Compare commits

34 Commits

Author SHA1 Message Date
602734acce roles: update ansible.builtin.systemd builtin
Use ansible.builtin.systemd_service instead.
2025-09-23 10:33:11 +03:00
0db7911b70 roles/common: remove sudoers.d
We are not using this.
2025-09-21 23:09:40 +03:00
ee4c62e5f9 roles: remove tests for Debian
We only run on Debian now.
2025-09-21 22:20:31 +03:00
a315db8a7c roles/common: use ansible_distribution_version
In most cases it is enough to use the full version (ie 12.12) since
we use Ansible's version comparison function. We rarely need to use
the major version (ie 12) directly.
2025-09-21 22:19:00 +03:00
5f00892df3 roles/common: adjust when in tasks 2025-09-21 22:04:25 +03:00
9357265d27 roles/common: use ansible.builtin.apt module 2025-09-21 22:00:39 +03:00
dd62266340 roles/common: update comment in ntp task 2025-09-21 21:58:11 +03:00
a1bec20824 roles/common: simplify when logic in ntp task 2025-09-21 21:57:34 +03:00
8e91c44529 roles/common: fix syntax error in npt when 2025-09-21 21:56:15 +03:00
02d4135c79 roles/common: adjust ntp task
On Debian 12 we need to explicitly remove ntp because it does not
conflict with other time daemons.
2025-09-21 21:55:09 +03:00
37e148d009 Re-work ansible_managed
This is no longer a configuration setting. Now we must set it like
any other template variabled.
2025-09-21 21:15:12 +03:00
73dbbd23b6 roles/common: adjust handlers
Should start with an upper case letter.
2025-09-21 20:22:58 +03:00
b84283aa38 roles/common: remove unneeded firewall packages
We don't need curl or libnet-ip-perl anymore.
2025-09-21 20:15:11 +03:00
1695fdf8d1 roles/common: syntax in firewall play 2025-09-21 20:11:46 +03:00
9f1f7b1c69 roles/nginx: more syntax fixes to tasks 2025-09-21 20:08:51 +03:00
7d725f2084 roles/nginx: adjust task syntax
Tasks should start with an upper case letter and we should not use
free form syntax anymore.
2025-09-21 20:04:53 +03:00
4c39b0d48c roles/php_fpm: adjust task syntax
All tasks need names, and we can use name, tags, when, block order
for task keys. Suggested by ansible-lint.
2025-09-21 20:02:46 +03:00
f4023d0b20 roles/php_fpm: rename handler
Suggested by ansible-lint.
2025-09-21 19:59:23 +03:00
6aaface4a2 Rename roles/php-fpm to roles/php_fpm
Suggested by ansible-lint.
2025-09-21 19:56:20 +03:00
333e1cbeb9 roles/mariadb/handlers/main.yml: update syntax 2025-09-21 17:32:57 +03:00
0c62f4bdf0 roles/common/tasks/packages.yml: improve task key order
Suggested by ansible-lint. Makes it easier to see the tags after the
very long block.
2025-09-21 17:30:54 +03:00
26f22c0447 roles/munin: update task syntax 2025-09-21 17:29:22 +03:00
05881e2585 roles: fix unquoted octal modes 2025-09-21 17:25:22 +03:00
d4d326c2f7 roles/common: use FQCN in handler 2025-09-21 17:09:45 +03:00
1d4a6f208b roles/common: update default fail2ban ignores 2025-09-21 17:06:48 +03:00
8b22076d4a roles/common: json spacing 2025-09-21 17:06:01 +03:00
38176cb34c roles/nginx: update task syntax for plays 2025-09-21 16:59:08 +03:00
da737b71f7 roles/mariadb: update task syntax for mariadb play 2025-09-21 16:54:19 +03:00
c28189a1a5 roles/common: update task syntax for fail2ban play 2025-09-21 16:54:03 +03:00
b600141e89 roles/common: update task syntax for sshd play 2025-09-21 16:51:23 +03:00
4be98d1a33 roles/common: update task syntax for ssh-keys play 2025-09-21 16:49:32 +03:00
2bb018a40c roles/common: rename firewall and packages task files
Don't use firewall_Debian.yml or packages_Debian.yml since I am not
deploying Ubuntu anymore there is no need to distinguish.
2025-09-21 16:45:51 +03:00
89a1e11b7a roles/common: update task syntax in main play 2025-09-21 16:40:37 +03:00
0c0cad9084 Remove Ubuntu logic
For a few years now I have only been deploying Debian for personal
use.
2025-09-21 16:34:57 +03:00
43 changed files with 209 additions and 547 deletions

View File

@@ -13,12 +13,6 @@ interpreter_python=auto
# See: https://docs.ansible.com/ansible/latest/user_guide/connection_details.html#managing-host-key-checking # See: https://docs.ansible.com/ansible/latest/user_guide/connection_details.html#managing-host-key-checking
host_key_checking = False host_key_checking = False
ansible_managed = This file is managed by Ansible.%n
template: {file}
date: %Y-%m-%d %H:%M:%S
user: {uid}
host: {host}
[privilege_escalation] [privilege_escalation]
# instead of using -K # instead of using -K
become_ask_pass=True become_ask_pass=True

View File

@@ -3,4 +3,12 @@
tls_cipher_suite: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" tls_cipher_suite: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
ansible_managed: |-
This file is managed by Ansible.
{{ 'template: ' + template_path }}
{{ 'date: ' + (template_mtime | string) }}
{{ 'user: ' + template_uid }}
{{ 'host: ' + template_host }}
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

View File

@@ -3,7 +3,7 @@
# I'm currently not sure when we need to restart versus reload # I'm currently not sure when we need to restart versus reload
- name: reload caddy - name: reload caddy
ansible.builtin.systemd: ansible.builtin.systemd_service:
name: caddy name: caddy
state: reloaded state: reloaded

View File

@@ -36,7 +36,7 @@
{% elif has_wordpress -%} {% elif has_wordpress -%}
root * {{ document_root }} root * {{ document_root }}
encode encode
{% if ansible_distribution == 'Debian' and ansible_distribution_major_version is version('12', '==') -%} {% if ansible_distribution_major_version is version('12', '==') -%}
php_fastcgi unix//run/php/php8.2-fpm-{{ domain_name }}.sock php_fastcgi unix//run/php/php8.2-fpm-{{ domain_name }}.sock
{% endif -%} {% endif -%}
file_server file_server

View File

@@ -8,7 +8,7 @@ fail2ban_maxretry: 6
fail2ban_findtime: 3600 fail2ban_findtime: 3600
# 2 weeks in seconds # 2 weeks in seconds
fail2ban_bantime: 1209600 fail2ban_bantime: 1209600
fail2ban_ignoreip: 127.0.0.1/8 172.26.0.0/16 192.168.5.0/24 fail2ban_ignoreip: 127.0.0.1/8
# Disable SSH passwords. Must use SSH keys. This is OK because we add the keys # Disable SSH passwords. Must use SSH keys. This is OK because we add the keys
# before re-configuring the SSH daemon to disable passwords. # before re-configuring the SSH daemon to disable passwords.

