Compare commits

..

3 Commits

5 changed files with 82 additions and 20 deletions

View File

@ -10,4 +10,8 @@ fail2ban_findtime: 3600
fail2ban_bantime: 1209600 fail2ban_bantime: 1209600
fail2ban_ignoreip: 127.0.0.1/8 172.26.0.0/16 192.168.5.0/24 fail2ban_ignoreip: 127.0.0.1/8 172.26.0.0/16 192.168.5.0/24
# Disable SSH passwords. Must use SSH keys. This is OK because we add the keys
# before re-configuring the SSH daemon to disable passwords.
ssh_password_authentication: disabled
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

View File

@ -56,7 +56,11 @@ AuthorizedKeysFile .ssh/authorized_keys
#IgnoreRhosts yes #IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here! # To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes {% if ssh_password_authentication == 'disabled' %}
PasswordAuthentication no
{% else %}
PasswordAuthentication yes
{% endif %}
#PermitEmptyPasswords no #PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with # Change to yes to enable challenge-response passwords (beware issues with
@ -131,7 +135,7 @@ Subsystem sftp /usr/lib/openssh/sftp-server
# See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite # See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256, curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256 KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
{% if ssh_allowed_users is defined and ssh_allowed_users %} {% if ssh_allowed_users is defined and ssh_allowed_users %}
# Is there a list of allowed users? # Is there a list of allowed users?

View File

@ -56,8 +56,12 @@ AuthorizedKeysFile .ssh/authorized_keys
#IgnoreRhosts yes #IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here! # To disable tunneled clear text passwords, change to no here!
{% if ssh_password_authentication == 'disabled' %}
PasswordAuthentication no
{% else %}
PasswordAuthentication yes PasswordAuthentication yes
PermitEmptyPasswords no {% endif %}
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with # Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads) # some PAM modules and threads)
@ -130,7 +134,7 @@ Subsystem sftp /usr/lib/openssh/sftp-server
# See: https://github.com/jtesta/ssh-audit/blob/master/src/ssh_audit/policy.py # See: https://github.com/jtesta/ssh-audit/blob/master/src/ssh_audit/policy.py
# See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite # See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256 KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
{% if ssh_allowed_users is defined and ssh_allowed_users %} {% if ssh_allowed_users is defined and ssh_allowed_users %}

View File

@ -56,7 +56,11 @@ AuthorizedKeysFile .ssh/authorized_keys
#IgnoreRhosts yes #IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here! # To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes {% if ssh_password_authentication == 'disabled' %}
PasswordAuthentication no
{% else %}
PasswordAuthentication yes
{% endif %}
#PermitEmptyPasswords no #PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with # Change to yes to enable challenge-response passwords (beware issues with
@ -122,7 +126,6 @@ Subsystem sftp /usr/lib/openssh/sftp-server
# AllowTcpForwarding no # AllowTcpForwarding no
# PermitTTY no # PermitTTY no
# ForceCommand cvs server # ForceCommand cvs server
PasswordAuthentication yes
# Originally from: https://stribika.github.io/2015/01/04/secure-secure-shell.html # Originally from: https://stribika.github.io/2015/01/04/secure-secure-shell.html
# ... but with ciphers and MACs with < 256 bits removed, as NSA's Suite B now # ... but with ciphers and MACs with < 256 bits removed, as NSA's Suite B now

View File

@ -1,13 +1,25 @@
--- ---
- name: Add nginx.org apt signing key - name: Add nginx.org apt signing key
ansible.builtin.apt_key: id=0x573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 url=https://nginx.org/keys/nginx_signing.key state=present ansible.builtin.apt_key:
id: 0x573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
url: https://nginx.org/keys/nginx_signing.key
state: present
register: add_nginx_apt_key register: add_nginx_apt_key
tags: nginx, packages tags:
- nginx
- packages
- name: Add nginx.org repo - name: Add nginx.org repo
ansible.builtin.template: src=nginx_org_sources.list.j2 dest=/etc/apt/sources.list.d/nginx_org_sources.list owner=root group=root mode=0644 ansible.builtin.template:
src: nginx_org_sources.list.j2
dest: /etc/apt/sources.list.d/nginx_org_sources.list
owner: root
group: root
mode: 0644
register: add_nginx_apt_repository register: add_nginx_apt_repository
tags: nginx, packages tags:
- nginx
- packages
- name: Update apt cache - name: Update apt cache
ansible.builtin.apt: ansible.builtin.apt:
@ -17,17 +29,32 @@
add_nginx_apt_repository is changed add_nginx_apt_repository is changed
- name: Install nginx - name: Install nginx
ansible.builtin.apt: pkg=nginx cache_valid_time=3600 state=present ansible.builtin.apt:
tags: nginx, packages pkg: nginx
cache_valid_time: 3600
state: present
tags:
- nginx
- packages
- name: Copy nginx.conf - name: Copy nginx.conf
ansible.builtin.template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf mode=0644 owner=root group=root ansible.builtin.template:
src: nginx.conf.j2
dest: /etc/nginx/nginx.conf
mode: 0644
owner: root
group: root
notify: notify:
- reload nginx - reload nginx
tags: nginx tags: nginx
- name: Copy extra nginx configs - name: Copy extra nginx configs
ansible.builtin.copy: src={{ item }} dest=/etc/nginx/{{ item }} mode=0644 owner=root group=root ansible.builtin.copy:
src: "{{ item }}"
dest: "/etc/nginx/{{ item }}"
mode: 0644
owner: root
group: root
loop: loop:
- extra-security.conf - extra-security.conf
- fastcgi_cache - fastcgi_cache
@ -36,11 +63,18 @@
tags: nginx tags: nginx
- name: Remove default nginx vhost - name: Remove default nginx vhost
ansible.builtin.file: path=/etc/nginx/conf.d/default.conf state=absent ansible.builtin.file:
path: /etc/nginx/conf.d/default.conf
state: absent
tags: nginx tags: nginx
- name: Create fastcgi cache dir - name: Create fastcgi cache dir
ansible.builtin.file: path=/var/cache/nginx/cached/fastcgi state=directory owner=nginx group=nginx mode=0755 ansible.builtin.file:
path: /var/cache/nginx/cached/fastcgi
state: directory
owner: nginx
group: nginx
mode: 0755
tags: nginx tags: nginx
- name: Configure nginx virtual hosts - name: Configure nginx virtual hosts
@ -54,19 +88,32 @@
tags: wordpress tags: wordpress
- name: Configure blank nginx vhost - name: Configure blank nginx vhost
ansible.builtin.template: src=blank-vhost.conf.j2 dest={{ nginx_confd_path }}/blank-vhost.conf mode=0644 owner=root group=root ansible.builtin.template:
src: blank-vhost.conf.j2
dest: "{{ nginx_confd_path }}/blank-vhost.conf"
mode: 0644
owner: root
group: root
notify: notify:
- reload nginx - reload nginx
tags: nginx tags: nginx
- name: Configure munin vhost - name: Configure munin vhost
ansible.builtin.copy: src=munin.conf dest=/etc/nginx/conf.d/munin.conf mode=0644 owner=root group=root ansible.builtin.copy:
src: munin.conf
dest: /etc/nginx/conf.d/munin.conf
mode: 0644
owner: root
group: root
notify: notify:
- reload nginx - reload nginx
tags: nginx tags: nginx
- name: Start and enable nginx service - name: Start and enable nginx service
ansible.builtin.systemd: name=nginx state=started enabled=true ansible.builtin.systemd:
name: nginx
state: started
enabled: true
tags: nginx tags: nginx
- name: Configure Let's Encrypt - name: Configure Let's Encrypt