alanorth/ansible-personal
1
0
Fork 0
Code Issues 4 Pull Requests Projects Releases Wiki Activity

Compare commits

base: alanorth:85323d789cf19bfd5bef4e4475861eef51eac9e8
Branches Tags
alanorth:master alanorth:alpine
..
compare: alanorth:master
Branches Tags
alanorth:master alanorth:alpine

146 Commits
85323d789c ... master

Author SHA1 Message Date
Alan Orth
00558c7dea roles/common: re-work fail2ban and nftables 
Re-work the fail2ban and nftables interaction. Use systemd's PartOf
to indicate that fail2ban is part of the nftables service, which
tells systemd to propogate stop/start signals to it. Then we tell
the firehol update script to restart nftables instead of reload.
The different between restart and reload is meaningless for nftables
but we want systemd to propagate the stop/start signals to fail2ban.
 2025-07-08 10:39:17 +03:00
Alan Orth
c927186837 roles/common: adjust update-firehol-nftables.service 
This service does not actually depend on nftables, at least not in
the systemd sense of dependency. Furthermore, this hard dependency
was causing the service to fail when it restarts nftables at the
end, which causes systemd to start it again and again until it hits
a restarting too quickly error.
 2025-07-08 10:37:39 +03:00
Alan Orth
690774c862 host_vars/web22: WordPress 6.8.1 2025-07-08 10:34:34 +03:00
Alan Orth
cc021bd14a Pipfile.lock: run pipenv update 2025-07-08 10:25:09 +03:00
Alan Orth
73fd06fe3a roles/common: remove cron-apt 
Use unattended-upgrades instead. It has sane defaults on Debian at
least (I haven't checked Ubuntu).
 2025-04-07 09:51:09 +03:00
Alan Orth
88cb3a370e Remove logic for Ubuntu 20.04 and Debian 11 2025-03-29 23:09:44 +03:00
Alan Orth
027a43ddbe roles/caddy: use default for encode 2025-03-29 22:49:30 +03:00
Alan Orth
bb30c3be20 host_vars/web22: update vhosts 2025-03-29 22:48:19 +03:00
Alan Orth
d8d9790d21 roles/nginx: enable nginx ssl_session_tickets 
This has apparently been supported since nginx 1.23.2 and is safe
to use the default (on) now.

See: https://github.com/mozilla/server-side-tls/issues/284
 2025-03-29 22:35:56 +03:00
Alan Orth
9a500ebc0d roles/nginx: disable nginx ssl_prefer_server_ciphers 
This is apparently the default and recommended by Mozilla's server-
side SSL configurator also recommends. This lets the client choose
the ciphers best for them (and the ciphers in TLS 1.2 and 1.3 are
not currently known to be dangerous).
 2025-03-29 22:34:41 +03:00
Alan Orth
4bae942585 roles/nginx: add nginx ssl_ecdh_curve 
This seems to be new since I last looked at the Mozilla server-side
SSL configurator.
 2025-03-29 22:34:37 +03:00
Alan Orth
99866c0c90 roles/nginx: use one day for nginx ssl_session_timeout 
This is a new default since I last looked at the Mozilla server-side
SSL configurator.
 2025-03-29 22:34:32 +03:00
Alan Orth
0afb8a4493 roles/nginx: update nginx ssl_buffer_size 
The old default has not been changed in eight years and I see that
there have been some discussions over the years about this. I will
change this from the slightly extreme 1400 bytes to 4k (nginx def-
ault is still 16k so this is more "optimal" for HTML/CSS content).

See: https://github.com/igrigorik/istlsfastyet.com/issues/63
 2025-03-29 22:34:27 +03:00
Alan Orth
506695da31 roles/nginx/defaults: update version comments 2025-03-29 22:24:49 +03:00
Alan Orth
f67ed7762c roles/nginx: fix http2 syntax 2025-03-29 22:20:49 +03:00
Alan Orth
014f4d9502 roles/nginx: add newline 2025-03-29 22:19:41 +03:00
Alan Orth
22c16e1ed3 roles/caddy/templates: closer to supporting WordPress 
I still wouldn't want to deploy WordPress on Caddy until it's more
obvious and standard to block paths that shouldn't be accessible.
It seems that this is still left as an exercise to the site admin.

This discussion has some tips, but it is four years old and hasn't
changed since I last looked.

See: https://caddy.community/t/using-caddy-to-harden-wordpress/13575
 2025-03-29 22:09:37 +03:00
Alan Orth
5aa6a33e51 roles/php-fpm: set user and group based on webserver 
We use either caddy or nginx, which are conveniently named the same
as the Unix user and group.
 2025-03-29 21:01:56 +03:00
Alan Orth
7f9b06af9c roles/nginx: smarter setting of document root 2025-03-29 19:34:53 +03:00
Alan Orth
84db337fea roles/caddy: smarter setting of document root 2025-03-29 19:33:02 +03:00
Alan Orth
7b23f5f94f roles/caddy: add missing tag 2025-03-29 19:16:03 +03:00
Alan Orth
9830338be3 Use one default root prefix for nginx and caddy 2025-03-29 19:15:56 +03:00
Alan Orth
e3eed26765 roles/caddy: update vhost template 2025-03-29 18:37:28 +03:00
Alan Orth
8b31c7e148 host_vars/web22: WordPress 6.7.2 2025-03-29 16:10:23 +03:00
Alan Orth
3ff8043aaf Pipfile.lock: run pipenv update 2025-03-29 15:30:08 +03:00
Alan Orth
cb79f7ef70 roles/common: minor change to firehol update script 
They include bogons like 127.0.0.1 that should not be routed on the
public Internet, but this blocks local applications we proxy to.
 2025-01-28 09:14:48 +03:00
Alan Orth
bb14f05d2a roles/common: use Ansible timezone module 
No need to use a command for that. The module does it better because
it doesn't register a change unless the timezone changes.
 2025-01-27 23:11:56 +03:00
Alan Orth
5b1530fa91 roles/common: rework firewall 
Use firehol instead of all the others. AbuseIPDB.com can't be upd-
ated automatically, Abuse.ch is no longer maintained, and Spamhaus
is already in firehol.
 2025-01-27 23:05:45 +03:00
Alan Orth
5312dc6bd5 roles/common: use common nftables task 
Use a common nftables task on Debian and Ubuntu.
 2025-01-27 23:05:38 +03:00
Alan Orth
d6e060d3af roles/common: simplify firewall tasks 
Apply firewall tag to included tasks, then we don't need to use a
block.
 2025-01-27 22:30:50 +03:00
Alan Orth
b873af004a roles/common: single firewall task include 
Use one include from the main tasks file.
 2025-01-27 22:28:27 +03:00
Alan Orth
7ea3ab46f8 host_vars/web22: WordPress 6.7.1 2025-01-27 21:48:16 +03:00
Alan Orth
0561bd5b52 Pipfile.lock: run pipenv update 2025-01-27 21:36:13 +03:00
Alan Orth
d62572f02c Pipfile: python 3.13 2025-01-27 21:35:58 +03:00
Alan Orth
2ffe5e87d9 host_vars/web22: WordPress 6.6.2 2024-12-30 11:03:47 +03:00
Alan Orth
38d4f1a303 Pipfile.lock: run pipenv update 2024-12-30 11:03:35 +03:00
Alan Orth
ed8cb88038 host_vars/web22: WordPress 6.5.5 2024-06-25 08:18:22 +03:00
Alan Orth
c31e447861 roles/nginx: update signing key 2024-06-25 08:11:59 +03:00
Alan Orth
545684467c host_vars/nomad03: remove 2024-06-05 20:35:29 +03:00
Alan Orth
24ae5eaab1 host_vars/web22: WordPress 6.5.3 2024-05-13 14:51:45 +03:00
Alan Orth
dac23f1427 Pipfile: use Python 3.12 2024-05-13 14:51:34 +03:00
Alan Orth
41fbc73dd1 host_vars/web22: WordPress 6.4.3 2024-03-20 20:28:13 +03:00
Alan Orth
fee794bcf0 Update Pipfile 2024-03-20 20:28:00 +03:00
Alan Orth
8bce1d8b1b host_vars/web22: WordPress 6.4.1 2023-12-02 22:40:06 +03:00
Alan Orth
6dc2ea36b6 roles/nginx: fix path to php 8.2 socket 2023-09-11 19:55:24 +03:00
Alan Orth
af71a9b5f8 roles/php-fpm: remove fmt strings 
Ansible confuses them for jinja2 tokens.
 2023-09-11 19:52:18 +03:00
Alan Orth
4dd57803e2 roles/php-fpm: fix user/group for php 8.2 configs 2023-09-11 19:51:59 +03:00
Alan Orth
18d4245fc0 roles/common: fix tarsnap signing of apt repo 2023-09-11 19:37:49 +03:00
Alan Orth
1bddf3cccd Pipfile.lock: run pipenv update 2023-09-11 18:52:25 +03:00
Alan Orth
20dbe61fe1 roles/mariadb: use MariaDB 10.11 
The server has already been updated from 10.6 to 10.11.

See: https://mariadb.com/kb/en/upgrading-from-mariadb-10-6-to-mariadb-10-11/
 2023-09-10 22:53:10 +03:00
Alan Orth
899e87321b host_vars/web22: WordPress 6.3.1 2023-09-10 22:44:23 +03:00
Alan Orth
06416a3b64 roles: run ansible-lint --write 2023-08-23 22:22:51 +03:00
Alan Orth
7a9a24ef5d roles/common: rework fail2ban again 
Actually, we do want to run fail2ban on all hosts because the sshd
monitoring via systemd is nice. At the very least it reduces spam
from failed logins in our systemd journal.
 2023-08-23 22:15:24 +03:00
Alan Orth
067adcd9f5 roles/common: rework fail2ban tasks 
We can only run fail2ban when we have logs to monitor. When a host
is running Caddy we don't have logs, so fail2ban doesn't have any-
thing to monitor out of the box. For now I will restrict the task
to hosts running nginx.
 2023-08-23 21:59:28 +03:00
Alan Orth
84d210cfab roles/common: re-format handlers 
Use the newer Ansible format.
 2023-08-23 21:35:28 +03:00
Alan Orth
17736a4f14 roles/common: run ansible-lint --write 2023-08-23 21:33:22 +03:00
Alan Orth
b9e91c4a3d roles/common: minor updates to tarsnap task 
Use modern Ansible task format
 2023-08-23 21:20:22 +03:00
Alan Orth
51c95e5d4c roles/common: update tarsnap task 
Update tarsnap task to use apt signed-by for package signing keys
instead of adding keys directly to apt-key.
 2023-08-23 21:18:27 +03:00
Alan Orth
8dbec29d2a roles/nginx: prepare letsencrypt task for Debian 12 2023-08-23 21:01:12 +03:00
Alan Orth
d3bf3dab04 roles/php-fpm: add support for PHP 8.2 
This is used in Debian 12.
 2023-08-23 20:56:35 +03:00
Alan Orth
8f50b7756b host_vars/web22: WordPress 6.3 2023-08-22 21:33:49 +03:00
Alan Orth
e86ccc9979 roles/nginx: minor rework of apt key stuff 2023-08-22 21:33:19 +03:00
Alan Orth
cea8529f49 Pipfile.lock: run pipenv update 2023-08-22 21:02:17 +03:00
Alan Orth
d77718edae host_vars: add fail2ban_ignoreip 2023-08-14 16:37:07 +02:00
Alan Orth
14d57fc477 roles/nginx: reformat main tasks 2023-08-10 22:44:47 +02:00
Alan Orth
5c39f1abd8 roles/common: minor changes to Debian sshd_config files 2023-08-10 22:10:04 +02:00
Alan Orth
6794eb0432 roles/common: default to disabling SSH passwords 2023-08-10 22:09:03 +02:00
Alan Orth
11614e3725 host_vars: replace nomad02 with nomad03 
The former is Ubuntu 20.04, the latter is Debian 12. Running Drone
CI.
 2023-08-10 08:37:09 +02:00
Alan Orth
b106f9d9e5 roles/common: ignore apt sources.list on Scaleway 
While testing Debian 12 on Scaleway I noticed their apt sources.list
is in some weird format I've never seen before, so let's skip it on
those hosts.
 2023-08-10 08:08:42 +02:00
Alan Orth
3c8250e6ac Pipfile.lock: run pipenv update 2023-08-09 22:07:54 +02:00
Alan Orth
d280859b0d roles/common: minor updates to Debian 11 sshd_config 2023-08-09 21:55:04 +02:00
Alan Orth
bca1629d2f Minor comment updates for Debian 12 2023-08-09 21:51:53 +02:00
Alan Orth
4fa82faf18 roles/common: adjust sshd_config for Debian 12 
Adjust sshd_config based on ssh-audit profile for OpenSSH 9.2.
 2023-08-09 21:27:19 +02:00
Alan Orth
b8f0b4b1fb roles/common: add vanilla sshd_config for Debian 12 2023-08-09 21:16:50 +02:00
Alan Orth
68e5d05bbb host_vars/web22: WordPress 6.2.2 2023-07-27 18:48:37 +03:00
Alan Orth
446d402778 roles: minor fix to Debian version comparisons 2023-07-27 18:48:07 +03:00
Alan Orth
67379fc2e4 host_vars/web22: WordPress 6.2 2023-05-04 07:10:40 +03:00
Alan Orth
73546967b6 Pipfile.lock: run pipenv update 2023-05-04 06:58:25 +03:00
Alan Orth
16b661efe1 Pipfile.lock: run pipenv update 2023-04-14 10:09:29 -07:00
Alan Orth
fdb9a75489 roles/common: update tarsnap GPG key 2023-04-14 10:09:11 -07:00
Alan Orth
232d7a0348 host_vars/web22: WordPress 6.1.1 2022-11-24 18:31:48 +03:00
Alan Orth
6e4bb5bc34 host_vars/web21: use caddy 2022-11-13 18:58:57 +03:00
Alan Orth
c840ffe018 roles/caddy: improve vhost template 
Support domain aliases that redirect to the main domain and allow
sites to say they are static sites where they only need a document
root.
 2022-11-13 18:54:03 +03:00
Alan Orth
45c9d7ea0a Pipfile.lock: run pipenv update 2022-11-13 16:50:07 +03:00
Alan Orth
a62bc446e8 host_vars/web22: WordPress 6.1 2022-11-06 23:00:41 +03:00
Alan Orth
62a6a491db host_vars/web23: use caddy 2022-11-02 22:30:32 +03:00
Alan Orth
4867d6da6a Add basic caddy role 2022-11-02 22:29:30 +03:00
Alan Orth
d9f7c7a93b group_vars/web: set default webserver to nginx 
While I'm still getting experience with caddy and adapting it to my
workloads.
 2022-11-02 22:12:36 +03:00
Alan Orth
bc8c030700 roles/common: update Tarsnap GPG key 2022-11-02 22:11:37 +03:00
Alan Orth
f7598d8f1c Pipfile.lock: run pipenv update 2022-11-02 20:50:59 +03:00
Alan Orth
c353e84a84 site.yml: use fully-qualified modules 2022-10-25 21:08:27 +03:00
Alan Orth
99ca23f258 Pipfile.lock: run pipenv update 2022-10-17 19:56:30 +03:00
Alan Orth
b663d27fd8 roles/common: rework firewall_Debian.yml playbook 
Use newer Ansible task format, move from apt to package module, and
do package installs in one transaction using a list instead of a
loop.
 2022-09-12 17:25:40 +03:00
Alan Orth
67c99dacf6 roles/common: rework firewall_Ubuntu.yml playbook 
Use newer Ansible task format, move from apt to package module, and
do package installs in one transaction using a list instead of a loop.
 2022-09-12 17:18:33 +03:00
Alan Orth
4abf2b10e4 ansible.cfg: smart fact gathering 2022-09-12 17:18:19 +03:00
Alan Orth
f5199264f9 ansible.cfg: disable SSH host key checking 2022-09-12 17:14:39 +03:00
Alan Orth
b259f09cbd roles/common: add SSH public key from other machine 2022-09-12 17:06:31 +03:00
Alan Orth
f4b32e516b roles/mariadb: use newer Ansible task syntax 2022-09-12 10:16:42 +03:00
Alan Orth
fcb12ecee0 roles/mariadb: remove sources.list template 2022-09-12 10:13:27 +03:00
Alan Orth
5bc03ceacc roles/mariadb: install packages in single transaction 
Using a list we can install these in a single apt transaction. Also
use the newer task format.
 2022-09-12 10:12:07 +03:00
Alan Orth
c317429f6d roles/mariadb: rework package signing key and repo 2022-09-12 10:09:41 +03:00
Alan Orth
b512a7f765 roles/common: create /etc/apt/keyrings 
According the the Debian docs for third-party repositories we must
create this manually on distros before Debian 12 and Ubuntu 22.04.
This is due to changes in apt-secure and the deprecation of apt-key.

See: https://wiki.debian.org/DebianRepository/UseThirdParty
 2022-09-12 10:05:12 +03:00
Alan Orth
e3a87d4f79 roles/mariadb: MariaDB 10.6 
See: https://mariadb.com/kb/en/mariadb-1069-release-notes/
See: https://mariadb.com/kb/en/upgrading-from-mariadb-105-to-mariadb-106/
 2022-09-12 09:25:46 +03:00
Alan Orth
dec2d50fbc host_vars/web22: WordPress 6.0.2 2022-09-12 09:00:05 +03:00
Alan Orth
34be0013b7 Remove Debian 10 support 2022-09-11 09:21:08 +03:00
Alan Orth
399585f4e7 roles: don't compare literal true and false 
I changed these yesterday when editing the truthy values, but acco-
rding to ansible-link we can just rely on them being true or false
without comparing.
 2022-09-11 08:41:25 +03:00
Alan Orth
0240897b1b Remove Ubuntu 18.04 support 2022-09-10 23:30:04 +03:00
Alan Orth
1da0da53ec roles: use longer format for when conditionals 
When the condition is an AND we can use this more succinct format.
 2022-09-10 23:12:49 +03:00
Alan Orth
677cc9f160 roles/php-fpm: fix truthy-ness in when 2022-09-10 23:12:26 +03:00
Alan Orth
ffe7a872dd roles: strict truthy values 
According to Ansible we can use yes, true, True, "or any quoted st-
ring" for a boolean true, but ansible-lint wants us to use either
true or false.

See: https://chronicler.tech/red-hat-ansible-yes-no-and/
 2022-09-10 22:33:19 +03:00
Alan Orth
95d0005978 Add ansible-lint 2022-09-10 18:36:53 +03:00
Alan Orth
498766fdc4 Pipfile.lock: run pipenv update 2022-09-10 18:36:07 +03:00
Alan Orth
fc0fcc5742 roles/common: fix unnamed blocks 2022-09-10 18:35:27 +03:00
Alan Orth
587bd6dcdd roles: use fully qualified module names 2022-09-10 18:35:27 +03:00
Alan Orth
92a4c72809 Pipfile.lock: run pipenv update 2022-08-16 21:24:34 -07:00
Alan Orth
a2d61abba2 roles/mariadb: update mirror 
I started getting 'does not have a Release file' for the old repo-
sitory. Not sure why.
 2022-08-14 22:09:47 -07:00
Alan Orth
d2a5a28809 Pipfile.lock: run pipenv update 2022-08-01 15:20:56 +03:00
Alan Orth
84c0589aee host_vars/web22: WordPress 5.9.2 2022-03-31 22:35:15 +03:00
Alan Orth
2961578a54 roles/common: Update list of abusive IP addresses 
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml

Then I formatted the nftables files manually. Meh...
 2022-02-28 18:51:35 +03:00
Alan Orth
4d74f76b3c Pipfile.lock: run pipenv update 2022-02-04 21:47:53 +03:00
Alan Orth
9e737466c5 roles/common: Update list of abusive IP addresses 
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml

Then I formatted the nftables files manually. Meh...
 2022-02-04 21:47:37 +03:00
Alan Orth
0ffb1b1a36 roles/common: use pyinotify backend for nginx fail2ban jail 
This seems to be automatically selected, but on some other servers
I notice it is not. I will set it here explicitly so fail2ban does
not fall back to the inefficient "polling" or incorrect "systemd"
backends.
 2022-01-04 15:10:02 +02:00
Alan Orth
68f0b85eb3 Pipfile.lock: run pipenv update 2021-12-22 11:49:24 +02:00
Alan Orth
ebbde530d2 roles/common: Update list of abusive IP addresses 
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml

Then I created the nftables files manually. Meh...
 2021-12-22 11:40:27 +02:00
Alan Orth
ab47df6031 Use Python 3.10 with pipenv 2021-12-13 08:38:08 +02:00
Alan Orth
de75b2ffb6 host_vars/web22: WordPress 5.8.2 2021-11-30 19:48:18 +02:00
Alan Orth
e10d83dadd Pipfile.lock: run pipenv update 2021-11-30 19:34:46 +02:00
Alan Orth
f070fd9a64 roles/common: Update list of abusive IP addresses 
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
 2021-11-07 10:12:43 +02:00
Alan Orth
6e1527b1a8 Pipfile.lock: run pipenv update 2021-11-07 10:11:46 +02:00
Alan Orth
ebd8b0632b roles/common: Disable unsafe Diffie-Hellman SSH moduli 
The WeakDH team showed (in 2015) that Diffie-Hellman key exchange
with prime number groups of 1024 bits or less were weaker than we
previously thought, and well within the reach of nation states. They
recommended (in 2015) using 2048-bit or higher prime groups.

The SSH audit project recommends that we should use 3072-bit now.

See: https://weakdh.org/
See: https://github.com/jtesta/ssh-audit/
 2021-10-10 16:57:05 +03:00
Alan Orth
df26b6c17e roles/common: notify fail2ban after updating firewall 
We should always restart fail2ban after updating the firewall. Also
note that the order of execution of handlers depends on how they are
defined in the handler config, not on the order they are listed in
the task's notify statement.

See: https://docs.ansible.com/ansible/latest/user_guide/playbooks_handlers.html
 2021-09-28 10:45:51 +03:00
Alan Orth
d92151b8a6 roles/common: Update list of abusive IP addresses 
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml

Note: there were no IPv6 addresses in the top 10,000 this time so I
used a dummy address for the nftables set so the syntax was valid.
 2021-09-28 10:28:02 +03:00
Alan Orth
b13ead0657 roles/common: use a range for mosh ports in nftables 
This is better than a loop in Jinja (though that is useful!).
 2021-09-28 07:34:25 +03:00
Alan Orth
89ced6f952 Pipfile.lock: run pipenv update 2021-09-27 17:28:41 +03:00
Alan Orth
ae5ba0607a Remove host_vars/nomad01 
Replaced by web23.
 2021-09-27 14:17:48 +03:00
Alan Orth
89fd642b78 roles/nginx: minor rework of acme.sh tasks 
After the inital acme.sh script is downloaded and bootstrapped we
can remove it. If a host already has been bootstrapped then there
is no need to download it and do it over again.
 2021-09-27 13:40:17 +03:00
Alan Orth
65e6dd34cd roles/common: Add missing section to Debian 11 sshd_config 
We need to be able to configure the list of SSH users.
 2021-09-27 12:59:27 +03:00
Alan Orth
0421807e4d Add web23 
Will replace nomad01
 2021-09-27 12:22:45 +03:00
Alan Orth
d5eed5055e roles/nginx: Add support for gitea 
gitea hosts are basically webservers, but we need to proxy pass. I
am setting up gitea itself manually for now.
 2021-09-27 12:15:47 +03:00
Alan Orth
f8752bb3e7 roles/nginx: add todo about document roots 
We assume it's always /var/www/$domain_name but it can be overriden
in the host_vars...
 2021-09-27 12:05:53 +03:00
Alan Orth
170e591701 roles/common: Install rsync and lsof 2021-09-27 11:36:40 +03:00
Alan Orth
8d6c3c57c3 roles/nginx: install acme.sh after downloading 
This is basically just bootstrapping it. I used to do this by hand
before requesting the certs.
 2021-09-27 11:28:02 +03:00
Alan Orth
79b29f0c51 roles/nginx: generate snakeoil cert manually 
The ssl-cert does this, but it includes the hostname of the server
as the subject name in the cert, which is a huge leak of privacy.
 2021-09-27 10:48:24 +03:00
Alan Orth
a4acc85704 roles/common: Remove iptables on newer Debian 2021-09-27 10:35:38 +03:00
Alan Orth
f7b9aa67f5 roles/common: Fix comment about Debian 10 firewall 2021-09-27 10:31:31 +03:00
Alan Orth
0a39c4f0ef README.md: Update debian/ubuntu note 2021-09-27 10:13:47 +03:00
102 changed files with 2420 additions and 27097 deletions
Expand all files Collapse all files

3
Pipfile
View File

@ -7,6 +7,7 @@ verify_ssl = true
[packages] [packages]
ansible = "*" ansible = "*"
ansible-lint = "*"
[requires] [requires]
python_version = "3.9" python_version = "3.13"

