roles/nginx: reformat main tasks

roles/common: minor changes to Debian sshd_config files
roles/common: default to disabling SSH passwords
2023-08-10 22:44:47 +02:00 · 2023-08-10 22:10:04 +02:00 · 2023-08-10 22:09:03 +02:00
5 changed files with 82 additions and 20 deletions
--- a/roles/common/defaults/main.yml
+++ b/roles/common/defaults/main.yml
@ -10,4 +10,8 @@ fail2ban_findtime: 3600
 fail2ban_bantime: 1209600
 fail2ban_ignoreip: 127.0.0.1/8 172.26.0.0/16 192.168.5.0/24

+# Disable SSH passwords. Must use SSH keys. This is OK because we add the keys
+# before re-configuring the SSH daemon to disable passwords.
+ssh_password_authentication: disabled
+
 # vim: set ts=2 sw=2:
--- a/roles/common/templates/sshd_config_Debian-11.j2
+++ b/roles/common/templates/sshd_config_Debian-11.j2
@ -56,7 +56,11 @@ AuthorizedKeysFile	.ssh/authorized_keys
 #IgnoreRhosts yes

 # To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
+{% if ssh_password_authentication == 'disabled' %}
+PasswordAuthentication no
+{% else %}
+PasswordAuthentication yes
+{% endif %}
 #PermitEmptyPasswords no

 # Change to yes to enable challenge-response passwords (beware issues with
@ -122,7 +126,7 @@ Subsystem	sftp	/usr/lib/openssh/sftp-server
 #	AllowTcpForwarding no
 #	PermitTTY no
 #	ForceCommand cvs server
- 
+
 # Based on the ssh-audit profile for OpenSSH 8.4, but with but with all algos
 # with less than 256 bits removed, as NSA's Suite B removed them years ago and
 # the new (2018) CNSA suite is 256 bits and up.
@ -131,7 +135,7 @@ Subsystem	sftp	/usr/lib/openssh/sftp-server
 # See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
 MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
-KexAlgorithms curve25519-sha256, curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256

 {% if ssh_allowed_users is defined and ssh_allowed_users %}
 # Is there a list of allowed users?
--- a/roles/common/templates/sshd_config_Debian-12.j2
+++ b/roles/common/templates/sshd_config_Debian-12.j2
@ -56,8 +56,12 @@ AuthorizedKeysFile	.ssh/authorized_keys
 #IgnoreRhosts yes

 # To disable tunneled clear text passwords, change to no here!
+{% if ssh_password_authentication == 'disabled' %}
+PasswordAuthentication no
+{% else %}
 PasswordAuthentication yes
-PermitEmptyPasswords no
+{% endif %}
+#PermitEmptyPasswords no

 # Change to yes to enable challenge-response passwords (beware issues with
 # some PAM modules and threads)
@ -130,7 +134,7 @@ Subsystem	sftp	/usr/lib/openssh/sftp-server
 # See: https://github.com/jtesta/ssh-audit/blob/master/src/ssh_audit/policy.py
 # See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
-MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
 KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256

 {% if ssh_allowed_users is defined and ssh_allowed_users %}
--- a/roles/common/templates/sshd_config_Ubuntu-20.04.j2
+++ b/roles/common/templates/sshd_config_Ubuntu-20.04.j2
@ -56,7 +56,11 @@ AuthorizedKeysFile	.ssh/authorized_keys
 #IgnoreRhosts yes

 # To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
+{% if ssh_password_authentication == 'disabled' %}
+PasswordAuthentication no
+{% else %}
+PasswordAuthentication yes
+{% endif %}
 #PermitEmptyPasswords no

 # Change to yes to enable challenge-response passwords (beware issues with
@ -122,7 +126,6 @@ Subsystem sftp	/usr/lib/openssh/sftp-server
 #	AllowTcpForwarding no
 #	PermitTTY no
 #	ForceCommand cvs server
-PasswordAuthentication yes

 # Originally from: https://stribika.github.io/2015/01/04/secure-secure-shell.html
 # ... but with ciphers and MACs with < 256 bits removed, as NSA's Suite B now
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@ -1,13 +1,25 @@
 ---
 - name: Add nginx.org apt signing key
-  ansible.builtin.apt_key: id=0x573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 url=https://nginx.org/keys/nginx_signing.key state=present
+  ansible.builtin.apt_key:
+    id: 0x573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
+    url: https://nginx.org/keys/nginx_signing.key
+    state: present
  register: add_nginx_apt_key
-  tags: nginx, packages
+  tags:
+    - nginx
+    - packages