View File

@@ -1 +0,0 @@
provisioning ALL=(ALL) ALL

View File

@@ -1,27 +1,27 @@
--- ---
# ansible.builtin.file: roles/common/handlers/main.yml # ansible.builtin.file: roles/common/handlers/main.yml
- name: reload sshd - name: Reload sshd
ansible.builtin.systemd: ansible.builtin.systemd_service:
name: "{{ sshd_service_name }}" name: "{{ sshd_service_name }}"
state: reloaded state: reloaded
- name: reload sysctl - name: Reload sysctl
command: sysctl -p /etc/sysctl.conf ansible.builtin.command: sysctl -p /etc/sysctl.conf
- name: reload systemd - name: Reload systemd
ansible.builtin.systemd: ansible.builtin.systemd_service:
daemon_reload: true daemon_reload: true
- name: restart nftables - name: Restart nftables
ansible.builtin.systemd: ansible.builtin.systemd_service:
name: nftables name: nftables
state: restarted state: restarted
# 2021-09-28: note to self to keep fail2ban at the end, as handlers are executed # 2021-09-28: note to self to keep fail2ban at the end, as handlers are executed
# in the order they are defined, not in the order they are listed in the task's # in the order they are defined, not in the order they are listed in the task's
# notify statement and we must restart fail2ban after updating the firewall. # notify statement and we must restart fail2ban after updating the firewall.
- name: restart fail2ban - name: Restart fail2ban
ansible.builtin.systemd: ansible.builtin.systemd_service:
name: fail2ban name: fail2ban
state: restarted state: restarted

View File

@@ -1,8 +1,7 @@
--- ---
- name: Install fail2ban - name: Install fail2ban
when: when: ansible_distribution_version is version('11', '>=')
- ansible_distribution_major_version is version('11', '>=') ansible.builtin.apt:
ansible.builtin.package:
name: name:
- fail2ban - fail2ban
- python3-systemd - python3-systemd
@@ -15,7 +14,7 @@
dest: /etc/fail2ban/jail.d/sshd.local dest: /etc/fail2ban/jail.d/sshd.local
owner: root owner: root
mode: "0644" mode: "0644"
notify: restart fail2ban notify: Restart fail2ban
- name: Configure fail2ban nginx filter - name: Configure fail2ban nginx filter
when: when:
@@ -27,7 +26,7 @@
dest: /etc/fail2ban/jail.d/nginx.local dest: /etc/fail2ban/jail.d/nginx.local
owner: root owner: root
mode: "0644" mode: "0644"
notify: restart fail2ban notify: Restart fail2ban
- name: Create fail2ban service override directory - name: Create fail2ban service override directory
ansible.builtin.file: ansible.builtin.file:
@@ -44,11 +43,11 @@
owner: root owner: root
mode: "0644" mode: "0644"
notify: notify:
- reload systemd - Reload systemd
- restart fail2ban - Restart fail2ban
- name: Start and enable fail2ban service - name: Start and enable fail2ban service
ansible.builtin.systemd: ansible.builtin.systemd_service:
name: fail2ban name: fail2ban
state: started state: started
enabled: true enabled: true

View File

@@ -1,20 +1,25 @@
--- ---
- name: Configure firewall (Debian) # Debian 11+ will use nftables directly, with no firewalld.
when: ansible_distribution == 'Debian'
ansible.builtin.include_tasks:
file: firewall_Debian.yml
apply:
tags:
- firewall
tags: firewall
- name: Configure firewall (Ubuntu) - name: Install Debian firewall packages
when: ansible_distribution == 'Ubuntu' when: ansible_distribution_version is version('11', '>=')
ansible.builtin.include_tasks: ansible.builtin.apt:
file: firewall_Ubuntu.yml name: nftables
apply: state: present
tags: cache_valid_time: 3600
- firewall
tags: firewall
- name: Remove iptables on newer Debian
when: ansible_distribution_version is version('11', '>=')
ansible.builtin.apt:
pkg: iptables
state: absent
- name: Configure nftables
when: ansible_distribution_version is version('11', '>=')
ansible.builtin.include_tasks: nftables.yml
- name: Configure fail2ban
when: ansible_distribution_version is version('9', '>=')
ansible.builtin.include_tasks: fail2ban.yml
# vim: set sw=2 ts=2:

View File

@@ -1,28 +0,0 @@
---
# Debian 11+ will use nftables directly, with no firewalld.
- name: Install Debian firewall packages
when: ansible_distribution_major_version is version('11', '>=')
ansible.builtin.package:
name:
- libnet-ip-perl # for aggregate-cidr-addresses.pl
- nftables
- curl # for nftables update scripts
state: present
cache_valid_time: 3600
- name: Remove iptables on newer Debian
when: ansible_distribution_major_version is version('11', '>=')
ansible.builtin.apt:
pkg: iptables
state: absent
- name: Configure nftables
ansible.builtin.include_tasks: nftables.yml
when: ansible_distribution_version is version('11', '>=')
- ansible.builtin.include_tasks: fail2ban.yml
when:
- ansible_distribution_major_version is version('9', '>=')
# vim: set sw=2 ts=2:

View File

@@ -1,27 +0,0 @@
---
# Ubuntu 20.04 will use nftables directly, with no firewalld.
- name: Install Ubuntu firewall packages
when: ansible_distribution_version is version('20.04', '>=')
ansible.builtin.package:
name:
- libnet-ip-perl # for aggregate-cidr-addresses.pl
- nftables
- curl # for nftables update scripts
state: present
cache_valid_time: 3600
- name: Remove ufw
ansible.builtin.package:
name: ufw
state: absent
- name: Configure nftables
ansible.builtin.include_tasks: nftables.yml
when: ansible_distribution_version is version('20.04', '>=')
- ansible.builtin.include_tasks: fail2ban.yml
when:
- ansible_distribution_version is version('16.04', '>=')
# vim: set sw=2 ts=2:

