Compare commits
3 Commits
11614e3725
...
14d57fc477
Author | SHA1 | Date | |
---|---|---|---|
14d57fc477 | |||
5c39f1abd8 | |||
6794eb0432 |
@ -10,4 +10,8 @@ fail2ban_findtime: 3600
|
|||||||
fail2ban_bantime: 1209600
|
fail2ban_bantime: 1209600
|
||||||
fail2ban_ignoreip: 127.0.0.1/8 172.26.0.0/16 192.168.5.0/24
|
fail2ban_ignoreip: 127.0.0.1/8 172.26.0.0/16 192.168.5.0/24
|
||||||
|
|
||||||
|
# Disable SSH passwords. Must use SSH keys. This is OK because we add the keys
|
||||||
|
# before re-configuring the SSH daemon to disable passwords.
|
||||||
|
ssh_password_authentication: disabled
|
||||||
|
|
||||||
# vim: set ts=2 sw=2:
|
# vim: set ts=2 sw=2:
|
||||||
|
@ -56,7 +56,11 @@ AuthorizedKeysFile .ssh/authorized_keys
|
|||||||
#IgnoreRhosts yes
|
#IgnoreRhosts yes
|
||||||
|
|
||||||
# To disable tunneled clear text passwords, change to no here!
|
# To disable tunneled clear text passwords, change to no here!
|
||||||
#PasswordAuthentication yes
|
{% if ssh_password_authentication == 'disabled' %}
|
||||||
|
PasswordAuthentication no
|
||||||
|
{% else %}
|
||||||
|
PasswordAuthentication yes
|
||||||
|
{% endif %}
|
||||||
#PermitEmptyPasswords no
|
#PermitEmptyPasswords no
|
||||||
|
|
||||||
# Change to yes to enable challenge-response passwords (beware issues with
|
# Change to yes to enable challenge-response passwords (beware issues with
|
||||||
@ -122,7 +126,7 @@ Subsystem sftp /usr/lib/openssh/sftp-server
|
|||||||
# AllowTcpForwarding no
|
# AllowTcpForwarding no
|
||||||
# PermitTTY no
|
# PermitTTY no
|
||||||
# ForceCommand cvs server
|
# ForceCommand cvs server
|
||||||
|
|
||||||
# Based on the ssh-audit profile for OpenSSH 8.4, but with but with all algos
|
# Based on the ssh-audit profile for OpenSSH 8.4, but with but with all algos
|
||||||
# with less than 256 bits removed, as NSA's Suite B removed them years ago and
|
# with less than 256 bits removed, as NSA's Suite B removed them years ago and
|
||||||
# the new (2018) CNSA suite is 256 bits and up.
|
# the new (2018) CNSA suite is 256 bits and up.
|
||||||
@ -131,7 +135,7 @@ Subsystem sftp /usr/lib/openssh/sftp-server
|
|||||||
# See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
|
# See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
|
||||||
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
|
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
|
||||||
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
|
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
|
||||||
KexAlgorithms curve25519-sha256, curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
