alanorth/ansible-personal
1
0
Fork 0
Code Issues 4 Pull Requests Projects Releases Wiki Activity

Compare commits

base: alanorth:11614e372535c07856c588fa669d924d9d487ec7
Branches Tags
alanorth:master alanorth:alpine
..
compare: alanorth:master
Branches Tags
alanorth:master alanorth:alpine

63 Commits
11614e3725 ... master

Author SHA1 Message Date
Alan Orth
73fd06fe3a roles/common: remove cron-apt 
Use unattended-upgrades instead. It has sane defaults on Debian at
least (I haven't checked Ubuntu).
 2025-04-07 09:51:09 +03:00
Alan Orth
88cb3a370e Remove logic for Ubuntu 20.04 and Debian 11 2025-03-29 23:09:44 +03:00
Alan Orth
027a43ddbe roles/caddy: use default for encode 2025-03-29 22:49:30 +03:00
Alan Orth
bb30c3be20 host_vars/web22: update vhosts 2025-03-29 22:48:19 +03:00
Alan Orth
d8d9790d21 roles/nginx: enable nginx ssl_session_tickets 
This has apparently been supported since nginx 1.23.2 and is safe
to use the default (on) now.

See: https://github.com/mozilla/server-side-tls/issues/284
 2025-03-29 22:35:56 +03:00
Alan Orth
9a500ebc0d roles/nginx: disable nginx ssl_prefer_server_ciphers 
This is apparently the default and recommended by Mozilla's server-
side SSL configurator also recommends. This lets the client choose
the ciphers best for them (and the ciphers in TLS 1.2 and 1.3 are
not currently known to be dangerous).
 2025-03-29 22:34:41 +03:00
Alan Orth
4bae942585 roles/nginx: add nginx ssl_ecdh_curve 
This seems to be new since I last looked at the Mozilla server-side
SSL configurator.
 2025-03-29 22:34:37 +03:00
Alan Orth
99866c0c90 roles/nginx: use one day for nginx ssl_session_timeout 
This is a new default since I last looked at the Mozilla server-side
SSL configurator.
 2025-03-29 22:34:32 +03:00
Alan Orth
0afb8a4493 roles/nginx: update nginx ssl_buffer_size 
The old default has not been changed in eight years and I see that
there have been some discussions over the years about this. I will
change this from the slightly extreme 1400 bytes to 4k (nginx def-
ault is still 16k so this is more "optimal" for HTML/CSS content).

See: https://github.com/igrigorik/istlsfastyet.com/issues/63
 2025-03-29 22:34:27 +03:00
Alan Orth
506695da31 roles/nginx/defaults: update version comments 2025-03-29 22:24:49 +03:00
Alan Orth
f67ed7762c roles/nginx: fix http2 syntax 2025-03-29 22:20:49 +03:00
Alan Orth
014f4d9502 roles/nginx: add newline 2025-03-29 22:19:41 +03:00
Alan Orth
22c16e1ed3 roles/caddy/templates: closer to supporting WordPress 
I still wouldn't want to deploy WordPress on Caddy until it's more
obvious and standard to block paths that shouldn't be accessible.
It seems that this is still left as an exercise to the site admin.

This discussion has some tips, but it is four years old and hasn't
changed since I last looked.

See: https://caddy.community/t/using-caddy-to-harden-wordpress/13575
 2025-03-29 22:09:37 +03:00
Alan Orth
5aa6a33e51 roles/php-fpm: set user and group based on webserver 
We use either caddy or nginx, which are conveniently named the same
as the Unix user and group.
 2025-03-29 21:01:56 +03:00
Alan Orth
7f9b06af9c roles/nginx: smarter setting of document root 2025-03-29 19:34:53 +03:00
Alan Orth
84db337fea roles/caddy: smarter setting of document root 2025-03-29 19:33:02 +03:00
Alan Orth
7b23f5f94f roles/caddy: add missing tag 2025-03-29 19:16:03 +03:00
Alan Orth
9830338be3 Use one default root prefix for nginx and caddy 2025-03-29 19:15:56 +03:00
Alan Orth
e3eed26765 roles/caddy: update vhost template 2025-03-29 18:37:28 +03:00
Alan Orth
8b31c7e148 host_vars/web22: WordPress 6.7.2 2025-03-29 16:10:23 +03:00
Alan Orth
3ff8043aaf Pipfile.lock: run pipenv update 2025-03-29 15:30:08 +03:00
Alan Orth
cb79f7ef70 roles/common: minor change to firehol update script 
They include bogons like 127.0.0.1 that should not be routed on the
public Internet, but this blocks local applications we proxy to.
 2025-01-28 09:14:48 +03:00
Alan Orth
bb14f05d2a roles/common: use Ansible timezone module 
No need to use a command for that. The module does it better because
it doesn't register a change unless the timezone changes.
 2025-01-27 23:11:56 +03:00
Alan Orth
5b1530fa91 roles/common: rework firewall 
Use firehol instead of all the others. AbuseIPDB.com can't be upd-
ated automatically, Abuse.ch is no longer maintained, and Spamhaus
is already in firehol.
 2025-01-27 23:05:45 +03:00
Alan Orth
5312dc6bd5 roles/common: use common nftables task 
Use a common nftables task on Debian and Ubuntu.
 2025-01-27 23:05:38 +03:00
Alan Orth
d6e060d3af roles/common: simplify firewall tasks 
Apply firewall tag to included tasks, then we don't need to use a
block.
 2025-01-27 22:30:50 +03:00
Alan Orth
b873af004a roles/common: single firewall task include 
Use one include from the main tasks file.
 2025-01-27 22:28:27 +03:00
Alan Orth
7ea3ab46f8 host_vars/web22: WordPress 6.7.1 2025-01-27 21:48:16 +03:00
Alan Orth
0561bd5b52 Pipfile.lock: run pipenv update 2025-01-27 21:36:13 +03:00
Alan Orth
d62572f02c Pipfile: python 3.13 2025-01-27 21:35:58 +03:00
Alan Orth
2ffe5e87d9 host_vars/web22: WordPress 6.6.2 2024-12-30 11:03:47 +03:00
Alan Orth
38d4f1a303 Pipfile.lock: run pipenv update 2024-12-30 11:03:35 +03:00
Alan Orth
ed8cb88038 host_vars/web22: WordPress 6.5.5 2024-06-25 08:18:22 +03:00
Alan Orth
c31e447861 roles/nginx: update signing key 2024-06-25 08:11:59 +03:00
Alan Orth
545684467c host_vars/nomad03: remove 2024-06-05 20:35:29 +03:00
Alan Orth
24ae5eaab1 host_vars/web22: WordPress 6.5.3 2024-05-13 14:51:45 +03:00
Alan Orth
dac23f1427 Pipfile: use Python 3.12 2024-05-13 14:51:34 +03:00
Alan Orth
41fbc73dd1 host_vars/web22: WordPress 6.4.3 2024-03-20 20:28:13 +03:00
Alan Orth
fee794bcf0 Update Pipfile 2024-03-20 20:28:00 +03:00
Alan Orth
8bce1d8b1b host_vars/web22: WordPress 6.4.1 2023-12-02 22:40:06 +03:00
Alan Orth
6dc2ea36b6 roles/nginx: fix path to php 8.2 socket 2023-09-11 19:55:24 +03:00
Alan Orth
af71a9b5f8 roles/php-fpm: remove fmt strings 
Ansible confuses them for jinja2 tokens.
 2023-09-11 19:52:18 +03:00
Alan Orth
4dd57803e2 roles/php-fpm: fix user/group for php 8.2 configs 2023-09-11 19:51:59 +03:00
Alan Orth
18d4245fc0 roles/common: fix tarsnap signing of apt repo 2023-09-11 19:37:49 +03:00
Alan Orth
1bddf3cccd Pipfile.lock: run pipenv update 2023-09-11 18:52:25 +03:00
Alan Orth
20dbe61fe1 roles/mariadb: use MariaDB 10.11 
The server has already been updated from 10.6 to 10.11.

See: https://mariadb.com/kb/en/upgrading-from-mariadb-10-6-to-mariadb-10-11/
 2023-09-10 22:53:10 +03:00
Alan Orth
899e87321b host_vars/web22: WordPress 6.3.1 2023-09-10 22:44:23 +03:00
Alan Orth
06416a3b64 roles: run ansible-lint --write 2023-08-23 22:22:51 +03:00
Alan Orth
7a9a24ef5d roles/common: rework fail2ban again 
Actually, we do want to run fail2ban on all hosts because the sshd
monitoring via systemd is nice. At the very least it reduces spam
from failed logins in our systemd journal.
 2023-08-23 22:15:24 +03:00
Alan Orth
067adcd9f5 roles/common: rework fail2ban tasks 
We can only run fail2ban when we have logs to monitor. When a host
is running Caddy we don't have logs, so fail2ban doesn't have any-
thing to monitor out of the box. For now I will restrict the task
to hosts running nginx.
 2023-08-23 21:59:28 +03:00
Alan Orth
84d210cfab roles/common: re-format handlers 
Use the newer Ansible format.
 2023-08-23 21:35:28 +03:00
Alan Orth
17736a4f14 roles/common: run ansible-lint --write 2023-08-23 21:33:22 +03:00
Alan Orth
b9e91c4a3d roles/common: minor updates to tarsnap task 
Use modern Ansible task format
 2023-08-23 21:20:22 +03:00
Alan Orth
51c95e5d4c roles/common: update tarsnap task 
Update tarsnap task to use apt signed-by for package signing keys
instead of adding keys directly to apt-key.
 2023-08-23 21:18:27 +03:00
Alan Orth
8dbec29d2a roles/nginx: prepare letsencrypt task for Debian 12 2023-08-23 21:01:12 +03:00
Alan Orth
d3bf3dab04 roles/php-fpm: add support for PHP 8.2 
This is used in Debian 12.
 2023-08-23 20:56:35 +03:00
Alan Orth
8f50b7756b host_vars/web22: WordPress 6.3 2023-08-22 21:33:49 +03:00
Alan Orth
e86ccc9979 roles/nginx: minor rework of apt key stuff 2023-08-22 21:33:19 +03:00
Alan Orth
cea8529f49 Pipfile.lock: run pipenv update 2023-08-22 21:02:17 +03:00
Alan Orth
d77718edae host_vars: add fail2ban_ignoreip 2023-08-14 16:37:07 +02:00
Alan Orth
14d57fc477 roles/nginx: reformat main tasks 2023-08-10 22:44:47 +02:00
Alan Orth
5c39f1abd8 roles/common: minor changes to Debian sshd_config files 2023-08-10 22:10:04 +02:00
Alan Orth
6794eb0432 roles/common: default to disabling SSH passwords 2023-08-10 22:09:03 +02:00
63 changed files with 1789 additions and 12089 deletions
Expand all files Collapse all files

2
Pipfile
View File

@ -10,4 +10,4 @@ ansible = "*"
ansible-lint = "*"
[requires]
python_version = "3.10"
python_version = "3.13"

1054
Pipfile.lock generated
View File

File diff suppressed because it is too large Load Diff

2
README.md
View File

@ -4,7 +4,7 @@ Ansible playbook for base and initial configuration of the web server hosting my
## Assumptions
Before you can run this, a few things are assumed:
- You have a clean, minimal Ubuntu 20.04 or Debian 11/12 host up and running
- You have a clean, minimal Debian 12 host up and running
- Python 3 is installed on the remote server (requirement of Ansible)
- You have a user account with password-less SSH access to the machine
- You have sudo privileges on the remote host

3
group_vars/web
View File

@ -8,4 +8,7 @@ webserver: nginx
extra_fail2ban_filters:
- nginx
# root prefix for all web servers
web_root_prefix: /var/www
# vim: set ts=2 sw=2:

86
host_vars/nomad03
View File

@ -1,86 +0,0 @@
$ANSIBLE_VAULT;1.1;AES256
31396238396138613138623165346137663838366430363266646565643765303261636131663538
3932326435366133356536343464633664353734386433330a626533613665623965656430393966
33366238326164303438633265613862376530613236383733386433383437393431303761663534
3131396534643134300a303364653539623938356363346664633539323266323265396565353664
37613435616536343736356564656139633165383538383036313637656235646435363266346332
30343632666438653532353930376461643234303062376134323762303161663832646463313664
32383363316631346131656634393866326233323530656236383865613564633030383338303132
36623236623132653634613966336437663464386662353262313334386465386435626463383536
35376334386564613763343165333762383136353233346134326430386639333938383736613564
65663431616164306231633935636462626232323764326234353966323530636363333432373535
35356265623039623738336533646639336564316561623463353936393531393064326565616232
36346163633164656132303738316531623735646662333936663034626438616430643638613136
33343064376464343561313739616634643339323264306536666231373139376330306130383662
33306364383039633239353062303262663531393538656539313161396538306437613432313662
38303834386234313065326234393962643036633864306263346132373736613435306339393861
34303438333038306431623632373263306336356132613236306438373663346131343536353664
39633330363032653133623161623733323431663261663666306630303832323338646364353335
37316338616561626231333265323134356666363136633938396133656532653338353935633365
63633632626566326336653466343861646465373965643339383361303039613637626562353961
62306236396530663835353438316438343431326237316137616639323732383138643138353666
66386365333465666136343737623064396432323439366634376165663336373536653333373466
32646434613535383539356232636664666237653838336561393530346263666665373962396439
62393262616361366430633738343934383231626461393962663566633134326664613634376361
36643733326563653639306361383434313763326631396165613334366634393465396361646331
65313338623862633335366536626636643636376137663938656534366335393861333430636637
37316662393564333231636433653637393738303933326531653362623935343434376439336665
32653237333861626238616337383533636439366437393363366537393164663563626639343162
38303463663931616437626638626563363937373732346534376438373537303136366666616662
32303536646266396564656363393331643431393438316565386264383036643061656236666265
61616165363336653464343235333762383263626438636665306330333339323438656263633361
39316264356261653234386466623033366334303265633237366130656530366238663766313662
33316336376362616132613661633039643735653565663562393462303436373335343135353864
63393433336638363232333334653633616236383631626665656162303162313939316364393238
38383761363037303864313465353963623438316563633562663130356361353036326333366332
36636631343335313463346539666332626662643166633035363733323337303961646266316435
31356235333433353936353163633132386430336161356238336234353336613761346161386663
31343334393137356138376532363231356636396531646361383436666531646137346231363132
30613362636238386635306264396463316432303437316265386131666535653739663762373138
30643666336530343961336561303266383534393135356361633035393935333133386535666134
37326665623264323233613834336537633935306532353936396361333037353562353734323936
64643131656237666633383738636631303361633366386466633531396432636263626164306166
33366538356165613134386130366433336539613036373934373764336566653039366531653232
63353265663337366265623633373264633231333364666635393564306131303132613439643464
36333434303230646631623433323863303836636466323931363130366465333562613432343032
33353339353733326636373165663865646635353031313230313962303034356432393835666532
31313838333136623466636236393164303232356363373237643762366161633038323565656266
65653662393638383436386533633632386638633431316465393165393861396334386261663733
33383237313233623035343530373963393562633434373563613066343366336233303766383431
66393534613638663637626634316664363235333333616434633239613734363330653662646537
65333731653430356563346435353433363936386664343232613537663233623437376164653562
34343538663339633361323934636131663061353238333766623366653234643637643330646231
35313235383232663533386663366336383632383236313731303533313039383063616136303534
37616131663336353164636333323930366364316437396661663838653538316562616662616133
62663766383933316363353163616338306164656636326238333338316330366135333338303064
38383866643732376262643862383266316435623432623564643433383434373564656161303162
30316434613965643063303663623830646361386132303433366663343464656239396230326438
62643430643761666361623737343838393434343238373336343633363534383830656134383166
65383437643765363036613130666664343935343264363733643330363366326332393636643561
32303139633133646261356238623134643135333166363862666166366261663630323138353962
35663535613131323237616365373866346432616133326136366666333262616536373939356165
61376563633363333465393333323937376565636163623038383635376436613639366335336132
64643132366630613065376334366231393162323931313532393830656432303338346665643034
62653964663131313761363765333364356135616533646232613333646433623631376637303632
33326533383139663266623234363264326233653166626563383263623038643766313062303030
61326538363265336138346166613735363661396437303935373137623230613466613939633234
61643135383539326239326134333163323633316239613238323564626632363863656662323134
37373462343239306630333162643139653539353431623734633864353737626365373934363532
30323334306161623866346532306665366637373730383164613932316230306236323366623564
35326262336232613138646633333661396334393430303433303636643934666637333462326661
37356263646165373739343065653539313034303133656537626662333036323064646634303066
61653364663331306432313766376263643565626466346566343732333332623365643963323232
62363366313936333162303632626561313934303264383338616639366135343337653935363861
63623430343536306633313738313135383465636336663636396239356634303237386365626661
65663861306435626663326137646161373133306430336132613762663735666363343163373432
30353534373634326561633236373462633039353130656438323764363339663637616530316237
35313532633937623633383534656665383066633365666462666331623437626465666466336438
30636436643034316262376635383330383835613138626130363466643362363130356334373730
65363934653138353834353761656265623230326532316161623332383234383139386265643737
64316435653531366163636635636436383135636338313035336633326366663730613839626136
30303735316562383637363462376663396262663333313964393538626665376139373565663963
61663834643265306134316536393166626239643438373336353834383966346366616537363032
64656466303062383731386661373661633666616163643034306661323635363964613736336466
62656637616264393464653439356665653061356534646134373639613536613763393839333731
39643737646566396466663732323237363064643131393065666266393165373331623536353135
64376437643062393436383435343732623766656431353936336265356662393739