View File

@@ -8,13 +8,7 @@
tags: ntp tags: ntp
- name: Install common packages - name: Install common packages
ansible.builtin.include_tasks: packages_Debian.yml ansible.builtin.include_tasks: packages.yml
when: ansible_distribution == 'Debian'
tags: packages
- name: Install common packages
ansible.builtin.include_tasks: packages_Ubuntu.yml
when: ansible_distribution == 'Ubuntu'
tags: packages tags: packages
- name: Configure firewall - name: Configure firewall
@@ -28,13 +22,23 @@
# containers identify as virtualization hosts, which makes this tricky, because we have actual Debian VM hosts! # containers identify as virtualization hosts, which makes this tricky, because we have actual Debian VM hosts!
- name: Reconfigure /etc/sysctl.conf - name: Reconfigure /etc/sysctl.conf
when: ansible_virtualization_role != 'host' when: ansible_virtualization_role != 'host'
ansible.builtin.template: src=sysctl_{{ ansible_distribution }}.j2 dest=/etc/sysctl.conf owner=root group=root mode=0644 ansible.builtin.template:
src: "sysctl_{{ ansible_distribution }}.j2"
dest: /etc/sysctl.conf
owner: root
group: root
mode: "0644"
notify: notify:
- reload sysctl - Reload sysctl
tags: sysctl tags: sysctl
- name: Set I/O scheduler - name: Set I/O scheduler
ansible.builtin.template: src=etc/udev/rules.d/60-scheduler.rules.j2 dest=/etc/udev/rules.d/60-scheduler.rules owner=root group=root mode=0644 ansible.builtin.template:
src: etc/udev/rules.d/60-scheduler.rules.j2
dest: /etc/udev/rules.d/60-scheduler.rules
owner: root
group: root
mode: "0644"
tags: udev tags: udev
- name: Copy admin SSH keys - name: Copy admin SSH keys

View File

@@ -1,6 +1,5 @@
--- ---
# Common nftables tasks for Ubuntu 20.04, Ubuntu 22.04, Ubuntu 24.04, Debian 11, # Common nftables tasks for Debian 11 and Debian 12.
# and Debian 12.
- name: Copy nftables.conf - name: Copy nftables.conf
ansible.builtin.template: ansible.builtin.template:
@@ -9,8 +8,8 @@
owner: root owner: root
mode: "0644" mode: "0644"
notify: notify:
- restart nftables - Restart nftables
- restart fail2ban - Restart fail2ban
- name: Create /etc/nftables extra config directory - name: Create /etc/nftables extra config directory
ansible.builtin.file: ansible.builtin.file:
@@ -30,8 +29,8 @@
loop: loop:
- { src: firehol_level1-ipv4.nft, force: false } - { src: firehol_level1-ipv4.nft, force: false }
notify: notify:
- restart nftables - Restart nftables
- restart fail2ban - Restart fail2ban
- name: Copy nftables update scripts - name: Copy nftables update scripts
ansible.builtin.template: ansible.builtin.template:
@@ -59,8 +58,8 @@
- /etc/systemd/system/update-spamhaus-nftables.timer - /etc/systemd/system/update-spamhaus-nftables.timer
- /usr/local/bin/aggregate-cidr-addresses.pl - /usr/local/bin/aggregate-cidr-addresses.pl
notify: notify:
- restart nftables - Restart nftables
- restart fail2ban - Restart fail2ban
- name: Copy nftables systemd units - name: Copy nftables systemd units
ansible.builtin.copy: ansible.builtin.copy:
@@ -76,12 +75,12 @@
# need to reload to pick up service/timer/environment changes # need to reload to pick up service/timer/environment changes
- name: Reload systemd daemon - name: Reload systemd daemon
ansible.builtin.systemd: # noqa no-handler
daemon_reload: true
when: nftables_systemd_units is changed when: nftables_systemd_units is changed
ansible.builtin.systemd_service: # noqa no-handler
daemon_reload: true
- name: Start and enable nftables update timers - name: Start and enable nftables update timers
ansible.builtin.systemd: ansible.builtin.systemd_service:
name: "{{ item }}" name: "{{ item }}"
state: started state: started
enabled: true enabled: true
@@ -89,7 +88,7 @@
- update-firehol-nftables.timer - update-firehol-nftables.timer
- name: Start and enable nftables - name: Start and enable nftables
ansible.builtin.systemd: ansible.builtin.systemd_service:
name: nftables name: nftables
state: started state: started
enabled: true enabled: true

View File

@@ -1,7 +1,6 @@
--- ---
# Hosts running Ubuntu 16.04+ and Debian 9+ use systemd init system and should # Hosts running Debian 9+ use systemd init system and can use systemd-timesyncd
# use systemd-timesyncd as a network time client instead of the standalone ntp # as a network time client instead of the standalone ntp client.
# client.
- name: Set timezone - name: Set timezone
when: when:
@@ -13,10 +12,9 @@
# Apparently some cloud images don't have this installed by default. From what # Apparently some cloud images don't have this installed by default. From what
# I can see on existing servers, systemd-timesyncd is a standalone package on # I can see on existing servers, systemd-timesyncd is a standalone package on
# Ubuntu 20.04 and Debian 11. # Debian 11 and Debian 12.
- name: Install systemd-timesyncd - name: Install systemd-timesyncd
when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_version when: ansible_distribution_version is version('11', '>=')
is version('11', '>='))
ansible.builtin.apt: ansible.builtin.apt:
name: systemd-timesyncd name: systemd-timesyncd
state: present state: present
@@ -24,13 +22,17 @@
- name: Start and enable systemd's NTP client - name: Start and enable systemd's NTP client
when: ansible_service_mgr == 'systemd' when: ansible_service_mgr == 'systemd'
ansible.builtin.systemd: ansible.builtin.systemd_service:
name: systemd-timesyncd name: systemd-timesyncd
state: started state: started
enabled: true enabled: true
- name: Uninstall ntp on modern Ubuntu/Debian # On Debian 12 ntp doesn't conflict with systemd-timesyncd so we should try to
when: ansible_service_mgr == 'systemd' # remove it to be sure.
- name: Uninstall ntp on Debian 12
when:
- ansible_service_mgr == 'systemd'
- ansible_distribution_major_version is version('12', '==')
ansible.builtin.apt: ansible.builtin.apt:
name: ntp name: ntp
state: absent state: absent