808
Pipfile.lock generated
View File

@ -1,11 +1,11 @@
{ {
"_meta": { "_meta": {
"hash": { "hash": {
"sha256": "65b615b857250757470e21fc3a4b1cdfe75b4b012c0d1d633a5ebf1988d9cb91" "sha256": "47970866f4ffc7775e3a95dd04ee8b75f9784c457baadd8a31fe1783584fa73f"
}, },
"pipfile-spec": 6, "pipfile-spec": 6,
"requires": { "requires": {
"python_version": "3.9" "python_version": "3.13"
}, },
"sources": [ "sources": [
{ {
@ -18,224 +18,668 @@
"default": { "default": {
"ansible": { "ansible": {
"hashes": [ "hashes": [
"sha256:cc5352b2351a381015ece79eab783a1b0668f97b377810fed3c746e2f1d50db1" "sha256:caa56fc92e5bea012abf37f08aa348da27d2fcaf94bf398e24cadcb618a4dc3b",
"sha256:f9df37c71d407f65bcb9c5c06c9918e297d9ea74b5cdaf5926c4c9aa9e44db5f"
], ],
"index": "pypi", "index": "pypi",
"version": "==4.5.0" "markers": "python_version >= '3.11'",
"version": "==11.7.0"
},
"ansible-compat": {
"hashes": [
"sha256:c2b4bfeca6383b2047b2e1dea473cec4f1f9f2dd59beef71d6c47f632eaf97c9",
"sha256:cced722001bd7b617d418e54017e308c8b27ef3815f377843c00e020fa07165e"
],
"markers": "python_version >= '3.10'",
"version": "==25.6.0"
}, },
"ansible-core": { "ansible-core": {
"hashes": [ "hashes": [
"sha256:22eaa7c2dfe6c875e9ae380323f1cba6259c6050a5e4c8819f85f92b3683ea49" "sha256:12a34749a7b20f0f1536bd3e3b2e137341867e4642e351273e96647161f595c0",
"sha256:25bb20ce1516a1b7307831b263cef684043b3720711466bd9d4164e5fd576557"
], ],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", "markers": "python_version >= '3.11'",
"version": "==2.11.4" "version": "==2.18.6"
},
"ansible-lint": {
"hashes": [
"sha256:69fe294a3cc30d8819b5a30625a7e25225f48558cadb83ad3d4dec597c1b8c2c",
"sha256:6a1dd2b7a9f3f202c9e92a6c80296ff33ca863348c3acf978f80fb0d4536dce4"
],
"index": "pypi",
"markers": "python_version >= '3.10'",
"version": "==25.6.1"
},
"attrs": {
"hashes": [
"sha256:427318ce031701fea540783410126f03899a97ffc6f61596ad581ac2e40e3bc3",
"sha256:75d7cefc7fb576747b2c81b4442d4d4a1ce0900973527c011d1030fd3bf4af1b"
],
"markers": "python_version >= '3.8'",
"version": "==25.3.0"
},
"black": {
"hashes": [
"sha256:030b9759066a4ee5e5aca28c3c77f9c64789cdd4de8ac1df642c40b708be6171",
"sha256:055e59b198df7ac0b7efca5ad7ff2516bca343276c466be72eb04a3bcc1f82d7",
"sha256:0e519ecf93120f34243e6b0054db49c00a35f84f195d5bce7e9f5cfc578fc2da",
"sha256:172b1dbff09f86ce6f4eb8edf9dede08b1fce58ba194c87d7a4f1a5aa2f5b3c2",
"sha256:1e2978f6df243b155ef5fa7e558a43037c3079093ed5d10fd84c43900f2d8ecc",
"sha256:33496d5cd1222ad73391352b4ae8da15253c5de89b93a80b3e2c8d9a19ec2666",
"sha256:3b48735872ec535027d979e8dcb20bf4f70b5ac75a8ea99f127c106a7d7aba9f",
"sha256:4b60580e829091e6f9238c848ea6750efed72140b91b048770b64e74fe04908b",
"sha256:759e7ec1e050a15f89b770cefbf91ebee8917aac5c20483bc2d80a6c3a04df32",
"sha256:8f0b18a02996a836cc9c9c78e5babec10930862827b1b724ddfe98ccf2f2fe4f",
"sha256:95e8176dae143ba9097f351d174fdaf0ccd29efb414b362ae3fd72bf0f710717",
"sha256:96c1c7cd856bba8e20094e36e0f948718dc688dba4a9d78c3adde52b9e6c2299",
"sha256:a1ee0a0c330f7b5130ce0caed9936a904793576ef4d2b98c40835d6a65afa6a0",
"sha256:a22f402b410566e2d1c950708c77ebf5ebd5d0d88a6a2e87c86d9fb48afa0d18",
"sha256:a39337598244de4bae26475f77dda852ea00a93bd4c728e09eacd827ec929df0",
"sha256:afebb7098bfbc70037a053b91ae8437c3857482d3a690fefc03e9ff7aa9a5fd3",
"sha256:bacabb307dca5ebaf9c118d2d2f6903da0d62c9faa82bd21a33eecc319559355",
"sha256:bce2e264d59c91e52d8000d507eb20a9aca4a778731a08cfff7e5ac4a4bb7096",
"sha256:d9e6827d563a2c820772b32ce8a42828dc6790f095f441beef18f96aa6f8294e",
"sha256:db8ea9917d6f8fc62abd90d944920d95e73c83a5ee3383493e35d271aca872e9",
"sha256:ea0213189960bda9cf99be5b8c8ce66bb054af5e9e861249cd23471bd7b0b3ba",
"sha256:f3df5f1bf91d36002b0a75389ca8663510cf0531cca8aa5c1ef695b46d98655f"
],
"markers": "python_version >= '3.9'",
"version": "==25.1.0"
},
"bracex": {
"hashes": [
"sha256:0b0049264e7340b3ec782b5cb99beb325f36c3782a32e36e876452fd49a09952",
"sha256:98f1347cd77e22ee8d967a30ad4e310b233f7754dbf31ff3fceb76145ba47dc7"
],
"markers": "python_version >= '3.9'",
"version": "==2.6"
}, },
"cffi": { "cffi": {
"hashes": [ "hashes": [
"sha256:06c54a68935738d206570b20da5ef2b6b6d92b38ef3ec45c5422c0ebaf338d4d", "sha256:045d61c734659cc045141be4bae381a41d89b741f795af1dd018bfb532fd0df8",
"sha256:0c0591bee64e438883b0c92a7bed78f6290d40bf02e54c5bf0978eaf36061771", "sha256:0984a4925a435b1da406122d4d7968dd861c1385afe3b45ba82b750f229811e2",
"sha256:19ca0dbdeda3b2615421d54bef8985f72af6e0c47082a8d26122adac81a95872", "sha256:0e2b1fac190ae3ebfe37b979cc1ce69c81f4e4fe5746bb401dca63a9062cdaf1",
"sha256:22b9c3c320171c108e903d61a3723b51e37aaa8c81255b5e7ce102775bd01e2c", "sha256:0f048dcf80db46f0098ccac01132761580d28e28bc0f78ae0d58048063317e15",
"sha256:26bb2549b72708c833f5abe62b756176022a7b9a7f689b571e74c8478ead51dc", "sha256:1257bdabf294dceb59f5e70c64a3e2f462c30c7ad68092d01bbbfb1c16b1ba36",
"sha256:33791e8a2dc2953f28b8d8d300dde42dd929ac28f974c4b4c6272cb2955cb762", "sha256:1c39c6016c32bc48dd54561950ebd6836e1670f2ae46128f67cf49e789c52824",
"sha256:3c8d896becff2fa653dc4438b54a5a25a971d1f4110b32bd3068db3722c80202", "sha256:1d599671f396c4723d016dbddb72fe8e0397082b0a77a4fab8028923bec050e8",
"sha256:4373612d59c404baeb7cbd788a18b2b2a8331abcc84c3ba40051fcd18b17a4d5", "sha256:28b16024becceed8c6dfbc75629e27788d8a3f9030691a1dbf9821a128b22c36",
"sha256:487d63e1454627c8e47dd230025780e91869cfba4c753a74fda196a1f6ad6548", "sha256:2bb1a08b8008b281856e5971307cc386a8e9c5b625ac297e853d36da6efe9c17",
"sha256:48916e459c54c4a70e52745639f1db524542140433599e13911b2f329834276a", "sha256:30c5e0cb5ae493c04c8b42916e52ca38079f1b235c2f8ae5f4527b963c401caf",
"sha256:4922cd707b25e623b902c86188aca466d3620892db76c0bdd7b99a3d5e61d35f", "sha256:31000ec67d4221a71bd3f67df918b1f88f676f1c3b535a7eb473255fdc0b83fc",
"sha256:55af55e32ae468e9946f741a5d51f9896da6b9bf0bbdd326843fec05c730eb20", "sha256:386c8bf53c502fff58903061338ce4f4950cbdcb23e2902d86c0f722b786bbe3",
"sha256:57e555a9feb4a8460415f1aac331a2dc833b1115284f7ded7278b54afc5bd218", "sha256:3edc8d958eb099c634dace3c7e16560ae474aa3803a5df240542b305d14e14ed",
"sha256:5d4b68e216fc65e9fe4f524c177b54964af043dde734807586cf5435af84045c", "sha256:45398b671ac6d70e67da8e4224a065cec6a93541bb7aebe1b198a61b58c7b702",
"sha256:64fda793737bc4037521d4899be780534b9aea552eb673b9833b01f945904c2e", "sha256:46bf43160c1a35f7ec506d254e5c890f3c03648a4dbac12d624e4490a7046cd1",
"sha256:6d6169cb3c6c2ad50db5b868db6491a790300ade1ed5d1da29289d73bbe40b56", "sha256:4ceb10419a9adf4460ea14cfd6bc43d08701f0835e979bf821052f1805850fe8",
"sha256:7bcac9a2b4fdbed2c16fa5681356d7121ecabf041f18d97ed5b8e0dd38a80224", "sha256:51392eae71afec0d0c8fb1a53b204dbb3bcabcb3c9b807eedf3e1e6ccf2de903",
"sha256:80b06212075346b5546b0417b9f2bf467fea3bfe7352f781ffc05a8ab24ba14a", "sha256:5da5719280082ac6bd9aa7becb3938dc9f9cbd57fac7d2871717b1feb0902ab6",
"sha256:818014c754cd3dba7229c0f5884396264d51ffb87ec86e927ef0be140bfdb0d2", "sha256:610faea79c43e44c71e1ec53a554553fa22321b65fae24889706c0a84d4ad86d",
"sha256:8eb687582ed7cd8c4bdbff3df6c0da443eb89c3c72e6e5dcdd9c81729712791a", "sha256:636062ea65bd0195bc012fea9321aca499c0504409f413dc88af450b57ffd03b",
"sha256:99f27fefe34c37ba9875f224a8f36e31d744d8083e00f520f133cab79ad5e819", "sha256:6883e737d7d9e4899a8a695e00ec36bd4e5e4f18fabe0aca0efe0a4b44cdb13e",
"sha256:9f3e33c28cd39d1b655ed1ba7247133b6f7fc16fa16887b120c0c670e35ce346", "sha256:6b8b4a92e1c65048ff98cfe1f735ef8f1ceb72e3d5f0c25fdb12087a23da22be",
"sha256:a8661b2ce9694ca01c529bfa204dbb144b275a31685a075ce123f12331be790b", "sha256:6f17be4345073b0a7b8ea599688f692ac3ef23ce28e5df79c04de519dbc4912c",
"sha256:a9da7010cec5a12193d1af9872a00888f396aba3dc79186604a09ea3ee7c029e", "sha256:706510fe141c86a69c8ddc029c7910003a17353970cff3b904ff0686a5927683",
"sha256:aedb15f0a5a5949ecb129a82b72b19df97bbbca024081ed2ef88bd5c0a610534", "sha256:72e72408cad3d5419375fc87d289076ee319835bdfa2caad331e377589aebba9",
"sha256:b315d709717a99f4b27b59b021e6207c64620790ca3e0bde636a6c7f14618abb", "sha256:733e99bc2df47476e3848417c5a4540522f234dfd4ef3ab7fafdf555b082ec0c",
"sha256:ba6f2b3f452e150945d58f4badd92310449876c4c954836cfb1803bdd7b422f0", "sha256:7596d6620d3fa590f677e9ee430df2958d2d6d6de2feeae5b20e82c00b76fbf8",
"sha256:c33d18eb6e6bc36f09d793c0dc58b0211fccc6ae5149b808da4a62660678b156", "sha256:78122be759c3f8a014ce010908ae03364d00a1f81ab5c7f4a7a5120607ea56e1",
"sha256:c9a875ce9d7fe32887784274dd533c57909b7b1dcadcc128a2ac21331a9765dd", "sha256:805b4371bf7197c329fcb3ead37e710d1bca9da5d583f5073b799d5c5bd1eee4",
"sha256:c9e005e9bd57bc987764c32a1bee4364c44fdc11a3cc20a40b93b444984f2b87", "sha256:85a950a4ac9c359340d5963966e3e0a94a676bd6245a4b55bc43949eee26a655",
"sha256:d2ad4d668a5c0645d281dcd17aff2be3212bc109b33814bbb15c4939f44181cc", "sha256:8f2cdc858323644ab277e9bb925ad72ae0e67f69e804f4898c070998d50b1a67",
"sha256:d950695ae4381ecd856bcaf2b1e866720e4ab9a1498cba61c602e56630ca7195", "sha256:9755e4345d1ec879e3849e62222a18c7174d65a6a92d5b346b1863912168b595",
"sha256:e22dcb48709fc51a7b58a927391b23ab37eb3737a98ac4338e2448bef8559b33", "sha256:98e3969bcff97cae1b2def8ba499ea3d6f31ddfdb7635374834cf89a1a08ecf0",
"sha256:e8c6a99be100371dbb046880e7a282152aa5d6127ae01783e37662ef73850d8f", "sha256:a08d7e755f8ed21095a310a693525137cfe756ce62d066e53f502a83dc550f65",
"sha256:e9dc245e3ac69c92ee4c167fbdd7428ec1956d4e754223124991ef29eb57a09d", "sha256:a1ed2dd2972641495a3ec98445e09766f077aee98a1c896dcb4ad0d303628e41",
"sha256:eb687a11f0a7a1839719edd80f41e459cc5366857ecbed383ff376c4e3cc6afd", "sha256:a24ed04c8ffd54b0729c07cee15a81d964e6fee0e3d4d342a27b020d22959dc6",
"sha256:eb9e2a346c5238a30a746893f23a9535e700f8192a68c07c0258e7ece6ff3728", "sha256:a45e3c6913c5b87b3ff120dcdc03f6131fa0065027d0ed7ee6190736a74cd401",
"sha256:ed38b924ce794e505647f7c331b22a693bee1538fdf46b0222c4717b42f744e7", "sha256:a9b15d491f3ad5d692e11f6b71f7857e7835eb677955c00cc0aefcd0669adaf6",
"sha256:f0010c6f9d1a4011e429109fda55a225921e3206e7f62a0c22a35344bfd13cca", "sha256:ad9413ccdeda48c5afdae7e4fa2192157e991ff761e7ab8fdd8926f40b160cc3",
"sha256:f0c5d1acbfca6ebdd6b1e3eded8d261affb6ddcf2186205518f1428b8569bb99", "sha256:b2ab587605f4ba0bf81dc0cb08a41bd1c0a5906bd59243d56bad7668a6fc6c16",
"sha256:f10afb1004f102c7868ebfe91c28f4a712227fe4cb24974350ace1f90e1febbf", "sha256:b62ce867176a75d03a665bad002af8e6d54644fad99a3c70905c543130e39d93",
"sha256:f174135f5609428cc6e1b9090f9268f5c8935fddb1b25ccb8255a2d50de6789e", "sha256:c03e868a0b3bc35839ba98e74211ed2b05d2119be4e8a0f224fba9384f1fe02e",
"sha256:f3ebe6e73c319340830a9b2825d32eb6d8475c1dac020b4f0aa774ee3b898d1c", "sha256:c59d6e989d07460165cc5ad3c61f9fd8f1b4796eacbd81cee78957842b834af4",
"sha256:f627688813d0a4140153ff532537fbe4afea5a3dffce1f9deb7f91f848a832b5", "sha256:c7eac2ef9b63c79431bc4b25f1cd649d7f061a28808cbc6c47b534bd789ef964",
"sha256:fd4305f86f53dfd8cd3522269ed7fc34856a8ee3709a5e28b2836b2db9d4cd69" "sha256:c9c3d058ebabb74db66e431095118094d06abf53284d9c81f27300d0e0d8bc7c",
"sha256:ca74b8dbe6e8e8263c0ffd60277de77dcee6c837a3d0881d8c1ead7268c9e576",
"sha256:caaf0640ef5f5517f49bc275eca1406b0ffa6aa184892812030f04c2abf589a0",
"sha256:cdf5ce3acdfd1661132f2a9c19cac174758dc2352bfe37d98aa7512c6b7178b3",
"sha256:d016c76bdd850f3c626af19b0542c9677ba156e4ee4fccfdd7848803533ef662",
"sha256:d01b12eeeb4427d3110de311e1774046ad344f5b1a7403101878976ecd7a10f3",
"sha256:d63afe322132c194cf832bfec0dc69a99fb9bb6bbd550f161a49e9e855cc78ff",
"sha256:da95af8214998d77a98cc14e3a3bd00aa191526343078b530ceb0bd710fb48a5",
"sha256:dd398dbc6773384a17fe0d3e7eeb8d1a21c2200473ee6806bb5e6a8e62bb73dd",
"sha256:de2ea4b5833625383e464549fec1bc395c1bdeeb5f25c4a3a82b5a8c756ec22f",
"sha256:de55b766c7aa2e2a3092c51e0483d700341182f08e67c63630d5b6f200bb28e5",
"sha256:df8b1c11f177bc2313ec4b2d46baec87a5f3e71fc8b45dab2ee7cae86d9aba14",
"sha256:e03eab0a8677fa80d646b5ddece1cbeaf556c313dcfac435ba11f107ba117b5d",
"sha256:e221cf152cff04059d011ee126477f0d9588303eb57e88923578ace7baad17f9",
"sha256:e31ae45bc2e29f6b2abd0de1cc3b9d5205aa847cafaecb8af1476a609a2f6eb7",
"sha256:edae79245293e15384b51f88b00613ba9f7198016a5948b5dddf4917d4d26382",
"sha256:f1e22e8c4419538cb197e4dd60acc919d7696e5ef98ee4da4e01d3f8cfa4cc5a",
"sha256:f3a2b4222ce6b60e2e8b337bb9596923045681d71e5a082783484d845390938e",
"sha256:f6a16c31041f09ead72d69f583767292f750d24913dadacf5756b966aacb3f1a",
"sha256:f75c7ab1f9e4aca5414ed4d8e5c0e303a34f4421f8a0d47a4d019ceff0ab6af4",
"sha256:f79fc4fc25f1c8698ff97788206bb3c2598949bfe0fef03d299eb1b5356ada99",
"sha256:f7f5baafcc48261359e14bcd6d9bff6d4b28d9103847c9e136694cb0501aef87",
"sha256:fc48c783f9c87e60831201f2cce7f3b2e4846bf4d8728eabe54d60700b318a0b"
], ],
"version": "==1.14.6" "markers": "python_version >= '3.8'",
"version": "==1.17.1"
},
"click": {
"hashes": [
"sha256:27c491cc05d968d271d5a1db13e3b5a184636d9d930f148c50b038f0d0646202",
"sha256:61a3265b914e850b85317d0b3109c7f8cd35a670f963866005d6ef1d5175a12b"
],
"markers": "python_version >= '3.10'",
"version": "==8.2.1"
}, },
"cryptography": { "cryptography": {
"hashes": [ "hashes": [
"sha256:0a7dcbcd3f1913f664aca35d47c1331fce738d44ec34b7be8b9d332151b0b01e", "sha256:0027d566d65a38497bc37e0dd7c2f8ceda73597d2ac9ba93810204f56f52ebc7",
"sha256:1eb7bb0df6f6f583dd8e054689def236255161ebbcf62b226454ab9ec663746b", "sha256:101ee65078f6dd3e5a028d4f19c07ffa4dd22cce6a20eaa160f8b5219911e7d8",
"sha256:21ca464b3a4b8d8e86ba0ee5045e103a1fcfac3b39319727bc0fc58c09c6aff7", "sha256:12e55281d993a793b0e883066f590c1ae1e802e3acb67f8b442e721e475e6463",
"sha256:34dae04a0dce5730d8eb7894eab617d8a70d0c97da76b905de9efb7128ad7085", "sha256:14d96584701a887763384f3c47f0ca7c1cce322aa1c31172680eb596b890ec30",
"sha256:3520667fda779eb788ea00080124875be18f2d8f0848ec00733c0ec3bb8219fc", "sha256:1e1da5accc0c750056c556a93c3e9cb828970206c68867712ca5805e46dc806f",
"sha256:3fa3a7ccf96e826affdf1a0a9432be74dc73423125c8f96a909e3835a5ef194a", "sha256:206210d03c1193f4e1ff681d22885181d47efa1ab3018766a7b32a7b3d6e6afd",
"sha256:5b0fbfae7ff7febdb74b574055c7466da334a5371f253732d7e2e7525d570498", "sha256:2089cc8f70a6e454601525e5bf2779e665d7865af002a5dec8d14e561002e135",
"sha256:8695456444f277af73a4877db9fc979849cd3ee74c198d04fc0776ebc3db52b9", "sha256:3a264aae5f7fbb089dbc01e0242d3b67dffe3e6292e1f5182122bdf58e65215d",
"sha256:94cc5ed4ceaefcbe5bf38c8fba6a21fc1d365bb8fb826ea1688e3370b2e24a1c", "sha256:3af26738f2db354aafe492fb3869e955b12b2ef2e16908c8b9cb928128d42c57",
"sha256:94fff993ee9bc1b2440d3b7243d488c6a3d9724cc2b09cdb297f6a886d040ef7", "sha256:3fcfbefc4a7f332dece7272a88e410f611e79458fab97b5efe14e54fe476f4fd",
"sha256:9965c46c674ba8cc572bc09a03f4c649292ee73e1b683adb1ce81e82e9a6a0fb", "sha256:460f8c39ba66af7db0545a8c6f2eabcbc5a5528fc1cf6c3fa9a1e44cec33385e",
"sha256:a00cf305f07b26c351d8d4e1af84ad7501eca8a342dedf24a7acb0e7b7406e14", "sha256:57c816dfbd1659a367831baca4b775b2a5b43c003daf52e9d57e1d30bc2e1b0e",
"sha256:a305600e7a6b7b855cd798e00278161b681ad6e9b7eca94c721d5f588ab212af", "sha256:5aa1e32983d4443e310f726ee4b071ab7569f58eedfdd65e9675484a4eb67bd1",
"sha256:cd65b60cfe004790c795cc35f272e41a3df4631e2fb6b35aa7ac6ef2859d554e", "sha256:6ff8728d8d890b3dda5765276d1bc6fb099252915a2cd3aff960c4c195745dd0",
"sha256:d2a6e5ef66503da51d2110edf6c403dc6b494cc0082f85db12f54e9c5d4c3ec5", "sha256:7259038202a47fdecee7e62e0fd0b0738b6daa335354396c6ddebdbe1206af2a",
"sha256:d9ec0e67a14f9d1d48dd87a2531009a9b251c02ea42851c060b25c782516ff06", "sha256:72e76caa004ab63accdf26023fccd1d087f6d90ec6048ff33ad0445abf7f605a",
"sha256:f44d141b8c4ea5eb4dbc9b3ad992d45580c1d22bf5e24363f2fbf50c2d7ae8a7" "sha256:7760c1c2e1a7084153a0f68fab76e754083b126a47d0117c9ed15e69e2103492",
"sha256:8c4a6ff8a30e9e3d38ac0539e9a9e02540ab3f827a3394f8852432f6b0ea152e",
"sha256:9024beb59aca9d31d36fcdc1604dd9bbeed0a55bface9f1908df19178e2f116e",
"sha256:90cb0a7bb35959f37e23303b7eed0a32280510030daba3f7fdfbb65defde6a97",
"sha256:91098f02ca81579c85f66df8a588c78f331ca19089763d733e34ad359f474174",
"sha256:926c3ea71a6043921050eaa639137e13dbe7b4ab25800932a8498364fc1abec9",
"sha256:982518cd64c54fcada9d7e5cf28eabd3ee76bd03ab18e08a48cad7e8b6f31b18",
"sha256:9b4cf6318915dccfe218e69bbec417fdd7c7185aa7aab139a2c0beb7468c89f0",
"sha256:ad0caded895a00261a5b4aa9af828baede54638754b51955a0ac75576b831b27",
"sha256:b85980d1e345fe769cfc57c57db2b59cff5464ee0c045d52c0df087e926fbe63",
"sha256:b8fa8b0a35a9982a3c60ec79905ba5bb090fc0b9addcfd3dc2dd04267e45f25e",
"sha256:b9e38e0a83cd51e07f5a48ff9691cae95a79bea28fe4ded168a8e5c6c77e819d",
"sha256:bd4c45986472694e5121084c6ebbd112aa919a25e783b87eb95953c9573906d6",
"sha256:be97d3a19c16a9be00edf79dca949c8fa7eff621763666a145f9f9535a5d7f42",
"sha256:c648025b6840fe62e57107e0a25f604db740e728bd67da4f6f060f03017d5097",
"sha256:d05a38884db2ba215218745f0781775806bde4f32e07b135348355fe8e4991d9",
"sha256:dd420e577921c8c2d31289536c386aaa30140b473835e97f83bc71ea9d2baf2d",
"sha256:e357286c1b76403dd384d938f93c46b2b058ed4dfcdce64a770f0537ed3feb6f",
"sha256:e6c00130ed423201c5bc5544c23359141660b07999ad82e34e7bb8f882bb78e0",
"sha256:e74d30ec9c7cb2f404af331d5b4099a9b322a8a6b25c4632755c8757345baac5",
"sha256:f3562c2f23c612f2e4a6964a61d942f891d29ee320edb62ff48ffb99f3de9ae8"
], ],
"markers": "python_version >= '3.6'", "markers": "python_version >= '3.7' and python_full_version not in '3.9.0, 3.9.1'",
"version": "==3.4.8" "version": "==45.0.5"
},
"filelock": {
"hashes": [
"sha256:adbc88eabb99d2fec8c9c1b229b171f18afa655400173ddc653d5d01501fb9f2",
"sha256:c401f4f8377c4464e6db25fff06205fd89bdd83b65eb0488ed1b160f780e21de"
],
"markers": "python_version >= '3.9'",
"version": "==3.18.0"
},
"importlib-metadata": {
"hashes": [
"sha256:d13b81ad223b890aa16c5471f2ac3056cf76c5f10f82d6f9292f0b415f389000",
"sha256:e5dd1551894c77868a30651cef00984d50e1002d06942a7101d34870c5f02afd"
],
"markers": "python_version >= '3.9'",
"version": "==8.7.0"
}, },
"jinja2": { "jinja2": {
"hashes": [ "hashes": [
"sha256:1f06f2da51e7b56b8f238affdd6b4e2c61e39598a378cc49345bc1bd42a978a4", "sha256:0137fb05990d35f1275a587e9aee6d56da821fc83491a0fb838183be43f66d6d",
"sha256:703f484b47a6af502e743c9122595cc812b0271f661722403114f71a79d0f5a4" "sha256:85ece4451f492d0c13c5dd7c13a64681a86afae63a5f347908daf103ce6d2f67"
], ],
"markers": "python_version >= '3.6'", "markers": "python_version >= '3.7'",
"version": "==3.0.1" "version": "==3.1.6"
},
"jsonschema": {
"hashes": [
"sha256:0b4e8069eb12aedfa881333004bccaec24ecef5a8a6a4b6df142b2cc9599d196",
"sha256:a462455f19f5faf404a7902952b6f0e3ce868f3ee09a359b05eca6673bd8412d"
],
"markers": "python_version >= '3.9'",
"version": "==4.24.0"
},
"jsonschema-specifications": {
"hashes": [
"sha256:4653bffbd6584f7de83a67e0d620ef16900b390ddc7939d56684d6c81e33f1af",
"sha256:630159c9f4dbea161a6a2205c3011cc4f18ff381b189fff48bb39b9bf26ae608"
],
"markers": "python_version >= '3.9'",
"version": "==2025.4.1"
}, },
"markupsafe": { "markupsafe": {
"hashes": [ "hashes": [
"sha256:01a9b8ea66f1658938f65b93a85ebe8bc016e6769611be228d797c9d998dd298", "sha256:0bff5e0ae4ef2e1ae4fdf2dfd5b76c75e5c2fa4132d05fc1b0dabcd20c7e28c4",
"sha256:023cb26ec21ece8dc3907c0e8320058b2e0cb3c55cf9564da612bc325bed5e64", "sha256:0f4ca02bea9a23221c0182836703cbf8930c5e9454bacce27e767509fa286a30",
"sha256:0446679737af14f45767963a1a9ef7620189912317d095f2d9ffa183a4d25d2b", "sha256:1225beacc926f536dc82e45f8a4d68502949dc67eea90eab715dea3a21c1b5f0",
"sha256:0717a7390a68be14b8c793ba258e075c6f4ca819f15edfc2a3a027c823718567", "sha256:131a3c7689c85f5ad20f9f6fb1b866f402c445b220c19fe4308c0b147ccd2ad9",
"sha256:0955295dd5eec6cb6cc2fe1698f4c6d84af2e92de33fbcac4111913cd100a6ff", "sha256:15ab75ef81add55874e7ab7055e9c397312385bd9ced94920f2802310c930396",
"sha256:0d4b31cc67ab36e3392bbf3862cfbadac3db12bdd8b02a2731f509ed5b829724", "sha256:1a9d3f5f0901fdec14d8d2f66ef7d035f2157240a433441719ac9a3fba440b13",
"sha256:10f82115e21dc0dfec9ab5c0223652f7197feb168c940f3ef61563fc2d6beb74", "sha256:1c99d261bd2d5f6b59325c92c73df481e05e57f19837bdca8413b9eac4bd8028",
"sha256:168cd0a3642de83558a5153c8bd34f175a9a6e7f6dc6384b9655d2697312a646", "sha256:1e084f686b92e5b83186b07e8a17fc09e38fff551f3602b249881fec658d3eca",
"sha256:1d609f577dc6e1aa17d746f8bd3c31aa4d258f4070d61b2aa5c4166c1539de35", "sha256:2181e67807fc2fa785d0592dc2d6206c019b9502410671cc905d132a92866557",
"sha256:1f2ade76b9903f39aa442b4aadd2177decb66525062db244b35d71d0ee8599b6", "sha256:2cb8438c3cbb25e220c2ab33bb226559e7afb3baec11c4f218ffa7308603c832",
"sha256:2a7d351cbd8cfeb19ca00de495e224dea7e7d919659c2841bbb7f420ad03e2d6", "sha256:3169b1eefae027567d1ce6ee7cae382c57fe26e82775f460f0b2778beaad66c0",
"sha256:2d7d807855b419fc2ed3e631034685db6079889a1f01d5d9dac950f764da3dad", "sha256:3809ede931876f5b2ec92eef964286840ed3540dadf803dd570c3b7e13141a3b",
"sha256:2ef54abee730b502252bcdf31b10dacb0a416229b72c18b19e24a4509f273d26", "sha256:38a9ef736c01fccdd6600705b09dc574584b89bea478200c5fbf112a6b0d5579",
"sha256:36bc903cbb393720fad60fc28c10de6acf10dc6cc883f3e24ee4012371399a38", "sha256:3d79d162e7be8f996986c064d1c7c817f6df3a77fe3d6859f6f9e7be4b8c213a",
"sha256:37205cac2a79194e3750b0af2a5720d95f786a55ce7df90c3af697bfa100eaac", "sha256:444dcda765c8a838eaae23112db52f1efaf750daddb2d9ca300bcae1039adc5c",
"sha256:3c112550557578c26af18a1ccc9e090bfe03832ae994343cfdacd287db6a6ae7", "sha256:48032821bbdf20f5799ff537c7ac3d1fba0ba032cfc06194faffa8cda8b560ff",
"sha256:3dd007d54ee88b46be476e293f48c85048603f5f516008bee124ddd891398ed6", "sha256:4aa4e5faecf353ed117801a068ebab7b7e09ffb6e1d5e412dc852e0da018126c",
"sha256:47ab1e7b91c098ab893b828deafa1203de86d0bc6ab587b160f78fe6c4011f75", "sha256:52305740fe773d09cffb16f8ed0427942901f00adedac82ec8b67752f58a1b22",
"sha256:49e3ceeabbfb9d66c3aef5af3a60cc43b85c33df25ce03d0031a608b0a8b2e3f", "sha256:569511d3b58c8791ab4c2e1285575265991e6d8f8700c7be0e88f86cb0672094",
"sha256:4efca8f86c54b22348a5467704e3fec767b2db12fc39c6d963168ab1d3fc9135", "sha256:57cb5a3cf367aeb1d316576250f65edec5bb3be939e9247ae594b4bcbc317dfb",
"sha256:53edb4da6925ad13c07b6d26c2a852bd81e364f95301c66e930ab2aef5b5ddd8", "sha256:5b02fb34468b6aaa40dfc198d813a641e3a63b98c2b05a16b9f80b7ec314185e",
"sha256:5855f8438a7d1d458206a2466bf82b0f104a3724bf96a1c781ab731e4201731a", "sha256:6381026f158fdb7c72a168278597a5e3a5222e83ea18f543112b2662a9b699c5",
"sha256:594c67807fb16238b30c44bdf74f36c02cdf22d1c8cda91ef8a0ed8dabf5620a", "sha256:6af100e168aa82a50e186c82875a5893c5597a0c1ccdb0d8b40240b1f28b969a",
"sha256:5bb28c636d87e840583ee3adeb78172efc47c8b26127267f54a9c0ec251d41a9", "sha256:6c89876f41da747c8d3677a2b540fb32ef5715f97b66eeb0c6b66f5e3ef6f59d",
"sha256:60bf42e36abfaf9aff1f50f52644b336d4f0a3fd6d8a60ca0d054ac9f713a864", "sha256:6e296a513ca3d94054c2c881cc913116e90fd030ad1c656b3869762b754f5f8a",
"sha256:611d1ad9a4288cf3e3c16014564df047fe08410e628f89805e475368bd304914", "sha256:70a87b411535ccad5ef2f1df5136506a10775d267e197e4cf531ced10537bd6b",
"sha256:6557b31b5e2c9ddf0de32a691f2312a32f77cd7681d8af66c2692efdbef84c18", "sha256:7e94c425039cde14257288fd61dcfb01963e658efbc0ff54f5306b06054700f8",
"sha256:693ce3f9e70a6cf7d2fb9e6c9d8b204b6b39897a2c4a1aa65728d5ac97dcc1d8", "sha256:846ade7b71e3536c4e56b386c2a47adf5741d2d8b94ec9dc3e92e5e1ee1e2225",
"sha256:6a7fae0dd14cf60ad5ff42baa2e95727c3d81ded453457771d02b7d2b3f9c0c2", "sha256:88416bd1e65dcea10bc7569faacb2c20ce071dd1f87539ca2ab364bf6231393c",
"sha256:6c4ca60fa24e85fe25b912b01e62cb969d69a23a5d5867682dd3e80b5b02581d", "sha256:88b49a3b9ff31e19998750c38e030fc7bb937398b1f78cfa599aaef92d693144",
"sha256:6fcf051089389abe060c9cd7caa212c707e58153afa2c649f00346ce6d260f1b", "sha256:8c4e8c3ce11e1f92f6536ff07154f9d49677ebaaafc32db9db4620bc11ed480f",
"sha256:7d91275b0245b1da4d4cfa07e0faedd5b0812efc15b702576d103293e252af1b", "sha256:8e06879fc22a25ca47312fbe7c8264eb0b662f6db27cb2d3bbbc74b1df4b9b87",
"sha256:905fec760bd2fa1388bb5b489ee8ee5f7291d692638ea5f67982d968366bef9f", "sha256:9025b4018f3a1314059769c7bf15441064b2207cb3f065e6ea1e7359cb46db9d",
"sha256:97383d78eb34da7e1fa37dd273c20ad4320929af65d156e35a5e2d89566d9dfb", "sha256:93335ca3812df2f366e80509ae119189886b0f3c2b81325d39efdb84a1e2ae93",
"sha256:984d76483eb32f1bcb536dc27e4ad56bba4baa70be32fa87152832cdd9db0833", "sha256:9778bd8ab0a994ebf6f84c2b949e65736d5575320a17ae8984a77fab08db94cf",
"sha256:99df47edb6bda1249d3e80fdabb1dab8c08ef3975f69aed437cb69d0a5de1e28", "sha256:9e2d922824181480953426608b81967de705c3cef4d1af983af849d7bd619158",
"sha256:a30e67a65b53ea0a5e62fe23682cfe22712e01f453b95233b25502f7c61cb415", "sha256:a123e330ef0853c6e822384873bef7507557d8e4a082961e1defa947aa59ba84",
"sha256:ab3ef638ace319fa26553db0624c4699e31a28bb2a835c5faca8f8acf6a5a902", "sha256:a904af0a6162c73e3edcb969eeeb53a63ceeb5d8cf642fade7d39e7963a22ddb",
"sha256:add36cb2dbb8b736611303cd3bfcee00afd96471b09cda130da3581cbdc56a6d", "sha256:ad10d3ded218f1039f11a75f8091880239651b52e9bb592ca27de44eed242a48",
"sha256:b2f4bf27480f5e5e8ce285a8c8fd176c0b03e93dcc6646477d4630e83440c6a9", "sha256:b424c77b206d63d500bcb69fa55ed8d0e6a3774056bdc4839fc9298a7edca171",
"sha256:b7f2d075102dc8c794cbde1947378051c4e5180d52d276987b8d28a3bd58c17d", "sha256:b5a6b3ada725cea8a5e634536b1b01c30bcdcd7f9c6fff4151548d5bf6b3a36c",
"sha256:baa1a4e8f868845af802979fcdbf0bb11f94f1cb7ced4c4b8a351bb60d108145", "sha256:ba8062ed2cf21c07a9e295d5b8a2a5ce678b913b45fdf68c32d95d6c1291e0b6",
"sha256:be98f628055368795d818ebf93da628541e10b75b41c559fdf36d104c5787066", "sha256:ba9527cdd4c926ed0760bc301f6728ef34d841f405abf9d4f959c478421e4efd",
"sha256:bf5d821ffabf0ef3533c39c518f3357b171a1651c1ff6827325e4489b0e46c3c", "sha256:bbcb445fa71794da8f178f0f6d66789a28d7319071af7a496d4d507ed566270d",
"sha256:c47adbc92fc1bb2b3274c4b3a43ae0e4573d9fbff4f54cd484555edbf030baf1", "sha256:bcf3e58998965654fdaff38e58584d8937aa3096ab5354d493c77d1fdd66d7a1",
"sha256:d7f9850398e85aba693bb640262d3611788b1f29a79f0c93c565694658f4071f", "sha256:c0ef13eaeee5b615fb07c9a7dadb38eac06a0608b41570d8ade51c56539e509d",
"sha256:d8446c54dc28c01e5a2dbac5a25f071f6653e6e40f3a8818e8b45d790fe6ef53", "sha256:cabc348d87e913db6ab4aa100f01b08f481097838bdddf7c7a84b7575b7309ca",
"sha256:e0f138900af21926a02425cf736db95be9f4af72ba1bb21453432a07f6082134", "sha256:cdb82a876c47801bb54a690c5ae105a46b392ac6099881cdfb9f6e95e4014c6a",
"sha256:e9936f0b261d4df76ad22f8fee3ae83b60d7c3e871292cd42f40b81b70afae85", "sha256:cfad01eed2c2e0c01fd0ecd2ef42c492f7f93902e39a42fc9ee1692961443a29",
"sha256:f5653a225f31e113b152e56f154ccbe59eeb1c7487b39b9d9f9cdb58e6c79dc5", "sha256:d16a81a06776313e817c951135cf7340a3e91e8c1ff2fac444cfd75fffa04afe",
"sha256:f826e31d18b516f653fe296d967d700fddad5901ae07c622bb3705955e1faa94", "sha256:d8213e09c917a951de9d09ecee036d5c7d36cb6cb7dbaece4c71a60d79fb9798",
"sha256:f8ba0e8349a38d3001fae7eadded3f6606f0da5d748ee53cc1dab1d6527b9509", "sha256:e07c3764494e3776c602c1e78e298937c3315ccc9043ead7e685b7f2b8d47b3c",
"sha256:f9081981fe268bd86831e5c75f7de206ef275defcb82bc70740ae6dc507aee51", "sha256:e17c96c14e19278594aa4841ec148115f9c7615a47382ecb6b82bd8fea3ab0c8",
"sha256:fa130dd50c57d53368c9d59395cb5526eda596d3ffe36666cd81a44d56e48872" "sha256:e444a31f8db13eb18ada366ab3cf45fd4b31e4db1236a4448f68778c1d1a5a2f",
"sha256:e6a2a455bd412959b57a172ce6328d2dd1f01cb2135efda2e4576e8a23fa3b0f",
"sha256:eaa0a10b7f72326f1372a713e73c3f739b524b3af41feb43e4921cb529f5929a",
"sha256:eb7972a85c54febfb25b5c4b4f3af4dcc731994c7da0d8a0b4a6eb0640e1d178",
"sha256:ee55d3edf80167e48ea11a923c7386f4669df67d7994554387f84e7d8b0a2bf0",
"sha256:f3818cb119498c0678015754eba762e0d61e5b52d34c8b13d770f0719f7b1d79",
"sha256:f8b3d067f2e40fe93e1ccdd6b2e1d16c43140e76f02fb1319a05cf2b79d99430",
"sha256:fcabf5ff6eea076f859677f5f0b6b5c1a51e70a376b0579e0eadef8db48c6b50"
], ],
"markers": "python_version >= '3.6'", "markers": "python_version >= '3.9'",
"version": "==2.0.1" "version": "==3.0.2"
},
"mypy-extensions": {
"hashes": [
"sha256:1be4cccdb0f2482337c4743e60421de3a356cd97508abadd57d47403e94f5505",
"sha256:52e68efc3284861e772bbcd66823fde5ae21fd2fdb51c62a211403730b916558"
],
"markers": "python_version >= '3.8'",
"version": "==1.1.0"
}, },
"packaging": { "packaging": {
"hashes": [ "hashes": [
"sha256:7dc96269f53a4ccec5c0670940a4281106dd0bb343f47b7471f779df49c2fbe7", "sha256:29572ef2b1f17581046b3a2227d5c611fb25ec70ca1ba8554b24b0e69331a484",
"sha256:c86254f9220d55e31cc94d69bade760f0847da8000def4dfe1c6b872fd14ff14" "sha256:d443872c98d677bf60f6a1f2f8c1cb748e8fe762d2bf9d3148b5599295b0fc4f"
], ],
"markers": "python_version >= '3.6'", "markers": "python_version >= '3.8'",
"version": "==21.0" "version": "==25.0"
},
"pathspec": {
"hashes": [
"sha256:a0d503e138a4c123b27490a4f7beda6a01c6f288df0e4a8b79c7eb0dc7b4cc08",
"sha256:a482d51503a1ab33b1c67a6c3813a26953dbdc71c31dacaef9a838c4e29f5712"
],
"markers": "python_version >= '3.8'",
"version": "==0.12.1"
},
"platformdirs": {
"hashes": [
"sha256:3d512d96e16bcb959a814c9f348431070822a6496326a4be0911c40b5a74c2bc",
"sha256:ff7059bb7eb1179e2685604f4aaf157cfd9535242bd23742eadc3c13542139b4"
],
"markers": "python_version >= '3.9'",
"version": "==4.3.8"
}, },
"pycparser": { "pycparser": {
"hashes": [ "hashes": [
"sha256:2d475327684562c3a96cc71adf7dc8c4f0565175cf86b6d7a404ff4c771f15f0", "sha256:491c8be9c040f5390f5bf44a5b07752bd07f56edf992381b05c701439eec10f6",
"sha256:7582ad22678f0fcd81102833f60ef8d0e57288b6b5fb00323d101be910e35705" "sha256:c3702b6d3dd8c7abc1afa565d7e63d53a1d0bd86cdc24edd75470f4de499cfcc"
], ],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", "markers": "python_version >= '3.8'",
"version": "==2.20" "version": "==2.22"
},
"pyparsing": {
"hashes": [
"sha256:c203ec8783bf771a155b207279b9bccb8dea02d8f0c9e5f8ead507bc3246ecc1",
"sha256:ef9d7589ef3c200abe66653d3f1ab1033c3c419ae9b9bdb1240a85b024efc88b"
],
"markers": "python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==2.4.7"
}, },
"pyyaml": { "pyyaml": {
"hashes": [ "hashes": [
"sha256:08682f6b72c722394747bddaf0aa62277e02557c0fd1c42cb853016a38f8dedf", "sha256:01179a4a8559ab5de078078f37e5c1a30d76bb88519906844fd7bdea1b7729ff",
"sha256:0f5f5786c0e09baddcd8b4b45f20a7b5d61a7e7e99846e3c799b05c7c53fa696", "sha256:0833f8694549e586547b576dcfaba4a6b55b9e96098b36cdc7ebefe667dfed48",
"sha256:129def1b7c1bf22faffd67b8f3724645203b79d8f4cc81f674654d9902cb4393", "sha256:0a9a2848a5b7feac301353437eb7d5957887edbf81d56e903999a75a3d743086",
"sha256:294db365efa064d00b8d1ef65d8ea2c3426ac366c0c4368d930bf1c5fb497f77", "sha256:0b69e4ce7a131fe56b7e4d770c67429700908fc0752af059838b1cfb41960e4e",
"sha256:3b2b1824fe7112845700f815ff6a489360226a5609b96ec2190a45e62a9fc922", "sha256:0ffe8360bab4910ef1b9e87fb812d8bc0a308b0d0eef8c8f44e0254ab3b07133",
"sha256:3bd0e463264cf257d1ffd2e40223b197271046d09dadf73a0fe82b9c1fc385a5", "sha256:11d8f3dd2b9c1207dcaf2ee0bbbfd5991f571186ec9cc78427ba5bd32afae4b5",
"sha256:4465124ef1b18d9ace298060f4eccc64b0850899ac4ac53294547536533800c8", "sha256:17e311b6c678207928d649faa7cb0d7b4c26a0ba73d41e99c4fff6b6c3276484",
"sha256:49d4cdd9065b9b6e206d0595fee27a96b5dd22618e7520c33204a4a3239d5b10", "sha256:1e2120ef853f59c7419231f3bf4e7021f1b936f6ebd222406c3b60212205d2ee",
"sha256:4e0583d24c881e14342eaf4ec5fbc97f934b999a6828693a99157fde912540cc", "sha256:1f71ea527786de97d1a0cc0eacd1defc0985dcf6b3f17bb77dcfc8c34bec4dc5",
"sha256:5accb17103e43963b80e6f837831f38d314a0495500067cb25afab2e8d7a4018", "sha256:23502f431948090f597378482b4812b0caae32c22213aecf3b55325e049a6c68",
"sha256:607774cbba28732bfa802b54baa7484215f530991055bb562efbed5b2f20a45e", "sha256:24471b829b3bf607e04e88d79542a9d48bb037c2267d7927a874e6c205ca7e9a",
"sha256:6c78645d400265a062508ae399b60b8c167bf003db364ecb26dcab2bda048253", "sha256:29717114e51c84ddfba879543fb232a6ed60086602313ca38cce623c1d62cfbf",
"sha256:72a01f726a9c7851ca9bfad6fd09ca4e090a023c00945ea05ba1638c09dc3347", "sha256:2e99c6826ffa974fe6e27cdb5ed0021786b03fc98e5ee3c5bfe1fd5015f42b99",
"sha256:74c1485f7707cf707a7aef42ef6322b8f97921bd89be2ab6317fd782c2d53183", "sha256:39693e1f8320ae4f43943590b49779ffb98acb81f788220ea932a6b6c51004d8",
"sha256:895f61ef02e8fed38159bb70f7e100e00f471eae2bc838cd0f4ebb21e28f8541", "sha256:3ad2a3decf9aaba3d29c8f537ac4b243e36bef957511b4766cb0057d32b0be85",
"sha256:8c1be557ee92a20f184922c7b6424e8ab6691788e6d86137c5d93c1a6ec1b8fb", "sha256:3b1fdb9dc17f5a7677423d508ab4f243a726dea51fa5e70992e59a7411c89d19",
"sha256:bb4191dfc9306777bc594117aee052446b3fa88737cd13b7188d0e7aa8162185", "sha256:41e4e3953a79407c794916fa277a82531dd93aad34e29c2a514c2c0c5fe971cc",
"sha256:bfb51918d4ff3d77c1c856a9699f8492c612cde32fd3bcd344af9be34999bfdc", "sha256:43fa96a3ca0d6b1812e01ced1044a003533c47f6ee8aca31724f78e93ccc089a",
"sha256:c20cfa2d49991c8b4147af39859b167664f2ad4561704ee74c1de03318e898db", "sha256:50187695423ffe49e2deacb8cd10510bc361faac997de9efef88badc3bb9e2d1",
"sha256:cb333c16912324fd5f769fff6bc5de372e9e7a202247b48870bc251ed40239aa", "sha256:5ac9328ec4831237bec75defaf839f7d4564be1e6b25ac710bd1a96321cc8317",
"sha256:d2d9808ea7b4af864f35ea216be506ecec180628aced0704e34aca0b040ffe46", "sha256:5d225db5a45f21e78dd9358e58a98702a0302f2659a3c6cd320564b75b86f47c",
"sha256:d483ad4e639292c90170eb6f7783ad19490e7a8defb3e46f97dfe4bacae89122", "sha256:6395c297d42274772abc367baaa79683958044e5d3835486c16da75d2a694631",
"sha256:dd5de0646207f053eb0d6c74ae45ba98c3395a571a2891858e87df7c9b9bd51b", "sha256:688ba32a1cffef67fd2e9398a2efebaea461578b0923624778664cc1c914db5d",
"sha256:e1d4970ea66be07ae37a3c2e48b5ec63f7ba6804bdddfdbd3cfd954d25a82e63", "sha256:68ccc6023a3400877818152ad9a1033e3db8625d899c72eacb5a668902e4d652",
"sha256:e4fac90784481d221a8e4b1162afa7c47ed953be40d31ab4629ae917510051df", "sha256:70b189594dbe54f75ab3a1acec5f1e3faa7e8cf2f1e08d9b561cb41b845f69d5",
"sha256:fa5ae20527d8e831e8230cbffd9f8fe952815b2b7dae6ffec25318803a7528fc", "sha256:797b4f722ffa07cc8d62053e4cff1486fa6dc094105d13fea7b1de7d8bf71c9e",
"sha256:fd7f6999a8070df521b6384004ef42833b9bd62cfee11a09bda1079b4b704247", "sha256:7c36280e6fb8385e520936c3cb3b8042851904eba0e58d277dca80a5cfed590b",
"sha256:fdc842473cd33f45ff6bce46aea678a54e3d21f1b61a7750ce3c498eedfe25d6", "sha256:7e7401d0de89a9a855c839bc697c079a4af81cf878373abd7dc625847d25cbd8",
"sha256:fe69978f3f768926cfa37b867e3843918e012cf83f680806599ddce33c2c68b0" "sha256:80bab7bfc629882493af4aa31a4cfa43a4c57c83813253626916b8c7ada83476",
"sha256:82d09873e40955485746739bcb8b4586983670466c23382c19cffecbf1fd8706",
"sha256:8388ee1976c416731879ac16da0aff3f63b286ffdd57cdeb95f3f2e085687563",
"sha256:8824b5a04a04a047e72eea5cec3bc266db09e35de6bdfe34c9436ac5ee27d237",
"sha256:8b9c7197f7cb2738065c481a0461e50ad02f18c78cd75775628afb4d7137fb3b",
"sha256:9056c1ecd25795207ad294bcf39f2db3d845767be0ea6e6a34d856f006006083",
"sha256:936d68689298c36b53b29f23c6dbb74de12b4ac12ca6cfe0e047bedceea56180",
"sha256:9b22676e8097e9e22e36d6b7bda33190d0d400f345f23d4065d48f4ca7ae0425",
"sha256:a4d3091415f010369ae4ed1fc6b79def9416358877534caf6a0fdd2146c87a3e",
"sha256:a8786accb172bd8afb8be14490a16625cbc387036876ab6ba70912730faf8e1f",
"sha256:a9f8c2e67970f13b16084e04f134610fd1d374bf477b17ec1599185cf611d725",
"sha256:bc2fa7c6b47d6bc618dd7fb02ef6fdedb1090ec036abab80d4681424b84c1183",
"sha256:c70c95198c015b85feafc136515252a261a84561b7b1d51e3384e0655ddf25ab",
"sha256:cc1c1159b3d456576af7a3e4d1ba7e6924cb39de8f67111c735f6fc832082774",
"sha256:ce826d6ef20b1bc864f0a68340c8b3287705cae2f8b4b1d932177dcc76721725",
"sha256:d584d9ec91ad65861cc08d42e834324ef890a082e591037abe114850ff7bbc3e",
"sha256:d7fded462629cfa4b685c5416b949ebad6cec74af5e2d42905d41e257e0869f5",
"sha256:d84a1718ee396f54f3a086ea0a66d8e552b2ab2017ef8b420e92edbc841c352d",
"sha256:d8e03406cac8513435335dbab54c0d385e4a49e4945d2909a581c83647ca0290",
"sha256:e10ce637b18caea04431ce14fabcf5c64a1c61ec9c56b071a4b7ca131ca52d44",
"sha256:ec031d5d2feb36d1d1a24380e4db6d43695f3748343d99434e6f5f9156aaa2ed",
"sha256:ef6107725bd54b262d6dedcc2af448a266975032bc85ef0172c5f059da6325b4",
"sha256:efdca5630322a10774e8e98e1af481aad470dd62c3170801852d752aa7a783ba",
"sha256:f753120cb8181e736c57ef7636e83f31b9c0d1722c516f7e86cf15b7aa57ff12",
"sha256:ff3824dc5261f50c9b0dfb3be22b4567a6f938ccce4587b38952d85fd9e9afe4"
], ],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4, 3.5'", "markers": "python_version >= '3.8'",
"version": "==5.4.1" "version": "==6.0.2"
},
"referencing": {
"hashes": [
"sha256:df2e89862cd09deabbdba16944cc3f10feb6b3e6f18e902f7cc25609a34775aa",
"sha256:e8699adbbf8b5c7de96d8ffa0eb5c158b3beafce084968e2ea8bb08c6794dcd0"
],
"markers": "python_version >= '3.9'",
"version": "==0.36.2"
}, },
"resolvelib": { "resolvelib": {
"hashes": [ "hashes": [
"sha256:8113ae3ed6d33c6be0bcbf03ffeb06c0995c099b7b8aaa5ddf2e9b3b3df4e915", "sha256:04ce76cbd63fded2078ce224785da6ecd42b9564b1390793f64ddecbe997b309",
"sha256:9b9b80d5c60e4c2a8b7fbf0712c3449dc01d74e215632e5199850c9eca687628" "sha256:d2da45d1a8dfee81bdd591647783e340ef3bcb104b54c383f70d422ef5cc7dbf"
], ],
"version": "==0.5.4" "version": "==1.0.1"
},
"rpds-py": {
"hashes": [
"sha256:0919f38f5542c0a87e7b4afcafab6fd2c15386632d249e9a087498571250abe3",
"sha256:093d63b4b0f52d98ebae33b8c50900d3d67e0666094b1be7a12fffd7f65de74b",
"sha256:0a0b60701f2300c81b2ac88a5fb893ccfa408e1c4a555a77f908a2596eb875a5",
"sha256:0c71c2f6bf36e61ee5c47b2b9b5d47e4d1baad6426bfed9eea3e858fc6ee8806",
"sha256:0dc23bbb3e06ec1ea72d515fb572c1fea59695aefbffb106501138762e1e915e",
"sha256:0dfa6115c6def37905344d56fb54c03afc49104e2ca473d5dedec0f6606913b4",
"sha256:12bff2ad9447188377f1b2794772f91fe68bb4bbfa5a39d7941fbebdbf8c500f",
"sha256:1533b7eb683fb5f38c1d68a3c78f5fdd8f1412fa6b9bf03b40f450785a0ab915",
"sha256:1766b5724c3f779317d5321664a343c07773c8c5fd1532e4039e6cc7d1a815be",
"sha256:181ef9b6bbf9845a264f9aa45c31836e9f3c1f13be565d0d010e964c661d1e2b",
"sha256:183f857a53bcf4b1b42ef0f57ca553ab56bdd170e49d8091e96c51c3d69ca696",
"sha256:191aa858f7d4902e975d4cf2f2d9243816c91e9605070aeb09c0a800d187e323",
"sha256:1a8b0dd8648709b62d9372fc00a57466f5fdeefed666afe3fea5a6c9539a0331",
"sha256:1c962145c7473723df9722ba4c058de12eb5ebedcb4e27e7d902920aa3831ee8",
"sha256:1cc81d14ddfa53d7f3906694d35d54d9d3f850ef8e4e99ee68bc0d1e5fed9a9c",
"sha256:1d815d48b1804ed7867b539236b6dd62997850ca1c91cad187f2ddb1b7bbef19",
"sha256:1e6c15d2080a63aaed876e228efe4f814bc7889c63b1e112ad46fdc8b368b9e1",
"sha256:20ab1ae4fa534f73647aad289003f1104092890849e0266271351922ed5574f8",
"sha256:20dae58a859b0906f0685642e591056f1e787f3a8b39c8e8749a45dc7d26bdb0",
"sha256:238e8c8610cb7c29460e37184f6799547f7e09e6a9bdbdab4e8edb90986a2318",
"sha256:24a4146ccb15be237fdef10f331c568e1b0e505f8c8c9ed5d67759dac58ac246",
"sha256:257d011919f133a4746958257f2c75238e3ff54255acd5e3e11f3ff41fd14256",
"sha256:2a343f91b17097c546b93f7999976fd6c9d5900617aa848c81d794e062ab302b",
"sha256:2abe21d8ba64cded53a2a677e149ceb76dcf44284202d737178afe7ba540c1eb",
"sha256:2c03c9b0c64afd0320ae57de4c982801271c0c211aa2d37f3003ff5feb75bb04",
"sha256:2c9c1b92b774b2e68d11193dc39620d62fd8ab33f0a3c77ecdabe19c179cdbc1",
"sha256:3021933c2cb7def39d927b9862292e0f4c75a13d7de70eb0ab06efed4c508c19",
"sha256:3100b3090269f3a7ea727b06a6080d4eb7439dca4c0e91a07c5d133bb1727ea7",
"sha256:313cfcd6af1a55a286a3c9a25f64af6d0e46cf60bc5798f1db152d97a216ff6f",
"sha256:35e9a70a0f335371275cdcd08bc5b8051ac494dd58bff3bbfb421038220dc871",
"sha256:38721d4c9edd3eb6670437d8d5e2070063f305bfa2d5aa4278c51cedcd508a84",
"sha256:390e3170babf42462739a93321e657444f0862c6d722a291accc46f9d21ed04e",
"sha256:39bfea47c375f379d8e87ab4bb9eb2c836e4f2069f0f65731d85e55d74666387",
"sha256:3ac51b65e8dc76cf4949419c54c5528adb24fc721df722fd452e5fbc236f5c40",
"sha256:3c0909c5234543ada2515c05dc08595b08d621ba919629e94427e8e03539c958",
"sha256:3da5852aad63fa0c6f836f3359647870e21ea96cf433eb393ffa45263a170d44",
"sha256:3e1157659470aa42a75448b6e943c895be8c70531c43cb78b9ba990778955582",
"sha256:4019a9d473c708cf2f16415688ef0b4639e07abaa569d72f74745bbeffafa2c7",
"sha256:43f10b007033f359bc3fa9cd5e6c1e76723f056ffa9a6b5c117cc35720a80292",
"sha256:49028aa684c144ea502a8e847d23aed5e4c2ef7cadfa7d5eaafcb40864844b7a",
"sha256:4916dc96489616a6f9667e7526af8fa693c0fdb4f3acb0e5d9f4400eb06a47ba",
"sha256:4a59e5bc386de021f56337f757301b337d7ab58baa40174fb150accd480bc953",
"sha256:4b1f66eb81eab2e0ff5775a3a312e5e2e16bf758f7b06be82fb0d04078c7ac51",
"sha256:4c5fe114a6dd480a510b6d3661d09d67d1622c4bf20660a474507aaee7eeeee9",
"sha256:4c70c70f9169692b36307a95f3d8c0a9fcd79f7b4a383aad5eaa0e9718b79b37",
"sha256:4d11382bcaf12f80b51d790dee295c56a159633a8e81e6323b16e55d81ae37e9",
"sha256:4f01a5d6444a3258b00dc07b6ea4733e26f8072b788bef750baa37b370266137",
"sha256:4f789e32fa1fb6a7bf890e0124e7b42d1e60d28ebff57fe806719abb75f0e9a3",
"sha256:4feb7511c29f8442cbbc28149a92093d32e815a28aa2c50d333826ad2a20fdf0",
"sha256:511d15193cbe013619dd05414c35a7dedf2088fcee93c6bbb7c77859765bd4e8",
"sha256:519067e29f67b5c90e64fb1a6b6e9d2ec0ba28705c51956637bac23a2f4ddae1",
"sha256:521ccf56f45bb3a791182dc6b88ae5f8fa079dd705ee42138c76deb1238e554e",
"sha256:529c8156d7506fba5740e05da8795688f87119cce330c244519cf706a4a3d618",
"sha256:582462833ba7cee52e968b0341b85e392ae53d44c0f9af6a5927c80e539a8b67",
"sha256:5963b72ccd199ade6ee493723d18a3f21ba7d5b957017607f815788cef50eaf1",
"sha256:59b2093224a18c6508d95cfdeba8db9cbfd6f3494e94793b58972933fcee4c6d",
"sha256:5afaddaa8e8c7f1f7b4c5c725c0070b6eed0228f705b90a1732a48e84350f4e9",
"sha256:5afea17ab3a126006dc2f293b14ffc7ef3c85336cf451564a0515ed7648033da",
"sha256:5e09330b21d98adc8ccb2dbb9fc6cb434e8908d4c119aeaa772cb1caab5440a0",
"sha256:6188de70e190847bb6db3dc3981cbadff87d27d6fe9b4f0e18726d55795cee9b",
"sha256:68ffcf982715f5b5b7686bdd349ff75d422e8f22551000c24b30eaa1b7f7ae84",
"sha256:696764a5be111b036256c0b18cd29783fab22154690fc698062fc1b0084b511d",
"sha256:69a607203441e07e9a8a529cff1d5b73f6a160f22db1097211e6212a68567d11",
"sha256:69b312fecc1d017b5327afa81d4da1480f51c68810963a7336d92203dbb3d4f1",
"sha256:69f0c0a3df7fd3a7eec50a00396104bb9a843ea6d45fcc31c2d5243446ffd7a7",
"sha256:6a1cb5d6ce81379401bbb7f6dbe3d56de537fb8235979843f0d53bc2e9815a79",
"sha256:6d3498ad0df07d81112aa6ec6c95a7e7b1ae00929fb73e7ebee0f3faaeabad2f",
"sha256:72a8d9564a717ee291f554eeb4bfeafe2309d5ec0aa6c475170bdab0f9ee8e88",
"sha256:777c62479d12395bfb932944e61e915741e364c843afc3196b694db3d669fcd0",
"sha256:77a7711fa562ba2da1aa757e11024ad6d93bad6ad7ede5afb9af144623e5f76a",
"sha256:79061ba1a11b6a12743a2b0f72a46aa2758613d454aa6ba4f5a265cc48850158",
"sha256:7a48af25d9b3c15684059d0d1fc0bc30e8eee5ca521030e2bffddcab5be40226",
"sha256:7ab504c4d654e4a29558eaa5bb8cea5fdc1703ea60a8099ffd9c758472cf913f",
"sha256:7bdb17009696214c3b66bb3590c6d62e14ac5935e53e929bcdbc5a495987a84f",
"sha256:7da84c2c74c0f5bc97d853d9e17bb83e2dcafcff0dc48286916001cc114379a1",
"sha256:801a71f70f9813e82d2513c9a96532551fce1e278ec0c64610992c49c04c2dad",
"sha256:824e6d3503ab990d7090768e4dfd9e840837bae057f212ff9f4f05ec6d1975e7",
"sha256:82b165b07f416bdccf5c84546a484cc8f15137ca38325403864bfdf2b5b72f6a",
"sha256:84cfbd4d4d2cdeb2be61a057a258d26b22877266dd905809e94172dff01a42ae",
"sha256:84d142d2d6cf9b31c12aa4878d82ed3b2324226270b89b676ac62ccd7df52d08",
"sha256:87a5531de9f71aceb8af041d72fc4cab4943648d91875ed56d2e629bef6d4c03",
"sha256:893b022bfbdf26d7bedb083efeea624e8550ca6eb98bf7fea30211ce95b9201a",
"sha256:894514d47e012e794f1350f076c427d2347ebf82f9b958d554d12819849a369d",
"sha256:8a7898b6ca3b7d6659e55cdac825a2e58c638cbf335cde41f4619e290dd0ad11",
"sha256:8ad7fd2258228bf288f2331f0a6148ad0186b2e3643055ed0db30990e59817a6",
"sha256:92c8db839367ef16a662478f0a2fe13e15f2227da3c1430a782ad0f6ee009ec9",
"sha256:941c1cfdf4799d623cf3aa1d326a6b4fdb7a5799ee2687f3516738216d2262fb",
"sha256:9bc596b30f86dc6f0929499c9e574601679d0341a0108c25b9b358a042f51bca",
"sha256:9c55b0a669976cf258afd718de3d9ad1b7d1fe0a91cd1ab36f38b03d4d4aeaaf",
"sha256:9da4e873860ad5bab3291438525cae80169daecbfafe5657f7f5fb4d6b3f96b9",
"sha256:9def736773fd56b305c0eef698be5192c77bfa30d55a0e5885f80126c4831a15",
"sha256:9dfbe56b299cf5875b68eb6f0ebaadc9cac520a1989cac0db0765abfb3709c19",
"sha256:9e851920caab2dbcae311fd28f4313c6953993893eb5c1bb367ec69d9a39e7ed",
"sha256:9e8cb77286025bdb21be2941d64ac6ca016130bfdcd228739e8ab137eb4406ed",
"sha256:a547e21c5610b7e9093d870be50682a6a6cf180d6da0f42c47c306073bfdbbf6",
"sha256:a90a13408a7a856b87be8a9f008fff53c5080eea4e4180f6c2e546e4a972fb5d",
"sha256:a9a63785467b2d73635957d32a4f6e73d5e4df497a16a6392fa066b753e87387",
"sha256:aa81873e2c8c5aa616ab8e017a481a96742fdf9313c40f14338ca7dbf50cb55f",
"sha256:ac64f4b2bdb4ea622175c9ab7cf09444e412e22c0e02e906978b3b488af5fde8",
"sha256:aea1f9741b603a8d8fedb0ed5502c2bc0accbc51f43e2ad1337fe7259c2b77a5",
"sha256:b0afb8cdd034150d4d9f53926226ed27ad15b7f465e93d7468caaf5eafae0d37",
"sha256:b37a04d9f52cb76b6b78f35109b513f6519efb481d8ca4c321f6a3b9580b3f45",
"sha256:b5f7a446ddaf6ca0fad9a5535b56fbfc29998bf0e0b450d174bbec0d600e1d72",
"sha256:b6d9e5a2ed9c4988c8f9b28b3bc0e3e5b1aaa10c28d210a594ff3a8c02742daf",
"sha256:b6e2c12160c72aeda9d1283e612f68804621f448145a210f1bf1d79151c47090",
"sha256:b818a592bd69bfe437ee8368603d4a2d928c34cffcdf77c2e761a759ffd17d20",
"sha256:c1851f429b822831bd2edcbe0cfd12ee9ea77868f8d3daf267b189371671c80e",
"sha256:c1fb0cda2abcc0ac62f64e2ea4b4e64c57dfd6b885e693095460c61bde7bb18e",
"sha256:c5ab0ee51f560d179b057555b4f601b7df909ed31312d301b99f8b9fc6028284",
"sha256:c70d9ec912802ecfd6cd390dadb34a9578b04f9bcb8e863d0a7598ba5e9e7ccc",
"sha256:c741107203954f6fc34d3066d213d0a0c40f7bb5aafd698fb39888af277c70d8",
"sha256:ca3f059f4ba485d90c8dc75cb5ca897e15325e4e609812ce57f896607c1c0867",
"sha256:caf51943715b12af827696ec395bfa68f090a4c1a1d2509eb4e2cb69abbbdb33",
"sha256:cb28c1f569f8d33b2b5dcd05d0e6ef7005d8639c54c2f0be824f05aedf715255",
"sha256:cdad4ea3b4513b475e027be79e5a0ceac8ee1c113a1a11e5edc3c30c29f964d8",
"sha256:cf47cfdabc2194a669dcf7a8dbba62e37a04c5041d2125fae0233b720da6f05c",
"sha256:d04cab0a54b9dba4d278fe955a1390da3cf71f57feb78ddc7cb67cbe0bd30323",
"sha256:d422b945683e409000c888e384546dbab9009bb92f7c0b456e217988cf316107",
"sha256:d80bf832ac7b1920ee29a426cdca335f96a2b5caa839811803e999b41ba9030d",
"sha256:da619979df60a940cd434084355c514c25cf8eb4cf9a508510682f6c851a4f7a",
"sha256:dafd4c44b74aa4bed4b250f1aed165b8ef5de743bcca3b88fc9619b6087093d2",
"sha256:dca83c498b4650a91efcf7b88d669b170256bf8017a5db6f3e06c2bf031f57e0",
"sha256:de2713f48c1ad57f89ac25b3cb7daed2156d8e822cf0eca9b96a6f990718cc41",
"sha256:de4ed93a8c91debfd5a047be327b7cc8b0cc6afe32a716bbbc4aedca9e2a83af",
"sha256:df52098cde6d5e02fa75c1f6244f07971773adb4a26625edd5c18fee906fa84d",
"sha256:dfbf280da5f876d0b00c81f26bedce274e72a678c28845453885a9b3c22ae632",
"sha256:e3730a48e5622e598293eee0762b09cff34dd3f271530f47b0894891281f051d",
"sha256:e5162afc9e0d1f9cae3b577d9c29ddbab3505ab39012cb794d94a005825bde21",
"sha256:e5d524d68a474a9688336045bbf76cb0def88549c1b2ad9dbfec1fb7cfbe9170",
"sha256:e99685fc95d386da368013e7fb4269dd39c30d99f812a8372d62f244f662709c",
"sha256:ea89a2458a1a75f87caabefe789c87539ea4e43b40f18cff526052e35bbb4fdf",
"sha256:ec671691e72dff75817386aa02d81e708b5a7ec0dec6669ec05213ff6b77e1bd",
"sha256:eed5ac260dd545fbc20da5f4f15e7efe36a55e0e7cf706e4ec005b491a9546a0",
"sha256:f14440b9573a6f76b4ee4770c13f0b5921f71dde3b6fcb8dabbefd13b7fe05d7",
"sha256:f405c93675d8d4c5ac87364bb38d06c988e11028a64b52a47158a355079661f3",
"sha256:f53ec51f9d24e9638a40cabb95078ade8c99251945dad8d57bf4aabe86ecee35",
"sha256:f61a9326f80ca59214d1cceb0a09bb2ece5b2563d4e0cd37bfd5515c28510674",
"sha256:f7bf2496fa563c046d05e4d232d7b7fd61346e2402052064b773e5c378bf6f73",
"sha256:fbaa70553ca116c77717f513e08815aec458e6b69a028d4028d403b3bc84ff37",
"sha256:fc3e55a7db08dc9a6ed5fb7103019d2c1a38a349ac41901f9f66d7f95750942f",
"sha256:fc921b96fa95a097add244da36a1d9e4f3039160d1d30f1b35837bf108c21136",
"sha256:fd0641abca296bc1a00183fe44f7fced8807ed49d501f188faa642d0e4975b83",
"sha256:feac1045b3327a45944e7dcbeb57530339f6b17baff154df51ef8b0da34c8c12",
"sha256:ff110acded3c22c033e637dd8896e411c7d3a11289b2edf041f86663dbc791e9"
],
"markers": "python_version >= '3.9'",
"version": "==0.26.0"
},
"ruamel.yaml": {
"hashes": [
"sha256:710ff198bb53da66718c7db27eec4fbcc9aa6ca7204e4c1df2f282b6fe5eb6b2",
"sha256:7227b76aaec364df15936730efbf7d72b30c0b79b1d578bbb8e3dcb2d81f52b7"
],
"markers": "python_version >= '3.8'",
"version": "==0.18.14"
},
"ruamel.yaml.clib": {
"hashes": [
"sha256:040ae85536960525ea62868b642bdb0c2cc6021c9f9d507810c0c604e66f5a7b",
"sha256:0467c5965282c62203273b838ae77c0d29d7638c8a4e3a1c8bdd3602c10904e4",
"sha256:0b7e75b4965e1d4690e93021adfcecccbca7d61c7bddd8e22406ef2ff20d74ef",
"sha256:11f891336688faf5156a36293a9c362bdc7c88f03a8a027c2c1d8e0bcde998e5",
"sha256:1492a6051dab8d912fc2adeef0e8c72216b24d57bd896ea607cb90bb0c4981d3",
"sha256:20b0f8dc160ba83b6dcc0e256846e1a02d044e13f7ea74a3d1d56ede4e48c632",
"sha256:22353049ba4181685023b25b5b51a574bce33e7f51c759371a7422dcae5402a6",
"sha256:2c59aa6170b990d8d2719323e628aaf36f3bfbc1c26279c0eeeb24d05d2d11c7",
"sha256:32621c177bbf782ca5a18ba4d7af0f1082a3f6e517ac2a18b3974d4edf349680",
"sha256:3bc2a80e6420ca8b7d3590791e2dfc709c88ab9152c00eeb511c9875ce5778bf",
"sha256:3eac5a91891ceb88138c113f9db04f3cebdae277f5d44eaa3651a4f573e6a5da",
"sha256:4a6679521a58256a90b0d89e03992c15144c5f3858f40d7c18886023d7943db6",
"sha256:4c8c5d82f50bb53986a5e02d1b3092b03622c02c2eb78e29bec33fd9593bae1a",
"sha256:4f6f3eac23941b32afccc23081e1f50612bdbe4e982012ef4f5797986828cd01",
"sha256:5a0e060aace4c24dcaf71023bbd7d42674e3b230f7e7b97317baf1e953e5b519",
"sha256:6442cb36270b3afb1b4951f060eccca1ce49f3d087ca1ca4563a6eb479cb3de6",
"sha256:6c8fbb13ec503f99a91901ab46e0b07ae7941cd527393187039aec586fdfd36f",
"sha256:749c16fcc4a2b09f28843cda5a193e0283e47454b63ec4b81eaa2242f50e4ccd",
"sha256:7dd5adc8b930b12c8fc5b99e2d535a09889941aa0d0bd06f4749e9a9397c71d2",
"sha256:811ea1594b8a0fb466172c384267a4e5e367298af6b228931f273b111f17ef52",
"sha256:932205970b9f9991b34f55136be327501903f7c66830e9760a8ffb15b07f05cd",
"sha256:943f32bc9dedb3abff9879edc134901df92cfce2c3d5c9348f172f62eb2d771d",
"sha256:95c3829bb364fdb8e0332c9931ecf57d9be3519241323c5274bd82f709cebc0c",
"sha256:96777d473c05ee3e5e3c3e999f5d23c6f4ec5b0c38c098b3a5229085f74236c6",
"sha256:a274fb2cb086c7a3dea4322ec27f4cb5cc4b6298adb583ab0e211a4682f241eb",
"sha256:a52d48f4e7bf9005e8f0a89209bf9a73f7190ddf0489eee5eb51377385f59f2a",
"sha256:a606ef75a60ecf3d924613892cc603b154178ee25abb3055db5062da811fd969",
"sha256:ab007f2f5a87bd08ab1499bdf96f3d5c6ad4dcfa364884cb4549aa0154b13a28",
"sha256:b82a7c94a498853aa0b272fd5bc67f29008da798d4f93a2f9f289feb8426a58d",
"sha256:bb43a269eb827806502c7c8efb7ae7e9e9d0573257a46e8e952f4d4caba4f31e",
"sha256:bc5f1e1c28e966d61d2519f2a3d451ba989f9ea0f2307de7bc45baa526de9e45",
"sha256:bd0a08f0bab19093c54e18a14a10b4322e1eacc5217056f3c063bd2f59853ce4",
"sha256:beffaed67936fbbeffd10966a4eb53c402fafd3d6833770516bf7314bc6ffa12",
"sha256:bf165fef1f223beae7333275156ab2022cffe255dcc51c27f066b4370da81e31",
"sha256:cf12567a7b565cbf65d438dec6cfbe2917d3c1bdddfce84a9930b7d35ea59642",
"sha256:d84318609196d6bd6da0edfa25cedfbabd8dbde5140a0a23af29ad4b8f91fb1e",
"sha256:d85252669dc32f98ebcd5d36768f5d4faeaeaa2d655ac0473be490ecdae3c285",
"sha256:e143ada795c341b56de9418c58d028989093ee611aa27ffb9b7f609c00d813ed",
"sha256:e188d2699864c11c36cdfdada94d781fd5d6b0071cd9c427bceb08ad3d7c70e1",
"sha256:e2f1c3765db32be59d18ab3953f43ab62a761327aafc1594a2a1fbe038b8b8a7",
"sha256:e5b8daf27af0b90da7bb903a876477a9e6d7270be6146906b276605997c7e9a3",
"sha256:e7e3736715fbf53e9be2a79eb4db68e4ed857017344d697e8b9749444ae57475",
"sha256:e8c4ebfcfd57177b572e2040777b8abc537cdef58a2120e830124946aa9b42c5",
"sha256:f66efbc1caa63c088dead1c4170d148eabc9b80d95fb75b6c92ac0aad2437d76",
"sha256:fc4b630cd3fa2cf7fce38afa91d7cfe844a9f75d7f0f36393fa98815e911d987",
"sha256:fd5415dded15c3822597455bc02bcd66e81ef8b7a48cb71a33628fc9fdde39df"
],
"markers": "python_version >= '3.9'",
"version": "==0.2.12"
},
"subprocess-tee": {
"hashes": [
"sha256:21942e976715af4a19a526918adb03a8a27a8edab959f2d075b777e3d78f532d",
"sha256:91b2b4da3aae9a7088d84acaf2ea0abee3f4fd9c0d2eae69a9b9122a71476590"
],
"markers": "python_version >= '3.8'",
"version": "==0.4.2"
},
"wcmatch": {
"hashes": [
"sha256:5848ace7dbb0476e5e55ab63c6bbd529745089343427caa5537f230cc01beb8a",
"sha256:f11f94208c8c8484a16f4f48638a85d771d9513f4ab3f37595978801cb9465af"
],
"markers": "python_version >= '3.9'",
"version": "==10.1"
},
"yamllint": {
"hashes": [
"sha256:364f0d79e81409f591e323725e6a9f4504c8699ddf2d7263d8d2b539cd66a583",
"sha256:81f7c0c5559becc8049470d86046b36e96113637bcbe4753ecef06977c00245d"
],
"markers": "python_version >= '3.9'",
"version": "==1.37.1"
},
"zipp": {
"hashes": [
"sha256:071652d6115ed432f5ce1d34c336c0adfd6a884660d1e9712a256d3d3bd4b14e",
"sha256:a07157588a12518c9d4034df3fbbee09c814741a33ff63c05fa29d26a2404166"
],
"markers": "python_version >= '3.9'",
"version": "==3.23.0"
} }
}, },
"develop": {} "develop": {}

