

9 Commits

0421807e4d
Add web23
Will replace nomad01
2021-09-27 12:22:45 +03:00
d5eed5055e
roles/nginx: Add support for gitea
gitea hosts are basically webservers, but we need to proxy pass. I
am setting up gitea itself manually for now.
2021-09-27 12:15:47 +03:00
f8752bb3e7
roles/nginx: add todo about document roots
We assume it's always /var/www/$domain_name but it can be overridden
in the host_vars...
2021-09-27 12:05:53 +03:00
170e591701
roles/common: Install rsync and lsof 2021-09-27 11:36:40 +03:00
8d6c3c57c3
roles/nginx: install acme.sh after downloading
This is basically just bootstrapping it. I used to do this by hand
before requesting the certs.
2021-09-27 11:28:02 +03:00
79b29f0c51
roles/nginx: generate snakeoil cert manually
The ssl-cert package does this, but it includes the hostname of the server
as the subject name in the cert, which is a huge leak of privacy.
2021-09-27 10:48:24 +03:00
a4acc85704
roles/common: Remove iptables on newer Debian 2021-09-27 10:35:38 +03:00
f7b9aa67f5
roles/common: Fix comment about Debian 10 firewall 2021-09-27 10:31:31 +03:00
0a39c4f0ef
README.md: Update debian/ubuntu note 2021-09-27 10:13:47 +03:00
11 changed files with 129 additions and 13 deletions


@ -4,7 +4,7 @@ Ansible playbook for base and initial configuration of the web server hosting my
## Assumptions ## Assumptions
Before you can run this, a few things are assumed: Before you can run this, a few things are assumed:
- You have a clean, minimal Ubuntu 18.04, Debian 10, or Ubuntu 20.04 host up and running - You have a clean, minimal Ubuntu 18.04/20.04 or Debian 10/11 host up and running
- Python 3 is installed on the remote server (requirement of Ansible) - Python 3 is installed on the remote server (requirement of Ansible)
- You have a user account with password-less SSH access to the machine - You have a user account with password-less SSH access to the machine
- You have sudo privileges on the remote host - You have sudo privileges on the remote host

85
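--- /dev/null
+++ b/host_vars/web23
@@ -0,0 +1,85 @@
+$ANSIBLE_VAULT;1.1;AES256
+34643866316432643663656661633339313239653763623430356538363761393162626338336433
+6535353761396539323630396230316637363536396631350a343338396638613636396364323762
+62306431363961393937633033373963623064333363633034623430613031383032363562663536
+3566646634303639340a366236343164666563366130636433383832656563376463333431303861
+34323164323161303762616164366632663761626665323832366166386166636130383830633065
+64646563396264303035636661663162393332613661663564316466313363656263646533633861
+30366136316131643734356431633064373062613539643937626539373536666663646331643862
+39366666386438373335396136616662346230363631326465373065333633313638303564336165
+62323164373933396166363236396461623432363931636637613235636663613432636136616664
+64643130373337353936663863356363653630633033343538623133616662386430343632303031
+61386331346561346138643735393162616135633333343135653238366533663733626361656666
+61616130313031646365613638633463353861353935623562646666393733656266643834396361
+38333363633162636561323331646262643139643135666261343364333634613138343431623637
+39383635393565656139666535386336616165623333386266383431663936313034393439626234
+30386263323630303563613334393538306430396537613436613264646664616261323336366432
+62333061333730393064666131346339623061306637633261333635336233363831353662653437
+33626333333130386161323038333465613737393835656632346436396361383761303865333339
+36613062353630316633336464336463633230633762366663396463303234343266323233326165
+30303637353163613464633930336463326535623662636638643066333733623032353564393164
+66363732393438393462353034626363636664316464356432363235366134326261326335306462
+61623330656538633364373561336436353362303638356539393031336531396139343539353936
+66323332336235393162376436346330386537336239636434346565386565373365343462323164
+63373462313861653561313762363338623664333233316632303562393736346665626530643061
+65353337623230643136616262623430323235346439626364376362653337303735646663326535
+63393937366232623663623165323965303563323137383462623339396163353433343836383666
+39633065373839646235326130633635316237366631333765343333613564333461326465356134
+37663735393537333532363062633161313437623831356332663765613936383338343634386239
+37303137623138396261663230303530343132346665386363346230663836656634316364373064
+61666262363638376162393339636138353634633630333435383437313433316564663963323532
+30383835336565346337613464343561343832653263663465393133343566333864633766613531
+39653238633237373736663635306563323631346331353362343031303636366439356362306138
+64656166653232633239633037373330343139636261646238613662613364656632643334343233
+31633438386433633736663564613230393662316534336132333636326137353831373335396666
+63636530633037643339326466386638323733363732323939323862326432303231393435616630
+63303461616338386230303933636161306238613861326633636331376464643531333939303735
+38653165303832313739363136616266363837613337306230336433643237326232356333343963
+62316139393661323965313066636530393433613438633430373864343438623631666564386639
+34656461643530636537383264313266653465333764623166383838373366323662653939613439
+38386339393164363863373838303839353532346238643163616635363064343435393933303234
+64306431623738656434333766343263653865393935626466353433386463623739393130386332
+32623762353665393863383762643035313266643863363062626332316439616639616333623730
+35373662316131393836333936656438316334363364323339343236376634323365386461373061
+38363335353965646563646231653434623531336465333231396530623365306137643931633238
+32663937616366393237623861323337623963353964313233353433643733313730666239373031
+62316338623734303839616639303539643439613062656438633563653337626364316535373661
+32313337366465656533653766356436623638316534623666346666646364633436656330663666
+38636439333834313639316663326630356531613432353837616465353763623335623464363734
+34366335656366323634636465353563633532616334636665396439326438656462386336326265
+32393131636362633230366330633564376165313830616134393931613566383433646632363536
+39636563313662656439613565353663613962653730313666636263373065613230313965336130
+30346637323565333139643332336239646636643037316436373134663232373738363564613633
+64396330316332616631346339323466376162336539656433353666643438323365663665623661
+33656162643163323161373931353963303934643532343561643838336236386139316334636161
+38316239356165373036306464313066623432383037613134633364373762313639366330306333
+66643139336436643535353466393830363136386431373962656165633465326135616430316634
+39333966373361613433333631353334343765643435353466626536636437333739353036346635
+64346235336132393030666531343761366562396233386236356332343963363438373535633065
+64643730333465316439363735396566636338303236623438393566316533613333396561353930
+66633631303336346333306332663639643138656636373266353061623234386339313266376564
+37376130336230366630396335343330663162396237366131306237663232316361633939333365
+36366234663735393664353934303930616566336133313664313538326136343363323530343865
+63663633383338323363353061393366353064346232623464333863666334616636333662323265
+35653761323965376364343362643734646439373237333632373736353436326133376663346132
+38373530333137323038653534623761353265313336303538376565626363626535663635313235
+35663765376334366661383764663066383232323431623262626662623138323431383863363736
+66366462303838656234373263653835373666623934633865353533316537363431646661636433
+30383862626636613636323639313063323632323731613134303863356166613137363538333466
+65666635666563616464616538343639363331336233663038616332663032616364393761343036
+61373636623331636136313038333661613339623763663132306131663665663237363730646339
+36363766376437643930663363333635666366343431376439613961353039663938303834316433
+34326235386164373130643533373566653061366636623565303361666234616530346561386239
+37346337336137663366353632323434343263636435313034646639376430633133626466343737
+61656334656639393239633361316635646665633532323461663432633135353264383666666438
+33306336343732643234623430653538613064653635363765303166303061316636393736663561
+66393935663835633437326265656239353730626262333038616633326138623261343864613161
+35333233613163666461323339663063646361646563653531356337373663343166613965366232
+65313839633730386436633962373434643636396264646431653639343361363335633633383062
+34356232366132346537313838663730323336613661376331636363353464316266633336383639
+30373564333265653839666161643366313163356161356237383133636130333330316430613632
+34376338383561613635323030613731636637653961646632363838316665313934646130663361
+65633232396539646337333061326234316534333866383830343632306331663631343864313236
+65613932643938313161353331613634656230303863653037343434373862353462336134646637
+32616266353730336663613865316164626364303262663461363436323133653663636665323134
+30306431336637663130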


@ -1,4 +1,5 @@
--- ---
# Debian 10 will use firewalld with the iptables backend.
# Debian 11 will use nftables directly, with no firewalld. # Debian 11 will use nftables directly, with no firewalld.
- block: - block:
@ -24,6 +25,10 @@
- name: Install firewall packages - name: Install firewall packages
apt: pkg={{ debian_firewall_packages }} state=present cache_valid_time=3600 apt: pkg={{ debian_firewall_packages }} state=present cache_valid_time=3600
- name: Remove iptables on newer Debian
when: ansible_distribution_major_version is version('11', '>=')
apt: pkg=iptables state=absent
- name: Copy nftables.conf - name: Copy nftables.conf
when: ansible_distribution_major_version is version('11', '>=') when: ansible_distribution_major_version is version('11', '>=')
template: src=nftables.conf.j2 dest=/etc/nftables.conf owner=root mode=0644 template: src=nftables.conf.j2 dest=/etc/nftables.conf owner=root mode=0644
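Review bot: The new `Remove iptables on newer Debian` task runs before `Copy nftables.conf` and, from what is visible, before anything enables the nftables service, so a play that aborts between the two leaves a Debian 11 host with neither firewall front-end configured; placing the removal after the nftables tasks, or as the last task of the enclosing block, closes that window. `state=absent` also leaves the package's configuration files behind, which is probably harmless here but a `purge=yes` would match the intent of a clean nftables-only host. The enclosing `- block:` starts at the top of this section and continues past the hunk.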


@ -24,6 +24,8 @@
- apt-transport-https # for https support in apt - apt-transport-https # for https support in apt
- gnupg2 - gnupg2
- zstd - zstd
- rsync
- lsof
- name: Install base packages - name: Install base packages
apt: name={{ base_packages }} state=present cache_valid_time=3600 apt: name={{ base_packages }} state=present cache_valid_time=3600


@ -26,6 +26,8 @@
- unzip - unzip
- apt-transport-https # for https support in apt - apt-transport-https # for https support in apt
- zstd - zstd
- rsync
- lsof
- name: Install base packages - name: Install base packages
apt: pkg={{ ubuntu_base_packages }} state=present cache_valid_time=3600 apt: pkg={{ ubuntu_base_packages }} state=present cache_valid_time=3600


@ -22,6 +22,19 @@
dest: "{{ letsencrypt_acme_script }}" dest: "{{ letsencrypt_acme_script }}"
mode: 0700 mode: 0700
# Run the "install" for acme.sh so it creates the .acme.sh dir (currently I
# have to chdir to the /root directory where the script exists or else it
# fails. Ansible runs it, but the script can't find itself...).
- name: Install acme.sh
ansible.builtin.command:
cmd: "{{ letsencrypt_acme_script }} --install --no-profile --no-cron"
creates: "{{ letsencrypt_acme_home }}/acme.sh"
chdir: /root
- name: Set default certificate authority for acme.sh
ansible.builtin.command:
cmd: "{{ letsencrypt_acme_script }} --set-default-ca --server letsencrypt"
- name: Prepare Let's Encrypt well-known directory - name: Prepare Let's Encrypt well-known directory
file: file:
state: directory state: directory
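Review bot: The `Set default certificate authority for acme.sh` task has neither `creates` nor `changed_when`, so it re-executes and reports changed on every play, unlike the `Install acme.sh` task just above it that is guarded by `creates`; `changed_when: false` (or a `creates:` on the account config file that `--set-default-ca` writes, whose path is not visible here) makes it idempotent. Both commands execute `{{ letsencrypt_acme_script }}` as root, and the task that downloads that script starts above the hunk; if that `get_url` does not already pin a `checksum:`, adding one would ensure the bootstrap script that runs is the one that was reviewed. The task list continues outside the hunk on both sides.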


@ -16,15 +16,8 @@
add_nginx_apt_key is changed or add_nginx_apt_key is changed or
add_nginx_apt_repository is changed add_nginx_apt_repository is changed
- name: Set nginx packages - name: Install nginx
set_fact: apt: pkg=nginx cache_valid_time=3600 state=present
nginx_packages:
- nginx
- ssl-cert # for ssl-cert-snakeoil.pem in nginx
tags: nginx, packages
- name: Install nginx packages
apt: pkg={{ nginx_packages }} cache_valid_time=3600 state=present
tags: nginx, packages tags: nginx, packages
- name: Copy nginx.conf - name: Copy nginx.conf
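Review bot: Dropping `ssl-cert` from the package list stops it being installed on new hosts, but nothing removes it, or its `/etc/ssl/certs/ssl-cert-snakeoil.pem` whose subject carries the hostname per commit 79b29f0c51, from hosts provisioned earlier; since the nginx config in this compare no longer references those files, a task such as `apt: pkg=ssl-cert state=absent purge=yes` would complete the cleanup. The surrounding task list continues outside the hunk.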


@ -7,6 +7,11 @@
notify: notify:
- reload nginx - reload nginx
- name: Generate self-signed TLS cert
command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key -out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt
notify:
- reload nginx
- name: Download 4096-bit RFC 7919 dhparams - name: Download 4096-bit RFC 7919 dhparams
get_url: get_url:
url: https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem url: https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem
@ -15,6 +20,7 @@
notify: notify:
- reload nginx - reload nginx
# TODO: this could break because we can override the document root in host vars
- name: Create vhost document roots - name: Create vhost document roots
file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory mode=0755 owner=nginx group=nginx file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory mode=0755 owner=nginx group=nginx
loop: "{{ nginx_vhosts }}" loop: "{{ nginx_vhosts }}"
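Review bot: The `Generate self-signed TLS cert` command passes `-extensions v3_ca`, which with the stock openssl.cnf marks the certificate `basicConstraints CA:TRUE`; a catch-all `default_server` certificate has no reason to be a CA, and anyone who imports it as trusted would also trust anything it signs, so an extensions section (or `-addext`) that sets `basicConstraints=CA:FALSE` and `extendedKeyUsage=serverAuth` fits better. Because the task is guarded by `creates=/etc/ssl/certs/nginx-snakeoil.crt`, the `-days 365` certificate is generated once and never renewed, so after a year the default server presents an expired cert; a longer lifetime such as `-days 3650` matches the once-only generation. Whether openssl creates `/etc/ssl/private/nginx-snakeoil.key` with mode 0600 depends on the openssl version and the run's umask, so a follow-up `file: path=/etc/ssl/private/nginx-snakeoil.key mode=0600 owner=root group=root` task would pin it. The task list continues outside the hunk.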


@ -16,9 +16,9 @@ server {
listen [::]:443 ssl http2 default_server; listen [::]:443 ssl http2 default_server;
server_name _; server_name _;
# self-signed "snakeoil" certificate from ssl-cert package # self-signed "snakeoil" certificate
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem; ssl_certificate /etc/ssl/certs/nginx-snakeoil.crt;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key; ssl_certificate_key /etc/ssl/private/nginx-snakeoil.key;
ssl_session_timeout {{ nginx_ssl_session_timeout }}; ssl_session_timeout {{ nginx_ssl_session_timeout }};
ssl_session_cache {{ nginx_ssl_session_cache }}; ssl_session_cache {{ nginx_ssl_session_cache }};


@ -0,0 +1,5 @@
location / {
proxy_pass http://localhost:3000;
}
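Review bot: `proxy_pass http://localhost:3000;` is emitted without any `proxy_set_header` directives, so Gitea sees every request as coming from 127.0.0.1 with the upstream host name; its access log and anything keyed on the client address then attribute all traffic to the proxy itself, and URLs or redirects derived from the request host may point at the backend rather than the vhost. Forwarding the standard headers (`Host`, `X-Real-IP`, `X-Forwarded-For`, `X-Forwarded-Proto`) restores client attribution and tells Gitea the original scheme. The matching Gitea-side setting that trusts these headers only from this proxy lives in its own config, which the commit message says is set up manually.
```nginx
location / {
    # … unchanged: proxy_pass http://localhost:3000; …
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}
```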


@ -7,6 +7,7 @@
{% set enable_hsts = item.enable_hsts | default(False) %} {% set enable_hsts = item.enable_hsts | default(False) %}
{% set has_wordpress = item.has_wordpress | default(False) %} {% set has_wordpress = item.has_wordpress | default(False) %}
{% set needs_php = item.needs_php | default(False) %} {% set needs_php = item.needs_php | default(False) %}
{% set has_gitea = item.has_gitea | default(False) %}
# http -> https vhost # http -> https vhost
server { server {
@ -49,6 +50,10 @@ server {
{% include 'wordpress.j2' %} {% include 'wordpress.j2' %}
{% endif %} {% endif %}
{% if has_gitea == True %}
{% include 'gitea.j2' %}
{% endif %}
error_page 500 502 503 504 /50x.html; error_page 500 502 503 504 /50x.html;
location = /50x.html { location = /50x.html {
root /usr/share/nginx/html; root /usr/share/nginx/html;