51
host_vars/web21
View File

@ -1,26 +1,27 @@
$ANSIBLE_VAULT;1.1;AES256
30323335373866653137343434333334396130326232343331323131306335386539343766373739
3039386264306531346164376336323666373534623165610a393739636333336535626530626166
34303361303965303738373231306566633566616535623832376639366339613165643466343366
3366663737646339640a643361643864356563396537383166333035643861393638616431383030
38333464303264383161653330336631326666323935353864386334323630306336333431336233
64353432326430393964613737373936373561303865393537393436616530396364356139383136
38303035316437663661386233303963323866393266313565333863343234353138316264313865
31643132356334353830383639363532356365666463653964343735383831393962386635343335
30303463613730383165663139666339623335396630346566303663336334346264646439336637
34613537653163383039383230653065666263323538386333363165363566626133646230653930
36616132643732353039616131333261386439643464353836623731333562613031323161633862
66326230623064343632633463386233383036303636643037653238373064636363613634663030
36636262623036356533643139373363663166373363366234396439613438666665626137663936
36363837383735386537343038383965666435336162316235656631343662346465363031343364
66633465643732343434306263303435616663393835663930343932653535653866306231363261
33313766316137356639333330666335346634366261333163333635373061363065396163393239
64353264336335353937646331616334613961633935653731616238343365323237666639633832
39313861633034343563376534383764353963316161326461376131646633356462323736346638
32343635346263346536353439666132333361653730323335366463633964616234633435653663
33323239386333333465333563373839633564353837666534663863643262366663643731366536
31656661303238623439356331656635636534323735616133366164343632373734363236316666
32363834653836636466373462643362323036386262336362663762626436313761363563363536
30636136353039653735313135656230643234346337323632303766646163373161636438336633
64303233396665656362663163323635323531306261363462356433376538373266383936376265
3265
38663333313561616264323430323162323837623430363739623561633331656664613936666665
6364373033623163393239663035306337383066343438310a383666313434323036643037363065
30396333626130303633663930663965666662646233393439376661346265616565616236623366
3930373433646231610a336233663132306263656465633034333030316362643939316465666534
38353961393038613961353732613434663565633466303265383231343336386330333464376363
33616330643364376332623634363766656366666239633964316439376463313063333162343963
61356634393438313063666434626338616264613639656462626639616263366531663135393466
66346635616439306364356133303664376134626636616131373138656562363363306633333164
62623135343633393834393165383231316562643062343165663235313930663039623135373263
61343336643235303962333938613230356465346436376334373438386461366231383737643137
36343832353730366131653430633465383163396336353065306638373166386438356264616139
65346635663338366463343932336231386235393836616238373864626235623935663661396663
31633565356465333737303339333435383162316530396563333335613062623138333232336162
62376363666431363931663231643561616562383230643737393261623934363633313231333137
39383238656237343661626662366465356463396336386261326334613436396364633062646532
61313136366636363861316166396134316562666435653437326331363563653035343138636163
66336139636533656334643966383962383734623565323435333665666164353732663736326364
35616264383237316330386539363065376334643432393636643464646238633034333166663665
33313166393738626133636136346637646437306335326263393634363133663736666338313838
64623139613037653461643563666539613237323934376534376461313833336338623032616661
64643062663633366436383232366137373936383430306332616634636331326361383931363961
62313236313563326438303935373837666434313435653236643135303739373763656562393537
31653265653739346433663937343439656231663963333633373066356231623762313438393763
36306336656566633034373834316363333233326130626639313130643935333437653934313636
32383034346234333561333466653561323834346166633831303566376266373933356536383031
6236303934323963336662386666653138313165366133303434

274
host_vars/web22
View File

@ -1,135 +1,141 @@
$ANSIBLE_VAULT;1.1;AES256
35376262343536323361666636343162396166663733666265366363373433376162303931323339
3934616330636638323866613564626634643065353336310a323436303031303532363932343632
63336265363266643932623738323365303436656235383636303966353566376533653130646363
3462653937303030370a343130653735343966663031336665356663383132646635383738613539
63626165336133393661306438366535613533326339636263343034623431366165663331366531
30646666633039633138346363666262356136363537353231666631333933393736666361376166
38323964313264343861306137643630636133356461643266356231333937363833366166376662
36663633313930363563376263356662623635313163393765323635306636363565663739333464
38663865363562636337336433363433633832396165393361663566633362396565646261313835
39356133623831303636346631373665343037353931323331373135336639653564316564643365
31396530633366393035356563386237306462646561633164626163646433653138313030313263
39653737326132633237363066666564653338396136613437336336383761333634393130363165
38343730386265623734376536383434363236323464613363393338303533373030313231356232
64383964376436323933356335626661336636353338346566383064383431363862383239666436
33306235623864393839313730643634316332353334376437326533383463393066663034343031
33333266393762616631643134366337383437396535363334616265616233346539386531383732
63616435326235336630663262333631613862386333316331633531653133653431643563353735
64393461306531613833326334366235356263666139623834616262643831323763316338623663
61316238373639643039346430623164626336393333316537636333356166626231393635333135
37613866663763323466613631373034666366663361366532336661363536313535373637346365
64346262313632363564376631343965313462353664633036376137333835336665323331386330
36323836623137343434353261666438313030333162666461343632646433643637393765666139
36333366643931636263383239643434616461623232646436313039316161656262303562666132
61393339366663333363653366613362313635376633653337313466633834346666313663663435
33626331363466366262346362396663326335316464333536653463306663643965623630306462
66313664353430366537303630396164633063383837653536333062626433343839376633653032
30633035326263393161353839663336623235323139323930656339666233616233376434316462
39626162353561376437613236363862646365616134356565333633336666353432313763623232
31376265303032316137623334623833343939393534616164616163366639393736623231663264
62396433313434343163323435663666316466636334613736623564373836646533623061393063
30393339643464623164336339656263366531616536353464666232343866666666336561613036
66623962643530613264363862383266373361623865363731656639343933663334333861376333
63663638653337366433656534306236363739343961616234656539633961616461386461326363
35343936616437626134653237623833333561623537623032663538343865393633623637346336
34306264613031373235666534656230336265363236653563303833663261343737626563663732
33346335383234396434613436313764626530623862323536626231363536616362336132656661
62353137303365643134663063383135363135306265363738646464316337336263303561633034
64616131656338613664373034643632613037303531623565613131356230653737386565626237
39393232616630626437393562653438666430393332636465363731663332383265626665613162
62623262653331623637313266626464366434306531326430636337373737383732643730333361
65313635346535353238363430636639643136366562333732633739353130363263363962336462
64616537386366316439626534646563336335323332663233613137323665616534356264656437
35393563633961366238653761616130393166663664666436386461633636656561353131666664
63343833326139316634323937633631323763353135663936623130343636663361666333653665
66313336363163656561636163316435303561313734623065616161613232323635653839366534
35653364356534326536353430663237323530353266653234633637383165663839343562303763
36333238653132353530366637636234633766353364633162373765333438373964323266636336
66376361656264386233303261346166303463303034623033336331633732343365316131326437
65323036306562373537303330623666323734646335363761373762653062323363383533653664
63613264353766356134336139613735633334313530353939363637376239333064376536343166
32613464323161313938393337323765303131666134306131366436383932373934363833303461
37353264303939333933373666333365376330326237303537616332633730356433663037363363
38613539633761373630353562366537333037313030643562383961633632363964363931336566
66643236626362356264643162626438333333326136336435643335313835353432353530633965
33633532356137353536633564346661316263333537316436653138316562396163356564393931
62383731613063396435336163353064303730356635633737663464663266303439636332303035
35623739326136336464373061373637613666316632343134313265306537383234363138393265
34346662356161613362393432656566663430306435386462633936383564653937626431663535
38363561626461353537623463376237613533376531613439346365616365366163353561633237
39666432336631356331396536643464616533323836363365316434383030643663636430336536
33626239373263383339613062666364376639346337666332346330313834663266663937353032
36613762663466623534653335646434356335333933313832363431343538616161363661653762
35323765356330633331356435623733663238396165366234323335666632306336643533333966
31383566623266663365613236613538333666646266396236616164303466653035636532363063
62383261636464383538313733393237373432306562656666303936383939373837643462366431
62636161653834353061633865323431646334636638366435303334353062653138373139323035
32366130666336626134393061383164626466303639343661393064626162383838653466656262
36613333623637656637313433353837383634393731353334616237636565653833643236356539
36343537356339303637356137323534646465333338336364643463333464393637646132383561
33656339623865663739376537313835393364653537333730346632383965343434636335613731
62313533326136613035613766666435356161323337353665346164633532363364643030666366
31663838333861626531616465396663363437373630353261313336353839643961316165393864
38396530346138313930643863623032326437333933383362393764643263616638636338383966
35346230656336386137333335613739636336316662346635623630373366336532633163616431
32313832623365666531366231353636356634313639623462316665646338653264336637663562
66383731373961663735646633353833376561356538333263653463626237393733633161646161
37393066316530313533383832636463393239303834326363636532393138323366666334376234
65373862333733643634613033616230656263333734663364656464383336646364643163356136
61663134323263356636626531393231656132323130373933616139646632353731396136323239
37363033636561666639376634646261356438663739346163323939336139303261333664323231
31333862343036376335376665613537663662623161386632396139353664656238306639346538
63383032386634363936323839666131623533353639356238623666313762343131306231613035
62646134313331363164383939303064396230353263623462383664613239626330396166303830
61306430353230343964663639656364333233376564393666366334376533636365386338613962
32343261313063323231373163616232653862383937323832313936643930616537323765666431
35376434666564636434306366346631393239303763313566613565383336353132623630633131
33333737643363616366326431636237646331333461353630383664306465643862636361333232
33393738326236313237373437393734313337323831386338623463663032636336383234346338
65393262303938643237623335663836363364353566663234646161373564333539306261643039
63343961363136333564323337356364396566623764306164396236316639383963633333366461
66343564323366396164616132353339653832373935386430633430303434363238623966383730
30616134396161353333383738313165643632373361363062623163623062323062366331653436
65303961356163653163393565656230383434326665343165626438363865313566666531363134
36643064393462333034336438623835316339303338366531396339356430336462323063616639
36623164396536633630373764643932366239616462613533653366356663393135393735353163
34306165333633653034653262666137323238636636396236353961353835663964353362376533
62386634623661616663616331333961333661663335353037313639643236386664316530623063
62636437336238353834343439306266366238643966396238333061383462343162636236643531
65353164366262623261393239326133643739346164366635393230336566623066303564633362
65663963623937303835626464303233383531666534643430663163643934393430653965613334
34383339636637396262623365323663316662353536646132646230616661373633346431323265
38636666343530343639356464653333333638666139613536316364353337626465633261646532
36303465323437626463323432666239316131656566333361326233643365613365323161623038
65373738313166653633376530626136616636656233366332626439323937353461356165363263
38613436373837306332356163313431633931386163333238643963356262663638343230326134
32616461653432343763353732393766343931346532396162643461303661313162303137656665
36316464316630353431666136613139353435346135373833386135383735333437386236643736
33353831393530326339366439613933306637393139383261643136353839373461623961373036
37653231336161613963666638316331363531376564613564313037666363643532323036303935
36356430663432636363393934366538373562383466396337353133396531313035323166616338
39383361353965396435333136633462346363623766373833313532363734316361333535373637
37656338333564396666613330316635376439353130386339643330396636616131313735346464
30373064663430623366663038363762666136376261313334633963663466663166353336303764
63626361626238363738663731653266356663306633313533366466376166366335346235396365
32616231316234643937313964643130313836393934663433353766323137373534373138643866
38346134653461343231346663303637663865333762613935643932626266393765363732333637
35373339333333366364303765323262313164396232653736653361373465653535666631323439
36393534373738653533333363646165653832616464623564663963316663386431613333633838
36363761373164383237616534643737353137643163396262633664323263643265303761326434
62643237393264343466643463653964303362626334633434653236623035613166616330346265
62366138376164326266346563623539343539333539366662396131633631313532633134363666
63663163303931666561376337386530363032353533653430363532316434643136346331346636
34623062343132306465336138336335636365313835373362363365373137396162333430636635
66376531343336303530393964656165373063633839633335386536373337643833663863343761
31323161613062636138393236363862663966636263363031306666396236316130333737346339
34343230323636653534366366636564393933343361353634626239393733666438303439356639
38363430646162666464643835306335646333313534663565333666376661306237656233373136
38653238363262623330653436373435303630663461393164393139653534363330613061316637
30333735333366306232626631656131366430396533616431663664663033316434346430343562
39323135653732633063323937646539626261643933383031663461376230613432653363363737
64323461366465616364386632303739383332383539313533326635306165373265316636316664
35636633356531393762303634383430336664346561663766613864626361636165326538663932
38643133666535333731376264393232343133393362396562383136613836306263376438363264
6364666333363839626132303233333063636163363661636162
64313136396662396631396561646634386134313337316166376264346466386533383934393130
6339663736653462613737323932396664643132383036370a343032653931343063326337626336
38383332346637633636663865333031636166643161323335363663653033646234656332333462
3833643037313134320a613332303261356363363138636138323661633233353365623665663632
30616166383161663534666337303632663532343866366261393935373935666536616530373862
66653836393966346463393061646431336666316537613364643939663938303135386463616661
31633330663364353663646338386338323039646530373165386663646235303963623837646533
30316236313736303837353536633161326564643566643533363431303130376338383034623365
34303861356264333463613739373635616363366362333738383838326162313238313966313765
35356637623833663437373765333237323961383133336161363439316632363634623734373962
32326466303536363164666532313264343661336364396562383630653865316132366538313066
65666661343632383434346639353462623735373933303263613938363635353666656139663832
66333638636136393166636332623934613938656336663431323032333339336165366664636334
65363166616462303939383838363363623530313539386635313664333136643035623262663333
35643335346639623363323535633735613965333133323639383339323166366635303536376265
35613939376135393165653466366462656162353632393139376666666334386166366162643438
31313033353661313031303961313032613539396561303734356533373234633233613465306431
31303332643931333037343164643162663738393466346639306632306534613065376138323564
31326462666336633938396230666231356439343630336132313064363636333563373637313666
32303230616235653733323032343238303230396232623364643765613764336137646630363462
64343239343530636333663764643338623630366163636232353734616333306339626136313338
35616632326436663734376263366437356236343339663430323632646136373066373961666135
38313838316266313830626234366262383037646661386537663534633263633239306461346535
32643032316266373931346232356162336437623137623365616132643731666361313637316536
39656332383466346236633461366437386538373734646337393666346562323139663734326436
65623633363266323563666437633666326363626561313133633031623632633333346332623334
31396365333336313939633161613639383963633136616562333236636666306139663430363265
63353261306332346439313534393363626638633531633532363365663265353331336231316238
37323439383930346136383036303833316565306139613235333633373832313130316534666435
30323262623037623939336265303866356532653064303436653131633162616630326362616430
33343538353139326663653735343436623834653264376264363761313835376433653531623266
34386266613733653634363135616335303138303062316664623666643263323939643939303133
32393564323833666132626664646436333733396565623164646363343065343464363465383330
33636562613734303665343366656630303732323739363339306337316266356635323262643031
63393261363764613638666231663837373263353137643265336134646364343130353237336463
62306363373339363235343034393230623035373366656531666663323936323366643938646135
62643135383734663766353230356463373337613936633037396538643365393738363234313166
62303038326236656332663939333364633132386266383665363632386235643731616631313431
37613566616463613662633734316461386261646464636539353439373431323133663435333763
63333230663431323136373564613239386531356463646366313537303861616234626561663133
32643134666337633938633530323034653131663663643732623636633834323064633832396339
35613738366666653765333434616336383635323765626561376232363062373761383665313735
30643165633930656566633339383439353931303836333537343634353434653433333933386338
64393566616166353731313261386239646531316563623363646537653964366631663266353366
65666638393337663633366132663933376135396334303461653232353765626365303464626338
30653334393439373632393662653032633264363238626431326136653561636164646237373033
32646464616137366163313634623864656666346336383037373562633333633432313439323631
34646132643834323261316166303531666238333964396165313936393937366533396436633832
34663538613139623063346666306165306530646363353732353431343831303161343535623539
38663537323132653034393335623232623530343432336531643538356430636262313132356430
33363062333931306633643733313239373934313635336465643139616266613237353166626334
35643138633561393531313835623665303531313437323664616561633764316332393435373065
38633766623633666362633336326466343938623461393736666137313965386133396433303236
34366339326637323934323236346239373565623565313433376433303061353763383732663239
65313636646539623037653761316662303565636262376262333332316136623737613338303036
37623837313636333464626664323163633136343762306462323339646535636237326138613132
33613761646237396265616135346639636566316633646165616332656333383233343836316163
36313736343263343534656533646463343933333031666433393635623461633639356430303434
34663033333933333439386532623664316364343066646232353335643536353733326165623231
66306661343939616235313238353761643034623062326632393161336462333365636536343934
63343866666237636563363561366339623161643362326632333532613562336238653562346231
33623337386233636331326232393465346362336439303336303638643430623864323434633333
63623036623764646234636433383364333763613866626230316533643535356662306136346664
36353734663866306336303439623537336266383131303365383439356462306237363030306432
38623738643434396138373837386334616435383662363032663930363038666536653334613261
36623730666333393564346539653533656434346439346632643730356665313865396463343737
31326633646661666461396365643061333361643638363835343235646231633637616464343265
36646439383737336531303236666136313063653563653433306563643362353536663863653266
38613461363432333666343264333461396461653231646133383861363763353763626334373635
35313431346465336636363531363766633234653066376366636263306238393361343936663066
61653739303230316232626335383865636235363638663463396435623737616661346666613037
32666436333937356530326566626237303065363834313837383837306432383833643632376564
39623937653631656562306565376232333463626563336630633331663764346138323466303433
38303965386635386565653035666631616239306231616530363965306134633034623936396135
32366430333763333039613734343563663065636538616139646239303533336437616162366532
38343137366563333866343537393532353835386230623536663966643730663031636639313232
33636133303432343531626539633862646466653864393737363333366238666536303663343837
39363330383432353465633132346165333564646262383736366664303239366365643533353738
65656163313966306464633237383530316338666665666236656164636433653735353739393363
30633462393933646436356365323864383239633963306366356534333036663438643438303365
37366638383066653965383764323436336230363336303233303433656563656563343630613935
64373965366662323137353631323233643463366338393639663833633635313531616539366333
30656663666561353938393761353266386533383361326439383338363762633538396638386630
31383131316137346234336462333032366337393438343237613231323164306132373136323233
38643133356166303661363761646430363734373130363334376535356565386638366630306362
63626539336134356539366166616331626361356335616665336564636638316137316230643961
65623465336232326533616538653561646263626536333738346531366661336134366362386239
39643665663566376264356332653062313536353635656231656566386333636330353765373664
34616338623161333232653832386436343361636461653338363932633337623537303261396334
30386663613335303438376234333138363432633234646133646466323930656330623161373530
36383261373139663932623933626164313765613930323035326334373231303033616665346337
32353235663465336433666539333032376365373266363436353063366139616232373037383664
31323062383063373932623030356461353039326363336165326138353335326436363165393639
33643830353734616164653833613830333066626161636130323861643866386234383136313336
37333337363462313831633437636633383137303736303264393236333633383933303939383533
38626138396537663463633961303766663636353737336365393638383832303735323266646337
62643665353431326465386162633737613935353261633963616531306233613966643862316166
38316164383433333263363630386462313639336464653061373239633235346633613237646563
62383836393063613365653635663136356538623962623961326434646635633464313932626333
36383666653264366236396638626265356338653630303930383861386534393732633437363663
38623739313131643038396335326437323231636661346164353433303235356432306532353066
63373662313366376363653039316361366266616466663663313732303962336339616235366432
32643832366231396132333236313962313932343230333832616664356333646533323732656466
34393862393434383362303531653638303366323530656661623236336630383064663135373862
61313761643038333035376535633964303564616532646139393964353165353763626235303662
65633465626365393033376437633134333532656262366462323365653466616462316664323837
64346533366238656637366665303339666433623261623635383631303862616438353166353866
66346366316562316230306233323937313364656537393063306537353237353737626164663365
38636331363138326336646434653238636463633138343134373937373835373232356363663366
37386633353439656162613736303932633333313131653364616364343761363335343430396432
39636630343066616633376237643062616666666135363232376632666132396333363334623036
63323531626632383062353162346536663233656132383734643761396264623165663738616564
61316234386135656538363861363531373232303163643364366136616130643737346438353334
63653234376562663937663135363763656236346663363738313836383466656162643131636138
63383430653030383232333830656333373765333639303265643938323833613262643863643835
66326466313730323666643939623539326639663838663737326665326164366262323731623037
33383631616530383238626431333033366134383839613761656264366331663539363131396361
64316333373134636163666634656561306130616337383030653063626161303930653730623130
33653730656332616135663631653336386166363866303932643163353963396466646662626439
39653562613461353633313533356336393334643066626137306164643530343331666430636330
63613763336663613639343036363332626232346530366633646536396338613164666163663235
37333334313436326233653866316438626366633632653336393633333931353961353132376639
66343362646630376537356638396263623262363138323630363834386162656236313365393766
39616135303337303166313663383635636165373333313463623731346561356430326164663164
30333839386564616133393630396538633032616332646639616161643739626437306532356136
34383432626136336261666166633739313663333664663035333533626334623132373037663239
38393638323833643730353432656365396161353161613733653562303731616462623436643832
35376133653665333432303132383966333362313262393931373264616664643438346566333764
34303439633538376439646435646631336361316436306330653838363665366461333366656239
33303038643139643431613764333864306134666166376164623038333330613933333766643830
30653637666533363234626465353734303538623233623532393936303566306434346537343932
39393863373635626530326139376339653764623265636530323330376633363265636439353738
32353634316162656461353666666338633233393039343935613539623766363237656161383364
61356165313637343134363932333136643464353436323333653939613666653164303363656637
32386561326461353665633339373038616464633430303763666234313032653735373832393539
33333334663336346139373064633364353530366166636465343734633465623065666563383539
30316166356239316530633239313765623438306234666235616464313765356165363435303336
39633532393965646539356439396132616637383430653762616562323065343233383034363130
32623331343035306165313637356131633963353035313838363439343133636631626532613366
33323364616262303962

