knobs?

[adamretter]

and why are these not set to reasonable defaults upstream

They are set to reasonable defaults upstream. However, there is of course a difference between running a piece of software for development purposes as opposed to for production purposes.