2
README.md
View File

@ -4,7 +4,7 @@ Ansible playbook for base and initial configuration of the web server hosting my
## Assumptions ## Assumptions
Before you can run this, a few things are assumed: Before you can run this, a few things are assumed:
- You have a clean, minimal Ubuntu 18.04, Debian 10, or Ubuntu 20.04 host up and running - You have a clean, minimal Debian 12 host up and running
- Python 3 is installed on the remote server (requirement of Ansible) - Python 3 is installed on the remote server (requirement of Ansible)
- You have a user account with password-less SSH access to the machine - You have a user account with password-less SSH access to the machine
- You have sudo privileges on the remote host - You have sudo privileges on the remote host

6
ansible.cfg
View File

@ -2,10 +2,16 @@
retry_files_enabled=False retry_files_enabled=False
force_handlers=True force_handlers=True
inventory=hosts inventory=hosts
gathering = smart
# instead of using --ask-vault-pass # instead of using --ask-vault-pass
ask_vault_pass=True ask_vault_pass=True
remote_user = provisioning remote_user = provisioning
interpreter_python=auto interpreter_python=auto
# Don't warn on unknown SSH host keys because it's super annoying for new hosts
# or if you get a new laptop and run Ansible there!
#
# See: https://docs.ansible.com/ansible/latest/user_guide/connection_details.html#managing-host-key-checking
host_key_checking = False
ansible_managed = This file is managed by Ansible.%n ansible_managed = This file is managed by Ansible.%n
template: {file} template: {file}

6
group_vars/web
View File

@ -1,8 +1,14 @@
--- ---
# file: group_vars/web # file: group_vars/web
# run nginx by default
webserver: nginx
# all hosts run fail2ban with the sshd filter, but some can use other filters # all hosts run fail2ban with the sshd filter, but some can use other filters
extra_fail2ban_filters: extra_fail2ban_filters:
- nginx - nginx
# root prefix for all web servers
web_root_prefix: /var/www
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

71
host_vars/nomad01
View File

@ -1,71 +0,0 @@
$ANSIBLE_VAULT;1.1;AES256
39303965636262373331663530663562363864636132363362616636346166303835336463326261
6435316332636438363630386231326231666163626335350a353662623034313766383035636237
38346531313235613266646665363135393735613836393838313164356561663431333864353237
6230666363363738370a306432643732626337376638383564323032626465306263643533653561
63326261323032303466656162303132633933643232656238643936306235316436616237333963
32633363333636303564383062636463393531326565643732396539386230393434633134306433
38363130626139616631373336653530343762336165666131303464386561646434363163333034
65323837313164343238623766373431656462376262393737323166306537353365663163383032
61393662393433653937313533313537336132663432383634343163653866306232326464626131
33356630666130376565663666613032333637633061663433623363626632356531313231393136
64343463396632633061353861613438613537666466613132316265326530343733343535333836
39376632373137383636623637373639653933623639646266336331353337343166313132613131
32373632323363616333303863656537613264346439326662383265323731613263396138366161
62393838376435393036383836646433346365306239666335356265616237336138373632313139
63613236613166343332363730356262373131646462373561663964343438623863636539633030
38353430363435616139353165633330396135383939396531333436663533666564653765336330
39303832633931653461363766616562323865383832663434356534386337386262653730663838
65623234356134393963376431653965353566303261386533383736316439636536363463633339
35323939373939386436336233333664313735376439353062306562353435323031346335666334
36306537643734316131373335613234363135393866333231343533623961333562646333663332
64643036386237626138633561613966373831326331636437636564616662326563393336636138
62643034333831333765636532633235653733303838393430363830346436646632373364353832
33376635336338303230343833313936633832653235353836633932393230376435353739646563
31653765393631316135366466353162633261386132633433313866363563386563383437623538
33636134646531383130663038343939333565613736363162366132303535336663646265353138
32376536623864656531346434383537396563383130386231336431653464326461326531393861
62356361636434623133383264326433333163633964316262633138633838393234343538316465
32656534623839343132313662636464333963306138356162623462353933633436333930346430
33636235303339353236646438666233653736653566356638653538366131646432373338303535
38643630363231656334623539633235393062656165316266626538663339363538343031323835
34383865663936383161326664353464393263626262383463616336623662613233656630303037
35633461643439666233666136626462353838323162653730646632636132323632663666316166
34373237343931363331653966306535396635306364643135336234366364303062383332376532
61623337326236623861326433653739613133666538396438643937353730363062626136333034
35353733633234313965616439326666623936303464323462313037303230346164353366373661
33613231316461386636383030643862616165623565623337346264656531393232323030306464
37393065386161383532663862333263626338393832343566383065316434656564613831636535
30653330393936323733373938353763643431366134636263616535343565656164343931326464
65653464373231636337313932636238376130323566323637376634626439366635363537623234
34656466366435666162643237383163303936383061393939356438303765313566343162303038
37383531326436373336363134663838346463613462333265663363323538663437623830363831
39333934316634386562333330613831386530633365613939393638373063323830636363356432
62626562366634636266333737343238363235613366313737383335383264343435623434353838
63633964333262616439623266643938313466396339343237666239363730393935626466366434
66333739373662656237386663373465303336343432393735376463643562303431383832313934
61396134393830303234383162633533336436346334393265363766386638303831613036343163
33663638323235613465363539373965326430323035656564633830656365663537393233626365
61646162383439626638633137656639653830366162636532616634313738353166633438346433
64633037343864343939383865333737366638386331623230303830343636363938366432366265
37313963633536396433376331663132643435376164393138653738376338623239323966363430
63346464303162306332303036346362626134363666396130326163613730633966393438316333
30626365623532636436646138373434343031643131343238353661623636623138346333663866
62393937376538343135353030653838346239393633343239313137663464353165653961336237
36646332663539363438343939643335613236666630616636623837386133396262303033333435
36336566333333393137666533323439303036653362333832346537356663656635356635363761
62363638316435633563396662323131383736663939633133626131616638653665633963623439
33343038326339356634366461346132393537613232623334326561366164333862343766386137
66636437613661616261336232316436353739316463383063363663383230613934663334333538
39623037646638386263643438623137346137616664396638366436383561313933633039393936
32383432363363666466363364376631346365373239353339633532666134396138373765643031
64333061343237616135643439396266616161333537333837643530633136313932623531653163
36373165393238306264353461383765343938393635633236313565393733306536386464373639
38386131623133376230653134316536356238336162356331376465613962356231316666643661
65616138333731313961316463643137373831616266623631376266643864656164356531316238
34376264373432356162363962353338393362386434313465643533396330386666636430663530
66396665383431333534383038333163336639613435333039633136366235636638393337613232
35636336383333376138306630383230383861396164386162323264376234396130323933666437
38343036656562636130366663663565666530623765353265363833303634643862313634326461
62643864613762386366633634343964396631356462346665663131623034303133346438613433
6336623030393661663631303038366630353638613337653365