|
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
|
||||||
|
|
||||||
{% if ssh_allowed_users is defined and ssh_allowed_users %}
|
{% if ssh_allowed_users is defined and ssh_allowed_users %}
|
||||||
# Is there a list of allowed users?
|
# Is there a list of allowed users?
|
||||||
|
@ -56,8 +56,12 @@ AuthorizedKeysFile .ssh/authorized_keys
|
|||||||
#IgnoreRhosts yes
|
#IgnoreRhosts yes
|
||||||
|
|
||||||
# To disable tunneled clear text passwords, change to no here!
|
# To disable tunneled clear text passwords, change to no here!
|
||||||
|
{% if ssh_password_authentication == 'disabled' %}
|
||||||
|
PasswordAuthentication no
|
||||||
|
{% else %}
|
||||||
PasswordAuthentication yes
|
PasswordAuthentication yes
|
||||||
PermitEmptyPasswords no
|
{% endif %}
|
||||||
|
#PermitEmptyPasswords no
|
||||||
|
|
||||||
# Change to yes to enable challenge-response passwords (beware issues with
|
# Change to yes to enable challenge-response passwords (beware issues with
|
||||||
# some PAM modules and threads)
|
# some PAM modules and threads)
|
||||||
@ -130,7 +134,7 @@ Subsystem sftp /usr/lib/openssh/sftp-server
|
|||||||
# See: https://github.com/jtesta/ssh-audit/blob/master/src/ssh_audit/policy.py
|
# See: https://github.com/jtesta/ssh-audit/blob/master/src/ssh_audit/policy.py
|
||||||
# See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
|
# See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
|
||||||
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
|
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
|
||||||
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
|
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
|
||||||
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
|
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
|
||||||
|
|
||||||
{% if ssh_allowed_users is defined and ssh_allowed_users %}
|
{% if ssh_allowed_users is defined and ssh_allowed_users %}
|
||||||
|
@ -56,7 +56,11 @@ AuthorizedKeysFile .ssh/authorized_keys
|
|||||||
#IgnoreRhosts yes
|
#IgnoreRhosts yes
|
||||||
|
|
||||||
# To disable tunneled clear text passwords, change to no here!
|
# To disable tunneled clear text passwords, change to no here!
|
||||||
#PasswordAuthentication yes
|
{% if ssh_password_authentication == 'disabled' %}
|
||||||
|
PasswordAuthentication no
|
||||||
|
{% else %}
|
||||||
|
PasswordAuthentication yes
|
||||||
|
{% endif %}
|
||||||
#PermitEmptyPasswords no
|
#PermitEmptyPasswords no
|
||||||
|
|
||||||
# Change to yes to enable challenge-response passwords (beware issues with
|
# Change to yes to enable challenge-response passwords (beware issues with
|
||||||
@ -122,7 +126,6 @@ Subsystem sftp /usr/lib/openssh/sftp-server
|
|||||||
# AllowTcpForwarding no
|
# AllowTcpForwarding no
|
||||||
# PermitTTY no
|
# PermitTTY no
|
||||||
# ForceCommand cvs server
|
# ForceCommand cvs server
|
||||||
PasswordAuthentication yes
|
|
||||||
|
|
||||||
# Originally from: https://stribika.github.io/2015/01/04/secure-secure-shell.html
|
# Originally from: https://stribika.github.io/2015/01/04/secure-secure-shell.html
|
||||||
# ... but with ciphers and MACs with < 256 bits removed, as NSA's Suite B now
|
# ... but with ciphers and MACs with < 256 bits removed, as NSA's Suite B now
|
||||||
|
@ -1,13 +1,25 @@
|
|||||||
---
|
---
|
||||||
- name: Add nginx.org apt signing key
|
- name: Add nginx.org apt signing key
|
||||||
ansible.builtin.apt_key: id=0x573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 url=https://nginx.org/keys/nginx_signing.key state=present
|
ansible.builtin.apt_key:
|
||||||
|
id: 0x573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
|
||||||
|
url: https://nginx.org/keys/nginx_signing.key
|
||||||
|
state: present
|
||||||
register: add_nginx_apt_key
|
register: add_nginx_apt_key
|
||||||
tags: nginx, packages
|
tags:
|
||||||
|
- nginx
|
||||||
|
- packages
|
||||||
|
|
||||||
- name: Add nginx.org repo
|
- name: Add nginx.org repo
|
||||||
ansible.builtin.template: src=nginx_org_sources.list.j2 dest=/etc/apt/sources.list.d/nginx_org_sources.list owner=root group=root mode=0644
|
ansible.builtin.template:
|
||||||
|
src: nginx_org_sources.list.j2