131
host_vars/web23
View File

@ -1,66 +1,67 @@
$ANSIBLE_VAULT;1.1;AES256
61316332393939333164663961386365343936663433326263656334356337666439643666313230
3266663864383234633263626438653466643532323532620a636337353334366365336531313862
39393864613739303933366136633032336563666338656161313838313839616433633831626237
3132363636383034380a313566653662663635386632613164626634376563323739653662323333
61663634336137646232626365623632353663323466363130396238356337653834623336643865
64646664376330636665303034326537363132366532373631646533643963643263386366316634
30623432623333343462316239343962643263336132643634356137336664393335353530383635
36353537333933356232326666316363306639366433383164313566343739663734656337376237
61303534626331643939636432626533376131613439393138613433613936666262346535353436
36366532303164366363663738653162653238386639336230656362373163303634646230633830
33643765616534636237333133383436633330666436326332306663656336353961663363623934
36613135626565363131613062646232333038653662626361663232323061626339303666316337
31383863656162366436356138666131383063323431646466323731373164356332363636356661
39333235353566303130346537636364623265393939346137613638383832333434303966313931
65633962353736633938666530393561616463343039393162393033353731663735363137303661
36303264316137386666343566636332623762353236303364623134346361333231353130333439
66326163323962663736656339336330386531663462653563633964373231323834333832373861
33363039333837633430646336303939393038376663373735336232376534376237636630653932
35373565313337663532633330663462343435666663386365366231643230333138306333383831
35383536633565616265303434653736396439396437386439666631306134313935343863663765
63323230396333616163356330613962313666343531656364373738376266653236623332393930
63363162373765633535653661393261363238623931346435346236616235656365626431353466
39353835393761333132396533613632616237313761653734396665393337346431666462623636
65333337363637653436306638636366636563393434323631623865633036306235316263643863
34376234363635343133333038623931653833353064633937663462646332616630393066316230
32353765306631653163643536646464643435343935356235633835633333623930653030366335
34346430343466633834376163663661643337326232626137323365666363653334333231653034
63346136376538353063626564343063306634613435323133393433343665356266636366666134
36383661343364633134663465336266633332613138393563383336626137363063663132663230
32633763363838393936653064323136643861386431316139623862333163343730643061633534
66653030303333366366366233646265323836313830383334653335363461386435326633663536
34666335343438626638376563346364373362326130633066653062343737303538636339663932
38326137363466396566386236373531353130653963313166383866323363373063653934356333
32303533613134376164336634343531363638613563643136343135636538623437333630616431
31373837383066366365386235316431626232356366313932373833356465656232663638393131
61663761313531353064313739323863323836333563636566356234363339656336313638646663
63356665393734633735323966323466393335363031643237353132376536643039626130353461
33303236306663363034386234633632393439653433386261646139396364663964333230303534
32356663326661653133336338393332626435366333346230326335643765656561316533643835
65326634633438363562313366646637663031363066316534336361623061613431633064353039
39643834366236633535346138356662323039303134363030623630626165313263613561616362
64623461393437633238656133343432316437666238643530646338353436343936386139376438
37626237646230656433326433353333386661373433353835343866656632616235393964306333
36663439383836383265616634643763643963663461666165636536643062356664373565303431
37646563376339636434376262323539633139373364613561626462393432326463646530386638
36633730323136643364613432383935656533363064633035626333633538623534376463316138
62633763633135373561363332363665303432646365326365636664346230393731643662616231
63333033393133653932633133323937646131373038663266643631623831303036623566653863
39306561393835636437346566366639396464303937643733363334383064323665636333623439
66303934663966313935383261363037636233636262666333343131326165633134393635633563
37656163393133646165353838663534343731323065393932396338616663633361626566666630
32656437616632323736303230613862613433666538653439303034646238333032303731336432
31363132373034333262636464346237353264323632393836663837313665303365376331373161
36653337633366613764383566383762626638613365373065633133366361653632653135623530
30333961633963366161313164313539613466353331363630313562316535313331306531383334
37313636666364376235633035326333633436333238643164393830643361646666633036623565
36393432356661656333363436613365346161646332386634386531363337663035633561353430
37323531303033623938373036313738373434623032643434383565343163393438333763646131
65373138643563666162343865636237353931623466613466623135666266613561343738613162
65636338336164613862393031303039663131316662373138663437666230353365323931656233
62303164353366313234613965393838316533396237363032303031336430346138353138393061
35396236306330646135333662663066303466616535313638636161383138663933653531376333
36366563363130363463393235363631663064356163353963383331326239666265343362306232
34616134633766663932346339396537633561343264326537653062323561383266316539646530
6636
64326662336532386161646564656439396461666266656463393335663130323930326139386562
3639653630336132663666646161363938386334323064320a663564613066313533353433333434
30346561616465646163646534356339666639333862623637613435376361323032636439633930
3731313063363337380a373961353530383764623830363935626231333734303364313565626633
37343037633862633632613165323136373662396438613663636433346566653064653632313338
36396333393334336434326630646164333531306432386133353664336535343363343939393464
34626335626436353239366138323863656336636536383733363931633933636331643263653566
30613931616462373336393337363430353962613665353936383533326364353365623333316664
62383439396131303831326562323264336638623461643361663763356236373464346464316237
65393232343733643338653734326562626166366562303037613862396564636662363066356664
32656363616637303039373732396533643432343961666365313963383131643464333765643737
32386165666131626365313938633530346361383734323334613464353862393931323836626563
62656531346532646530306463653364326362613162323536643836643839663933343132613435
63303234646335306632316166626266313635303566396363333464363631353834373761353837
65643461623135363139646564336430353461336433633765303138313730613630346465326666
61393133636262653836333664623333656164663361353130623863653863323131326136373238
33376333316433653337373834666136363130373261333330643439313734343036636364306532
63343662383539633235356162656366323965383331343139616361653466633865626337326562
63643761613536613334333065643533323066393764633931633066353064393966646161376361
37623939386636346161346164303832303534323038626335336665653634386132343031303861
61323765306366333936303765636436633465356539316631343562363535663932333666363035
30386233623265636464393662386464333430396337626230306438396563303437363938303061
32653939383136376365343934613339383563303935623664633639326137353437363261393637
66613331643530623862636665396536613730306537373666623135663837393466343261646461
62376162613861643633656334303132353034333834626664666237393534386439313638393933
35643663613432323432646466386434363335353234643264643463613334356462313766643030
30336364396235663230356235303264323339643761333036333537633862343862386130626533
36626536396663393031303533313238616133323239356634303830353439363133353839663266
36306539636563633734623162356230383232306138393831393336626336383966643335376564
36303730313936633361643736613736303163363536313038316432323039643362636538333037
65613663333032623035656665393565366363396134363832363163656532363537373435623233
36373961333237373264326634353363356537356538343663613034396132396366626330303365
62353461616434343938386237373365633861333733613631633234623034366364363761613636
34393532316466323264363363653335366639613731326131393335313039646538626665356333
62663435633539643237326631636563363833633130363535653336333538366137306235663730
36633934636536633865376262356239303966646638626638386536366662386432343466366161
36646436636538643366623864326630396565373462393132343834626638313437316137353564
34646138616438323065336266366434316135613938643131353034646230396632386433366365
38616436346232363563336439613939313464323861616530633962316634363462373530613665
63653636646565303664326631363535373037663734663965346430363831613431613365393832
62373030336262643430313635626261613232656236333130396537633238623265363932333966
34326135363762396564613064323135313663613565646461376162306532643433333336666532
65383661303137613335653336663666653463623565386137326662653839633536326135633764
33623437333931393737363061356235336232376437643131373531356566323336306138353561
66333863313461613930383231663162616261616639323238646439656166666261626533636161
38333362393033316266633364313739366262636530363937386137616234326638303137613433
65313962653566333364383732386165396136303666383439303064326463346563663434646364
62396130646632653039383661613638303162363538376236666338623865366639663138363636
36373766386234383465316635323931356233366262386135363238366538623135623361386436
64653533646233653463656334633566373433303365353965663732636566663332343337626337
34623861373562386264346430333133343631653631376366373735626664363965666561306262
35666235653235346233636361383566616533646662333662323139313865383264633734643263
63656431393834633935613430643839613433326431666665323136376562333737383862313261
65656431336439303563373833343965323965346439636131633366633431393032613963666539
38326539343132326334316233323362633835356265333031663066643535363639623031336362
64346230383638363763323462386261666266623134393139303264343234623132323437396630
66363738376133393731616535653230303262313937373333353932303038626166346366303163
66613831353731373165636532363165356561383137626437333563616561386666623234313438
37333435306530323235393164383138346131653235633536383636316161316238313064636261
33353963333430383236303038333939316637326130396430623964633338353863613534653663
30333839393230626261663966616230303330636335323565663938343562666663303536636332
34336665323764663163653161373166313631393534326532613538313637313136356336313433
34353036653738343433613763383137336562373332333062326134626638633938336364376131
61303435333163663636653135363162303663663266393438656430306532343438386436343735
31343231653263373532386263653263386435363633396638396164323539306233303562303862
3339306136613431636138333266633739323666633431363039

2
roles/caddy/defaults/main.yml
View File

@ -2,7 +2,7 @@
# file: roles/caddy/defaults/main.yml
# parent directory of vhost document roots
caddy_root_prefix: /var/www
caddy_root_prefix: "{{ web_root_prefix }}"
# Email address to use for the ACME account managing the site's certificates.
# Not sure what Caddy does if this doesn't exist.