163
host_vars/nomad02
View File

@ -1,163 +0,0 @@
$ANSIBLE_VAULT;1.1;AES256
36643866316634653430343333316233346137663238373035376232643132663036343736376464
3033313234383933656361343938653362623265653030360a396638643333633137376231663538
65313537316564303330663730333131633165633238643532646435386436623163346366383533
3965636630393834620a343531623964626135636337313861653361393733333463633234363435
64643934346466663934613962613230623562323666353231326363343430336637323666383634
36626136643432343332343665343734653435383336313862383863626466663633363738313563
30303666306439333836306161633432346636396333653434666531353966353430666436623531
31636562656161333830313362653764306137396231346334613336346538306432636639386561
65323737383865313264623934613365373465323065616130333837386665666333623832626239
33333230643332373238363432306466613737373132643134363563613535376365616130333433
35653262356233626331643432396237306237363135623830643536653938363461303738613130
66613036393338393037386162383831663866323233383736303532363837663039376166363639
34666237333562643665653165393730646632316237663337383937353365333532336462656362
31353934393363363765616335626565343238336262653361306164383030303835303666326532
31386332346362633433356161643536333862373030306364393935663061396538616637623230
66383163396139306430343639346264336464646233316636666239643132376164613666363538
33356365643430383732396235623038643566623131616461376261343563353236306663656634
64643035373039383031303464346264383066623762323161643561366164313461613038633531
36383161363065366164383932623231626633646166313835343264373366393236626336353039
66646338303731346337363962353135346239306562663737363038306433386230326636336162
65313132626564663738633531333662666661326463643032656136376564643938623061346464
66653239663464306430613563666336643839323537626338666435336138613763313364323637
30666566326463623438316263623233333434623366306330656564636163336636623433646631
65316562616136626330333166646332366537666664303766346239316535333031396235303466
34393664373361356231333530323865646333653237613636386632393730623330653437393164
65343266373237386364373862656138633263666633333465623836366233663537393539393638
34643963363865383434633163623832646632393234636136346137366361393638393461306337
64653436313065326637363632336565306137613131306364336537613835306332633366313130
34393732643361663731383661646631353035353064613931333330653031626435353163323633
65326135376462666435643837333131313863313630336566333835613132383365343234366133
39336131363366616136663636663334386361646465336331343836626439316532376566353565
37643361646435643133336333643837633331316432303062623062396564373137613235363762
32363838333337363035343631353261653063316138626133303937623233326531333837383033
39366536333434303864616164313137613337643730306261626138343764663662393161613730
36303736306631636266336131396336646635653131336265623364633038363339353933636632
39626134353866313439333962376663393831303261633431303035663130613265333739616135
62623138386235653935383364623230343662333138653562633266336534383963326237663132
38646335623532383565303466386261613931666438313261653434633934353739613431636132
39633133656230666231383936396264313630353434313035643565333661393736386637313264
63636337373334313937643261313564333564383566633730396364653533666236643433643436
33363061356362386535323038383637613364393639646363366630373735353234333134636565
37653064636536376638626135393332626539346365353661636439323338653137383866663734
62303139363436646464383266396464313565376132393937356665396536623332376134393366
30346435313566313237326461346362353633353261373038656130323365383765613739323239
38633934643531633037623036623839386637663762366631633033646138323936353433326430
34396466653230643766636636393735373363616637386662333535643536626261653264346332
34336337646133646261353939353166393530323730333063393365626365383366633464633236
64656535613838313461623864666362373030636366373038373863616462373939356238353362
36363535653734343533666532343166313964303236313135386134623963386535306435656330
38386430303330303837326138356364373439313836636234656331643131646363386138653065
64353837396533303463643130613339663166333933643362303565623432643064353865393635
65663362666130623933623733323933343065633432613965373764383035316338316338373934
65383061386635316331366532626437303664636436306535663365373064346136393063623335
35643062363536633332313531356637313032666262366466626462666663303161653635666331
32343130383231323239363235313031346438323330383938303733323436646336353163356132
30336136646261323866663530336335636464623035626635333961623363396239353935636531
64373231386163663962313834333538333133376433623363306239393462383930306432396562
65393761633834663431353032393032396330393338343863333939323632393438646331613463
35363530653161653266616331356531666434353663643364316564623438316132383463356437
38626365343733383735383939646331376531376563623231323535323735356630336130383835
39633335373163656431336130333664306164336536356431323438333933636365303330393233
32353437393133646632373234376431626332626333343866643463653662373861346539663131
32393333633766633738393937356134313236343633636533376665316134653632623061353866
36373761366264653737386331383235306137323965363265653937353833343362633433313462
32316466356335366630373635376561636233336165666661653632323835336563313134343064
30333033333331303164323133613536613636373333663131633162616235316636346337333462
64306336636562353733613538343462626233303661363131333665366135306332346135323136
31306535643539303936346632623930333339353439376462633462626165633437393830373739
61653230646366623830353630336661623466316136373264353762313065346632366164653261
64313830303466306135313964613537633236383535343132613332613733316161623365333163
38633930323439303030316433343764356538313632366635653437346161646439663563323832
38363731353734303932653662326138646239306261383232643537313365393061383663643632
31343736373739643164623437663239616663373335643262336664326365656137643066383463
37356666306666353339626662326135636530386462613061326631366535383034303830323237
65316135343135383230656638363564303635363333623833373163326365393430663235623231
35646632643735363730613462656562356139323863616266343566343861356238623564326430
31306366366330363036616137363163663136316565313334616164346639663465666338316439
33643732343062313536313233333039366435386235333736333937633266653761616262346566
32636337623266656464636634643632316134376334653932363134613336346539656438633137
31306439663834663431346133653532636664636463376337616539393239316465636537633630
30363461343733653465666332646236386633396530333863616236383437333931643731626364
38393337656130666237373538393430306333333033306466343866303038643234646339306233
32336364363838636563643939626665643231636633666166653539313461393238333461383262
62346634633236343433336531396361323238386262313565396265663162353765343037303862
63633034363664313733633433356332333633366530643863316364653065623161663932323831
31646530613933613735333834373532616136393662346431656363346364353031303262326134
31343332386166646530373635343039323163323366616263346431353765303430353636373539
36346461303730313630373637346266323331373733383465323037343633313739306233336339
63646137643332623834343462333263356432366631663065383962373634366639656133323964
64343035323863373139313163323562643066306139363235626532396436663137653635353035
31396334346137626461633436343539366635356537306231353961333963616334323037346637
33626161333264643261656661643933653835356236333831343563653938303266323730363865
31363562383666633636343935386535306361386234346535613363613363393065363832306363
63643238383363646137306361306265666435363739306463663637343761643831633261633531
36626562636333336434613365316232343832646163396338613839643064653834633832376230
33343265386162303266373033353332393931633663623734396133326232303465666432356363
66306338616634616631363662313963386638343266383063313166353437373433623736333361
36333163386630376262616362613530346563383637656130363365366634633135323863646363
35323430343033323734363533326334303438663065656535666432376661613435623365316139
30623835373535623662633131393831376231623663316331313661646531393338613532623063
66343665356338636438646339663761336636653332646233326264373435346263386130383861
34623265373463653165383665306334643233373066356231343666663866373739336436653933
65623134306536333538333061303066636339376636333438623666366362666137653261376539
31346435613134303866333065306237343162333138643339313461663934643234303132613961
65393037396463663034636534323566366161623365666466393634373764333437383263656535
33643461636362646135626164373335386130303766633434633062356630336463623661396639
32646565623164363631383731666161343762393639343839373234326337643766336263353166
62633964303733643035326535656561366139626565643938356264646239336166316534373261
30623765623338616537353062666338376262393966373033346233383132653839323731626663
66393938313132653538313031323538333263333361303661646633366633353534373837313935
37323635633431623365643738623834653631323564393436326562326439666462306263653331
66316134616432323939373366343564623264336632376132663462396362663134643236643832
31393366653961323763333335303135383934633538636335303435636334343737306232373561
31343139363863326536613163663862343263313630336438666132306162646130613233393935
37336330643361323032366433313939616134366134393032613862616136393339643232356139
35326534623263353766326132623330323639303230616263636536366263643339663838376238
35323731303163616236306439343632353561646339663933313937363739303864336438626638
64633139633338623431343236333534373835356365343536636261386437613538303334663739
62396532353832323262343763353365333561643633353638313534393164366539353431396336
36653563633237333730376331326432663561343463616135613738663130323936373136393538
65636634363631313364326665336164653939356133333031633632373030623666373562623564
64616365616435393231646236623333333037346363666664666233306661353337343066626136
35666164356537323735636131383266393064373538303966353531636561623032643233346566
61633465376631656636366662373865623764336135323865316336663731383335303330616231
64313836373063313061626365316538653831316562333165616531643434633964333438333665
66376634323531356538343837326636636636393639396535346264656531613733386337353966
31363730646365313834316234626532663563613234643563366566373662616335623035393536
61653334346336613539313732383438313132653738393339373661336531633565303635353665
31383939643261666538356633326666363934643738636430383537636165623264616236633863
35336134386437383539303061343261313530313366316338663539383238663966653837663331
33386464653161376335316536633532383035363066653234626363343232393165313463343930
63323435613932626435363235396236313365636166663238323534623038663034303365326566
66306635373433313730343536633931643935323062643136383434643138306138363366663834
66613964303634616139323832363633363063653237366135613964663733376161373937323462
30313833623733336366356635323261613132393734613735393062333232313236326264323366
32376535616334376137663636633333323665333939363366313432633436653864306532393966
61636337356534373164653637633162613235623364396539623961353466303036383031363162
37313364613939613939343538633665666136363135656330623332656466383139656234336133
62366262663064623137626363613066366666313733623463623562636131323435346264653564
31323431663339653966336230356339303534353139663739363263633564373364323937386434
37306462653630326366316530656462316539373263366262313930356663376334343562303361
61623161613939616666386336626537333135346136643537326635383939663863623332373033
32643730313861636163623133323061333631333332373838636163326562633936363631653062
37336661626336623462616562333264373330323363363630313739363962323735393332303562
62393161323962393039346432353066646162336332663636343739343566363833333738316437
64333337363137643931366536396333633538633830353865323765616264356335383031353534
33376363386630303332643263383738386532373434613963613764326636333133303262393832
35373930383662383064333465633736363063363434333662396331633032353733353334363162
32393361643562623362333963663262363235326536396131643435306665343438333933616466
34326634373965313638666337326633653938343561663739333464343135346437636436633034
62333039373136656664363531373430356363363736306533386135323061316339326636643739
38363763653331646638613963646138666165666439643065363335343132613731623264376536
37366533636564346661343966373964353731623861633463363638356163346165643164373535
30373564326263393436326337653631383731313139636339356433333830666265343165323330
36616538616534626237623862636536303336343331383237333333656637303266616137336439
61653631636632366563373034346365313337356266636338336663643538303063613036383831
65613635336366316263336131666238386237366264396438383966313762626639643236313532
30663235666662396231376631366139653937646132343639396430643339393165656266636235
38356135666433323434613238356537306630643861353436323037353461326534313632386232
63643261373263646437373535333036336634396331616330353233613564363361396437326435
38396462643833313362633436303637323163663166653231653866643733616432323663316362
3037356363643462356137346638313963376637643162623062

71
host_vars/web21
View File

@ -1,46 +1,27 @@
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
65653532333862366436303432656664373261323934306234623534633335356466623330373063 38663333313561616264323430323162323837623430363739623561633331656664613936666665
3164363863313131303330363564326130383433646332640a373233653965653164353663633038 6364373033623163393239663035306337383066343438310a383666313434323036643037363065
63363966646361366637643261613062393736366361356235633139323537636638396264316534 30396333626130303633663930663965666662646233393439376661346265616565616236623366
6366313732323066620a333738656661656537646632326262663862393434663435313037653564 3930373433646231610a336233663132306263656465633034333030316362643939316465666534
66303732396261373436373538396466643330633336623066313933323266386438363566343834 38353961393038613961353732613434663565633466303265383231343336386330333464376363
38616661303931376136616532386637386130326264336430613336613836323666326261643838 33616330643364376332623634363766656366666239633964316439376463313063333162343963
36613565323062626662313864633539323538316562346533363437373766343764346132333631 61356634393438313063666434626338616264613639656462626639616263366531663135393466
66336135383732393939383133626662343335376531336364303662356566393034326635333066 66346635616439306364356133303664376134626636616131373138656562363363306633333164
64333635303633306639656161623631333139653034633939303565386330383236616364353136 62623135343633393834393165383231316562643062343165663235313930663039623135373263
62663536613565383064633235613539313933373530306164356462353861383761363931613430 61343336643235303962333938613230356465346436376334373438386461366231383737643137
37373939616564663562376635333862646234353133663331396661626234356665633835323137 36343832353730366131653430633465383163396336353065306638373166386438356264616139
39343462303438376131626335346637316238626462333430346539313838386662363031336636 65346635663338366463343932336231386235393836616238373864626235623935663661396663
34366132363439653137393662653661663262346632306533376565353037616362316161333566 31633565356465333737303339333435383162316530396563333335613062623138333232336162
30393530656566643136613039363537613035666465656530366637393664343665666534383837 62376363666431363931663231643561616562383230643737393261623934363633313231333137
63393133336664313466636538386338653937643563633737633962626562326637356661633463 39383238656237343661626662366465356463396336386261326334613436396364633062646532
61613231346532306265623361636330376563396266393330393166643833353165363934313533 61313136366636363861316166396134316562666435653437326331363563653035343138636163
66333832373035376334326336616534326566666361616665633363383032393236336634303232 66336139636533656334643966383962383734623565323435333665666164353732663736326364
36656336316635376431396233626539633839386533333436633264613761353361333565656233 35616264383237316330386539363065376334643432393636643464646238633034333166663665
65373331306434363938393339333133336461646130666535343965646536656263623530666333 33313166393738626133636136346637646437306335326263393634363133663736666338313838
36353664643132623465353661656466383363376261363534303462306661623564663561656664 64623139613037653461643563666539613237323934376534376461313833336338623032616661
37633936636263623065366666666530616264396334623766613036313735353264356162613836 64643062663633366436383232366137373936383430306332616634636331326361383931363961
35643737346530393933643537333561356465363239353630343333373038373836623231336437 62313236313563326438303935373837666434313435653236643135303739373763656562393537
30343932363864663435656634343138353638343461623665336461326565636164643231323133 31653265653739346433663937343439656231663963333633373066356231623762313438393763
65383664633665343365363764353566653635663137633033303731303030613565653565303433 36306336656566633034373834316363333233326130626639313130643935333437653934313636
35373930396166646134326165653436613137383630653338613634633361623432373839376430 32383034346234333561333466653561323834346166633831303566376266373933356536383031
38376630633363613632316530663839326538366366626230356337323536306665616661373261 6236303934323963336662386666653138313165366133303434
36653965623936663963353836653636306362663062636466613034333532633534646635313737
33313962323636643132396166626566366466336238323163656332383530363833613633383165
66366239613530613264313739396661386165343162633237303034373765643037656564653061
63373036356134353633633532663365323932633531616261373735313737333033353532656434
36316339303930336464393261323035626330366133626137373034396166336263333964333963
62636432386531306133623163643461336137653331653861383139373938353162636566623566
35616637663638313566653832343634613632663861333162333932336264613730313864663663
38396563373339626365353766646565336335656539393738376331383038353436313963633438
33373433613034373763643434613365303938373764306662363635626636633266643035663836
65353632313137366231323764313036613134643830326330653763656362343561643964623361
64336565666630626339346563663931393035363938663734616666356435326638353131383434
65623539613662393936653161663264343132333936303661643534343536363165313564333037
39343561656461313265393466346662343530313230386266646662633262643464366661363630
63376463396631666366313266633964396137373661643764666537366539373337333731343933
31613232363436643236623935326265353666313861303531633462623363373536636534623532
66636533356363353735653839646263663631316239326164646463396532343038373861393033
36623962396231633164356335623865326632303237643864656335326435373234366536313565
34313638373063303434613663323136646263393036356336323532373130386536306235343165
6462

269
host_vars/web22
View File

@ -1,130 +1,141 @@
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
30653064396464333266346335623639626664323437633033643334333131666533373636346562 61623539626162633765633037643066613863623631336534396535353439376238646263306463
3064356161636364306236663237383737373437613335390a386266376130303236333635356530 3762323765316137356636623430333662386564626536350a333334393630653733353864636162
62393236356533383061323034646466323464636635643336346533363362366130343637353234 64623562623462373337363339343832336439363832653666316335313633343663396438346365
3438313633323564380a383963353238303663313061316135383530366161386334363836316530 6531343731363736340a373839663837396138366237303636326363663366656564306663663934
36383038323835343432393735366233363561633034623961646364386539643864303533613439 34333862643232383566306335363462653035313039353764643261663165613861623333663136
32613561343837613565386235323932363664323665386232656532616638386565653835386333 31333131303630356239636334346466643433356661383234383132653865326634643138613666
64616164303332323565306161303936373530323761343235363334363330313564316635343737 35386430646239643535373264386535316135623633303863646564313538323532333739653636
63333566646262613339333130333165353037636330666232633963666335333161313562636339 37393833363564323533333963376334326536666535626530383165613938353232356539633732
64653034363136323431333137653736646463323762323866303965626565363934373834633034 30633761336638636265353764643063316538353065376431616165343936323834303733326433
39616562353138653834636233333665316461623335616136313534343933613065343962316163 62626233643630643835323834343461333365333232373236376234376532636431396232633034
33363464623233313336386134303764623338616464623735653836623565316330333561393439 34303538313331383332643731653634313736383261393563393232643466386339363836623466
62666332653863656537326235376532613135623435353762316261393162383732393463303231 33383633353239623930363765326638643066373332653264633437323536366233383030346135
64316138623466643331326464633932386636636639646434633261303564653665353530646661 61353636353239376564396336353538616135663237613137366263353730366263643961373461
63363337373939626535393963386364393862343039623633316364323863616236616464376630 36646132646563646133373563653034646330653931396562643832666634383439313764646535
31356531363535336639303863633430626130613238663237366131663738343330396665626333 35643161356263316638363662626662346232633230363731633263333566376262396236363161
35633032663333366131626331363964613530616333383031633937316663663930666433643662 38636138306366666163663861346639323630663039353863346161613336363730633738386635
63376431396538333566383234666163323734653965326466656137336362643862366530316164 31356638623938353964346436353565363431636238326266373863316464396563336461336162
65663436383239613931383138646363623037666338633132353034663231653466363735313834 37323962343637626634386539643062343565313431386265323166623437346639363630343739
39363131653232356137343532613664353438616566646339623334306234346132656436343663 63613738656465346261653538643932666235356635346564356234613265353761393263373965
32366466623637613366333866316432643763616465633639383165366462656131343331306635 37326438346432306165616538363334653732643138643864633731363936626433303961373465
66336264326661313136663665336366616633323834646336633266653961613635353337303031 38383535396665643037363665623739346230666539643835343862646464303436303561313035
30393531383631303734373162323233633032353730616536373033643861393039613164656336 31356462656230326137616531363461316365333432326230373632356632313765333464313164
30396132313432363230373663386534646361636430336138333735393366643962326130396637 65393537656364656464343237646137396331643165343639643330353264333066633432363066
66313966393863313134386335653435613037353061656366373862323865633630386162613437 31336132373162393033363636386632313938333039393533313038623633613362646134363162
33623631303363666538373864353365616666393139386330373130376531323132393034333930 36346532306166346335643636353439323732663763396432613537316234376366616262626638
30333231316462393035663330333036383234613962346633616538363962303733643935333930 38613936626237343464373937383464356439383934353264643632386239353666396133656635
32356330663639663135623738356265393431323937633162663166303335663464323332373931 37666534383461663433653139383732383062643939653066656231646532666262386239616433
31376533303861383662623638346566313231393465346139646230306563353334343262316664 34386335363663313933663465623534633163316635353439616532386565613234373039653364
62303439323630623965666162396636373162356261663063646636633662363530356666653862 62376565613863656232643631343634636366643034386466323963643837653831653635333865
64323637313435316362616432363038306634353464306162333562643063373938363239653666 37383834626362613235623264613234653236323236383632356666643465313561626137343330
62616435316230306637383365383665313561383139633961623636336433316365313131613465 61643963306363366638306335653364616264613766346539316337623466666537616535333363
33333561656435653630353139363233616363616234353538336564626566633135396131383434 35306665383339643834616463396362663538303031386639343932346537363866663536373634
37633165643637333539323935663561316161343431306233386439306638373130316365333234 32623738363234326361336436626330363962316163653733663663316139393134666632633438
66653762636163393030396330663365646538363533643366643164383332306135323935313938 32303463343363383663636165643730653138356538326137613730383863373635646533373066
65373331386361373337663466313331333234376533366661666435383931306466373162623837 38323361373665376435313266373439636533646634326533626135313462303739313430383730
34376136336631366464623630373264653931303038623262353130376635626365353166326535 32333636633737376566623663323234376235623039313865663232323761616532666466306264
63643865656333376265656464666332343830393234633265386234623731333635653762313639 39623434333638323065623830656535353331326435643464333035326338366136666136663337
64616634346137656634613831383733326334343466646233663832303331653866323937383334 34336366333539333232653263396231633234313935396366646639383465326333653236383362
37373635616538323931666434626632623635336432623266346662663966663862623636373338 36656563653465346439653230333534656530373766653733373765623234336466663631323765
39666565633232643333626234306466313662316563353939653435663039333362326263633230 38636262373831393633343262356538393736666134633264353037383033343436346333306565
31646637383337333538376266333239356637383735303161646237346537376638653931333863 38663637333062653565666163616330393637616434666634633839373966373666323831353338
32346464336664313134616530623564356230316132633433346262653438303966643932343633 33666235646162343234343336356563663430643035306333623136323461636135386238396137
61653830303334356534626632633839346666313330343636363530316261346534653436326339 63323830316634653666333735663533336262303931653666356531343464656132326134313831
33343338656636313139383536313366653234326165306130653431396433656434303432656537 30666466373833313331316330353539646534333135373364343066643536636335633264306334
36393632373330323439663930396432323539306235623532326238323937386433383664656263 63396133626234323734666162343835613436393763303836383839323338323339313261383033
66353237313435383933623730646663343064336532356232643234636234356130666166396530 33616430376436663966626230343436643032353636363765303032333637396531623265393064
66663434383763323135363161306161373336303364626438383066376130666535623438336536 62336330396533346462313638613262363435306330366561303336316239313731623562316366
38343862386636343337613130363531656163346538376262653866613962343663373931343131 36373864373763383236663163363335373435636431613562373334396432323633373063346564
32366163306436353566613135346433666630633837666563343636303465663162623164636463 38616637316162396638356234323436383765663036366363323964613264373638656161393661
63653534353561393533656432326237323937636339613063333964343534303165353335653239 38623234356137383936303738306263376632393533613739613636613561333262333537616336
64643466366461373166633831373838323533613631653830336538626136616161623462346366 35393739636533373865343533633961316137626337363336316333616162643538343362613634
35333966666231626336323239643966323538366666646335333537663461323763343361633339 34376334393134643963383634646432643763316232656135663031373361346332636662653266
66366266313134333461623130396434343261623236616231633533656334373138316434646139 38663931663239666462626664373064666366613834623033346133306335333462623931646535
32396639623139383565303261643165366662633065343461613437353765636333303061326534 65343966313966386632333133363965623436313237343331366565323133343833623232326337
32616539316631666165336364333264386239326466373534313638336630306439653132663962 38363234336137633035333362383164656238326434366330336662653435343639663438613062
30353863346331366564376536633834656134386265303265366233373933616235623432343834 30346336353964346362393832653835303730383934316563333538376333353830376661313065
62313530663038633665653235386534306130326639386231616233326433366463663361366231 31353837333563363561663931386264346263323665616231383538353937393330303163306433
30356638363639393130383564303538623831653230653338633633366666383439353132363032 64376662393464643836636162373564376664306161656539626132313232343861396537386462
61353134376335633461303138333863666135323138616464333438623536363734656438316231 32376636333564323137623862396135313863306337346131323834396633333261633438646561
64663030326361396365346339393235373636313763623865393163333238646536663066356361 31613734343839373735356464643865663061363338346663353932313635393138613538303463
61656261323566306433626432393339306437323233663762323232333735323033626236633666 33373333373230383336336462636333353137303563366234363737343437323336386335633739
34326434633437336238646663633863626536653230386436626130373434346231396263313166 61363266633065383738336537346331376663313133393761633530633932643739636238633565
65313961393732333431353865313530356365333462653666663865313034366462376330366439 33343236633834383933336466636663383566633932643464353665643733613137633538346437
63616261386664633963393864633538366662653239356261663561653139326665666335306138 33366361663537343931653537333737633463336135623836373261663538303532633763646432
35326232363166653638383830356565303337323833323233396634353931626331313039306433 39343361383335636433666431616363373161646265393231353265393436633238303066613963
65346666373334376661353463323434636235636234313764323330353665373339653866646239 39633765663339643864386334613337666138333538333762353866333464386232396530306335
63346636613065623233643537343237356538363230326431326130303464336637643338666562 64306461363730313061633831343839613065313061326132613563666563656131383236623032
63653266623138653165316635643235303131323861306235353135623564366337646166363830 33346234333966653732643263313138333262343461623736386334356662383536633062653832
39643431356464376238366134303231323031326437363330343130326136383065626438623930 37626132376336643563396561626636346237393138343133656565643631646530326166613061
64623630346230343662626133313332623661353663383863626565373033323065396633636430 31353863623430656433356636616636303961336262613063616464313832343030333937356662
65613861303964616633373038646162326634376363623432363161613632376361613065613234 61353136633539306265386335393035313864366464303131663337383636363431636537646461
35363963366662386334306233363233643465366164316434373538643732663236616539323133 37646431643862646262623038336635653764383165376433666639363337623035616562663561
64383761336233656534653266333832383632343939366662643830643065316464356563376666 36613165393931336639306662656136663231316530663266666135353461613538653734316661
31653762616163396134363238346563623961653738383132646264306339623961306561393732 36363065663261323439653733336266613539363732323230346433353363333637616635666234
32633635336436663435303731306666336365613030646236363634663731353366366337396435 36373439343762336161313965396537363332316561303235666264653038353132633561393038
37316339316534346235666664646335373335306634336262663566386336366235646635336238 30373366303136656661353664396261393136623436323930666430636435623362396636646161
30323861663239366438353339633863363536616363396365643361363331633463366162636438 63613734663964656139393531316465623130666663376266616137316137616233373630396663
33633364353333663538393430323434373531373536613837353833646336356332313837326431 32326166663731643837623262393835656532393139396535393732626164316136626239663230
36666335313163303933333734336532303832373465393939313636343635313737653433323531 35326166346162626134626566313963333661643531353437666139396333343335306633643531
33646636373431346432343630633034383936613336353839616632343339643262656330313436 63386437646536633430643539623164306139316364646136306366373732373065376561303431
36363538323038623765616636366537633332343465326564323830656333383330393461333638 65363237353163656162393264316263303366633630303532623130343066636132613865363662
31633561626265613839303265663164306166313331353739613661313234626563396133353430 63323233323064633238356236616665373933626465393032326134363434613262653165343166
63343664633238316263303662633032323965363939393238313062316166663563366534646233 38313263376637383163336565376538326532353766626264346536353563663464623737653430
36393233643635353333376462353563333536366533643664303232626564623461643266303530 66373866343865326331333833353261386132393234303536353864343934353039323038363630
33616333306262656136646238366631643963356266306533623962653462366335656333383862 37373632356461633137336230353762316562353430323761623861343639393030653038313632
63623535316439663664653862386565383737333035653732336266393266323437383666313165 66636133643566306432333038623866333531613334396432306666316439366435383661336531
38623336653731303464643363643034623333306362636536323137626462326632346332343762 36373333623266353461383431333462343037306563616231663563353833653839313538613631
31393235303962653533306431363062386331666461366235396337646532316231373136396562 30646130383932343865363062313836323365616639346537663461343164363934653737613466
30333734666134623430623030646166653831303963303837353664646561653031333935353931 38326234356261343764323063613366313633313766613736663033666664613433363438646366
32383936633432313964616166646664633330656637333133363735613631616264613034623237 64366333373164333838363934636366336430343032316562653137323634303833616363393063
32623563313164663563633263383839646231363931363136333361613537633439333564373934 35343330663434356530333535663664336463396533393564663138623162666563323736366135
39646639613131626430326534346639306136626236303635626438343963666262643330626563 63653662306265326238363266393864393630333064303861376432333432386262306363336135
33666262393363373237336531653236323161613237613636663736373331393734613661633332 32333762333339383662303931376631326638666635353433636461386264633166313336636663
64353939383463383261626537653637363134393839623434383066663432393361643666336364 36313336663730363937316539623132313937633032396462616634346630383937353034343332
35333266343261663963313064623932353133613163663231663565663765343630363139636636 32346164363362346264353965633761306163343131323661313836636438646337396238653962
32613463363932333166666364646235656661343161633764323831306337636666363565323831 66306666366663343731333338666463313139373033306137643631313930353932616339636337
63303935353933363265386361653863313734353366613430326536393761343262323632313332 39363337376232616139663863303430353530643964633333376561326339373334663862383230
64633635303261313931386165316161326164613635613537663466646430376139306333373366 37613861373836643762386339666434623931376266643361383761373235393035303137613838
38326136356333633432623237643266633361376363393034383330613034353830313039646237 39383230393831373836396435323734316332663465376136333365393433633065666565393033
64346666616363316361356466383234646436663863373961666636373863373436373334383031 62356661346433643532633366313132313137623134626431343532373461396462653738613030
38653836653563383666663139633164643361303732356239323435356630613239623962366462 39323566326239383434616663626330646136386463646331616431386235633435333838363732
34316166326334613131626230613363303334373537393134633930663636626135663162336636 33633063363065343032383736643634313034663632373237663132373561656530396661326366
61363633653666323832656362363532663833623835613732363339336638323662353130653136 31313738633662616663646163386461336537313236313930336466346161306535373965366137
62393338646662303934633438633935316563386135663862323438613234313138393364343461 32383934626563663033356466653162333732633639363563663464353466383233373830633361
31373963613431313966303339666531626161633361383836303534333931363135353062613633 37326531636262313337333665626233303263633461356331343261353838396661656138323130
37336637623731623838303639653832633866613564393232326261336137363862303731626332 39316634666432656638623733333531303662613062323430333933626264376138393665363964
36643438663564333865326263643834373730316136376538393731353165316331346331366532 62633765313262653165393332336539363263636362383262303766373331353363363564333037
63633233663966373934663532656530623765616336376634613366376136613831313239656563 39373164633563303461313830383632623438666333333938613066313562623233353665653631
35343464376364333035356639343966326335663432636363323339363335656437336439663161 62313634373537356365633065333763333533313730353235363963643131316364323031643235
66343434383334616535313330396165316262393962383232343564623833313964346635326264 64313731343735346533646430346565393365363334626563353030313663363930363966313339
31303139386463663539623862643431396130666537663137643439646535346631396530383134 34346130626633333239663935376663393962363761663935303639346333326230363730363366
36333663316434613933623965346264343164316132346466643262616235653266663765653864 39313230353130373733396264616530303534383466633231303661663635623266346235363163
32643139396430656136313235633538313334383538626532356664386539313161376662303837 61383761623039666462383266666565643930303664616432393434666566636437616536626365
64393230623732643335363164393733386131323235613065633530383864343161643562323735 33336366333139633138386366333938343630373965613865663830366333363363303565633238
30333766383030666463363535613138373735373833366661366563616532316132363233333737 32313762303739356433383534653966376231316366396333616435343539376432633837666635
30353137303439383038663063666631666264633062333837353837363731316662313636326431 31396137373263386365616237396232376664653266663562356533613263323131356266666264
37613939333766353530646330653532353965323864353434383035613639643263663762666663 36636266623338323861303237623361666130373938306539343438316662326536376438306465
37636463396161656335376539356638643539336330396432356338393665616637623039346433 62656463356364363837353738663539316163346565333431343363303564376436666631383435
30656161666135376130303566623132303738323038363939363733376666646431643465303065 65333066383335633462613034383139336262393865383534323032323730343865303339343239
63636263653262376533646636373536373661353063323431373537323930626638613735643338 62343962363566643566356433623133333363343535376534333938623033656334613432326533
33346565363462326236373137306332616562666631313131356634353961383165383939313665 63666339373135353331326363303064666137383439663738373236623137383562346439356432
32613438333061613139666530313962366536323531663866313638626433623736613536633965 62383365373063376637313437346333643637376234376434613666353734333039353463313335
32353635626161363930333562613536393238366333366365616435353164663265643831303566 32326564343139383035313261646635313939366531323530393434303735306138633435333037
61643333313635626231373564363730313731646464373566363961396439333433313432383138 65666533366634666665393838616533656338353938333437363939616435636538313937303631
32666438333637613633373537326139343266393335616634353961646535616237613764336663 32663439396165333633653531353835366436323062326535366432313936323031613639633164
63653437396538353238383138656535646539303864633235363535376635643362663064666366 66323234613139626433326130396232366231623135366462393366616365653337346261663836
62623165333234393435343233373430363161663936343165346662336366623532383730353136 61386435636361336334333235663865343262633333633162376433383062336663396162303133
66643739626538353036663739326132336161623363393130346365666265323765346232633264 32666437336634323132396664373930316365626131646636366632616138626366613737616131
6337 64386439386265373631373232626538323936383162333535383134643438336336636435613033
31336139376434316432343139363464616136626463396534646239646633363164646330373161
31663233393234393837356133316462346563303435663262363532333963333535373031656434
64303262633166346534396166643365326262636431353065613236666463336238633838633636
35356265653935663963343737616563373663376239613436663138386566393438323735393362
32616238623538366639373762336363353638306539336263316338323666303866633935386433
62313865303732613266393066386533313263313432356434363734626365643338646438646633
31346463313236643862303034363737343731343934666632623130613932323137376134653265
35326164303031623235303265613765663263663333353066333633663636323635383832373865
35626135333634346637346537373962646236376431393266306436333634646263646266326234
37383037363364306230646334333532613464353931376338366532326134393437303535393033
34316232326462343662

67
host_vars/web23 Normal file
View File

@ -0,0 +1,67 @@
$ANSIBLE_VAULT;1.1;AES256
64326662336532386161646564656439396461666266656463393335663130323930326139386562
3639653630336132663666646161363938386334323064320a663564613066313533353433333434
30346561616465646163646534356339666639333862623637613435376361323032636439633930
3731313063363337380a373961353530383764623830363935626231333734303364313565626633
37343037633862633632613165323136373662396438613663636433346566653064653632313338
36396333393334336434326630646164333531306432386133353664336535343363343939393464
34626335626436353239366138323863656336636536383733363931633933636331643263653566
30613931616462373336393337363430353962613665353936383533326364353365623333316664
62383439396131303831326562323264336638623461643361663763356236373464346464316237
65393232343733643338653734326562626166366562303037613862396564636662363066356664
32656363616637303039373732396533643432343961666365313963383131643464333765643737
32386165666131626365313938633530346361383734323334613464353862393931323836626563
62656531346532646530306463653364326362613162323536643836643839663933343132613435
63303234646335306632316166626266313635303566396363333464363631353834373761353837
65643461623135363139646564336430353461336433633765303138313730613630346465326666
61393133636262653836333664623333656164663361353130623863653863323131326136373238
33376333316433653337373834666136363130373261333330643439313734343036636364306532
63343662383539633235356162656366323965383331343139616361653466633865626337326562
63643761613536613334333065643533323066393764633931633066353064393966646161376361
37623939386636346161346164303832303534323038626335336665653634386132343031303861
61323765306366333936303765636436633465356539316631343562363535663932333666363035
30386233623265636464393662386464333430396337626230306438396563303437363938303061
32653939383136376365343934613339383563303935623664633639326137353437363261393637
66613331643530623862636665396536613730306537373666623135663837393466343261646461
62376162613861643633656334303132353034333834626664666237393534386439313638393933
35643663613432323432646466386434363335353234643264643463613334356462313766643030
30336364396235663230356235303264323339643761333036333537633862343862386130626533
36626536396663393031303533313238616133323239356634303830353439363133353839663266
36306539636563633734623162356230383232306138393831393336626336383966643335376564
36303730313936633361643736613736303163363536313038316432323039643362636538333037
65613663333032623035656665393565366363396134363832363163656532363537373435623233
36373961333237373264326634353363356537356538343663613034396132396366626330303365
62353461616434343938386237373365633861333733613631633234623034366364363761613636
34393532316466323264363363653335366639613731326131393335313039646538626665356333
62663435633539643237326631636563363833633130363535653336333538366137306235663730
36633934636536633865376262356239303966646638626638386536366662386432343466366161
36646436636538643366623864326630396565373462393132343834626638313437316137353564
34646138616438323065336266366434316135613938643131353034646230396632386433366365
38616436346232363563336439613939313464323861616530633962316634363462373530613665
63653636646565303664326631363535373037663734663965346430363831613431613365393832
62373030336262643430313635626261613232656236333130396537633238623265363932333966
34326135363762396564613064323135313663613565646461376162306532643433333336666532
65383661303137613335653336663666653463623565386137326662653839633536326135633764
33623437333931393737363061356235336232376437643131373531356566323336306138353561
66333863313461613930383231663162616261616639323238646439656166666261626533636161
38333362393033316266633364313739366262636530363937386137616234326638303137613433
65313962653566333364383732386165396136303666383439303064326463346563663434646364
62396130646632653039383661613638303162363538376236666338623865366639663138363636
36373766386234383465316635323931356233366262386135363238366538623135623361386436
64653533646233653463656334633566373433303365353965663732636566663332343337626337
34623861373562386264346430333133343631653631376366373735626664363965666561306262
35666235653235346233636361383566616533646662333662323139313865383264633734643263
63656431393834633935613430643839613433326431666665323136376562333737383862313261
65656431336439303563373833343965323965346439636131633366633431393032613963666539
38326539343132326334316233323362633835356265333031663066643535363639623031336362
64346230383638363763323462386261666266623134393139303264343234623132323437396630
66363738376133393731616535653230303262313937373333353932303038626166346366303163
66613831353731373165636532363165356561383137626437333563616561386666623234313438
37333435306530323235393164383138346131653235633536383636316161316238313064636261
33353963333430383236303038333939316637326130396430623964633338353863613534653663
30333839393230626261663966616230303330636335323565663938343562666663303536636332
34336665323764663163653161373166313631393534326532613538313637313136356336313433
34353036653738343433613763383137336562373332333062326134626638633938336364376131
61303435333163663636653135363162303663663266393438656430306532343438386436343735
31343231653263373532386263653263386435363633396638396164323539306233303562303862
3339306136613431636138333266633739323666633431363039

4
misc-plays/change_password.yml
View File

@ -13,13 +13,13 @@
- hosts: all - hosts: all
user: provisioning user: provisioning
become: yes become: true
vars_files: vars_files:
- "../vars/{{ ansible_distribution }}.yml" - "../vars/{{ ansible_distribution }}.yml"
tasks: tasks:
- name: Set password, shell, homedir for provisioning user - name: Set password, shell, homedir for provisioning user
when: provisioning_user is defined when: provisioning_user is defined
user: name={{ provisioning_user.name }} password={{ provisioning_user.password }} shell={{ provisioning_user.shell }} state={{ provisioning_user.state }} createhome=no user: name={{ provisioning_user.name }} password={{ provisioning_user.password }} shell={{ provisioning_user.shell }} state={{ provisioning_user.state }} createhome=false
# vim: set sw=2 ts=2: # vim: set sw=2 ts=2:

2
nomads.yml
View File

@ -2,7 +2,7 @@
# file: nomads.yml # file: nomads.yml
- hosts: nomads - hosts: nomads
become: yes become: true
roles: roles:
- common - common
- munin - munin

11
roles/caddy/defaults/main.yml Normal file
View File

@ -0,0 +1,11 @@
---
# file: roles/caddy/defaults/main.yml
# parent directory of vhost document roots
caddy_root_prefix: "{{ web_root_prefix }}"
# Email address to use for the ACME account managing the site's certificates.
# Not sure what Caddy does if this doesn't exist.
caddy_email: foo@example.com
# vim: set ts=2 sw=2:

10
roles/caddy/handlers/main.yml Normal file
View File

@ -0,0 +1,10 @@
---
# file: roles/caddy/handlers/main.yml
# I'm currently not sure when we need to restart versus reload
- name: reload caddy
ansible.builtin.systemd:
name: caddy
state: reloaded
# vim: set sw=2 ts=2:

82
roles/caddy/tasks/main.yml Normal file
View File

@ -0,0 +1,82 @@
---
# file: roles/caddy/tasks/main.yml
#
# Configure Caddy.
- name: Check Caddy package signing key
ansible.builtin.stat:
path: /etc/apt/keyrings/caddy-stable-archive-keyring.key
register: caddy_signing_key_stat
tags:
- packages
- caddy
# See: https://caddyserver.com/docs/install#debian-ubuntu-raspbian
- name: Download Caddy package signing key
ansible.builtin.get_url:
url: https://dl.cloudsmith.io/public/caddy/stable/gpg.key
dest: /etc/apt/keyrings/caddy-stable-archive-keyring.key
owner: root
group: root
mode: "0644"
register: download_caddy_signing_key
when: not caddy_signing_key_stat.stat.exists
tags:
- packages
- caddy
- name: Add Caddy stable repo
ansible.builtin.apt_repository:
repo: deb [signed-by=/etc/apt/keyrings/caddy-stable-archive-keyring.key] https://dl.cloudsmith.io/public/caddy/stable/deb/debian any-version main
filename: caddy-stable
state: present
register: add_caddy_apt_repository
tags:
- packages
- caddy
- name: Update apt cache
ansible.builtin.apt: # noqa no-handler
update_cache: true
when: (download_caddy_signing_key.status_code is defined and download_caddy_signing_key.status_code == 200) or add_caddy_apt_repository is changed
tags:
- packages
- caddy
- name: Install Caddy
ansible.builtin.apt:
name: caddy
state: present
install_recommends: false
cache_valid_time: 3600
tags:
- caddy
- packages
- name: Create Caddyfile
ansible.builtin.template:
src: etc/caddy/Caddyfile.j2
dest: /etc/caddy/Caddyfile
mode: "0755"
owner: root
group: root
notify:
- reload caddy
tags: caddy
- name: Create Caddy conf.d directory
ansible.builtin.file:
path: /etc/caddy/conf.d
state: directory
mode: "0755"
owner: root
group: root
tags: caddy
# TODO: the variable is still named nginx_vhosts
- name: Configure Caddy virtual hosts
ansible.builtin.include_tasks: vhosts.yml
when: nginx_vhosts is defined
tags: caddy
# vim: set sw=2 ts=2:

14
roles/caddy/tasks/vhosts.yml Normal file
View File

@ -0,0 +1,14 @@
---
- name: Configure vhosts
ansible.builtin.template:
src: etc/caddy/conf.d/vhost.j2
dest: /etc/caddy/conf.d/{{ item.domain_name }}
mode: "0644"
owner: root
group: root
loop: "{{ nginx_vhosts }}"
notify:
- reload caddy
tags: caddy
# vim: set ts=2 sw=2:

29
roles/caddy/templates/etc/caddy/Caddyfile.j2 Normal file
View File

@ -0,0 +1,29 @@
# Global options
{
email {{ caddy_email }}
}
# Common security response headers
(security-headers) {
header {
# disable Google FLoC tracking
Permissions-Policy interest-cohort=()
# enable HSTS
Strict-Transport-Security max-age=31536000
# disable clients from sniffing the media type
X-Content-Type-Options nosniff
# clickjacking protection: refuse to allow rendering this page
# in a frame, iframe, etc.
X-Frame-Options DENY
# keep referrer data off of HTTP connections
Referrer-Policy no-referrer-when-downgrade
}
}
# Import additional caddy config files in /etc/caddy/conf.d/
# Note: these are imported in lexical sort order!
import /etc/caddy/conf.d/*