View File

@@ -1,5 +1,6 @@
--- ---
- name: Configure Debian packages - name: Configure Debian packages
tags: packages
block: block:
# Scaleway seems to use a weird sources.list format as of Debian 12? # Scaleway seems to use a weird sources.list format as of Debian 12?
- name: Check for weird Debian sources - name: Check for weird Debian sources
@@ -16,7 +17,7 @@
dest: /etc/apt/sources.list dest: /etc/apt/sources.list
owner: root owner: root
group: root group: root
mode: 0644 mode: "0644"
- name: Set fact for base packages - name: Set fact for base packages
ansible.builtin.set_fact: ansible.builtin.set_fact:
@@ -47,11 +48,10 @@
cache_valid_time: 3600 cache_valid_time: 3600
- name: Remove cron-apt - name: Remove cron-apt
ansible.builtin.import_tasks: cron-apt.yml
tags: cron-apt tags: cron-apt
ansible.builtin.import_tasks: cron-apt.yml
- name: Install tarsnap - name: Install tarsnap
ansible.builtin.import_tasks: tarsnap.yml ansible.builtin.import_tasks: tarsnap.yml
tags: packages
# vim: set sw=2 ts=2: # vim: set sw=2 ts=2:

View File

@@ -1,60 +0,0 @@
---
- name: Configure Ubuntu packages
block:
- name: Configure apt mirror
ansible.builtin.template: src=sources.list.j2 dest=/etc/apt/sources.list owner=root group=root mode=0644
when: ansible_architecture != 'armv7l'
- name: Upgrade base OS
ansible.builtin.apt: upgrade=dist cache_valid_time=3600
- name: Set Ubuntu base packages
ansible.builtin.set_fact:
ubuntu_base_packages:
- git
- git-lfs
- tmux
- iotop
- htop
- strace
- cron-apt
- safe-rm
- debian-goodies
- mosh
- python-pycurl # for ansible's apt_repository
- vim
- unzip
- apt-transport-https # for https support in apt
- zstd
- rsync
- lsof
- name: Install base packages
ansible.builtin.apt: pkg={{ ubuntu_base_packages }} state=present cache_valid_time=3600
- name: Disable annoying Canonical spam in MOTD
ansible.builtin.file: path={{ item }} mode=0644 state=absent
loop:
- /etc/update-motd.d/99-esm # Ubuntu 14.04
- /etc/update-motd.d/10-help-text # Ubuntu 14.04+
- /etc/update-motd.d/50-motd-news # Ubuntu 18.04+
- /etc/update-motd.d/80-esm # Ubuntu 18.04+
- /etc/update-motd.d/80-livepatch # Ubuntu 18.04+
ignore_errors: true
- name: Disable annoying Canonical spam in MOTD
ansible.builtin.systemd: name={{ item }} state=stopped enabled=no
when: ansible_service_mgr == 'systemd'
loop:
- motd-news.service
- motd-news.timer
- name: Configure cron-apt
ansible.builtin.import_tasks: cron-apt.yml
tags: cron-apt
- name: Install tarsnap
ansible.builtin.import_tasks: tarsnap.yml
tags: packages
# vim: set sw=2 ts=2:

View File

@@ -1,9 +1,11 @@
--- ---
- name: Zero .ssh/authorized_keys for provisioning user - name: Zero .ssh/authorized_keys for provisioning user
ansible.builtin.file: dest={{ provisioning_user.home }}/.ssh/authorized_keys state=absent ansible.builtin.file:
dest: "{{ provisioning_user.home }}/.ssh/authorized_keys"
state: absent
- name: Add public keys to authorized_keys - name: Add public keys to authorized_keys
ansible.posix.authorized_key: { user: "{{ provisioning_user.name }}", key: "{{ lookup('file',item) }}" } ansible.posix.authorized_key: { user: "{{ provisioning_user.name }}", key: "{{ lookup('file', item) }}" }
with_fileglob: with_fileglob:
# use descriptive names for keys, like: aorth-mzito-rsa.pub # use descriptive names for keys, like: aorth-mzito-rsa.pub
- ssh-pub-keys/*.pub - ssh-pub-keys/*.pub

View File

@@ -1,17 +1,13 @@
--- ---
# SSH configs don't change in Debian minor versions # SSH configs don't change in Debian minor versions
- name: Reconfigure /etc/ssh/sshd_config - name: Reconfigure /etc/ssh/sshd_config
ansible.builtin.template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root ansible.builtin.template:
mode=0600 src: "sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.j2"
when: ansible_distribution == 'Debian' dest: /etc/ssh/sshd_config
notify: reload sshd owner: root
group: root
# Ubuntu is the only distro we have where SSH version is very different from 14.04 -> 14.10, mode: "0600"
# ie with new ciphers supported etc. notify: Reload sshd
- name: Reconfigure /etc/ssh/sshd_config
ansible.builtin.template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0600
when: ansible_distribution == 'Ubuntu'
notify: reload sshd
# See: WeakDH (2015): https://weakdh.org/sysadmin.html # See: WeakDH (2015): https://weakdh.org/sysadmin.html
- name: Remove small Diffie-Hellman SSH moduli - name: Remove small Diffie-Hellman SSH moduli
@@ -24,28 +20,30 @@
register: check_unsafe_moduli register: check_unsafe_moduli
- name: Extract safe Diffie-Hellman SSH moduli - name: Extract safe Diffie-Hellman SSH moduli
when: check_unsafe_moduli.stdout | length > 0
ansible.builtin.shell: ansible.builtin.shell:
cmd: awk '$5 >= 3071' moduli > moduli.safe cmd: awk '$5 >= 3071' moduli > moduli.safe
chdir: /etc/ssh chdir: /etc/ssh
creates: moduli.safe creates: moduli.safe
when: check_unsafe_moduli.stdout | length > 0
register: extract_safe_moduli register: extract_safe_moduli
- name: Replace unsafe Diffie-Hellman SSH moduli - name: Replace unsafe Diffie-Hellman SSH moduli
when: extract_safe_moduli is changed
ansible.builtin.command: ansible.builtin.command:
cmd: mv moduli.safe moduli cmd: mv moduli.safe moduli
chdir: /etc/ssh chdir: /etc/ssh
register: replace_small_moduli register: replace_small_moduli
when: extract_safe_moduli is changed notify: Reload sshd
notify: reload sshd
- name: Remove DSA and ECDSA host keys - name: Remove DSA and ECDSA host keys
ansible.builtin.file: name=/etc/ssh/{{ item }} state=absent ansible.builtin.file:
name: "/etc/ssh/{{ item }}"
state: absent
loop: loop:
- ssh_host_dsa_key - ssh_host_dsa_key
- ssh_host_dsa_key.pub - ssh_host_dsa_key.pub
- ssh_host_ecdsa_key - ssh_host_ecdsa_key
- ssh_host_ecdsa_key.pub - ssh_host_ecdsa_key.pub
notify: reload sshd notify: Reload sshd
# vim: set sw=2 ts=2: # vim: set sw=2 ts=2:

View File

@@ -5,6 +5,7 @@
register: tarsnap_signing_key_stat register: tarsnap_signing_key_stat
- name: Download tarsnap apt signing key - name: Download tarsnap apt signing key
when: not tarsnap_signing_key_stat.stat.exists
ansible.builtin.get_url: ansible.builtin.get_url:
url: https://pkg.tarsnap.com/tarsnap-deb-packaging-key.asc url: https://pkg.tarsnap.com/tarsnap-deb-packaging-key.asc
dest: /etc/apt/keyrings/tarsnap-deb-packaging-key.asc dest: /etc/apt/keyrings/tarsnap-deb-packaging-key.asc
@@ -12,9 +13,9 @@
group: root group: root
mode: "0644" mode: "0644"
register: download_tarsnap_signing_key register: download_tarsnap_signing_key
when: not tarsnap_signing_key_stat.stat.exists
- name: Add tarsnap.org repo - name: Add tarsnap.org repo
when: ansible_architecture != 'armv7l'
ansible.builtin.template: ansible.builtin.template:
src: tarsnap_sources.list.j2 src: tarsnap_sources.list.j2
dest: /etc/apt/sources.list.d/tarsnap.list dest: /etc/apt/sources.list.d/tarsnap.list
@@ -22,12 +23,11 @@
group: root group: root
mode: "0644" mode: "0644"
register: add_tarsnap_apt_repository register: add_tarsnap_apt_repository
when: ansible_architecture != 'armv7l'
- name: Update apt cache - name: Update apt cache
when: (download_tarsnap_signing_key.status_code is defined and download_tarsnap_signing_key.status_code == 200) or add_tarsnap_apt_repository is changed
ansible.builtin.apt: # noqa no-handler ansible.builtin.apt: # noqa no-handler
update_cache: true update_cache: true
when: (download_tarsnap_signing_key.status_code is defined and download_tarsnap_signing_key.status_code == 200) or add_tarsnap_apt_repository is changed
- name: Install tarsnap - name: Install tarsnap
ansible.builtin.apt: ansible.builtin.apt:

View File

@@ -6,14 +6,14 @@ PartOf=nftables.service
PrivateDevices=yes PrivateDevices=yes
PrivateTmp=yes PrivateTmp=yes
ProtectHome=read-only ProtectHome=read-only
{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11','>=')) %} {% if ansible_distribution_version is version('11','>=') %}
ProtectSystem=strict ProtectSystem=strict
{% else %} {% else %}
{# Older systemd versions don't have ProtectSystem=strict #} {# Older systemd versions don't have ProtectSystem=strict #}
ProtectSystem=full ProtectSystem=full
{% endif %} {% endif %}
NoNewPrivileges=yes NoNewPrivileges=yes
{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11','>=')) %} {% if ansible_distribution_version is version('11','>=') %}
ReadWritePaths=-/var/run/fail2ban ReadWritePaths=-/var/run/fail2ban
ReadWritePaths=-/var/lib/fail2ban ReadWritePaths=-/var/lib/fail2ban
ReadWritePaths=-/var/log/fail2ban.log ReadWritePaths=-/var/log/fail2ban.log

View File

@@ -1,16 +1,6 @@
{% if ansible_distribution == 'Ubuntu' %}
{% set apt_mirror = apt_mirror | default("ubuntu.mirror.ac.ke") %}
deb http://{{ apt_mirror }}/ubuntu/ {{ ansible_distribution_release }} main restricted universe multiverse
deb http://{{ apt_mirror }}/ubuntu/ {{ ansible_distribution_release }}-updates main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu/ {{ ansible_distribution_release }}-security main restricted universe multiverse
{% else %}
{% set apt_mirror = apt_mirror | default('deb.debian.org') %} {% set apt_mirror = apt_mirror | default('deb.debian.org') %}
deb http://{{ apt_mirror }}/debian/ {{ ansible_distribution_release }} main contrib non-free deb http://{{ apt_mirror }}/debian/ {{ ansible_distribution_release }} main contrib non-free
deb http://security.debian.org/debian-security {{ ansible_distribution_release }}-security main contrib non-free deb http://security.debian.org/debian-security {{ ansible_distribution_release }}-security main contrib non-free
deb http://{{ apt_mirror }}/debian/ {{ ansible_distribution_release }}-updates main contrib non-free deb http://{{ apt_mirror }}/debian/ {{ ansible_distribution_release }}-updates main contrib non-free
{% endif %} {# ansible_distribution #}

View File

@@ -1,143 +0,0 @@
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
LogLevel VERBOSE
# Authentication:
#LoginGraceTime 2m
PermitRootLogin prohibit-password
#StrictModes yes
MaxAuthTries 4
#MaxSessions 10
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
{% if ssh_password_authentication == 'disabled' %}
PasswordAuthentication no
{% else %}
PasswordAuthentication yes
{% endif %}
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
# Originally from: https://stribika.github.io/2015/01/04/secure-secure-shell.html
# ... but with ciphers and MACs with < 256 bits removed, as NSA's Suite B now
# does away with these! See: https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
{% if ssh_allowed_users is defined and ssh_allowed_users %}
# Is there a list of allowed users?
# Is it populated? (An empty list is 'None', which evaluates as False in Python)
# merge the items of a list into one string using a space as a separator
# http://jinja.pocoo.org/docs/dev/templates/#join
AllowUsers {{ ssh_allowed_users|join(" ") }} {{ provisioning_user.name }}
{% endif %}