13
roles/caddy/tasks/main.yml
View File

@ -18,7 +18,7 @@
dest: /etc/apt/keyrings/caddy-stable-archive-keyring.key
owner: root
group: root
mode: 0644
mode: "0644"
register: download_caddy_signing_key
when: not caddy_signing_key_stat.stat.exists
tags:
@ -27,7 +27,7 @@
- name: Add Caddy stable repo
ansible.builtin.apt_repository:
repo: 'deb [signed-by=/etc/apt/keyrings/caddy-stable-archive-keyring.key] https://dl.cloudsmith.io/public/caddy/stable/deb/debian any-version main'
repo: deb [signed-by=/etc/apt/keyrings/caddy-stable-archive-keyring.key] https://dl.cloudsmith.io/public/caddy/stable/deb/debian any-version main
filename: caddy-stable
state: present
register: add_caddy_apt_repository
@ -38,9 +38,7 @@
- name: Update apt cache
ansible.builtin.apt: # noqa no-handler
update_cache: true
when:
(download_caddy_signing_key.status_code is defined and download_caddy_signing_key.status_code == 200) or
add_caddy_apt_repository is changed
when: (download_caddy_signing_key.status_code is defined and download_caddy_signing_key.status_code == 200) or add_caddy_apt_repository is changed
tags:
- packages
- caddy
@ -59,7 +57,7 @@
ansible.builtin.template:
src: etc/caddy/Caddyfile.j2
dest: /etc/caddy/Caddyfile
mode: 0755
mode: "0755"
owner: root
group: root
notify:
@ -70,9 +68,10 @@
ansible.builtin.file:
path: /etc/caddy/conf.d
state: directory
mode: 0755
mode: "0755"
owner: root
group: root
tags: caddy
# TODO: the variable is still named nginx_vhosts
- name: Configure Caddy virtual hosts

3
roles/caddy/tasks/vhosts.yml
View File

@ -1,10 +1,9 @@
---
- name: Configure vhosts
ansible.builtin.template:
src: etc/caddy/conf.d/vhost.j2
dest: /etc/caddy/conf.d/{{ item.domain_name }}
mode: 0644
mode: "0644"
owner: root
group: root
loop: "{{ nginx_vhosts }}"

23
roles/caddy/templates/etc/caddy/conf.d/vhost.j2
View File

@ -8,6 +8,12 @@
{% set needs_php = item.needs_php | default(false) %}
{% set has_gitea = item.has_gitea | default(false) %}
{% set static_site = item.static_site | default(false) %}
{# Allow sites to override the document root #}
{% if item.document_root is defined %}
{% set document_root = item.document_root %}
{% else %}
{% set document_root = (caddy_root_prefix, domain_name) | ansible.builtin.path_join %}
{% endif %}
{% if domain_aliases %}
{# domain_aliases is a string, so we split on space #}
@ -21,15 +27,20 @@
{{ domain_name }} {
{% if has_gitea %}
reverse_proxy :3000
{% endif %}
{% elif static_site -%}
root * {{ document_root }}
{% if static_site -%}
root * {{ item.document_root }}
encode zstd gzip
encode
file_server
{% endif %}
{% elif has_wordpress -%}
root * {{ document_root }}
encode
{% if ansible_distribution == 'Debian' and ansible_distribution_major_version is version('12', '==') -%}
php_fastcgi unix//run/php/php8.2-fpm-{{ domain_name }}.sock
{% endif -%}
file_server
{% endif -%}
import security-headers
}

4
roles/common/defaults/main.yml
View File

@ -10,4 +10,8 @@ fail2ban_findtime: 3600
fail2ban_bantime: 1209600
fail2ban_ignoreip: 127.0.0.1/8 172.26.0.0/16 192.168.5.0/24
# Disable SSH passwords. Must use SSH keys. This is OK because we add the keys
# before re-configuring the SSH daemon to disable passwords.
ssh_password_authentication: disabled
# vim: set ts=2 sw=2:

10004
roles/common/files/abuseipdb-ipv4.nft
View File

File diff suppressed because it is too large Load Diff

5
roles/common/files/abuseipdb-ipv6.nft
View File

@ -1,5 +0,0 @@
#!/usr/sbin/nft -f
define ABUSEIPDB_IPV6 = {
fd21:3523:74e0:7301::
}

89
roles/common/files/aggregate-cidr-addresses.pl
View File

@ -1,89 +0,0 @@
#!/usr/bin/perl
#
# aggregate-cidr-addresses - combine a list of CIDR address blocks
# Copyright (C) 2001,2007 Mark Suter <suter@zwitterion.org>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see L<http://www.gnu.org/licenses/>.
#
# [MJS 22 Oct 2001] Aggregate CIDR addresses
# [MJS 9 Oct 2007] Overlap idea from Anthony Ledesma at theplanet dot com.
# [MJS 16 Feb 2012] Prompted to clarify license by Alexander Talos-Zens - at at univie dot ac dot at
# [MJS 21 Feb 2012] IPv6 fixes by Alexander Talos-Zens
# [MJS 21 Feb 2012] Split ranges into prefixes (fixes a 10+ year old bug)
use strict;
use warnings;
use English qw( -no_match_vars );
use Net::IP;
## Read in all the IP addresses
my @addrs = map { Net::IP->new($_) or die "$PROGRAM_NAME: Not an IP: \"$_\"."; }
map { / \A \s* (.+?) \s* \Z /msix and $1; } <>;
## Split any ranges into prefixes
@addrs = map {
defined $_->prefixlen ? $_ : map { Net::IP->new($_) }
$_->find_prefixes
} @addrs;
## Sort the IP addresses
@addrs = sort { $a->version <=> $b->version or $a->bincomp( 'lt', $b ) ? -1 : $a->bincomp( 'gt', $b ) ? 1 : 0 } @addrs;
## Handle overlaps
my $count = 0;
my $current = $addrs[0];
foreach my $next ( @addrs[ 1 .. $#addrs ] ) {
my $r = $current->overlaps($next);
if ( $current->version != $next->version or $r == $IP_NO_OVERLAP ) {
$current = $next;
$count++;
}
elsif ( $r == $IP_A_IN_B_OVERLAP ) {
$current = $next;
splice @addrs, $count, 1;
}
elsif ( $r == $IP_B_IN_A_OVERLAP or $r == $IP_IDENTICAL ) {
splice @addrs, $count + 1, 1;
}
else {
die "$PROGRAM_NAME: internal error - overlaps() returned an unexpected value!\n";
}
}
## Keep aggregating until we don't change anything
my $change = 1;
while ($change) {
$change = 0;
my @new_addrs = ();
$current = $addrs[0];
foreach my $next ( @addrs[ 1 .. $#addrs ] ) {
if ( my $total = $current->aggregate($next) ) {
$current = $total;
$change = 1;
}
else {
push @new_addrs, $current;
$current = $next;
}
}
push @new_addrs, $current;
@addrs = @new_addrs;
}
## Print out the IP addresses
foreach (@addrs) {
print $_->prefix(), "\n";
}
# $Id: aggregate-cidr-addresses,v 1.9 2012/02/21 10:14:22 suter Exp suter $

2
roles/common/files/etc/cron-apt/3-download
View File

@ -1,2 +0,0 @@
autoclean -y
upgrade -y -o APT::Get::Show-Upgraded=true

5
roles/common/files/etc/cron-apt/config
View File

@ -1,5 +0,0 @@
# Configuration for cron-apt. For further information about the possible
# configuration settings see the README file.
MAILON="never"
OPTIONS="-o quiet=1 -o Dir::Etc::SourceList=/etc/apt/security.sources.list -o Dir::Etc::SourceParts=\"/dev/null\""

2
roles/common/files/spamhaus-ipv4.nft → roles/common/files/firehol_level1-ipv4.nft
View File

@ -1,5 +1,5 @@
#!/usr/sbin/nft -f
define SPAMHAUS_IPV4 = {
define FIREHOL_LEVEL1_IPV4 = {
192.168.254.254/32
}

5
roles/common/files/spamhaus-ipv6.nft
View File

@ -1,5 +0,0 @@
#!/usr/sbin/nft -f
define SPAMHAUS_IPV6 = {
fd21:3523:74e0:7301::/64
}

27
roles/common/files/update-abusech-nftables.service
View File

@ -1,27 +0,0 @@
[Unit]
Description=Update Abuse.ch SSL Blacklist IPs
# This service will fail if nftables is not running so we use Requires to make
# sure that nftables is started.
Requires=nftables.service
# Make sure the network is up and nftables is started
After=network-online.target nftables.service
Wants=network-online.target update-abusech-nftables.timer
[Service]
# https://www.ctrl.blog/entry/systemd-service-hardening.html
# Doesn't need access to /home or /root
ProtectHome=true
# Possibly only works on Ubuntu 18.04+
ProtectKernelTunables=true
ProtectSystem=full
# Newer systemd can use ReadWritePaths to list files, but this works everywhere
ReadWriteDirectories=/etc/nftables
PrivateTmp=true
WorkingDirectory=/var/tmp
SyslogIdentifier=update-abusech-nftables
ExecStart=/usr/bin/flock -x update-abusech-nftables.lck \
/usr/local/bin/update-abusech-nftables.sh
[Install]
WantedBy=multi-user.target

63
roles/common/files/update-abusech-nftables.sh
View File

@ -1,63 +0,0 @@
#!/usr/bin/env bash
#
# update-abuseipdb-nftables.sh v0.0.1
#
# Download IP addresses seen using a blacklisted SSL certificate and load them
# into nftables sets. As of 2021-07-28 these appear to only be IPv4.
#
# See: https://sslbl.abuse.ch/blacklist
#
# Copyright (C) 2021 Alan Orth
#
# SPDX-License-Identifier: GPL-3.0-only
# Exit on first error
set -o errexit
abusech_ipv4_set_path=/etc/nftables/abusech-ipv4.nft
abusech_list_temp=$(mktemp)
echo "Downloading Abuse.sh SSL Blacklist IPs"
abusech_response=$(curl -s -G -w "%{http_code}\n" https://sslbl.abuse.ch/blacklist/sslipblacklist.txt --output "$abusech_list_temp")
if [[ $abusech_response -ne 200 ]]; then
echo "Abuse.ch responded: HTTP $abusech_response"
exit 1
fi
if [[ -f "$abusech_list_temp" ]]; then
echo "Processing IPv4 list"
abusech_ipv4_list_temp=$(mktemp)
abusech_ipv4_set_temp=$(mktemp)
# Remove comments, DOS carriage returns, and IPv6 addresses (even though
# Abuse.ch seems to only have IPv4 addresses, let's not break our shit on
# that assumption some time down the line).
sed -e '/#/d' -e 's/
//' -e '/:/d' "$abusech_list_temp" > "$abusech_ipv4_list_temp"
echo "Building abusech-ipv4 set"
cat << NFT_HEAD > "$abusech_ipv4_set_temp"
#!/usr/sbin/nft -f
define ABUSECH_IPV4 = {
NFT_HEAD
while read -r network; do
# nftables doesn't mind if the last element in the set has a trailing
# comma so we don't need to do anything special here.
echo "$network," >> "$abusech_ipv4_set_temp"
done < $abusech_ipv4_list_temp
echo "}" >> "$abusech_ipv4_set_temp"
install -m 0600 "$abusech_ipv4_set_temp" "$abusech_ipv4_set_path"
rm -f "$abusech_list_temp" "$abusech_ipv4_list_temp" "$abusech_ipv4_set_temp"
fi
echo "Reloading nftables"
# The abusech nftables sets are included by nftables.conf

12
roles/common/files/update-abusech-nftables.timer
View File

@ -1,12 +0,0 @@
[Unit]
Description=Update Abuse.ch SSL Blacklist IPs
[Timer]
# Once a day at midnight
OnCalendar=*-*-* 00:00:00
# Add a random delay of 03600 seconds
RandomizedDelaySec=3600
Persistent=true
[Install]
WantedBy=timers.target

10
roles/common/files/update-spamhaus-nftables.service → roles/common/files/update-firehol-nftables.service
View File

@ -1,11 +1,11 @@
[Unit]
Description=Update Spamhaus lists
Description=Update FireHOL lists
# This service will fail if nftables is not running so we use Requires to make
# sure that nftables is started.
Requires=nftables.service
# Make sure the network is up and nftables is started
After=network-online.target nftables.service
Wants=network-online.target update-spamhaus-nftables.timer
Wants=network-online.target update-firehol-nftables.timer
[Service]
# https://www.ctrl.blog/entry/systemd-service-hardening.html
@ -19,9 +19,9 @@ ReadWriteDirectories=/etc/nftables
PrivateTmp=true
WorkingDirectory=/var/tmp
SyslogIdentifier=update-spamhaus-nftables
ExecStart=/usr/bin/flock -x update-spamhaus-nftables.lck \
/usr/local/bin/update-spamhaus-nftables.sh
SyslogIdentifier=update-firehol-nftables
ExecStart=/usr/bin/flock -x update-firehol-nftables.lck \
/usr/local/bin/update-firehol-nftables.sh
[Install]
WantedBy=multi-user.target

2
roles/common/files/update-spamhaus-nftables.timer → roles/common/files/update-firehol-nftables.timer
View File

@ -1,5 +1,5 @@
[Unit]
Description=Update Spamhaus lists
Description=Update FireHOL lists
[Timer]
# Once a day at midnight

91
roles/common/files/update-spamhaus-nftables.sh
View File

@ -1,91 +0,0 @@
#!/usr/bin/env bash
#
# update-spamhaus-nftables.sh v0.0.1
#
# Download Spamhaus DROP lists and load them into nftables sets.
#
# See: https://www.spamhaus.org/drop/
#
# Copyright (C) 2021 Alan Orth
#
# SPDX-License-Identifier: GPL-3.0-only
# Exit on first error
set -o errexit
spamhaus_ipv4_set_path=/etc/nftables/spamhaus-ipv4.nft
spamhaus_ipv6_set_path=/etc/nftables/spamhaus-ipv6.nft
function download() {
echo "Downloading $1"
wget -q -O - "https://www.spamhaus.org/drop/$1" > "$1"
}
download drop.txt
download edrop.txt
download dropv6.txt
if [[ -f "drop.txt" && -f "edrop.txt" ]]; then
echo "Processing IPv4 DROP lists"
spamhaus_ipv4_list_temp=$(mktemp)
spamhaus_ipv4_set_temp=$(mktemp)
# Extract all networks from drop.txt and edrop.txt, skipping blank lines and
# comments. Use aggregate-cidr-addresses.pl to merge overlapping IPv4 CIDR
# ranges to work around a firewalld bug.
#
# See: https://bugzilla.redhat.com/show_bug.cgi?id=1836571
cat drop.txt edrop.txt | sed -e '/^$/d' -e '/^;.*/d' -e 's/[[:space:]];[[:space:]].*//' | aggregate-cidr-addresses.pl > "$spamhaus_ipv4_list_temp"
echo "Building spamhaus-ipv4 set"
cat << NFT_HEAD > "$spamhaus_ipv4_set_temp"
#!/usr/sbin/nft -f
define SPAMHAUS_IPV4 = {
NFT_HEAD
while read -r network; do
# nftables doesn't mind if the last element in the set has a trailing
# comma so we don't need to do anything special here.
echo "$network," >> "$spamhaus_ipv4_set_temp"
done < $spamhaus_ipv4_list_temp
echo "}" >> "$spamhaus_ipv4_set_temp"
install -m 0600 "$spamhaus_ipv4_set_temp" "$spamhaus_ipv4_set_path"
rm -f "$spamhaus_ipv4_list_temp" "$spamhaus_ipv4_set_temp"
fi
if [[ -f "dropv6.txt" ]]; then
echo "Processing IPv6 DROP lists"
spamhaus_ipv6_list_temp=$(mktemp)
spamhaus_ipv6_set_temp=$(mktemp)
sed -e '/^$/d' -e '/^;.*/d' -e 's/[[:space:]];[[:space:]].*//' dropv6.txt > "$spamhaus_ipv6_list_temp"
echo "Building spamhaus-ipv6 set"
cat << NFT_HEAD > "$spamhaus_ipv6_set_temp"
#!/usr/sbin/nft -f
define SPAMHAUS_IPV6 = {
NFT_HEAD
while read -r network; do
echo "$network," >> "$spamhaus_ipv6_set_temp"
done < $spamhaus_ipv6_list_temp
echo "}" >> "$spamhaus_ipv6_set_temp"
install -m 0600 "$spamhaus_ipv6_set_temp" "$spamhaus_ipv6_set_path"
rm -f "$spamhaus_ipv6_list_temp" "$spamhaus_ipv6_set_temp"
fi
echo "Reloading nftables"
# The spamhaus nftables sets are included by nftables.conf
/usr/sbin/nft -f /etc/nftables.conf
rm -v drop.txt edrop.txt dropv6.txt

