roles: use fully qualified module names

This commit is contained in:
Alan Orth 2022-09-10 18:09:12 +03:00
parent 92a4c72809
commit 587bd6dcdd
31 changed files with 173 additions and 173 deletions


@ -1,23 +1,23 @@
--- ---
# file: roles/common/handlers/main.yml # ansible.builtin.file: roles/common/handlers/main.yml
- name: reload sshd - name: reload sshd
systemd: name={{ sshd_service_name }} state=reloaded ansible.builtin.systemd: name={{ sshd_service_name }} state=reloaded
- name: reload sysctl - name: reload sysctl
command: sysctl -p /etc/sysctl.conf command: sysctl -p /etc/sysctl.conf
- name: restart firewalld - name: restart firewalld
systemd: name=firewalld state=restarted ansible.builtin.systemd: name=firewalld state=restarted
- name: reload systemd - name: reload systemd
systemd: daemon_reload=yes ansible.builtin.systemd: daemon_reload=yes
- name: restart nftables - name: restart nftables
systemd: name=nftables state=restarted ansible.builtin.systemd: name=nftables state=restarted
# 2021-09-28: note to self to keep fail2ban at the end, as handlers are executed # 2021-09-28: note to self to keep fail2ban at the end, as handlers are executed
# in the order they are defined, not in the order they are listed in the task's # in the order they are defined, not in the order they are listed in the task's
# notify statement and we must restart fail2ban after updating the firewall. # notify statement and we must restart fail2ban after updating the firewall.
- name: restart fail2ban - name: restart fail2ban
systemd: name=fail2ban state=restarted ansible.builtin.systemd: name=fail2ban state=restarted
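Review bot: The mechanical rename also rewrote the header comment on the second line of the hunk, turning `# file: roles/common/handlers/main.yml` into `# ansible.builtin.file: roles/common/handlers/main.yml`; `file` there was a path label, not the module name. Restore the comment to `# file: roles/common/handlers/main.yml`. Since the replacement looks scripted, it is worth grepping the other changed files for the same word inside comments and task names before merging.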


@ -1,12 +1,12 @@
--- ---
- name: Configure cron-apt (config) - name: Configure cron-apt (config)
copy: src={{ item.src }} dest={{ item.dest }} mode={{ item.mode }} owner={{ item.owner }} group={{ item.group }} ansible.builtin.copy: src={{ item.src }} dest={{ item.dest }} mode={{ item.mode }} owner={{ item.owner }} group={{ item.group }}
loop: loop:
- { src: 'etc/cron-apt/config', dest: '/etc/cron-apt/config', mode: '0644', owner: 'root', group: 'root' } - { src: 'etc/cron-apt/config', dest: '/etc/cron-apt/config', mode: '0644', owner: 'root', group: 'root' }
- { src: 'etc/cron-apt/3-download', dest: '/etc/cron-apt/action.d/3-download', mode: '0644', owner: 'root', group: 'root' } - { src: 'etc/cron-apt/3-download', dest: '/etc/cron-apt/action.d/3-download', mode: '0644', owner: 'root', group: 'root' }
- name: Configure cron-apt (security) - name: Configure cron-apt (security)
template: src=security.sources.list.j2 dest=/etc/apt/security.sources.list mode=0644 owner=root group=root ansible.builtin.template: src=security.sources.list.j2 dest=/etc/apt/security.sources.list mode=0644 owner=root group=root
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:


@ -1,25 +1,25 @@
--- ---
- name: Configure fail2ban sshd filter - name: Configure fail2ban sshd filter
template: src=etc/fail2ban/jail.d/sshd.local.j2 dest=/etc/fail2ban/jail.d/sshd.local owner=root mode=0644 ansible.builtin.template: src=etc/fail2ban/jail.d/sshd.local.j2 dest=/etc/fail2ban/jail.d/sshd.local owner=root mode=0644
notify: restart fail2ban notify: restart fail2ban
- name: Configure fail2ban nginx filter - name: Configure fail2ban nginx filter
when: "extra_fail2ban_filters is defined and 'nginx' in extra_fail2ban_filters" when: "extra_fail2ban_filters is defined and 'nginx' in extra_fail2ban_filters"
template: src=etc/fail2ban/jail.d/nginx.local.j2 dest=/etc/fail2ban/jail.d/nginx.local owner=root mode=0644 ansible.builtin.template: src=etc/fail2ban/jail.d/nginx.local.j2 dest=/etc/fail2ban/jail.d/nginx.local owner=root mode=0644
notify: restart fail2ban notify: restart fail2ban
- name: Create fail2ban service override directory - name: Create fail2ban service override directory
file: path=/etc/systemd/system/fail2ban.service.d state=directory owner=root mode=0755 ansible.builtin.file: path=/etc/systemd/system/fail2ban.service.d state=directory owner=root mode=0755
# See Arch Linux's example: https://wiki.archlinux.org/index.php/Fail2ban # See Arch Linux's example: https://wiki.archlinux.org/index.php/Fail2ban
- name: Configure fail2ban service override - name: Configure fail2ban service override
template: src=etc/systemd/system/fail2ban.service.d/override.conf.j2 dest=/etc/systemd/system/fail2ban.service.d/override.conf owner=root mode=0644 ansible.builtin.template: src=etc/systemd/system/fail2ban.service.d/override.conf.j2 dest=/etc/systemd/system/fail2ban.service.d/override.conf owner=root mode=0644
notify: notify:
- reload systemd - reload systemd
- restart fail2ban - restart fail2ban
- name: Start and enable fail2ban service - name: Start and enable fail2ban service
systemd: name=fail2ban state=started enabled=yes ansible.builtin.systemd: name=fail2ban state=started enabled=yes
# vim: set sw=2 ts=2: # vim: set sw=2 ts=2:


@ -5,7 +5,7 @@
- block: - block:
- name: Set Debian firewall packages - name: Set Debian firewall packages
when: ansible_distribution_major_version is version('10', '<=') when: ansible_distribution_major_version is version('10', '<=')
set_fact: ansible.builtin.set_fact:
debian_firewall_packages: debian_firewall_packages:
- firewalld - firewalld
- tidy - tidy
@ -14,7 +14,7 @@
- name: Set Debian firewall packages - name: Set Debian firewall packages
when: ansible_distribution_major_version is version('11', '>=') when: ansible_distribution_major_version is version('11', '>=')
set_fact: ansible.builtin.set_fact:
debian_firewall_packages: debian_firewall_packages:
- fail2ban - fail2ban
- libnet-ip-perl # for aggregate-cidr-addresses.pl - libnet-ip-perl # for aggregate-cidr-addresses.pl
@ -23,26 +23,26 @@
- curl # for nftables update scripts - curl # for nftables update scripts
- name: Install firewall packages - name: Install firewall packages
apt: pkg={{ debian_firewall_packages }} state=present cache_valid_time=3600 ansible.builtin.apt: pkg={{ debian_firewall_packages }} state=present cache_valid_time=3600
- name: Remove iptables on newer Debian - name: Remove iptables on newer Debian
when: ansible_distribution_major_version is version('11', '>=') when: ansible_distribution_major_version is version('11', '>=')
apt: pkg=iptables state=absent ansible.builtin.apt: pkg=iptables state=absent
- name: Copy nftables.conf - name: Copy nftables.conf
when: ansible_distribution_major_version is version('11', '>=') when: ansible_distribution_major_version is version('11', '>=')
template: src=nftables.conf.j2 dest=/etc/nftables.conf owner=root mode=0644 ansible.builtin.template: src=nftables.conf.j2 dest=/etc/nftables.conf owner=root mode=0644
notify: notify:
- restart nftables - restart nftables
- restart fail2ban - restart fail2ban
- name: Create /etc/nftables extra config directory - name: Create /etc/nftables extra config directory
when: ansible_distribution_major_version is version('11', '>=') when: ansible_distribution_major_version is version('11', '>=')
file: path=/etc/nftables state=directory owner=root mode=0755 ansible.builtin.file: path=/etc/nftables state=directory owner=root mode=0755
- name: Copy extra nftables configuration files - name: Copy extra nftables configuration files
when: ansible_distribution_major_version is version('11', '>=') when: ansible_distribution_major_version is version('11', '>=')
copy: src={{ item.src }} dest=/etc/nftables/{{ item.src }} owner=root group=root mode=0644 force={{ item.force }} ansible.builtin.copy: src={{ item.src }} dest=/etc/nftables/{{ item.src }} owner=root group=root mode=0644 force={{ item.force }}
loop: loop:
- { src: "spamhaus-ipv4.nft", force: "no" } - { src: "spamhaus-ipv4.nft", force: "no" }
- { src: "spamhaus-ipv6.nft", force: "no" } - { src: "spamhaus-ipv6.nft", force: "no" }
@ -55,7 +55,7 @@
- name: Use iptables backend in firewalld - name: Use iptables backend in firewalld
when: ansible_distribution_major_version is version('10', '==') when: ansible_distribution_major_version is version('10', '==')
lineinfile: ansible.builtin.lineinfile:
dest: /etc/firewalld/firewalld.conf dest: /etc/firewalld/firewalld.conf
regexp: '^FirewallBackend=nftables$' regexp: '^FirewallBackend=nftables$'
line: 'FirewallBackend=iptables' line: 'FirewallBackend=iptables'
@ -68,7 +68,7 @@
# See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931722 # See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931722
- name: Use individual iptables calls - name: Use individual iptables calls
when: ansible_distribution_major_version is version('10', '==') when: ansible_distribution_major_version is version('10', '==')
lineinfile: ansible.builtin.lineinfile:
dest: /etc/firewalld/firewalld.conf dest: /etc/firewalld/firewalld.conf
regexp: '^IndividualCalls=no$' regexp: '^IndividualCalls=no$'
line: 'IndividualCalls=yes' line: 'IndividualCalls=yes'
@ -78,7 +78,7 @@
- name: Copy firewalld public zone file - name: Copy firewalld public zone file
when: ansible_distribution_major_version is version('10', '<=') when: ansible_distribution_major_version is version('10', '<=')
template: src=public.xml.j2 dest=/etc/firewalld/zones/public.xml owner=root mode=0600 ansible.builtin.template: src=public.xml.j2 dest=/etc/firewalld/zones/public.xml owner=root mode=0600
- name: Format public.xml firewalld zone file - name: Format public.xml firewalld zone file
when: ansible_distribution_major_version is version('10', '<=') when: ansible_distribution_major_version is version('10', '<=')
@ -89,7 +89,7 @@
- name: Copy firewalld ipsets of abusive IPs - name: Copy firewalld ipsets of abusive IPs
when: ansible_distribution_major_version is version('10', '<=') when: ansible_distribution_major_version is version('10', '<=')
copy: src={{ item }} dest=/etc/firewalld/ipsets/{{ item }} owner=root group=root mode=0600 ansible.builtin.copy: src={{ item }} dest=/etc/firewalld/ipsets/{{ item }} owner=root group=root mode=0600
loop: loop:
- abusers-ipv4.xml - abusers-ipv4.xml
- abusers-ipv6.xml - abusers-ipv6.xml
@ -101,11 +101,11 @@
- name: Copy Spamhaus firewalld update script - name: Copy Spamhaus firewalld update script
when: ansible_distribution_version is version('10', '<=') when: ansible_distribution_version is version('10', '<=')
copy: src=update-spamhaus-lists.sh dest=/usr/local/bin/update-spamhaus-lists.sh mode=0755 owner=root group=root ansible.builtin.copy: src=update-spamhaus-lists.sh dest=/usr/local/bin/update-spamhaus-lists.sh mode=0755 owner=root group=root
- name: Copy Spamhaus firewalld systemd units - name: Copy Spamhaus firewalld systemd units
when: ansible_distribution_version is version('10', '<=') when: ansible_distribution_version is version('10', '<=')
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root ansible.builtin.copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root
loop: loop:
- update-spamhaus-lists.service - update-spamhaus-lists.service
- update-spamhaus-lists.timer - update-spamhaus-lists.timer
@ -113,7 +113,7 @@
- name: Copy Spamhaus nftables update scripts - name: Copy Spamhaus nftables update scripts
when: ansible_distribution_version is version('11', '>=') when: ansible_distribution_version is version('11', '>=')
copy: src={{ item }} dest=/usr/local/bin/{{ item }} mode=0755 owner=root group=root ansible.builtin.copy: src={{ item }} dest=/usr/local/bin/{{ item }} mode=0755 owner=root group=root
loop: loop:
- update-spamhaus-nftables.sh - update-spamhaus-nftables.sh
- aggregate-cidr-addresses.pl - aggregate-cidr-addresses.pl
@ -121,7 +121,7 @@
- name: Copy nftables systemd units - name: Copy nftables systemd units
when: ansible_distribution_version is version('11', '>=') when: ansible_distribution_version is version('11', '>=')
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root ansible.builtin.copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root
loop: loop:
- update-spamhaus-nftables.service - update-spamhaus-nftables.service
- update-spamhaus-nftables.timer - update-spamhaus-nftables.timer
@ -131,29 +131,29 @@
# need to reload to pick up service/timer/environment changes # need to reload to pick up service/timer/environment changes
- name: Reload systemd daemon - name: Reload systemd daemon
systemd: daemon_reload=yes ansible.builtin.systemd: daemon_reload=yes
when: spamhaus_firewalld_systemd_units is changed or when: spamhaus_firewalld_systemd_units is changed or
nftables_systemd_units is changed nftables_systemd_units is changed
- name: Start and enable Spamhaus firewalld update timer - name: Start and enable Spamhaus firewalld update timer
when: ansible_distribution_version is version('10', '<=') when: ansible_distribution_version is version('10', '<=')
systemd: name=update-spamhaus-lists.timer state=started enabled=yes ansible.builtin.systemd: name=update-spamhaus-lists.timer state=started enabled=yes
notify: notify:
- restart firewalld - restart firewalld
- restart fail2ban - restart fail2ban
- name: Start and enable nftables update timers - name: Start and enable nftables update timers
when: ansible_distribution_version is version('11', '>=') when: ansible_distribution_version is version('11', '>=')
systemd: name={{ item }} state=started enabled=yes ansible.builtin.systemd: name={{ item }} state=started enabled=yes
loop: loop:
- update-spamhaus-nftables.timer - update-spamhaus-nftables.timer
- update-abusech-nftables.timer - update-abusech-nftables.timer
- name: Start and enable nftables - name: Start and enable nftables
when: ansible_distribution_major_version is version('11', '>=') when: ansible_distribution_major_version is version('11', '>=')
systemd: name=nftables state=started enabled=yes ansible.builtin.systemd: name=nftables state=started enabled=yes
- include_tasks: fail2ban.yml - ansible.builtin.include_tasks: fail2ban.yml
when: ansible_distribution_major_version is version('9', '>=') when: ansible_distribution_major_version is version('9', '>=')
tags: firewall tags: firewall
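Review bot: The `ansible.builtin.include_tasks: fail2ban.yml` task in the last hunk is still the only task in the file without a `name:`; now that the FQCN cleanup is being done for lint, this is the other thing ansible-lint will report (name[missing]), and a name makes run output and `--start-at-task` usable. Suggest `- name: Configure fail2ban` with the include line indented beneath it; the same applies to the equivalent task at the end of firewall_Ubuntu.yml. Separately, the converted lines keep their free-form `key=value` argument strings (e.g. `ansible.builtin.template: src=nftables.conf.j2 dest=/etc/nftables.conf owner=root mode=0644`); if they are moved to native YAML arguments in a follow-up, keep the modes quoted (`mode: "0644"`) so the YAML loader does not read them as octal integers.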


@ -6,7 +6,7 @@
- block: - block:
- name: Set Ubuntu firewall packages - name: Set Ubuntu firewall packages
when: ansible_distribution_version is version('20.04', '<') when: ansible_distribution_version is version('20.04', '<')
set_fact: ansible.builtin.set_fact:
ubuntu_firewall_packages: ubuntu_firewall_packages:
- firewalld - firewalld
- tidy - tidy
@ -15,7 +15,7 @@
- name: Set Ubuntu firewall packages - name: Set Ubuntu firewall packages
when: ansible_distribution_version is version('20.04', '>=') when: ansible_distribution_version is version('20.04', '>=')
set_fact: ansible.builtin.set_fact:
ubuntu_firewall_packages: ubuntu_firewall_packages:
- fail2ban - fail2ban
- libnet-ip-perl # for aggregate-cidr-addresses.pl - libnet-ip-perl # for aggregate-cidr-addresses.pl
@ -24,26 +24,26 @@
- curl # for nftables update scripts - curl # for nftables update scripts
- name: Install firewall packages - name: Install firewall packages
apt: pkg={{ ubuntu_firewall_packages }} state=present cache_valid_time=3600 ansible.builtin.apt: pkg={{ ubuntu_firewall_packages }} state=present cache_valid_time=3600
- name: Remove ufw - name: Remove ufw
when: ansible_distribution_version is version('16.04', '>=') when: ansible_distribution_version is version('16.04', '>=')
apt: pkg=ufw state=absent ansible.builtin.apt: pkg=ufw state=absent
- name: Copy nftables.conf - name: Copy nftables.conf
when: ansible_distribution_version is version('20.04', '>=') when: ansible_distribution_version is version('20.04', '>=')
template: src=nftables.conf.j2 dest=/etc/nftables.conf owner=root mode=0644 ansible.builtin.template: src=nftables.conf.j2 dest=/etc/nftables.conf owner=root mode=0644
notify: notify:
- restart nftables - restart nftables
- restart fail2ban - restart fail2ban
- name: Create /etc/nftables extra config directory - name: Create /etc/nftables extra config directory
when: ansible_distribution_version is version('20.04', '>=') when: ansible_distribution_version is version('20.04', '>=')
file: path=/etc/nftables state=directory owner=root mode=0755 ansible.builtin.file: path=/etc/nftables state=directory owner=root mode=0755
- name: Copy extra nftables configuration files - name: Copy extra nftables configuration files
when: ansible_distribution_version is version('20.04', '>=') when: ansible_distribution_version is version('20.04', '>=')
copy: src={{ item.src }} dest=/etc/nftables/{{ item.src }} owner=root group=root mode=0644 force={{ item.force }} ansible.builtin.copy: src={{ item.src }} dest=/etc/nftables/{{ item.src }} owner=root group=root mode=0644 force={{ item.force }}
loop: loop:
- { src: "spamhaus-ipv4.nft", force: "no" } - { src: "spamhaus-ipv4.nft", force: "no" }
- { src: "spamhaus-ipv6.nft", force: "no" } - { src: "spamhaus-ipv6.nft", force: "no" }
@ -56,7 +56,7 @@
- name: Copy firewalld public zone file - name: Copy firewalld public zone file
when: ansible_distribution_version is version('18.04', '<=') when: ansible_distribution_version is version('18.04', '<=')
template: src=public.xml.j2 dest=/etc/firewalld/zones/public.xml owner=root mode=0600 ansible.builtin.template: src=public.xml.j2 dest=/etc/firewalld/zones/public.xml owner=root mode=0600
- name: Format public.xml firewalld zone file - name: Format public.xml firewalld zone file
when: ansible_distribution_version is version('18.04', '<=') when: ansible_distribution_version is version('18.04', '<=')
@ -67,7 +67,7 @@
- name: Copy firewalld ipsets of abusive IPs - name: Copy firewalld ipsets of abusive IPs
when: ansible_distribution_version is version('18.04', '<=') when: ansible_distribution_version is version('18.04', '<=')
copy: src={{ item }} dest=/etc/firewalld/ipsets/{{ item }} owner=root group=root mode=0600 ansible.builtin.copy: src={{ item }} dest=/etc/firewalld/ipsets/{{ item }} owner=root group=root mode=0600
loop: loop:
- abusers-ipv4.xml - abusers-ipv4.xml
- abusers-ipv6.xml - abusers-ipv6.xml
@ -79,11 +79,11 @@
- name: Copy Spamhaus firewalld update script - name: Copy Spamhaus firewalld update script
when: ansible_distribution_version is version('18.04', '<=') when: ansible_distribution_version is version('18.04', '<=')
copy: src=update-spamhaus-lists.sh dest=/usr/local/bin/update-spamhaus-lists.sh mode=0755 owner=root group=root ansible.builtin.copy: src=update-spamhaus-lists.sh dest=/usr/local/bin/update-spamhaus-lists.sh mode=0755 owner=root group=root
- name: Copy Spamhaus firewalld systemd units - name: Copy Spamhaus firewalld systemd units
when: ansible_distribution_version is version('18.04', '<=') when: ansible_distribution_version is version('18.04', '<=')
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root ansible.builtin.copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root
loop: loop:
- update-spamhaus-lists.service - update-spamhaus-lists.service
- update-spamhaus-lists.timer - update-spamhaus-lists.timer
@ -91,7 +91,7 @@
- name: Copy nftables update scripts - name: Copy nftables update scripts
when: ansible_distribution_version is version('20.04', '>=') when: ansible_distribution_version is version('20.04', '>=')
copy: src={{ item }} dest=/usr/local/bin/{{ item }} mode=0755 owner=root group=root ansible.builtin.copy: src={{ item }} dest=/usr/local/bin/{{ item }} mode=0755 owner=root group=root
loop: loop:
- update-spamhaus-nftables.sh - update-spamhaus-nftables.sh
- aggregate-cidr-addresses.pl - aggregate-cidr-addresses.pl
@ -99,7 +99,7 @@
- name: Copy nftables systemd units - name: Copy nftables systemd units
when: ansible_distribution_version is version('20.04', '>=') when: ansible_distribution_version is version('20.04', '>=')
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root ansible.builtin.copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root
loop: loop:
- update-spamhaus-nftables.service - update-spamhaus-nftables.service
- update-spamhaus-nftables.timer - update-spamhaus-nftables.timer
@ -109,29 +109,29 @@
# need to reload to pick up service/timer/environment changes # need to reload to pick up service/timer/environment changes
- name: Reload systemd daemon - name: Reload systemd daemon
systemd: daemon_reload=yes ansible.builtin.systemd: daemon_reload=yes
when: spamhaus_firewalld_systemd_units is changed or when: spamhaus_firewalld_systemd_units is changed or
nftables_systemd_units is changed nftables_systemd_units is changed
- name: Start and enable Spamhaus firewalld update timer - name: Start and enable Spamhaus firewalld update timer
when: ansible_distribution_version is version('18.04', '<=') when: ansible_distribution_version is version('18.04', '<=')
systemd: name=update-spamhaus-lists.timer state=started enabled=yes ansible.builtin.systemd: name=update-spamhaus-lists.timer state=started enabled=yes
notify: notify:
- restart firewalld - restart firewalld
- restart fail2ban - restart fail2ban
- name: Start and enable nftables update timers - name: Start and enable nftables update timers
when: ansible_distribution_version is version('20.04', '>=') when: ansible_distribution_version is version('20.04', '>=')
systemd: name={{ item }} state=started enabled=yes ansible.builtin.systemd: name={{ item }} state=started enabled=yes
loop: loop:
- update-spamhaus-nftables.timer - update-spamhaus-nftables.timer
- update-abusech-nftables.timer - update-abusech-nftables.timer
- name: Start and enable nftables - name: Start and enable nftables
when: ansible_distribution_version is version('20.04', '>=') when: ansible_distribution_version is version('20.04', '>=')
systemd: name=nftables state=started enabled=yes ansible.builtin.systemd: name=nftables state=started enabled=yes
- include_tasks: fail2ban.yml - ansible.builtin.include_tasks: fail2ban.yml
when: ansible_distribution_version is version('16.04', '>=') when: ansible_distribution_version is version('16.04', '>=')
tags: firewall tags: firewall


@ -1,54 +1,54 @@
--- ---
- name: Import OS-specific variables - name: Import OS-specific variables
include_vars: "vars/{{ ansible_distribution }}.yml" ansible.builtin.include_vars: "vars/{{ ansible_distribution }}.yml"
tags: always tags: always
- name: Configure network time - name: Configure network time
import_tasks: ntp.yml ansible.builtin.import_tasks: ntp.yml
tags: ntp tags: ntp
- name: Install common packages - name: Install common packages
include_tasks: packages_Debian.yml ansible.builtin.include_tasks: packages_Debian.yml
when: ansible_distribution == 'Debian' when: ansible_distribution == 'Debian'
tags: packages tags: packages
- name: Install common packages - name: Install common packages
include_tasks: packages_Ubuntu.yml ansible.builtin.include_tasks: packages_Ubuntu.yml
when: ansible_distribution == 'Ubuntu' when: ansible_distribution == 'Ubuntu'
tags: packages tags: packages
- name: Configure firewall - name: Configure firewall
include_tasks: firewall_Debian.yml ansible.builtin.include_tasks: firewall_Debian.yml
when: ansible_distribution == 'Debian' when: ansible_distribution == 'Debian'
tags: firewall tags: firewall
- name: Configure firewall - name: Configure firewall
include_tasks: firewall_Ubuntu.yml ansible.builtin.include_tasks: firewall_Ubuntu.yml
when: ansible_distribution == 'Ubuntu' when: ansible_distribution == 'Ubuntu'
tags: firewall tags: firewall
- name: Configure secure shell daemon - name: Configure secure shell daemon
import_tasks: sshd.yml ansible.builtin.import_tasks: sshd.yml
tags: sshd tags: sshd
# containers identify as virtualization hosts, which makes this tricky, because we have actual Debian VM hosts! # containers identify as virtualization hosts, which makes this tricky, because we have actual Debian VM hosts!
- name: Reconfigure /etc/sysctl.conf - name: Reconfigure /etc/sysctl.conf
when: ansible_virtualization_role != 'host' when: ansible_virtualization_role != 'host'
template: src=sysctl_{{ ansible_distribution }}.j2 dest=/etc/sysctl.conf owner=root group=root mode=0644 ansible.builtin.template: src=sysctl_{{ ansible_distribution }}.j2 dest=/etc/sysctl.conf owner=root group=root mode=0644
notify: notify:
- reload sysctl - reload sysctl
tags: sysctl tags: sysctl
- name: Reconfigure /etc/rc.local - name: Reconfigure /etc/rc.local
when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('19.04', '<=') when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('19.04', '<=')
template: src=rc.local_Ubuntu.j2 dest=/etc/rc.local owner=root group=root mode=0755 ansible.builtin.template: src=rc.local_Ubuntu.j2 dest=/etc/rc.local owner=root group=root mode=0755
- name: Set I/O scheduler - name: Set I/O scheduler
template: src=etc/udev/rules.d/60-scheduler.rules.j2 dest=/etc/udev/rules.d/60-scheduler.rules owner=root group=root mode=0644 ansible.builtin.template: src=etc/udev/rules.d/60-scheduler.rules.j2 dest=/etc/udev/rules.d/60-scheduler.rules owner=root group=root mode=0644
tags: udev tags: udev
- name: Copy admin SSH keys - name: Copy admin SSH keys
import_tasks: ssh-keys.yml ansible.builtin.import_tasks: ssh-keys.yml
tags: ssh-keys tags: ssh-keys
# vim: set sw=2 ts=2: # vim: set sw=2 ts=2:


@ -14,14 +14,14 @@
- name: Install systemd-timesyncd - name: Install systemd-timesyncd
when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or
(ansible_distribution == 'Debian' and ansible_distribution_version is version('11', '==')) (ansible_distribution == 'Debian' and ansible_distribution_version is version('11', '=='))
apt: name=systemd-timesyncd state=present cache_valid_time=3600 ansible.builtin.apt: name=systemd-timesyncd state=present cache_valid_time=3600
- name: Start and enable systemd's NTP client - name: Start and enable systemd's NTP client
when: ansible_service_mgr == 'systemd' when: ansible_service_mgr == 'systemd'
systemd: name=systemd-timesyncd state=started enabled=yes ansible.builtin.systemd: name=systemd-timesyncd state=started enabled=yes
- name: Uninstall ntp on modern Ubuntu/Debian - name: Uninstall ntp on modern Ubuntu/Debian
apt: name=ntp state=absent ansible.builtin.apt: name=ntp state=absent
when: ansible_service_mgr == 'systemd' when: ansible_service_mgr == 'systemd'
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:


@ -2,11 +2,11 @@
- block: - block:
- name: Configure apt mirror - name: Configure apt mirror
template: src=sources.list.j2 dest=/etc/apt/sources.list owner=root group=root mode=0644 ansible.builtin.template: src=sources.list.j2 dest=/etc/apt/sources.list owner=root group=root mode=0644
when: ansible_architecture != 'armv7l' when: ansible_architecture != 'armv7l'
- name: Set fact for base packages - name: Set fact for base packages
set_fact: ansible.builtin.set_fact:
base_packages: base_packages:
- git - git
- git-lfs - git-lfs
@ -28,14 +28,14 @@
- lsof - lsof
- name: Install base packages - name: Install base packages
apt: name={{ base_packages }} state=present cache_valid_time=3600 ansible.builtin.apt: name={{ base_packages }} state=present cache_valid_time=3600
- name: Configure cron-apt - name: Configure cron-apt
import_tasks: cron-apt.yml ansible.builtin.import_tasks: cron-apt.yml
tags: cron-apt tags: cron-apt
- name: Install tarsnap - name: Install tarsnap
import_tasks: tarsnap.yml ansible.builtin.import_tasks: tarsnap.yml
tags: packages tags: packages
# vim: set sw=2 ts=2: # vim: set sw=2 ts=2:


@ -2,14 +2,14 @@
- block: - block:
- name: Configure apt mirror - name: Configure apt mirror
template: src=sources.list.j2 dest=/etc/apt/sources.list owner=root group=root mode=0644 ansible.builtin.template: src=sources.list.j2 dest=/etc/apt/sources.list owner=root group=root mode=0644
when: ansible_architecture != 'armv7l' when: ansible_architecture != 'armv7l'
- name: Upgrade base OS - name: Upgrade base OS
apt: upgrade=dist cache_valid_time=3600 ansible.builtin.apt: upgrade=dist cache_valid_time=3600
- name: Set Ubuntu base packages - name: Set Ubuntu base packages
set_fact: ansible.builtin.set_fact:
ubuntu_base_packages: ubuntu_base_packages:
- git - git
- git-lfs - git-lfs
@ -30,27 +30,27 @@
- lsof - lsof
- name: Install base packages - name: Install base packages
apt: pkg={{ ubuntu_base_packages }} state=present cache_valid_time=3600 ansible.builtin.apt: pkg={{ ubuntu_base_packages }} state=present cache_valid_time=3600
# We have to remove snaps one by one in a specific order because some depend # We have to remove snaps one by one in a specific order because some depend
# on others. Only after that can we remove the corresponding system packages. # on others. Only after that can we remove the corresponding system packages.
- name: Remove lxd snap - name: Remove lxd snap
snap: name=lxd state=absent community.general.snap: name=lxd state=absent
when: ansible_distribution_version is version('20.04', '==') when: ansible_distribution_version is version('20.04', '==')
ignore_errors: yes ignore_errors: yes
- name: Remove core18 snap - name: Remove core18 snap
snap: name=core18 state=absent community.general.snap: name=core18 state=absent
when: ansible_distribution_version is version('20.04', '==') when: ansible_distribution_version is version('20.04', '==')
ignore_errors: yes ignore_errors: yes
- name: Remove snapd snap - name: Remove snapd snap
snap: name=snapd state=absent community.general.snap: name=snapd state=absent
when: ansible_distribution_version is version('20.04', '==') when: ansible_distribution_version is version('20.04', '==')
ignore_errors: yes ignore_errors: yes
- name: Set fact for packages to remove (Ubuntu <= 18.04) - name: Set fact for packages to remove (Ubuntu <= 18.04)
set_fact: ansible.builtin.set_fact:
ubuntu_annoying_packages: ubuntu_annoying_packages:
- whoopsie # security (CIS 4.1) - whoopsie # security (CIS 4.1)
- apport # security (CIS 4.1) - apport # security (CIS 4.1)
@ -66,7 +66,7 @@
when: ansible_distribution_version is version('18.04', '<=') when: ansible_distribution_version is version('18.04', '<=')
- name: Set fact for packages to remove (Ubuntu 20.04) - name: Set fact for packages to remove (Ubuntu 20.04)
set_fact: ansible.builtin.set_fact:
ubuntu_annoying_packages: ubuntu_annoying_packages:
- whoopsie # security (CIS 4.1) - whoopsie # security (CIS 4.1)
- apport # security (CIS 4.1) - apport # security (CIS 4.1)
@ -78,10 +78,10 @@
when: ansible_distribution_version is version('20.04', '==') when: ansible_distribution_version is version('20.04', '==')
- name: Remove packages - name: Remove packages
apt: name={{ ubuntu_annoying_packages }} state=absent purge=yes ansible.builtin.apt: name={{ ubuntu_annoying_packages }} state=absent purge=yes
- name: Disable annoying Canonical spam in MOTD - name: Disable annoying Canonical spam in MOTD
file: path={{ item }} mode=0644 state=absent ansible.builtin.file: path={{ item }} mode=0644 state=absent
loop: loop:
- /etc/update-motd.d/99-esm # Ubuntu 14.04 - /etc/update-motd.d/99-esm # Ubuntu 14.04
- /etc/update-motd.d/10-help-text # Ubuntu 14.04+ - /etc/update-motd.d/10-help-text # Ubuntu 14.04+
@ -91,18 +91,18 @@
ignore_errors: yes ignore_errors: yes
- name: Disable annoying Canonical spam in MOTD - name: Disable annoying Canonical spam in MOTD
systemd: name={{ item }} state=stopped enabled=no ansible.builtin.systemd: name={{ item }} state=stopped enabled=no
when: ansible_service_mgr == 'systemd' when: ansible_service_mgr == 'systemd'
loop: loop:
- motd-news.service - motd-news.service
- motd-news.timer - motd-news.timer
- name: Configure cron-apt - name: Configure cron-apt
import_tasks: cron-apt.yml ansible.builtin.import_tasks: cron-apt.yml
tags: cron-apt tags: cron-apt
- name: Install tarsnap - name: Install tarsnap
import_tasks: tarsnap.yml ansible.builtin.import_tasks: tarsnap.yml
tags: packages tags: packages
# vim: set sw=2 ts=2: # vim: set sw=2 ts=2:
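Review bot: The three `community.general.snap` tasks in the `@ -30,27 +30,27 @@` hunk, and `ansible.posix.authorized_key` in ssh-keys.yml, now resolve through collections that ship with the `ansible` community package but not with `ansible-core`, whereas the old short names fell back to the same collections only when they happened to be installed. If the repository does not already declare them in a collections `requirements.yml` (not visible in this diff), a controller running bare ansible-core will fail at play load with an unresolved module; declaring `community.general` and `ansible.posix` there with a version also pins what code these tasks execute, which is the reviewable supply-chain boundary for the roles.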


@ -1,9 +1,9 @@
--- ---
- name: Zero .ssh/authorized_keys for provisioning user - name: Zero .ssh/authorized_keys for provisioning user
file: dest={{ provisioning_user.home }}/.ssh/authorized_keys state=absent ansible.builtin.file: dest={{ provisioning_user.home }}/.ssh/authorized_keys state=absent
- name: Add public keys to authorized_keys - name: Add public keys to authorized_keys
authorized_key: { user: '{{ provisioning_user.name }}', key: "{{ lookup('file',item) }}" } ansible.posix.authorized_key: { user: '{{ provisioning_user.name }}', key: "{{ lookup('file',item) }}" }
with_fileglob: with_fileglob:
# use descriptive names for keys, like: aorth-mzito-rsa.pub # use descriptive names for keys, like: aorth-mzito-rsa.pub
- ssh-pub-keys/*.pub - ssh-pub-keys/*.pub
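Review bot: `ansible.posix.authorized_key` on the "Add public keys to authorized_keys" task moves this role from a builtin module onto the `ansible.posix` collection, which has to be present on the controller before the play runs, and the same applies to `community.mysql.mysql_user` and `community.mysql.mysql_db` in the mariadb tasks hunk further down. A fresh checkout without those collections will fail at module resolution rather than at the previous short names, so the commit should pin them somewhere the repository installs from. If there is no such file yet, a `requirements.yml` with `collections:`, `  - name: ansible.posix`, `  - name: community.mysql` plus an install step in the README would close the gap; I cannot see from this page whether one already exists, so treat this as a check to confirm.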


@ -2,14 +2,14 @@
# SSH configs don't change in Debian minor versions # SSH configs don't change in Debian minor versions
- name: Reconfigure /etc/ssh/sshd_config - name: Reconfigure /etc/ssh/sshd_config
template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0600 ansible.builtin.template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0600
when: ansible_distribution == 'Debian' when: ansible_distribution == 'Debian'
notify: reload sshd notify: reload sshd
# Ubuntu is the only distro we have where SSH version is very different from 14.04 -> 14.10, # Ubuntu is the only distro we have where SSH version is very different from 14.04 -> 14.10,
# ie with new ciphers supported etc. # ie with new ciphers supported etc.
- name: Reconfigure /etc/ssh/sshd_config - name: Reconfigure /etc/ssh/sshd_config
template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0600 ansible.builtin.template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0600
when: ansible_distribution == 'Ubuntu' when: ansible_distribution == 'Ubuntu'
notify: reload sshd notify: reload sshd
@ -40,7 +40,7 @@
notify: reload sshd notify: reload sshd
- name: Remove DSA and ECDSA host keys - name: Remove DSA and ECDSA host keys
file: name=/etc/ssh/{{ item }} state=absent ansible.builtin.file: name=/etc/ssh/{{ item }} state=absent
loop: loop:
- ssh_host_dsa_key - ssh_host_dsa_key
- ssh_host_dsa_key.pub - ssh_host_dsa_key.pub


@ -1,24 +1,24 @@
--- ---
- name: Add Tarsnap apt mirror - name: Add Tarsnap apt mirror
template: src=tarsnap_sources.list.j2 dest=/etc/apt/sources.list.d/tarsnap.list owner=root group=root mode=0644 ansible.builtin.template: src=tarsnap_sources.list.j2 dest=/etc/apt/sources.list.d/tarsnap.list owner=root group=root mode=0644
register: add_tarsnap_apt_repository register: add_tarsnap_apt_repository
when: ansible_architecture != 'armv7l' when: ansible_architecture != 'armv7l'
- name: Add GPG key for Tarsnap - name: Add GPG key for Tarsnap
apt_key: id=0xBF75EEAB040E447C url=https://pkg.tarsnap.com/tarsnap-deb-packaging-key.asc state=present ansible.builtin.apt_key: id=0xBF75EEAB040E447C url=https://pkg.tarsnap.com/tarsnap-deb-packaging-key.asc state=present
register: add_tarsnap_apt_key register: add_tarsnap_apt_key
- name: Update apt cache - name: Update apt cache
apt: ansible.builtin.apt:
update_cache: yes update_cache: yes
when: when:
add_tarsnap_apt_key is changed or add_tarsnap_apt_key is changed or
add_tarsnap_apt_repository is changed add_tarsnap_apt_repository is changed
- name: Install tarsnap - name: Install tarsnap
apt: pkg=tarsnap cache_valid_time=3600 ansible.builtin.apt: pkg=tarsnap cache_valid_time=3600
- name: Copy tarsnaprc - name: Copy tarsnaprc
copy: src=tarsnaprc dest=/root/.tarsnaprc owner=root group=root mode=0600 ansible.builtin.copy: src=tarsnaprc dest=/root/.tarsnaprc owner=root group=root mode=0600
# vim: set sw=2 ts=2: # vim: set sw=2 ts=2:


@ -1,5 +1,5 @@
--- ---
# file: roles/mariadb/defaults/main.yml # ansible.builtin.file: roles/mariadb/defaults/main.yml
# #
# Based on my running of mysqltuner.pl on a host with three WordPress databases # Based on my running of mysqltuner.pl on a host with three WordPress databases
# #
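Review bot: The search-and-replace that added the FQCN prefixes also rewrote the file-path comment on the second line of this hunk: `# ansible.builtin.file: roles/mariadb/defaults/main.yml` should be restored to `# file: roles/mariadb/defaults/main.yml`, since `file:` there is a comment label naming the path, not a module call. The same mangled comment appears in the munin handlers, nginx defaults and php-fpm defaults hunks below, so a single pass over `# ansible.builtin.file:` in comment lines would fix all of them.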


@ -1,5 +1,5 @@
--- ---
- name: restart mariadb - name: restart mariadb
systemd: name=mariadb state=restarted ansible.builtin.systemd: name=mariadb state=restarted
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:


@ -1,55 +1,55 @@
--- ---
- name: Add GPG key for MariaDB repo - name: Add GPG key for MariaDB repo
apt_key: id=0x177F4010FE56CA3336300305F1656F24C74CD1D8 url=https://mariadb.org/mariadb_release_signing_key.asc ansible.builtin.apt_key: id=0x177F4010FE56CA3336300305F1656F24C74CD1D8 url=https://mariadb.org/mariadb_release_signing_key.asc
register: add_mariadb_apt_key register: add_mariadb_apt_key
tags: mariadb, packages tags: mariadb, packages
- name: Add MariaDB 10.5 repo - name: Add MariaDB 10.5 repo
template: src=mariadb.list.j2 dest=/etc/apt/sources.list.d/mariadb.list owner=root group=root mode=0644 ansible.builtin.template: src=mariadb.list.j2 dest=/etc/apt/sources.list.d/mariadb.list owner=root group=root mode=0644
register: add_mariadb_apt_repository register: add_mariadb_apt_repository
tags: mariadb, packages tags: mariadb, packages
- name: Update apt cache - name: Update apt cache
apt: ansible.builtin.apt:
update_cache: yes update_cache: yes
when: when:
add_mariadb_apt_key is changed or add_mariadb_apt_key is changed or
add_mariadb_apt_repository is changed add_mariadb_apt_repository is changed
- name: Install mariadb-server - name: Install mariadb-server
apt: name={{ item }} state=present cache_valid_time=3600 ansible.builtin.apt: name={{ item }} state=present cache_valid_time=3600
loop: loop:
- mariadb-server - mariadb-server
- python3-pymysql # for ansible - python3-pymysql # for ansible
tags: mariadb, packages tags: mariadb, packages
- name: Create system my.cnf - name: Create system my.cnf
template: src=my.cnf.j2 dest=/etc/mysql/my.cnf owner=root group=root mode=0644 ansible.builtin.template: src=my.cnf.j2 dest=/etc/mysql/my.cnf owner=root group=root mode=0644
notify: notify:
- restart mariadb - restart mariadb
tags: mariadb tags: mariadb
# See: https://docs.ansible.com/ansible/latest/collections/community/mysql/mysql_user_module.html # See: https://docs.ansible.com/ansible/latest/collections/community/mysql/mysql_user_module.html
- name: Update MariaDB root password for all root accounts - name: Update MariaDB root password for all root accounts
mysql_user: name=root host={{ item }} password={{ mariadb_root_password }} login_unix_socket={{ mariadb_login_unix_socket }} community.mysql.mysql_user: name=root host={{ item }} password={{ mariadb_root_password }} login_unix_socket={{ mariadb_login_unix_socket }}
loop: loop:
- 127.0.0.1 - 127.0.0.1
- ::1 - ::1
tags: mariadb tags: mariadb
- name: Create .my.conf file with root credentials - name: Create .my.conf file with root credentials
template: src=.my.cnf.j2 dest=/root/.my.cnf owner=root mode=0600 ansible.builtin.template: src=.my.cnf.j2 dest=/root/.my.cnf owner=root mode=0600
tags: mariadb tags: mariadb
# See: https://docs.ansible.com/ansible/latest/collections/community/mysql/mysql_db_module.html # See: https://docs.ansible.com/ansible/latest/collections/community/mysql/mysql_db_module.html
- name: Create MariaDB database(s) - name: Create MariaDB database(s)
mysql_db: db={{ item.name }} state=present encoding=utf8mb4 login_unix_socket={{ mariadb_login_unix_socket }} community.mysql.mysql_db: db={{ item.name }} state=present encoding=utf8mb4 login_unix_socket={{ mariadb_login_unix_socket }}
loop: "{{ mariadb_databases }}" loop: "{{ mariadb_databases }}"
when: mariadb_databases is defined when: mariadb_databases is defined
tags: mariadb tags: mariadb
- name: Create MariaDB user(s) - name: Create MariaDB user(s)
mysql_user: name={{ item.user }} password={{ item.pass }} priv={{ item.name }}.*:ALL host=127.0.0.1 state=present login_unix_socket={{ mariadb_login_unix_socket }} community.mysql.mysql_user: name={{ item.user }} password={{ item.pass }} priv={{ item.name }}.*:ALL host=127.0.0.1 state=present login_unix_socket={{ mariadb_login_unix_socket }}
loop: "{{ mariadb_databases }}" loop: "{{ mariadb_databases }}"
when: mariadb_databases is defined when: mariadb_databases is defined
tags: mariadb tags: mariadb


@ -1,4 +1,4 @@
--- ---
# file: roles/munin/handlers/main.yml # ansible.builtin.file: roles/munin/handlers/main.yml
- name: restart munin-node - name: restart munin-node
systemd: name=munin-node state=restarted ansible.builtin.systemd: name=munin-node state=restarted


@ -1,8 +1,8 @@
--- ---
- name: Configure munin scraper - name: Configure munin scraper
import_tasks: munin.yml ansible.builtin.import_tasks: munin.yml
tags: munin tags: munin
- name: Configure munin listener - name: Configure munin listener
import_tasks: munin-node.yml ansible.builtin.import_tasks: munin-node.yml
tags: munin-node tags: munin-node


@ -1,25 +1,25 @@
--- ---
- name: Install munin-node - name: Install munin-node
apt: name=munin-node state=present ansible.builtin.apt: name=munin-node state=present
tags: packages tags: packages
# some nice things to have for munin-node on Ubuntu # some nice things to have for munin-node on Ubuntu
# libwww-perl: for munin's nginx_status check # libwww-perl: for munin's nginx_status check
- name: Install munin-node deps - name: Install munin-node deps
apt: name=libwww-perl state=present ansible.builtin.apt: name=libwww-perl state=present
tags: packages tags: packages
- name: Create munin-node.conf - name: Create munin-node.conf
template: src=munin-node.conf.j2 dest=/etc/munin/munin-node.conf ansible.builtin.template: src=munin-node.conf.j2 dest=/etc/munin/munin-node.conf
notify: notify:
- restart munin-node - restart munin-node
- name: Configure munin-node - name: Configure munin-node
shell: munin-node-configure --shell --families=contrib,auto | sh -x ansible.builtin.shell: munin-node-configure --shell --families=contrib,auto | sh -x
notify: notify:
- restart munin-node - restart munin-node
- name: Start munin-node - name: Start munin-node
systemd: name=munin-node state=started enabled=true ansible.builtin.systemd: name=munin-node state=started enabled=true
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:


@ -1,9 +1,9 @@
--- ---
- name: Install munin package - name: Install munin package
apt: name=munin state=present ansible.builtin.apt: name=munin state=present
tags: packages tags: packages
- name: Create munin configuration file - name: Create munin configuration file
template: src=munin.conf.j2 dest=/etc/munin/munin.conf owner=root group=root mode=0644 ansible.builtin.template: src=munin.conf.j2 dest=/etc/munin/munin.conf owner=root group=root mode=0644
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:


@ -1,5 +1,5 @@
--- ---
# file: roles/nginx/defaults/main.yml # ansible.builtin.file: roles/nginx/defaults/main.yml
# path config # path config
nginx_confd_path: /etc/nginx/conf.d nginx_confd_path: /etc/nginx/conf.d


@ -1,5 +1,5 @@
--- ---
- name: reload nginx - name: reload nginx
systemd: name=nginx state=reloaded ansible.builtin.systemd: name=nginx state=reloaded
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:


@ -4,12 +4,12 @@
# snap now. # snap now.
- block: - block:
- name: Remove certbot - name: Remove certbot
apt: ansible.builtin.apt:
name: certbot name: certbot
state: absent state: absent
- name: Remove old certbot post and pre hooks for nginx - name: Remove old certbot post and pre hooks for nginx
file: ansible.builtin.file:
dest: "{{ item }}" dest: "{{ item }}"
state: absent state: absent
with_items: with_items:
@ -17,12 +17,12 @@
- /etc/letsencrypt/renewal-hooks/post/start-nginx.sh - /etc/letsencrypt/renewal-hooks/post/start-nginx.sh
- name: Check if acme.sh is installed - name: Check if acme.sh is installed
stat: ansible.builtin.stat:
path: "{{ letsencrypt_acme_home }}" path: "{{ letsencrypt_acme_home }}"
register: acme_home register: acme_home
- name: Download acme.sh - name: Download acme.sh
get_url: ansible.builtin.get_url:
url: https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh url: https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh
dest: "{{ letsencrypt_acme_script_temp }}" dest: "{{ letsencrypt_acme_script_temp }}"
mode: 0700 mode: 0700
@ -41,7 +41,7 @@
when: acme_download is changed when: acme_download is changed
- name: Remove temporary acme.sh script - name: Remove temporary acme.sh script
file: ansible.builtin.file:
dest: "{{ letsencrypt_acme_script_temp }}" dest: "{{ letsencrypt_acme_script_temp }}"
state: absent state: absent
when: acme_install.rc is defined and acme_install.rc == 0 when: acme_install.rc is defined and acme_install.rc == 0
@ -51,7 +51,7 @@
cmd: "{{ letsencrypt_acme_home }}/acme.sh --set-default-ca --server letsencrypt" cmd: "{{ letsencrypt_acme_home }}/acme.sh --set-default-ca --server letsencrypt"
- name: Prepare Let's Encrypt well-known directory - name: Prepare Let's Encrypt well-known directory
file: ansible.builtin.file:
state: directory state: directory
path: /var/lib/letsencrypt/.well-known path: /var/lib/letsencrypt/.well-known
owner: root owner: root
@ -59,7 +59,7 @@
mode: g+s mode: g+s
- name: Copy systemd service to renew Let's Encrypt certs - name: Copy systemd service to renew Let's Encrypt certs
template: ansible.builtin.template:
src: renew-letsencrypt.service.j2 src: renew-letsencrypt.service.j2
dest: /etc/systemd/system/renew-letsencrypt.service dest: /etc/systemd/system/renew-letsencrypt.service
mode: 0644 mode: 0644
@ -67,7 +67,7 @@
group: root group: root
- name: Copy systemd timer to renew Let's Encrypt certs - name: Copy systemd timer to renew Let's Encrypt certs
copy: ansible.builtin.copy:
src: renew-letsencrypt.timer src: renew-letsencrypt.timer
dest: /etc/systemd/system/renew-letsencrypt.timer dest: /etc/systemd/system/renew-letsencrypt.timer
mode: 0644 mode: 0644
@ -76,7 +76,7 @@
# always issues daemon-reload just in case the service/timer changed # always issues daemon-reload just in case the service/timer changed
- name: Start and enable systemd timer to renew Let's Encrypt certs - name: Start and enable systemd timer to renew Let's Encrypt certs
systemd: ansible.builtin.systemd:
name: renew-letsencrypt.timer name: renew-letsencrypt.timer
state: started state: started
enabled: yes enabled: yes


@ -1,33 +1,33 @@
--- ---
- name: Add nginx.org apt signing key - name: Add nginx.org apt signing key
apt_key: id=0x573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 url=https://nginx.org/keys/nginx_signing.key state=present ansible.builtin.apt_key: id=0x573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 url=https://nginx.org/keys/nginx_signing.key state=present
register: add_nginx_apt_key register: add_nginx_apt_key
tags: nginx, packages tags: nginx, packages
- name: Add nginx.org repo - name: Add nginx.org repo
template: src=nginx_org_sources.list.j2 dest=/etc/apt/sources.list.d/nginx_org_sources.list owner=root group=root mode=0644 ansible.builtin.template: src=nginx_org_sources.list.j2 dest=/etc/apt/sources.list.d/nginx_org_sources.list owner=root group=root mode=0644
register: add_nginx_apt_repository register: add_nginx_apt_repository
tags: nginx, packages tags: nginx, packages
- name: Update apt cache - name: Update apt cache
apt: ansible.builtin.apt:
update_cache: yes update_cache: yes
when: when:
add_nginx_apt_key is changed or add_nginx_apt_key is changed or
add_nginx_apt_repository is changed add_nginx_apt_repository is changed
- name: Install nginx - name: Install nginx
apt: pkg=nginx cache_valid_time=3600 state=present ansible.builtin.apt: pkg=nginx cache_valid_time=3600 state=present
tags: nginx, packages tags: nginx, packages
- name: Copy nginx.conf - name: Copy nginx.conf
template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf mode=0644 owner=root group=root ansible.builtin.template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf mode=0644 owner=root group=root
notify: notify:
- reload nginx - reload nginx
tags: nginx tags: nginx
- name: Copy extra nginx configs - name: Copy extra nginx configs
copy: src={{ item }} dest=/etc/nginx/{{ item }} mode=0644 owner=root group=root ansible.builtin.copy: src={{ item }} dest=/etc/nginx/{{ item }} mode=0644 owner=root group=root
loop: loop:
- extra-security.conf - extra-security.conf
- fastcgi_cache - fastcgi_cache
@ -36,41 +36,41 @@
tags: nginx tags: nginx
- name: Remove default nginx vhost - name: Remove default nginx vhost
file: path=/etc/nginx/conf.d/default.conf state=absent ansible.builtin.file: path=/etc/nginx/conf.d/default.conf state=absent
tags: nginx tags: nginx
- name: Create fastcgi cache dir - name: Create fastcgi cache dir
file: path=/var/cache/nginx/cached/fastcgi state=directory owner=nginx group=nginx mode=0755 ansible.builtin.file: path=/var/cache/nginx/cached/fastcgi state=directory owner=nginx group=nginx mode=0755
tags: nginx tags: nginx
- name: Configure nginx virtual hosts - name: Configure nginx virtual hosts
include_tasks: vhosts.yml ansible.builtin.include_tasks: vhosts.yml
when: nginx_vhosts is defined when: nginx_vhosts is defined
tags: nginx tags: nginx
- name: Configure WordPress - name: Configure WordPress
include_tasks: wordpress.yml ansible.builtin.include_tasks: wordpress.yml
when: nginx_vhosts is defined when: nginx_vhosts is defined
tags: wordpress tags: wordpress
- name: Configure blank nginx vhost - name: Configure blank nginx vhost
template: src=blank-vhost.conf.j2 dest={{ nginx_confd_path }}/blank-vhost.conf mode=0644 owner=root group=root ansible.builtin.template: src=blank-vhost.conf.j2 dest={{ nginx_confd_path }}/blank-vhost.conf mode=0644 owner=root group=root
notify: notify:
- reload nginx - reload nginx
tags: nginx tags: nginx
- name: Configure munin vhost - name: Configure munin vhost
copy: src=munin.conf dest=/etc/nginx/conf.d/munin.conf mode=0644 owner=root group=root ansible.builtin.copy: src=munin.conf dest=/etc/nginx/conf.d/munin.conf mode=0644 owner=root group=root
notify: notify:
- reload nginx - reload nginx
tags: nginx tags: nginx
- name: Start and enable nginx service - name: Start and enable nginx service
systemd: name=nginx state=started enabled=yes ansible.builtin.systemd: name=nginx state=started enabled=yes
tags: nginx tags: nginx
- name: Configure Let's Encrypt - name: Configure Let's Encrypt
include_tasks: letsencrypt.yml ansible.builtin.include_tasks: letsencrypt.yml
tags: letsencrypt tags: letsencrypt
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:


@ -2,18 +2,18 @@
- block: - block:
- name: Configure https vhosts - name: Configure https vhosts
template: src=vhost.conf.j2 dest={{ nginx_confd_path }}/{{ item.domain_name }}.conf mode=0644 owner=root group=root ansible.builtin.template: src=vhost.conf.j2 dest={{ nginx_confd_path }}/{{ item.domain_name }}.conf mode=0644 owner=root group=root
loop: "{{ nginx_vhosts }}" loop: "{{ nginx_vhosts }}"
notify: notify:
- reload nginx - reload nginx
- name: Generate self-signed TLS cert - name: Generate self-signed TLS cert
command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key -out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt ansible.builtin.command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key -out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt
notify: notify:
- reload nginx - reload nginx
- name: Download 4096-bit RFC 7919 dhparams - name: Download 4096-bit RFC 7919 dhparams
get_url: ansible.builtin.get_url:
url: https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem url: https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem
checksum: sha256:64852d6890ff9e62eecd1ee89c72af9af244dfef5b853bcedea3dfd7aade22b3 checksum: sha256:64852d6890ff9e62eecd1ee89c72af9af244dfef5b853bcedea3dfd7aade22b3
dest: "{{ nginx_ssl_dhparam }}" dest: "{{ nginx_ssl_dhparam }}"
@ -22,7 +22,7 @@
# TODO: this could break because we can override the document root in host vars # TODO: this could break because we can override the document root in host vars
- name: Create vhost document roots - name: Create vhost document roots
file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory mode=0755 owner=nginx group=nginx ansible.builtin.file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory mode=0755 owner=nginx group=nginx
loop: "{{ nginx_vhosts }}" loop: "{{ nginx_vhosts }}"
tags: nginx tags: nginx


@ -2,12 +2,12 @@
- block: - block:
- name: Install WordPress - name: Install WordPress
git: repo=https://github.com/WordPress/WordPress.git dest={{ nginx_root_prefix }}/{{ item.domain_name }}/wordpress version={{ item.wordpress_version }} depth=1 force=yes ansible.builtin.git: repo=https://github.com/WordPress/WordPress.git dest={{ nginx_root_prefix }}/{{ item.domain_name }}/wordpress version={{ item.wordpress_version }} depth=1 force=yes
when: item.has_wordpress is defined and item.has_wordpress when: item.has_wordpress is defined and item.has_wordpress
loop: "{{ nginx_vhosts }}" loop: "{{ nginx_vhosts }}"
- name: Fix WordPress directory permissions - name: Fix WordPress directory permissions
file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory owner=nginx group=nginx recurse=yes ansible.builtin.file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory owner=nginx group=nginx recurse=yes
when: item.has_wordpress is defined and item.has_wordpress when: item.has_wordpress is defined and item.has_wordpress
loop: "{{ nginx_vhosts }}" loop: "{{ nginx_vhosts }}"
tags: wordpress tags: wordpress


@ -1,5 +1,5 @@
--- ---
# file: roles/php-fpm/defaults/main.yml # ansible.builtin.file: roles/php-fpm/defaults/main.yml
# default is on, but turn it off because of protection in nginx vhosts # default is on, but turn it off because of protection in nginx vhosts
cgi_fix_pathinfo: 0 cgi_fix_pathinfo: 0


@ -1,14 +1,14 @@
--- ---
# For Ubuntu 18.04 # For Ubuntu 18.04
- name: reload php7.2-fpm - name: reload php7.2-fpm
systemd: name=php7.2-fpm state=reloaded ansible.builtin.systemd: name=php7.2-fpm state=reloaded
# For Debian 10 # For Debian 10
- name: reload php7.3-fpm - name: reload php7.3-fpm
systemd: name=php7.3-fpm state=reloaded ansible.builtin.systemd: name=php7.3-fpm state=reloaded
# For Ubuntu 20.04 # For Ubuntu 20.04
- name: reload php7.4-fpm - name: reload php7.4-fpm
systemd: name=php7.4-fpm state=reloaded ansible.builtin.systemd: name=php7.4-fpm state=reloaded
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:


@ -2,7 +2,7 @@
- block: - block:
- name: Set php-fpm packages - name: Set php-fpm packages
set_fact: ansible.builtin.set_fact:
php_fpm_packages: php_fpm_packages:
- php-fpm - php-fpm
# for WordPress # for WordPress
@ -11,22 +11,22 @@
- php-curl - php-curl
- name: Install php-fpm and deps - name: Install php-fpm and deps
apt: name={{ php_fpm_packages }} state=present update_cache=yes ansible.builtin.apt: name={{ php_fpm_packages }} state=present update_cache=yes
# only copy php-fpm config for vhosts that need WordPress or PHP # only copy php-fpm config for vhosts that need WordPress or PHP
- name: Copy php-fpm pool config - name: Copy php-fpm pool config
template: src=php7.3-pool.conf.j2 dest=/etc/php/7.3/fpm/pool.d/{{ item.domain_name }}.conf owner=root group=root mode=0644 ansible.builtin.template: src=php7.3-pool.conf.j2 dest=/etc/php/7.3/fpm/pool.d/{{ item.domain_name }}.conf owner=root group=root mode=0644
loop: "{{ nginx_vhosts }}" loop: "{{ nginx_vhosts }}"
when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php) when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
notify: reload php7.3-fpm notify: reload php7.3-fpm
- name: Remove default www pool - name: Remove default www pool
file: path=/etc/php/7.3/fpm/pool.d/www.conf state=absent ansible.builtin.file: path=/etc/php/7.3/fpm/pool.d/www.conf state=absent
notify: reload php7.3-fpm notify: reload php7.3-fpm
# re-configure php.ini # re-configure php.ini
- name: Update php.ini - name: Update php.ini
template: src=php7.3-php.ini.j2 dest=/etc/php/7.3/fpm/php.ini owner=root group=root mode=0644 ansible.builtin.template: src=php7.3-php.ini.j2 dest=/etc/php/7.3/fpm/php.ini owner=root group=root mode=0644
notify: reload php7.3-fpm notify: reload php7.3-fpm
tags: php-fpm tags: php-fpm


@ -2,7 +2,7 @@
- block: - block:
- name: Set php-fpm packages - name: Set php-fpm packages
set_fact: ansible.builtin.set_fact:
php_fpm_packages: php_fpm_packages:
- php-fpm - php-fpm
# for WordPress # for WordPress
@ -11,22 +11,22 @@
- php-curl - php-curl
- name: Install php-fpm and deps - name: Install php-fpm and deps
apt: name={{ php_fpm_packages }} state=present update_cache=yes ansible.builtin.apt: name={{ php_fpm_packages }} state=present update_cache=yes
# only copy php-fpm config for vhosts that need WordPress or PHP # only copy php-fpm config for vhosts that need WordPress or PHP
- name: Copy php-fpm pool config - name: Copy php-fpm pool config
template: src=php7.2-pool.conf.j2 dest=/etc/php/7.2/fpm/pool.d/{{ item.domain_name }}.conf owner=root group=root mode=0644 ansible.builtin.template: src=php7.2-pool.conf.j2 dest=/etc/php/7.2/fpm/pool.d/{{ item.domain_name }}.conf owner=root group=root mode=0644
loop: "{{ nginx_vhosts }}" loop: "{{ nginx_vhosts }}"
when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php) when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
notify: reload php7.2-fpm notify: reload php7.2-fpm
- name: Remove default www pool - name: Remove default www pool
file: path=/etc/php/7.2/fpm/pool.d/www.conf state=absent ansible.builtin.file: path=/etc/php/7.2/fpm/pool.d/www.conf state=absent
notify: reload php7.2-fpm notify: reload php7.2-fpm
# re-configure php.ini # re-configure php.ini
- name: Update php.ini - name: Update php.ini
template: src=php7.2-php.ini.j2 dest=/etc/php/7.2/fpm/php.ini owner=root group=root mode=0644 ansible.builtin.template: src=php7.2-php.ini.j2 dest=/etc/php/7.2/fpm/php.ini owner=root group=root mode=0644
notify: reload php7.2-fpm notify: reload php7.2-fpm
tags: php-fpm tags: php-fpm


@ -2,7 +2,7 @@
- block: - block:
- name: Set php-fpm packages - name: Set php-fpm packages
set_fact: ansible.builtin.set_fact:
php_fpm_packages: php_fpm_packages:
- php7.4-fpm - php7.4-fpm
# for WordPress # for WordPress
@ -12,22 +12,22 @@
- php7.4-xml - php7.4-xml
- name: Install php-fpm and deps - name: Install php-fpm and deps
apt: name={{ php_fpm_packages }} state=present update_cache=yes ansible.builtin.apt: name={{ php_fpm_packages }} state=present update_cache=yes
# only copy php-fpm config for vhosts that need WordPress or PHP # only copy php-fpm config for vhosts that need WordPress or PHP
- name: Copy php-fpm pool config - name: Copy php-fpm pool config
template: src=php7.4-pool.conf.j2 dest=/etc/php/7.4/fpm/pool.d/{{ item.domain_name }}.conf owner=root group=root mode=0644 ansible.builtin.template: src=php7.4-pool.conf.j2 dest=/etc/php/7.4/fpm/pool.d/{{ item.domain_name }}.conf owner=root group=root mode=0644
loop: "{{ nginx_vhosts }}" loop: "{{ nginx_vhosts }}"
when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php) when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
notify: reload php7.4-fpm notify: reload php7.4-fpm
- name: Remove default www pool - name: Remove default www pool
file: path=/etc/php/7.4/fpm/pool.d/www.conf state=absent ansible.builtin.file: path=/etc/php/7.4/fpm/pool.d/www.conf state=absent
notify: reload php7.4-fpm notify: reload php7.4-fpm
# re-configure php.ini # re-configure php.ini
- name: Update php.ini - name: Update php.ini
template: src=php7.4-php.ini.j2 dest=/etc/php/7.4/fpm/php.ini owner=root group=root mode=0644 ansible.builtin.template: src=php7.4-php.ini.j2 dest=/etc/php/7.4/fpm/php.ini owner=root group=root mode=0644
notify: reload php7.4-fpm notify: reload php7.4-fpm
tags: php-fpm tags: php-fpm


@ -10,40 +10,40 @@
# #
# See: https://stackoverflow.com/a/31896249 # See: https://stackoverflow.com/a/31896249
- name: Check if any vhost needs WordPress - name: Check if any vhost needs WordPress
set_fact: ansible.builtin.set_fact:
install_php: True install_php: True
when: "nginx_vhosts | selectattr('has_wordpress', 'defined') | selectattr('has_wordpress', 'equalto', True) | list | length > 0" when: "nginx_vhosts | selectattr('has_wordpress', 'defined') | selectattr('has_wordpress', 'equalto', True) | list | length > 0"
# Legacy, was only for Piwik, but leaving for now. # Legacy, was only for Piwik, but leaving for now.
- name: Check if any vhost needs PHP - name: Check if any vhost needs PHP
set_fact: ansible.builtin.set_fact:
install_php: True install_php: True
when: "nginx_vhosts | selectattr('needs_php', 'defined') | selectattr('needs_php', 'equalto', True) | list | length > 0" when: "nginx_vhosts | selectattr('needs_php', 'defined') | selectattr('needs_php', 'equalto', True) | list | length > 0"
# If install_php has not been set, then we assume no vhosts need PHP. This is # If install_php has not been set, then we assume no vhosts need PHP. This is
# a bit hacky, but it's the closest we come to an if/then/else. # a bit hacky, but it's the closest we come to an if/then/else.
- name: Set install_php to False - name: Set install_php to False
set_fact: ansible.builtin.set_fact:
install_php: False install_php: False
when: install_php is not defined when: install_php is not defined
- name: Configure php-fpm on Ubuntu 18.04 - name: Configure php-fpm on Ubuntu 18.04
include_tasks: Ubuntu_18.04.yml ansible.builtin.include_tasks: Ubuntu_18.04.yml
when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('18.04', '==') and install_php when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('18.04', '==') and install_php
tags: php-fpm tags: php-fpm
- name: Configure php-fpm on Debian 10 - name: Configure php-fpm on Debian 10
include_tasks: Debian_10.yml ansible.builtin.include_tasks: Debian_10.yml
when: ansible_distribution == 'Debian' and ansible_distribution_version is version('10', '==') and install_php when: ansible_distribution == 'Debian' and ansible_distribution_version is version('10', '==') and install_php
tags: php-fpm tags: php-fpm
- name: Configure php-fpm on Ubuntu 20.04 - name: Configure php-fpm on Ubuntu 20.04
include_tasks: Ubuntu_20.04.yml ansible.builtin.include_tasks: Ubuntu_20.04.yml
when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==') and install_php when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==') and install_php
tags: php-fpm tags: php-fpm
- name: Configure php-fpm on Debian 11 - name: Configure php-fpm on Debian 11
include_tasks: Ubuntu_20.04.yml ansible.builtin.include_tasks: Ubuntu_20.04.yml
when: ansible_distribution == 'Debian' and ansible_distribution_version is version('11', '==') and install_php when: ansible_distribution == 'Debian' and ansible_distribution_version is version('11', '==') and install_php
tags: php-fpm tags: php-fpm