View File

@@ -1,100 +0,0 @@
#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additional system variables
# See sysctl.conf (5) for information.
#
#kernel.domainname = example.com
# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3
##############################################################3
# Functions previously found in netbase
#
# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1
# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1
# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1
# Uncomment the next line to enable packet forwarding for IPv6
# Enabling this option disables Stateless Address Autoconfiguration
# based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1
###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#
# CIS Benchmark Adjustments
# See: https://github.com/alanorth/securekickstarts
kernel.randomize_va_space = 2
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_syncookies = 1
# TCP stuff
# See: http://fasterdata.es.net/host-tuning/linux/
# increase TCP max buffer size settable using setsockopt()
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
# increase Linux autotuning TCP buffer limit
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
# increase the length of the processor input queue
net.core.netdev_max_backlog = 30000
# recommended for hosts with jumbo frames enabled
#net.ipv4.tcp_mtu_probing=1
# increase quadruplets (src ip, src port, dest ip, dest port)
# see: http://vincent.bernat.im/en/blog/2014-tcp-time-wait-state-linux.html
net.ipv4.ip_local_port_range = 10240 65535
# recommended for web servers, especially if running SPDY
# see: http://www.chromium.org/spdy/spdy-best-practices
net.ipv4.tcp_slow_start_after_idle = 0

View File

@@ -1,5 +1,7 @@
--- ---
- name: restart mariadb - name: restart mariadb
ansible.builtin.systemd: name=mariadb state=restarted ansible.builtin.systemd_service:
name: mariadb
state: restarted
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

View File

@@ -16,6 +16,7 @@
- mariadb - mariadb
- name: Download MariaDB package signing key - name: Download MariaDB package signing key
when: not mariadb_signing_key_stat.stat.exists
ansible.builtin.get_url: ansible.builtin.get_url:
url: https://mariadb.org/mariadb_release_signing_key.asc url: https://mariadb.org/mariadb_release_signing_key.asc
dest: /etc/apt/keyrings/mariadb_release_signing_key.asc dest: /etc/apt/keyrings/mariadb_release_signing_key.asc
@@ -23,7 +24,6 @@
group: root group: root
mode: "0644" mode: "0644"
register: download_mariadb_signing_key register: download_mariadb_signing_key
when: not mariadb_signing_key_stat.stat.exists
tags: tags:
- packages - packages
- mariadb - mariadb
@@ -40,9 +40,9 @@
- mariadb - mariadb
- name: Update apt cache - name: Update apt cache
when: (download_mariadb_signing_key.status_code is defined and download_mariadb_signing_key.status_code == 200) or add_mariadb_apt_repository is changed
ansible.builtin.apt: # noqa no-handler ansible.builtin.apt: # noqa no-handler
update_cache: true update_cache: true
when: (download_mariadb_signing_key.status_code is defined and download_mariadb_signing_key.status_code == 200) or add_mariadb_apt_repository is changed
tags: tags:
- packages - packages
- mariadb - mariadb
@@ -87,16 +87,17 @@
# See: https://docs.ansible.com/ansible/latest/collections/community/mysql/mysql_db_module.html # See: https://docs.ansible.com/ansible/latest/collections/community/mysql/mysql_db_module.html
- name: Create MariaDB database(s) - name: Create MariaDB database(s)
when: mariadb_databases is defined
community.mysql.mysql_db: community.mysql.mysql_db:
db: "{{ item.name }}" db: "{{ item.name }}"
state: present state: present
encoding: utf8mb4 encoding: utf8mb4
login_unix_socket: "{{ mariadb_login_unix_socket }}" login_unix_socket: "{{ mariadb_login_unix_socket }}"
loop: "{{ mariadb_databases }}" loop: "{{ mariadb_databases }}"
when: mariadb_databases is defined
tags: mariadb tags: mariadb
- name: Create MariaDB user(s) - name: Create MariaDB user(s)
when: mariadb_databases is defined
community.mysql.mysql_user: community.mysql.mysql_user:
name: "{{ item.user }}" name: "{{ item.user }}"
password: "{{ item.pass }}" password: "{{ item.pass }}"
@@ -105,7 +106,6 @@
state: present state: present
login_unix_socket: "{{ mariadb_login_unix_socket }}" login_unix_socket: "{{ mariadb_login_unix_socket }}"
loop: "{{ mariadb_databases }}" loop: "{{ mariadb_databases }}"
when: mariadb_databases is defined
tags: mariadb tags: mariadb
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

View File

@@ -1,4 +1,4 @@
--- ---
# ansible.builtin.file: roles/munin/handlers/main.yml # ansible.builtin.file: roles/munin/handlers/main.yml
- name: restart munin-node - name: restart munin-node
ansible.builtin.systemd: name=munin-node state=restarted ansible.builtin.systemd_service: name=munin-node state=restarted

View File

@@ -1,16 +1,22 @@
--- ---
- name: Install munin-node - name: Install munin-node
ansible.builtin.apt: name=munin-node state=present ansible.builtin.apt:
name: munin-node
state: present
tags: packages tags: packages
# some nice things to have for munin-node on Ubuntu # some nice things to have for munin-node on Ubuntu
# libwww-perl: for munin's nginx_status check # libwww-perl: for munin's nginx_status check
- name: Install munin-node deps - name: Install munin-node deps
ansible.builtin.apt: name=libwww-perl state=present ansible.builtin.apt:
name: libwww-perl
state: present
tags: packages tags: packages
- name: Create munin-node.conf - name: Create munin-node.conf
ansible.builtin.template: src=munin-node.conf.j2 dest=/etc/munin/munin-node.conf ansible.builtin.template:
src: munin-node.conf.j2
dest: /etc/munin/munin-node.conf
notify: notify:
- restart munin-node - restart munin-node
@@ -20,6 +26,9 @@
- restart munin-node - restart munin-node
- name: Start munin-node - name: Start munin-node
ansible.builtin.systemd: name=munin-node state=started enabled=true ansible.builtin.systemd_service:
name: munin-node
state: started
enabled: true
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

View File

@@ -1,9 +1,16 @@
--- ---
- name: Install munin package - name: Install munin package
ansible.builtin.apt: name=munin state=present ansible.builtin.apt:
name: munin
state: present
tags: packages tags: packages
- name: Create munin configuration file - name: Create munin configuration file
ansible.builtin.template: src=munin.conf.j2 dest=/etc/munin/munin.conf owner=root group=root mode=0644 ansible.builtin.template:
src: munin.conf.j2
dest: /etc/munin/munin.conf
owner: root
group: root
mode: "0644"
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

View File

@@ -1,5 +1,7 @@
--- ---
- name: reload nginx - name: Reload nginx
ansible.builtin.systemd: name=nginx state=reloaded ansible.builtin.systemd_service:
name: nginx
state: reloaded
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