15
roles/common/handlers/main.yml
View File

@ -2,19 +2,26 @@
# ansible.builtin.file: roles/common/handlers/main.yml
- name: reload sshd
ansible.builtin.systemd: name={{ sshd_service_name }} state=reloaded
ansible.builtin.systemd:
name: "{{ sshd_service_name }}"
state: reloaded
- name: reload sysctl
command: sysctl -p /etc/sysctl.conf
- name: reload systemd
ansible.builtin.systemd: daemon_reload=true
ansible.builtin.systemd:
daemon_reload: true
- name: restart nftables
ansible.builtin.systemd: name=nftables state=restarted
ansible.builtin.systemd:
name: nftables
state: restarted
# 2021-09-28: note to self to keep fail2ban at the end, as handlers are executed
# in the order they are defined, not in the order they are listed in the task's
# notify statement and we must restart fail2ban after updating the firewall.
- name: restart fail2ban
ansible.builtin.systemd: name=fail2ban state=restarted
ansible.builtin.systemd:
name: fail2ban
state: restarted

19
roles/common/tasks/cron-apt.yml
View File

@ -1,12 +1,17 @@
---
- name: Remove cron-apt
ansible.builtin.apt:
name: cron-apt
state: absent
cache_valid_time: 3600
- name: Configure cron-apt (config)
ansible.builtin.copy: src={{ item.src }} dest={{ item.dest }} mode={{ item.mode }} owner={{ item.owner }} group={{ item.group }}
- name: Remove cron-apt configs
ansible.builtin.file:
path: "{{ item }}"
state: absent
loop:
- { src: 'etc/cron-apt/config', dest: '/etc/cron-apt/config', mode: '0644', owner: 'root', group: 'root' }
- { src: 'etc/cron-apt/3-download', dest: '/etc/cron-apt/action.d/3-download', mode: '0644', owner: 'root', group: 'root' }
- name: Configure cron-apt (security)
ansible.builtin.template: src=security.sources.list.j2 dest=/etc/apt/security.sources.list mode=0644 owner=root group=root
- /etc/cron-apt/config
- /etc/cron-apt/action.d/3-download
- /etc/apt/security.sources.list
# vim: set ts=2 sw=2:

19
roles/common/tasks/fail2ban.yml
View File

@ -1,21 +1,32 @@
---
- name: Install fail2ban
when:
- ansible_distribution_major_version is version('11', '>=')
ansible.builtin.package:
name:
- fail2ban
- python3-systemd
state: present
cache_valid_time: 3600
- name: Configure fail2ban sshd filter
ansible.builtin.template:
src: etc/fail2ban/jail.d/sshd.local.j2
dest: /etc/fail2ban/jail.d/sshd.local
owner: root
mode: 0644
mode: "0644"
notify: restart fail2ban
- name: Configure fail2ban nginx filter
when:
- webserver is defined and webserver == 'nginx'
- extra_fail2ban_filters is defined
- "'nginx' in extra_fail2ban_filters"
ansible.builtin.template:
src: etc/fail2ban/jail.d/nginx.local.j2
dest: /etc/fail2ban/jail.d/nginx.local
owner: root
mode: 0644
mode: "0644"
notify: restart fail2ban
- name: Create fail2ban service override directory
@ -23,7 +34,7 @@
path: /etc/systemd/system/fail2ban.service.d
state: directory
owner: root
mode: 0755
mode: "0755"
# See Arch Linux's example: https://wiki.archlinux.org/index.php/Fail2ban
- name: Configure fail2ban service override
@ -31,7 +42,7 @@
src: etc/systemd/system/fail2ban.service.d/override.conf.j2
dest: /etc/systemd/system/fail2ban.service.d/override.conf
owner: root
mode: 0644
mode: "0644"
notify:
- reload systemd
- restart fail2ban

20
roles/common/tasks/firewall.yml Normal file
View File

@ -0,0 +1,20 @@
---
- name: Configure firewall (Debian)
when: ansible_distribution == 'Debian'
ansible.builtin.include_tasks:
file: firewall_Debian.yml
apply:
tags:
- firewall
tags: firewall
- name: Configure firewall (Ubuntu)
when: ansible_distribution == 'Ubuntu'
ansible.builtin.include_tasks:
file: firewall_Ubuntu.yml
apply:
tags:
- firewall
tags: firewall

128
roles/common/tasks/firewall_Debian.yml
View File

@ -1,116 +1,28 @@
---
# Debian 11+ will use nftables directly, with no firewalld.
- block:
- name: Install Debian firewall packages
when: ansible_distribution_major_version is version('11', '>=')
ansible.builtin.package:
name:
- fail2ban
- libnet-ip-perl # for aggregate-cidr-addresses.pl
- nftables
- python3-systemd
- curl # for nftables update scripts
state: present
cache_valid_time: 3600
- name: Install Debian firewall packages
when: ansible_distribution_major_version is version('11', '>=')
ansible.builtin.package:
name:
- libnet-ip-perl # for aggregate-cidr-addresses.pl
- nftables
- curl # for nftables update scripts
state: present
cache_valid_time: 3600
- name: Remove iptables on newer Debian
when: ansible_distribution_major_version is version('11', '>=')
ansible.builtin.apt:
pkg: iptables
state: absent
- name: Remove iptables on newer Debian
when: ansible_distribution_major_version is version('11', '>=')
ansible.builtin.apt:
pkg: iptables
state: absent
- name: Copy nftables.conf
when: ansible_distribution_major_version is version('11', '>=')
ansible.builtin.template:
src: nftables.conf.j2
dest: /etc/nftables.conf
owner: root
mode: 0644
notify:
- restart nftables
- restart fail2ban
- name: Configure nftables
ansible.builtin.include_tasks: nftables.yml
when: ansible_distribution_version is version('11', '>=')
- name: Create /etc/nftables extra config directory
when: ansible_distribution_major_version is version('11', '>=')
ansible.builtin.file:
path: /etc/nftables
state: directory
owner: root
mode: 0755
- name: Copy extra nftables configuration files
when: ansible_distribution_major_version is version('11', '>=')
ansible.builtin.copy:
src: "{{ item.src }}"
dest: "/etc/nftables/{{ item.src }}"
owner: root
group: root
mode: 0644
force: "{{ item.force }}"
loop:
- { src: "spamhaus-ipv4.nft", force: "no" }
- { src: "spamhaus-ipv6.nft", force: "no" }
- { src: "abusech-ipv4.nft", force: "no" }
- { src: "abuseipdb-ipv4.nft", force: "yes" }
- { src: "abuseipdb-ipv6.nft", force: "yes" }
notify:
- restart nftables
- restart fail2ban
- name: Copy nftables update scripts
when: ansible_distribution_version is version('11', '>=')
ansible.builtin.copy:
src: "{{ item }}"
dest: "/usr/local/bin/{{ item }}"
mode: 0755
owner: root
group: root
loop:
- update-spamhaus-nftables.sh
- aggregate-cidr-addresses.pl
- update-abusech-nftables.sh
- name: Copy nftables systemd units
when: ansible_distribution_version is version('11', '>=')
ansible.builtin.copy:
src: "{{ item }}"
dest: "/etc/systemd/system/{{ item }}"
mode: 0644
owner: root
group: root
loop:
- update-spamhaus-nftables.service
- update-spamhaus-nftables.timer
- update-abusech-nftables.service
- update-abusech-nftables.timer
register: nftables_systemd_units
# need to reload to pick up service/timer/environment changes
- name: Reload systemd daemon
ansible.builtin.systemd:
daemon_reload: true
when: nftables_systemd_units is changed
- name: Start and enable nftables update timers
when: ansible_distribution_version is version('11', '>=')
ansible.builtin.systemd:
name: "{{ item }}"
state: started
enabled: true
loop:
- update-spamhaus-nftables.timer
- update-abusech-nftables.timer
- name: Start and enable nftables
when: ansible_distribution_major_version is version('11', '>=')
ansible.builtin.systemd:
name: nftables
state: started
enabled: true
- ansible.builtin.include_tasks: fail2ban.yml
when: ansible_distribution_major_version is version('9', '>=')
tags: firewall
- ansible.builtin.include_tasks: fail2ban.yml
when:
- ansible_distribution_major_version is version('9', '>=')
# vim: set sw=2 ts=2:

125
roles/common/tasks/firewall_Ubuntu.yml
View File

@ -1,114 +1,27 @@
---
# Ubuntu 20.04 will use nftables directly, with no firewalld.
- block:
- name: Install Ubuntu firewall packages
ansible.builtin.package:
name:
- fail2ban
- libnet-ip-perl # for aggregate-cidr-addresses.pl
- nftables
- python3-systemd
- curl # for nftables update scripts
state: present
cache_valid_time: 3600
- name: Install Ubuntu firewall packages
when: ansible_distribution_version is version('20.04', '>=')
ansible.builtin.package:
name:
- libnet-ip-perl # for aggregate-cidr-addresses.pl
- nftables
- curl # for nftables update scripts
state: present
cache_valid_time: 3600
- name: Remove ufw
ansible.builtin.package:
name: ufw
state: absent
- name: Remove ufw
ansible.builtin.package:
name: ufw
state: absent
- name: Copy nftables.conf
when: ansible_distribution_version is version('20.04', '>=')
ansible.builtin.template:
src: nftables.conf.j2
dest: /etc/nftables.conf
owner: root
mode: 0644
notify:
- restart nftables
- restart fail2ban
- name: Configure nftables
ansible.builtin.include_tasks: nftables.yml
when: ansible_distribution_version is version('20.04', '>=')
- name: Create /etc/nftables extra config directory
when: ansible_distribution_version is version('20.04', '>=')
ansible.builtin.file:
path: /etc/nftables
state: directory
owner: root
mode: 0755
- name: Copy extra nftables configuration files
when: ansible_distribution_version is version('20.04', '>=')
ansible.builtin.copy:
src: "{{ item.src }}"
dest: "/etc/nftables/{{ item.src }}"
owner: root
group: root
mode: 0644
force: "{{ item.force }}"
loop:
- { src: "spamhaus-ipv4.nft", force: "no" }
- { src: "spamhaus-ipv6.nft", force: "no" }
- { src: "abusech-ipv4.nft", force: "no" }
- { src: "abuseipdb-ipv4.nft", force: "yes" }
- { src: "abuseipdb-ipv6.nft", force: "yes" }
notify:
- restart nftables
- restart fail2ban
- name: Copy nftables update scripts
when: ansible_distribution_version is version('20.04', '>=')
ansible.builtin.copy:
src: "{{ item }}"
dest: "/usr/local/bin/{{ item }}"
mode: 0755
owner: root
group: root
loop:
- update-spamhaus-nftables.sh
- aggregate-cidr-addresses.pl
- update-abusech-nftables.sh
- name: Copy nftables systemd units
when: ansible_distribution_version is version('20.04', '>=')
ansible.builtin.copy:
src: "{{ item }}"
dest: "/etc/systemd/system/{{ item }}"
mode: 0644
owner: root
group: root
loop:
- update-spamhaus-nftables.service
- update-spamhaus-nftables.timer
- update-abusech-nftables.service
- update-abusech-nftables.timer
register: nftables_systemd_units
# need to reload to pick up service/timer/environment changes
- name: Reload systemd daemon
ansible.builtin.systemd:
daemon_reload: true
when: nftables_systemd_units is changed
- name: Start and enable nftables update timers
when: ansible_distribution_version is version('20.04', '>=')
ansible.builtin.systemd:
name: "{{ item }}"
state: started
enabled: true
loop:
- update-spamhaus-nftables.timer
- update-abusech-nftables.timer
- name: Start and enable nftables
when: ansible_distribution_version is version('20.04', '>=')
ansible.builtin.systemd:
name: nftables
state: started
enabled: true
- ansible.builtin.include_tasks: fail2ban.yml
when: ansible_distribution_version is version('16.04', '>=')
tags: firewall
- ansible.builtin.include_tasks: fail2ban.yml
when:
- ansible_distribution_version is version('16.04', '>=')
# vim: set sw=2 ts=2:

10
roles/common/tasks/main.yml
View File

@ -1,6 +1,6 @@
---
- name: Import OS-specific variables
ansible.builtin.include_vars: "vars/{{ ansible_distribution }}.yml"
ansible.builtin.include_vars: vars/{{ ansible_distribution }}.yml
tags: always
- name: Configure network time
@ -18,13 +18,7 @@
tags: packages
- name: Configure firewall
ansible.builtin.include_tasks: firewall_Debian.yml
when: ansible_distribution == 'Debian'
tags: firewall
- name: Configure firewall
ansible.builtin.include_tasks: firewall_Ubuntu.yml
when: ansible_distribution == 'Ubuntu'
ansible.builtin.import_tasks: firewall.yml
tags: firewall
- name: Configure secure shell daemon

97
roles/common/tasks/nftables.yml Normal file
View File

@ -0,0 +1,97 @@
---
# Common nftables tasks for Ubuntu 20.04, Ubuntu 22.04, Ubuntu 24.04, Debian 11,
# and Debian 12.
- name: Copy nftables.conf
ansible.builtin.template:
src: nftables.conf.j2
dest: /etc/nftables.conf
owner: root
mode: "0644"
notify:
- restart nftables
- restart fail2ban
- name: Create /etc/nftables extra config directory
ansible.builtin.file:
path: /etc/nftables
state: directory
owner: root
mode: "0755"
- name: Copy extra nftables configuration files
ansible.builtin.copy:
src: "{{ item.src }}"
dest: /etc/nftables/{{ item.src }}
owner: root
group: root
mode: "0644"
force: "{{ item.force }}"
loop:
- { src: firehol_level1-ipv4.nft, force: false }
notify:
- restart nftables
- restart fail2ban
- name: Copy nftables update scripts
ansible.builtin.template:
src: update-firehol-nftables.sh.j2
dest: /usr/local/bin/update-firehol-nftables.sh
mode: "0755"
owner: root
group: root
- name: Remove deprecated data and scripts
ansible.builtin.file:
path: "{{ item }}"
state: absent
loop:
- /etc/nftables/spamhaus-ipv4.nft
- /etc/nftables/spamhaus-ipv6.nft
- /etc/nftables/abuseipdb-ipv4.nft
- /etc/nftables/abuseipdb-ipv6.nft
- /etc/nftables/abusech-ipv4.nft
- /usr/local/bin/update-abusech-nftables.sh
- /usr/local/bin/update-spamhaus-nftables.sh
- /etc/systemd/system/update-abusech-nftables.service
- /etc/systemd/system/update-abusech-nftables.timer
- /etc/systemd/system/update-spamhaus-nftables.service
- /etc/systemd/system/update-spamhaus-nftables.timer
- /usr/local/bin/aggregate-cidr-addresses.pl
notify:
- restart nftables
- restart fail2ban
- name: Copy nftables systemd units
ansible.builtin.copy:
src: "{{ item }}"
dest: /etc/systemd/system/{{ item }}
mode: "0644"
owner: root
group: root
loop:
- update-firehol-nftables.service
- update-firehol-nftables.timer
register: nftables_systemd_units
# need to reload to pick up service/timer/environment changes
- name: Reload systemd daemon
ansible.builtin.systemd: # noqa no-handler
daemon_reload: true
when: nftables_systemd_units is changed
- name: Start and enable nftables update timers
ansible.builtin.systemd:
name: "{{ item }}"
state: started
enabled: true
loop:
- update-firehol-nftables.timer
- name: Start and enable nftables
ansible.builtin.systemd:
name: nftables
state: started
enabled: true
# vim: set sw=2 ts=2:

11
roles/common/tasks/ntp.yml
View File

@ -4,16 +4,19 @@
# client.
- name: Set timezone
when: timezone is defined and ansible_service_mgr == 'systemd'
command: /usr/bin/timedatectl set-timezone {{ timezone }}
when:
- timezone is defined
- ansible_service_mgr == 'systemd'
community.general.timezone:
name: "{{ timezone }}"
tags: timezone
# Apparently some cloud images don't have this installed by default. From what
# I can see on existing servers, systemd-timesyncd is a standalone package on
# Ubuntu 20.04 and Debian 11.
- name: Install systemd-timesyncd
when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or
(ansible_distribution == 'Debian' and ansible_distribution_version is version('11', '>='))
when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_version
is version('11', '>='))
ansible.builtin.apt: name=systemd-timesyncd state=present cache_valid_time=3600
- name: Start and enable systemd's NTP client

18
roles/common/tasks/packages_Debian.yml
View File

@ -1,20 +1,6 @@
---
- name: Configure Debian packages
block:
# Create directory for third-party package signing keys. Required on distros
# older than Debian 12 / Ubuntu 22.04.
#
# See: https://wiki.debian.org/DebianRepository/UseThirdParty
- name: Create /etc/apt/keyrings
file:
path: /etc/apt/keyrings
mode: 0755
owner: root
group: root
state: directory
when: ansible_distribution_major_version is version('12', '<')
# Scaleway seems to use a weird sources.list format as of Debian 12?
- name: Check for weird Debian sources
ansible.builtin.stat:
@ -36,7 +22,6 @@
- iotop
- htop
- strace
- cron-apt
- safe-rm
- debian-goodies
- mosh
@ -48,11 +33,12 @@
- zstd
- rsync
- lsof
- unattended-upgrades
- name: Install base packages
ansible.builtin.apt: name={{ base_packages }} state=present cache_valid_time=3600
- name: Configure cron-apt
- name: Remove cron-apt
ansible.builtin.import_tasks: cron-apt.yml
tags: cron-apt

80
roles/common/tasks/packages_Ubuntu.yml
View File

@ -1,20 +1,6 @@
---
- name: Configure Ubuntu packages
block:
# Create directory for third-party package signing keys. Required on distros
# older than Debian 12 / Ubuntu 22.04.
#
# See: https://wiki.debian.org/DebianRepository/UseThirdParty
- name: Create /etc/apt/keyrings
file:
path: /etc/apt/keyrings
mode: 0755
owner: root
group: root
state: directory
when: ansible_distribution_major_version is version('22.04', '<')
- name: Configure apt mirror
ansible.builtin.template: src=sources.list.j2 dest=/etc/apt/sources.list owner=root group=root mode=0644
when: ansible_architecture != 'armv7l'
@ -25,59 +11,27 @@
- name: Set Ubuntu base packages
ansible.builtin.set_fact:
ubuntu_base_packages:
- git
- git-lfs
- tmux
- iotop
- htop
- strace
- cron-apt
- safe-rm
- debian-goodies
- mosh
- python-pycurl # for ansible's apt_repository
- vim
- unzip
- apt-transport-https # for https support in apt
- zstd
- rsync
- lsof
- git
- git-lfs
- tmux
- iotop
- htop
- strace
- cron-apt
- safe-rm
- debian-goodies
- mosh
- python-pycurl # for ansible's apt_repository
- vim
- unzip
- apt-transport-https # for https support in apt
- zstd
- rsync
- lsof
- name: Install base packages
ansible.builtin.apt: pkg={{ ubuntu_base_packages }} state=present cache_valid_time=3600
# We have to remove snaps one by one in a specific order because some depend
# on others. Only after that can we remove the corresponding system packages.
- name: Remove lxd snap
community.general.snap: name=lxd state=absent
when: ansible_distribution_version is version('20.04', '==')
ignore_errors: true
- name: Remove core18 snap
community.general.snap: name=core18 state=absent
when: ansible_distribution_version is version('20.04', '==')
ignore_errors: true
- name: Remove snapd snap
community.general.snap: name=snapd state=absent
when: ansible_distribution_version is version('20.04', '==')
ignore_errors: true
- name: Set fact for packages to remove (Ubuntu 20.04)
ansible.builtin.set_fact:
ubuntu_annoying_packages:
- whoopsie # security (CIS 4.1)
- apport # security (CIS 4.1)
- command-not-found # annoying
- command-not-found-data # annoying
- python3-commandnotfound # annoying
- snapd # annoying (Ubuntu >= 16.04)
- lxd-agent-loader # annoying (Ubuntu 20.04)
when: ansible_distribution_version is version('20.04', '==')
- name: Remove packages
ansible.builtin.apt: name={{ ubuntu_annoying_packages }} state=absent purge=true
- name: Disable annoying Canonical spam in MOTD
ansible.builtin.file: path={{ item }} mode=0644 state=absent
loop:

2
roles/common/tasks/ssh-keys.yml
View File

@ -3,7 +3,7 @@
ansible.builtin.file: dest={{ provisioning_user.home }}/.ssh/authorized_keys state=absent
- name: Add public keys to authorized_keys
ansible.posix.authorized_key: { user: '{{ provisioning_user.name }}', key: "{{ lookup('file',item) }}" }
ansible.posix.authorized_key: { user: "{{ provisioning_user.name }}", key: "{{ lookup('file',item) }}" }
with_fileglob:
# use descriptive names for keys, like: aorth-mzito-rsa.pub
- ssh-pub-keys/*.pub

4
roles/common/tasks/sshd.yml
View File

@ -1,8 +1,8 @@
---
# SSH configs don't change in Debian minor versions
- name: Reconfigure /etc/ssh/sshd_config
ansible.builtin.template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0600
ansible.builtin.template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root
mode=0600
when: ansible_distribution == 'Debian'
notify: reload sshd

45
roles/common/tasks/tarsnap.yml
View File

@ -1,24 +1,45 @@
---
- name: Add Tarsnap apt mirror
ansible.builtin.template: src=tarsnap_sources.list.j2 dest=/etc/apt/sources.list.d/tarsnap.list owner=root group=root mode=0644
- name: Check tarsnap apt signing key
ansible.builtin.stat:
path: /etc/apt/keyrings/tarsnap-deb-packaging-key.asc
register: tarsnap_signing_key_stat
- name: Download tarsnap apt signing key
ansible.builtin.get_url:
url: https://pkg.tarsnap.com/tarsnap-deb-packaging-key.asc
dest: /etc/apt/keyrings/tarsnap-deb-packaging-key.asc
owner: root
group: root
mode: "0644"
register: download_tarsnap_signing_key
when: not tarsnap_signing_key_stat.stat.exists
- name: Add tarsnap.org repo
ansible.builtin.template:
src: tarsnap_sources.list.j2
dest: /etc/apt/sources.list.d/tarsnap.list
owner: root
group: root
mode: "0644"
register: add_tarsnap_apt_repository
when: ansible_architecture != 'armv7l'
- name: Add GPG key for Tarsnap
ansible.builtin.apt_key: id=0xF608BA1BFB5CE8F8CAB088359F084BEE7F938A76 url=https://pkg.tarsnap.com/tarsnap-deb-packaging-key.asc state=present
register: add_tarsnap_apt_key
- name: Update apt cache
ansible.builtin.apt:
ansible.builtin.apt: # noqa no-handler
update_cache: true
when:
add_tarsnap_apt_key is changed or
add_tarsnap_apt_repository is changed
when: (download_tarsnap_signing_key.status_code is defined and download_tarsnap_signing_key.status_code == 200) or add_tarsnap_apt_repository is changed
- name: Install tarsnap
ansible.builtin.apt: pkg=tarsnap cache_valid_time=3600
ansible.builtin.apt:
pkg: tarsnap
cache_valid_time: 3600
- name: Copy tarsnaprc
ansible.builtin.copy: src=tarsnaprc dest=/root/.tarsnaprc owner=root group=root mode=0600
ansible.builtin.copy:
src: tarsnaprc
dest: /root/.tarsnaprc
owner: root
group: root
mode: "0600"
# vim: set sw=2 ts=2:

53
roles/common/templates/nftables.conf.j2
View File

@ -5,47 +5,18 @@
flush ruleset
# Lists updated daily by update-spamhaus-nftables.sh
include "/etc/nftables/spamhaus-ipv4.nft"
include "/etc/nftables/spamhaus-ipv6.nft"
# Lists updated monthly (manually)
include "/etc/nftables/abuseipdb-ipv4.nft"
include "/etc/nftables/abuseipdb-ipv6.nft"
# Lists updated daily by update-abusech-nftables.sh
include "/etc/nftables/abusech-ipv4.nft"
# List updated daily by update-firehol-nftables.sh
include "/etc/nftables/firehol_level1-ipv4.nft"
# Notes:
# - tables hold chains, chains hold rules
# - inet is for both ipv4 and ipv6
table inet filter {
set spamhaus-ipv4 {
set firehol_level1-ipv4 {
type ipv4_addr
# if the set contains prefixes we need to use the interval flag
flags interval
elements = $SPAMHAUS_IPV4
}
set spamhaus-ipv6 {
type ipv6_addr
flags interval
elements = $SPAMHAUS_IPV6
}
set abusech-ipv4 {
type ipv4_addr
elements = $ABUSECH_IPV4
}
set abuseipdb-ipv4 {
type ipv4_addr
elements = $ABUSEIPDB_IPV4
}
set abuseipdb-ipv6 {
type ipv6_addr
elements = $ABUSEIPDB_IPV6
elements = $FIREHOL_LEVEL1_IPV4
}
chain input {
@ -55,13 +26,7 @@ table inet filter {
ct state invalid counter drop comment "Early drop of invalid connections"
ip saddr @spamhaus-ipv4 counter drop comment "Early drop of incoming packets matching spamhaus-ipv4 list"
ip6 saddr @spamhaus-ipv6 counter drop comment "Early drop of incoming packets matching spamhaus-ipv6 list"
ip saddr @abusech-ipv4 counter drop comment "Early drop of packets matching abusech-ipv4 list"
ip saddr @abuseipdb-ipv4 counter drop comment "Early drop of incoming packets matching abuseipdb-ipv4 list"
ip6 saddr @abuseipdb-ipv6 counter drop comment "Early drop of incoming packets matching abuseipdb-ipv6 list"
ip saddr @firehol_level1-ipv4 counter drop comment "Early drop of incoming packets matching firehol_level1-ipv4 list"
iifname lo accept comment "Allow from loopback"
@ -105,12 +70,6 @@ table inet filter {
chain output {
type filter hook output priority 0;
ip daddr @spamhaus-ipv4 counter drop comment "Drop outgoing packets matching spamhaus-ipv4 list"
ip6 daddr @spamhaus-ipv6 counter drop comment "Drop outgoing packets matching spamhaus-ipv6 list"
ip daddr @abusech-ipv4 counter drop comment "Drop outgoing packets matching abusech-ipv4 list"
ip daddr @abuseipdb-ipv4 counter drop comment "Drop outgoing packets matching abuseipdb-ipv4 list"
ip6 daddr @abuseipdb-ipv6 counter drop comment "Drop outgoing packets matching abuseipdb-ipv6 list"
ip daddr @firehol_level1-ipv4 counter drop comment "Drop outgoing packets matching firehol_level1-ipv4 list"
}
}

5
roles/common/templates/security.sources.list.j2
View File

@ -1,5 +0,0 @@
{% if ansible_distribution == 'Ubuntu' %}
deb http://security.ubuntu.com/ubuntu {{ ansible_distribution_release }}-security main restricted universe multiverse
{% elif ansible_distribution == 'Debian' %}
deb http://security.debian.org/debian-security {{ ansible_distribution_release }}/updates main contrib non-free
{% endif %}

8
roles/common/templates/sshd_config_Debian-11.j2
View File

@ -56,7 +56,11 @@ AuthorizedKeysFile .ssh/authorized_keys
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
{% if ssh_password_authentication == 'disabled' %}
PasswordAuthentication no
{% else %}
PasswordAuthentication yes
{% endif %}
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
@ -131,7 +135,7 @@ Subsystem sftp /usr/lib/openssh/sftp-server
# See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256, curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
{% if ssh_allowed_users is defined and ssh_allowed_users %}
# Is there a list of allowed users?

8
roles/common/templates/sshd_config_Debian-12.j2
View File

@ -56,8 +56,12 @@ AuthorizedKeysFile .ssh/authorized_keys
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
{% if ssh_password_authentication == 'disabled' %}
PasswordAuthentication no
{% else %}
PasswordAuthentication yes
PermitEmptyPasswords no
{% endif %}
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
@ -130,7 +134,7 @@ Subsystem sftp /usr/lib/openssh/sftp-server
# See: https://github.com/jtesta/ssh-audit/blob/master/src/ssh_audit/policy.py
# See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
{% if ssh_allowed_users is defined and ssh_allowed_users %}

7
roles/common/templates/sshd_config_Ubuntu-20.04.j2
View File

@ -56,7 +56,11 @@ AuthorizedKeysFile .ssh/authorized_keys
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
{% if ssh_password_authentication == 'disabled' %}
PasswordAuthentication no
{% else %}
PasswordAuthentication yes
{% endif %}
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
@ -122,7 +126,6 @@ Subsystem sftp /usr/lib/openssh/sftp-server
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
PasswordAuthentication yes
# Originally from: https://stribika.github.io/2015/01/04/secure-secure-shell.html
# ... but with ciphers and MACs with < 256 bits removed, as NSA's Suite B now

2
roles/common/templates/tarsnap_sources.list.j2
View File

@ -1 +1 @@
deb [arch=amd64] https://pkg.tarsnap.com/deb/{{ ansible_distribution_release }} ./
deb [arch=amd64 signed-by=/etc/apt/keyrings/tarsnap-deb-packaging-key.asc] https://pkg.tarsnap.com/deb/{{ ansible_distribution_release }} ./

65
roles/common/templates/update-firehol-nftables.sh.j2 Executable file
View File

@ -0,0 +1,65 @@
#!/usr/bin/env bash
#
# update-firehol-nftables.sh v0.0.1
#
# Download FireHOL lists and load them into nftables sets.
#
# See: https://iplists.firehol.org/
#
# Copyright (C) 2025 Alan Orth
#
# SPDX-License-Identifier: GPL-3.0-only
# Exit on first error
set -o errexit
firehol_level1_ipv4_set_path=/etc/nftables/firehol_level1-ipv4.nft
function download() {
echo "Downloading $1"
wget -q -O - "https://iplists.firehol.org/files/$1" > "$1"
}
download firehol_level1.netset
if [[ -f "firehol_level1.netset" ]]; then
echo "Processing FireHOL Level 1 list"
firehol_level1_ipv4_list_temp=$(mktemp)
firehol_level1_ipv4_set_temp=$(mktemp)
# Filter blank lines, comments, and bogons we use inside the LAN, DMZ, and
# for local services like systemd-resolved and others on localhost. Ideally
# these are blocked already at the WAN side by network administrators.
cat firehol_level1.netset \
| sed \
-e '/^$/d' \
-e '/^#.*/d' \
-e '/^127\.0\.0\.0\/8/d' \
> "$firehol_level1_ipv4_list_temp"
echo "Building firehol_level1-ipv4 set"
cat << NFT_HEAD > "$firehol_level1_ipv4_set_temp"
#!/usr/sbin/nft -f
define FIREHOL_LEVEL1_IPV4 = {
NFT_HEAD
while read -r network; do
# nftables doesn't mind if the last element in the set has a trailing
# comma so we don't need to do anything special here.
echo "$network," >> "$firehol_level1_ipv4_set_temp"
done < $firehol_level1_ipv4_list_temp
echo "}" >> "$firehol_level1_ipv4_set_temp"
install -m 0600 "$firehol_level1_ipv4_set_temp" "$firehol_level1_ipv4_set_path"
rm -f "$firehol_level1_ipv4_list_temp" "$firehol_level1_ipv4_set_temp"
fi
echo "Reloading nftables"
/usr/bin/systemctl reload nftables.service
rm -v firehol_level1.netset