 - name: Add nginx.org repo
-  ansible.builtin.template: src=nginx_org_sources.list.j2 dest=/etc/apt/sources.list.d/nginx_org_sources.list owner=root group=root mode=0644
+  ansible.builtin.template:
+    src: nginx_org_sources.list.j2
+    dest: /etc/apt/sources.list.d/nginx_org_sources.list
+    owner: root
+    group: root
+    mode: 0644
  register: add_nginx_apt_repository
-  tags: nginx, packages
+  tags:
+    - nginx
+    - packages

 - name: Update apt cache
  ansible.builtin.apt:
@ -17,17 +29,32 @@
    add_nginx_apt_repository is changed

 - name: Install nginx
-  ansible.builtin.apt: pkg=nginx cache_valid_time=3600 state=present
-  tags: nginx, packages
+  ansible.builtin.apt:
+    pkg: nginx
+    cache_valid_time: 3600
+    state: present
+  tags:
+    - nginx
+    - packages

 - name: Copy nginx.conf
-  ansible.builtin.template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf mode=0644 owner=root group=root
+  ansible.builtin.template:
+    src: nginx.conf.j2
+    dest: /etc/nginx/nginx.conf
+    mode: 0644
+    owner: root
+    group: root
  notify:
    - reload nginx
  tags: nginx

 - name: Copy extra nginx configs
-  ansible.builtin.copy: src={{ item }} dest=/etc/nginx/{{ item }} mode=0644 owner=root group=root
+  ansible.builtin.copy:
+    src: "{{ item }}"
+    dest: "/etc/nginx/{{ item }}"
+    mode: 0644
+    owner: root
+    group: root
  loop:
    - extra-security.conf
    - fastcgi_cache
@ -36,11 +63,18 @@
  tags: nginx

 - name: Remove default nginx vhost
-  ansible.builtin.file: path=/etc/nginx/conf.d/default.conf state=absent
+  ansible.builtin.file:
+    path: /etc/nginx/conf.d/default.conf
+    state: absent
  tags: nginx

 - name: Create fastcgi cache dir
-  ansible.builtin.file: path=/var/cache/nginx/cached/fastcgi state=directory owner=nginx group=nginx mode=0755
+  ansible.builtin.file:
+    path: /var/cache/nginx/cached/fastcgi
+    state: directory
+    owner: nginx
+    group: nginx
+    mode: 0755
  tags: nginx

 - name: Configure nginx virtual hosts
@ -54,19 +88,32 @@
  tags: wordpress

 - name: Configure blank nginx vhost
-  ansible.builtin.template: src=blank-vhost.conf.j2 dest={{ nginx_confd_path }}/blank-vhost.conf  mode=0644 owner=root group=root
+  ansible.builtin.template:
+    src: blank-vhost.conf.j2
+    dest: "{{ nginx_confd_path }}/blank-vhost.conf"
+    mode: 0644
+    owner: root
+    group: root
  notify:
    - reload nginx
  tags: nginx

 - name: Configure munin vhost
-  ansible.builtin.copy: src=munin.conf dest=/etc/nginx/conf.d/munin.conf mode=0644 owner=root group=root
+  ansible.builtin.copy:
+    src: munin.conf
+    dest: /etc/nginx/conf.d/munin.conf
+    mode: 0644
+    owner: root
+    group: root
  notify:
    - reload nginx
  tags: nginx

 - name: Start and enable nginx service
-  ansible.builtin.systemd: name=nginx state=started enabled=true
+  ansible.builtin.systemd:
+    name: nginx
+    state: started
+    enabled: true
  tags: nginx

 - name: Configure Let's Encrypt
Author	SHA1	Message	Date
Alan Orth	14d57fc477	roles/nginx: reformat main tasks	2023-08-10 22:44:47 +02:00
Alan Orth	5c39f1abd8	roles/common: minor changes to Debian sshd_config files	2023-08-10 22:10:04 +02:00
Alan Orth	6794eb0432	roles/common: default to disabling SSH passwords	2023-08-10 22:09:03 +02:00