View File

@@ -1,7 +1,12 @@
--- ---
# Use acme.sh instead of certbot because they only support installation via # Use acme.sh instead of certbot because they only support installation via
# snap now. # snap now.
- block: - name: Install and configure Let's Encrypt
tags: letsencrypt
when:
- ansible_distribution == 'Debian'
- ansible_distribution_version is version('11', '>='))
block:
- name: Remove certbot - name: Remove certbot
ansible.builtin.apt: ansible.builtin.apt:
name: certbot name: certbot
@@ -21,31 +26,31 @@
register: acme_home register: acme_home
- name: Download acme.sh - name: Download acme.sh
when: not acme_home.stat.exists
ansible.builtin.get_url: ansible.builtin.get_url:
url: https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh url: https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh
dest: "{{ letsencrypt_acme_script_temp }}" dest: "{{ letsencrypt_acme_script_temp }}"
mode: "0700" mode: "0700"
register: acme_download register: acme_download
when: not acme_home.stat.exists
# Run the "install" for acme.sh so it creates the .acme.sh dir (currently I # Run the "install" for acme.sh so it creates the .acme.sh dir (currently I
# have to chdir to the /root directory where the script exists or else it # have to chdir to the /root directory where the script exists or else it
# fails. Ansible runs it, but the script can't find itself...). # fails. Ansible runs it, but the script can't find itself...).
- name: Install acme.sh - name: Install acme.sh
when: acme_download is changed
ansible.builtin.command: ansible.builtin.command:
cmd: "{{ letsencrypt_acme_script_temp }} --install --no-profile --no-cron" cmd: "{{ letsencrypt_acme_script_temp }} --install --no-profile --no-cron"
creates: "{{ letsencrypt_acme_home }}/acme.sh" creates: "{{ letsencrypt_acme_home }}/acme.sh"
chdir: /root chdir: /root
register: acme_install register: acme_install
when: acme_download is changed
- name: Remove temporary acme.sh script - name: Remove temporary acme.sh script
ansible.builtin.file:
dest: "{{ letsencrypt_acme_script_temp }}"
state: absent
when: when:
- acme_install.rc is defined - acme_install.rc is defined
- acme_install.rc == 0 - acme_install.rc == 0
ansible.builtin.file:
dest: "{{ letsencrypt_acme_script_temp }}"
state: absent
- name: Set default certificate authority for acme.sh - name: Set default certificate authority for acme.sh
ansible.builtin.command: ansible.builtin.command:
@@ -77,14 +82,10 @@
# always issues daemon-reload just in case the service/timer changed # always issues daemon-reload just in case the service/timer changed
- name: Start and enable systemd timer to renew Let's Encrypt certs - name: Start and enable systemd timer to renew Let's Encrypt certs
ansible.builtin.systemd: ansible.builtin.systemd_service:
name: renew-letsencrypt.timer name: renew-letsencrypt.timer
state: started state: started
enabled: true enabled: true
daemon_reload: true daemon_reload: true
when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_version
is version('11', '>='))
tags: letsencrypt
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

View File

@@ -33,9 +33,9 @@
- packages - packages
- name: Update apt cache - name: Update apt cache
when: (download_nginx_signing_key.status_code is defined and download_nginx_signing_key.status_code == 200) or add_nginx_apt_repository is changed
ansible.builtin.apt: # noqa no-handler ansible.builtin.apt: # noqa no-handler
update_cache: true update_cache: true
when: (download_nginx_signing_key.status_code is defined and download_nginx_signing_key.status_code == 200) or add_nginx_apt_repository is changed
- name: Install nginx - name: Install nginx
ansible.builtin.apt: ansible.builtin.apt:
@@ -54,7 +54,7 @@
owner: root owner: root
group: root group: root
notify: notify:
- reload nginx - Reload nginx
tags: nginx tags: nginx
- name: Copy extra nginx configs - name: Copy extra nginx configs
@@ -68,7 +68,7 @@
- extra-security.conf - extra-security.conf
- fastcgi_cache - fastcgi_cache
notify: notify:
- reload nginx - Reload nginx
tags: nginx tags: nginx
- name: Remove default nginx vhost - name: Remove default nginx vhost
@@ -87,13 +87,13 @@
tags: nginx tags: nginx
- name: Configure nginx virtual hosts - name: Configure nginx virtual hosts
ansible.builtin.include_tasks: vhosts.yml
when: nginx_vhosts is defined when: nginx_vhosts is defined
ansible.builtin.include_tasks: vhosts.yml
tags: nginx tags: nginx
- name: Configure WordPress - name: Configure WordPress
ansible.builtin.include_tasks: wordpress.yml
when: nginx_vhosts is defined when: nginx_vhosts is defined
ansible.builtin.include_tasks: wordpress.yml
tags: wordpress tags: wordpress
- name: Configure blank nginx vhost - name: Configure blank nginx vhost
@@ -104,7 +104,7 @@
owner: root owner: root
group: root group: root
notify: notify:
- reload nginx - Reload nginx
tags: nginx tags: nginx
- name: Configure munin vhost - name: Configure munin vhost
@@ -115,11 +115,11 @@
owner: root owner: root
group: root group: root
notify: notify:
- reload nginx - Reload nginx
tags: nginx tags: nginx
- name: Start and enable nginx service - name: Start and enable nginx service
ansible.builtin.systemd: ansible.builtin.systemd_service:
name: nginx name: nginx
state: started state: started
enabled: true enabled: true