19
roles/mariadb/tasks/main.yml
View File

@ -1,7 +1,7 @@
---
- name: Remove MariaDB key from apt-key
ansible.builtin.apt_key:
id: 0x177F4010FE56CA3336300305F1656F24C74CD1D8
id: "013577200103762554506315430003013705453362230723150730"
state: absent
tags:
- packages
@ -21,16 +21,17 @@
dest: /etc/apt/keyrings/mariadb_release_signing_key.asc
owner: root
group: root
mode: 0644
mode: "0644"
register: download_mariadb_signing_key
when: not mariadb_signing_key_stat.stat.exists
tags:
- packages
- mariadb
- name: Add MariaDB 10.6 repo
- name: Add MariaDB 10.11 repo
ansible.builtin.apt_repository:
repo: 'deb [arch=amd64 signed-by=/etc/apt/keyrings/mariadb_release_signing_key.asc] https://dlm.mariadb.com/repo/mariadb-server/10.6/repo/debian {{ ansible_distribution_release }} main'
repo: deb [arch=amd64 signed-by=/etc/apt/keyrings/mariadb_release_signing_key.asc] https://dlm.mariadb.com/repo/mariadb-server/10.11/repo/debian {{ ansible_distribution_release
}} main
filename: mariadb
state: present
register: add_mariadb_apt_repository
@ -41,16 +42,14 @@
- name: Update apt cache
ansible.builtin.apt: # noqa no-handler
update_cache: true
when:
(download_mariadb_signing_key.status_code is defined and download_mariadb_signing_key.status_code == 200) or
add_mariadb_apt_repository is changed
when: (download_mariadb_signing_key.status_code is defined and download_mariadb_signing_key.status_code == 200) or add_mariadb_apt_repository is changed
tags:
- packages
- mariadb
- name: Install mariadb-server
ansible.builtin.apt:
name: ['mariadb-server', 'python3-pymysql']
name: [mariadb-server, python3-pymysql]
state: present
cache_valid_time: 3600
tags: mariadb, packages
@ -61,7 +60,7 @@
dest: /etc/mysql/my.cnf
owner: root
group: root
mode: 0644
mode: "0644"
notify:
- restart mariadb
tags: mariadb
@ -83,7 +82,7 @@
src: .my.cnf.j2
dest: /root/.my.cnf
owner: root
mode: 0600
mode: "0600"
tags: mariadb
# See: https://docs.ansible.com/ansible/latest/collections/community/mysql/mysql_db_module.html

18
roles/nginx/defaults/main.yml
View File

@ -5,20 +5,20 @@
nginx_confd_path: /etc/nginx/conf.d
# parent directory of vhost roots
nginx_root_prefix: /var/www
nginx_root_prefix: "{{ web_root_prefix }}"
# 1 hour timeout
nginx_ssl_session_timeout: 1h
# 1 day timeout
nginx_ssl_session_timeout: 1d
# 10MB -> 40,000 sessions
nginx_ssl_session_cache: shared:SSL:10m
# 1400 bytes to fit in one MTU (default is 16k!)
nginx_ssl_buffer_size: 1400
nginx_ssl_buffer_size: 4k
nginx_ssl_dhparam: /etc/ssl/certs/dhparam.pem
nginx_ssl_protocols: 'TLSv1.2 TLSv1.3'
nginx_ssl_protocols: TLSv1.2 TLSv1.3
nginx_ssl_ecdh_curve: X25519:prime256v1:secp384r1
# DNS resolvers for OCSP stapling (default to Cloudflare public DNS)
# See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
nginx_ssl_stapling_resolver: '1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]'
nginx_ssl_stapling_resolver: 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]
# HTTP Strict-Transport-Security header, recommended by Google to be ~1 year
# in seconds, see: https://hstspreload.org/
@ -37,8 +37,8 @@ letsencrypt_root: /etc/ssl
letsencrypt_acme_script_temp: /root/acme.sh
letsencrypt_acme_home: /root/.acme.sh
# stable is 1.20.x
# mainline is 1.21.x
# stable is 1.26.x
# mainline is 1.27.x
nginx_version: mainline
# vim: set ts=2 sw=2:

145
roles/nginx/tasks/letsencrypt.yml
View File

@ -1,91 +1,90 @@
---
# Use acme.sh instead of certbot because they only support installation via
# snap now.
- block:
- name: Remove certbot
ansible.builtin.apt:
name: certbot
state: absent
- name: Remove certbot
ansible.builtin.apt:
name: certbot
state: absent
- name: Remove old certbot post and pre hooks for nginx
ansible.builtin.file:
dest: "{{ item }}"
state: absent
with_items:
- /etc/letsencrypt/renewal-hooks/pre/stop-nginx.sh
- /etc/letsencrypt/renewal-hooks/post/start-nginx.sh
- name: Remove old certbot post and pre hooks for nginx
ansible.builtin.file:
dest: "{{ item }}"
state: absent
with_items:
- /etc/letsencrypt/renewal-hooks/pre/stop-nginx.sh
- /etc/letsencrypt/renewal-hooks/post/start-nginx.sh
- name: Check if acme.sh is installed
ansible.builtin.stat:
path: "{{ letsencrypt_acme_home }}"
register: acme_home
- name: Check if acme.sh is installed
ansible.builtin.stat:
path: "{{ letsencrypt_acme_home }}"
register: acme_home
- name: Download acme.sh
ansible.builtin.get_url:
url: https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh
dest: "{{ letsencrypt_acme_script_temp }}"
mode: 0700
register: acme_download
when: not acme_home.stat.exists
- name: Download acme.sh
ansible.builtin.get_url:
url: https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh
dest: "{{ letsencrypt_acme_script_temp }}"
mode: "0700"
register: acme_download
when: not acme_home.stat.exists
# Run the "install" for acme.sh so it creates the .acme.sh dir (currently I
# have to chdir to the /root directory where the script exists or else it
# fails. Ansible runs it, but the script can't find itself...).
- name: Install acme.sh
ansible.builtin.command:
cmd: "{{ letsencrypt_acme_script_temp }} --install --no-profile --no-cron"
creates: "{{ letsencrypt_acme_home }}/acme.sh"
chdir: /root
register: acme_install
when: acme_download is changed
# Run the "install" for acme.sh so it creates the .acme.sh dir (currently I
# have to chdir to the /root directory where the script exists or else it
# fails. Ansible runs it, but the script can't find itself...).
- name: Install acme.sh
ansible.builtin.command:
cmd: "{{ letsencrypt_acme_script_temp }} --install --no-profile --no-cron"
creates: "{{ letsencrypt_acme_home }}/acme.sh"
chdir: /root
register: acme_install
when: acme_download is changed
- name: Remove temporary acme.sh script
ansible.builtin.file:
dest: "{{ letsencrypt_acme_script_temp }}"
state: absent
when:
- acme_install.rc is defined
- acme_install.rc == 0
- name: Remove temporary acme.sh script
ansible.builtin.file:
dest: "{{ letsencrypt_acme_script_temp }}"
state: absent
when:
- acme_install.rc is defined
- acme_install.rc == 0
- name: Set default certificate authority for acme.sh
ansible.builtin.command:
cmd: "{{ letsencrypt_acme_home }}/acme.sh --set-default-ca --server letsencrypt"
- name: Set default certificate authority for acme.sh
ansible.builtin.command:
cmd: "{{ letsencrypt_acme_home }}/acme.sh --set-default-ca --server letsencrypt"
- name: Prepare Let's Encrypt well-known directory
ansible.builtin.file:
state: directory
path: /var/lib/letsencrypt/.well-known
owner: root
group: nginx
mode: g+s
- name: Prepare Let's Encrypt well-known directory
ansible.builtin.file:
state: directory
path: /var/lib/letsencrypt/.well-known
owner: root
group: nginx
mode: g+s
- name: Copy systemd service to renew Let's Encrypt certs
ansible.builtin.template:
src: renew-letsencrypt.service.j2
dest: /etc/systemd/system/renew-letsencrypt.service
mode: 0644
owner: root
group: root
- name: Copy systemd service to renew Let's Encrypt certs
ansible.builtin.template:
src: renew-letsencrypt.service.j2
dest: /etc/systemd/system/renew-letsencrypt.service
mode: "0644"
owner: root
group: root
- name: Copy systemd timer to renew Let's Encrypt certs
ansible.builtin.copy:
src: renew-letsencrypt.timer
dest: /etc/systemd/system/renew-letsencrypt.timer
mode: 0644
owner: root
group: root
- name: Copy systemd timer to renew Let's Encrypt certs
ansible.builtin.copy:
src: renew-letsencrypt.timer
dest: /etc/systemd/system/renew-letsencrypt.timer
mode: "0644"
owner: root
group: root
# always issues daemon-reload just in case the service/timer changed
- name: Start and enable systemd timer to renew Let's Encrypt certs
ansible.builtin.systemd:
name: renew-letsencrypt.timer
state: started
enabled: true
daemon_reload: true
# always issues daemon-reload just in case the service/timer changed
- name: Start and enable systemd timer to renew Let's Encrypt certs
ansible.builtin.systemd:
name: renew-letsencrypt.timer
state: started
enabled: true
daemon_reload: true
when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '=='))
or (ansible_distribution == 'Debian' and ansible_distribution_version is version('11', '=='))
when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_version
is version('11', '>='))
tags: letsencrypt
# vim: set ts=2 sw=2:

94
roles/nginx/tasks/main.yml
View File

@ -1,33 +1,69 @@
---
- name: Add nginx.org apt signing key
ansible.builtin.apt_key: id=0x573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 url=https://nginx.org/keys/nginx_signing.key state=present
register: add_nginx_apt_key
tags: nginx, packages
- name: Remove nginx apt signing key from apt-key
ansible.builtin.apt_key:
id: "053473772654754373614404074646527257655730117366337542"
state: absent
tags:
- packages
- nginx
- name: Download nginx apt signing key
ansible.builtin.get_url:
url: https://nginx.org/keys/nginx_signing.key
dest: /usr/share/keyrings/nginx_signing.key
owner: root
group: root
mode: "0644"
checksum: sha256:55385da31d198fa6a5012d40ae98ecb272a6c4e8fffffba94719ffd3e87de37a
register: download_nginx_signing_key
tags:
- packages
- nginx
- name: Add nginx.org repo
ansible.builtin.template: src=nginx_org_sources.list.j2 dest=/etc/apt/sources.list.d/nginx_org_sources.list owner=root group=root mode=0644
ansible.builtin.template:
src: nginx_org_sources.list.j2
dest: /etc/apt/sources.list.d/nginx_org_sources.list
owner: root
group: root
mode: "0644"
register: add_nginx_apt_repository
tags: nginx, packages
tags:
- nginx
- packages
- name: Update apt cache
ansible.builtin.apt:
ansible.builtin.apt: # noqa no-handler
update_cache: true
when:
add_nginx_apt_key is changed or
add_nginx_apt_repository is changed
when: (download_nginx_signing_key.status_code is defined and download_nginx_signing_key.status_code == 200) or add_nginx_apt_repository is changed
- name: Install nginx
ansible.builtin.apt: pkg=nginx cache_valid_time=3600 state=present
tags: nginx, packages
ansible.builtin.apt:
pkg: nginx
cache_valid_time: 3600
state: present
tags:
- nginx
- packages
- name: Copy nginx.conf
ansible.builtin.template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf mode=0644 owner=root group=root
ansible.builtin.template:
src: nginx.conf.j2
dest: /etc/nginx/nginx.conf
mode: "0644"
owner: root
group: root
notify:
- reload nginx
tags: nginx
- name: Copy extra nginx configs
ansible.builtin.copy: src={{ item }} dest=/etc/nginx/{{ item }} mode=0644 owner=root group=root
ansible.builtin.copy:
src: "{{ item }}"
dest: /etc/nginx/{{ item }}
mode: "0644"
owner: root
group: root
loop:
- extra-security.conf
- fastcgi_cache
@ -36,11 +72,18 @@
tags: nginx
- name: Remove default nginx vhost
ansible.builtin.file: path=/etc/nginx/conf.d/default.conf state=absent
ansible.builtin.file:
path: /etc/nginx/conf.d/default.conf
state: absent
tags: nginx
- name: Create fastcgi cache dir
ansible.builtin.file: path=/var/cache/nginx/cached/fastcgi state=directory owner=nginx group=nginx mode=0755
ansible.builtin.file:
path: /var/cache/nginx/cached/fastcgi
state: directory
owner: nginx
group: nginx
mode: "0755"
tags: nginx
- name: Configure nginx virtual hosts
@ -54,19 +97,32 @@
tags: wordpress
- name: Configure blank nginx vhost
ansible.builtin.template: src=blank-vhost.conf.j2 dest={{ nginx_confd_path }}/blank-vhost.conf mode=0644 owner=root group=root
ansible.builtin.template:
src: blank-vhost.conf.j2
dest: "{{ nginx_confd_path }}/blank-vhost.conf"
mode: "0644"
owner: root
group: root
notify:
- reload nginx
tags: nginx
- name: Configure munin vhost
ansible.builtin.copy: src=munin.conf dest=/etc/nginx/conf.d/munin.conf mode=0644 owner=root group=root
ansible.builtin.copy:
src: munin.conf
dest: /etc/nginx/conf.d/munin.conf
mode: "0644"
owner: root
group: root
notify:
- reload nginx
tags: nginx
- name: Start and enable nginx service
ansible.builtin.systemd: name=nginx state=started enabled=true
ansible.builtin.systemd:
name: nginx
state: started
enabled: true
tags: nginx
- name: Configure Let's Encrypt

42
roles/nginx/tasks/vhosts.yml
View File

@ -1,29 +1,29 @@
---
- block:
- name: Configure https vhosts
ansible.builtin.template: src=vhost.conf.j2 dest={{ nginx_confd_path }}/{{ item.domain_name }}.conf mode=0644 owner=root group=root
loop: "{{ nginx_vhosts }}"
notify:
- reload nginx
- name: Configure https vhosts
ansible.builtin.template: src=vhost.conf.j2 dest={{ nginx_confd_path }}/{{ item.domain_name }}.conf mode=0644 owner=root group=root
loop: "{{ nginx_vhosts }}"
notify:
- reload nginx
- name: Generate self-signed TLS cert
ansible.builtin.command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key -out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt
notify:
- reload nginx
- name: Generate self-signed TLS cert
ansible.builtin.command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key
-out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt
notify:
- reload nginx
- name: Download 4096-bit RFC 7919 dhparams
ansible.builtin.get_url:
url: https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem
checksum: sha256:64852d6890ff9e62eecd1ee89c72af9af244dfef5b853bcedea3dfd7aade22b3
dest: "{{ nginx_ssl_dhparam }}"
notify:
- reload nginx
- name: Download 4096-bit RFC 7919 dhparams
ansible.builtin.get_url:
url: https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem
checksum: sha256:64852d6890ff9e62eecd1ee89c72af9af244dfef5b853bcedea3dfd7aade22b3
dest: "{{ nginx_ssl_dhparam }}"
notify:
- reload nginx
# TODO: this could break because we can override the document root in host vars
- name: Create vhost document roots
ansible.builtin.file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory mode=0755 owner=nginx group=nginx
loop: "{{ nginx_vhosts }}"
# TODO: this could break because we can override the document root in host vars
- name: Create vhost document roots
ansible.builtin.file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory mode=0755 owner=nginx group=nginx
loop: "{{ nginx_vhosts }}"
tags: nginx
# vim: set ts=2 sw=2:

26
roles/nginx/tasks/wordpress.yml
View File

@ -1,19 +1,19 @@
---
- block:
- name: Install WordPress
ansible.builtin.git: repo=https://github.com/WordPress/WordPress.git dest={{ nginx_root_prefix }}/{{ item.domain_name }}/wordpress version={{ item.wordpress_version }} depth=1 force=true
when:
- item.has_wordpress is defined
- item.has_wordpress
loop: "{{ nginx_vhosts }}"
- name: Install WordPress
ansible.builtin.git: repo=https://github.com/WordPress/WordPress.git dest={{ nginx_root_prefix }}/{{ item.domain_name }}/wordpress version={{ item.wordpress_version
}} depth=1 force=true
when:
- item.has_wordpress is defined
- item.has_wordpress
loop: "{{ nginx_vhosts }}"
- name: Fix WordPress directory permissions
ansible.builtin.file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory owner=nginx group=nginx recurse=true
when:
- item.has_wordpress is defined
- item.has_wordpress
loop: "{{ nginx_vhosts }}"
- name: Fix WordPress directory permissions
ansible.builtin.file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory owner=nginx group=nginx recurse=true
when:
- item.has_wordpress is defined
- item.has_wordpress
loop: "{{ nginx_vhosts }}"
tags: wordpress
# vim: set ts=2 sw=2:

6
roles/nginx/templates/blank-vhost.conf.j2
View File

@ -11,9 +11,11 @@ server {
return 444;
}
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
http2 on;
server_name _;
# self-signed "snakeoil" certificate

12
roles/nginx/templates/https.j2
View File

@ -27,8 +27,9 @@
ssl_dhparam {{ nginx_ssl_dhparam }};
ssl_protocols {{ nginx_ssl_protocols }};
ssl_ecdh_curve {{ nginx_ssl_ecdh_curve }};
ssl_ciphers "{{ tls_cipher_suite }}";
ssl_prefer_server_ciphers on;
ssl_prefer_server_ciphers off;
{# OSCP stapling only works with real certs #}
{% if use_letsencrypt == true or item.tls_certificate_path %}
@ -38,15 +39,6 @@
resolver {{ nginx_ssl_stapling_resolver }};
{% endif %} {# end: use_letsencrypt #}
# nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and
# when a restart is performed the previous key is lost, which resets all previous
# sessions. The fix for this is to setup a manual rotation mechanism:
# http://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx
#
# Note that you'll have to define and rotate the keys securely by yourself. In absence
# of such infrastructure, consider turning off session tickets:
ssl_session_tickets off;
{% if enable_hsts == true %}
# Enable this if you want HSTS (recommended, but be careful)
# Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store

8
roles/nginx/templates/nginx_org_sources.list.j2
View File

@ -3,17 +3,17 @@
{% if ansible_distribution == 'Ubuntu' %}
{% if nginx_version == "stable" %}
deb [arch=amd64] https://nginx.org/packages/ubuntu/ {{ ansible_distribution_release }} nginx
deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/ubuntu/ {{ ansible_distribution_release }} nginx
{% elif nginx_version == "mainline" %}
deb [arch=amd64] https://nginx.org/packages/mainline/ubuntu/ {{ ansible_distribution_release }} nginx
deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/mainline/ubuntu/ {{ ansible_distribution_release }} nginx
{% endif %}
{% elif ansible_distribution == 'Debian' %}
{% if nginx_version == "stable" %}
deb [arch=amd64] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx
deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx
{% elif nginx_version == "mainline" %}
deb [arch=amd64] https://nginx.org/packages/mainline/debian/ {{ ansible_distribution_release }} nginx
deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/mainline/debian/ {{ ansible_distribution_release }} nginx
{% endif %}
{% endif %}

24
roles/nginx/templates/vhost.conf.j2
View File

@ -8,6 +8,12 @@
{% set has_wordpress = item.has_wordpress | default(false) %}
{% set needs_php = item.needs_php | default(false) %}
{% set has_gitea = item.has_gitea | default(false) %}
{# Allow sites to override the document root #}
{% if item.document_root is defined %}
{% set document_root = item.document_root %}
{% else %}
{% set document_root = (nginx_root_prefix, domain_name) | ansible.builtin.path_join %}
{% endif %}
# http -> https vhost
server {
@ -26,15 +32,11 @@ server {
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
{# Allow sites to override the nginx document root #}
{% if item.document_root is defined %}
root {{ item.document_root }};
{% else %}
root {{ nginx_root_prefix }}/{{ domain_name }};
{% endif %}
root {{ document_root }};
{# will only work if the TLS cert covers the domain + aliases, like example.com and www.example.com #}
server_name {{ domain_name }} {{ domain_aliases }};
@ -75,10 +77,8 @@ server {
# See: https://httpoxy.org/
fastcgi_param HTTP_PROXY "";
{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11', '==')) %}
fastcgi_pass unix:/run/php/php7.4-fpm-{{ domain_name }}.sock;
{% else %}
fastcgi_pass unix:/var/run/php5-fpm-{{ domain_name }}.sock;
{% if ansible_distribution == 'Debian' and ansible_distribution_major_version is version('12', '==') %}
fastcgi_pass unix:/run/php/php8.2-fpm-{{ domain_name }}.sock;
{% endif %}
fastcgi_index index.php;
# set script path relative to document root in server block

8
roles/php-fpm/handlers/main.yml
View File

@ -1,6 +1,8 @@
---
# For Ubuntu 20.04 and Debian 11
- name: reload php7.4-fpm
ansible.builtin.systemd: name=php7.4-fpm state=reloaded
# For Debian 12
- name: reload php8.2-fpm
ansible.builtin.systemd:
name: php8.2-fpm
state: reloaded
# vim: set ts=2 sw=2:

50
roles/php-fpm/tasks/Debian_12.yml Normal file
View File

@ -0,0 +1,50 @@
---
- block:
- name: Set php-fpm packages
ansible.builtin.set_fact:
php_fpm_packages:
- php8.2-fpm
# for WordPress
- php8.2-mysql
- php8.2-gd
- php8.2-curl
- php8.2-xml
- name: Install php-fpm and deps
ansible.builtin.apt:
name: "{{ php_fpm_packages }}"
state: present
update_cache: true
# only copy php-fpm config for vhosts that need WordPress or PHP
- name: Copy php-fpm pool config
ansible.builtin.template:
src: php8.2-pool.conf.j2
dest: /etc/php/8.2/fpm/pool.d/{{ item.domain_name }}.conf
owner: root
group: root
mode: "0644"
loop: "{{ nginx_vhosts }}"
when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
notify: reload php8.2-fpm
- name: Remove default www pool
ansible.builtin.file:
path: /etc/php/8.2/fpm/pool.d/www.conf
state: absent
notify: reload php8.2-fpm
# re-configure php.ini
- name: Update php.ini
ansible.builtin.template:
src: php8.2-php.ini.j2
dest: /etc/php/8.2/fpm/php.ini
owner: root
group: root
mode: "0644"
notify: reload php8.2-fpm
tags: php-fpm
when: install_php
# vim: set ts=2 sw=2:

36
roles/php-fpm/tasks/Ubuntu_20.04.yml
View File

@ -1,36 +0,0 @@
---
- block:
- name: Set php-fpm packages
ansible.builtin.set_fact:
php_fpm_packages:
- php7.4-fpm
# for WordPress
- php7.4-mysql
- php7.4-gd
- php7.4-curl
- php7.4-xml
- name: Install php-fpm and deps
ansible.builtin.apt: name={{ php_fpm_packages }} state=present update_cache=true
# only copy php-fpm config for vhosts that need WordPress or PHP
- name: Copy php-fpm pool config
ansible.builtin.template: src=php7.4-pool.conf.j2 dest=/etc/php/7.4/fpm/pool.d/{{ item.domain_name }}.conf owner=root group=root mode=0644
loop: "{{ nginx_vhosts }}"
when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
notify: reload php7.4-fpm
- name: Remove default www pool
ansible.builtin.file: path=/etc/php/7.4/fpm/pool.d/www.conf state=absent
notify: reload php7.4-fpm
# re-configure php.ini
- name: Update php.ini
ansible.builtin.template: src=php7.4-php.ini.j2 dest=/etc/php/7.4/fpm/php.ini owner=root group=root mode=0644
notify: reload php7.4-fpm
tags: php-fpm
when: install_php
# vim: set ts=2 sw=2:

23
roles/php-fpm/tasks/main.yml
View File

@ -1,6 +1,5 @@
---
# Ubuntu 20.04 uses PHP 7.4
# Debian 11 uses PHP 7.4
# Debian 12 uses PHP 8.2
# If any of the vhosts on this host need WordPress then we need to install PHP.
# This uses selectattr to filter the list of dicts in nginx_vhosts, selecting
@ -10,13 +9,13 @@
- name: Check if any vhost needs WordPress
ansible.builtin.set_fact:
install_php: true
when: "nginx_vhosts | selectattr('has_wordpress', 'defined') | selectattr('has_wordpress', 'equalto', true) | list | length > 0"
when: nginx_vhosts | selectattr('has_wordpress', 'defined') | selectattr('has_wordpress', 'equalto', true) | list | length > 0
# Legacy, was only for Piwik, but leaving for now.
- name: Check if any vhost needs PHP
ansible.builtin.set_fact:
install_php: true
when: "nginx_vhosts | selectattr('needs_php', 'defined') | selectattr('needs_php', 'equalto', true) | list | length > 0"
when: nginx_vhosts | selectattr('needs_php', 'defined') | selectattr('needs_php', 'equalto', true) | list | length > 0
# If install_php has not been set, then we assume no vhosts need PHP. This is
# a bit hacky, but it's the closest we come to an if/then/else.
@ -25,20 +24,12 @@
install_php: false
when: install_php is not defined
- name: Configure php-fpm on Ubuntu 20.04
ansible.builtin.include_tasks: Ubuntu_20.04.yml
when:
- ansible_distribution == 'Ubuntu'
- ansible_distribution_version is version('20.04', '==')
- install_php == true
tags: php-fpm
- name: Configure php-fpm on Debian 11
ansible.builtin.include_tasks: Ubuntu_20.04.yml
- name: Configure php-fpm on Debian 12
ansible.builtin.include_tasks: Debian_12.yml
when:
- ansible_distribution == 'Debian'
- ansible_distribution_major_version is version('11', '==')
- install_php == true
- ansible_distribution_major_version is version('12', '==')
- install_php
tags: php-fpm
# vim: set ts=2 sw=2:

559
roles/php-fpm/templates/php7.4-php.ini.j2 → roles/php-fpm/templates/php8.2-php.ini.j2
View File

File diff suppressed because it is too large Load Diff

98
roles/php-fpm/templates/php7.4-pool.conf.j2 → roles/php-fpm/templates/php8.2-pool.conf.j2
View File

@ -19,11 +19,16 @@
; Default Value: none
;prefix = /path/to/pools/$pool
; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's group
; will be used.
user = nginx
group = nginx
; Unix user/group of the child processes. This can be used only if the master
; process running user is root. It is set after the child process is created.
; The user and group can be specified either by their name or by their numeric
; IDs.
; Note: If the user is root, the executable needs to be started with
; --allow-to-run-as-root option to work.
; Default Values: The user is set to master process running user by default.
; If the group is not set, the user's group is used.
user = {{ webserver }}
group = {{ webserver }}
; The address on which to accept FastCGI requests.
; Valid syntaxes are:
@ -35,20 +40,22 @@ group = nginx
; (IPv6 and IPv4-mapped) on a specific port;
; '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory.
listen = /run/php/php7.4-fpm-{{ domain_name }}.sock
listen = /run/php/php8.2-fpm-{{ domain_name }}.sock
; Set listen(2) backlog.
; Default Value: 511 (-1 on FreeBSD and OpenBSD)
; Default Value: 511 (-1 on Linux, FreeBSD and OpenBSD)
;listen.backlog = 511
; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many
; BSD-derived systems allow connections regardless of permissions.
; Default Values: user and group are set as the running user
; mode is set to 0660
listen.owner = nginx
listen.group = nginx
; BSD-derived systems allow connections regardless of permissions. The owner
; and group can be specified either by name or by their numeric IDs.
; Default Values: Owner is set to the master process running user. If the group
; is not set, the owner's group is used. Mode is set to 0660.
listen.owner = {{ webserver }}
listen.group = {{ webserver }}
;listen.mode = 0660
; When POSIX Access Control Lists are supported you can set them using
; these options, value is a comma separated list of user/group names.
; When set, listen.owner and listen.group are ignored
@ -63,6 +70,10 @@ listen.group = nginx
; Default Value: any
;listen.allowed_clients = 127.0.0.1
; Set the associated the route table (FIB). FreeBSD only
; Default Value: -1
;listen.setfib = 1
; Specify the nice(2) priority to apply to the pool processes (only if set)
; The value can vary from -19 (highest priority) to 20 (lower priority)
; Note: - It will only work if the FPM master process is launched as root
@ -71,8 +82,9 @@ listen.group = nginx
; Default Value: no set
; process.priority = -19
; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user
; or group is differrent than the master process user. It allows to create process
; Set the process dumpable flag (PR_SET_DUMPABLE prctl for Linux or
; PROC_TRACE_CTL procctl for FreeBSD) even if the process user
; or group is different than the master process user. It allows to create process
; core dump and ptrace the process for the pool user.
; Default Value: no
; process.dumpable = yes
@ -94,6 +106,8 @@ listen.group = nginx
; state (waiting to process). If the number
; of 'idle' processes is greater than this
; number then some children will be killed.
; pm.max_spawn_rate - the maximum number of rate to spawn child
; processes at once.
; ondemand - no children are created at startup. Children will be forked when
; new requests will connect. The following parameter are used:
; pm.max_children - the maximum number of children that
@ -129,6 +143,12 @@ pm.min_spare_servers = 1
; Note: Mandatory when pm is set to 'dynamic'
pm.max_spare_servers = 3
; The number of rate to spawn child processes at once.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
; Default Value: 32
;pm.max_spawn_rate = 32
; The number of seconds after which an idle process will be killed.
; Note: Used only when pm is set to 'ondemand'
; Default Value: 10s
@ -141,7 +161,7 @@ pm.max_spare_servers = 3
;pm.max_requests = 500
; The URI to view the FPM status page. If this value is not set, no URI will be
; recognized as a status page. It shows the following informations:
; recognized as a status page. It shows the following information:
; pool - the name of the pool;
; process manager - static, dynamic or ondemand;
; start time - the date and time FPM has started;
@ -231,7 +251,7 @@ pm.max_spare_servers = 3
; last request memory: 0
;
; Note: There is a real-time FPM status monitoring sample web page available
; It's available in: /usr/share/php/7.4/fpm/status.html
; It's available in: /usr/share/php/8.2/fpm/status.html
;
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
@ -239,6 +259,22 @@ pm.max_spare_servers = 3
; Default Value: not set
;pm.status_path = /status
; The address on which to accept FastCGI status request. This creates a new
; invisible pool that can handle requests independently. This is useful
; if the main pool is busy with long running requests because it is still possible
; to get the status before finishing the long running requests.
;
; Valid syntaxes are:
; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
; a specific port;
; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
; a specific port;
; 'port' - to listen on a TCP socket to all addresses
; (IPv6 and IPv4-mapped) on a specific port;
; '/path/to/unix/socket' - to listen on a unix socket.
; Default Value: value of the listen option
;pm.status_listen = 127.0.0.1:9001
; The ping URI to call the monitoring page of FPM. If this value is not set, no
; URI will be recognized as a ping page. This could be used to test from outside
; that FPM is alive and responding, or to
@ -271,13 +307,13 @@ pm.max_spare_servers = 3
; %d: time taken to serve the request
; it can accept the following format:
; - %{seconds}d (default)
; - %{miliseconds}d
; - %{mili}d
; - %{milliseconds}d
; - %{milli}d
; - %{microseconds}d
; - %{micro}d
; %e: an environment variable (same as $_ENV or $_SERVER)
; it must be associated with embraces to specify the name of the env
; variable. Some exemples:
; variable. Some examples:
; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
; %f: script filename
@ -306,14 +342,30 @@ pm.max_spare_servers = 3
; %s: status (response code)
; %t: server time the request was received
; it can accept a strftime(3) format:
; The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
; The strftime(3) format must be encapsulated in a %{<strftime_format>}t tag
; %T: time the log has been written (the request has finished)
; it can accept a strftime(3) format:
; The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
; The strftime(3) format must be encapsulated in a %{<strftime_format>}t tag
; %u: remote user
;
; Default: "%R - %u %t \"%m %r\" %s"
;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{milli}d %{kilo}M %C%%"
; A list of request_uri values which should be filtered from the access log.
;
; As a security precuation, this setting will be ignored if:
; - the request method is not GET or HEAD; or
; - there is a request body; or
; - there are query parameters; or
; - the response code is outwith the successful range of 200 to 299
;
; Note: The paths are matched against the output of the access.format tag "%r".
; On common configurations, this may look more like SCRIPT_NAME than the
; expected pre-rewrite URI.
;
; Default Value: not set
;access.suppress_path[] = /ping
;access.suppress_path[] = /health_check.php
; The log file for slow requests
; Default Value: not set
@ -372,7 +424,7 @@ pm.max_spare_servers = 3
; Redirect worker stdout and stderr into main error log. If not set, stdout and
; stderr will be redirected to /dev/null according to FastCGI specs.
; Note: on highloaded environement, this can cause some delay in the page
; Note: on highloaded environment, this can cause some delay in the page
; process time (several ms).
; Default Value: no
;catch_workers_output = yes