46
roles/caddy/templates/etc/caddy/conf.d/vhost.j2 Normal file
View File

@ -0,0 +1,46 @@
{{ ansible_managed | comment }}
{# helper variables and per-site defaults that we can't set in role defaults #}
{% set domain_name = item.domain_name %}
{% set domain_aliases = item.domain_aliases | default("") %}
{# assume optional features are off unless a vhost explicitly sets them #}
{% set has_wordpress = item.has_wordpress | default(false) %}
{% set needs_php = item.needs_php | default(false) %}
{% set has_gitea = item.has_gitea | default(false) %}
{% set static_site = item.static_site | default(false) %}
{# Allow sites to override the document root #}
{% if item.document_root is defined %}
{% set document_root = item.document_root %}
{% else %}
{% set document_root = (caddy_root_prefix, domain_name) | ansible.builtin.path_join %}
{% endif %}
{% if domain_aliases %}
{# domain_aliases is a string, so we split on space #}
{% for domain in domain_aliases | split (' ') %}
{{ domain }} {
redir https://{{domain_name}}{uri}
}
{% endfor %}
{% endif %}
{{ domain_name }} {
{% if has_gitea %}
reverse_proxy :3000
{% elif static_site -%}
root * {{ document_root }}
encode
file_server
{% elif has_wordpress -%}
root * {{ document_root }}
encode
{% if ansible_distribution == 'Debian' and ansible_distribution_major_version is version('12', '==') -%}
php_fastcgi unix//run/php/php8.2-fpm-{{ domain_name }}.sock
{% endif -%}
file_server
{% endif -%}
import security-headers
}

4
roles/common/defaults/main.yml
View File

@ -10,4 +10,8 @@ fail2ban_findtime: 3600
fail2ban_bantime: 1209600 fail2ban_bantime: 1209600
fail2ban_ignoreip: 127.0.0.1/8 172.26.0.0/16 192.168.5.0/24 fail2ban_ignoreip: 127.0.0.1/8 172.26.0.0/16 192.168.5.0/24
# Disable SSH passwords. Must use SSH keys. This is OK because we add the keys
# before re-configuring the SSH daemon to disable passwords.
ssh_password_authentication: disabled
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

10001
roles/common/files/abuseipdb-ipv4.nft
View File

File diff suppressed because it is too large Load Diff

7
roles/common/files/abuseipdb-ipv6.nft
View File

@ -1,7 +0,0 @@
#!/usr/sbin/nft -f
define ABUSEIPDB_IPV6 = {
2400:6180:0:d1::4ce:d001,
2607:5300:60:232d::,
2607:f298:6:a066::1bf:e80e,
}

10003
roles/common/files/abusers-ipv4.xml
View File

File diff suppressed because it is too large Load Diff

9
roles/common/files/abusers-ipv6.xml
View File

@ -1,9 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:ip">
<option name="family" value="inet6" />
<short>abusers-ipv6</short>
<description>A list of abusive IPv6 addresses.</description>
<entry>2400:6180:0:d1::4ce:d001</entry>
<entry>2607:5300:60:232d::</entry>
<entry>2607:f298:6:a066::1bf:e80e</entry>
</ipset>

89
roles/common/files/aggregate-cidr-addresses.pl
View File

@ -1,89 +0,0 @@
#!/usr/bin/perl
#
# aggregate-cidr-addresses - combine a list of CIDR address blocks
# Copyright (C) 2001,2007 Mark Suter <suter@zwitterion.org>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see L<http://www.gnu.org/licenses/>.
#
# [MJS 22 Oct 2001] Aggregate CIDR addresses
# [MJS 9 Oct 2007] Overlap idea from Anthony Ledesma at theplanet dot com.
# [MJS 16 Feb 2012] Prompted to clarify license by Alexander Talos-Zens - at at univie dot ac dot at
# [MJS 21 Feb 2012] IPv6 fixes by Alexander Talos-Zens
# [MJS 21 Feb 2012] Split ranges into prefixes (fixes a 10+ year old bug)
use strict;
use warnings;
use English qw( -no_match_vars );
use Net::IP;
## Read in all the IP addresses
my @addrs = map { Net::IP->new($_) or die "$PROGRAM_NAME: Not an IP: \"$_\"."; }
map { / \A \s* (.+?) \s* \Z /msix and $1; } <>;
## Split any ranges into prefixes
@addrs = map {
defined $_->prefixlen ? $_ : map { Net::IP->new($_) }
$_->find_prefixes
} @addrs;
## Sort the IP addresses
@addrs = sort { $a->version <=> $b->version or $a->bincomp( 'lt', $b ) ? -1 : $a->bincomp( 'gt', $b ) ? 1 : 0 } @addrs;
## Handle overlaps
my $count = 0;
my $current = $addrs[0];
foreach my $next ( @addrs[ 1 .. $#addrs ] ) {
my $r = $current->overlaps($next);
if ( $current->version != $next->version or $r == $IP_NO_OVERLAP ) {
$current = $next;
$count++;
}
elsif ( $r == $IP_A_IN_B_OVERLAP ) {
$current = $next;
splice @addrs, $count, 1;
}
elsif ( $r == $IP_B_IN_A_OVERLAP or $r == $IP_IDENTICAL ) {
splice @addrs, $count + 1, 1;
}
else {
die "$PROGRAM_NAME: internal error - overlaps() returned an unexpected value!\n";
}
}
## Keep aggregating until we don't change anything
my $change = 1;
while ($change) {
$change = 0;
my @new_addrs = ();
$current = $addrs[0];
foreach my $next ( @addrs[ 1 .. $#addrs ] ) {
if ( my $total = $current->aggregate($next) ) {
$current = $total;
$change = 1;
}
else {
push @new_addrs, $current;
$current = $next;
}
}
push @new_addrs, $current;
@addrs = @new_addrs;
}
## Print out the IP addresses
foreach (@addrs) {
print $_->prefix(), "\n";
}
# $Id: aggregate-cidr-addresses,v 1.9 2012/02/21 10:14:22 suter Exp suter $

2
roles/common/files/etc/cron-apt/3-download
View File

@ -1,2 +0,0 @@
autoclean -y
upgrade -y -o APT::Get::Show-Upgraded=true

5
roles/common/files/etc/cron-apt/config
View File

@ -1,5 +0,0 @@
# Configuration for cron-apt. For further information about the possible
# configuration settings see the README file.
MAILON="never"
OPTIONS="-o quiet=1 -o Dir::Etc::SourceList=/etc/apt/security.sources.list -o Dir::Etc::SourceParts=\"/dev/null\""

2
roles/common/files/spamhaus-ipv4.nft → roles/common/files/firehol_level1-ipv4.nft
View File

@ -1,5 +1,5 @@
#!/usr/sbin/nft -f #!/usr/sbin/nft -f
define SPAMHAUS_IPV4 = { define FIREHOL_LEVEL1_IPV4 = {
192.168.254.254/32 192.168.254.254/32
} }

6
roles/common/files/spamhaus-ipv4.xml
View File

@ -1,6 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:net">
<option name="family" value="inet" />
<short>spamhaus-ipv4</short>
<description>Spamhaus DROP and EDROP lists placeholder (IPv4).</description>
</ipset>

5
roles/common/files/spamhaus-ipv6.nft
View File

@ -1,5 +0,0 @@
#!/usr/sbin/nft -f
define SPAMHAUS_IPV6 = {
fd21:3523:74e0:7301::/64
}

6
roles/common/files/spamhaus-ipv6.xml
View File

@ -1,6 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:net">
<option name="family" value="inet6" />
<short>spamhaus-ipv6</short>
<description>Spamhaus DROP list placeholder (IPv6).</description>
</ipset>

1
roles/common/files/ssh-pub-keys/aorth-thinkpad2-ed25519.pub Normal file
View File

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHmRO6E0G4Ls3TifVfJ+mQjlfWiBZNJfsSXGhwQ/HA1M aorth@balozi

27
roles/common/files/update-abusech-nftables.service
View File

@ -1,27 +0,0 @@
[Unit]
Description=Update Abuse.ch SSL Blacklist IPs
# This service will fail if nftables is not running so we use Requires to make
# sure that nftables is started.
Requires=nftables.service
# Make sure the network is up and nftables is started
After=network-online.target nftables.service
Wants=network-online.target update-abusech-nftables.timer
[Service]
# https://www.ctrl.blog/entry/systemd-service-hardening.html
# Doesn't need access to /home or /root
ProtectHome=true
# Possibly only works on Ubuntu 18.04+
ProtectKernelTunables=true
ProtectSystem=full
# Newer systemd can use ReadWritePaths to list files, but this works everywhere
ReadWriteDirectories=/etc/nftables
PrivateTmp=true
WorkingDirectory=/var/tmp
SyslogIdentifier=update-abusech-nftables
ExecStart=/usr/bin/flock -x update-abusech-nftables.lck \
/usr/local/bin/update-abusech-nftables.sh
[Install]
WantedBy=multi-user.target

63
roles/common/files/update-abusech-nftables.sh
View File

@ -1,63 +0,0 @@
#!/usr/bin/env bash
#
# update-abuseipdb-nftables.sh v0.0.1
#
# Download IP addresses seen using a blacklisted SSL certificate and load them
# into nftables sets. As of 2021-07-28 these appear to only be IPv4.
#
# See: https://sslbl.abuse.ch/blacklist
#
# Copyright (C) 2021 Alan Orth
#
# SPDX-License-Identifier: GPL-3.0-only
# Exit on first error
set -o errexit
abusech_ipv4_set_path=/etc/nftables/abusech-ipv4.nft
abusech_list_temp=$(mktemp)
echo "Downloading Abuse.sh SSL Blacklist IPs"
abusech_response=$(curl -s -G -w "%{http_code}\n" https://sslbl.abuse.ch/blacklist/sslipblacklist.txt --output "$abusech_list_temp")
if [[ $abusech_response -ne 200 ]]; then
echo "Abuse.ch responded: HTTP $abusech_response"
exit 1
fi
if [[ -f "$abusech_list_temp" ]]; then
echo "Processing IPv4 list"
abusech_ipv4_list_temp=$(mktemp)
abusech_ipv4_set_temp=$(mktemp)
# Remove comments, DOS carriage returns, and IPv6 addresses (even though
# Abuse.ch seems to only have IPv4 addresses, let's not break our shit on
# that assumption some time down the line).
sed -e '/#/d' -e 's/
//' -e '/:/d' "$abusech_list_temp" > "$abusech_ipv4_list_temp"
echo "Building abusech-ipv4 set"
cat << NFT_HEAD > "$abusech_ipv4_set_temp"
#!/usr/sbin/nft -f
define ABUSECH_IPV4 = {
NFT_HEAD
while read -r network; do
# nftables doesn't mind if the last element in the set has a trailing
# comma so we don't need to do anything special here.
echo "$network," >> "$abusech_ipv4_set_temp"
done < $abusech_ipv4_list_temp
echo "}" >> "$abusech_ipv4_set_temp"
install -m 0600 "$abusech_ipv4_set_temp" "$abusech_ipv4_set_path"
rm -f "$abusech_list_temp" "$abusech_ipv4_list_temp" "$abusech_ipv4_set_temp"
fi
echo "Reloading nftables"
# The abusech nftables sets are included by nftables.conf

12
roles/common/files/update-abusech-nftables.timer
View File

@ -1,12 +0,0 @@
[Unit]
Description=Update Abuse.ch SSL Blacklist IPs
[Timer]
# Once a day at midnight
OnCalendar=*-*-* 00:00:00
# Add a random delay of 03600 seconds
RandomizedDelaySec=3600
Persistent=true
[Install]
WantedBy=timers.target

24
roles/common/files/update-firehol-nftables.service Normal file
View File

@ -0,0 +1,24 @@
[Unit]
Description=Update FireHOL lists
# Make sure the network is up
After=network-online.target
Wants=network-online.target update-firehol-nftables.timer
[Service]
# https://www.ctrl.blog/entry/systemd-service-hardening.html
# Doesn't need access to /home or /root
ProtectHome=true
# Possibly only works on Ubuntu 18.04+
ProtectKernelTunables=true
ProtectSystem=full
# Newer systemd can use ReadWritePaths to list files, but this works everywhere
ReadWriteDirectories=/etc/nftables
PrivateTmp=true
WorkingDirectory=/var/tmp
SyslogIdentifier=update-firehol-nftables
ExecStart=/usr/bin/flock -x update-firehol-nftables.lck \
/usr/local/bin/update-firehol-nftables.sh
[Install]
WantedBy=multi-user.target

2
roles/common/files/update-spamhaus-nftables.timer → roles/common/files/update-firehol-nftables.timer
View File

@ -1,5 +1,5 @@
[Unit] [Unit]
Description=Update Spamhaus lists Description=Update FireHOL lists
[Timer] [Timer]
# Once a day at midnight # Once a day at midnight

27
roles/common/files/update-spamhaus-lists.service
View File

@ -1,27 +0,0 @@
[Unit]
Description=Update Spamhaus lists
# This service will fail if firewalld is not running so we use Requires to make
# sure that firewalld is started.
Requires=firewalld.service
# Make sure the network is up and firewalld is started
After=network-online.target firewalld.service
Wants=network-online.target update-spamhaus-lists.timer
[Service]
# https://www.ctrl.blog/entry/systemd-service-hardening.html
# Doesn't need access to /home or /root
ProtectHome=true
# Possibly only works on Ubuntu 18.04+
ProtectKernelTunables=true
ProtectSystem=full
# Newer systemd can use ReadWritePaths to list files, but this works everywhere
ReadWriteDirectories=/etc/firewalld/ipsets
PrivateTmp=true
WorkingDirectory=/var/tmp
SyslogIdentifier=update-spamhaus-lists
ExecStart=/usr/bin/flock -x update-spamhaus-lists.lck \
/usr/local/bin/update-spamhaus-lists.sh
[Install]
WantedBy=multi-user.target

107
roles/common/files/update-spamhaus-lists.sh
View File

@ -1,107 +0,0 @@
#!/usr/bin/env bash
#
# update-spamhaus-lists.sh v0.0.5
#
# Download Spamhaus DROP lists and load them into firewalld ipsets. Should work
# with both the iptables and nftables backends.
#
# See: https://www.spamhaus.org/drop/
#
# Copyright (C) 2021 Alan Orth
#
# SPDX-License-Identifier: GPL-3.0-only
# Exit on first error
set -o errexit
firewalld_ipsets=$(firewall-cmd --get-ipsets)
xml_temp=$(mktemp)
spamhaus_ipv4_ipset_path=/etc/firewalld/ipsets/spamhaus-ipv4.xml
spamhaus_ipv6_ipset_path=/etc/firewalld/ipsets/spamhaus-ipv6.xml
function download() {
echo "Downloading $1"
wget -q -O - "https://www.spamhaus.org/drop/$1" > "$1"
}
download drop.txt
download edrop.txt
download dropv6.txt
if [[ -f "drop.txt" && -f "edrop.txt" ]]; then
echo "Processing IPv4 DROP lists"
# Extract all networks from drop.txt and edrop.txt, skipping blank lines and
# comments.
networks=$(cat drop.txt edrop.txt | sed -e '/^$/d' -e '/^;.*/d' -e 's/[[:space:]];[[:space:]].*//')
# If firewalld already has this ipset we should delete it first to emulate
# `ipset flush` (but I don't want to use that because newer hosts might be
# using nftables and firewalld will handle that for us).
if [[ "$firewalld_ipsets" =~ spamhaus-ipv4 ]]; then
echo "Deleting existing spamhaus-ipv4 ipset"
# This deletes the firewalld ipset XML file as well as the ipset itself
firewall-cmd --permanent --delete-ipset=spamhaus-ipv4
else
echo "Creating placeholder spamhaus-ipv4 ipset"
# Create a placeholder ipset so firewalld doesn't complain when we try
# to reload the ipset later after having added a new XML definition. I
# don't know why, but depending on the system state there may not be a
# ipset defined and firewalld errors on INVALID_IPSET.
firewall-cmd --permanent --new-ipset=spamhaus-ipv4 --type=hash:net --option=family=inet
fi
# I'm not proud of this, but writing the XML directly is WAY faster than
# using firewall-cmd to add each entry one by one (and we can't add from
# a file because many of our hosts are using old firewalld).
cat << XML_HEAD > "$xml_temp"
<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:net">
<option name="family" value="inet" />
<short>spamhaus-ipv4</short>
<description>Spamhaus DROP and EDROP lists (IPv4).</description>
XML_HEAD
for network in $networks; do
echo " <entry>$network</entry>" >> "$xml_temp"
done
echo "</ipset>" >> "$xml_temp"
install -m 0600 "$xml_temp" "$spamhaus_ipv4_ipset_path"
fi
if [[ -f "dropv6.txt" ]]; then
echo "Processing IPv6 DROP list"
networks=$(sed -e '/^$/d' -e '/^;.*/d' -e 's/[[:space:]];[[:space:]].*//' dropv6.txt)
if [[ "$firewalld_ipsets" =~ spamhaus-ipv6 ]]; then
echo "Deleting existing spamhaus-ipv6 ipset"
firewall-cmd --permanent --delete-ipset=spamhaus-ipv6
else
echo "Creating placeholder spamhaus-ipv6 ipset"
firewall-cmd --permanent --new-ipset=spamhaus-ipv6 --type=hash:net --option=family=inet6
fi
cat << XML_HEAD > "$xml_temp"
<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:net">
<option name="family" value="inet6" />
<short>spamhaus-ipv6</short>
<description>Spamhaus DROP lists (IPv6).</description>
XML_HEAD
for network in $networks; do
echo " <entry>$network</entry>" >> "$xml_temp"
done
echo "</ipset>" >> "$xml_temp"
install -m 0600 "$xml_temp" "$spamhaus_ipv6_ipset_path"
fi
echo "Reloading firewalld"
firewall-cmd --reload
rm -v drop.txt edrop.txt dropv6.txt "$xml_temp"

12
roles/common/files/update-spamhaus-lists.timer
View File

@ -1,12 +0,0 @@
[Unit]
Description=Update Spamhaus lists
[Timer]
# Once a day at midnight
OnCalendar=*-*-* 00:00:00
# Add a random delay of 03600 seconds
RandomizedDelaySec=3600
Persistent=true
[Install]
WantedBy=timers.target

27
roles/common/files/update-spamhaus-nftables.service
View File

@ -1,27 +0,0 @@
[Unit]
Description=Update Spamhaus lists
# This service will fail if nftables is not running so we use Requires to make
# sure that nftables is started.
Requires=nftables.service
# Make sure the network is up and nftables is started
After=network-online.target nftables.service
Wants=network-online.target update-spamhaus-nftables.timer
[Service]
# https://www.ctrl.blog/entry/systemd-service-hardening.html
# Doesn't need access to /home or /root
ProtectHome=true
# Possibly only works on Ubuntu 18.04+
ProtectKernelTunables=true
ProtectSystem=full
# Newer systemd can use ReadWritePaths to list files, but this works everywhere
ReadWriteDirectories=/etc/nftables
PrivateTmp=true
WorkingDirectory=/var/tmp
SyslogIdentifier=update-spamhaus-nftables
ExecStart=/usr/bin/flock -x update-spamhaus-nftables.lck \
/usr/local/bin/update-spamhaus-nftables.sh
[Install]
WantedBy=multi-user.target

91
roles/common/files/update-spamhaus-nftables.sh
View File

@ -1,91 +0,0 @@
#!/usr/bin/env bash
#
# update-spamhaus-nftables.sh v0.0.1
#
# Download Spamhaus DROP lists and load them into nftables sets.
#
# See: https://www.spamhaus.org/drop/
#
# Copyright (C) 2021 Alan Orth
#
# SPDX-License-Identifier: GPL-3.0-only
# Exit on first error
set -o errexit
spamhaus_ipv4_set_path=/etc/nftables/spamhaus-ipv4.nft
spamhaus_ipv6_set_path=/etc/nftables/spamhaus-ipv6.nft
function download() {
echo "Downloading $1"
wget -q -O - "https://www.spamhaus.org/drop/$1" > "$1"
}
download drop.txt
download edrop.txt
download dropv6.txt
if [[ -f "drop.txt" && -f "edrop.txt" ]]; then
echo "Processing IPv4 DROP lists"
spamhaus_ipv4_list_temp=$(mktemp)
spamhaus_ipv4_set_temp=$(mktemp)
# Extract all networks from drop.txt and edrop.txt, skipping blank lines and
# comments. Use aggregate-cidr-addresses.pl to merge overlapping IPv4 CIDR
# ranges to work around a firewalld bug.
#
# See: https://bugzilla.redhat.com/show_bug.cgi?id=1836571
cat drop.txt edrop.txt | sed -e '/^$/d' -e '/^;.*/d' -e 's/[[:space:]];[[:space:]].*//' | aggregate-cidr-addresses.pl > "$spamhaus_ipv4_list_temp"
echo "Building spamhaus-ipv4 set"
cat << NFT_HEAD > "$spamhaus_ipv4_set_temp"
#!/usr/sbin/nft -f
define SPAMHAUS_IPV4 = {
NFT_HEAD
while read -r network; do
# nftables doesn't mind if the last element in the set has a trailing
# comma so we don't need to do anything special here.
echo "$network," >> "$spamhaus_ipv4_set_temp"
done < $spamhaus_ipv4_list_temp
echo "}" >> "$spamhaus_ipv4_set_temp"
install -m 0600 "$spamhaus_ipv4_set_temp" "$spamhaus_ipv4_set_path"
rm -f "$spamhaus_ipv4_list_temp" "$spamhaus_ipv4_set_temp"
fi
if [[ -f "dropv6.txt" ]]; then
echo "Processing IPv6 DROP lists"
spamhaus_ipv6_list_temp=$(mktemp)
spamhaus_ipv6_set_temp=$(mktemp)
sed -e '/^$/d' -e '/^;.*/d' -e 's/[[:space:]];[[:space:]].*//' dropv6.txt > "$spamhaus_ipv6_list_temp"
echo "Building spamhaus-ipv6 set"
cat << NFT_HEAD > "$spamhaus_ipv6_set_temp"
#!/usr/sbin/nft -f
define SPAMHAUS_IPV6 = {
NFT_HEAD
while read -r network; do
echo "$network," >> "$spamhaus_ipv6_set_temp"
done < $spamhaus_ipv6_list_temp
echo "}" >> "$spamhaus_ipv6_set_temp"
install -m 0600 "$spamhaus_ipv6_set_temp" "$spamhaus_ipv6_set_path"
rm -f "$spamhaus_ipv6_list_temp" "$spamhaus_ipv6_set_temp"
fi
echo "Reloading nftables"
# The spamhaus nftables sets are included by nftables.conf
/usr/sbin/nft -f /etc/nftables.conf
rm -v drop.txt edrop.txt dropv6.txt

27
roles/common/handlers/main.yml
View File

@ -1,20 +1,27 @@
--- ---
# file: roles/common/handlers/main.yml # ansible.builtin.file: roles/common/handlers/main.yml
- name: reload sshd - name: reload sshd
systemd: name={{ sshd_service_name }} state=reloaded ansible.builtin.systemd:
name: "{{ sshd_service_name }}"
state: reloaded
- name: reload sysctl - name: reload sysctl
command: sysctl -p /etc/sysctl.conf command: sysctl -p /etc/sysctl.conf
- name: restart firewalld
systemd: name=firewalld state=restarted
- name: restart fail2ban
systemd: name=fail2ban state=restarted
- name: reload systemd - name: reload systemd
systemd: daemon_reload=yes ansible.builtin.systemd:
daemon_reload: true
- name: restart nftables - name: restart nftables
systemd: name=nftables state=restarted ansible.builtin.systemd:
name: nftables
state: restarted
# 2021-09-28: note to self to keep fail2ban at the end, as handlers are executed
# in the order they are defined, not in the order they are listed in the task's
# notify statement and we must restart fail2ban after updating the firewall.
- name: restart fail2ban
ansible.builtin.systemd:
name: fail2ban
state: restarted

19
roles/common/tasks/cron-apt.yml
View File

@ -1,12 +1,17 @@
--- ---
- name: Remove cron-apt
ansible.builtin.apt:
name: cron-apt
state: absent
cache_valid_time: 3600
- name: Configure cron-apt (config) - name: Remove cron-apt configs
copy: src={{ item.src }} dest={{ item.dest }} mode={{ item.mode }} owner={{ item.owner }} group={{ item.group }} ansible.builtin.file:
path: "{{ item }}"
state: absent
loop: loop:
- { src: 'etc/cron-apt/config', dest: '/etc/cron-apt/config', mode: '0644', owner: 'root', group: 'root' } - /etc/cron-apt/config
- { src: 'etc/cron-apt/3-download', dest: '/etc/cron-apt/action.d/3-download', mode: '0644', owner: 'root', group: 'root' } - /etc/cron-apt/action.d/3-download
- /etc/apt/security.sources.list
- name: Configure cron-apt (security)
template: src=security.sources.list.j2 dest=/etc/apt/security.sources.list mode=0644 owner=root group=root
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

43
roles/common/tasks/fail2ban.yml
View File

@ -1,25 +1,56 @@
--- ---
- name: Install fail2ban
when:
- ansible_distribution_major_version is version('11', '>=')
ansible.builtin.package:
name:
- fail2ban
- python3-systemd
state: present
cache_valid_time: 3600
- name: Configure fail2ban sshd filter - name: Configure fail2ban sshd filter
template: src=etc/fail2ban/jail.d/sshd.local.j2 dest=/etc/fail2ban/jail.d/sshd.local owner=root mode=0644 ansible.builtin.template:
src: etc/fail2ban/jail.d/sshd.local.j2
dest: /etc/fail2ban/jail.d/sshd.local
owner: root
mode: "0644"
notify: restart fail2ban notify: restart fail2ban
- name: Configure fail2ban nginx filter - name: Configure fail2ban nginx filter
when: "extra_fail2ban_filters is defined and 'nginx' in extra_fail2ban_filters" when:
template: src=etc/fail2ban/jail.d/nginx.local.j2 dest=/etc/fail2ban/jail.d/nginx.local owner=root mode=0644 - webserver is defined and webserver == 'nginx'
- extra_fail2ban_filters is defined
- "'nginx' in extra_fail2ban_filters"
ansible.builtin.template:
src: etc/fail2ban/jail.d/nginx.local.j2
dest: /etc/fail2ban/jail.d/nginx.local
owner: root
mode: "0644"
notify: restart fail2ban notify: restart fail2ban
- name: Create fail2ban service override directory - name: Create fail2ban service override directory
file: path=/etc/systemd/system/fail2ban.service.d state=directory owner=root mode=0755 ansible.builtin.file:
path: /etc/systemd/system/fail2ban.service.d
state: directory
owner: root
mode: "0755"
# See Arch Linux's example: https://wiki.archlinux.org/index.php/Fail2ban # See Arch Linux's example: https://wiki.archlinux.org/index.php/Fail2ban
- name: Configure fail2ban service override - name: Configure fail2ban service override
template: src=etc/systemd/system/fail2ban.service.d/override.conf.j2 dest=/etc/systemd/system/fail2ban.service.d/override.conf owner=root mode=0644 ansible.builtin.template:
src: etc/systemd/system/fail2ban.service.d/override.conf.j2
dest: /etc/systemd/system/fail2ban.service.d/override.conf
owner: root
mode: "0644"
notify: notify:
- reload systemd - reload systemd
- restart fail2ban - restart fail2ban
- name: Start and enable fail2ban service - name: Start and enable fail2ban service
systemd: name=fail2ban state=started enabled=yes ansible.builtin.systemd:
name: fail2ban
state: started
enabled: true
# vim: set sw=2 ts=2: # vim: set sw=2 ts=2:

20
roles/common/tasks/firewall.yml Normal file
View File

@ -0,0 +1,20 @@
---
- name: Configure firewall (Debian)
when: ansible_distribution == 'Debian'
ansible.builtin.include_tasks:
file: firewall_Debian.yml
apply:
tags:
- firewall
tags: firewall
- name: Configure firewall (Ubuntu)
when: ansible_distribution == 'Ubuntu'
ansible.builtin.include_tasks:
file: firewall_Ubuntu.yml
apply:
tags:
- firewall
tags: firewall

150
roles/common/tasks/firewall_Debian.yml
View File

@ -1,148 +1,28 @@
--- ---
# Debian 11 will use nftables directly, with no firewalld. # Debian 11+ will use nftables directly, with no firewalld.
- block: - name: Install Debian firewall packages
- name: Set Debian firewall packages
when: ansible_distribution_major_version is version('10', '<=')
set_fact:
debian_firewall_packages:
- firewalld
- tidy
- fail2ban
- python3-systemd # for fail2ban systemd backend
- name: Set Debian firewall packages
when: ansible_distribution_major_version is version('11', '>=') when: ansible_distribution_major_version is version('11', '>=')
set_fact: ansible.builtin.package:
debian_firewall_packages: name:
- fail2ban
- libnet-ip-perl # for aggregate-cidr-addresses.pl - libnet-ip-perl # for aggregate-cidr-addresses.pl
- nftables - nftables
- python3-systemd
- curl # for nftables update scripts - curl # for nftables update scripts
state: present
cache_valid_time: 3600
- name: Install firewall packages - name: Remove iptables on newer Debian
apt: pkg={{ debian_firewall_packages }} state=present cache_valid_time=3600
- name: Copy nftables.conf
when: ansible_distribution_major_version is version('11', '>=') when: ansible_distribution_major_version is version('11', '>=')
template: src=nftables.conf.j2 dest=/etc/nftables.conf owner=root mode=0644 ansible.builtin.apt:
notify: pkg: iptables
- restart nftables state: absent
- name: Create /etc/nftables extra config directory - name: Configure nftables
when: ansible_distribution_major_version is version('11', '>=') ansible.builtin.include_tasks: nftables.yml
file: path=/etc/nftables state=directory owner=root mode=0755
- name: Copy extra nftables configuration files
when: ansible_distribution_major_version is version('11', '>=')
copy: src={{ item.src }} dest=/etc/nftables/{{ item.src }} owner=root group=root mode=0644 force={{ item.force }}
loop:
- { src: "spamhaus-ipv4.nft", force: "no" }
- { src: "spamhaus-ipv6.nft", force: "no" }
- { src: "abusech-ipv4.nft", force: "no" }
- { src: "abuseipdb-ipv4.nft", force: "yes" }
- { src: "abuseipdb-ipv6.nft", force: "yes" }
notify:
- restart nftables
- name: Use iptables backend in firewalld
when: ansible_distribution_major_version is version('10', '==')
lineinfile:
dest: /etc/firewalld/firewalld.conf
regexp: '^FirewallBackend=nftables$'
line: 'FirewallBackend=iptables'
notify:
- restart firewalld
# firewalld seems to have an issue with iptables 1.8.2 when using the nftables
# backend. Using individual calls seems to work around it.
# See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931722
- name: Use individual iptables calls
when: ansible_distribution_major_version is version('10', '==')
lineinfile:
dest: /etc/firewalld/firewalld.conf
regexp: '^IndividualCalls=no$'
line: 'IndividualCalls=yes'
notify:
- restart firewalld
- name: Copy firewalld public zone file
when: ansible_distribution_major_version is version('10', '<=')
template: src=public.xml.j2 dest=/etc/firewalld/zones/public.xml owner=root mode=0600
- name: Format public.xml firewalld zone file
when: ansible_distribution_major_version is version('10', '<=')
command: tidy -xml -iq -m -w 0 /etc/firewalld/zones/public.xml
notify:
- restart firewalld
- name: Copy firewalld ipsets of abusive IPs
when: ansible_distribution_major_version is version('10', '<=')
copy: src={{ item }} dest=/etc/firewalld/ipsets/{{ item }} owner=root group=root mode=0600
loop:
- abusers-ipv4.xml
- abusers-ipv6.xml
- spamhaus-ipv4.xml
- spamhaus-ipv6.xml
notify:
- restart firewalld
- name: Copy Spamhaus firewalld update script
when: ansible_distribution_version is version('10', '<=')
copy: src=update-spamhaus-lists.sh dest=/usr/local/bin/update-spamhaus-lists.sh mode=0755 owner=root group=root
- name: Copy Spamhaus firewalld systemd units
when: ansible_distribution_version is version('10', '<=')
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root
loop:
- update-spamhaus-lists.service
- update-spamhaus-lists.timer
register: spamhaus_firewalld_systemd_units
- name: Copy Spamhaus nftables update scripts
when: ansible_distribution_version is version('11', '>=') when: ansible_distribution_version is version('11', '>=')
copy: src={{ item }} dest=/usr/local/bin/{{ item }} mode=0755 owner=root group=root
loop:
- update-spamhaus-nftables.sh
- aggregate-cidr-addresses.pl
- update-abusech-nftables.sh
- name: Copy nftables systemd units - ansible.builtin.include_tasks: fail2ban.yml
when: ansible_distribution_version is version('11', '>=') when:
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root - ansible_distribution_major_version is version('9', '>=')
loop:
- update-spamhaus-nftables.service
- update-spamhaus-nftables.timer
- update-abusech-nftables.service
- update-abusech-nftables.timer
register: nftables_systemd_units
# need to reload to pick up service/timer/environment changes
- name: Reload systemd daemon
systemd: daemon_reload=yes
when: spamhaus_firewalld_systemd_units is changed or
nftables_systemd_units is changed
- name: Start and enable Spamhaus firewalld update timer
when: ansible_distribution_version is version('10', '<=')
systemd: name=update-spamhaus-lists.timer state=started enabled=yes
notify:
- restart firewalld
- name: Start and enable nftables update timers
when: ansible_distribution_version is version('11', '>=')
systemd: name={{ item }} state=started enabled=yes
loop:
- update-spamhaus-nftables.timer
- update-abusech-nftables.timer
- name: Start and enable nftables
when: ansible_distribution_major_version is version('11', '>=')
systemd: name=nftables state=started enabled=yes
- include_tasks: fail2ban.yml
when: ansible_distribution_major_version is version('9', '>=')
tags: firewall
# vim: set sw=2 ts=2: # vim: set sw=2 ts=2:

134
roles/common/tasks/firewall_Ubuntu.yml
View File

@ -1,133 +1,27 @@
--- ---
# Ubuntu 20.04 will use nftables directly, with no firewalld. # Ubuntu 20.04 will use nftables directly, with no firewalld.
# Ubuntu 18.04 will use firewalld with the nftables backend.
# Ubuntu 16.04 will use firewalld with the iptables backend.
- block: - name: Install Ubuntu firewall packages
- name: Set Ubuntu firewall packages
when: ansible_distribution_version is version('20.04', '<')
set_fact:
ubuntu_firewall_packages:
- firewalld
- tidy
- fail2ban
- python3-systemd # for fail2ban systemd backend
- name: Set Ubuntu firewall packages
when: ansible_distribution_version is version('20.04', '>=') when: ansible_distribution_version is version('20.04', '>=')
set_fact: ansible.builtin.package:
ubuntu_firewall_packages: name:
- fail2ban
- libnet-ip-perl # for aggregate-cidr-addresses.pl - libnet-ip-perl # for aggregate-cidr-addresses.pl
- nftables - nftables
- python3-systemd
- curl # for nftables update scripts - curl # for nftables update scripts
state: present
cache_valid_time: 3600
- name: Install firewall packages - name: Remove ufw
apt: pkg={{ ubuntu_firewall_packages }} state=present cache_valid_time=3600 ansible.builtin.package:
name: ufw
state: absent
- name: Remove ufw - name: Configure nftables
when: ansible_distribution_version is version('16.04', '>=') ansible.builtin.include_tasks: nftables.yml
apt: pkg=ufw state=absent
- name: Copy nftables.conf
when: ansible_distribution_version is version('20.04', '>=') when: ansible_distribution_version is version('20.04', '>=')
template: src=nftables.conf.j2 dest=/etc/nftables.conf owner=root mode=0644
notify:
- restart nftables
- name: Create /etc/nftables extra config directory - ansible.builtin.include_tasks: fail2ban.yml
when: ansible_distribution_version is version('20.04', '>=') when:
file: path=/etc/nftables state=directory owner=root mode=0755 - ansible_distribution_version is version('16.04', '>=')
- name: Copy extra nftables configuration files
when: ansible_distribution_version is version('20.04', '>=')
copy: src={{ item.src }} dest=/etc/nftables/{{ item.src }} owner=root group=root mode=0644 force={{ item.force }}
loop:
- { src: "spamhaus-ipv4.nft", force: "no" }
- { src: "spamhaus-ipv6.nft", force: "no" }
- { src: "abusech-ipv4.nft", force: "no" }
- { src: "abuseipdb-ipv4.nft", force: "yes" }
- { src: "abuseipdb-ipv6.nft", force: "yes" }
notify:
- restart nftables
- name: Copy firewalld public zone file
when: ansible_distribution_version is version('18.04', '<=')
template: src=public.xml.j2 dest=/etc/firewalld/zones/public.xml owner=root mode=0600
- name: Format public.xml firewalld zone file
when: ansible_distribution_version is version('18.04', '<=')
command: tidy -xml -iq -m -w 0 /etc/firewalld/zones/public.xml
notify:
- restart firewalld
- name: Copy firewalld ipsets of abusive IPs
when: ansible_distribution_version is version('18.04', '<=')
copy: src={{ item }} dest=/etc/firewalld/ipsets/{{ item }} owner=root group=root mode=0600
loop:
- abusers-ipv4.xml
- abusers-ipv6.xml
- spamhaus-ipv4.xml
- spamhaus-ipv6.xml
notify:
- restart firewalld
- name: Copy Spamhaus firewalld update script
when: ansible_distribution_version is version('18.04', '<=')
copy: src=update-spamhaus-lists.sh dest=/usr/local/bin/update-spamhaus-lists.sh mode=0755 owner=root group=root
- name: Copy Spamhaus firewalld systemd units
when: ansible_distribution_version is version('18.04', '<=')
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root
loop:
- update-spamhaus-lists.service
- update-spamhaus-lists.timer
register: spamhaus_firewalld_systemd_units
- name: Copy nftables update scripts
when: ansible_distribution_version is version('20.04', '>=')
copy: src={{ item }} dest=/usr/local/bin/{{ item }} mode=0755 owner=root group=root
loop:
- update-spamhaus-nftables.sh
- aggregate-cidr-addresses.pl
- update-abusech-nftables.sh
- name: Copy nftables systemd units
when: ansible_distribution_version is version('20.04', '>=')
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root
loop:
- update-spamhaus-nftables.service
- update-spamhaus-nftables.timer
- update-abusech-nftables.service
- update-abusech-nftables.timer
register: nftables_systemd_units
# need to reload to pick up service/timer/environment changes
- name: Reload systemd daemon
systemd: daemon_reload=yes
when: spamhaus_firewalld_systemd_units is changed or
nftables_systemd_units is changed
- name: Start and enable Spamhaus firewalld update timer
when: ansible_distribution_version is version('18.04', '<=')
systemd: name=update-spamhaus-lists.timer state=started enabled=yes
notify:
- restart firewalld
- name: Start and enable nftables update timers
when: ansible_distribution_version is version('20.04', '>=')
systemd: name={{ item }} state=started enabled=yes
loop:
- update-spamhaus-nftables.timer
- update-abusech-nftables.timer
- name: Start and enable nftables
when: ansible_distribution_version is version('20.04', '>=')
systemd: name=nftables state=started enabled=yes
- include_tasks: fail2ban.yml
when: ansible_distribution_version is version('16.04', '>=')
tags: firewall
# vim: set sw=2 ts=2: # vim: set sw=2 ts=2:

28
roles/common/tasks/main.yml
View File

@ -1,54 +1,44 @@
--- ---
- name: Import OS-specific variables - name: Import OS-specific variables
include_vars: "vars/{{ ansible_distribution }}.yml" ansible.builtin.include_vars: vars/{{ ansible_distribution }}.yml
tags: always tags: always
- name: Configure network time - name: Configure network time
import_tasks: ntp.yml ansible.builtin.import_tasks: ntp.yml
tags: ntp tags: ntp
- name: Install common packages - name: Install common packages
include_tasks: packages_Debian.yml ansible.builtin.include_tasks: packages_Debian.yml
when: ansible_distribution == 'Debian' when: ansible_distribution == 'Debian'
tags: packages tags: packages
- name: Install common packages - name: Install common packages
include_tasks: packages_Ubuntu.yml ansible.builtin.include_tasks: packages_Ubuntu.yml
when: ansible_distribution == 'Ubuntu' when: ansible_distribution == 'Ubuntu'
tags: packages tags: packages
- name: Configure firewall - name: Configure firewall
include_tasks: firewall_Debian.yml ansible.builtin.import_tasks: firewall.yml
when: ansible_distribution == 'Debian'
tags: firewall
- name: Configure firewall
include_tasks: firewall_Ubuntu.yml
when: ansible_distribution == 'Ubuntu'
tags: firewall tags: firewall
- name: Configure secure shell daemon - name: Configure secure shell daemon
import_tasks: sshd.yml ansible.builtin.import_tasks: sshd.yml
tags: sshd tags: sshd
# containers identify as virtualization hosts, which makes this tricky, because we have actual Debian VM hosts! # containers identify as virtualization hosts, which makes this tricky, because we have actual Debian VM hosts!
- name: Reconfigure /etc/sysctl.conf - name: Reconfigure /etc/sysctl.conf
when: ansible_virtualization_role != 'host' when: ansible_virtualization_role != 'host'
template: src=sysctl_{{ ansible_distribution }}.j2 dest=/etc/sysctl.conf owner=root group=root mode=0644 ansible.builtin.template: src=sysctl_{{ ansible_distribution }}.j2 dest=/etc/sysctl.conf owner=root group=root mode=0644
notify: notify:
- reload sysctl - reload sysctl
tags: sysctl tags: sysctl
- name: Reconfigure /etc/rc.local
when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('19.04', '<=')
template: src=rc.local_Ubuntu.j2 dest=/etc/rc.local owner=root group=root mode=0755
- name: Set I/O scheduler - name: Set I/O scheduler
template: src=etc/udev/rules.d/60-scheduler.rules.j2 dest=/etc/udev/rules.d/60-scheduler.rules owner=root group=root mode=0644 ansible.builtin.template: src=etc/udev/rules.d/60-scheduler.rules.j2 dest=/etc/udev/rules.d/60-scheduler.rules owner=root group=root mode=0644
tags: udev tags: udev
- name: Copy admin SSH keys - name: Copy admin SSH keys
import_tasks: ssh-keys.yml ansible.builtin.import_tasks: ssh-keys.yml
tags: ssh-keys tags: ssh-keys
# vim: set sw=2 ts=2: # vim: set sw=2 ts=2:

97
roles/common/tasks/nftables.yml Normal file
View File

@ -0,0 +1,97 @@
---
# Common nftables tasks for Ubuntu 20.04, Ubuntu 22.04, Ubuntu 24.04, Debian 11,
# and Debian 12.
- name: Copy nftables.conf
ansible.builtin.template:
src: nftables.conf.j2
dest: /etc/nftables.conf
owner: root
mode: "0644"
notify:
- restart nftables
- restart fail2ban
- name: Create /etc/nftables extra config directory
ansible.builtin.file:
path: /etc/nftables
state: directory
owner: root
mode: "0755"
- name: Copy extra nftables configuration files
ansible.builtin.copy:
src: "{{ item.src }}"
dest: /etc/nftables/{{ item.src }}
owner: root
group: root
mode: "0644"
force: "{{ item.force }}"
loop:
- { src: firehol_level1-ipv4.nft, force: false }
notify:
- restart nftables
- restart fail2ban
- name: Copy nftables update scripts
ansible.builtin.template:
src: update-firehol-nftables.sh.j2
dest: /usr/local/bin/update-firehol-nftables.sh
mode: "0755"
owner: root
group: root
- name: Remove deprecated data and scripts
ansible.builtin.file:
path: "{{ item }}"
state: absent
loop:
- /etc/nftables/spamhaus-ipv4.nft
- /etc/nftables/spamhaus-ipv6.nft
- /etc/nftables/abuseipdb-ipv4.nft
- /etc/nftables/abuseipdb-ipv6.nft
- /etc/nftables/abusech-ipv4.nft
- /usr/local/bin/update-abusech-nftables.sh
- /usr/local/bin/update-spamhaus-nftables.sh
- /etc/systemd/system/update-abusech-nftables.service
- /etc/systemd/system/update-abusech-nftables.timer
- /etc/systemd/system/update-spamhaus-nftables.service
- /etc/systemd/system/update-spamhaus-nftables.timer
- /usr/local/bin/aggregate-cidr-addresses.pl
notify:
- restart nftables
- restart fail2ban
- name: Copy nftables systemd units
ansible.builtin.copy:
src: "{{ item }}"
dest: /etc/systemd/system/{{ item }}
mode: "0644"
owner: root
group: root
loop:
- update-firehol-nftables.service
- update-firehol-nftables.timer
register: nftables_systemd_units
# need to reload to pick up service/timer/environment changes
- name: Reload systemd daemon
ansible.builtin.systemd: # noqa no-handler
daemon_reload: true
when: nftables_systemd_units is changed
- name: Start and enable nftables update timers
ansible.builtin.systemd:
name: "{{ item }}"
state: started
enabled: true
loop:
- update-firehol-nftables.timer
- name: Start and enable nftables
ansible.builtin.systemd:
name: nftables
state: started
enabled: true
# vim: set sw=2 ts=2:

17
roles/common/tasks/ntp.yml
View File

@ -4,24 +4,27 @@
# client. # client.
- name: Set timezone - name: Set timezone
when: timezone is defined and ansible_service_mgr == 'systemd' when:
command: /usr/bin/timedatectl set-timezone {{ timezone }} - timezone is defined
- ansible_service_mgr == 'systemd'
community.general.timezone:
name: "{{ timezone }}"
tags: timezone tags: timezone
# Apparently some cloud images don't have this installed by default. From what # Apparently some cloud images don't have this installed by default. From what
# I can see on existing servers, systemd-timesyncd is a standalone package on # I can see on existing servers, systemd-timesyncd is a standalone package on
# Ubuntu 20.04 and Debian 11. # Ubuntu 20.04 and Debian 11.
- name: Install systemd-timesyncd - name: Install systemd-timesyncd
when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_version
(ansible_distribution == 'Debian' and ansible_distribution_version is version('11', '==')) is version('11', '>='))
apt: name=systemd-timesyncd state=present cache_valid_time=3600 ansible.builtin.apt: name=systemd-timesyncd state=present cache_valid_time=3600
- name: Start and enable systemd's NTP client - name: Start and enable systemd's NTP client
when: ansible_service_mgr == 'systemd' when: ansible_service_mgr == 'systemd'
systemd: name=systemd-timesyncd state=started enabled=yes ansible.builtin.systemd: name=systemd-timesyncd state=started enabled=true
- name: Uninstall ntp on modern Ubuntu/Debian - name: Uninstall ntp on modern Ubuntu/Debian
apt: name=ntp state=absent ansible.builtin.apt: name=ntp state=absent
when: ansible_service_mgr == 'systemd' when: ansible_service_mgr == 'systemd'
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

28
roles/common/tasks/packages_Debian.yml
View File

@ -1,12 +1,20 @@
--- ---
- name: Configure Debian packages
block:
# Scaleway seems to use a weird sources.list format as of Debian 12?
- name: Check for weird Debian sources
ansible.builtin.stat:
path: /etc/apt/sources.list.d/debian.sources
register: weird_debian_sources_stat
- block:
- name: Configure apt mirror - name: Configure apt mirror
template: src=sources.list.j2 dest=/etc/apt/sources.list owner=root group=root mode=0644 ansible.builtin.template: src=sources.list.j2 dest=/etc/apt/sources.list owner=root group=root mode=0644
when: ansible_architecture != 'armv7l' when:
- ansible_architecture != 'armv7l'
- not weird_debian_sources_stat
- name: Set fact for base packages - name: Set fact for base packages
set_fact: ansible.builtin.set_fact:
base_packages: base_packages:
- git - git
- git-lfs - git-lfs
@ -14,7 +22,6 @@
- iotop - iotop
- htop - htop
- strace - strace
- cron-apt
- safe-rm - safe-rm
- debian-goodies - debian-goodies
- mosh - mosh
@ -24,16 +31,19 @@
- apt-transport-https # for https support in apt - apt-transport-https # for https support in apt
- gnupg2 - gnupg2
- zstd - zstd
- rsync
- lsof
- unattended-upgrades
- name: Install base packages - name: Install base packages
apt: name={{ base_packages }} state=present cache_valid_time=3600 ansible.builtin.apt: name={{ base_packages }} state=present cache_valid_time=3600
- name: Configure cron-apt - name: Remove cron-apt
import_tasks: cron-apt.yml ansible.builtin.import_tasks: cron-apt.yml
tags: cron-apt tags: cron-apt
- name: Install tarsnap - name: Install tarsnap
import_tasks: tarsnap.yml ansible.builtin.import_tasks: tarsnap.yml
tags: packages tags: packages
# vim: set sw=2 ts=2: # vim: set sw=2 ts=2:

72
roles/common/tasks/packages_Ubuntu.yml
View File

@ -1,15 +1,15 @@
--- ---
- name: Configure Ubuntu packages
- block: block:
- name: Configure apt mirror - name: Configure apt mirror
template: src=sources.list.j2 dest=/etc/apt/sources.list owner=root group=root mode=0644 ansible.builtin.template: src=sources.list.j2 dest=/etc/apt/sources.list owner=root group=root mode=0644
when: ansible_architecture != 'armv7l' when: ansible_architecture != 'armv7l'
- name: Upgrade base OS - name: Upgrade base OS
apt: upgrade=dist cache_valid_time=3600 ansible.builtin.apt: upgrade=dist cache_valid_time=3600
- name: Set Ubuntu base packages - name: Set Ubuntu base packages
set_fact: ansible.builtin.set_fact:
ubuntu_base_packages: ubuntu_base_packages:
- git - git
- git-lfs - git-lfs
@ -26,81 +26,35 @@
- unzip - unzip
- apt-transport-https # for https support in apt - apt-transport-https # for https support in apt
- zstd - zstd
- rsync
- lsof
- name: Install base packages - name: Install base packages
apt: pkg={{ ubuntu_base_packages }} state=present cache_valid_time=3600 ansible.builtin.apt: pkg={{ ubuntu_base_packages }} state=present cache_valid_time=3600
# We have to remove snaps one by one in a specific order because some depend
# on others. Only after that can we remove the corresponding system packages.
- name: Remove lxd snap
snap: name=lxd state=absent
when: ansible_distribution_version is version('20.04', '==')
ignore_errors: yes
- name: Remove core18 snap
snap: name=core18 state=absent
when: ansible_distribution_version is version('20.04', '==')
ignore_errors: yes
- name: Remove snapd snap
snap: name=snapd state=absent
when: ansible_distribution_version is version('20.04', '==')
ignore_errors: yes
- name: Set fact for packages to remove (Ubuntu <= 18.04)
set_fact:
ubuntu_annoying_packages:
- whoopsie # security (CIS 4.1)
- apport # security (CIS 4.1)
- command-not-found # annoying
- command-not-found-data # annoying
- python3-commandnotfound # annoying
- snapd # annoying (Ubuntu >= 16.04)
- lxd # annoying (Ubuntu >= 16.04)
- lxd-client # annoying (Ubuntu >= 16.04)
- liblxc1 # annoying (Ubuntu >= 16.04)
- lxc-common # annoying (Ubuntu >= 16.04)
- lxcfs #annoying (Ubuntu >= 16.04)
when: ansible_distribution_version is version('18.04', '<=')
- name: Set fact for packages to remove (Ubuntu 20.04)
set_fact:
ubuntu_annoying_packages:
- whoopsie # security (CIS 4.1)
- apport # security (CIS 4.1)
- command-not-found # annoying
- command-not-found-data # annoying
- python3-commandnotfound # annoying
- snapd # annoying (Ubuntu >= 16.04)
- lxd-agent-loader # annoying (Ubuntu 20.04)
when: ansible_distribution_version is version('20.04', '==')
- name: Remove packages
apt: name={{ ubuntu_annoying_packages }} state=absent purge=yes
- name: Disable annoying Canonical spam in MOTD - name: Disable annoying Canonical spam in MOTD
file: path={{ item }} mode=0644 state=absent ansible.builtin.file: path={{ item }} mode=0644 state=absent
loop: loop:
- /etc/update-motd.d/99-esm # Ubuntu 14.04 - /etc/update-motd.d/99-esm # Ubuntu 14.04
- /etc/update-motd.d/10-help-text # Ubuntu 14.04+ - /etc/update-motd.d/10-help-text # Ubuntu 14.04+
- /etc/update-motd.d/50-motd-news # Ubuntu 18.04+ - /etc/update-motd.d/50-motd-news # Ubuntu 18.04+
- /etc/update-motd.d/80-esm # Ubuntu 18.04+ - /etc/update-motd.d/80-esm # Ubuntu 18.04+
- /etc/update-motd.d/80-livepatch # Ubuntu 18.04+ - /etc/update-motd.d/80-livepatch # Ubuntu 18.04+
ignore_errors: yes ignore_errors: true
- name: Disable annoying Canonical spam in MOTD - name: Disable annoying Canonical spam in MOTD
systemd: name={{ item }} state=stopped enabled=no ansible.builtin.systemd: name={{ item }} state=stopped enabled=no
when: ansible_service_mgr == 'systemd' when: ansible_service_mgr == 'systemd'
loop: loop:
- motd-news.service - motd-news.service
- motd-news.timer - motd-news.timer
- name: Configure cron-apt - name: Configure cron-apt
import_tasks: cron-apt.yml ansible.builtin.import_tasks: cron-apt.yml
tags: cron-apt tags: cron-apt
- name: Install tarsnap - name: Install tarsnap
import_tasks: tarsnap.yml ansible.builtin.import_tasks: tarsnap.yml
tags: packages tags: packages
# vim: set sw=2 ts=2: # vim: set sw=2 ts=2:

4
roles/common/tasks/ssh-keys.yml
View File

@ -1,9 +1,9 @@
--- ---
- name: Zero .ssh/authorized_keys for provisioning user - name: Zero .ssh/authorized_keys for provisioning user
file: dest={{ provisioning_user.home }}/.ssh/authorized_keys state=absent ansible.builtin.file: dest={{ provisioning_user.home }}/.ssh/authorized_keys state=absent
- name: Add public keys to authorized_keys - name: Add public keys to authorized_keys
authorized_key: { user: '{{ provisioning_user.name }}', key: "{{ lookup('file',item) }}" } ansible.posix.authorized_key: { user: "{{ provisioning_user.name }}", key: "{{ lookup('file',item) }}" }
with_fileglob: with_fileglob:
# use descriptive names for keys, like: aorth-mzito-rsa.pub # use descriptive names for keys, like: aorth-mzito-rsa.pub
- ssh-pub-keys/*.pub - ssh-pub-keys/*.pub

34
roles/common/tasks/sshd.yml
View File

@ -1,20 +1,46 @@
--- ---
# SSH configs don't change in Debian minor versions # SSH configs don't change in Debian minor versions
- name: Reconfigure /etc/ssh/sshd_config - name: Reconfigure /etc/ssh/sshd_config
template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0600 ansible.builtin.template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root
mode=0600
when: ansible_distribution == 'Debian' when: ansible_distribution == 'Debian'
notify: reload sshd notify: reload sshd
# Ubuntu is the only distro we have where SSH version is very different from 14.04 -> 14.10, # Ubuntu is the only distro we have where SSH version is very different from 14.04 -> 14.10,
# ie with new ciphers supported etc. # ie with new ciphers supported etc.
- name: Reconfigure /etc/ssh/sshd_config - name: Reconfigure /etc/ssh/sshd_config
template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0600 ansible.builtin.template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0600
when: ansible_distribution == 'Ubuntu' when: ansible_distribution == 'Ubuntu'
notify: reload sshd notify: reload sshd
# See: WeakDH (2015): https://weakdh.org/sysadmin.html
- name: Remove small Diffie-Hellman SSH moduli
block:
- name: Check unsafe Diffie-Hellman SSH moduli
ansible.builtin.shell:
cmd: awk '$5 < 3071' moduli
chdir: /etc/ssh
creates: moduli.safe
register: check_unsafe_moduli
- name: Extract safe Diffie-Hellman SSH moduli
ansible.builtin.shell:
cmd: awk '$5 >= 3071' moduli > moduli.safe
chdir: /etc/ssh
creates: moduli.safe
when: check_unsafe_moduli.stdout | length > 0
register: extract_safe_moduli
- name: Replace unsafe Diffie-Hellman SSH moduli
ansible.builtin.command:
cmd: mv moduli.safe moduli
chdir: /etc/ssh
register: replace_small_moduli
when: extract_safe_moduli is changed
notify: reload sshd
- name: Remove DSA and ECDSA host keys - name: Remove DSA and ECDSA host keys
file: name=/etc/ssh/{{ item }} state=absent ansible.builtin.file: name=/etc/ssh/{{ item }} state=absent
loop: loop:
- ssh_host_dsa_key - ssh_host_dsa_key
- ssh_host_dsa_key.pub - ssh_host_dsa_key.pub

47
roles/common/tasks/tarsnap.yml
View File

@ -1,24 +1,45 @@
--- ---
- name: Add Tarsnap apt mirror - name: Check tarsnap apt signing key
template: src=tarsnap_sources.list.j2 dest=/etc/apt/sources.list.d/tarsnap.list owner=root group=root mode=0644 ansible.builtin.stat:
path: /etc/apt/keyrings/tarsnap-deb-packaging-key.asc
register: tarsnap_signing_key_stat
- name: Download tarsnap apt signing key
ansible.builtin.get_url:
url: https://pkg.tarsnap.com/tarsnap-deb-packaging-key.asc
dest: /etc/apt/keyrings/tarsnap-deb-packaging-key.asc
owner: root
group: root
mode: "0644"
register: download_tarsnap_signing_key
when: not tarsnap_signing_key_stat.stat.exists
- name: Add tarsnap.org repo
ansible.builtin.template:
src: tarsnap_sources.list.j2
dest: /etc/apt/sources.list.d/tarsnap.list
owner: root
group: root
mode: "0644"
register: add_tarsnap_apt_repository register: add_tarsnap_apt_repository
when: ansible_architecture != 'armv7l' when: ansible_architecture != 'armv7l'
- name: Add GPG key for Tarsnap
apt_key: id=0xBF75EEAB040E447C url=https://pkg.tarsnap.com/tarsnap-deb-packaging-key.asc state=present
register: add_tarsnap_apt_key
- name: Update apt cache - name: Update apt cache
apt: ansible.builtin.apt: # noqa no-handler
update_cache: yes update_cache: true
when: when: (download_tarsnap_signing_key.status_code is defined and download_tarsnap_signing_key.status_code == 200) or add_tarsnap_apt_repository is changed
add_tarsnap_apt_key is changed or
add_tarsnap_apt_repository is changed
- name: Install tarsnap - name: Install tarsnap
apt: pkg=tarsnap cache_valid_time=3600 ansible.builtin.apt:
pkg: tarsnap
cache_valid_time: 3600
- name: Copy tarsnaprc - name: Copy tarsnaprc
copy: src=tarsnaprc dest=/root/.tarsnaprc owner=root group=root mode=0600 ansible.builtin.copy:
src: tarsnaprc
dest: /root/.tarsnaprc
owner: root
group: root
mode: "0600"
# vim: set sw=2 ts=2: # vim: set sw=2 ts=2:

6
roles/common/templates/etc/fail2ban/jail.d/nginx.local.j2
View File

@ -2,13 +2,9 @@
enabled = true enabled = true
# See: /etc/fail2ban/filter.d/nginx-botsearch.conf # See: /etc/fail2ban/filter.d/nginx-botsearch.conf
filter = nginx-botsearch filter = nginx-botsearch
{% if (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11', '>=')) or (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '>=')) %}
# Integrate with nftables # Integrate with nftables
banaction=nftables[type=allports] banaction=nftables[type=allports]
{% else %} backend = pyinotify
# Integrate with firewalld and ipsets
banaction = firewallcmd-ipset
{% endif %}
logpath = /var/log/nginx/*-access.log logpath = /var/log/nginx/*-access.log
# Try to find a non-existent wp-login.php once and get banned. Tough luck. # Try to find a non-existent wp-login.php once and get banned. Tough luck.
maxretry = 1 maxretry = 1

5
roles/common/templates/etc/fail2ban/jail.d/sshd.local.j2
View File

@ -2,13 +2,8 @@
enabled = true enabled = true
# See: /etc/fail2ban/filter.d/sshd.conf # See: /etc/fail2ban/filter.d/sshd.conf
filter = sshd filter = sshd
{% if (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11', '>=')) or (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '>=')) %}
# Integrate with nftables # Integrate with nftables
banaction=nftables[type=allports] banaction=nftables[type=allports]
{% else %}
# Integrate with firewalld and ipsets
banaction = firewallcmd-ipset
{% endif %}
backend = systemd backend = systemd
maxretry = {{ fail2ban_maxretry }} maxretry = {{ fail2ban_maxretry }}
findtime = {{ fail2ban_findtime }} findtime = {{ fail2ban_findtime }}

4
roles/common/templates/etc/systemd/system/fail2ban.service.d/override.conf.j2
View File

@ -1,3 +1,7 @@
[Unit]
# If nftables is stopped or restarted, propagate to fail2ban as well
PartOf=nftables.service
[Service] [Service]
PrivateDevices=yes PrivateDevices=yes
PrivateTmp=yes PrivateTmp=yes

61
roles/common/templates/nftables.conf.j2
View File

@ -5,47 +5,18 @@
flush ruleset flush ruleset
# Lists updated daily by update-spamhaus-nftables.sh # List updated daily by update-firehol-nftables.sh
include "/etc/nftables/spamhaus-ipv4.nft" include "/etc/nftables/firehol_level1-ipv4.nft"
include "/etc/nftables/spamhaus-ipv6.nft"
# Lists updated monthly (manually)
include "/etc/nftables/abuseipdb-ipv4.nft"
include "/etc/nftables/abuseipdb-ipv6.nft"
# Lists updated daily by update-abusech-nftables.sh
include "/etc/nftables/abusech-ipv4.nft"
# Notes: # Notes:
# - tables hold chains, chains hold rules # - tables hold chains, chains hold rules
# - inet is for both ipv4 and ipv6 # - inet is for both ipv4 and ipv6
table inet filter { table inet filter {
set spamhaus-ipv4 { set firehol_level1-ipv4 {
type ipv4_addr type ipv4_addr
# if the set contains prefixes we need to use the interval flag # if the set contains prefixes we need to use the interval flag
flags interval flags interval
elements = $SPAMHAUS_IPV4 elements = $FIREHOL_LEVEL1_IPV4
}
set spamhaus-ipv6 {
type ipv6_addr
flags interval
elements = $SPAMHAUS_IPV6
}
set abusech-ipv4 {
type ipv4_addr
elements = $ABUSECH_IPV4
}
set abuseipdb-ipv4 {
type ipv4_addr
elements = $ABUSEIPDB_IPV4
}
set abuseipdb-ipv6 {
type ipv6_addr
elements = $ABUSEIPDB_IPV6
} }
chain input { chain input {
@ -55,13 +26,7 @@ table inet filter {
ct state invalid counter drop comment "Early drop of invalid connections" ct state invalid counter drop comment "Early drop of invalid connections"
ip saddr @spamhaus-ipv4 counter drop comment "Early drop of incoming packets matching spamhaus-ipv4 list" ip saddr @firehol_level1-ipv4 counter drop comment "Early drop of incoming packets matching firehol_level1-ipv4 list"
ip6 saddr @spamhaus-ipv6 counter drop comment "Early drop of incoming packets matching spamhaus-ipv6 list"
ip saddr @abusech-ipv4 counter drop comment "Early drop of packets matching abusech-ipv4 list"
ip saddr @abuseipdb-ipv4 counter drop comment "Early drop of incoming packets matching abuseipdb-ipv4 list"
ip6 saddr @abuseipdb-ipv6 counter drop comment "Early drop of incoming packets matching abuseipdb-ipv6 list"
iifname lo accept comment "Allow from loopback" iifname lo accept comment "Allow from loopback"
@ -81,12 +46,8 @@ table inet filter {
ip6 saddr ::/0 ct state new tcp dport 443 counter accept comment "Allow HTTPS" ip6 saddr ::/0 ct state new tcp dport 443 counter accept comment "Allow HTTPS"
{% endif %} {% endif %}
ip saddr 0.0.0.0/0 ct state new udp dport 60001 counter accept comment "Allow mosh" ip saddr 0.0.0.0/0 ct state new udp dport 60001-60003 counter accept comment "Allow mosh"
ip saddr 0.0.0.0/0 ct state new udp dport 60002 counter accept comment "Allow mosh" ip6 saddr ::/0 ct state new udp dport 60001-60003 counter accept comment "Allow mosh"
ip saddr 0.0.0.0/0 ct state new udp dport 60003 counter accept comment "Allow mosh"
ip6 saddr ::/0 ct state new udp dport 60001 counter accept comment "Allow mosh"
ip6 saddr ::/0 ct state new udp dport 60002 counter accept comment "Allow mosh"
ip6 saddr ::/0 ct state new udp dport 60003 counter accept comment "Allow mosh"
{# Extra rules #} {# Extra rules #}
{% if extra_iptables_rules is defined %} {% if extra_iptables_rules is defined %}
@ -109,12 +70,6 @@ table inet filter {
chain output { chain output {
type filter hook output priority 0; type filter hook output priority 0;
ip daddr @spamhaus-ipv4 counter drop comment "Drop outgoing packets matching spamhaus-ipv4 list" ip daddr @firehol_level1-ipv4 counter drop comment "Drop outgoing packets matching firehol_level1-ipv4 list"
ip6 daddr @spamhaus-ipv6 counter drop comment "Drop outgoing packets matching spamhaus-ipv6 list"
ip daddr @abusech-ipv4 counter drop comment "Drop outgoing packets matching abusech-ipv4 list"
ip daddr @abuseipdb-ipv4 counter drop comment "Drop outgoing packets matching abuseipdb-ipv4 list"
ip6 daddr @abuseipdb-ipv6 counter drop comment "Drop outgoing packets matching abuseipdb-ipv6 list"
} }
} }

81
roles/common/templates/public.xml.j2
View File

@ -1,81 +0,0 @@
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<interface name="{{ ansible_default_ipv4.interface }}"/>
{# ssh rules #}
<rule family="ipv4">
<source address="0.0.0.0/0"/>
<port protocol="tcp" port="22"/>
<accept/>
</rule>
{# ipv6 ssh rules #}
<rule family="ipv6">
<source address="::/0"/>
<port protocol="tcp" port="22"/>
<accept/>
</rule>
{# web rules #}
<rule family="ipv4">
<source address="0.0.0.0/0"/>
<port protocol="tcp" port="80"/>
<accept/>
</rule>
{# ipv6 web rules #}
<rule family="ipv6">
<source address="::/0"/>
<port protocol="tcp" port="80"/>
<accept/>
</rule>
{# munin rules #}
{% if munin_master_host is defined %}
<rule family="ipv4">
<source address="{{ ghetto_ipsets[munin_master_host].src }}"/>
<port protocol="tcp" port="{{ munin_node_port }}"/>
<accept/>
</rule>
{% endif %}
{# extra rules #}
{% if extra_iptables_rules is defined %}
{% for rule in extra_iptables_rules %}
<rule family="ipv4">
<source address="{{ ghetto_ipsets[rule.acl].src }}"/>
<port protocol="{{ rule.protocol }}" port="{{ rule.port }}"/>
<accept/>
</rule>
{# ipv6 extra rules #}
{% if ghetto_ipsets[rule.acl].ipv6src is defined %}
<rule family="ipv6">
<source address="{{ ghetto_ipsets[rule.acl].ipv6src }}"/>
<port protocol="{{ rule.protocol }}" port="{{ rule.port }}"/>
<accept/>
</rule>
{% endif %}
{% endfor %}
{% endif %}
<rule>
<source ipset="abusers-ipv4"/>
<drop/>
</rule>
<rule>
<source ipset="abusers-ipv6"/>
<drop/>
</rule>
<rule>
<source ipset="spamhaus-ipv4"/>
<drop/>
</rule>
<rule>
<source ipset="spamhaus-ipv6"/>
<drop/>
</rule>
</zone>

14
roles/common/templates/rc.local_Ubuntu.j2
View File

@ -1,14 +0,0 @@
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
exit 0

5
roles/common/templates/security.sources.list.j2
View File

@ -1,5 +0,0 @@
{% if ansible_distribution == 'Ubuntu' %}
deb http://security.ubuntu.com/ubuntu {{ ansible_distribution_release }}-security main restricted universe multiverse
{% elif ansible_distribution == 'Debian' %}
deb http://security.debian.org/debian-security {{ ansible_distribution_release }}/updates main contrib non-free
{% endif %}

18
roles/common/templates/sshd_config_Debian-11.j2
View File

@ -56,7 +56,11 @@ AuthorizedKeysFile .ssh/authorized_keys
#IgnoreRhosts yes #IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here! # To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes {% if ssh_password_authentication == 'disabled' %}
PasswordAuthentication no
{% else %}
PasswordAuthentication yes
{% endif %}
#PermitEmptyPasswords no #PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with # Change to yes to enable challenge-response passwords (beware issues with
@ -131,8 +135,12 @@ Subsystem sftp /usr/lib/openssh/sftp-server
# See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite # See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
# only allow shell access by provisioning user {% if ssh_allowed_users is defined and ssh_allowed_users %}
AllowUsers {{ provisioning_user.name }} # Is there a list of allowed users?
# Is it populated? (An empty list is 'None', which evaluates as False in Python)
# merge the items of a list into one string using a space as a separator
# http://jinja.pocoo.org/docs/dev/templates/#join
AllowUsers {{ ssh_allowed_users|join(" ") }} {{ provisioning_user.name }}
{% endif %}

47
roles/common/templates/sshd_config_Ubuntu-18.04.j2 → roles/common/templates/sshd_config_Debian-12.j2
View File

@ -1,21 +1,23 @@
# $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $
# This is the sshd server system-wide configuration file. See # This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information. # sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin # This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/bin:/usr/games
# The strategy used for options in the default sshd_config shipped with # The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where # OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the # possible, but leave them commented. Uncommented options override the
# default value. # default value.
Include /etc/ssh/sshd_config.d/*.conf
#Port 22 #Port 22
#AddressFamily any #AddressFamily any
#ListenAddress 0.0.0.0 #ListenAddress 0.0.0.0
#ListenAddress :: #ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying # Ciphers and keying
@ -54,12 +56,16 @@ AuthorizedKeysFile .ssh/authorized_keys
#IgnoreRhosts yes #IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here! # To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes {% if ssh_password_authentication == 'disabled' %}
PasswordAuthentication no
{% else %}
PasswordAuthentication yes
{% endif %}
#PermitEmptyPasswords no #PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with # Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads) # some PAM modules and threads)
ChallengeResponseAuthentication no KbdInteractiveAuthentication no
# Kerberos options # Kerberos options
#KerberosAuthentication no #KerberosAuthentication no
@ -75,13 +81,13 @@ ChallengeResponseAuthentication no
# Set this to 'yes' to enable PAM authentication, account processing, # Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will # and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and # be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication. Depending on your PAM configuration, # PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass # PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin without-password". # the setting of "PermitRootLogin prohibit-password".
# If you just want the PAM account and session checks to run without # If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication # PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'. # and KbdInteractiveAuthentication to 'no'.
UsePAM yes UsePAM yes
#AllowAgentForwarding yes #AllowAgentForwarding yes
@ -94,13 +100,12 @@ X11Forwarding no
PrintMotd no PrintMotd no
#PrintLastLog yes #PrintLastLog yes
#TCPKeepAlive yes #TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no #PermitUserEnvironment no
#Compression delayed #Compression delayed
#ClientAliveInterval 0 #ClientAliveInterval 0
#ClientAliveCountMax 3 #ClientAliveCountMax 3
#UseDNS no #UseDNS no
#PidFile /var/run/sshd.pid #PidFile /run/sshd.pid
#MaxStartups 10:30:100 #MaxStartups 10:30:100
#PermitTunnel no #PermitTunnel no
#ChrootDirectory none #ChrootDirectory none
@ -122,12 +127,20 @@ Subsystem sftp /usr/lib/openssh/sftp-server
# PermitTTY no # PermitTTY no
# ForceCommand cvs server # ForceCommand cvs server
# Originally from: https://stribika.github.io/2015/01/04/secure-secure-shell.html # Based on the ssh-audit profile for OpenSSH 9.2, but with but with all algos
# ... but with ciphers and MACs with < 256 bits removed, as NSA's Suite B now # with less than 256 bits removed, as NSA's Suite B removed them years ago and
# does away with these! See: https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml # the new (2018) CNSA suite is 256 bits and up.
#
# See: https://github.com/jtesta/ssh-audit/blob/master/src/ssh_audit/policy.py
# See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256 MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
# only allow shell access by provisioning user {% if ssh_allowed_users is defined and ssh_allowed_users %}
AllowUsers {{ provisioning_user.name }} # Is there a list of allowed users?
# Is it populated? (An empty list is 'None', which evaluates as False in Python)
# merge the items of a list into one string using a space as a separator
# http://jinja.pocoo.org/docs/dev/templates/#join
AllowUsers {{ ssh_allowed_users|join(" ") }} {{ provisioning_user.name }}
{% endif %}

7
roles/common/templates/sshd_config_Ubuntu-20.04.j2
View File

@ -56,7 +56,11 @@ AuthorizedKeysFile .ssh/authorized_keys
#IgnoreRhosts yes #IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here! # To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes {% if ssh_password_authentication == 'disabled' %}
PasswordAuthentication no
{% else %}
PasswordAuthentication yes
{% endif %}
#PermitEmptyPasswords no #PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with # Change to yes to enable challenge-response passwords (beware issues with
@ -122,7 +126,6 @@ Subsystem sftp /usr/lib/openssh/sftp-server
# AllowTcpForwarding no # AllowTcpForwarding no
# PermitTTY no # PermitTTY no
# ForceCommand cvs server # ForceCommand cvs server
PasswordAuthentication yes
# Originally from: https://stribika.github.io/2015/01/04/secure-secure-shell.html # Originally from: https://stribika.github.io/2015/01/04/secure-secure-shell.html
# ... but with ciphers and MACs with < 256 bits removed, as NSA's Suite B now # ... but with ciphers and MACs with < 256 bits removed, as NSA's Suite B now

2
roles/common/templates/tarsnap_sources.list.j2
View File

@ -1 +1 @@
deb [arch=amd64] https://pkg.tarsnap.com/deb/{{ ansible_distribution_release }} ./ deb [arch=amd64 signed-by=/etc/apt/keyrings/tarsnap-deb-packaging-key.asc] https://pkg.tarsnap.com/deb/{{ ansible_distribution_release }} ./

65
roles/common/templates/update-firehol-nftables.sh.j2 Executable file
View File

@ -0,0 +1,65 @@
#!/usr/bin/env bash
#
# update-firehol-nftables.sh v0.0.1
#
# Download FireHOL lists and load them into nftables sets.
#
# See: https://iplists.firehol.org/
#
# Copyright (C) 2025 Alan Orth
#
# SPDX-License-Identifier: GPL-3.0-only
# Exit on first error
set -o errexit
firehol_level1_ipv4_set_path=/etc/nftables/firehol_level1-ipv4.nft
function download() {
echo "Downloading $1"
wget -q -O - "https://iplists.firehol.org/files/$1" > "$1"
}
download firehol_level1.netset
if [[ -f "firehol_level1.netset" ]]; then
echo "Processing FireHOL Level 1 list"
firehol_level1_ipv4_list_temp=$(mktemp)
firehol_level1_ipv4_set_temp=$(mktemp)
# Filter blank lines, comments, and bogons we use inside the LAN, DMZ, and
# for local services like systemd-resolved and others on localhost. Ideally
# these are blocked already at the WAN side by network administrators.
cat firehol_level1.netset \
| sed \
-e '/^$/d' \
-e '/^#.*/d' \
-e '/^127\.0\.0\.0\/8/d' \
> "$firehol_level1_ipv4_list_temp"
echo "Building firehol_level1-ipv4 set"
cat << NFT_HEAD > "$firehol_level1_ipv4_set_temp"
#!/usr/sbin/nft -f
define FIREHOL_LEVEL1_IPV4 = {
NFT_HEAD
while read -r network; do
# nftables doesn't mind if the last element in the set has a trailing
# comma so we don't need to do anything special here.
echo "$network," >> "$firehol_level1_ipv4_set_temp"
done < $firehol_level1_ipv4_list_temp
echo "}" >> "$firehol_level1_ipv4_set_temp"
install -m 0600 "$firehol_level1_ipv4_set_temp" "$firehol_level1_ipv4_set_path"
rm -f "$firehol_level1_ipv4_list_temp" "$firehol_level1_ipv4_set_temp"
fi
echo "Restarting nftables"
/usr/bin/systemctl restart nftables.service
rm -v firehol_level1.netset

2
roles/mariadb/defaults/main.yml
View File

@ -1,5 +1,5 @@
--- ---
# file: roles/mariadb/defaults/main.yml # ansible.builtin.file: roles/mariadb/defaults/main.yml
# #
# Based on my running of mysqltuner.pl on a host with three WordPress databases # Based on my running of mysqltuner.pl on a host with three WordPress databases
# #

2
roles/mariadb/handlers/main.yml
View File

@ -1,5 +1,5 @@
--- ---
- name: restart mariadb - name: restart mariadb
systemd: name=mariadb state=restarted ansible.builtin.systemd: name=mariadb state=restarted
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