|
||||||
|
dest: /etc/apt/sources.list.d/nginx_org_sources.list
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0644
|
||||||
register: add_nginx_apt_repository
|
register: add_nginx_apt_repository
|
||||||
tags: nginx, packages
|
tags:
|
||||||
|
- nginx
|
||||||
|
- packages
|
||||||
|
|
||||||
- name: Update apt cache
|
- name: Update apt cache
|
||||||
ansible.builtin.apt:
|
ansible.builtin.apt:
|
||||||
@ -17,17 +29,32 @@
|
|||||||
add_nginx_apt_repository is changed
|
add_nginx_apt_repository is changed
|
||||||
|
|
||||||
- name: Install nginx
|
- name: Install nginx
|
||||||
ansible.builtin.apt: pkg=nginx cache_valid_time=3600 state=present
|
ansible.builtin.apt:
|
||||||
tags: nginx, packages
|
pkg: nginx
|
||||||
|
cache_valid_time: 3600
|
||||||
|
state: present
|
||||||
|
tags:
|
||||||
|
- nginx
|
||||||
|
- packages
|
||||||
|
|
||||||
- name: Copy nginx.conf
|
- name: Copy nginx.conf
|
||||||
ansible.builtin.template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf mode=0644 owner=root group=root
|
ansible.builtin.template:
|
||||||
|
src: nginx.conf.j2
|
||||||
|
dest: /etc/nginx/nginx.conf
|
||||||
|
mode: 0644
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
notify:
|
notify:
|
||||||
- reload nginx
|
- reload nginx
|
||||||
tags: nginx
|
tags: nginx
|
||||||
|
|
||||||
- name: Copy extra nginx configs
|
- name: Copy extra nginx configs
|
||||||
ansible.builtin.copy: src={{ item }} dest=/etc/nginx/{{ item }} mode=0644 owner=root group=root
|
ansible.builtin.copy:
|
||||||
|
src: "{{ item }}"
|
||||||
|
dest: "/etc/nginx/{{ item }}"
|
||||||
|
mode: 0644
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
loop:
|
loop:
|
||||||
- extra-security.conf
|
- extra-security.conf
|
||||||
- fastcgi_cache
|
- fastcgi_cache
|
||||||
@ -36,11 +63,18 @@
|
|||||||
tags: nginx
|
tags: nginx
|
||||||
|
|
||||||
- name: Remove default nginx vhost
|
- name: Remove default nginx vhost
|
||||||
ansible.builtin.file: path=/etc/nginx/conf.d/default.conf state=absent
|
ansible.builtin.file:
|
||||||
|
path: /etc/nginx/conf.d/default.conf
|
||||||
|
state: absent
|
||||||
tags: nginx
|
tags: nginx
|
||||||
|
|
||||||
- name: Create fastcgi cache dir
|
- name: Create fastcgi cache dir
|
||||||
ansible.builtin.file: path=/var/cache/nginx/cached/fastcgi state=directory owner=nginx group=nginx mode=0755
|
ansible.builtin.file:
|
||||||
|
path: /var/cache/nginx/cached/fastcgi
|
||||||
|
state: directory
|
||||||
|
owner: nginx
|
||||||
|
group: nginx
|
||||||
|
mode: 0755
|
||||||
tags: nginx
|
tags: nginx
|
||||||
|
|
||||||
- name: Configure nginx virtual hosts
|
- name: Configure nginx virtual hosts
|
||||||
@ -54,19 +88,32 @@
|
|||||||
tags: wordpress
|
tags: wordpress
|
||||||
|
|
||||||
- name: Configure blank nginx vhost
|
- name: Configure blank nginx vhost
|
||||||
ansible.builtin.template: src=blank-vhost.conf.j2 dest={{ nginx_confd_path }}/blank-vhost.conf mode=0644 owner=root group=root
|
ansible.builtin.template:
|
||||||
|
src: blank-vhost.conf.j2
|
||||||
|
dest: "{{ nginx_confd_path }}/blank-vhost.conf"
|
||||||
|
mode: 0644
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
notify:
|
notify:
|
||||||
- reload nginx
|
- reload nginx
|
||||||
tags: nginx
|
tags: nginx
|
||||||
|
|
||||||
- name: Configure munin vhost
|
- name: Configure munin vhost
|
||||||
ansible.builtin.copy: src=munin.conf dest=/etc/nginx/conf.d/munin.conf mode=0644 owner=root group=root
|
ansible.builtin.copy:
|
||||||
|
src: munin.conf
|
||||||
|
dest: /etc/nginx/conf.d/munin.conf
|
||||||
|
mode: 0644
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
notify:
|
notify:
|
||||||
- reload nginx
|
- reload nginx
|
||||||
tags: nginx
|
tags: nginx
|
||||||
|
|
||||||
- name: Start and enable nginx service
|
- name: Start and enable nginx service
|
||||||
ansible.builtin.systemd: name=nginx state=started enabled=true
|
ansible.builtin.systemd:
|
||||||
|
name: nginx
|
||||||
|
state: started
|
||||||
|
enabled: true
|
||||||
tags: nginx
|
tags: nginx
|
||||||
|
|
||||||
- name: Configure Let's Encrypt
|
- name: Configure Let's Encrypt
|
||||||
|
Loading…
Reference in New Issue
Block a user