View File

@@ -1,16 +1,23 @@
--- ---
- block: - name: Configure https vhosts
tags: nginx
block:
- name: Configure https vhosts - name: Configure https vhosts
ansible.builtin.template: src=vhost.conf.j2 dest={{ nginx_confd_path }}/{{ item.domain_name }}.conf mode=0644 owner=root group=root ansible.builtin.template:
src: vhost.conf.j2
dest: "{{ nginx_confd_path }}/{{ item.domain_name }}.conf"
mode: "0644"
owner: root
group: root
loop: "{{ nginx_vhosts }}" loop: "{{ nginx_vhosts }}"
notify: notify:
- reload nginx - Reload nginx
- name: Generate self-signed TLS cert - name: Generate self-signed TLS cert
ansible.builtin.command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key ansible.builtin.command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key
-out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt -out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt
notify: notify:
- reload nginx - Reload nginx
- name: Download 4096-bit RFC 7919 dhparams - name: Download 4096-bit RFC 7919 dhparams
ansible.builtin.get_url: ansible.builtin.get_url:
@@ -18,12 +25,16 @@
checksum: sha256:64852d6890ff9e62eecd1ee89c72af9af244dfef5b853bcedea3dfd7aade22b3 checksum: sha256:64852d6890ff9e62eecd1ee89c72af9af244dfef5b853bcedea3dfd7aade22b3
dest: "{{ nginx_ssl_dhparam }}" dest: "{{ nginx_ssl_dhparam }}"
notify: notify:
- reload nginx - Reload nginx
# TODO: this could break because we can override the document root in host vars # TODO: this could break because we can override the document root in host vars
- name: Create vhost document roots - name: Create vhost document roots
ansible.builtin.file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory mode=0755 owner=nginx group=nginx ansible.builtin.file:
path: "{{ nginx_root_prefix }}/{{ item.domain_name }}"
state: directory
mode: "0755"
owner: nginx
group: nginx
loop: "{{ nginx_vhosts }}" loop: "{{ nginx_vhosts }}"
tags: nginx
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

View File

@@ -1,19 +1,29 @@
--- ---
- block: - name: Install and configure WordPress
tags: wordpress
block:
- name: Install WordPress - name: Install WordPress
ansible.builtin.git: repo=https://github.com/WordPress/WordPress.git dest={{ nginx_root_prefix }}/{{ item.domain_name }}/wordpress version={{ item.wordpress_version
}} depth=1 force=true
when: when:
- item.has_wordpress is defined - item.has_wordpress is defined
- item.has_wordpress - item.has_wordpress
ansible.builtin.git:
repo: https://github.com/WordPress/WordPress.git
dest: "{{ nginx_root_prefix }}/{{ item.domain_name }}/wordpress"
version: "{{ item.wordpress_version }}"
depth: 1
force: true
loop: "{{ nginx_vhosts }}" loop: "{{ nginx_vhosts }}"
- name: Fix WordPress directory permissions - name: Fix WordPress directory permissions
ansible.builtin.file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory owner=nginx group=nginx recurse=true
when: when:
- item.has_wordpress is defined - item.has_wordpress is defined
- item.has_wordpress - item.has_wordpress
ansible.builtin.file:
path: "{{ nginx_root_prefix }}/{{ item.domain_name }}"
state: directory
owner: nginx
group: nginx
recurse: true
loop: "{{ nginx_vhosts }}" loop: "{{ nginx_vhosts }}"
tags: wordpress
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

View File

@@ -1,19 +1,7 @@
{{ ansible_managed | comment }} {{ ansible_managed | comment }}
{% if ansible_distribution == 'Ubuntu' %}
{% if nginx_version == "stable" %}
deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/ubuntu/ {{ ansible_distribution_release }} nginx
{% elif nginx_version == "mainline" %}
deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/mainline/ubuntu/ {{ ansible_distribution_release }} nginx
{% endif %}
{% elif ansible_distribution == 'Debian' %}
{% if nginx_version == "stable" %} {% if nginx_version == "stable" %}
deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx
{% elif nginx_version == "mainline" %} {% elif nginx_version == "mainline" %}
deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/mainline/debian/ {{ ansible_distribution_release }} nginx deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/mainline/debian/ {{ ansible_distribution_release }} nginx
{% endif %} {% endif %}
{% endif %}

View File

@@ -77,7 +77,7 @@ server {
# See: https://httpoxy.org/ # See: https://httpoxy.org/
fastcgi_param HTTP_PROXY ""; fastcgi_param HTTP_PROXY "";
{% if ansible_distribution == 'Debian' and ansible_distribution_major_version is version('12', '==') %} {% if ansible_distribution_major_version is version('12', '==') %}
fastcgi_pass unix:/run/php/php8.2-fpm-{{ domain_name }}.sock; fastcgi_pass unix:/run/php/php8.2-fpm-{{ domain_name }}.sock;
{% endif %} {% endif %}
fastcgi_index index.php; fastcgi_index index.php;

View File

@@ -1,7 +1,7 @@
--- ---
# For Debian 12 # For Debian 12
- name: reload php8.2-fpm - name: Reload php8.2-fpm
ansible.builtin.systemd: ansible.builtin.systemd_service:
name: php8.2-fpm name: php8.2-fpm
state: reloaded state: reloaded

View File

@@ -1,5 +1,8 @@
--- ---
- block: - name: Install and configure php-fpm
tags: php-fpm
when: install_php
block:
- name: Set php-fpm packages - name: Set php-fpm packages
ansible.builtin.set_fact: ansible.builtin.set_fact:
php_fpm_packages: php_fpm_packages:
@@ -26,13 +29,13 @@
mode: "0644" mode: "0644"
loop: "{{ nginx_vhosts }}" loop: "{{ nginx_vhosts }}"
when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php) when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
notify: reload php8.2-fpm notify: Reload php8.2-fpm
- name: Remove default www pool - name: Remove default www pool
ansible.builtin.file: ansible.builtin.file:
path: /etc/php/8.2/fpm/pool.d/www.conf path: /etc/php/8.2/fpm/pool.d/www.conf
state: absent state: absent
notify: reload php8.2-fpm notify: Reload php8.2-fpm
# re-configure php.ini # re-configure php.ini
- name: Update php.ini - name: Update php.ini
@@ -42,9 +45,6 @@
owner: root owner: root
group: root group: root
mode: "0644" mode: "0644"
notify: reload php8.2-fpm notify: Reload php8.2-fpm
tags: php-fpm
when: install_php
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

View File

@@ -1,10 +0,0 @@
---
# sshd service name is `ssh` on Debian/Ubuntu, but it's
# `sshd` on CentOS
sshd_service_name: ssh
# provisioning user vars
provisioning_user: { name: 'provisioning', home: '/home/provisioning' }
# vim: set ts=2 sw=2:

View File

@@ -9,7 +9,7 @@
- { role: mariadb, when: mariadb_databases is defined} - { role: mariadb, when: mariadb_databases is defined}
- { role: nginx, when: webserver is defined and webserver == 'nginx' } - { role: nginx, when: webserver is defined and webserver == 'nginx' }
- { role: caddy, when: webserver is defined and webserver == 'caddy' } - { role: caddy, when: webserver is defined and webserver == 'caddy' }
- php-fpm - php_fpm
- munin - munin
vars_files: vars_files:
- vars/ipsets.yml - vars/ipsets.yml