96
roles/mariadb/tasks/main.yml
View File

@ -1,55 +1,109 @@
--- ---
- name: Add GPG key for MariaDB repo - name: Remove MariaDB key from apt-key
apt_key: id=0x177F4010FE56CA3336300305F1656F24C74CD1D8 url=https://mariadb.org/mariadb_release_signing_key.asc ansible.builtin.apt_key:
register: add_mariadb_apt_key id: "013577200103762554506315430003013705453362230723150730"
tags: mariadb, packages state: absent
tags:
- packages
- mariadb
- name: Add MariaDB 10.5 repo - name: Check MariaDB package signing key
template: src=mariadb.list.j2 dest=/etc/apt/sources.list.d/mariadb.list owner=root group=root mode=0644 ansible.builtin.stat:
path: /etc/apt/keyrings/mariadb_release_signing_key.asc
register: mariadb_signing_key_stat
tags:
- packages
- mariadb
- name: Download MariaDB package signing key
ansible.builtin.get_url:
url: https://mariadb.org/mariadb_release_signing_key.asc
dest: /etc/apt/keyrings/mariadb_release_signing_key.asc
owner: root
group: root
mode: "0644"
register: download_mariadb_signing_key
when: not mariadb_signing_key_stat.stat.exists
tags:
- packages
- mariadb
- name: Add MariaDB 10.11 repo
ansible.builtin.apt_repository:
repo: deb [arch=amd64 signed-by=/etc/apt/keyrings/mariadb_release_signing_key.asc] https://dlm.mariadb.com/repo/mariadb-server/10.11/repo/debian {{ ansible_distribution_release
}} main
filename: mariadb
state: present
register: add_mariadb_apt_repository register: add_mariadb_apt_repository
tags: mariadb, packages tags:
- packages
- mariadb
- name: Update apt cache - name: Update apt cache
apt: ansible.builtin.apt: # noqa no-handler
update_cache: yes update_cache: true
when: when: (download_mariadb_signing_key.status_code is defined and download_mariadb_signing_key.status_code == 200) or add_mariadb_apt_repository is changed
add_mariadb_apt_key is changed or tags:
add_mariadb_apt_repository is changed - packages
- mariadb
- name: Install mariadb-server - name: Install mariadb-server
apt: name={{ item }} state=present cache_valid_time=3600 ansible.builtin.apt:
loop: name: [mariadb-server, python3-pymysql]
- mariadb-server state: present
- python3-pymysql # for ansible cache_valid_time: 3600
tags: mariadb, packages tags: mariadb, packages
- name: Create system my.cnf - name: Create system my.cnf
template: src=my.cnf.j2 dest=/etc/mysql/my.cnf owner=root group=root mode=0644 ansible.builtin.template:
src: my.cnf.j2
dest: /etc/mysql/my.cnf
owner: root
group: root
mode: "0644"
notify: notify:
- restart mariadb - restart mariadb
tags: mariadb tags: mariadb
# See: https://docs.ansible.com/ansible/latest/collections/community/mysql/mysql_user_module.html # See: https://docs.ansible.com/ansible/latest/collections/community/mysql/mysql_user_module.html
- name: Update MariaDB root password for all root accounts - name: Update MariaDB root password for all root accounts
mysql_user: name=root host={{ item }} password={{ mariadb_root_password }} login_unix_socket={{ mariadb_login_unix_socket }} community.mysql.mysql_user:
name: root
host: "{{ item }}"
password: "{{ mariadb_root_password }}"
login_unix_socket: "{{ mariadb_login_unix_socket }}"
loop: loop:
- 127.0.0.1 - 127.0.0.1
- ::1 - ::1
tags: mariadb tags: mariadb
- name: Create .my.conf file with root credentials - name: Create .my.conf file with root credentials
template: src=.my.cnf.j2 dest=/root/.my.cnf owner=root mode=0600 ansible.builtin.template:
src: .my.cnf.j2
dest: /root/.my.cnf
owner: root
mode: "0600"
tags: mariadb tags: mariadb
# See: https://docs.ansible.com/ansible/latest/collections/community/mysql/mysql_db_module.html # See: https://docs.ansible.com/ansible/latest/collections/community/mysql/mysql_db_module.html
- name: Create MariaDB database(s) - name: Create MariaDB database(s)
mysql_db: db={{ item.name }} state=present encoding=utf8mb4 login_unix_socket={{ mariadb_login_unix_socket }} community.mysql.mysql_db:
db: "{{ item.name }}"
state: present
encoding: utf8mb4
login_unix_socket: "{{ mariadb_login_unix_socket }}"
loop: "{{ mariadb_databases }}" loop: "{{ mariadb_databases }}"
when: mariadb_databases is defined when: mariadb_databases is defined
tags: mariadb tags: mariadb
- name: Create MariaDB user(s) - name: Create MariaDB user(s)
mysql_user: name={{ item.user }} password={{ item.pass }} priv={{ item.name }}.*:ALL host=127.0.0.1 state=present login_unix_socket={{ mariadb_login_unix_socket }} community.mysql.mysql_user:
name: "{{ item.user }}"
password: "{{ item.pass }}"
priv: "{{ item.name }}.*:ALL"
host: 127.0.0.1
state: present
login_unix_socket: "{{ mariadb_login_unix_socket }}"
loop: "{{ mariadb_databases }}" loop: "{{ mariadb_databases }}"
when: mariadb_databases is defined when: mariadb_databases is defined
tags: mariadb tags: mariadb

3
roles/mariadb/templates/mariadb.list.j2
View File

@ -1,3 +0,0 @@
{{ ansible_managed | comment }}
deb [arch=amd64] http://mirror.23media.de/mariadb/repo/10.5/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} main

4
roles/munin/handlers/main.yml
View File

@ -1,4 +1,4 @@
--- ---
# file: roles/munin/handlers/main.yml # ansible.builtin.file: roles/munin/handlers/main.yml
- name: restart munin-node - name: restart munin-node
systemd: name=munin-node state=restarted ansible.builtin.systemd: name=munin-node state=restarted

4
roles/munin/tasks/main.yml
View File

@ -1,8 +1,8 @@
--- ---
- name: Configure munin scraper - name: Configure munin scraper
import_tasks: munin.yml ansible.builtin.import_tasks: munin.yml
tags: munin tags: munin
- name: Configure munin listener - name: Configure munin listener
import_tasks: munin-node.yml ansible.builtin.import_tasks: munin-node.yml
tags: munin-node tags: munin-node

10
roles/munin/tasks/munin-node.yml
View File

@ -1,25 +1,25 @@
--- ---
- name: Install munin-node - name: Install munin-node
apt: name=munin-node state=present ansible.builtin.apt: name=munin-node state=present
tags: packages tags: packages
# some nice things to have for munin-node on Ubuntu # some nice things to have for munin-node on Ubuntu
# libwww-perl: for munin's nginx_status check # libwww-perl: for munin's nginx_status check
- name: Install munin-node deps - name: Install munin-node deps
apt: name=libwww-perl state=present ansible.builtin.apt: name=libwww-perl state=present
tags: packages tags: packages
- name: Create munin-node.conf - name: Create munin-node.conf
template: src=munin-node.conf.j2 dest=/etc/munin/munin-node.conf ansible.builtin.template: src=munin-node.conf.j2 dest=/etc/munin/munin-node.conf
notify: notify:
- restart munin-node - restart munin-node
- name: Configure munin-node - name: Configure munin-node
shell: munin-node-configure --shell --families=contrib,auto | sh -x ansible.builtin.shell: munin-node-configure --shell --families=contrib,auto | sh -x
notify: notify:
- restart munin-node - restart munin-node
- name: Start munin-node - name: Start munin-node
systemd: name=munin-node state=started enabled=true ansible.builtin.systemd: name=munin-node state=started enabled=true
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

4
roles/munin/tasks/munin.yml
View File

@ -1,9 +1,9 @@
--- ---
- name: Install munin package - name: Install munin package
apt: name=munin state=present ansible.builtin.apt: name=munin state=present
tags: packages tags: packages
- name: Create munin configuration file - name: Create munin configuration file
template: src=munin.conf.j2 dest=/etc/munin/munin.conf owner=root group=root mode=0644 ansible.builtin.template: src=munin.conf.j2 dest=/etc/munin/munin.conf owner=root group=root mode=0644
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

28
roles/nginx/defaults/main.yml
View File

@ -1,44 +1,44 @@
--- ---
# file: roles/nginx/defaults/main.yml # ansible.builtin.file: roles/nginx/defaults/main.yml
# path config # path config
nginx_confd_path: /etc/nginx/conf.d nginx_confd_path: /etc/nginx/conf.d
# parent directory of vhost roots # parent directory of vhost roots
nginx_root_prefix: /var/www nginx_root_prefix: "{{ web_root_prefix }}"
# 1 hour timeout # 1 day timeout
nginx_ssl_session_timeout: 1h nginx_ssl_session_timeout: 1d
# 10MB -> 40,000 sessions # 10MB -> 40,000 sessions
nginx_ssl_session_cache: shared:SSL:10m nginx_ssl_session_cache: shared:SSL:10m
# 1400 bytes to fit in one MTU (default is 16k!) nginx_ssl_buffer_size: 4k
nginx_ssl_buffer_size: 1400
nginx_ssl_dhparam: /etc/ssl/certs/dhparam.pem nginx_ssl_dhparam: /etc/ssl/certs/dhparam.pem
nginx_ssl_protocols: 'TLSv1.2 TLSv1.3' nginx_ssl_protocols: TLSv1.2 TLSv1.3
nginx_ssl_ecdh_curve: X25519:prime256v1:secp384r1
# DNS resolvers for OCSP stapling (default to Cloudflare public DNS) # DNS resolvers for OCSP stapling (default to Cloudflare public DNS)
# See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling # See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
nginx_ssl_stapling_resolver: '1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]' nginx_ssl_stapling_resolver: 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]
# HTTP Strict-Transport-Security header, recommended by Google to be ~1 year # HTTP Strict-Transport-Security header, recommended by Google to be ~1 year
# in seconds, see: https://hstspreload.org/ # in seconds, see: https://hstspreload.org/
nginx_hsts_max_age: 31536000 nginx_hsts_max_age: 31536000
# install acme.sh? # install acme.sh?
# True unless you're in development and using "localhost" + snakeoil certs # true unless you're in development and using "localhost" + snakeoil certs
use_letsencrypt: True use_letsencrypt: true
# Directory root for Let's Encrypt certs # Directory root for Let's Encrypt certs
letsencrypt_root: /etc/ssl letsencrypt_root: /etc/ssl
# Location where to save initial acme.sh script. After installation the script # Location where to save initial acme.sh script. After installation the script
# will automatically create its home in the /root/.acme.sh directory (including # will automatically create its home in the /root/.acme.sh directory (including
# a copy of the script itself). # a copy of the script itself). The initial script is not needed after.
letsencrypt_acme_script: /root/acme.sh letsencrypt_acme_script_temp: /root/acme.sh
letsencrypt_acme_home: /root/.acme.sh letsencrypt_acme_home: /root/.acme.sh
# stable is 1.20.x # stable is 1.26.x
# mainline is 1.21.x # mainline is 1.27.x
nginx_version: mainline nginx_version: mainline
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

2
roles/nginx/handlers/main.yml
View File

@ -1,5 +1,5 @@
--- ---
- name: reload nginx - name: reload nginx
systemd: name=nginx state=reloaded ansible.builtin.systemd: name=nginx state=reloaded
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

61
roles/nginx/tasks/letsencrypt.yml
View File

@ -1,29 +1,58 @@
--- ---
# Use acme.sh instead of certbot because they only support installation via # Use acme.sh instead of certbot because they only support installation via
# snap now. # snap now.
- block: - block:
- name: Remove certbot - name: Remove certbot
apt: ansible.builtin.apt:
name: certbot name: certbot
state: absent state: absent
- name: Remove old certbot post and pre hooks for nginx - name: Remove old certbot post and pre hooks for nginx
file: ansible.builtin.file:
dest: "{{ item }}" dest: "{{ item }}"
state: absent state: absent
with_items: with_items:
- /etc/letsencrypt/renewal-hooks/pre/stop-nginx.sh - /etc/letsencrypt/renewal-hooks/pre/stop-nginx.sh
- /etc/letsencrypt/renewal-hooks/post/start-nginx.sh - /etc/letsencrypt/renewal-hooks/post/start-nginx.sh
- name: Check if acme.sh is installed
ansible.builtin.stat:
path: "{{ letsencrypt_acme_home }}"
register: acme_home
- name: Download acme.sh - name: Download acme.sh
get_url: ansible.builtin.get_url:
url: https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh url: https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh
dest: "{{ letsencrypt_acme_script }}" dest: "{{ letsencrypt_acme_script_temp }}"
mode: 0700 mode: "0700"
register: acme_download
when: not acme_home.stat.exists
# Run the "install" for acme.sh so it creates the .acme.sh dir (currently I
# have to chdir to the /root directory where the script exists or else it
# fails. Ansible runs it, but the script can't find itself...).
- name: Install acme.sh
ansible.builtin.command:
cmd: "{{ letsencrypt_acme_script_temp }} --install --no-profile --no-cron"
creates: "{{ letsencrypt_acme_home }}/acme.sh"
chdir: /root
register: acme_install
when: acme_download is changed
- name: Remove temporary acme.sh script
ansible.builtin.file:
dest: "{{ letsencrypt_acme_script_temp }}"
state: absent
when:
- acme_install.rc is defined
- acme_install.rc == 0
- name: Set default certificate authority for acme.sh
ansible.builtin.command:
cmd: "{{ letsencrypt_acme_home }}/acme.sh --set-default-ca --server letsencrypt"
- name: Prepare Let's Encrypt well-known directory - name: Prepare Let's Encrypt well-known directory
file: ansible.builtin.file:
state: directory state: directory
path: /var/lib/letsencrypt/.well-known path: /var/lib/letsencrypt/.well-known
owner: root owner: root
@ -31,31 +60,31 @@
mode: g+s mode: g+s
- name: Copy systemd service to renew Let's Encrypt certs - name: Copy systemd service to renew Let's Encrypt certs
template: ansible.builtin.template:
src: renew-letsencrypt.service.j2 src: renew-letsencrypt.service.j2
dest: /etc/systemd/system/renew-letsencrypt.service dest: /etc/systemd/system/renew-letsencrypt.service
mode: 0644 mode: "0644"
owner: root owner: root
group: root group: root
- name: Copy systemd timer to renew Let's Encrypt certs - name: Copy systemd timer to renew Let's Encrypt certs
copy: ansible.builtin.copy:
src: renew-letsencrypt.timer src: renew-letsencrypt.timer
dest: /etc/systemd/system/renew-letsencrypt.timer dest: /etc/systemd/system/renew-letsencrypt.timer
mode: 0644 mode: "0644"
owner: root owner: root
group: root group: root
# always issues daemon-reload just in case the service/timer changed # always issues daemon-reload just in case the service/timer changed
- name: Start and enable systemd timer to renew Let's Encrypt certs - name: Start and enable systemd timer to renew Let's Encrypt certs
systemd: ansible.builtin.systemd:
name: renew-letsencrypt.timer name: renew-letsencrypt.timer
state: started state: started
enabled: yes enabled: true
daemon_reload: yes daemon_reload: true
when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_version
or (ansible_distribution == 'Debian' and ansible_distribution_version is version('11', '==')) is version('11', '>='))
tags: letsencrypt tags: letsencrypt
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

109
roles/nginx/tasks/main.yml
View File

@ -1,40 +1,69 @@
--- ---
- name: Add nginx.org apt signing key - name: Remove nginx apt signing key from apt-key
apt_key: id=0x573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 url=https://nginx.org/keys/nginx_signing.key state=present ansible.builtin.apt_key:
register: add_nginx_apt_key id: "053473772654754373614404074646527257655730117366337542"
tags: nginx, packages state: absent
tags:
- packages
- nginx
- name: Download nginx apt signing key
ansible.builtin.get_url:
url: https://nginx.org/keys/nginx_signing.key
dest: /usr/share/keyrings/nginx_signing.key
owner: root
group: root
mode: "0644"
checksum: sha256:55385da31d198fa6a5012d40ae98ecb272a6c4e8fffffba94719ffd3e87de37a
register: download_nginx_signing_key
tags:
- packages
- nginx
- name: Add nginx.org repo - name: Add nginx.org repo
template: src=nginx_org_sources.list.j2 dest=/etc/apt/sources.list.d/nginx_org_sources.list owner=root group=root mode=0644 ansible.builtin.template:
src: nginx_org_sources.list.j2
dest: /etc/apt/sources.list.d/nginx_org_sources.list
owner: root
group: root
mode: "0644"
register: add_nginx_apt_repository register: add_nginx_apt_repository
tags: nginx, packages tags:
- nginx
- packages
- name: Update apt cache - name: Update apt cache
apt: ansible.builtin.apt: # noqa no-handler
update_cache: yes update_cache: true
when: when: (download_nginx_signing_key.status_code is defined and download_nginx_signing_key.status_code == 200) or add_nginx_apt_repository is changed
add_nginx_apt_key is changed or
add_nginx_apt_repository is changed
- name: Set nginx packages - name: Install nginx
set_fact: ansible.builtin.apt:
nginx_packages: pkg: nginx
cache_valid_time: 3600
state: present
tags:
- nginx - nginx
- ssl-cert # for ssl-cert-snakeoil.pem in nginx - packages
tags: nginx, packages
- name: Install nginx packages
apt: pkg={{ nginx_packages }} cache_valid_time=3600 state=present
tags: nginx, packages
- name: Copy nginx.conf - name: Copy nginx.conf
template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf mode=0644 owner=root group=root ansible.builtin.template:
src: nginx.conf.j2
dest: /etc/nginx/nginx.conf
mode: "0644"
owner: root
group: root
notify: notify:
- reload nginx - reload nginx
tags: nginx tags: nginx
- name: Copy extra nginx configs - name: Copy extra nginx configs
copy: src={{ item }} dest=/etc/nginx/{{ item }} mode=0644 owner=root group=root ansible.builtin.copy:
src: "{{ item }}"
dest: /etc/nginx/{{ item }}
mode: "0644"
owner: root
group: root
loop: loop:
- extra-security.conf - extra-security.conf
- fastcgi_cache - fastcgi_cache
@ -43,41 +72,61 @@
tags: nginx tags: nginx
- name: Remove default nginx vhost - name: Remove default nginx vhost
file: path=/etc/nginx/conf.d/default.conf state=absent ansible.builtin.file:
path: /etc/nginx/conf.d/default.conf
state: absent
tags: nginx tags: nginx
- name: Create fastcgi cache dir - name: Create fastcgi cache dir
file: path=/var/cache/nginx/cached/fastcgi state=directory owner=nginx group=nginx mode=0755 ansible.builtin.file:
path: /var/cache/nginx/cached/fastcgi
state: directory
owner: nginx
group: nginx
mode: "0755"
tags: nginx tags: nginx
- name: Configure nginx virtual hosts - name: Configure nginx virtual hosts
include_tasks: vhosts.yml ansible.builtin.include_tasks: vhosts.yml
when: nginx_vhosts is defined when: nginx_vhosts is defined
tags: nginx tags: nginx
- name: Configure WordPress - name: Configure WordPress
include_tasks: wordpress.yml ansible.builtin.include_tasks: wordpress.yml
when: nginx_vhosts is defined when: nginx_vhosts is defined
tags: wordpress tags: wordpress
- name: Configure blank nginx vhost - name: Configure blank nginx vhost
template: src=blank-vhost.conf.j2 dest={{ nginx_confd_path }}/blank-vhost.conf mode=0644 owner=root group=root ansible.builtin.template:
src: blank-vhost.conf.j2
dest: "{{ nginx_confd_path }}/blank-vhost.conf"
mode: "0644"
owner: root
group: root
notify: notify:
- reload nginx - reload nginx
tags: nginx tags: nginx
- name: Configure munin vhost - name: Configure munin vhost
copy: src=munin.conf dest=/etc/nginx/conf.d/munin.conf mode=0644 owner=root group=root ansible.builtin.copy:
src: munin.conf
dest: /etc/nginx/conf.d/munin.conf
mode: "0644"
owner: root
group: root
notify: notify:
- reload nginx - reload nginx
tags: nginx tags: nginx
- name: Start and enable nginx service - name: Start and enable nginx service
systemd: name=nginx state=started enabled=yes ansible.builtin.systemd:
name: nginx
state: started
enabled: true
tags: nginx tags: nginx
- name: Configure Let's Encrypt - name: Configure Let's Encrypt
include_tasks: letsencrypt.yml ansible.builtin.include_tasks: letsencrypt.yml
tags: letsencrypt tags: letsencrypt
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

14
roles/nginx/tasks/vhosts.yml
View File

@ -1,22 +1,28 @@
--- ---
- block: - block:
- name: Configure https vhosts - name: Configure https vhosts
template: src=vhost.conf.j2 dest={{ nginx_confd_path }}/{{ item.domain_name }}.conf mode=0644 owner=root group=root ansible.builtin.template: src=vhost.conf.j2 dest={{ nginx_confd_path }}/{{ item.domain_name }}.conf mode=0644 owner=root group=root
loop: "{{ nginx_vhosts }}" loop: "{{ nginx_vhosts }}"
notify: notify:
- reload nginx - reload nginx
- name: Generate self-signed TLS cert
ansible.builtin.command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key
-out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt
notify:
- reload nginx
- name: Download 4096-bit RFC 7919 dhparams - name: Download 4096-bit RFC 7919 dhparams
get_url: ansible.builtin.get_url:
url: https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem url: https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem
checksum: sha256:64852d6890ff9e62eecd1ee89c72af9af244dfef5b853bcedea3dfd7aade22b3 checksum: sha256:64852d6890ff9e62eecd1ee89c72af9af244dfef5b853bcedea3dfd7aade22b3
dest: "{{ nginx_ssl_dhparam }}" dest: "{{ nginx_ssl_dhparam }}"
notify: notify:
- reload nginx - reload nginx
# TODO: this could break because we can override the document root in host vars
- name: Create vhost document roots - name: Create vhost document roots
file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory mode=0755 owner=nginx group=nginx ansible.builtin.file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory mode=0755 owner=nginx group=nginx
loop: "{{ nginx_vhosts }}" loop: "{{ nginx_vhosts }}"
tags: nginx tags: nginx

14
roles/nginx/tasks/wordpress.yml
View File

@ -1,14 +1,18 @@
--- ---
- block: - block:
- name: Install WordPress - name: Install WordPress
git: repo=https://github.com/WordPress/WordPress.git dest={{ nginx_root_prefix }}/{{ item.domain_name }}/wordpress version={{ item.wordpress_version }} depth=1 force=yes ansible.builtin.git: repo=https://github.com/WordPress/WordPress.git dest={{ nginx_root_prefix }}/{{ item.domain_name }}/wordpress version={{ item.wordpress_version
when: item.has_wordpress is defined and item.has_wordpress }} depth=1 force=true
when:
- item.has_wordpress is defined
- item.has_wordpress
loop: "{{ nginx_vhosts }}" loop: "{{ nginx_vhosts }}"
- name: Fix WordPress directory permissions - name: Fix WordPress directory permissions
file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory owner=nginx group=nginx recurse=yes ansible.builtin.file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory owner=nginx group=nginx recurse=true
when: item.has_wordpress is defined and item.has_wordpress when:
- item.has_wordpress is defined
- item.has_wordpress
loop: "{{ nginx_vhosts }}" loop: "{{ nginx_vhosts }}"
tags: wordpress tags: wordpress

12
roles/nginx/templates/blank-vhost.conf.j2
View File

@ -11,14 +11,16 @@ server {
return 444; return 444;
} }
server { server {
listen 443 ssl http2 default_server; listen 443 ssl default_server;
listen [::]:443 ssl http2 default_server; listen [::]:443 ssl default_server;
http2 on;
server_name _; server_name _;
# self-signed "snakeoil" certificate from ssl-cert package # self-signed "snakeoil" certificate
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem; ssl_certificate /etc/ssl/certs/nginx-snakeoil.crt;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key; ssl_certificate_key /etc/ssl/private/nginx-snakeoil.key;
ssl_session_timeout {{ nginx_ssl_session_timeout }}; ssl_session_timeout {{ nginx_ssl_session_timeout }};
ssl_session_cache {{ nginx_ssl_session_cache }}; ssl_session_cache {{ nginx_ssl_session_cache }};

5
roles/nginx/templates/gitea.j2 Normal file
View File

@ -0,0 +1,5 @@
location / {
proxy_pass http://localhost:3000;
}

20
roles/nginx/templates/https.j2
View File

@ -1,7 +1,7 @@
{# helper variables and per-site defaults that we can't set in role defaults #} {# helper variables and per-site defaults that we can't set in role defaults #}
{% set domain_name = item.domain_name %} {% set domain_name = item.domain_name %}
{# assume HSTS is off unless a vhost explicitly sets it to True #} {# assume HSTS is off unless a vhost explicitly sets it to true #}
{% set enable_hsts = item.enable_hsts | default(False) %} {% set enable_hsts = item.enable_hsts | default(false) %}
{# first, check if the current vhost has a custom cert (perhaps self-signed) #} {# first, check if the current vhost has a custom cert (perhaps self-signed) #}
{% if item.tls_certificate_path is defined and item.tls_key_path is defined %} {% if item.tls_certificate_path is defined and item.tls_key_path is defined %}
@ -27,27 +27,19 @@
ssl_dhparam {{ nginx_ssl_dhparam }}; ssl_dhparam {{ nginx_ssl_dhparam }};
ssl_protocols {{ nginx_ssl_protocols }}; ssl_protocols {{ nginx_ssl_protocols }};
ssl_ecdh_curve {{ nginx_ssl_ecdh_curve }};
ssl_ciphers "{{ tls_cipher_suite }}"; ssl_ciphers "{{ tls_cipher_suite }}";
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers off;
{# OSCP stapling only works with real certs #} {# OSCP stapling only works with real certs #}
{% if use_letsencrypt == True or item.tls_certificate_path %} {% if use_letsencrypt == true or item.tls_certificate_path %}
# OCSP stapling... # OCSP stapling...
ssl_stapling on; ssl_stapling on;
ssl_stapling_verify on; ssl_stapling_verify on;
resolver {{ nginx_ssl_stapling_resolver }}; resolver {{ nginx_ssl_stapling_resolver }};
{% endif %} {# end: use_letsencrypt #} {% endif %} {# end: use_letsencrypt #}
# nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and {% if enable_hsts == true %}
# when a restart is performed the previous key is lost, which resets all previous
# sessions. The fix for this is to setup a manual rotation mechanism:
# http://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx
#
# Note that you'll have to define and rotate the keys securely by yourself. In absence
# of such infrastructure, consider turning off session tickets:
ssl_session_tickets off;
{% if enable_hsts == True %}
# Enable this if you want HSTS (recommended, but be careful) # Enable this if you want HSTS (recommended, but be careful)
# Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
# See: https://hstspreload.appspot.com/ # See: https://hstspreload.appspot.com/

8
roles/nginx/templates/nginx_org_sources.list.j2
View File

@ -3,17 +3,17 @@
{% if ansible_distribution == 'Ubuntu' %} {% if ansible_distribution == 'Ubuntu' %}
{% if nginx_version == "stable" %} {% if nginx_version == "stable" %}
deb [arch=amd64] https://nginx.org/packages/ubuntu/ {{ ansible_distribution_release }} nginx deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/ubuntu/ {{ ansible_distribution_release }} nginx
{% elif nginx_version == "mainline" %} {% elif nginx_version == "mainline" %}
deb [arch=amd64] https://nginx.org/packages/mainline/ubuntu/ {{ ansible_distribution_release }} nginx deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/mainline/ubuntu/ {{ ansible_distribution_release }} nginx
{% endif %} {% endif %}
{% elif ansible_distribution == 'Debian' %} {% elif ansible_distribution == 'Debian' %}
{% if nginx_version == "stable" %} {% if nginx_version == "stable" %}
deb [arch=amd64] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx
{% elif nginx_version == "mainline" %} {% elif nginx_version == "mainline" %}
deb [arch=amd64] https://nginx.org/packages/mainline/debian/ {{ ansible_distribution_release }} nginx deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/mainline/debian/ {{ ansible_distribution_release }} nginx
{% endif %} {% endif %}
{% endif %} {% endif %}

52
roles/nginx/templates/vhost.conf.j2
View File

@ -4,9 +4,16 @@
{% set domain_name = item.domain_name %} {% set domain_name = item.domain_name %}
{% set domain_aliases = item.domain_aliases | default("") %} {% set domain_aliases = item.domain_aliases | default("") %}
{# assume optional features are off unless a vhost explicitly sets them #} {# assume optional features are off unless a vhost explicitly sets them #}
{% set enable_hsts = item.enable_hsts | default(False) %} {% set enable_hsts = item.enable_hsts | default(false) %}
{% set has_wordpress = item.has_wordpress | default(False) %} {% set has_wordpress = item.has_wordpress | default(false) %}
{% set needs_php = item.needs_php | default(False) %} {% set needs_php = item.needs_php | default(false) %}
{% set has_gitea = item.has_gitea | default(false) %}
{# Allow sites to override the document root #}
{% if item.document_root is defined %}
{% set document_root = item.document_root %}
{% else %}
{% set document_root = (nginx_root_prefix, domain_name) | ansible.builtin.path_join %}
{% endif %}
# http -> https vhost # http -> https vhost
server { server {
@ -25,36 +32,36 @@ server {
} }
server { server {
listen 443 ssl http2; listen 443 ssl;
listen [::]:443 ssl http2; listen [::]:443 ssl;
http2 on;
{# Allow sites to override the nginx document root #} root {{ document_root }};
{% if item.document_root is defined %}
root {{ item.document_root }};
{% else %}
root {{ nginx_root_prefix }}/{{ domain_name }};
{% endif %}
{# will only work if the TLS cert covers the domain + aliases, like example.com and www.example.com #} {# will only work if the TLS cert covers the domain + aliases, like example.com and www.example.com #}
server_name {{ domain_name }} {{ domain_aliases }}; server_name {{ domain_name }} {{ domain_aliases }};
index {% if has_wordpress == True or needs_php == True %}index.php{% else %}index.html{% endif %}; index {% if has_wordpress == true or needs_php == true %}index.php{% else %}index.html{% endif %};
access_log /var/log/nginx/{{ domain_name }}-access.log; access_log /var/log/nginx/{{ domain_name }}-access.log;
error_log /var/log/nginx/{{ domain_name }}-error.log; error_log /var/log/nginx/{{ domain_name }}-error.log;
{% include 'https.j2' %} {% include 'https.j2' %}
{% if has_wordpress == True %} {% if has_wordpress == true %}
{% include 'wordpress.j2' %} {% include 'wordpress.j2' %}
{% endif %} {% endif %}
{% if has_gitea == true %}
{% include 'gitea.j2' %}
{% endif %}
error_page 500 502 503 504 /50x.html; error_page 500 502 503 504 /50x.html;
location = /50x.html { location = /50x.html {
root /usr/share/nginx/html; root /usr/share/nginx/html;
} }
{% if has_wordpress == True or needs_php == True %} {% if has_wordpress == true or needs_php == true %}
location ~ [^/]\.php(/|$) { location ~ [^/]\.php(/|$) {
# Zero-day exploit defense. # Zero-day exploit defense.
# http://forum.nginx.org/read.php?2,88845,page=3 # http://forum.nginx.org/read.php?2,88845,page=3
@ -70,17 +77,8 @@ server {
# See: https://httpoxy.org/ # See: https://httpoxy.org/
fastcgi_param HTTP_PROXY ""; fastcgi_param HTTP_PROXY "";
{# As of Ubuntu 16.04 and Debian 9, the PHP-FPM configs are the same #} {% if ansible_distribution == 'Debian' and ansible_distribution_major_version is version('12', '==') %}
{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('16.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('9', '==')) %} fastcgi_pass unix:/run/php/php8.2-fpm-{{ domain_name }}.sock;
fastcgi_pass unix:/run/php/php7.0-fpm-{{ domain_name }}.sock;
{% elif ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('18.04', '==') %}
fastcgi_pass unix:/run/php/php7.2-fpm-{{ domain_name }}.sock;
{% elif ansible_distribution == 'Debian' and ansible_distribution_version is version('10', '==') %}
fastcgi_pass unix:/run/php/php7.3-fpm-{{ domain_name }}.sock;
{% elif (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_version is version('11', '==')) %}
fastcgi_pass unix:/run/php/php7.4-fpm-{{ domain_name }}.sock;
{% else %}
fastcgi_pass unix:/var/run/php5-fpm-{{ domain_name }}.sock;
{% endif %} {% endif %}
fastcgi_index index.php; fastcgi_index index.php;
# set script path relative to document root in server block # set script path relative to document root in server block
@ -94,7 +92,7 @@ server {
fastcgi_cache_bypass $http_pragma $wordpress_logged_in; fastcgi_cache_bypass $http_pragma $wordpress_logged_in;
fastcgi_no_cache $http_pragma $wordpress_logged_in; fastcgi_no_cache $http_pragma $wordpress_logged_in;
{% if enable_hsts == True %} {% if enable_hsts == true %}
# Enable this if you want HSTS (recommended, but be careful) # Enable this if you want HSTS (recommended, but be careful)
# Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
# See: https://hstspreload.appspot.com/ # See: https://hstspreload.appspot.com/
@ -108,7 +106,7 @@ server {
include extra-security.conf; include extra-security.conf;
} }
{% if has_wordpress == True %} {% if has_wordpress == true %}
# Check if a user is logged in # Check if a user is logged in
# if so, set $wordpress_logged_in = 1 # if so, set $wordpress_logged_in = 1
# otherwise, set $wordpress_logged_in = 0 # otherwise, set $wordpress_logged_in = 0

4
roles/nginx/templates/wordpress.j2
View File

@ -5,7 +5,7 @@
location / { location / {
try_files $uri $uri/ /index.php?$args; try_files $uri $uri/ /index.php?$args;
{% if enable_hsts == True %} {% if enable_hsts == true %}
# Enable this if you want HSTS (recommended, but be careful) # Enable this if you want HSTS (recommended, but be careful)
# Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
# See: https://hstspreload.appspot.com/ # See: https://hstspreload.appspot.com/
@ -16,7 +16,7 @@
location ~* \.(?:ico|css|js|gif|jpe?g|png|svg)$ { location ~* \.(?:ico|css|js|gif|jpe?g|png|svg)$ {
add_header Cache-Control "max-age=604800"; add_header Cache-Control "max-age=604800";
{% if enable_hsts == True %} {% if enable_hsts == true %}
# Enable this if you want HSTS (recommended, but be careful) # Enable this if you want HSTS (recommended, but be careful)
# Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
# See: https://hstspreload.appspot.com/ # See: https://hstspreload.appspot.com/

2
roles/php-fpm/defaults/main.yml
View File

@ -1,5 +1,5 @@
--- ---
# file: roles/php-fpm/defaults/main.yml # ansible.builtin.file: roles/php-fpm/defaults/main.yml
# default is on, but turn it off because of protection in nginx vhosts # default is on, but turn it off because of protection in nginx vhosts
cgi_fix_pathinfo: 0 cgi_fix_pathinfo: 0

16
roles/php-fpm/handlers/main.yml
View File

@ -1,14 +1,8 @@
--- ---
# For Ubuntu 18.04 # For Debian 12
- name: reload php7.2-fpm - name: reload php8.2-fpm
systemd: name=php7.2-fpm state=reloaded ansible.builtin.systemd:
name: php8.2-fpm
# For Debian 10 state: reloaded
- name: reload php7.3-fpm
systemd: name=php7.3-fpm state=reloaded
# For Ubuntu 20.04
- name: reload php7.4-fpm
systemd: name=php7.4-fpm state=reloaded
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

35
roles/php-fpm/tasks/Debian_10.yml
View File

@ -1,35 +0,0 @@
---
- block:
- name: Set php-fpm packages
set_fact:
php_fpm_packages:
- php-fpm
# for WordPress
- php-mysql
- php-gd
- php-curl
- name: Install php-fpm and deps
apt: name={{ php_fpm_packages }} state=present update_cache=yes
# only copy php-fpm config for vhosts that need WordPress or PHP
- name: Copy php-fpm pool config
template: src=php7.3-pool.conf.j2 dest=/etc/php/7.3/fpm/pool.d/{{ item.domain_name }}.conf owner=root group=root mode=0644
loop: "{{ nginx_vhosts }}"
when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
notify: reload php7.3-fpm
- name: Remove default www pool
file: path=/etc/php/7.3/fpm/pool.d/www.conf state=absent
notify: reload php7.3-fpm
# re-configure php.ini
- name: Update php.ini
template: src=php7.3-php.ini.j2 dest=/etc/php/7.3/fpm/php.ini owner=root group=root mode=0644
notify: reload php7.3-fpm
tags: php-fpm
when: install_php
# vim: set ts=2 sw=2:

50
roles/php-fpm/tasks/Debian_12.yml Normal file
View File

@ -0,0 +1,50 @@
---
- block:
- name: Set php-fpm packages
ansible.builtin.set_fact:
php_fpm_packages:
- php8.2-fpm
# for WordPress
- php8.2-mysql
- php8.2-gd
- php8.2-curl
- php8.2-xml
- name: Install php-fpm and deps
ansible.builtin.apt:
name: "{{ php_fpm_packages }}"
state: present
update_cache: true
# only copy php-fpm config for vhosts that need WordPress or PHP
- name: Copy php-fpm pool config
ansible.builtin.template:
src: php8.2-pool.conf.j2
dest: /etc/php/8.2/fpm/pool.d/{{ item.domain_name }}.conf
owner: root
group: root
mode: "0644"
loop: "{{ nginx_vhosts }}"
when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
notify: reload php8.2-fpm
- name: Remove default www pool
ansible.builtin.file:
path: /etc/php/8.2/fpm/pool.d/www.conf
state: absent
notify: reload php8.2-fpm
# re-configure php.ini
- name: Update php.ini
ansible.builtin.template:
src: php8.2-php.ini.j2
dest: /etc/php/8.2/fpm/php.ini
owner: root
group: root
mode: "0644"
notify: reload php8.2-fpm
tags: php-fpm
when: install_php
# vim: set ts=2 sw=2:

35
roles/php-fpm/tasks/Ubuntu_18.04.yml
View File

@ -1,35 +0,0 @@
---
- block:
- name: Set php-fpm packages
set_fact:
php_fpm_packages:
- php-fpm
# for WordPress
- php-mysql
- php-gd
- php-curl
- name: Install php-fpm and deps
apt: name={{ php_fpm_packages }} state=present update_cache=yes
# only copy php-fpm config for vhosts that need WordPress or PHP
- name: Copy php-fpm pool config
template: src=php7.2-pool.conf.j2 dest=/etc/php/7.2/fpm/pool.d/{{ item.domain_name }}.conf owner=root group=root mode=0644
loop: "{{ nginx_vhosts }}"
when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
notify: reload php7.2-fpm
- name: Remove default www pool
file: path=/etc/php/7.2/fpm/pool.d/www.conf state=absent
notify: reload php7.2-fpm
# re-configure php.ini
- name: Update php.ini
template: src=php7.2-php.ini.j2 dest=/etc/php/7.2/fpm/php.ini owner=root group=root mode=0644
notify: reload php7.2-fpm
tags: php-fpm
when: install_php
# vim: set ts=2 sw=2:

36
roles/php-fpm/tasks/Ubuntu_20.04.yml
View File

@ -1,36 +0,0 @@
---
- block:
- name: Set php-fpm packages
set_fact:
php_fpm_packages:
- php7.4-fpm
# for WordPress
- php7.4-mysql
- php7.4-gd
- php7.4-curl
- php7.4-xml
- name: Install php-fpm and deps
apt: name={{ php_fpm_packages }} state=present update_cache=yes
# only copy php-fpm config for vhosts that need WordPress or PHP
- name: Copy php-fpm pool config
template: src=php7.4-pool.conf.j2 dest=/etc/php/7.4/fpm/pool.d/{{ item.domain_name }}.conf owner=root group=root mode=0644
loop: "{{ nginx_vhosts }}"
when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
notify: reload php7.4-fpm
- name: Remove default www pool
file: path=/etc/php/7.4/fpm/pool.d/www.conf state=absent
notify: reload php7.4-fpm
# re-configure php.ini
- name: Update php.ini
template: src=php7.4-php.ini.j2 dest=/etc/php/7.4/fpm/php.ini owner=root group=root mode=0644
notify: reload php7.4-fpm
tags: php-fpm
when: install_php
# vim: set ts=2 sw=2:

49
roles/php-fpm/tasks/main.yml
View File

@ -1,50 +1,35 @@
--- ---
# Ubuntu 18.04 uses php-fpm 7.2 # Debian 12 uses PHP 8.2
# Debian 10 uses php-fpm 7.3
# Ubuntu 20.04 uses PHP 7.4
# Debian 11 uses PHP 7.4
# If any of the vhosts on this host need WordPress then we need to install PHP. # If any of the vhosts on this host need WordPress then we need to install PHP.
# This uses selectattr to filter the list of dicts in nginx_vhosts, selecting # This uses selectattr to filter the list of dicts in nginx_vhosts, selecting
# any that have has_wordpress defined, and has_wordpress set to True. # any that have has_wordpress defined, and has_wordpress set to true.
# #
# See: https://stackoverflow.com/a/31896249 # See: https://stackoverflow.com/a/31896249
- name: Check if any vhost needs WordPress - name: Check if any vhost needs WordPress
set_fact: ansible.builtin.set_fact:
install_php: True install_php: true
when: "nginx_vhosts | selectattr('has_wordpress', 'defined') | selectattr('has_wordpress', 'equalto', True) | list | length > 0" when: nginx_vhosts | selectattr('has_wordpress', 'defined') | selectattr('has_wordpress', 'equalto', true) | list | length > 0
# Legacy, was only for Piwik, but leaving for now. # Legacy, was only for Piwik, but leaving for now.
- name: Check if any vhost needs PHP - name: Check if any vhost needs PHP
set_fact: ansible.builtin.set_fact:
install_php: True install_php: true
when: "nginx_vhosts | selectattr('needs_php', 'defined') | selectattr('needs_php', 'equalto', True) | list | length > 0" when: nginx_vhosts | selectattr('needs_php', 'defined') | selectattr('needs_php', 'equalto', true) | list | length > 0
# If install_php has not been set, then we assume no vhosts need PHP. This is # If install_php has not been set, then we assume no vhosts need PHP. This is
# a bit hacky, but it's the closest we come to an if/then/else. # a bit hacky, but it's the closest we come to an if/then/else.
- name: Set install_php to False - name: Set install_php to false
set_fact: ansible.builtin.set_fact:
install_php: False install_php: false
when: install_php is not defined when: install_php is not defined
- name: Configure php-fpm on Ubuntu 18.04 - name: Configure php-fpm on Debian 12
include_tasks: Ubuntu_18.04.yml ansible.builtin.include_tasks: Debian_12.yml
when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('18.04', '==') and install_php when:
tags: php-fpm - ansible_distribution == 'Debian'
- ansible_distribution_major_version is version('12', '==')
- name: Configure php-fpm on Debian 10 - install_php
include_tasks: Debian_10.yml
when: ansible_distribution == 'Debian' and ansible_distribution_version is version('10', '==') and install_php
tags: php-fpm
- name: Configure php-fpm on Ubuntu 20.04
include_tasks: Ubuntu_20.04.yml
when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==') and install_php
tags: php-fpm
- name: Configure php-fpm on Debian 11
include_tasks: Ubuntu_20.04.yml
when: ansible_distribution == 'Debian' and ansible_distribution_version is version('11', '==') and install_php
tags: php-fpm tags: php-fpm
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

1915
roles/php-fpm/templates/php7.2-php.ini.j2
View File

File diff suppressed because it is too large Load Diff

415
roles/php-fpm/templates/php7.2-pool.conf.j2
View File

@ -1,415 +0,0 @@
{% set domain_name = item.domain_name %}
; Start a new pool named '{{ domain_name }}'.
; the variable $pool can we used in any directive and will be replaced by the
; pool name ('{{ domain_name }}' here)
[{{ domain_name }}]
; Per pool prefix
; It only applies on the following directives:
; - 'access.log'
; - 'slowlog'
; - 'listen' (unixsocket)
; - 'chroot'
; - 'chdir'
; - 'php_values'
; - 'php_admin_values'
; When not set, the global prefix (or /usr) applies instead.
; Note: This directive can also be relative to the global prefix.
; Default Value: none
;prefix = /path/to/pools/$pool
; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's group
; will be used.
user = nginx
group = nginx
; The address on which to accept FastCGI requests.
; Valid syntaxes are:
; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
; a specific port;
; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
; a specific port;
; 'port' - to listen on a TCP socket to all addresses
; (IPv6 and IPv4-mapped) on a specific port;
; '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory.
listen = /run/php/php7.2-fpm-{{ domain_name }}.sock
; Set listen(2) backlog.
; Default Value: 511 (-1 on FreeBSD and OpenBSD)
;listen.backlog = 511
; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many
; BSD-derived systems allow connections regardless of permissions.
; Default Values: user and group are set as the running user
; mode is set to 0660
listen.owner = nginx
listen.group = nginx
;listen.mode = 0660
; When POSIX Access Control Lists are supported you can set them using
; these options, value is a comma separated list of user/group names.
; When set, listen.owner and listen.group are ignored
;listen.acl_users =
;listen.acl_groups =
; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
; must be separated by a comma. If this value is left blank, connections will be
; accepted from any ip address.
; Default Value: any
;listen.allowed_clients = 127.0.0.1
; Specify the nice(2) priority to apply to the pool processes (only if set)
; The value can vary from -19 (highest priority) to 20 (lower priority)
; Note: - It will only work if the FPM master process is launched as root
; - The pool processes will inherit the master process priority
; unless it specified otherwise
; Default Value: no set
; process.priority = -19
; Choose how the process manager will control the number of child processes.
; Possible Values:
; static - a fixed number (pm.max_children) of child processes;
; dynamic - the number of child processes are set dynamically based on the
; following directives. With this process management, there will be
; always at least 1 children.
; pm.max_children - the maximum number of children that can
; be alive at the same time.
; pm.start_servers - the number of children created on startup.
; pm.min_spare_servers - the minimum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is less than this
; number then some children will be created.
; pm.max_spare_servers - the maximum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is greater than this
; number then some children will be killed.
; ondemand - no children are created at startup. Children will be forked when
; new requests will connect. The following parameter are used:
; pm.max_children - the maximum number of children that
; can be alive at the same time.
; pm.process_idle_timeout - The number of seconds after which
; an idle process will be killed.
; Note: This value is mandatory.
pm = dynamic
; The number of child processes to be created when pm is set to 'static' and the
; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
; This value sets the limit on the number of simultaneous requests that will be
; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
; CGI. The below defaults are based on a server without much resources. Don't
; forget to tweak pm.* to fit your needs.
; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
; Note: This value is mandatory.
pm.max_children = 5
; The number of child processes created on startup.
; Note: Used only when pm is set to 'dynamic'
; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
pm.start_servers = 2
; The desired minimum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.min_spare_servers = 1
; The desired maximum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.max_spare_servers = 3
; The number of seconds after which an idle process will be killed.
; Note: Used only when pm is set to 'ondemand'
; Default Value: 10s
;pm.process_idle_timeout = 10s;
; The number of requests each child process should execute before respawning.
; This can be useful to work around memory leaks in 3rd party libraries. For
; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
; Default Value: 0
;pm.max_requests = 500
; The URI to view the FPM status page. If this value is not set, no URI will be
; recognized as a status page. It shows the following informations:
; pool - the name of the pool;
; process manager - static, dynamic or ondemand;
; start time - the date and time FPM has started;
; start since - number of seconds since FPM has started;
; accepted conn - the number of request accepted by the pool;
; listen queue - the number of request in the queue of pending
; connections (see backlog in listen(2));
; max listen queue - the maximum number of requests in the queue
; of pending connections since FPM has started;
; listen queue len - the size of the socket queue of pending connections;
; idle processes - the number of idle processes;
; active processes - the number of active processes;
; total processes - the number of idle + active processes;
; max active processes - the maximum number of active processes since FPM
; has started;
; max children reached - number of times, the process limit has been reached,
; when pm tries to start more children (works only for
; pm 'dynamic' and 'ondemand');
; Value are updated in real time.
; Example output:
; pool: www
; process manager: static
; start time: 01/Jul/2011:17:53:49 +0200
; start since: 62636
; accepted conn: 190460
; listen queue: 0
; max listen queue: 1
; listen queue len: 42
; idle processes: 4
; active processes: 11
; total processes: 15
; max active processes: 12
; max children reached: 0
;
; By default the status page output is formatted as text/plain. Passing either
; 'html', 'xml' or 'json' in the query string will return the corresponding
; output syntax. Example:
; http://www.foo.bar/status
; http://www.foo.bar/status?json
; http://www.foo.bar/status?html
; http://www.foo.bar/status?xml
;
; By default the status page only outputs short status. Passing 'full' in the
; query string will also return status for each pool process.
; Example:
; http://www.foo.bar/status?full
; http://www.foo.bar/status?json&full
; http://www.foo.bar/status?html&full
; http://www.foo.bar/status?xml&full
; The Full status returns for each process:
; pid - the PID of the process;
; state - the state of the process (Idle, Running, ...);
; start time - the date and time the process has started;
; start since - the number of seconds since the process has started;
; requests - the number of requests the process has served;
; request duration - the duration in µs of the requests;
; request method - the request method (GET, POST, ...);
; request URI - the request URI with the query string;
; content length - the content length of the request (only with POST);
; user - the user (PHP_AUTH_USER) (or '-' if not set);
; script - the main script called (or '-' if not set);
; last request cpu - the %cpu the last request consumed
; it's always 0 if the process is not in Idle state
; because CPU calculation is done when the request
; processing has terminated;
; last request memory - the max amount of memory the last request consumed
; it's always 0 if the process is not in Idle state
; because memory calculation is done when the request
; processing has terminated;
; If the process is in Idle state, then informations are related to the
; last request the process has served. Otherwise informations are related to
; the current request being served.
; Example output:
; ************************
; pid: 31330
; state: Running
; start time: 01/Jul/2011:17:53:49 +0200
; start since: 63087
; requests: 12808
; request duration: 1250261
; request method: GET
; request URI: /test_mem.php?N=10000
; content length: 0
; user: -
; script: /home/fat/web/docs/php/test_mem.php
; last request cpu: 0.00
; last request memory: 0
;
; Note: There is a real-time FPM status monitoring sample web page available
; It's available in: /usr/share/php/7.2/fpm/status.html
;
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
;pm.status_path = /status
; The ping URI to call the monitoring page of FPM. If this value is not set, no
; URI will be recognized as a ping page. This could be used to test from outside
; that FPM is alive and responding, or to
; - create a graph of FPM availability (rrd or such);
; - remove a server from a group if it is not responding (load balancing);
; - trigger alerts for the operating team (24/7).
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
;ping.path = /ping
; This directive may be used to customize the response of a ping request. The
; response is formatted as text/plain with a 200 response code.
; Default Value: pong
;ping.response = pong
; The access log file
; Default: not set
;access.log = log/$pool.access.log
; The access log format.
; The following syntax is allowed
; %%: the '%' character
; %C: %CPU used by the request
; it can accept the following format:
; - %{user}C for user CPU only
; - %{system}C for system CPU only
; - %{total}C for user + system CPU (default)
; %d: time taken to serve the request
; it can accept the following format:
; - %{seconds}d (default)
; - %{miliseconds}d
; - %{mili}d
; - %{microseconds}d
; - %{micro}d
; %e: an environment variable (same as $_ENV or $_SERVER)
; it must be associated with embraces to specify the name of the env
; variable. Some exemples:
; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
; %f: script filename
; %l: content-length of the request (for POST request only)
; %m: request method
; %M: peak of memory allocated by PHP
; it can accept the following format:
; - %{bytes}M (default)
; - %{kilobytes}M
; - %{kilo}M
; - %{megabytes}M
; - %{mega}M
; %n: pool name
; %o: output header
; it must be associated with embraces to specify the name of the header:
; - %{Content-Type}o
; - %{X-Powered-By}o
; - %{Transfert-Encoding}o
; - ....
; %p: PID of the child that serviced the request
; %P: PID of the parent of the child that serviced the request
; %q: the query string
; %Q: the '?' character if query string exists
; %r: the request URI (without the query string, see %q and %Q)
; %R: remote IP address
; %s: status (response code)
; %t: server time the request was received
; it can accept a strftime(3) format:
; %d/%b/%Y:%H:%M:%S %z (default)
; %T: time the log has been written (the request has finished)
; it can accept a strftime(3) format:
; %d/%b/%Y:%H:%M:%S %z (default)
; %u: remote user
;
; Default: "%R - %u %t \"%m %r\" %s"
;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
; The log file for slow requests
; Default Value: not set
; Note: slowlog is mandatory if request_slowlog_timeout is set
;slowlog = log/$pool.log.slow
; The timeout for serving a single request after which a PHP backtrace will be
; dumped to the 'slowlog' file. A value of '0s' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_slowlog_timeout = 0
; Depth of slow log stack trace.
; Default Value: 20
;request_slowlog_trace_depth = 20
; The timeout for serving a single request after which the worker process will
; be killed. This option should be used when the 'max_execution_time' ini option
; does not stop script execution for some reason. A value of '0' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_terminate_timeout = 0
; Set open file descriptor rlimit.
; Default Value: system defined value
;rlimit_files = 1024
; Set max core size rlimit.
; Possible Values: 'unlimited' or an integer greater or equal to 0
; Default Value: system defined value
;rlimit_core = 0
; Chroot to this directory at the start. This value must be defined as an
; absolute path. When this value is not set, chroot is not used.
; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
; of its subdirectories. If the pool prefix is not set, the global prefix
; will be used instead.
; Note: chrooting is a great security feature and should be used whenever
; possible. However, all PHP paths will be relative to the chroot
; (error_log, sessions.save_path, ...).
; Default Value: not set
;chroot =
; Chdir to this directory at the start.
; Note: relative path can be used.
; Default Value: current directory or / when chroot
;chdir = /var/www
; Redirect worker stdout and stderr into main error log. If not set, stdout and
; stderr will be redirected to /dev/null according to FastCGI specs.
; Note: on highloaded environement, this can cause some delay in the page
; process time (several ms).
; Default Value: no
catch_workers_output = yes
; Clear environment in FPM workers
; Prevents arbitrary environment variables from reaching FPM worker processes
; by clearing the environment in workers before env vars specified in this
; pool configuration are added.
; Setting to "no" will make all environment variables available to PHP code
; via getenv(), $_ENV and $_SERVER.
; Default Value: yes
;clear_env = no
; Limits the extensions of the main script FPM will allow to parse. This can
; prevent configuration mistakes on the web server side. You should only limit
; FPM to .php extensions to prevent malicious users to use other extensions to
; execute php code.
; Note: set an empty value to allow all extensions.
; Default Value: .php
;security.limit_extensions = .php .php3 .php4 .php5 .php7
; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
; the current environment.
; Default Value: clean env
;env[HOSTNAME] = $HOSTNAME
;env[PATH] = /usr/local/bin:/usr/bin:/bin
;env[TMP] = /tmp
;env[TMPDIR] = /tmp
;env[TEMP] = /tmp
; Additional php.ini defines, specific to this pool of workers. These settings
; overwrite the values previously defined in the php.ini. The directives are the
; same as the PHP SAPI:
; php_value/php_flag - you can set classic ini defines which can
; be overwritten from PHP call 'ini_set'.
; php_admin_value/php_admin_flag - these directives won't be overwritten by
; PHP call 'ini_set'
; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
; Defining 'extension' will load the corresponding shared extension from
; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
; overwrite previously defined php.ini values, but will append the new value
; instead.
; Note: path INI options can be relative and will be expanded with the prefix
; (pool, global or /usr)
; Default Value: nothing is defined by default except the values in php.ini and
; specified at startup with the -d argument
;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
;php_flag[display_errors] = off
;php_admin_value[error_log] = /var/log/fpm-php.www.log
;php_admin_flag[log_errors] = on
;php_admin_value[memory_limit] = 32M

1946
roles/php-fpm/templates/php7.3-php.ini.j2
View File

File diff suppressed because it is too large Load Diff

428
roles/php-fpm/templates/php7.3-pool.conf.j2
View File

@ -1,428 +0,0 @@
{% set domain_name = item.domain_name %}
; Start a new pool named '{{ domain_name }}'.
; the variable $pool can be used in any directive and will be replaced by the
; pool name ('{{ domain_name }}' here)
[{{ domain_name }}]
; Per pool prefix
; It only applies on the following directives:
; - 'access.log'
; - 'slowlog'
; - 'listen' (unixsocket)
; - 'chroot'
; - 'chdir'
; - 'php_values'
; - 'php_admin_values'
; When not set, the global prefix (or /usr) applies instead.
; Note: This directive can also be relative to the global prefix.
; Default Value: none
;prefix = /path/to/pools/$pool
; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's group
; will be used.
user = nginx
group = nginx
; The address on which to accept FastCGI requests.
; Valid syntaxes are:
; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
; a specific port;
; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
; a specific port;
; 'port' - to listen on a TCP socket to all addresses
; (IPv6 and IPv4-mapped) on a specific port;
; '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory.
listen = /run/php/php7.3-fpm-{{ domain_name }}.sock
; Set listen(2) backlog.
; Default Value: 511 (-1 on FreeBSD and OpenBSD)
;listen.backlog = 511
; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many
; BSD-derived systems allow connections regardless of permissions.
; Default Values: user and group are set as the running user
; mode is set to 0660
listen.owner = nginx
listen.group = nginx
;listen.mode = 0660
; When POSIX Access Control Lists are supported you can set them using
; these options, value is a comma separated list of user/group names.
; When set, listen.owner and listen.group are ignored
;listen.acl_users =
;listen.acl_groups =
; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
; must be separated by a comma. If this value is left blank, connections will be
; accepted from any ip address.
; Default Value: any
;listen.allowed_clients = 127.0.0.1
; Specify the nice(2) priority to apply to the pool processes (only if set)
; The value can vary from -19 (highest priority) to 20 (lower priority)
; Note: - It will only work if the FPM master process is launched as root
; - The pool processes will inherit the master process priority
; unless it specified otherwise
; Default Value: no set
; process.priority = -19
; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user
; or group is differrent than the master process user. It allows to create process
; core dump and ptrace the process for the pool user.
; Default Value: no
; process.dumpable = yes
; Choose how the process manager will control the number of child processes.
; Possible Values:
; static - a fixed number (pm.max_children) of child processes;
; dynamic - the number of child processes are set dynamically based on the
; following directives. With this process management, there will be
; always at least 1 children.
; pm.max_children - the maximum number of children that can
; be alive at the same time.
; pm.start_servers - the number of children created on startup.
; pm.min_spare_servers - the minimum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is less than this
; number then some children will be created.
; pm.max_spare_servers - the maximum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is greater than this
; number then some children will be killed.
; ondemand - no children are created at startup. Children will be forked when
; new requests will connect. The following parameter are used:
; pm.max_children - the maximum number of children that
; can be alive at the same time.
; pm.process_idle_timeout - The number of seconds after which
; an idle process will be killed.
; Note: This value is mandatory.
pm = dynamic
; The number of child processes to be created when pm is set to 'static' and the
; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
; This value sets the limit on the number of simultaneous requests that will be
; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
; CGI. The below defaults are based on a server without much resources. Don't
; forget to tweak pm.* to fit your needs.
; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
; Note: This value is mandatory.
pm.max_children = 5
; The number of child processes created on startup.
; Note: Used only when pm is set to 'dynamic'
; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
pm.start_servers = 2
; The desired minimum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.min_spare_servers = 1
; The desired maximum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.max_spare_servers = 3
; The number of seconds after which an idle process will be killed.
; Note: Used only when pm is set to 'ondemand'
; Default Value: 10s
;pm.process_idle_timeout = 10s;
; The number of requests each child process should execute before respawning.
; This can be useful to work around memory leaks in 3rd party libraries. For
; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
; Default Value: 0
;pm.max_requests = 500
; The URI to view the FPM status page. If this value is not set, no URI will be
; recognized as a status page. It shows the following informations:
; pool - the name of the pool;
; process manager - static, dynamic or ondemand;
; start time - the date and time FPM has started;
; start since - number of seconds since FPM has started;
; accepted conn - the number of request accepted by the pool;
; listen queue - the number of request in the queue of pending
; connections (see backlog in listen(2));
; max listen queue - the maximum number of requests in the queue
; of pending connections since FPM has started;
; listen queue len - the size of the socket queue of pending connections;
; idle processes - the number of idle processes;
; active processes - the number of active processes;
; total processes - the number of idle + active processes;
; max active processes - the maximum number of active processes since FPM
; has started;
; max children reached - number of times, the process limit has been reached,
; when pm tries to start more children (works only for
; pm 'dynamic' and 'ondemand');
; Value are updated in real time.
; Example output:
; pool: www
; process manager: static
; start time: 01/Jul/2011:17:53:49 +0200
; start since: 62636
; accepted conn: 190460
; listen queue: 0
; max listen queue: 1
; listen queue len: 42
; idle processes: 4
; active processes: 11
; total processes: 15
; max active processes: 12
; max children reached: 0
;
; By default the status page output is formatted as text/plain. Passing either
; 'html', 'xml' or 'json' in the query string will return the corresponding
; output syntax. Example:
; http://www.foo.bar/status
; http://www.foo.bar/status?json
; http://www.foo.bar/status?html
; http://www.foo.bar/status?xml
;
; By default the status page only outputs short status. Passing 'full' in the
; query string will also return status for each pool process.
; Example:
; http://www.foo.bar/status?full
; http://www.foo.bar/status?json&full
; http://www.foo.bar/status?html&full
; http://www.foo.bar/status?xml&full
; The Full status returns for each process:
; pid - the PID of the process;
; state - the state of the process (Idle, Running, ...);
; start time - the date and time the process has started;
; start since - the number of seconds since the process has started;
; requests - the number of requests the process has served;
; request duration - the duration in µs of the requests;
; request method - the request method (GET, POST, ...);
; request URI - the request URI with the query string;
; content length - the content length of the request (only with POST);
; user - the user (PHP_AUTH_USER) (or '-' if not set);
; script - the main script called (or '-' if not set);
; last request cpu - the %cpu the last request consumed
; it's always 0 if the process is not in Idle state
; because CPU calculation is done when the request
; processing has terminated;
; last request memory - the max amount of memory the last request consumed
; it's always 0 if the process is not in Idle state
; because memory calculation is done when the request
; processing has terminated;
; If the process is in Idle state, then informations are related to the
; last request the process has served. Otherwise informations are related to
; the current request being served.
; Example output:
; ************************
; pid: 31330
; state: Running
; start time: 01/Jul/2011:17:53:49 +0200
; start since: 63087
; requests: 12808
; request duration: 1250261
; request method: GET
; request URI: /test_mem.php?N=10000
; content length: 0
; user: -
; script: /home/fat/web/docs/php/test_mem.php
; last request cpu: 0.00
; last request memory: 0
;
; Note: There is a real-time FPM status monitoring sample web page available
; It's available in: /usr/share/php/7.3/fpm/status.html
;
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
;pm.status_path = /status
; The ping URI to call the monitoring page of FPM. If this value is not set, no
; URI will be recognized as a ping page. This could be used to test from outside
; that FPM is alive and responding, or to
; - create a graph of FPM availability (rrd or such);
; - remove a server from a group if it is not responding (load balancing);
; - trigger alerts for the operating team (24/7).
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
;ping.path = /ping
; This directive may be used to customize the response of a ping request. The
; response is formatted as text/plain with a 200 response code.
; Default Value: pong
;ping.response = pong
; The access log file
; Default: not set
;access.log = log/$pool.access.log
; The access log format.
; The following syntax is allowed
; %%: the '%' character
; %C: %CPU used by the request
; it can accept the following format:
; - %{user}C for user CPU only
; - %{system}C for system CPU only
; - %{total}C for user + system CPU (default)
; %d: time taken to serve the request
; it can accept the following format:
; - %{seconds}d (default)
; - %{miliseconds}d
; - %{mili}d
; - %{microseconds}d
; - %{micro}d
; %e: an environment variable (same as $_ENV or $_SERVER)
; it must be associated with embraces to specify the name of the env
; variable. Some exemples:
; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
; %f: script filename
; %l: content-length of the request (for POST request only)
; %m: request method
; %M: peak of memory allocated by PHP
; it can accept the following format:
; - %{bytes}M (default)
; - %{kilobytes}M
; - %{kilo}M
; - %{megabytes}M
; - %{mega}M
; %n: pool name
; %o: output header
; it must be associated with embraces to specify the name of the header:
; - %{Content-Type}o
; - %{X-Powered-By}o
; - %{Transfert-Encoding}o
; - ....
; %p: PID of the child that serviced the request
; %P: PID of the parent of the child that serviced the request
; %q: the query string
; %Q: the '?' character if query string exists
; %r: the request URI (without the query string, see %q and %Q)
; %R: remote IP address
; %s: status (response code)
; %t: server time the request was received
; it can accept a strftime(3) format:
; The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
; %T: time the log has been written (the request has finished)
; it can accept a strftime(3) format:
; The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
; %u: remote user
;
; Default: "%R - %u %t \"%m %r\" %s"
;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
; The log file for slow requests
; Default Value: not set
; Note: slowlog is mandatory if request_slowlog_timeout is set
;slowlog = log/$pool.log.slow
; The timeout for serving a single request after which a PHP backtrace will be
; dumped to the 'slowlog' file. A value of '0s' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_slowlog_timeout = 0
; Depth of slow log stack trace.
; Default Value: 20
;request_slowlog_trace_depth = 20
; The timeout for serving a single request after which the worker process will
; be killed. This option should be used when the 'max_execution_time' ini option
; does not stop script execution for some reason. A value of '0' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_terminate_timeout = 0
; Set open file descriptor rlimit.
; Default Value: system defined value
;rlimit_files = 1024
; Set max core size rlimit.
; Possible Values: 'unlimited' or an integer greater or equal to 0
; Default Value: system defined value
;rlimit_core = 0
; Chroot to this directory at the start. This value must be defined as an
; absolute path. When this value is not set, chroot is not used.
; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
; of its subdirectories. If the pool prefix is not set, the global prefix
; will be used instead.
; Note: chrooting is a great security feature and should be used whenever
; possible. However, all PHP paths will be relative to the chroot
; (error_log, sessions.save_path, ...).
; Default Value: not set
;chroot =
; Chdir to this directory at the start.
; Note: relative path can be used.
; Default Value: current directory or / when chroot
;chdir = /var/www
; Redirect worker stdout and stderr into main error log. If not set, stdout and
; stderr will be redirected to /dev/null according to FastCGI specs.
; Note: on highloaded environement, this can cause some delay in the page
; process time (several ms).
; Default Value: no
;catch_workers_output = yes
; Decorate worker output with prefix and suffix containing information about
; the child that writes to the log and if stdout or stderr is used as well as
; log level and time. This options is used only if catch_workers_output is yes.
; Settings to "no" will output data as written to the stdout or stderr.
; Default value: yes
;decorate_workers_output = no
; Clear environment in FPM workers
; Prevents arbitrary environment variables from reaching FPM worker processes
; by clearing the environment in workers before env vars specified in this
; pool configuration are added.
; Setting to "no" will make all environment variables available to PHP code
; via getenv(), $_ENV and $_SERVER.
; Default Value: yes
;clear_env = no
; Limits the extensions of the main script FPM will allow to parse. This can
; prevent configuration mistakes on the web server side. You should only limit
; FPM to .php extensions to prevent malicious users to use other extensions to
; execute php code.
; Note: set an empty value to allow all extensions.
; Default Value: .php
;security.limit_extensions = .php .php3 .php4 .php5 .php7
; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
; the current environment.
; Default Value: clean env
;env[HOSTNAME] = $HOSTNAME
;env[PATH] = /usr/local/bin:/usr/bin:/bin
;env[TMP] = /tmp
;env[TMPDIR] = /tmp
;env[TEMP] = /tmp
; Additional php.ini defines, specific to this pool of workers. These settings
; overwrite the values previously defined in the php.ini. The directives are the
; same as the PHP SAPI:
; php_value/php_flag - you can set classic ini defines which can
; be overwritten from PHP call 'ini_set'.
; php_admin_value/php_admin_flag - these directives won't be overwritten by
; PHP call 'ini_set'
; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
; Defining 'extension' will load the corresponding shared extension from
; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
; overwrite previously defined php.ini values, but will append the new value
; instead.
; Note: path INI options can be relative and will be expanded with the prefix
; (pool, global or /usr)
; Default Value: nothing is defined by default except the values in php.ini and
; specified at startup with the -d argument
;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
;php_flag[display_errors] = off
;php_admin_value[error_log] = /var/log/fpm-php.www.log
;php_admin_flag[log_errors] = on
;php_admin_value[memory_limit] = 32M

559
roles/php-fpm/templates/php7.4-php.ini.j2 → roles/php-fpm/templates/php8.2-php.ini.j2
View File

File diff suppressed because it is too large Load Diff

98
roles/php-fpm/templates/php7.4-pool.conf.j2 → roles/php-fpm/templates/php8.2-pool.conf.j2
View File

@ -19,11 +19,16 @@
; Default Value: none ; Default Value: none
;prefix = /path/to/pools/$pool ;prefix = /path/to/pools/$pool
; Unix user/group of processes ; Unix user/group of the child processes. This can be used only if the master
; Note: The user is mandatory. If the group is not set, the default user's group ; process running user is root. It is set after the child process is created.
; will be used. ; The user and group can be specified either by their name or by their numeric
user = nginx ; IDs.
group = nginx ; Note: If the user is root, the executable needs to be started with
; --allow-to-run-as-root option to work.
; Default Values: The user is set to master process running user by default.
; If the group is not set, the user's group is used.
user = {{ webserver }}
group = {{ webserver }}
; The address on which to accept FastCGI requests. ; The address on which to accept FastCGI requests.
; Valid syntaxes are: ; Valid syntaxes are:
@ -35,20 +40,22 @@ group = nginx
; (IPv6 and IPv4-mapped) on a specific port; ; (IPv6 and IPv4-mapped) on a specific port;
; '/path/to/unix/socket' - to listen on a unix socket. ; '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory. ; Note: This value is mandatory.
listen = /run/php/php7.4-fpm-{{ domain_name }}.sock listen = /run/php/php8.2-fpm-{{ domain_name }}.sock
; Set listen(2) backlog. ; Set listen(2) backlog.
; Default Value: 511 (-1 on FreeBSD and OpenBSD) ; Default Value: 511 (-1 on Linux, FreeBSD and OpenBSD)
;listen.backlog = 511 ;listen.backlog = 511
; Set permissions for unix socket, if one is used. In Linux, read/write ; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many ; permissions must be set in order to allow connections from a web server. Many
; BSD-derived systems allow connections regardless of permissions. ; BSD-derived systems allow connections regardless of permissions. The owner
; Default Values: user and group are set as the running user ; and group can be specified either by name or by their numeric IDs.
; mode is set to 0660 ; Default Values: Owner is set to the master process running user. If the group
listen.owner = nginx ; is not set, the owner's group is used. Mode is set to 0660.
listen.group = nginx listen.owner = {{ webserver }}
listen.group = {{ webserver }}
;listen.mode = 0660 ;listen.mode = 0660
; When POSIX Access Control Lists are supported you can set them using ; When POSIX Access Control Lists are supported you can set them using
; these options, value is a comma separated list of user/group names. ; these options, value is a comma separated list of user/group names.
; When set, listen.owner and listen.group are ignored ; When set, listen.owner and listen.group are ignored
@ -63,6 +70,10 @@ listen.group = nginx
; Default Value: any ; Default Value: any
;listen.allowed_clients = 127.0.0.1 ;listen.allowed_clients = 127.0.0.1
; Set the associated the route table (FIB). FreeBSD only
; Default Value: -1
;listen.setfib = 1
; Specify the nice(2) priority to apply to the pool processes (only if set) ; Specify the nice(2) priority to apply to the pool processes (only if set)
; The value can vary from -19 (highest priority) to 20 (lower priority) ; The value can vary from -19 (highest priority) to 20 (lower priority)
; Note: - It will only work if the FPM master process is launched as root ; Note: - It will only work if the FPM master process is launched as root
@ -71,8 +82,9 @@ listen.group = nginx
; Default Value: no set ; Default Value: no set
; process.priority = -19 ; process.priority = -19
; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user ; Set the process dumpable flag (PR_SET_DUMPABLE prctl for Linux or
; or group is differrent than the master process user. It allows to create process ; PROC_TRACE_CTL procctl for FreeBSD) even if the process user
; or group is different than the master process user. It allows to create process
; core dump and ptrace the process for the pool user. ; core dump and ptrace the process for the pool user.
; Default Value: no ; Default Value: no
; process.dumpable = yes ; process.dumpable = yes
@ -94,6 +106,8 @@ listen.group = nginx
; state (waiting to process). If the number ; state (waiting to process). If the number
; of 'idle' processes is greater than this ; of 'idle' processes is greater than this
; number then some children will be killed. ; number then some children will be killed.
; pm.max_spawn_rate - the maximum number of rate to spawn child
; processes at once.
; ondemand - no children are created at startup. Children will be forked when ; ondemand - no children are created at startup. Children will be forked when
; new requests will connect. The following parameter are used: ; new requests will connect. The following parameter are used:
; pm.max_children - the maximum number of children that ; pm.max_children - the maximum number of children that
@ -129,6 +143,12 @@ pm.min_spare_servers = 1
; Note: Mandatory when pm is set to 'dynamic' ; Note: Mandatory when pm is set to 'dynamic'
pm.max_spare_servers = 3 pm.max_spare_servers = 3
; The number of rate to spawn child processes at once.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
; Default Value: 32
;pm.max_spawn_rate = 32
; The number of seconds after which an idle process will be killed. ; The number of seconds after which an idle process will be killed.
; Note: Used only when pm is set to 'ondemand' ; Note: Used only when pm is set to 'ondemand'
; Default Value: 10s ; Default Value: 10s
@ -141,7 +161,7 @@ pm.max_spare_servers = 3
;pm.max_requests = 500 ;pm.max_requests = 500
; The URI to view the FPM status page. If this value is not set, no URI will be ; The URI to view the FPM status page. If this value is not set, no URI will be
; recognized as a status page. It shows the following informations: ; recognized as a status page. It shows the following information:
; pool - the name of the pool; ; pool - the name of the pool;
; process manager - static, dynamic or ondemand; ; process manager - static, dynamic or ondemand;
; start time - the date and time FPM has started; ; start time - the date and time FPM has started;
@ -231,7 +251,7 @@ pm.max_spare_servers = 3
; last request memory: 0 ; last request memory: 0
; ;
; Note: There is a real-time FPM status monitoring sample web page available ; Note: There is a real-time FPM status monitoring sample web page available
; It's available in: /usr/share/php/7.4/fpm/status.html ; It's available in: /usr/share/php/8.2/fpm/status.html
; ;
; Note: The value must start with a leading slash (/). The value can be ; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it ; anything, but it may not be a good idea to use the .php extension or it
@ -239,6 +259,22 @@ pm.max_spare_servers = 3
; Default Value: not set ; Default Value: not set
;pm.status_path = /status ;pm.status_path = /status
; The address on which to accept FastCGI status request. This creates a new
; invisible pool that can handle requests independently. This is useful
; if the main pool is busy with long running requests because it is still possible
; to get the status before finishing the long running requests.
;
; Valid syntaxes are:
; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
; a specific port;
; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
; a specific port;
; 'port' - to listen on a TCP socket to all addresses
; (IPv6 and IPv4-mapped) on a specific port;
; '/path/to/unix/socket' - to listen on a unix socket.
; Default Value: value of the listen option
;pm.status_listen = 127.0.0.1:9001
; The ping URI to call the monitoring page of FPM. If this value is not set, no ; The ping URI to call the monitoring page of FPM. If this value is not set, no
; URI will be recognized as a ping page. This could be used to test from outside ; URI will be recognized as a ping page. This could be used to test from outside
; that FPM is alive and responding, or to ; that FPM is alive and responding, or to
@ -271,13 +307,13 @@ pm.max_spare_servers = 3
; %d: time taken to serve the request ; %d: time taken to serve the request
; it can accept the following format: ; it can accept the following format:
; - %{seconds}d (default) ; - %{seconds}d (default)
; - %{miliseconds}d ; - %{milliseconds}d
; - %{mili}d ; - %{milli}d
; - %{microseconds}d ; - %{microseconds}d
; - %{micro}d ; - %{micro}d
; %e: an environment variable (same as $_ENV or $_SERVER) ; %e: an environment variable (same as $_ENV or $_SERVER)
; it must be associated with embraces to specify the name of the env ; it must be associated with embraces to specify the name of the env
; variable. Some exemples: ; variable. Some examples:
; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e ; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e ; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
; %f: script filename ; %f: script filename
@ -306,14 +342,30 @@ pm.max_spare_servers = 3
; %s: status (response code) ; %s: status (response code)
; %t: server time the request was received ; %t: server time the request was received
; it can accept a strftime(3) format: ; it can accept a strftime(3) format:
; The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag ; The strftime(3) format must be encapsulated in a %{<strftime_format>}t tag
; %T: time the log has been written (the request has finished) ; %T: time the log has been written (the request has finished)
; it can accept a strftime(3) format: ; it can accept a strftime(3) format:
; The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag ; The strftime(3) format must be encapsulated in a %{<strftime_format>}t tag
; %u: remote user ; %u: remote user
; ;
; Default: "%R - %u %t \"%m %r\" %s" ; Default: "%R - %u %t \"%m %r\" %s"
;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%" ;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{milli}d %{kilo}M %C%%"
; A list of request_uri values which should be filtered from the access log.
;
; As a security precuation, this setting will be ignored if:
; - the request method is not GET or HEAD; or
; - there is a request body; or
; - there are query parameters; or
; - the response code is outwith the successful range of 200 to 299
;
; Note: The paths are matched against the output of the access.format tag "%r".
; On common configurations, this may look more like SCRIPT_NAME than the
; expected pre-rewrite URI.
;
; Default Value: not set
;access.suppress_path[] = /ping
;access.suppress_path[] = /health_check.php
; The log file for slow requests ; The log file for slow requests
; Default Value: not set ; Default Value: not set
@ -372,7 +424,7 @@ pm.max_spare_servers = 3
; Redirect worker stdout and stderr into main error log. If not set, stdout and ; Redirect worker stdout and stderr into main error log. If not set, stdout and
; stderr will be redirected to /dev/null according to FastCGI specs. ; stderr will be redirected to /dev/null according to FastCGI specs.
; Note: on highloaded environement, this can cause some delay in the page ; Note: on highloaded environment, this can cause some delay in the page
; process time (several ms). ; process time (several ms).
; Default Value: no ; Default Value: no
;catch_workers_output = yes ;catch_workers_output = yes

Some files were not shown because too many files have changed in this diff Show More