Compare commits


152 Commits

Author SHA1 Message Date
b663d27fd8 roles/common: rework firewall_Debian.yml playbook
Use newer Ansible task format, move from apt to package module, and
do package installs in one transaction using a list instead of a
loop.
2022-09-12 17:25:40 +03:00
67c99dacf6 roles/common: rework firewall_Ubuntu.yml playbook
Use newer Ansible task format, move from apt to package module, and
do package installs in one transaction using a list instead of a loop.
2022-09-12 17:18:33 +03:00
4abf2b10e4 ansible.cfg: smart fact gathering 2022-09-12 17:18:19 +03:00
f5199264f9 ansible.cfg: disable SSH host key checking 2022-09-12 17:14:39 +03:00
b259f09cbd roles/common: add SSH public key from other machine 2022-09-12 17:06:31 +03:00
f4b32e516b roles/mariadb: use newer Ansible task syntax 2022-09-12 10:16:42 +03:00
fcb12ecee0 roles/mariadb: remove sources.list template 2022-09-12 10:13:27 +03:00
5bc03ceacc roles/mariadb: install packages in single transaction
Using a list we can install these in a single apt transaction. Also
use the newer task format.
2022-09-12 10:12:07 +03:00
c317429f6d roles/mariadb: rework package signing key and repo 2022-09-12 10:09:41 +03:00
b512a7f765 roles/common: create /etc/apt/keyrings
According to the Debian docs for third-party repositories we must
create this manually on distros before Debian 12 and Ubuntu 22.04.
This is due to changes in apt-secure and the deprecation of apt-key.

See: https://wiki.debian.org/DebianRepository/UseThirdParty
2022-09-12 10:05:12 +03:00
e3a87d4f79 roles/mariadb: MariaDB 10.6
See: https://mariadb.com/kb/en/mariadb-1069-release-notes/
See: https://mariadb.com/kb/en/upgrading-from-mariadb-105-to-mariadb-106/
2022-09-12 09:25:46 +03:00
dec2d50fbc host_vars/web22: WordPress 6.0.2 2022-09-12 09:00:05 +03:00
34be0013b7 Remove Debian 10 support 2022-09-11 09:21:08 +03:00
399585f4e7 roles: don't compare literal true and false
I changed these yesterday when editing the truthy values, but according
to ansible-lint we can just rely on them being true or false
without comparing.
2022-09-11 08:41:25 +03:00
0240897b1b Remove Ubuntu 18.04 support 2022-09-10 23:30:04 +03:00
1da0da53ec roles: use longer format for when conditionals
When the condition is an AND we can use this more succinct format.
2022-09-10 23:12:49 +03:00
677cc9f160 roles/php-fpm: fix truthy-ness in when 2022-09-10 23:12:26 +03:00
ffe7a872dd roles: strict truthy values
According to Ansible we can use yes, true, True, "or any quoted
string" for a boolean true, but ansible-lint wants us to use either
true or false.

See: https://chronicler.tech/red-hat-ansible-yes-no-and/
2022-09-10 22:33:19 +03:00
95d0005978 Add ansible-lint 2022-09-10 18:36:53 +03:00
498766fdc4 Pipfile.lock: run pipenv update 2022-09-10 18:36:07 +03:00
fc0fcc5742 roles/common: fix unnamed blocks 2022-09-10 18:35:27 +03:00
587bd6dcdd roles: use fully qualified module names 2022-09-10 18:35:27 +03:00
92a4c72809 Pipfile.lock: run pipenv update 2022-08-16 21:24:34 -07:00
a2d61abba2 roles/mariadb: update mirror
I started getting 'does not have a Release file' for the old
repository. Not sure why.
2022-08-14 22:09:47 -07:00
d2a5a28809 Pipfile.lock: run pipenv update 2022-08-01 15:20:56 +03:00
84c0589aee host_vars/web22: WordPress 5.9.2 2022-03-31 22:35:15 +03:00
2961578a54 roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml

Then I formatted the nftables files manually. Meh...
2022-02-28 18:51:35 +03:00
4d74f76b3c Pipfile.lock: run pipenv update 2022-02-04 21:47:53 +03:00
9e737466c5 roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml

Then I formatted the nftables files manually. Meh...
2022-02-04 21:47:37 +03:00
0ffb1b1a36 roles/common: use pyinotify backend for nginx fail2ban jail
This seems to be automatically selected, but on some other servers
I notice it is not. I will set it here explicitly so fail2ban does
not fall back to the inefficient "polling" or incorrect "systemd"
backends.
2022-01-04 15:10:02 +02:00
68f0b85eb3 Pipfile.lock: run pipenv update 2021-12-22 11:49:24 +02:00
ebbde530d2 roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml

Then I created the nftables files manually. Meh...
2021-12-22 11:40:27 +02:00
ab47df6031 Use Python 3.10 with pipenv 2021-12-13 08:38:08 +02:00
de75b2ffb6 host_vars/web22: WordPress 5.8.2 2021-11-30 19:48:18 +02:00
e10d83dadd Pipfile.lock: run pipenv update 2021-11-30 19:34:46 +02:00
f070fd9a64 roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
2021-11-07 10:12:43 +02:00
6e1527b1a8 Pipfile.lock: run pipenv update 2021-11-07 10:11:46 +02:00
ebd8b0632b roles/common: Disable unsafe Diffie-Hellman SSH moduli
The WeakDH team showed (in 2015) that Diffie-Hellman key exchange
with prime number groups of 1024 bits or less were weaker than we
previously thought, and well within the reach of nation states. They
recommended (in 2015) using 2048-bit or higher prime groups.

The SSH audit project recommends that we should use 3072-bit now.

See: https://weakdh.org/
See: https://github.com/jtesta/ssh-audit/
2021-10-10 16:57:05 +03:00
df26b6c17e roles/common: notify fail2ban after updating firewall
We should always restart fail2ban after updating the firewall. Also
note that the order of execution of handlers depends on how they are
defined in the handler config, not on the order they are listed in
the task's notify statement.

See: https://docs.ansible.com/ansible/latest/user_guide/playbooks_handlers.html
2021-09-28 10:45:51 +03:00
d92151b8a6 roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml

Note: there were no IPv6 addresses in the top 10,000 this time so I
used a dummy address for the nftables set so the syntax was valid.
2021-09-28 10:28:02 +03:00
b13ead0657 roles/common: use a range for mosh ports in nftables
This is better than a loop in Jinja (though that is useful!).
2021-09-28 07:34:25 +03:00
89ced6f952 Pipfile.lock: run pipenv update 2021-09-27 17:28:41 +03:00
ae5ba0607a Remove host_vars/nomad01
Replaced by web23.
2021-09-27 14:17:48 +03:00
89fd642b78 roles/nginx: minor rework of acme.sh tasks
After the initial acme.sh script is downloaded and bootstrapped we
can remove it. If a host already has been bootstrapped then there
is no need to download it and do it over again.
2021-09-27 13:40:17 +03:00
65e6dd34cd roles/common: Add missing section to Debian 11 sshd_config
We need to be able to configure the list of SSH users.
2021-09-27 12:59:27 +03:00
0421807e4d Add web23
Will replace nomad01
2021-09-27 12:22:45 +03:00
d5eed5055e roles/nginx: Add support for gitea
gitea hosts are basically webservers, but we need to proxy pass. I
am setting up gitea itself manually for now.
2021-09-27 12:15:47 +03:00
f8752bb3e7 roles/nginx: add todo about document roots
We assume it's always /var/www/$domain_name but it can be overridden
in the host_vars...
2021-09-27 12:05:53 +03:00
170e591701 roles/common: Install rsync and lsof 2021-09-27 11:36:40 +03:00
8d6c3c57c3 roles/nginx: install acme.sh after downloading
This is basically just bootstrapping it. I used to do this by hand
before requesting the certs.
2021-09-27 11:28:02 +03:00
79b29f0c51 roles/nginx: generate snakeoil cert manually
The ssl-cert does this, but it includes the hostname of the server
as the subject name in the cert, which is a huge leak of privacy.
2021-09-27 10:48:24 +03:00
a4acc85704 roles/common: Remove iptables on newer Debian 2021-09-27 10:35:38 +03:00
f7b9aa67f5 roles/common: Fix comment about Debian 10 firewall 2021-09-27 10:31:31 +03:00
0a39c4f0ef README.md: Update debian/ubuntu note 2021-09-27 10:13:47 +03:00
85323d789c Remove host_vars/web19
Replaced by web22.
2021-09-13 11:49:32 +03:00
341a1bf11e roles/php-fpm: Install php7.4-xml
The RSS feeds in the WordPress admin dashboard need this.
2021-09-13 10:19:33 +03:00
6ee389eda5 roles/php-fpm: Use concrete dependencies
The php-gd, php-mysql, etc packages are meta packages that just end
up installing the concrete ones for our specific version.
2021-09-13 10:18:40 +03:00
83fea62b0f host_vars/web22: WordPress 5.8.1 2021-09-13 07:37:40 +03:00
0d1a5fbb25 Add host_vars/web22
Will replace web19 soon.
2021-09-12 21:59:38 +03:00
4d8444abf2 host_vars/web21: Fix path to cert 2021-09-12 20:39:45 +03:00
e8486f6c9e host_vars/nomad02: Update Drone to version 2 2021-09-10 21:49:00 +03:00
20cd6f213c roles/common: cache_valid_time explicitly sets update_cache
See: https://docs.ansible.com/ansible/latest/collections/ansible/builtin/apt_module.html
2021-09-08 21:59:51 +03:00
eb80e797c6 Add host_vars/web21
Replaces web20.
2021-09-08 21:57:04 +03:00
736bb8eb38 Remove host_vars/web20
Will be replaced by web21.
2021-09-08 21:56:43 +03:00
34a30c4d13 roles/common: Don't update apt cache when removing packages 2021-09-08 17:05:48 +03:00
c03e75d736 roles/common: explicitly install systemd-timesyncd
It is a standalone package on (at least) Ubuntu 20.04 and Debian 11
and some cloud images do not have it installed by default (for
example Scaleway).
2021-09-08 17:04:46 +03:00
d08f10f9c8 roles/common: Fix comment in ntp playbook 2021-09-08 17:04:20 +03:00
8467dc1300 roles/mariadb: Change socket location
Instead of using /var/run, just use /run directly. This is the real
path and it's the default anyways.
2021-09-08 15:50:48 +03:00
635bb5234d roles/common: fix logic for copying AbuseIPDB.com nft sets
We have to force these because they are not updated on the host like
the other lists (API limit of five requests per day!). We update the
list periodically here in git.
2021-09-08 09:58:13 +03:00
37901da5b5 roles/common: update AbuseIPDB lists for nftables 2021-09-08 09:57:58 +03:00
e36ae3b11e roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
2021-09-08 09:35:36 +03:00
81c1231a28 roles/php-fpm: Fix logic
First, we cannot do a global check for has_wordpress or needs_php,
as those are defined per nginx vhost. Second, I realized that this
was only working in the past because vhosts that had WordPress or
needed PHP were listed first in the nginx_vhosts dict.

This changes the logic to first check if any vhosts have WordPress
or need PHP, then sets a fact that we can use to decide whether to
run php-fpm tasks or not.
2021-09-08 09:32:06 +03:00
bb6f058025 roles/php-fpm: whitespace 2021-09-07 20:12:31 +03:00
547395b26e roles/nginx: Use php7.4-fpm socket on Debian 11 as well 2021-09-07 17:51:54 +03:00
15208241d3 roles/common: Add git-lfs to base packages 2021-09-07 17:51:33 +03:00
0fd05d496e roles/nginx: Set mode of downloaded acme.sh 2021-09-07 17:10:35 +03:00
023a0d48ba roles/nginx: Remove old comment 2021-09-07 17:07:53 +03:00
c687b7a91a roles/nginx: Run Let's Encrypt on Debian 11 too 2021-09-07 17:07:33 +03:00
bd4ae36bb6 roles/mariadb: use socket for all operations
Otherwise Ansible will try to connect with host 'localhost', which
we do not use (and we have disabled name resolution anyways).
2021-09-07 16:48:15 +03:00
b60637c7d9 roles/mariadb: Update comments for Ansible module 2021-09-07 16:47:47 +03:00
479127a5e4 roles/common: Fix nftables handler in Debian firewall
We used to use reload, but now the idempotent thing to do is to use
restart instead of reload.
2021-09-07 15:43:33 +03:00
d261f81642 roles/php-fpm: Use Ubuntu 20.04 configs on Debian 11
They both use PHP 7.4.
2021-09-06 21:19:57 +03:00
6bc044d454 host_vars: remove mosh rules
They are in roles/common now.
2021-09-05 16:33:45 +03:00
9e07e27fbe host_vars/web19: remove extra mosh rules
These are now in the common role for all hosts.
2021-09-05 16:24:28 +03:00
575a9fdfe6 roles/common: Add mosh ports to common
These have been in each host's "extra" rules lists forever and I
use them on every single host so they might as well be in the base
rules.
2021-09-05 16:23:42 +03:00
35fa3b0d72 roles/common: Fix typo in handlers 2021-09-05 16:19:31 +03:00
ba5760bf8c host_vars/web19: WordPress 5.8 2021-09-05 15:55:58 +03:00
5e918da88e Pipfile.lock: run pipenv update 2021-09-05 15:38:51 +03:00
f7e87ea7be roles/common: Fix fail2ban ignoreip
According to jail.conf we actually need to separate multiple values
with spaces instead of commas. On some versions of fail2ban this is
a fatal error:

> CRITICAL Unhandled exception in Fail2Ban:
> Traceback (most recent call last):
>   File "/usr/lib/python3/dist-packages/fail2ban/server/jailthread.py", line 66, in run_with_except_hook
>     run(*args, **kwargs)
>   File "/usr/lib/python3/dist-packages/fail2ban/server/filtersystemd.py", line 246, in run
>     *self.formatJournalEntry(logentry))
>   File "/usr/lib/python3/dist-packages/fail2ban/server/filter.py", line 432, in processLineAndAdd
>     if self.inIgnoreIPList(ip, log_ignore=True):
>   File "/usr/lib/python3/dist-packages/fail2ban/server/filter.py", line 371, in inIgnoreIPList
>     "(?<=b)1+", bin(DNSUtils.addr2bin(s[1]))).group())
>   File "/usr/lib/python3/dist-packages/fail2ban/server/filter.py", line 928, in addr2bin
>     return struct.unpack("!L", socket.inet_aton(ipstring))[0]
> OSError: illegal IP address string passed to inet_aton

This affects (at least) fail2ban 0.9.3 on Ubuntu 16.04, but I never
noticed.
2021-08-12 15:24:50 +03:00
7b233eb31d Pipfile.lock: Run pipenv update
Ansible 4.3.0
2021-08-01 16:14:42 +03:00
b5ea575d8d roles/common: Always restart nftables service
The "reload" capability only exists on Ubuntu, and it is exactly
the same as the "restart" functionality.
2021-08-01 14:23:00 +03:00
98cc3a8c2e Add nginx filter for fail2ban
Some hosts can use fail2ban's nginx-botsearch filter to ban anyone
making requests to non-existent files like wp-login.php. There is
no reason to request such files naively and anyone found doing so
can be banned immediately.

In theory I should report them to AbuseIPDB.com, but that will take
a little more wiring up.
2021-08-01 09:56:43 +03:00
a67d901641 roles/common: Use AbuseIPDB.com list in nftables
For now I am still manually updating this, as we can only hit their
API five times per day, so it is not possible to have each host get
the list themselves every day with our one API key.
2021-07-31 21:46:50 +03:00
7ae100faeb roles/common: Add comments to nftables.conf 2021-07-30 09:37:30 +03:00
debcb21161 roles/common: Install curl for Abuse.ch update scripts 2021-07-29 10:24:32 +03:00
8dd7663b3c roles/common: Use Abuse.ch's SSL Blacklist in nftables
This adds Abuse.ch's list of IPs using blacklisted SSL certificates
to nftables. These IPs are high confidence indicators of compromise
and we should not route them. The list is updated daily by a systemd
timer.

See: https://sslbl.abuse.ch/blacklist/
2021-07-29 10:16:00 +03:00
cba2a7a996 roles/common: Fix nftables in Debian firewall
The previous commit meant to move the service start, not the config
copying task.
2021-07-29 10:10:04 +03:00
197bdf7666 roles/common: Start nftables service later
We should only try to start the nftables service after we finish
copying all the config files just in case there is some unclean
state in one of them. On a first run this shouldn't matter, but
after nftables and some abuse list update scripts have run this
can happen (mostly in testing!).
2021-07-29 10:05:15 +03:00
46fc2ce3d4 roles/common: Move cleanup to a one-off play
We only need to run this once on existing hosts that are using the
old firewalld/ipsets setup before applying the new nftables config.
2021-07-29 10:00:30 +03:00
b4d50166f4 roles/common: Fix loop in firewall cleanup 2021-07-28 23:46:53 +03:00
c336b217c5 Remove extra TCP ports from firewall rules
Now all web hosts get TCP 80 and 443 open automatically.
2021-07-28 14:49:50 +03:00
af6c3dd12a roles/common: Update cache in firewall playbook
cron-apt updates the system against the security-only databases at
night so many packages are "missing" unless you run apt update. We
need to update the cache on all apt tasks actually because I might
be running them by their tag and they currently only get updated at
the beginning of the playbook.
2021-07-28 14:46:58 +03:00
b66c724109 roles/common: Use nftables on Ubuntu 20.04 as well
This mostly copies the Debian 11 nftables setup and includes a play
to clean up the old firewalld settings, timers, etc.
2021-07-28 14:18:41 +03:00
8bc2b6f493 roles/common: Retab nftables.conf.j2 2021-07-27 22:03:23 +03:00
a74d6dfc08 roles/common: Don't overwrite spamhaus nft sets
The ones in this repo are only placeholders that get updated by the
update-spamhaus-nftables service, so we shouldn't overwrite them if
they exist.
2021-07-27 22:01:57 +03:00
d3922e7878 roles/common: Port configurable firewall logic to nftables
This opens TCP port 22 on all hosts, TCP ports 80 and 443 on hosts
in the web group, and allows configuration of "extra" rules in the
host or group vars.
2021-07-27 21:22:32 +03:00
14814aa5d9 roles/common: Wire up fail2ban
The nftables support works easily and creates the table, chains, and
sets on demand.
2021-07-26 22:07:31 +03:00
3b053167b1 roles/common: Fix sources.list for Debian 11 Bullseye
Seems the path to the security updates repo changed.
2021-07-26 21:12:05 +03:00
9bba0d96bb roles/common: Add initial support for nftables on Debian 11
I will try using nftables directly instead of via firewalld as of
Debian 11 as it is the replacement for the iptables/ipset stack in
recent years and is easier to work with.

This also includes a systemd service, timer, and script to update
the spamhaus DROP lists as nftables sets.

Still need to add fail2ban support.
2021-07-26 13:09:41 +03:00
38c333045b roles/common: bring Ubuntu firewall changes to Debian 11
Note that there is currently an issue loading the spamhaus rules on
Debian 11 when using ipsets with firewalld and the nftables backend.
The bug is apparently caused by overlapping CIDR segments, and the
solution appears to be that we need to manually aggregate them with
a tool like aggregate6 (Python).

See: https://bugzilla.redhat.com/show_bug.cgi?id=1836571
See: https://wiki.fysik.dtu.dk/it/Linux_firewall_configuration#using-ipsets-in-firewalld-on-rhel-centos-8
See: https://github.com/job/aggregate6
2021-07-24 23:09:33 +03:00
d4ede33099 roles/common: Don't configure apt sources on ARM
I was using this on Ubuntu, but might as well bring it here too so
that I can run Debian on Scaleway's ARM instances, for example.
2021-07-24 22:32:20 +03:00
0bad75788d roles/common: Add encryption settings to Debian 11 sshd_config
Mostly based on the ssh-audit policy for OpenSSH 8.4, but with any
algorithms using less than 256 bits removed. NSA's Suite B removed
these long ago, and the new CNSA suite only uses 256 and up.

See: https://github.com/jtesta/ssh-audit/blob/master/src/ssh_audit/policy.py
See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
2021-07-24 22:28:59 +03:00
892033b880 roles/common: port common settings to Debian 11 sshd_config
Still need to add the encryption settings.
2021-07-22 14:16:20 +03:00
7c6ab2a652 roles/common: Add sshd_config from Debian 11 RC2 2021-07-22 14:15:00 +03:00
1c95c1faa8 roles/common: Update KexAlgorithms in Ubuntu 20.04 sshd_config
Recommended by ssh-audit. Note that curve25519-sha256 is the new name
for the previously private implementation in libssh.
2021-07-22 12:57:31 +03:00
9ea14de6f5 roles/common: Remove Encrypt-and-MAC modes from Ubuntu 20.04 sshd_config
Recommended by ssh-audit, but also generally the consensus for a few
years that Encrypt-and-MAC is hard to get right. OpenSSH has several
Encrypt-then-MAC schemes available so we can use those.

See: https://www.daemonology.net/blog/2009-06-24-encrypt-then-mac.html
2021-07-22 12:48:12 +03:00
9b7a31ebf9 roles/common: Remove 00-persistent-journal.conf
This was to enable the persistent systemd journal, but it is no
longer needed as of Ubuntu 18.04 and Debian 11. I had removed the
tasks long ago, but forgot to remove this file.
2021-07-21 10:02:33 +03:00
d7c34a30a3 roles/common: Add Spamhaus DROP lists to firewalld ipsets
This configures the recommended DROP, EDROP, and DROPv6 lists from
Spamhaus as ipsets in firewalld. First we copy an empty placeholder
ipset to seed firewalld, then we use a shell script to download the
real lists and activate them. The same shell script is run daily as
a service (update-spamhaus-lists.service) by a systemd timer.

I am strictly avoiding any direct ipset commands here because I want
to make sure that this works on older hosts where ipsets is used as
well as newer hosts that have moved to nftables such as Ubuntu 20.04.
So far I have tested this on Ubuntu 16.04, 18.04, and 20.04, but
eventually I need to abstract the tasks and run them on CentOS 7+ as
well.

See: https://www.spamhaus.org/drop/
2021-07-21 09:34:51 +03:00
ee5f4cdf74 host_vars: don't hard code python path
We now use auto mode in ansible.cfg, so we don't need to hard code
this in every single host's vars file.

See: https://docs.ansible.com/ansible/latest/reference_appendices/interpreter_discovery.html
2021-07-07 12:23:05 +03:00
b014c09a2c ansible.cfg: Use auto discovery of Python interpreter
Uses a built-in table of OSes and Python versions to decide which
Python interpreter to use. This is better than hard coding python3
in every single host's host_vars.

See: https://docs.ansible.com/ansible/latest/reference_appendices/interpreter_discovery.html
2021-07-07 12:22:00 +03:00
531ff99af0 roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
2021-07-04 11:15:32 +03:00
82d3a7ff2a roles/nginx: Add convenience tags to fact task 2021-07-01 18:17:14 +03:00
6c3cf40a16 roles/nginx: Use snakeoil cert from ssl-cert
Instead of manually creating our own self-signed certificate we can
use the one created automatically by the ssl-cert package on Debian.
This is only used by the dummy default HTTPS vhost.
2021-07-01 18:11:34 +03:00
681be5eb19 Pipfile.lock: run pipenv update
Ansible 4.2.0 and Ansible Core 2.11.2
2021-07-01 18:11:11 +03:00
4fae56a386 host_vars/web19: WordPress 5.7.2 2021-06-13 16:14:22 +03:00
1d5db7bdbe Pipfile.lock: run pipenv update 2021-06-13 16:14:05 +03:00
32da3a3341 Pipfile.lock: Re-create pipenv environment for Ansible 4.0.0
Seems we need to manually uninstall and re-install.
2021-05-20 10:21:01 +03:00
31a3f5832a roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
2021-05-20 10:20:47 +03:00
3e7130b519 Pipfile.lock: run pipenv update 2021-05-14 13:56:56 +03:00
bd0b6a16de roles/nginx/defaults/main.yml: Update version comment
Stable is now 1.20.0
2021-05-10 16:00:44 +03:00
7145298f90 Pipfile.lock: Run pipenv update 2021-05-10 15:59:34 +03:00
1bfd2bc441 Pipfile.lock: Run pipenv update
Ansible 3.3.0
2021-04-28 12:49:23 +03:00
884b3b8425 host_vars/web19: remove dead host 2021-04-24 20:17:17 +03:00
e06a0c4093 host_vars/web19: WordPress 5.7.1 2021-04-16 19:51:55 +03:00
7ba5afcec4 roles/nginx: Opt out of Google FLoC
Google's new Federated Learning of Cohorts (FLoC) will read users'
browser history and assign them to cohorts to track them unless we
set this header.
2021-04-16 12:41:09 +03:00
d3978e5b07 Pipfile.lock: run pipenv update 2021-04-13 14:28:34 +03:00
4150dac57b roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
2021-04-13 12:11:11 +03:00
58bc9d191f roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
2021-03-24 10:02:43 +02:00
96cefc7f74 roles/nginx: Parameterize HSTS header
This parameterizes the HTTP Strict Transport Security header so we
can use it consistently across all templates. Also, it updates the
max-age to be ~1 year in seconds, which is recommended by Google.

See: https://hstspreload.org/
2021-03-23 15:36:28 +02:00
f85eb2841a roles/nginx: Add webroot to systemd renewal service 2021-03-20 00:18:17 +02:00
5d506ebc65 README.md: Update copyright year 2021-03-20 00:16:16 +02:00
af49f27551 roles/nginx: Update comment in defaults 2021-03-19 23:50:39 +02:00
f341d2e5eb roles/nginx: Remove nginx pre/post hooks
We are now using the well-known webroot.
2021-03-19 23:46:22 +02:00
ceba0ea417 roles/nginx: Use consistent task style 2021-03-19 23:45:41 +02:00
a34cb1e666 roles/nginx: Switch to acme.sh for Let's Encrypt
The certbot-auto client that I've been using for a long time is now
only supported if you install it using snap. I don't use snap on my
systems so I decided to switch to the acme.sh client, which is
implemented in POSIX shell with no dependencies. One bonus of this is
that I can start using ECC certificates.

This also configures the .well-known directory so we can use webroot
when installing and renewing certificates. I have yet to understand
how the renewal works with regards to webroot, though. I may have to
update the systemd timers to point to /var/lib/letsencrypt/.well-known.
2021-03-19 23:39:30 +02:00
65fc52c5e5 roles/nginx: Use variable for nginx_ssl_dhparam
I went years without realizing that I was hard coding the file dest
in this particular task.
2021-03-19 18:13:55 +02:00
7f13c8c675 host_vars/web19: WordPress 3.7 2021-03-19 13:27:34 +02:00
9c36cfb8e5 Pipfile.lock: Run pipenv update 2021-03-19 13:18:19 +02:00
7f72a9eda4 roles/nginx: Use RFC 7919 4096-bit dhparams
Recommended by internet.nl, which made me aware of RFC 7919.

See: https://tools.ietf.org/html/rfc7919#page-14
2021-03-19 13:13:56 +02:00
6e96d48ea6 Pipfile.lock: Run pipenv update
Ansible 3.0.0
2021-03-01 15:27:58 +02:00
db412066b3 roles/mariadb: Only create users on 127.0.0.1 and ::1
A few months ago I disabled hostname lookups so only IP addresses
work now anyways.
2021-02-13 13:11:28 +02:00
63a836e2a7 roles/common: Update Tarsnap GPG key
Apparently this changed since I last ran the tarsnap task.
2021-02-13 12:57:17 +02:00
88 changed files with 12152 additions and 15953 deletions


@ -7,6 +7,7 @@ verify_ssl = true
[packages] [packages]
ansible = "*" ansible = "*"
ansible-lint = "*"
[requires] [requires]
python_version = "3.9" python_version = "3.10"
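Review bot: the new `ansible-lint = "*"` line sits in `[packages]`, so the linter and everything it drags in will be installed in every environment built from this Pipfile, not just where linting runs; `[dev-packages]` is the usual home for it. Both `ansible` and `ansible-lint` also use the unconstrained `"*"` specifier, which means reproducibility rests entirely on Pipfile.lock being committed and honoured (`pipenv sync` or `pipenv install --deploy`); a minimum bound such as a major-version range would make the intent explicit in the Pipfile itself.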

Pipfile.lock generated

@ -1,11 +1,11 @@
{ {
"_meta": { "_meta": {
"hash": { "hash": {
"sha256": "65b615b857250757470e21fc3a4b1cdfe75b4b012c0d1d633a5ebf1988d9cb91" "sha256": "2422e2d1b897e5e036bfa5bb03973c181899742b53c49abcdcc428da8820ac4c"
}, },
"pipfile-spec": 6, "pipfile-spec": 6,
"requires": { "requires": {
"python_version": "3.9" "python_version": "3.10"
}, },
"sources": [ "sources": [
{ {
@ -18,204 +18,493 @@
"default": { "default": {
"ansible": { "ansible": {
"hashes": [ "hashes": [
"sha256:ae97002e4fb1ed3de947428ff43906c76c66751fe104721cf6b25fa115dbbe8d" "sha256:74f5c3bd7441dcdb7cace8a3c2a44b0be7002be346bf8137e5c67fd8ba743fd3",
"sha256:d5fa9fc15a8d45c8d5247a9645b0b48f995d735b12c4da655666d48506273526"
], ],
"index": "pypi", "index": "pypi",
"version": "==2.10.6" "version": "==6.3.0"
}, },
"ansible-base": { "ansible-compat": {
"hashes": [ "hashes": [
"sha256:33ae323923b841f3d822f355380ce7c92610440362efeed67b4b39db41e555af" "sha256:676db8ec0449d1f07038625b8ebb8ceef5f8ad3a1af3ee82d4ed66b9b04cb6fa",
"sha256:ce69a67785ae96e8962794a47494339991a0ae242ab5dd14a76ee2137d09072e"
], ],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", "markers": "python_version >= '3.8'",
"version": "==2.10.5" "version": "==2.2.0"
},
"ansible-core": {
"hashes": [
"sha256:449dbcfbfe18e4f23dec0c29b9aa60d76d205657a8e136484f4edea49faf7614",
"sha256:eec5042530ff1c0c8d13a36fa047c6dd9157efeefd464a856b4ce38be4cd1988"
],
"markers": "python_version >= '3.8'",
"version": "==2.13.3"
},
"ansible-lint": {
"hashes": [
"sha256:ac8241d3ce1b161f0e052b44f0d226fbda7d8f318d4f24269de7f2b87e32ff6f",
"sha256:f4432c74c0f28b2870a188b4999592f6338042f30d0c6f4ee11b32440ca9ffe4"
],
"index": "pypi",
"version": "==6.5.2"
},
"attrs": {
"hashes": [
"sha256:29adc2665447e5191d0e7c568fde78b21f9672d344281d0c6e1ab085429b22b6",
"sha256:86efa402f67bf2df34f51a335487cf46b1ec130d02b8d39fd248abfd30da551c"
],
"markers": "python_version >= '3.5'",
"version": "==22.1.0"
},
"black": {
"hashes": [
"sha256:0a12e4e1353819af41df998b02c6742643cfef58282915f781d0e4dd7a200411",
"sha256:0ad827325a3a634bae88ae7747db1a395d5ee02cf05d9aa7a9bd77dfb10e940c",
"sha256:32a4b17f644fc288c6ee2bafdf5e3b045f4eff84693ac069d87b1a347d861497",
"sha256:3b2c25f8dea5e8444bdc6788a2f543e1fb01494e144480bc17f806178378005e",
"sha256:4a098a69a02596e1f2a58a2a1c8d5a05d5a74461af552b371e82f9fa4ada8342",
"sha256:5107ea36b2b61917956d018bd25129baf9ad1125e39324a9b18248d362156a27",
"sha256:53198e28a1fb865e9fe97f88220da2e44df6da82b18833b588b1883b16bb5d41",
"sha256:5594efbdc35426e35a7defa1ea1a1cb97c7dbd34c0e49af7fb593a36bd45edab",
"sha256:5b879eb439094751185d1cfdca43023bc6786bd3c60372462b6f051efa6281a5",
"sha256:78dd85caaab7c3153054756b9fe8c611efa63d9e7aecfa33e533060cb14b6d16",
"sha256:792f7eb540ba9a17e8656538701d3eb1afcb134e3b45b71f20b25c77a8db7e6e",
"sha256:8ce13ffed7e66dda0da3e0b2eb1bdfc83f5812f66e09aca2b0978593ed636b6c",
"sha256:a05da0430bd5ced89176db098567973be52ce175a55677436a271102d7eaa3fe",
"sha256:a983526af1bea1e4cf6768e649990f28ee4f4137266921c2c3cee8116ae42ec3",
"sha256:bc4d4123830a2d190e9cc42a2e43570f82ace35c3aeb26a512a2102bce5af7ec",
"sha256:c3a73f66b6d5ba7288cd5d6dad9b4c9b43f4e8a4b789a94bf5abfb878c663eb3",
"sha256:ce957f1d6b78a8a231b18e0dd2d94a33d2ba738cd88a7fe64f53f659eea49fdd",
"sha256:cea1b2542d4e2c02c332e83150e41e3ca80dc0fb8de20df3c5e98e242156222c",
"sha256:d2c21d439b2baf7aa80d6dd4e3659259be64c6f49dfd0f32091063db0e006db4",
"sha256:d839150f61d09e7217f52917259831fe2b689f5c8e5e32611736351b89bb2a90",
"sha256:dd82842bb272297503cbec1a2600b6bfb338dae017186f8f215c8958f8acf869",
"sha256:e8166b7bfe5dcb56d325385bd1d1e0f635f24aae14b3ae437102dedc0c186747",
"sha256:e981e20ec152dfb3e77418fb616077937378b322d7b26aa1ff87717fb18b4875"
],
"markers": "python_full_version >= '3.6.2'",
"version": "==22.8.0"
},
"bracex": {
"hashes": [
"sha256:351b7f20d56fb9ea91f9b9e9e7664db466eb234188c175fd943f8f755c807e73",
"sha256:e7b23fc8b2cd06d3dec0692baabecb249dda94e06a617901ff03a6c56fd71693"
],
"markers": "python_version >= '3.7'",
"version": "==2.3.post1"
}, },
"cffi": { "cffi": {
"hashes": [ "hashes": [
"sha256:00a1ba5e2e95684448de9b89888ccd02c98d512064b4cb987d48f4b40aa0421e", "sha256:00a9ed42e88df81ffae7a8ab6d9356b371399b91dbdf0c3cb1e84c03a13aceb5",
"sha256:00e28066507bfc3fe865a31f325c8391a1ac2916219340f87dfad602c3e48e5d", "sha256:03425bdae262c76aad70202debd780501fabeaca237cdfddc008987c0e0f59ef",
"sha256:045d792900a75e8b1e1b0ab6787dd733a8190ffcf80e8c8ceb2fb10a29ff238a", "sha256:04ed324bda3cda42b9b695d51bb7d54b680b9719cfab04227cdd1e04e5de3104",
"sha256:0638c3ae1a0edfb77c6765d487fee624d2b1ee1bdfeffc1f0b58c64d149e7eec", "sha256:0e2642fe3142e4cc4af0799748233ad6da94c62a8bec3a6648bf8ee68b1c7426",
"sha256:105abaf8a6075dc96c1fe5ae7aae073f4696f2905fde6aeada4c9d2926752362", "sha256:173379135477dc8cac4bc58f45db08ab45d228b3363adb7af79436135d028405",
"sha256:155136b51fd733fa94e1c2ea5211dcd4c8879869008fc811648f16541bf99668", "sha256:198caafb44239b60e252492445da556afafc7d1e3ab7a1fb3f0584ef6d742375",
"sha256:1a465cbe98a7fd391d47dce4b8f7e5b921e6cd805ef421d04f5f66ba8f06086c", "sha256:1e74c6b51a9ed6589199c787bf5f9875612ca4a8a0785fb2d4a84429badaf22a",
"sha256:1d2c4994f515e5b485fd6d3a73d05526aa0fcf248eb135996b088d25dfa1865b", "sha256:2012c72d854c2d03e45d06ae57f40d78e5770d252f195b93f581acf3ba44496e",
"sha256:2c24d61263f511551f740d1a065eb0212db1dbbbbd241db758f5244281590c06", "sha256:21157295583fe8943475029ed5abdcf71eb3911894724e360acff1d61c1d54bc",
"sha256:51a8b381b16ddd370178a65360ebe15fbc1c71cf6f584613a7ea08bfad946698", "sha256:2470043b93ff09bf8fb1d46d1cb756ce6132c54826661a32d4e4d132e1977adf",
"sha256:594234691ac0e9b770aee9fcdb8fa02c22e43e5c619456efd0d6c2bf276f3eb2", "sha256:285d29981935eb726a4399badae8f0ffdff4f5050eaa6d0cfc3f64b857b77185",
"sha256:5cf4be6c304ad0b6602f5c4e90e2f59b47653ac1ed9c662ed379fe48a8f26b0c", "sha256:30d78fbc8ebf9c92c9b7823ee18eb92f2e6ef79b45ac84db507f52fbe3ec4497",
"sha256:64081b3f8f6f3c3de6191ec89d7dc6c86a8a43911f7ecb422c60e90c70be41c7", "sha256:320dab6e7cb2eacdf0e658569d2575c4dad258c0fcc794f46215e1e39f90f2c3",
"sha256:6bc25fc545a6b3d57b5f8618e59fc13d3a3a68431e8ca5fd4c13241cd70d0009", "sha256:33ab79603146aace82c2427da5ca6e58f2b3f2fb5da893ceac0c42218a40be35",
"sha256:798caa2a2384b1cbe8a2a139d80734c9db54f9cc155c99d7cc92441a23871c03", "sha256:3548db281cd7d2561c9ad9984681c95f7b0e38881201e157833a2342c30d5e8c",
"sha256:7c6b1dece89874d9541fc974917b631406233ea0440d0bdfbb8e03bf39a49b3b", "sha256:3799aecf2e17cf585d977b780ce79ff0dc9b78d799fc694221ce814c2c19db83",
"sha256:7ef7d4ced6b325e92eb4d3502946c78c5367bc416398d387b39591532536734e", "sha256:39d39875251ca8f612b6f33e6b1195af86d1b3e60086068be9cc053aa4376e21",
"sha256:840793c68105fe031f34d6a086eaea153a0cd5c491cde82a74b420edd0a2b909", "sha256:3b926aa83d1edb5aa5b427b4053dc420ec295a08e40911296b9eb1b6170f6cca",
"sha256:8d6603078baf4e11edc4168a514c5ce5b3ba6e3e9c374298cb88437957960a53", "sha256:3bcde07039e586f91b45c88f8583ea7cf7a0770df3a1649627bf598332cb6984",
"sha256:9cc46bc107224ff5b6d04369e7c595acb700c3613ad7bcf2e2012f62ece80c35", "sha256:3d08afd128ddaa624a48cf2b859afef385b720bb4b43df214f85616922e6a5ac",
"sha256:9f7a31251289b2ab6d4012f6e83e58bc3b96bd151f5b5262467f4bb6b34a7c26", "sha256:3eb6971dcff08619f8d91607cfc726518b6fa2a9eba42856be181c6d0d9515fd",
"sha256:9ffb888f19d54a4d4dfd4b3f29bc2c16aa4972f1c2ab9c4ab09b8ab8685b9c2b", "sha256:40f4774f5a9d4f5e344f31a32b5096977b5d48560c5592e2f3d2c4374bd543ee",
"sha256:a5ed8c05548b54b998b9498753fb9cadbfd92ee88e884641377d8a8b291bcc01", "sha256:4289fc34b2f5316fbb762d75362931e351941fa95fa18789191b33fc4cf9504a",
"sha256:a7711edca4dcef1a75257b50a2fbfe92a65187c47dab5a0f1b9b332c5919a3fb", "sha256:470c103ae716238bbe698d67ad020e1db9d9dba34fa5a899b5e21577e6d52ed2",
"sha256:af5c59122a011049aad5dd87424b8e65a80e4a6477419c0c1015f73fb5ea0293", "sha256:4f2c9f67e9821cad2e5f480bc8d83b8742896f1242dba247911072d4fa94c192",
"sha256:b18e0a9ef57d2b41f5c68beefa32317d286c3d6ac0484efd10d6e07491bb95dd", "sha256:50a74364d85fd319352182ef59c5c790484a336f6db772c1a9231f1c3ed0cbd7",
"sha256:b4e248d1087abf9f4c10f3c398896c87ce82a9856494a7155823eb45a892395d", "sha256:54a2db7b78338edd780e7ef7f9f6c442500fb0d41a5a4ea24fff1c929d5af585",
"sha256:ba4e9e0ae13fc41c6b23299545e5ef73055213e466bd107953e4a013a5ddd7e3", "sha256:5635bd9cb9731e6d4a1132a498dd34f764034a8ce60cef4f5319c0541159392f",
"sha256:c6332685306b6417a91b1ff9fae889b3ba65c2292d64bd9245c093b1b284809d", "sha256:59c0b02d0a6c384d453fece7566d1c7e6b7bae4fc5874ef2ef46d56776d61c9e",
"sha256:d5ff0621c88ce83a28a10d2ce719b2ee85635e85c515f12bac99a95306da4b2e", "sha256:5d598b938678ebf3c67377cdd45e09d431369c3b1a5b331058c338e201f12b27",
"sha256:d9efd8b7a3ef378dd61a1e77367f1924375befc2eba06168b6ebfa903a5e59ca", "sha256:5df2768244d19ab7f60546d0c7c63ce1581f7af8b5de3eb3004b9b6fc8a9f84b",
"sha256:df5169c4396adc04f9b0a05f13c074df878b6052430e03f50e68adf3a57aa28d", "sha256:5ef34d190326c3b1f822a5b7a45f6c4535e2f47ed06fec77d3d799c450b2651e",
"sha256:ebb253464a5d0482b191274f1c8bf00e33f7e0b9c66405fbffc61ed2c839c775", "sha256:6975a3fac6bc83c4a65c9f9fcab9e47019a11d3d2cf7f3c0d03431bf145a941e",
"sha256:ec80dc47f54e6e9a78181ce05feb71a0353854cc26999db963695f950b5fb375", "sha256:6c9a799e985904922a4d207a94eae35c78ebae90e128f0c4e521ce339396be9d",
"sha256:f032b34669220030f905152045dfa27741ce1a6db3324a5bc0b96b6c7420c87b", "sha256:70df4e3b545a17496c9b3f41f5115e69a4f2e77e94e1d2a8e1070bc0c38c8a3c",
"sha256:f60567825f791c6f8a592f3c6e3bd93dd2934e3f9dac189308426bd76b00ef3b", "sha256:7473e861101c9e72452f9bf8acb984947aa1661a7704553a9f6e4baa5ba64415",
"sha256:f803eaa94c2fcda012c047e62bc7a51b0bdabda1cad7a92a522694ea2d76e49f" "sha256:8102eaf27e1e448db915d08afa8b41d6c7ca7a04b7d73af6514df10a3e74bd82",
"sha256:87c450779d0914f2861b8526e035c5e6da0a3199d8f1add1a665e1cbc6fc6d02",
"sha256:8b7ee99e510d7b66cdb6c593f21c043c248537a32e0bedf02e01e9553a172314",
"sha256:91fc98adde3d7881af9b59ed0294046f3806221863722ba7d8d120c575314325",
"sha256:94411f22c3985acaec6f83c6df553f2dbe17b698cc7f8ae751ff2237d96b9e3c",
"sha256:98d85c6a2bef81588d9227dde12db8a7f47f639f4a17c9ae08e773aa9c697bf3",
"sha256:9ad5db27f9cabae298d151c85cf2bad1d359a1b9c686a275df03385758e2f914",
"sha256:a0b71b1b8fbf2b96e41c4d990244165e2c9be83d54962a9a1d118fd8657d2045",
"sha256:a0f100c8912c114ff53e1202d0078b425bee3649ae34d7b070e9697f93c5d52d",
"sha256:a591fe9e525846e4d154205572a029f653ada1a78b93697f3b5a8f1f2bc055b9",
"sha256:a5c84c68147988265e60416b57fc83425a78058853509c1b0629c180094904a5",
"sha256:a66d3508133af6e8548451b25058d5812812ec3798c886bf38ed24a98216fab2",
"sha256:a8c4917bd7ad33e8eb21e9a5bbba979b49d9a97acb3a803092cbc1133e20343c",
"sha256:b3bbeb01c2b273cca1e1e0c5df57f12dce9a4dd331b4fa1635b8bec26350bde3",
"sha256:cba9d6b9a7d64d4bd46167096fc9d2f835e25d7e4c121fb2ddfc6528fb0413b2",
"sha256:cc4d65aeeaa04136a12677d3dd0b1c0c94dc43abac5860ab33cceb42b801c1e8",
"sha256:ce4bcc037df4fc5e3d184794f27bdaab018943698f4ca31630bc7f84a7b69c6d",
"sha256:cec7d9412a9102bdc577382c3929b337320c4c4c4849f2c5cdd14d7368c5562d",
"sha256:d400bfb9a37b1351253cb402671cea7e89bdecc294e8016a707f6d1d8ac934f9",
"sha256:d61f4695e6c866a23a21acab0509af1cdfd2c013cf256bbf5b6b5e2695827162",
"sha256:db0fbb9c62743ce59a9ff687eb5f4afbe77e5e8403d6697f7446e5f609976f76",
"sha256:dd86c085fae2efd48ac91dd7ccffcfc0571387fe1193d33b6394db7ef31fe2a4",
"sha256:e00b098126fd45523dd056d2efba6c5a63b71ffe9f2bbe1a4fe1716e1d0c331e",
"sha256:e229a521186c75c8ad9490854fd8bbdd9a0c9aa3a524326b55be83b54d4e0ad9",
"sha256:e263d77ee3dd201c3a142934a086a4450861778baaeeb45db4591ef65550b0a6",
"sha256:ed9cb427ba5504c1dc15ede7d516b84757c3e3d7868ccc85121d9310d27eed0b",
"sha256:fa6693661a4c91757f4412306191b6dc88c1703f780c8234035eac011922bc01",
"sha256:fcd131dd944808b5bdb38e6f5b53013c5aa4f334c5cad0c72742f6eba4b73db0"
], ],
"version": "==1.14.4" "version": "==1.15.1"
},
"click": {
"hashes": [
"sha256:7682dc8afb30297001674575ea00d1814d808d6a36af415a82bd481d37ba7b8e",
"sha256:bb4d8133cb15a609f44e8213d9b391b0809795062913b383c62be0ee95b1db48"
],
"markers": "python_version >= '3.7'",
"version": "==8.1.3"
},
"commonmark": {
"hashes": [
"sha256:452f9dc859be7f06631ddcb328b6919c67984aca654e5fefb3914d54691aed60",
"sha256:da2f38c92590f83de410ba1a3cbceafbc74fee9def35f9251ba9a971d6d66fd9"
],
"version": "==0.9.1"
}, },
"cryptography": { "cryptography": {
"hashes": [ "hashes": [
"sha256:0003a52a123602e1acee177dc90dd201f9bb1e73f24a070db7d36c588e8f5c7d", "sha256:0297ffc478bdd237f5ca3a7dc96fc0d315670bfa099c04dc3a4a2172008a405a",
"sha256:0e85aaae861d0485eb5a79d33226dd6248d2a9f133b81532c8f5aae37de10ff7", "sha256:10d1f29d6292fc95acb597bacefd5b9e812099d75a6469004fd38ba5471a977f",
"sha256:594a1db4511bc4d960571536abe21b4e5c3003e8750ab8365fafce71c5d86901", "sha256:16fa61e7481f4b77ef53991075de29fc5bacb582a1244046d2e8b4bb72ef66d0",
"sha256:69e836c9e5ff4373ce6d3ab311c1a2eed274793083858d3cd4c7d12ce20d5f9c", "sha256:194044c6b89a2f9f169df475cc167f6157eb9151cc69af8a2a163481d45cc407",
"sha256:788a3c9942df5e4371c199d10383f44a105d67d401fb4304178020142f020244", "sha256:1db3d807a14931fa317f96435695d9ec386be7b84b618cc61cfa5d08b0ae33d7",
"sha256:7e177e4bea2de937a584b13645cab32f25e3d96fc0bc4a4cf99c27dc77682be6", "sha256:3261725c0ef84e7592597606f6583385fed2a5ec3909f43bc475ade9729a41d6",
"sha256:83d9d2dfec70364a74f4e7c70ad04d3ca2e6a08b703606993407bf46b97868c5", "sha256:3b72c360427889b40f36dc214630e688c2fe03e16c162ef0aa41da7ab1455153",
"sha256:84ef7a0c10c24a7773163f917f1cb6b4444597efd505a8aed0a22e8c4780f27e", "sha256:3e3a2599e640927089f932295a9a247fc40a5bdf69b0484532f530471a382750",
"sha256:9e21301f7a1e7c03dbea73e8602905a4ebba641547a462b26dd03451e5769e7c", "sha256:3fc26e22840b77326a764ceb5f02ca2d342305fba08f002a8c1f139540cdfaad",
"sha256:9f6b0492d111b43de5f70052e24c1f0951cb9e6022188ebcb1cc3a3d301469b0", "sha256:5067ee7f2bce36b11d0e334abcd1ccf8c541fc0bbdaf57cdd511fdee53e879b6",
"sha256:a69bd3c68b98298f490e84519b954335154917eaab52cf582fa2c5c7efc6e812", "sha256:52e7bee800ec869b4031093875279f1ff2ed12c1e2f74923e8f49c916afd1d3b",
"sha256:b4890d5fb9b7a23e3bf8abf5a8a7da8e228f1e97dc96b30b95685df840b6914a", "sha256:64760ba5331e3f1794d0bcaabc0d0c39e8c60bf67d09c93dc0e54189dfd7cfe5",
"sha256:c366df0401d1ec4e548bebe8f91d55ebcc0ec3137900d214dd7aac8427ef3030", "sha256:765fa194a0f3372d83005ab83ab35d7c5526c4e22951e46059b8ac678b44fa5a",
"sha256:dc42f645f8f3a489c3dd416730a514e7a91a59510ddaadc09d04224c098d3302" "sha256:79473cf8a5cbc471979bd9378c9f425384980fcf2ab6534b18ed7d0d9843987d",
"sha256:896dd3a66959d3a5ddcfc140a53391f69ff1e8f25d93f0e2e7830c6de90ceb9d",
"sha256:89ed49784ba88c221756ff4d4755dbc03b3c8d2c5103f6d6b4f83a0fb1e85294",
"sha256:ac7e48f7e7261207d750fa7e55eac2d45f720027d5703cd9007e9b37bbb59ac0",
"sha256:ad7353f6ddf285aeadfaf79e5a6829110106ff8189391704c1d8801aa0bae45a",
"sha256:b0163a849b6f315bf52815e238bc2b2346604413fa7c1601eea84bcddb5fb9ac",
"sha256:b6c9b706316d7b5a137c35e14f4103e2115b088c412140fdbd5f87c73284df61",
"sha256:c2e5856248a416767322c8668ef1845ad46ee62629266f84a8f007a317141013",
"sha256:ca9f6784ea96b55ff41708b92c3f6aeaebde4c560308e5fbbd3173fbc466e94e",
"sha256:d1a5bd52d684e49a36582193e0b89ff267704cd4025abefb9e26803adeb3e5fb",
"sha256:d3971e2749a723e9084dd507584e2a2761f78ad2c638aa31e80bc7a15c9db4f9",
"sha256:d4ef6cc305394ed669d4d9eebf10d3a101059bdcf2669c366ec1d14e4fb227bd",
"sha256:d9e69ae01f99abe6ad646947bba8941e896cb3aa805be2597a0400e0764b5818"
], ],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4, 3.5'", "markers": "python_version >= '3.6'",
"version": "==3.3.1" "version": "==38.0.1"
},
"enrich": {
"hashes": [
"sha256:0a2ab0d2931dff8947012602d1234d2a3ee002d9a355b5d70be6bf5466008893",
"sha256:f29b2c8c124b4dbd7c975ab5c3568f6c7a47938ea3b7d2106c8a3bd346545e4f"
],
"markers": "python_version >= '3.6'",
"version": "==1.2.7"
},
"filelock": {
"hashes": [
"sha256:55447caa666f2198c5b6b13a26d2084d26fa5b115c00d065664b2124680c4edc",
"sha256:617eb4e5eedc82fc5f47b6d61e4d11cb837c56cb4544e39081099fa17ad109d4"
],
"markers": "python_version >= '3.7'",
"version": "==3.8.0"
}, },
"jinja2": { "jinja2": {
"hashes": [ "hashes": [
"sha256:03e47ad063331dd6a3f04a43eddca8a966a26ba0c5b7207a9a9e4e08f1b29419", "sha256:31351a702a408a9e7595a8fc6150fc3f43bb6bf7e319770cbc0db9df9437e852",
"sha256:a6d58433de0ae800347cab1fa3043cebbabe8baa9d29e668f1c768cb87a333c6" "sha256:6088930bfe239f0e6710546ab9c19c9ef35e29792895fed6e6e31a023a182a61"
], ],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", "markers": "python_version >= '3.7'",
"version": "==2.11.3" "version": "==3.1.2"
},
"jsonschema": {
"hashes": [
"sha256:165059f076eff6971bae5b742fc029a7b4ef3f9bcf04c14e4776a7605de14b23",
"sha256:9e74b8f9738d6a946d70705dc692b74b5429cd0960d58e79ffecfc43b2221eb9"
],
"markers": "python_version >= '3.7'",
"version": "==4.16.0"
}, },
"markupsafe": { "markupsafe": {
"hashes": [ "hashes": [
"sha256:00bc623926325b26bb9605ae9eae8a215691f33cae5df11ca5424f06f2d1f473", "sha256:0212a68688482dc52b2d45013df70d169f542b7394fc744c02a57374a4207003",
"sha256:09027a7803a62ca78792ad89403b1b7a73a01c8cb65909cd876f7fcebd79b161", "sha256:089cf3dbf0cd6c100f02945abeb18484bd1ee57a079aefd52cffd17fba910b88",
"sha256:09c4b7f37d6c648cb13f9230d847adf22f8171b1ccc4d5682398e77f40309235", "sha256:10c1bfff05d95783da83491be968e8fe789263689c02724e0c691933c52994f5",
"sha256:1027c282dad077d0bae18be6794e6b6b8c91d58ed8a8d89a89d59693b9131db5", "sha256:33b74d289bd2f5e527beadcaa3f401e0df0a89927c1559c8566c066fa4248ab7",
"sha256:13d3144e1e340870b25e7b10b98d779608c02016d5184cfb9927a9f10c689f42", "sha256:3799351e2336dc91ea70b034983ee71cf2f9533cdff7c14c90ea126bfd95d65a",
"sha256:195d7d2c4fbb0ee8139a6cf67194f3973a6b3042d742ebe0a9ed36d8b6f0c07f", "sha256:3ce11ee3f23f79dbd06fb3d63e2f6af7b12db1d46932fe7bd8afa259a5996603",
"sha256:22c178a091fc6630d0d045bdb5992d2dfe14e3259760e713c490da5323866c39", "sha256:421be9fbf0ffe9ffd7a378aafebbf6f4602d564d34be190fc19a193232fd12b1",
"sha256:24982cc2533820871eba85ba648cd53d8623687ff11cbb805be4ff7b4c971aff", "sha256:43093fb83d8343aac0b1baa75516da6092f58f41200907ef92448ecab8825135",
"sha256:29872e92839765e546828bb7754a68c418d927cd064fd4708fab9fe9c8bb116b", "sha256:46d00d6cfecdde84d40e572d63735ef81423ad31184100411e6e3388d405e247",
"sha256:2beec1e0de6924ea551859edb9e7679da6e4870d32cb766240ce17e0a0ba2014", "sha256:4a33dea2b688b3190ee12bd7cfa29d39c9ed176bda40bfa11099a3ce5d3a7ac6",
"sha256:3b8a6499709d29c2e2399569d96719a1b21dcd94410a586a18526b143ec8470f", "sha256:4b9fe39a2ccc108a4accc2676e77da025ce383c108593d65cc909add5c3bd601",
"sha256:43a55c2930bbc139570ac2452adf3d70cdbb3cfe5912c71cdce1c2c6bbd9c5d1", "sha256:56442863ed2b06d19c37f94d999035e15ee982988920e12a5b4ba29b62ad1f77",
"sha256:46c99d2de99945ec5cb54f23c8cd5689f6d7177305ebff350a58ce5f8de1669e", "sha256:671cd1187ed5e62818414afe79ed29da836dde67166a9fac6d435873c44fdd02",
"sha256:500d4957e52ddc3351cabf489e79c91c17f6e0899158447047588650b5e69183", "sha256:694deca8d702d5db21ec83983ce0bb4b26a578e71fbdbd4fdcd387daa90e4d5e",
"sha256:535f6fc4d397c1563d08b88e485c3496cf5784e927af890fb3c3aac7f933ec66", "sha256:6a074d34ee7a5ce3effbc526b7083ec9731bb3cbf921bbe1d3005d4d2bdb3a63",
"sha256:596510de112c685489095da617b5bcbbac7dd6384aeebeda4df6025d0256a81b", "sha256:6d0072fea50feec76a4c418096652f2c3238eaa014b2f94aeb1d56a66b41403f",
"sha256:62fe6c95e3ec8a7fad637b7f3d372c15ec1caa01ab47926cfdf7a75b40e0eac1", "sha256:6fbf47b5d3728c6aea2abb0589b5d30459e369baa772e0f37a0320185e87c980",
"sha256:6788b695d50a51edb699cb55e35487e430fa21f1ed838122d722e0ff0ac5ba15", "sha256:7f91197cc9e48f989d12e4e6fbc46495c446636dfc81b9ccf50bb0ec74b91d4b",
"sha256:6dd73240d2af64df90aa7c4e7481e23825ea70af4b4922f8ede5b9e35f78a3b1", "sha256:86b1f75c4e7c2ac2ccdaec2b9022845dbb81880ca318bb7a0a01fbf7813e3812",
"sha256:6f1e273a344928347c1290119b493a1f0303c52f5a5eae5f16d74f48c15d4a85", "sha256:8dc1c72a69aa7e082593c4a203dcf94ddb74bb5c8a731e4e1eb68d031e8498ff",
"sha256:6fffc775d90dcc9aed1b89219549b329a9250d918fd0b8fa8d93d154918422e1", "sha256:8e3dcf21f367459434c18e71b2a9532d96547aef8a871872a5bd69a715c15f96",
"sha256:717ba8fe3ae9cc0006d7c451f0bb265ee07739daf76355d06366154ee68d221e", "sha256:8e576a51ad59e4bfaac456023a78f6b5e6e7651dcd383bcc3e18d06f9b55d6d1",
"sha256:79855e1c5b8da654cf486b830bd42c06e8780cea587384cf6545b7d9ac013a0b", "sha256:96e37a3dc86e80bf81758c152fe66dbf60ed5eca3d26305edf01892257049925",
"sha256:7c1699dfe0cf8ff607dbdcc1e9b9af1755371f92a68f706051cc8c37d447c905", "sha256:97a68e6ada378df82bc9f16b800ab77cbf4b2fada0081794318520138c088e4a",
"sha256:7fed13866cf14bba33e7176717346713881f56d9d2bcebab207f7a036f41b850", "sha256:99a2a507ed3ac881b975a2976d59f38c19386d128e7a9a18b7df6fff1fd4c1d6",
"sha256:84dee80c15f1b560d55bcfe6d47b27d070b4681c699c572af2e3c7cc90a3b8e0", "sha256:a49907dd8420c5685cfa064a1335b6754b74541bbb3706c259c02ed65b644b3e",
"sha256:88e5fcfb52ee7b911e8bb6d6aa2fd21fbecc674eadd44118a9cc3863f938e735", "sha256:b09bf97215625a311f669476f44b8b318b075847b49316d3e28c08e41a7a573f",
"sha256:8defac2f2ccd6805ebf65f5eeb132adcf2ab57aa11fdf4c0dd5169a004710e7d", "sha256:b7bd98b796e2b6553da7225aeb61f447f80a1ca64f41d83612e6139ca5213aa4",
"sha256:98bae9582248d6cf62321dcb52aaf5d9adf0bad3b40582925ef7c7f0ed85fceb", "sha256:b87db4360013327109564f0e591bd2a3b318547bcef31b468a92ee504d07ae4f",
"sha256:98c7086708b163d425c67c7a91bad6e466bb99d797aa64f965e9d25c12111a5e", "sha256:bcb3ed405ed3222f9904899563d6fc492ff75cce56cba05e32eff40e6acbeaa3",
"sha256:9add70b36c5666a2ed02b43b335fe19002ee5235efd4b8a89bfcf9005bebac0d", "sha256:d4306c36ca495956b6d568d276ac11fdd9c30a36f1b6eb928070dc5360b22e1c",
"sha256:9bf40443012702a1d2070043cb6291650a0841ece432556f784f004937f0f32c", "sha256:d5ee4f386140395a2c818d149221149c54849dfcfcb9f1debfe07a8b8bd63f9a",
"sha256:a6a744282b7718a2a62d2ed9d993cad6f5f585605ad352c11de459f4108df0a1", "sha256:dda30ba7e87fbbb7eab1ec9f58678558fd9a6b8b853530e176eabd064da81417",
"sha256:acf08ac40292838b3cbbb06cfe9b2cb9ec78fce8baca31ddb87aaac2e2dc3bc2", "sha256:e04e26803c9c3851c931eac40c695602c6295b8d432cbe78609649ad9bd2da8a",
"sha256:ade5e387d2ad0d7ebf59146cc00c8044acbd863725f887353a10df825fc8ae21", "sha256:e1c0b87e09fa55a220f058d1d49d3fb8df88fbfab58558f1198e08c1e1de842a",
"sha256:b00c1de48212e4cc9603895652c5c410df699856a2853135b3967591e4beebc2", "sha256:e72591e9ecd94d7feb70c1cbd7be7b3ebea3f548870aa91e2732960fa4d57a37",
"sha256:b1282f8c00509d99fef04d8ba936b156d419be841854fe901d8ae224c59f0be5", "sha256:e8c843bbcda3a2f1e3c2ab25913c80a3c5376cd00c6e8c4a86a89a28c8dc5452",
"sha256:b1dba4527182c95a0db8b6060cc98ac49b9e2f5e64320e2b56e47cb2831978c7", "sha256:efc1913fd2ca4f334418481c7e595c00aad186563bbc1ec76067848c7ca0a933",
"sha256:b2051432115498d3562c084a49bba65d97cf251f5a331c64a12ee7e04dacc51b", "sha256:f121a1420d4e173a5d96e47e9a0c0dcff965afdf1626d28de1460815f7c4ee7a",
"sha256:b7d644ddb4dbd407d31ffb699f1d140bc35478da613b441c582aeb7c43838dd8", "sha256:fc7b548b17d238737688817ab67deebb30e8073c95749d55538ed473130ec0c7"
"sha256:ba59edeaa2fc6114428f1637ffff42da1e311e29382d81b339c1817d37ec93c6",
"sha256:bf5aa3cbcfdf57fa2ee9cd1822c862ef23037f5c832ad09cfea57fa846dec193",
"sha256:c8716a48d94b06bb3b2524c2b77e055fb313aeb4ea620c8dd03a105574ba704f",
"sha256:caabedc8323f1e93231b52fc32bdcde6db817623d33e100708d9a68e1f53b26b",
"sha256:cd5df75523866410809ca100dc9681e301e3c27567cf498077e8551b6d20e42f",
"sha256:cdb132fc825c38e1aeec2c8aa9338310d29d337bebbd7baa06889d09a60a1fa2",
"sha256:d53bc011414228441014aa71dbec320c66468c1030aae3a6e29778a3382d96e5",
"sha256:d73a845f227b0bfe8a7455ee623525ee656a9e2e749e4742706d80a6065d5e2c",
"sha256:d9be0ba6c527163cbed5e0857c451fcd092ce83947944d6c14bc95441203f032",
"sha256:e249096428b3ae81b08327a63a485ad0878de3fb939049038579ac0ef61e17e7",
"sha256:e8313f01ba26fbbe36c7be1966a7b7424942f670f38e666995b88d012765b9be",
"sha256:feb7b34d6325451ef96bc0e36e1a6c0c1c64bc1fbec4b854f4529e51887b1621"
], ],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", "markers": "python_version >= '3.7'",
"version": "==1.1.1" "version": "==2.1.1"
},
"mypy-extensions": {
"hashes": [
"sha256:090fedd75945a69ae91ce1303b5824f428daf5a028d2f6ab8a299250a846f15d",
"sha256:2d82818f5bb3e369420cb3c4060a7970edba416647068eb4c5343488a6c604a8"
],
"version": "==0.4.3"
}, },
"packaging": { "packaging": {
"hashes": [ "hashes": [
"sha256:5b327ac1320dc863dca72f4514ecc086f31186744b84a230374cc1fd776feae5", "sha256:dd47c42927d89ab911e606518907cc2d3a1f38bbd026385970643f9c5b8ecfeb",
"sha256:67714da7f7bc052e064859c05c595155bd1ee9f69f76557e21f051443c20947a" "sha256:ef103e05f519cdc783ae24ea4e2e0f508a9c99b2d4969652eed6a2e1ea5bd522"
], ],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", "markers": "python_version >= '3.6'",
"version": "==20.9" "version": "==21.3"
},
"pathspec": {
"hashes": [
"sha256:46846318467efc4556ccfd27816e004270a9eeeeb4d062ce5e6fc7a87c573f93",
"sha256:7ace6161b621d31e7902eb6b5ae148d12cfd23f4a249b9ffb6b9fee12084323d"
],
"markers": "python_version >= '3.7'",
"version": "==0.10.1"
},
"platformdirs": {
"hashes": [
"sha256:027d8e83a2d7de06bbac4e5ef7e023c02b863d7ea5d079477e722bb41ab25788",
"sha256:58c8abb07dcb441e6ee4b11d8df0ac856038f944ab98b7be6b27b2a3c7feef19"
],
"markers": "python_version >= '3.7'",
"version": "==2.5.2"
}, },
"pycparser": { "pycparser": {
"hashes": [ "hashes": [
"sha256:2d475327684562c3a96cc71adf7dc8c4f0565175cf86b6d7a404ff4c771f15f0", "sha256:8ee45429555515e1f6b185e78100aea234072576aa43ab53aefcae078162fca9",
"sha256:7582ad22678f0fcd81102833f60ef8d0e57288b6b5fb00323d101be910e35705" "sha256:e644fdec12f7872f86c58ff790da456218b10f863970249516d60a5eaca77206"
], ],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==2.20" "version": "==2.21"
},
"pygments": {
"hashes": [
"sha256:56a8508ae95f98e2b9bdf93a6be5ae3f7d8af858b43e02c5a2ff083726be40c1",
"sha256:f643f331ab57ba3c9d89212ee4a2dabc6e94f117cf4eefde99a0574720d14c42"
],
"markers": "python_version >= '3.6'",
"version": "==2.13.0"
}, },
"pyparsing": { "pyparsing": {
"hashes": [ "hashes": [
"sha256:c203ec8783bf771a155b207279b9bccb8dea02d8f0c9e5f8ead507bc3246ecc1", "sha256:2b020ecf7d21b687f219b71ecad3631f644a47f01403fa1d1036b0c6416d70fb",
"sha256:ef9d7589ef3c200abe66653d3f1ab1033c3c419ae9b9bdb1240a85b024efc88b" "sha256:5026bae9a10eeaefb61dab2f09052b9f4307d44aee4eda64b309723d8d206bbc"
], ],
"markers": "python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2, 3.3'", "markers": "python_full_version >= '3.6.8'",
"version": "==2.4.7" "version": "==3.0.9"
},
"pyrsistent": {
"hashes": [
"sha256:0e3e1fcc45199df76053026a51cc59ab2ea3fc7c094c6627e93b7b44cdae2c8c",
"sha256:1b34eedd6812bf4d33814fca1b66005805d3640ce53140ab8bbb1e2651b0d9bc",
"sha256:4ed6784ceac462a7d6fcb7e9b663e93b9a6fb373b7f43594f9ff68875788e01e",
"sha256:5d45866ececf4a5fff8742c25722da6d4c9e180daa7b405dc0a2a2790d668c26",
"sha256:636ce2dc235046ccd3d8c56a7ad54e99d5c1cd0ef07d9ae847306c91d11b5fec",
"sha256:6455fc599df93d1f60e1c5c4fe471499f08d190d57eca040c0ea182301321286",
"sha256:6bc66318fb7ee012071b2792024564973ecc80e9522842eb4e17743604b5e045",
"sha256:7bfe2388663fd18bd8ce7db2c91c7400bf3e1a9e8bd7d63bf7e77d39051b85ec",
"sha256:7ec335fc998faa4febe75cc5268a9eac0478b3f681602c1f27befaf2a1abe1d8",
"sha256:914474c9f1d93080338ace89cb2acee74f4f666fb0424896fcfb8d86058bf17c",
"sha256:b568f35ad53a7b07ed9b1b2bae09eb15cdd671a5ba5d2c66caee40dbf91c68ca",
"sha256:cdfd2c361b8a8e5d9499b9082b501c452ade8bbf42aef97ea04854f4a3f43b22",
"sha256:d1b96547410f76078eaf66d282ddca2e4baae8964364abb4f4dcdde855cd123a",
"sha256:d4d61f8b993a7255ba714df3aca52700f8125289f84f704cf80916517c46eb96",
"sha256:d7a096646eab884bf8bed965bad63ea327e0d0c38989fc83c5ea7b8a87037bfc",
"sha256:df46c854f490f81210870e509818b729db4488e1f30f2a1ce1698b2295a878d1",
"sha256:e24a828f57e0c337c8d8bb9f6b12f09dfdf0273da25fda9e314f0b684b415a07",
"sha256:e4f3149fd5eb9b285d6bfb54d2e5173f6a116fe19172686797c056672689daf6",
"sha256:e92a52c166426efbe0d1ec1332ee9119b6d32fc1f0bbfd55d5c1088070e7fc1b",
"sha256:f87cc2863ef33c709e237d4b5f4502a62a00fab450c9e020892e8e2ede5847f5",
"sha256:fd8da6d0124efa2f67d86fa70c851022f87c98e205f0594e1fae044e7119a5a6"
],
"markers": "python_version >= '3.7'",
"version": "==0.18.1"
}, },
"pyyaml": { "pyyaml": {
"hashes": [ "hashes": [
"sha256:08682f6b72c722394747bddaf0aa62277e02557c0fd1c42cb853016a38f8dedf", "sha256:0283c35a6a9fbf047493e3a0ce8d79ef5030852c51e9d911a27badfde0605293",
"sha256:0f5f5786c0e09baddcd8b4b45f20a7b5d61a7e7e99846e3c799b05c7c53fa696", "sha256:055d937d65826939cb044fc8c9b08889e8c743fdc6a32b33e2390f66013e449b",
"sha256:129def1b7c1bf22faffd67b8f3724645203b79d8f4cc81f674654d9902cb4393", "sha256:07751360502caac1c067a8132d150cf3d61339af5691fe9e87803040dbc5db57",
"sha256:294db365efa064d00b8d1ef65d8ea2c3426ac366c0c4368d930bf1c5fb497f77", "sha256:0b4624f379dab24d3725ffde76559cff63d9ec94e1736b556dacdfebe5ab6d4b",
"sha256:3b2b1824fe7112845700f815ff6a489360226a5609b96ec2190a45e62a9fc922", "sha256:0ce82d761c532fe4ec3f87fc45688bdd3a4c1dc5e0b4a19814b9009a29baefd4",
"sha256:3bd0e463264cf257d1ffd2e40223b197271046d09dadf73a0fe82b9c1fc385a5", "sha256:1e4747bc279b4f613a09eb64bba2ba602d8a6664c6ce6396a4d0cd413a50ce07",
"sha256:4465124ef1b18d9ace298060f4eccc64b0850899ac4ac53294547536533800c8", "sha256:213c60cd50106436cc818accf5baa1aba61c0189ff610f64f4a3e8c6726218ba",
"sha256:49d4cdd9065b9b6e206d0595fee27a96b5dd22618e7520c33204a4a3239d5b10", "sha256:231710d57adfd809ef5d34183b8ed1eeae3f76459c18fb4a0b373ad56bedcdd9",
"sha256:4e0583d24c881e14342eaf4ec5fbc97f934b999a6828693a99157fde912540cc", "sha256:277a0ef2981ca40581a47093e9e2d13b3f1fbbeffae064c1d21bfceba2030287",
"sha256:5accb17103e43963b80e6f837831f38d314a0495500067cb25afab2e8d7a4018", "sha256:2cd5df3de48857ed0544b34e2d40e9fac445930039f3cfe4bcc592a1f836d513",
"sha256:607774cbba28732bfa802b54baa7484215f530991055bb562efbed5b2f20a45e", "sha256:40527857252b61eacd1d9af500c3337ba8deb8fc298940291486c465c8b46ec0",
"sha256:6c78645d400265a062508ae399b60b8c167bf003db364ecb26dcab2bda048253", "sha256:473f9edb243cb1935ab5a084eb238d842fb8f404ed2193a915d1784b5a6b5fc0",
"sha256:74c1485f7707cf707a7aef42ef6322b8f97921bd89be2ab6317fd782c2d53183", "sha256:48c346915c114f5fdb3ead70312bd042a953a8ce5c7106d5bfb1a5254e47da92",
"sha256:8c1be557ee92a20f184922c7b6424e8ab6691788e6d86137c5d93c1a6ec1b8fb", "sha256:50602afada6d6cbfad699b0c7bb50d5ccffa7e46a3d738092afddc1f9758427f",
"sha256:bb4191dfc9306777bc594117aee052446b3fa88737cd13b7188d0e7aa8162185", "sha256:68fb519c14306fec9720a2a5b45bc9f0c8d1b9c72adf45c37baedfcd949c35a2",
"sha256:c20cfa2d49991c8b4147af39859b167664f2ad4561704ee74c1de03318e898db", "sha256:77f396e6ef4c73fdc33a9157446466f1cff553d979bd00ecb64385760c6babdc",
"sha256:d2d9808ea7b4af864f35ea216be506ecec180628aced0704e34aca0b040ffe46", "sha256:819b3830a1543db06c4d4b865e70ded25be52a2e0631ccd2f6a47a2822f2fd7c",
"sha256:dd5de0646207f053eb0d6c74ae45ba98c3395a571a2891858e87df7c9b9bd51b", "sha256:897b80890765f037df3403d22bab41627ca8811ae55e9a722fd0392850ec4d86",
"sha256:e1d4970ea66be07ae37a3c2e48b5ec63f7ba6804bdddfdbd3cfd954d25a82e63", "sha256:98c4d36e99714e55cfbaaee6dd5badbc9a1ec339ebfc3b1f52e293aee6bb71a4",
"sha256:e4fac90784481d221a8e4b1162afa7c47ed953be40d31ab4629ae917510051df", "sha256:9df7ed3b3d2e0ecfe09e14741b857df43adb5a3ddadc919a2d94fbdf78fea53c",
"sha256:fa5ae20527d8e831e8230cbffd9f8fe952815b2b7dae6ffec25318803a7528fc" "sha256:9fa600030013c4de8165339db93d182b9431076eb98eb40ee068700c9c813e34",
"sha256:a80a78046a72361de73f8f395f1f1e49f956c6be882eed58505a15f3e430962b",
"sha256:b3d267842bf12586ba6c734f89d1f5b871df0273157918b0ccefa29deb05c21c",
"sha256:b5b9eccad747aabaaffbc6064800670f0c297e52c12754eb1d976c57e4f74dcb",
"sha256:c5687b8d43cf58545ade1fe3e055f70eac7a5a1a0bf42824308d868289a95737",
"sha256:cba8c411ef271aa037d7357a2bc8f9ee8b58b9965831d9e51baf703280dc73d3",
"sha256:d15a181d1ecd0d4270dc32edb46f7cb7733c7c508857278d3d378d14d606db2d",
"sha256:d4db7c7aef085872ef65a8fd7d6d09a14ae91f691dec3e87ee5ee0539d516f53",
"sha256:d4eccecf9adf6fbcc6861a38015c2a64f38b9d94838ac1810a9023a0609e1b78",
"sha256:d67d839ede4ed1b28a4e8909735fc992a923cdb84e618544973d7dfc71540803",
"sha256:daf496c58a8c52083df09b80c860005194014c3698698d1a57cbcfa182142a3a",
"sha256:e61ceaab6f49fb8bdfaa0f92c4b57bcfbea54c09277b1b4f7ac376bfb7a7c174",
"sha256:f84fbc98b019fef2ee9a1cb3ce93e3187a6df0b2538a651bfb890254ba9f90b5"
], ],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4, 3.5'", "markers": "python_version >= '3.6'",
"version": "==5.4.1" "version": "==6.0"
}, },
"six": { "resolvelib": {
"hashes": [ "hashes": [
"sha256:30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259", "sha256:c6ea56732e9fb6fca1b2acc2ccc68a0b6b8c566d8f3e78e0443310ede61dbd37",
"sha256:8b74bedcbbbaca38ff6d7491d76f2b06b3592611af620f8426e82dddb04a5ced" "sha256:d9b7907f055c3b3a2cfc56c914ffd940122915826ff5fb5b1de0c99778f4de98"
], ],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", "version": "==0.8.1"
"version": "==1.15.0" },
"rich": {
"hashes": [
"sha256:2eb4e6894cde1e017976d2975ac210ef515d7548bc595ba20e195fb9628acdeb",
"sha256:63a5c5ce3673d3d5fbbf23cd87e11ab84b6b451436f1b7f19ec54b6bc36ed7ca"
],
"markers": "python_full_version >= '3.6.3' and python_full_version < '4.0.0'",
"version": "==12.5.1"
},
"ruamel.yaml": {
"hashes": [
"sha256:742b35d3d665023981bd6d16b3d24248ce5df75fdb4e2924e93a05c1f8b61ca7",
"sha256:8b7ce697a2f212752a35c1ac414471dc16c424c9573be4926b56ff3f5d23b7af"
],
"markers": "python_version >= '3'",
"version": "==0.17.21"
},
"ruamel.yaml.clib": {
"hashes": [
"sha256:066f886bc90cc2ce44df8b5f7acfc6a7e2b2e672713f027136464492b0c34d7c",
"sha256:0847201b767447fc33b9c235780d3aa90357d20dd6108b92be544427bea197dd",
"sha256:1070ba9dd7f9370d0513d649420c3b362ac2d687fe78c6e888f5b12bf8bc7bee",
"sha256:1866cf2c284a03b9524a5cc00daca56d80057c5ce3cdc86a52020f4c720856f0",
"sha256:1b4139a6ffbca8ef60fdaf9b33dec05143ba746a6f0ae0f9d11d38239211d335",
"sha256:210c8fcfeff90514b7133010bf14e3bad652c8efde6b20e00c43854bf94fa5a6",
"sha256:221eca6f35076c6ae472a531afa1c223b9c29377e62936f61bc8e6e8bdc5f9e7",
"sha256:31ea73e564a7b5fbbe8188ab8b334393e06d997914a4e184975348f204790277",
"sha256:3fb9575a5acd13031c57a62cc7823e5d2ff8bc3835ba4d94b921b4e6ee664104",
"sha256:4ff604ce439abb20794f05613c374759ce10e3595d1867764dd1ae675b85acbd",
"sha256:61bc5e5ca632d95925907c569daa559ea194a4d16084ba86084be98ab1cec1c6",
"sha256:6e7be2c5bcb297f5b82fee9c665eb2eb7001d1050deaba8471842979293a80b0",
"sha256:72a2b8b2ff0a627496aad76f37a652bcef400fd861721744201ef1b45199ab78",
"sha256:77df077d32921ad46f34816a9a16e6356d8100374579bc35e15bab5d4e9377de",
"sha256:78988ed190206672da0f5d50c61afef8f67daa718d614377dcd5e3ed85ab4a99",
"sha256:7b2927e92feb51d830f531de4ccb11b320255ee95e791022555971c466af4527",
"sha256:7f7ecb53ae6848f959db6ae93bdff1740e651809780822270eab111500842a84",
"sha256:825d5fccef6da42f3c8eccd4281af399f21c02b32d98e113dbc631ea6a6ecbc7",
"sha256:846fc8336443106fe23f9b6d6b8c14a53d38cef9a375149d61f99d78782ea468",
"sha256:89221ec6d6026f8ae859c09b9718799fea22c0e8da8b766b0b2c9a9ba2db326b",
"sha256:9efef4aab5353387b07f6b22ace0867032b900d8e91674b5d8ea9150db5cae94",
"sha256:a32f8d81ea0c6173ab1b3da956869114cae53ba1e9f72374032e33ba3118c233",
"sha256:a49e0161897901d1ac9c4a79984b8410f450565bbad64dbfcbf76152743a0cdb",
"sha256:ada3f400d9923a190ea8b59c8f60680c4ef8a4b0dfae134d2f2ff68429adfab5",
"sha256:bf75d28fa071645c529b5474a550a44686821decebdd00e21127ef1fd566eabe",
"sha256:cfdb9389d888c5b74af297e51ce357b800dd844898af9d4a547ffc143fa56751",
"sha256:d3c620a54748a3d4cf0bcfe623e388407c8e85a4b06b8188e126302bcab93ea8",
"sha256:d67f273097c368265a7b81e152e07fb90ed395df6e552b9fa858c6d2c9f42502",
"sha256:dc6a613d6c74eef5a14a214d433d06291526145431c3b964f5e16529b1842bed",
"sha256:de9c6b8a1ba52919ae919f3ae96abb72b994dd0350226e28f3686cb4f142165c"
],
"markers": "python_version < '3.11' and platform_python_implementation == 'CPython'",
"version": "==0.2.6"
},
"setuptools": {
"hashes": [
"sha256:2e24e0bec025f035a2e72cdd1961119f557d78ad331bb00ff82efb2ab8da8e82",
"sha256:7732871f4f7fa58fb6bdcaeadb0161b2bd046c85905dbaa066bdcbcc81953b57"
],
"markers": "python_version >= '3.7'",
"version": "==65.3.0"
},
"subprocess-tee": {
"hashes": [
"sha256:d34186c639aa7f8013b5dfba80e17f52589539137c9d9205f2ae1c1bd03549e1",
"sha256:ff5cced589a4b8ac973276ca1ba21bb6e3de600cde11a69947ff51f696efd577"
],
"markers": "python_version >= '3.6'",
"version": "==0.3.5"
},
"tomli": {
"hashes": [
"sha256:939de3e7a6161af0c887ef91b7d41a53e7c5a1ca976325f429cb46ea9bc30ecc",
"sha256:de526c12914f0c550d15924c62d72abc48d6fe7364aa87328337a31007fe8a4f"
],
"markers": "python_full_version < '3.11.0a7'",
"version": "==2.0.1"
},
"wcmatch": {
"hashes": [
"sha256:ba4fc5558f8946bf1ffc7034b05b814d825d694112499c86035e0e4d398b6a67",
"sha256:dc7351e5a7f8bbf4c6828d51ad20c1770113f5f3fd3dfe2a03cfde2a63f03f98"
],
"markers": "python_version >= '3.7'",
"version": "==8.4"
},
"yamllint": {
"hashes": [
"sha256:e688324b58560ab68a1a3cff2c0a474e3fed371dfe8da5d1b9817b7df55039ce"
],
"markers": "python_version >= '3.6'",
"version": "==1.27.1"
} }
}, },
"develop": {} "develop": {}

View File

@ -4,7 +4,7 @@ Ansible playbook for base and initial configuration of the web server hosting my
## Assumptions ## Assumptions
Before you can run this, a few things are assumed: Before you can run this, a few things are assumed:
- You have a clean, minimal Ubuntu 18.04, Debian 10, or Ubuntu 20.04 host up and running - You have a clean, minimal Ubuntu 20.04 or Debian 11 host up and running
- Python 3 is installed on the remote server (requirement of Ansible) - Python 3 is installed on the remote server (requirement of Ansible)
- You have a user account with password-less SSH access to the machine - You have a user account with password-less SSH access to the machine
- You have sudo privileges on the remote host - You have sudo privileges on the remote host
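Review bot: "password-less SSH access" in the unchanged context line is ambiguous (it can be read as an account with no password); since the roles run under become, say "SSH public-key access" and state whether sudo is expected to prompt for a password, because that decides whether the operator must pass `--ask-become-pass`. The supported-platform change itself (Ubuntu 20.04 or Debian 11 only) matches the "Remove Debian 10 support" commit and looks right.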
@ -25,7 +25,7 @@ Once you've satisfied the the above assumptions, you can execute:
- Switch from `cron-apt` to [`unattended-upgrades`](https://wiki.debian.org/UnattendedUpgrades) - Switch from `cron-apt` to [`unattended-upgrades`](https://wiki.debian.org/UnattendedUpgrades)
## License ## License
Copyright (C) 20142020 Alan Orth Copyright (C) 20142021 Alan Orth
The contents of this repository are free software: you can redistribute The contents of this repository are free software: you can redistribute
it and/or modify it under the terms of the GNU General Public License it and/or modify it under the terms of the GNU General Public License
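Review bot: the copyright range is bumped only to 2021, yet every commit in this compare is dated September 2022, so the year is already stale on arrival; also the dash between the years has been lost in the rendered lines (`20142020`, `20142021`), check that the file on disk still reads `2014-2021`. The context line just above the hunk still carries the typo "satisfied the the above assumptions", which could be fixed in the same touch of the README.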

View File

@ -2,9 +2,16 @@
retry_files_enabled=False retry_files_enabled=False
force_handlers=True force_handlers=True
inventory=hosts inventory=hosts
gathering = smart
# instead of using --ask-vault-pass # instead of using --ask-vault-pass
ask_vault_pass=True ask_vault_pass=True
remote_user = provisioning remote_user = provisioning
interpreter_python=auto
# Don't warn on unknown SSH host keys because it's super annoying for new hosts
# or if you get a new laptop and run Ansible there!
#
# See: https://docs.ansible.com/ansible/latest/user_guide/connection_details.html#managing-host-key-checking
host_key_checking = False
ansible_managed = This file is managed by Ansible.%n ansible_managed = This file is managed by Ansible.%n
template: {file} template: {file}
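Review bot: `host_key_checking = False` does more than the comment says. Ansible implements it by passing `-o StrictHostKeyChecking=no` to ssh, which accepts not only unknown keys but also changed keys, so a host that has been swapped out or a machine-in-the-middle on the path is accepted silently, and that peer then receives every rendered template, every vault-decrypted variable and any become password for the run. Since the point is only to avoid the prompt on new hosts or a new laptop, keep checking enabled and either pre-seed `~/.ssh/known_hosts` with fingerprints verified out of band (cloud console, or `ssh-keyscan` output compared against the provider's published key), or accept trust-on-first-use explicitly with `ssh_args = -o StrictHostKeyChecking=accept-new` under a `[ssh_connection]` section, which still fails hard on a changed key. `interpreter_python=auto` and `gathering = smart` are fine, but the new lines mix `key=value` and `key = value` spacing with the existing ones; pick one style.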

8
group_vars/web Normal file
View File

@ -0,0 +1,8 @@
---
# file: group_vars/web
# all hosts run fail2ban with the sshd filter, but some can use other filters
extra_fail2ban_filters:
- nginx
# vim: set ts=2 sw=2:
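Review bot: the header comment claims "all hosts run fail2ban with the sshd filter", but this file cannot enforce that; it should point at the role or defaults file where the sshd filter is actually set so a reader can verify the claim. Also note that `extra_fail2ban_filters` is a plain list, and Ansible variable precedence replaces a list wholesale rather than merging it, so a host in this group that defines its own `extra_fail2ban_filters` in host_vars silently drops `nginx`; a one-line comment saying the list is replaced, not extended, would save someone a surprise.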

View File

@ -1,87 +0,0 @@
$ANSIBLE_VAULT;1.1;AES256
37356463383831623061363666396235346361663734326234323239633332383431656534636337
3238613566336363636235393535373330363562333135630a626531343430396666323139633833
37656533353537393335393966323637326335666134613633643330313334383237383736623637
6533343338396536640a376466633436643162393533646464343930346665616165613835373630
66353037653339633038353033316463393234313630646138636633643066653636343739383730
65343161306339343931323737336531646131363034343163366137616231363638313330343365
31663932343436313364326331373733373830646637313733323335306161626135616438656363
32623333646637633636316139613234613232393462306364633966666639623231643735663266
35396266313936326532383139346361626532323263633662373139363638303961616638636535
65343862623865386436643930353834323566356164386432373434336536363262356638313333
64626633353565303538353634626438363131633164636263643938386538323932346337343730
31336266343532306531626234323962353930343333656436356436343666336335633233386462
34623332393734633761303762306336656232326533313131316331326639376338393437363834
32663766633037316266373064376638643237343434356166613862383963633231353531646432
36393438653234326330316438333862396163383231623034383963336435393533393263653739
38373764373034313231373536653233666230333437626431383161346636376434383135393434
30353361343136663135356536316630643163613930306363343830323932393635343936396535
38366638353737336637356237646332353438303632396238356364343464323064373031656331
31346134323965646336666336303835326463656339356131613633336539613234653332353539
35613362653335663863626532363433663634393036373462663833636333646661643865353533
39376535313635373434633466643135323762613539366135376536653761303134303964343534
65333934396638373239646339343732623139303037336133363533653330383261383437393061
37336334363237333437633664313637366566396232336337303235366337616530333261356662
39666531653762326364353534623431333530653935316161383535663762636136316239336233
35373962623934633663656337306439616431316165666563336532373135323566386431303733
36313264323066653164346338653433393337623666646162383666303930613939396662373965
38653863623935336632666366373764383136376163663137313234663761343066336235626232
35303532376537643663653431323830623364623362346437396664386363396632646364666130
62663265363334383663626661363632646432393463373564396633393235353434636437623261
30323866636332356136396662363930613961613961343963313733343033616539316131323262
65666665663731636633623464353430623135373430313065626438396363366335363466316132
64353730383761386563353133396262366265343637643931643565386461303138613565303239
37646339316366316431663237653230346464643433376639356462643133643234386131613965
66333831663832326131343134633231636633373735333634663861393531633738366136356130
38653534666662303539353534636537343665366231346565376437313037646162663365666630
33366631653530326234326333623333346535343362666263376561333334633533356264393637
64633864616430653663366133343962376233656562643335633336326335626664653861323334
65653864323062616234343636633435396332636635653266353032623637356133383538383034
36383936666238333366386637313434656332626266346439346566666537623039323936303936
62353130663632636636623466326663623639313433353766346230383138323461643962666562
65646234346631613139393265666663663537323236383832373532393662643566636164653364
39636133613937393433636231626238386463376434666166643662313661663635356436636165
38333830313638643863373162636530346433613366613437643932383035643464363732663633
38633065366638656635356462393935383665386532633936366437333233316563366231393935
32393736343365383164346634326336373436386630386630616436373139646531353038333562
39646132643332373563613664303931633735656135376561646166343934396130343834653461
62343662386239313731336538393430316263333966306530616161633763306331633834323633
35633237333136366439376666636461356131663830323832646462653035643561396337633362
64323532663637323966663262353266316361353931333738323762656532343165626266653035
36353462306361383233303464353766323466393862313037386139326231656230343630616139
34626533323065646636643736323535356461623063663262656562333466666634376239356633
38373362363030346434316261643236363337663237323032623339393936303130393662666434
33386134386633623930376334333466666137356432636131373562306533333836353332316136
63653533336232336632353465373263363037313933663131633763343366663034353364373661
63333166306332663837313334623231653561363964306337353564326266353366343538366433
63383335336566366564333735383337353765613035383135616135653662346133333338303730
36303334623335613836333938646366376634353664633731666235346638346662656634393631
35396262323939393562306530323763353939363264666331373266363937653063366138636364
36623835383961336331303439613731633734343135323938306263363637616235336461333732
65303636623766313038356266363666316665343832623662643263623233356232333062333933
65373763376430366565363161333330376138313130363534623364653434616438363732643333
61336631653762613231373236613164623566663730396163383136366430353439346637623965
39356138633037313165333034633234353666646132656532386332393962626239383633383833
64396430343535346438623233326632663839336233316336383261346330353739633331396362
65643161396430646436376636613061656566623038633665623938656232633665633365613837
36386633313032306238373063346662333539313931366232323931613165343639666437386630
63343766633336346632393231303566323562373236656135366135376262613163646235646635
31356264393231353335363331663666623832643638653064366438373063623462333631663631
32356664663332356538636462383364633036303733393161366565393361363530626431623532
34303538653032313138373339663833613637356364376561316535643238356633356130376665
37643231333037626164663634383666323333316235353832333335393262366235613461623166
30343933643637656262613337313962666432656632323631353066353838373864383734646361
35393966646331633466316636326162343831393639383034396133383537313138646339646163
37363736613135326634363031626132326664343732646161623362373036323337623063653064
37373839396261653764626338393438643634666463336263346566653366336536376464643934
31366261353734383064346433363730623762636463613432373338356337656665376338353965
34353866343734633661633466313132663463323962653431316536643565666364386438336236
35376163313462383130366337653239623866663837666238346262636238623932333435623634
65333132373436353533333834653131656638336362623535613366346266653863326431666137
32613563316138333837333131663637346634663962616230623534383239616132623130646137
62613863626632323838343736633765393666336664313563316535346130333462353063656166
62376237663566396665366238323937343434363964653133393163343932353761353038373234
33303462613837653730646462643765396631656536353335353532663033663433613032623833
36656534646163353266316531343137626131316536396338666262336136653734613838333133
62663937346566626131323033313432333562633337326634623866656363393165363235386265
6332653639336330336135333865633662363738613565303766
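Review bot: the deleted file is an Ansible Vault blob and the rendering does not show its path, so nothing in the hunk says which host or group it belonged to; the commit message should name it. Removing it from the tree does not remove it from history: anyone holding the vault password and a clone can still decrypt it from the previous revision, so if it held credentials for a host that is being dropped (the Debian 10 removal in this compare is the obvious candidate), rotate those credentials rather than relying on the deletion.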

View File

@ -1,127 +1,163 @@
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
35356461313263333464373365643730653766393437316133336138313761343130646131363861 36643866316634653430343333316233346137663238373035376232643132663036343736376464
3834623038366139376261326439633334393565346666650a323963393665366134386535316530 3033313234383933656361343938653362623265653030360a396638643333633137376231663538
61316264343737383331663361353838656333623335393635393762303533313036373161393462 65313537316564303330663730333131633165633238643532646435386436623163346366383533
6664616164633039360a613766323932323266613166646635376333626333356364316233633931 3965636630393834620a343531623964626135636337313861653361393733333463633234363435
37646436383339343938356164646262363032663063393038616535346139633435623265343762 64643934346466663934613962613230623562323666353231326363343430336637323666383634
33663036393761643861386538336665366537626464373931386535666237636439383133393636 36626136643432343332343665343734653435383336313862383863626466663633363738313563
31383938376331313531366237336463323563323134313037393435333239613663663234376239 30303666306439333836306161633432346636396333653434666531353966353430666436623531
62346163663061316666636138353962383336623133333030396534323033626632343561386466 31636562656161333830313362653764306137396231346334613336346538306432636639386561
30356266313566316565626562376364643238386561323165633730383262343638326337636264 65323737383865313264623934613365373465323065616130333837386665666333623832626239
35636264386262363264633833653265393962373435653639363733636562343238363931663031 33333230643332373238363432306466613737373132643134363563613535376365616130333433
63666135613437366166643130623034616636616632633838653464666130383365326434666234 35653262356233626331643432396237306237363135623830643536653938363461303738613130
32643164353766323131343137373438613663646635326338303934613065653466613036323961 66613036393338393037386162383831663866323233383736303532363837663039376166363639
38353034636434663061353138393130316432366539643937623935643834633964653630326564 34666237333562643665653165393730646632316237663337383937353365333532336462656362
31636563336138623433366536663632313863313435333531353865623066656631343032383937 31353934393363363765616335626565343238336262653361306164383030303835303666326532
65313535303563653762646261396366333737306331643037366433323030303265613638616164 31386332346362633433356161643536333862373030306364393935663061396538616637623230
36336338333837393235326539303964323261393039393533643538623634613432643532333863 66383163396139306430343639346264336464646233316636666239643132376164613666363538
66376166336662306564323433356330336662333433633061313266323638396165656665663965 33356365643430383732396235623038643566623131616461376261343563353236306663656634
38376465383662626633396366326466333436333338373361363039306539396337333061643264 64643035373039383031303464346264383066623762323161643561366164313461613038633531
37356562623130373765366331643332376337353065366561656261353131666533636466386432 36383161363065366164383932623231626633646166313835343264373366393236626336353039
31643438633464356464333065316139626166326164616666363666393562356239343637333030 66646338303731346337363962353135346239306562663737363038306433386230326636336162
39366231316462663265346464613333306336316163643131303235616432613565613733333466 65313132626564663738633531333662666661326463643032656136376564643938623061346464
33343036326435643736336465303861643739663536343965346433363231323065643733336634 66653239663464306430613563666336643839323537626338666435336138613763313364323637
63646133633037613964393935373161666161383862616333376638616336616537616363643661 30666566326463623438316263623233333434623366306330656564636163336636623433646631
36326665316332303537663935633431626533323838393638653661343665306332396130393866 65316562616136626330333166646332366537666664303766346239316535333031396235303466
66303231666533393132396538393963626132643366373539656437386663653261323465613366 34393664373361356231333530323865646333653237613636386632393730623330653437393164
39633964366362353866326562313834313266656265363161316261386638623737393034663665 65343266373237386364373862656138633263666633333465623836366233663537393539393638
66303966623830366431316432323863386332383362396534396166343238616534346335323761 34643963363865383434633163623832646632393234636136346137366361393638393461306337
31366164623465643331323330323736336337653230623362626230623365636364633261653765 64653436313065326637363632336565306137613131306364336537613835306332633366313130
38613566626537386134373133376139623062383736356634393739353665326164343131323833 34393732643361663731383661646631353035353064613931333330653031626435353163323633
31313038363663316636356431613032636131303964373564633462303735323364636131373033 65326135376462666435643837333131313863313630336566333835613132383365343234366133
30623336306663346639326638303930383466323938356163633964623565313261363139303238 39336131363366616136663636663334386361646465336331343836626439316532376566353565
31326666363164376261393062616339643039316163346362633865356433346636323664656262 37643361646435643133336333643837633331316432303062623062396564373137613235363762
65323565346137333338363864346437373261383936626531316330316539653339303464623462 32363838333337363035343631353261653063316138626133303937623233326531333837383033
32616635373631323465646632323732323432316332353033656339366639663732313939303733 39366536333434303864616164313137613337643730306261626138343764663662393161613730
37306130656662383237613361326161313039326561396538396333373362633365353130343963 36303736306631636266336131396336646635653131336265623364633038363339353933636632
35613833616635353266636265313766323635303764346236306664346432366632376132333034 39626134353866313439333962376663393831303261633431303035663130613265333739616135
65303235366137356634666138343232366533613966363030376537386162396638656637663932 62623138386235653935383364623230343662333138653562633266336534383963326237663132
66663939393737313634383430323339663634333533653265656163326637636635386163313333 38646335623532383565303466386261613931666438313261653434633934353739613431636132
38666236626131333139633834373534316638303364666135396361616130303061313431643936 39633133656230666231383936396264313630353434313035643565333661393736386637313264
64666134623666363937356334356134306463386466613365363136663136393833616430623836 63636337373334313937643261313564333564383566633730396364653533666236643433643436
65373663363664333766373136336636393663376535623532626632396665366436623661636665 33363061356362386535323038383637613364393639646363366630373735353234333134636565
62333961383034353664323333353766343939666636616539653236646634313333373639643765 37653064636536376638626135393332626539346365353661636439323338653137383866663734
32353161633665306463386633616131333130303139306134646134663865306463353838323565 62303139363436646464383266396464313565376132393937356665396536623332376134393366
39313538393034323065333031386634396261336131333763393466633335666238373663623564 30346435313566313237326461346362353633353261373038656130323365383765613739323239
38316633663536383730376532633830623939633662346636356632653031633335313732666663 38633934643531633037623036623839386637663762366631633033646138323936353433326430
33613133653666313564626261353730373637396137323964363866653964373838613130643337 34396466653230643766636636393735373363616637386662333535643536626261653264346332
32376165356236663332366566626639313038363138343061306438313435613862626564613830 34336337646133646261353939353166393530323730333063393365626365383366633464633236
61306262613262366539663338643962313066613665353063306537643561666462333763623866 64656535613838313461623864666362373030636366373038373863616462373939356238353362
30643230313334646535336662616137326437323438336361376562663361376230316362323235 36363535653734343533666532343166313964303236313135386134623963386535306435656330
65363630666464323638323761343033313763633866623361376636653631396263626239613764 38386430303330303837326138356364373439313836636234656331643131646363386138653065
64656163343435643838353033316364306134663833616231343831613338653330643466643630 64353837396533303463643130613339663166333933643362303565623432643064353865393635
62323039396231366136353432373732613465336163326132353731313765356163323866633736 65663362666130623933623733323933343065633432613965373764383035316338316338373934
35326665613165373339353165613036646665313065343432663563306664323163306535613338 65383061386635316331366532626437303664636436306535663365373064346136393063623335
31663138333639666133323139326339313733663334336637373866636661636538666630346233 35643062363536633332313531356637313032666262366466626462666663303161653635666331
31393364313433626565616661313265336165613534666232333835383963646433316632303533 32343130383231323239363235313031346438323330383938303733323436646336353163356132
62626134623830363533393833633439313034633965346163393932636464326664653335643833 30336136646261323866663530336335636464623035626635333961623363396239353935636531
35386332663736343766656232313031306534653434363164623530613232306531336561373534 64373231386163663962313834333538333133376433623363306239393462383930306432396562
37333763626135373538313561303737623035653832333533663534313035313530373037616634 65393761633834663431353032393032396330393338343863333939323632393438646331613463
30613937626664373333643735633164663930316235336663376132353338356333623431343535 35363530653161653266616331356531666434353663643364316564623438316132383463356437
37623138363937646665626535303463643330333233363136313134383939343535646539346363 38626365343733383735383939646331376531376563623231323535323735356630336130383835
61633966396234393961663735646634373266373264626635306162386632376262646336316266 39633335373163656431336130333664306164336536356431323438333933636365303330393233
36363166393332626533613736353038656266323263333036303964656662663436616532396665 32353437393133646632373234376431626332626333343866643463653662373861346539663131
64366638386164313466313630663138333066653061666362336661336539653339616234646538 32393333633766633738393937356134313236343633636533376665316134653632623061353866
30316334346162363065313438663865346434313564363863613532313637313430653439333962 36373761366264653737386331383235306137323965363265653937353833343362633433313462
34643039383030623564666230623264303338343564643961653531366463623166333661653630 32316466356335366630373635376561636233336165666661653632323835336563313134343064
38613062626464663963626233663837653533626532653239343065383036663162646261386535 30333033333331303164323133613536613636373333663131633162616235316636346337333462
36356231383263396365653639613664346361643666336463623136616330336161373336643535 64306336636562353733613538343462626233303661363131333665366135306332346135323136
36613530396266633861643530633732333436373966613437343736653537333531663466383438 31306535643539303936346632623930333339353439376462633462626165633437393830373739
64323064356262646133363463316639353630653766663731653030616461393139396265343033 61653230646366623830353630336661623466316136373264353762313065346632366164653261
31336662366465633264643065386432376435346236323565326562663161396435373762613839 64313830303466306135313964613537633236383535343132613332613733316161623365333163
36316365633937636330643837646335613262363734396261313633373731363466356632636532 38633930323439303030316433343764356538313632366635653437346161646439663563323832
37653036336665393733343832363739323739383730306635306666333566366663396230623433 38363731353734303932653662326138646239306261383232643537313365393061383663643632
64663338626239313265623838383933653539666666383633623939343461393036303230663562 31343736373739643164623437663239616663373335643262336664326365656137643066383463
35363232636635613739356536386439326537363965626261363962383231386532623565343662 37356666306666353339626662326135636530386462613061326631366535383034303830323237
61633931613131303836356366653030656333623235663266636535666632353666386666386630 65316135343135383230656638363564303635363333623833373163326365393430663235623231
36303134613262663335623330356639383432353133333137363665633565363037333136653933 35646632643735363730613462656562356139323863616266343566343861356238623564326430
64396230613837396435333835343265633638346232303738663764663032343061346539393135 31306366366330363036616137363163663136316565313334616164346639663465666338316439
63303064366130333030663739326331633762386332333162393631346234306363313737663261 33643732343062313536313233333039366435386235333736333937633266653761616262346566
31303437376339353634393438316139663862333530653339393030633932343765326435303530 32636337623266656464636634643632316134376334653932363134613336346539656438633137
30326566336361646563313433663063396338663661353832666561393437306131336465343332 31306439663834663431346133653532636664636463376337616539393239316465636537633630
63316533623362613062626337306530633833323132616662613366653566396136643936653435 30363461343733653465666332646236386633396530333863616236383437333931643731626364
33323938333666333439653037383335353763386132643362643361386232383964366237326538 38393337656130666237373538393430306333333033306466343866303038643234646339306233
32343061643462343265383234366465366232666434623634383132303138643333343663613039 32336364363838636563643939626665643231636633666166653539313461393238333461383262
65663339663030326364663561383833333432633437313232356265396532303735316234353565 62346634633236343433336531396361323238386262313565396265663162353765343037303862
39313532306437333238373064643238666632383166313832326662663762316165323936623239 63633034363664313733633433356332333633366530643863316364653065623161663932323831
62366239393530366666343866376566623863373333666266316334346138396566613263333539 31646530613933613735333834373532616136393662346431656363346364353031303262326134
38373438653663353537323961373434363735303838306262323330616538636333306366373663 31343332386166646530373635343039323163323366616263346431353765303430353636373539
62666462336331623761363036353331356632643664373665656332663530613931376666353261 36346461303730313630373637346266323331373733383465323037343633313739306233336339
64346531363265316439393633346334383439623338653334343739353464316436626635653139 63646137643332623834343462333263356432366631663065383962373634366639656133323964
39633232626463303463646162633131626538353232646663356335363663613234376338623539 64343035323863373139313163323562643066306139363235626532396436663137653635353035
30303765636635633331326337373334626664343063623130393438633863306531653631323763 31396334346137626461633436343539366635356537306231353961333963616334323037346637
63323661356362346536646430623864306135663766313833366165653066343439663064336331 33626161333264643261656661643933653835356236333831343563653938303266323730363865
33353135383830373831623463646461616665326139623565666464363961306461343361343665 31363562383666633636343935386535306361386234346535613363613363393065363832306363
30633331666533383161623130613963376266613533366334393262313730313630323836623162 63643238383363646137306361306265666435363739306463663637343761643831633261633531
33613637363431306632366230336537373732613337613830666635353632383834383465303261 36626562636333336434613365316232343832646163396338613839643064653834633832376230
39633334616561386163353661306564333632653731363434666562353561363462376563626563 33343265386162303266373033353332393931633663623734396133326232303465666432356363
63353666653637336666376138333966643237633434396561386164623435333836653238383261 66306338616634616631363662313963386638343266383063313166353437373433623736333361
30643331373138313062616532366265313831613938373865336435383564636266663462636461 36333163386630376262616362613530346563383637656130363365366634633135323863646363
63663230626532613130623566376437356337653564303033393737663735316130633234643163 35323430343033323734363533326334303438663065656535666432376661613435623365316139
30373264363331366435383837303762363531333335613738613463336139643333626239346232 30623835373535623662633131393831376231623663316331313661646531393338613532623063
31393631663861623330353536313731353332313135363436643161353435653865313666373639 66343665356338636438646339663761336636653332646233326264373435346263386130383861
37313734306461633338363033623535653066633135666463303261383366333266613830623138 34623265373463653165383665306334643233373066356231343666663866373739336436653933
37303963666139306632666537633137326434366231333435323335623130356332313165353733 65623134306536333538333061303066636339376636333438623666366362666137653261376539
37656238613138396635303765376666303631633034306133393639363662313066653062373638 31346435613134303866333065306237343162333138643339313461663934643234303132613961
63313961343932393964643538663863313664616164363264663438393639306161373539653265 65393037396463663034636534323566366161623365666466393634373764333437383263656535
34346535373939316563353437663066656439353161623337343935396463363231636262656565 33643461636362646135626164373335386130303766633434633062356630336463623661396639
61653766616238393030333837616631373736323837363136623337623539336661633533653663 32646565623164363631383731666161343762393639343839373234326337643766336263353166
37376530303630313861376261323231303464653666323237373466353037313230333861373366 62633964303733643035326535656561366139626565643938356264646239336166316534373261
61323964636235373030343462326166323533343266353236653138326639363664633066346239 30623765623338616537353062666338376262393966373033346233383132653839323731626663
66636439373262646536333134306363313531333437316536656337633764356339633933336131 66393938313132653538313031323538333263333361303661646633366633353534373837313935
64366565323438343864666462356232616263623530613631303265313861383135333562343263 37323635633431623365643738623834653631323564393436326562326439666462306263653331
39633938313435313266386538346132336638303938373964616535313035653063636435643538 66316134616432323939373366343564623264336632376132663462396362663134643236643832
31636134393930363635613733343538326637366661623833396531623832616238323637633866 31393366653961323763333335303135383934633538636335303435636334343737306232373561
35666266656465323830356432653839633763643430363431326632393664656464363238363364 31343139363863326536613163663862343263313630336438666132306162646130613233393935
64356132326561376330316434393765663661356466346463366538323439393531343632316134 37336330643361323032366433313939616134366134393032613862616136393339643232356139
65313436623664613230616562323138343831623033643338363839343837303334346361356433 35326534623263353766326132623330323639303230616263636536366263643339663838376238
63356163626432343733336531366333636466613863613438373662643266636134633934326432 35323731303163616236306439343632353561646339663933313937363739303864336438626638
31386634363161653965303230306336373434613232613237343836353061613533616237666462 64633139633338623431343236333534373835356365343536636261386437613538303334663739
35393935383431323764646465636563363633336463353064346631363531383061333135386161 62396532353832323262343763353365333561643633353638313534393164366539353431396336
64363366303262336464646232316231613332333732373932643562626534666634316565343164 36653563633237333730376331326432663561343463616135613738663130323936373136393538
39336436366163326137396236393034363162366634616233376465303063663330386137343733 65636634363631313364326665336164653939356133333031633632373030623666373562623564
65393231343634316365326663666532646162623633373530393563313861653638353932396137 64616365616435393231646236623333333037346363666664666233306661353337343066626136
38666161336432303666316263396538663665353334376637343762613262303062313932363831 35666164356537323735636131383266393064373538303966353531636561623032643233346566
65346637366163333233633562393535306263666330666636613363383939393035643132326162 61633465376631656636366662373865623764336135323865316336663731383335303330616231
35656130366237363136643938633931363731623662343536623136313436616265333138646239 64313836373063313061626365316538653831316562333165616531643434633964333438333665
3765356139356136346264386137316437303865646335643530 66376634323531356538343837326636636636393639396535346264656531613733386337353966
31363730646365313834316234626532663563613234643563366566373662616335623035393536
61653334346336613539313732383438313132653738393339373661336531633565303635353665
31383939643261666538356633326666363934643738636430383537636165623264616236633863
35336134386437383539303061343261313530313366316338663539383238663966653837663331
33386464653161376335316536633532383035363066653234626363343232393165313463343930
63323435613932626435363235396236313365636166663238323534623038663034303365326566
66306635373433313730343536633931643935323062643136383434643138306138363366663834
66613964303634616139323832363633363063653237366135613964663733376161373937323462
30313833623733336366356635323261613132393734613735393062333232313236326264323366
32376535616334376137663636633333323665333939363366313432633436653864306532393966
61636337356534373164653637633162613235623364396539623961353466303036383031363162
37313364613939613939343538633665666136363135656330623332656466383139656234336133
62366262663064623137626363613066366666313733623463623562636131323435346264653564
31323431663339653966336230356339303534353139663739363263633564373364323937386434
37306462653630326366316530656462316539373263366262313930356663376334343562303361
61623161613939616666386336626537333135346136643537326635383939663863623332373033
32643730313861636163623133323061333631333332373838636163326562633936363631653062
37336661626336623462616562333264373330323363363630313739363962323735393332303562
62393161323962393039346432353066646162336332663636343739343566363833333738316437
64333337363137643931366536396333633538633830353865323765616264356335383031353534
33376363386630303332643263383738386532373434613963613764326636333133303262393832
35373930383662383064333465633736363063363434333662396331633032353733353334363162
32393361643562623362333963663262363235326536396131643435306665343438333933616466
34326634373965313638666337326633653938343561663739333464343135346437636436633034
62333039373136656664363531373430356363363736306533386135323061316339326636643739
38363763653331646638613963646138666165666439643065363335343132613731623264376536
37366533636564346661343966373964353731623861633463363638356163346165643164373535
30373564326263393436326337653631383731313139636339356433333830666265343165323330
36616538616534626237623862636536303336343331383237333333656637303266616137336439
61653631636632366563373034346365313337356266636338336663643538303063613036383831
65613635336366316263336131666238386237366264396438383966313762626639643236313532
30663235666662396231376631366139653937646132343639396430643339393165656266636235
38356135666433323434613238356537306630643861353436323037353461326534313632386232
63643261373263646437373535333036336634396331616330353233613564363361396437326435
38396462643833313362633436303637323163663166653231653866643733616432323663316362
3037356363643462356137346638313963376637643162623062


@ -1,111 +0,0 @@
$ANSIBLE_VAULT;1.1;AES256
66313066303030333063353236313063303262626561316535646263633936336534356437353265
3432356362393665303438333166643066666164363861610a643434356531666366393936353233
37353036656435616361613164323038663364666464373964653337396465373061666533373938
6536323936393135370a666134613830306533623365363933376631313534326265666634366235
36623637383636396437333735336238343434353733303764326237303033303562353237353165
31653866633363623764353533356262643239613531643039393335313731383038343638663830
36356139336363343437666230656366636132613531613339353962373435643563313734646135
61613330323938363063313430343738306536636233353963636665393132643162303562666531
61343365326634303730656133633632353936386431303631363731313730666132656334353731
33616537313230666462653165643535386134663166346262363535383365616431613838383863
65326163303966373938653033613238326634393166643630316230613065353437306237313933
65366131396266393236373162343866383565633030356465613461353131643562343630336566
30633534636634616666616462383136373830623137396366626639373230373834316563343464
38303333366166323238346237646165383633383264333431663530326462323432366332333630
62633132666439313034616465663861323064646564303963633565353734353665313138373636
34653639353333373737613238626535356333633833363737646330643163326131386364646365
64356435636635663737376239313236356361363061313731626230366336326535663866373231
37623262613135636538343934336262633662383266653238613965356639626339303437306633
38373837653737313465376231363637353561303937336138343465376638326163643065336462
61633236373737363633646135396565303835643336393763393933613964663435306336346636
38316231383363616533616437366362376664393135623765646330323161366134323263376466
31386332333565643764343863353039313466643962373736643533666562353766383862326134
31633366636365313231366337313334333130373833656135396262373136393135353039623739
63626463636237633963323739303961663632376330336236663134666461383965303861333835
38663337393930383834653936636365663966333033346562356331306430306338333761353762
38363733356262363161353135633836336363376232326261623264623338663230663838386330
35353762393839646338366365313763346339666433306532353530353261363838356639623436
62306437616630663039653862393466353933333763386163373035373335343834663439633039
34613463303436366631396462363866656533343063356265333539353038326637613063326164
62663833363165643436343538666565386561383335393964313839626237623031343564656632
35613534636437306463373466653431336562303132313462326233663561343837323331353035
33303336356237306464363564666136633230396635623066376564373737353335356432343231
66633735316466633039663338316566343739373664316335366462356237366139363731643366
33353039373665333232383235303932623435366638313465396333316565646134343463336330
65306334623631386364353364313638643930306265343363666366663164643435333834376439
64396434366362343733323366343232653930646565313762376436663965626562636238623066
63303236326362323966666630343136336563343564393833636465333832396666396638653661
61323561393563326437386462656266303830353730313839613136656331323938616631386235
30633730303838313038313263363363633136623861326662623366613461343133356261633030
34333732343037396131343764366535343639326333353036353038656533333339306363653435
39656166393265356338656631353065653630303237663761386332323530663966343864663438
65356365386131333236396234623537323062363539383061323832363563326435306465663234
66316638376436613265353662646264666138666165343763393330613765346163356138616633
66373338393163333435666236386239663735653135386532633135646539316665313036323763
38666464363432656534313263306266323066646133353765386463343264633131633936373036
31326138633131393962633861333036373537366163613562383033336333616130636435326331
66653766653065306164613335623933616135393335383438356337633239363131303237653566
62636263383236656136376237646363363234363232643636623333396531363461303538373662
36313537393238626337613964623731666261316366346666323261386661643035353164613637
32303061336363306335306431613263646266303038323739636662326465303961616339333461
65626263366333333562386461636231636438623966626136663932303035343531363234356663
37313661353764343764396666633666613238323638646233353138383638353938303933396431
65366564353533363039383838313562663561633434393833636365303561333534393930653630
63663464613334623864313663383630353166363862373132343532393135313666626464376436
34616566663764363566663530646638363338653538353661393835383035346236646233363564
34656165303737326261353032363435333731363031343366353863313138653865346535636564
31393134336534616161303132353764343833636465356661376638633163643739383830616534
65386262663734356134303039623265303935363764623537326565633030613465666435636232
61623334393734616262613232306339396639643636373762653738333463616361653430656438
63316265303634323033303330353232636136333863366261656532383065313334386335666636
34303564636333356364663565333932343064333266383638663365366636643866353132373966
66336563346233656531643735663062393630616537656264323136353266623161353261333239
33636563376566333331366336353338343730383962653138636535623039643461303763333961
63373264333037653563643937373664373665343136396635316634613632653232353033666266
31333064623765326536386630353435333438326232633565663531303730636530386564366633
63326335333639376266396562343838636430643664303737373565363635643037616231393665
36636337633564373561343266666632656235646662633965663733383731633832373334646335
34396163636635633637393834396566663062633135383330396564656536333330623737636332
36646362623131366166626639386238616566323135323334636638393934663336663532306336
38396634393433623963316261303061616634333566306239366666373238376466633166623464
33313538663838373465626638316432613135386262376233633362616463623363646433353666
32633838303837656335333336353564343461373236353736623032663139333338646463323533
65326131616433666563343163663462393235366135633661366564623662303932626164366632
38306430356238633162656337303536663065653639353562343965663366373861646162653562
62306236326163393336643232663336656637623539353835613536653164393038623966316433
32623462343037616465623736306530633736623061343430356638633530313331306363323837
63396263393136363137643632623938316363386238346237333862303735363065386633366263
31313834646239323631393335633534383930373630663538653864383930666465653731616263
35333830633430343436646266663231303466343138643338343634346133613666613734313037
34383931643631633539346262653631336565623366343564303332333831346436373162356362
66383864313732303962653662333036373239343335623765616536306465623030393138663838
30313861636631393462653836626164373034666533323338383262393132396436666639363262
39356132343939366534666665393231346566663432653236376333323363643166393431316161
33343666316138353333346263346266343731613065356631336231373266343338393939663038
35343235393563623434313266306163323266346662623063353631663433646436613130636663
38356335616438633638383236333131663163613436303934386335363432323063303234383331
34636432653262643438653931313233626462623034346137303738643932353334373531303439
30366233373535343431373365393566383538363763313036623262343066346236303061326631
64376463336538363132656464666365343861393330313637356237666361343666633436346534
33636332386336646333616330613738343264626438613135313962336534373130316330366233
30316333636564326165663565666361643430656366393939616538323530383632636661326331
35366663646533313034333764626237623637363164356163636432653765656439326438383134
62623638633934336334393636333336633164343066336161333138653637333435306230653865
35363032393633623331363933373463623032333361616365373037666333643634343963663835
34363033363731346663643363383965336536353332646262326136353965353137383737336165
33613733656463376333376264633935373239363337323538356636636439393564373332323031
31623733663530326632373235313830396133373430613061613438653336653462316336623438
30343032346133363830656231663966653734326635333831626639393666303033653437326238
65333566643066393331323466366662383135383734313537663664376161323265613436653535
63643832616663303632623433636161333339376635333635626137326662396562633830343337
65376165376564396433343736313134656332383533356138383039386266636238613936653962
32373337346335383136303838343034376432363436356465613836366230313463303239373531
65383334646431346565656638353537333765623430333133663663326134646566306137643663
65643338386439666636376461356466396261326165333030623633613364343631343830653939
64323266626131666332666433386434313936306361633164373532626231366234623735333932
62306362346164336433336139313561366162303666353635653634396139313734626463663735
38306466626237626634666138363665326636316563356431333432313534363638613833613539
38306237353764376462323238663034646662393433623830616361623735343162666465626230
30633731323939633265323338373537383261333235303262633336636433316339383433653861
3861653261646632636364623830626561393864666135346634
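Review bot: deleting this vault-encrypted file removes it from the tree but not from history; the ciphertext in this hunk stays recoverable from earlier commits by anyone holding the vault password, so if it contained credentials that are still valid elsewhere (database passwords, API tokens) they should be rotated rather than treated as gone. The file header above the hunk shows no path, so the commit message should say which host this `host_vars` file belonged to and why it is being dropped.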


@ -1,49 +0,0 @@
$ANSIBLE_VAULT;1.1;AES256
30313139316131383630353236343338323465653163323838616464396137656365393639613766
3733323562386139353933626339663039653437363037350a356263643762313634613736356363
30383534346664353030346233653163616330376562346164613731346566393330623165306234
3833306632616536650a386239363931326463663665346363313462646464646632643961343631
63393164366163353461633038653833623963363233396464663839653330386231303461636564
39613265343765323636373736646462333665303333373737633632346465343439386335623334
35333933363966623730643632313361356661303562393535646230626639363335623861323033
32356664663539343262336535623233326234356463373031356361633536366430346338393831
34666232373761643430356662653431646661646165663134633135663933616262393763356133
61323063383036313166643866303136656164386239326437303238623338306433633762303630
39396438396639666433376533333765313431383862383031333031616334656136643262636438
65626565333939616631336237633063396430376434626437313666646165333239376463383837
64656635343661353735666666306134653530303033326662613230663061613034383461326534
65306131326634643732326530336136623731663336656138383635383730653633373737386335
31316136643634613536366439393565633964643735333336613865366138396539663534646435
61626530353836366337643062366532323538326161633137353336626537633739393464646632
32343730356362393336313535303034363531373961616265623934393161306261663562653464
63336164366531636130343939353235343261316534613665316363346266396332633763346536
65633038366530356138373661306234316161343762343638366639653132333438613766343939
61316232386465643236326430396130333831666363313032623537383032646663396239663338
38313939306465353033663066633435626635353138336330336333616231363634653665386532
65326463663933343966356437353433313565316139366365323934643131346636323737626437
36343435643231366663323134656561666133303030383734316237386532396662366461646365
38303434363763363866383761386535383262323432333730323236353439653163613966333032
39306533333132373736313834326464643134393432303537643835336438393461663233333239
32333365663337653436303662393263366161326465663036373934373764363438656436666232
32326134393161656133613266633966396663353631616537363361396537623164373964636666
61613731306333303336316337343635316134363431646433333932633336363065393637343030
39366537656430663932616335323661316533643763643161613463646363656232346333303331
38363234333261653135316266313736366439343138666165366533353035613731633466396363
31663166336431653461663463383333623664356365396230353130386138363261356331663965
66636338336466366132633437396535643736333733633430373964343533366338666532346263
38353233303437663339616532636662373761393461666439663133373633653139613531393738
32383937373833323938356333343963306534633734393162363965356163643862643037636231
65366461663161353939633866323162613761663836626232346236343263386364303233313161
32313265366562313731656630393166336662616661313964666661616439343265383566383332
33386266366534383934363839636636316532613133636664323136373130363534333531613663
35333964626634643135663639373339626335643366333766386631363439393435626439636166
37616339313336656634393538323935383964343437646433636636383061366437386330643334
34383237353036396563643730373663383165623633326336313031326435623538376130393130
64636538663963303938623866626431313238646465633437333863363865666435636564323764
39303638663830656162393836366262663161633763656630663434386435643462353661353035
63336461333464363838313765653037393964633536636435666162346461633561386364333966
32623761373435366665363239626632646364323934383163346637356562653332373536343462
31323036356132373930656364393061306130353632623661663032343230633635336664376134
38363239396139333230346138386337313364353934396362373233376266383537346431653234
34323835306165613739383336303964656565373636343639303831386466623031396665343234
33373164663339653839

46
host_vars/web21 Normal file

@ -0,0 +1,46 @@
$ANSIBLE_VAULT;1.1;AES256
31303064616130313334356131393461656264376237303838313334366562376338343931333036
3165636436393538633063303338636464663634643539310a323766633431376166393134303038
34316264643034386661343566656139306234383430613032343332643363323534333238376233
6262383039383065660a313138653738643838346365633238326534646637353033623638306161
31336565373635663661343930396463333632366665633464646264333732373431633463343462
64303538343234613532323431643765643738396233376138343561306361313864376165393064
37313964656461353466306433366538346131313034316633626265346665666332666665336635
64386261643536386536366337313938343134346532393866663065306434353766666132383666
37623138653430363964313566666165326130656239333965346234386233643537643231613163
61333336383265613930613239393663356566633464343732383133336435393036646536353834
31626235343330666233616533636636316637643665333861386263646363613237613638313835
39393736313734393539386563333331636361376137313631373833643763623338653462653066
31633061323161663139633761623662653434363362386235623061626662343535626461663934
33633966353263613466616439663631363162376466346535383963383332376130303265633935
31646533633330616136346239356366616530363539323466333765656537623862653633643930
64646261636239343866663238613834376339366666353534373666333966366264626663326430
61343530636536613032646630346136656231633730646331666633623634623235666535336536
36303735373331383332653731616136376163396337323536616431633934633830323531656633
65666565363133366166323866366137663332343633333262643433396531333833626532313663
62303265623764613231306365323362303565623232326137386135363262623366343330666134
64376435363164636332383061343066336439363433653939353235383934346331383933333130
36623437393461613137316634626638353039343465333161623632363735346438383537306236
37306531336433346461656466396566623263353632323364643963323835356666393062343137
36323065323639646330643437373965613563366663363739646237396563336633653232643466
30336534373463643733613536343762633435343636333632613936383930316532333933613961
31313535653639653331343364383662653434333833663464623164636538353763346134643762
36383132326134353632336334303264376162316162646331656434663435326535636164663238
62383435343366663932346131636530386434333064323734363061633166323363383566383931
30626337656133613632313136656431623761343036613865663261653437343139303734383231
33613938643264313138626639393132663032326235383439326132363361616463366266383439
36656161386531303230396562356438356537653133666336306439303630393665623665396130
37356633356165333737303235373062663664643434346366613536343164626339633039386538
30653962373361626436616366396362343739613937633830613235373866613665306334663166
63643965303465306637663666336563633234333437643565353262623963653562623662323337
31353636353830336362643536396232333732663937616666383431616161646265313834393232
66646338303134393232363133653837346638613165323035363266333566663163336338613335
37303964326663303338643233353939633735616231356430663931646363613565653764303637
36643063306362373666653531656534646465666134353866313333316239663363663062373038
33393938663363376530303463636665663539626537373262366536363830653632663736356632
35653465306236356166653739623461636434636132653237333932333965366464633365326430
32306533303966373662353061343130306662623735363930626663393139323236613730356336
34306436333734626339616438383934353934306233323863653964623435663863333330643061
64626333623436623230613362373533343237313165313030616662633739373065376231313237
61303561303432613336366238326534616631346364616135363562303161313334303866336434
6164
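Review bot: encrypting the whole of `host_vars/web21` means nothing in it can be reviewed, not even the variable names; a later change to, say, a package version produces an opaque 46-line ciphertext churn. Consider keeping the file in plain YAML and encrypting only the secret values with `ansible-vault encrypt_string` (they appear as `!vault` tagged scalars), so that non-secret keys stay visible in diffs and only the secrets are hidden.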

130
host_vars/web22 Normal file

@ -0,0 +1,130 @@
$ANSIBLE_VAULT;1.1;AES256
38656665633261633138336335373266363136353736393735633130373737316562383130666636
6561646263333036333763366562326661353032316564330a383634366236376563613861353932
63653365343662356634653231633364353062373539323165633339326364643933373464376166
6236613532633734640a626636316566373431323837656263663065303534343639356165313338
37316361373062623233343265346334613337313765306162336430653563393631633532363661
33626138346232363635623365613632313536646236633736653931363931343062613738653162
36393565633535633939666530613765623738316263313839323139306134346530303664623861
63376230303062303262376534323332333336363832353630363262383931356139613539386133
34643961336134643262623634363839633463613365653839356364333961383737303263373632
30333063383835353961636333363564353664636132363930656136396638303431353738653937
66656335363933326162323036313930336465373763323161643437653338636635643064376635
37346461386136643332363961366638653531633239336631373933643336643066313062636132
37356134336666396265346466346465633139313239393636663931356431643936613830643033
32333036396365356362356332353265643765666466666464653265666562306534396530663530
39666465336663396436343436373434383537346262626663366337366163306133663530346461
63376237373230303063316439386630373566613134303631373362336538633531386233616238
65643662653130346165386338633965636431636237656162613634393530636138633937646639
62353433346664343332656166366161623330353934653631383961303931366231363030633262
37623235373438653037343033393365323365653561633736373930396261663638356163626630
63356639383231616339323530636338303465336462333036336636623964333834336234316163
34323866636239316634633236383635656265323133346534343435656561643034613337313336
32626234366532663033396561313838626437663961393131393962396137323531366262666362
62373332663532333061666332623261636239346137373933646335353238386232613739303634
39336331373231653635663330323539366563363135663863393632396332313464653533653138
36343364393063633437356638383935346131313932636131663965383465643561613633383962
39623830313463633437653364343339633939663831623565393039646666613062356562356237
33623463323336663664356334656130613665363739623263613032663732353435313639363130
33336263653039336139326164303565666661323737666533643837633438343762336462393534
65663932343635646435333362663237663835623332623038616465356632306663326433333463
34343830646535303638303033356630663534343435333237623462663466633062346131333163
38636539626539613431393336303935666334623638653134343637393930663561316339383664
31363532646636343439383539613738646163306336313862653465373636353136383666663163
63626139613031316665653330313565313831656561333830633735343861323134636237343562
62653834663035616665633761636631383233343037653034643064623932356239336366396266
36353462623732373831366661393266376561313563323730663165613737656136353831333232
64366461353264303434656161353639616133376465346232383437336537383463366466303839
64623730333037396162613762383962326135633934306338343635346463666135386364656665
65326161356539613362376635306231656465306262333936323234653538663963383838323062
65363330336137363163373661373464313164663630393761363366363635313139643163633834
39613334336336613434313364306134643332633332393466383265336537663231636663613464
36323436343136323538643134376430333331663738393134393032633838383966353866366337
35633838663230653930633665363664636333613538613839663937373139323738323133333938
66653432663330316537353364616664623935626666366533383539323830386530663131386130
36383831373965376666666165393266303465353738303962336563353531333364613765336432
35353232636663323231383932643532663330653337666563353735323436373436383639373363
35343465396265356336346134366437393238663861326332393135393432643335353563303362
64653033373461363865316237323264346535316163376162303839313734393865393137636530
63633733373430633332353264336566626262626565393832323164653534616636343164653339
36383536656463396239313863323835633937313963363439663535633036326634303239396233
32626433626338383434363331663864633436393663316239663362613734393132336638313466
66643965316466363362363136323336363862303661653161393234323361636135633838613739
34393662346430366666626136643434656131396463306462626538396236653466646331613735
34393035323038313932383631623961633761383734653132386562306430376365386464663238
66303036653866646633623266623736636361383339336164626439383031313162646632303963
31373864366661653033613165323061316138623462336236393933386431613736316635383938
63643332623465663432633139303231306162353035373338353162633530303934303436376535
64386535613861303064396666636363626137373336626334663631346566313732393065373532
36386436386537333561393336393363636133653737623431386531626163333961343162396139
63646631333063303033613533353963616634336230343930366566353664306430663263333835
38363937383363613932316130313236373932303763306335363136376362313931396139666334
30613639663163336363666664313737303561316164616234646630326432346134393738383834
61383734643337663138346533373339343733353332383863363234376330616531643931373161
66363938323764336161323437376463626661336234343739343632323936386265616531623863
30393830353064643138653233656135373032643065313663373039326462303866636462373835
63316365383331623063306334383861393535633536386236303130633530336130326536323461
32643761323533376637626366313133616232636161343334353362363261363262353532353336
37353232366337653030396239316631386665383866363966643139393763383035613535326334
64366164656338393831366136343465316534626661343431326333663664316331343438353236
34303165623062653934613532636163653263303837343561656136646333656261366530623766
39653239336562646234323261356266663030333139366466373931383866313139666239336161
37303462373637393139653762626430626431316362346233366466356337343831656635663431
38313465356538363066306163656236333839656437376233386361366232396536353964393630
35623331356630386164656237303262396339633939646133636636623266303765626138383365
37363962633332613062306536393431613934623530376639363331303238623866343237323232
66613437383837323466346230306330306532656632643337326264666532646330373530336437
63376330393364666635373066343132663239353038633539356537366338393861613037333336
38346230613233316435333637373234653566363537613737363534373138373036313338333161
38336561623662316537303033373061363137353262313866346262303365666535366463336366
64343336373936373034633335323533636531306463376364393962643133386337336431616535
36333937313466313339356130356232666466313934323433356539663239393335343865353636
66363565376234363933663033653763346439333331386139643661633734323833396462313763
64613735393030353965623839333134613664613264646439393934613865626133373138353962
66653733353362333539353934666135333133376338386536643238336462663432303132336438
33313532316264353635376132303237303639373132333039653063313733333266623838643963
63376138363539663963303265666330646138356163366663373237386264343263356362366664
64336432666639316664393237343532396337366239353930363330313464616162343037306336
62356361313331326139633864363861373936313163326139636464656165356635616466646662
34383830663932303239666139633766636265623364313462353730656563393763386230623530
30326630653165623965623164613235323837326466646338313936333631346437643438653939
62626661323866356136346161613661313438633165643464623764626537396632316363613534
65336337303634373766346265333332313663653831343861396238623264623134626462613065
30393932633337376338663033663365646366656134633665313936373531346366663766633032
33323431303130323133613764656164643861373035653962303565653866653362653834383561
39623035653862383836616165383963363064653036313563383561323236663931306165376532
32316666313231613565616562663736393630336336646362363039643462316432363330373339
34626133613166656166313565303436326563663239323334616533613561333263643365666135
66336265316166613039663937326164626439323038656562646237613439333535626462313162
64663332326533336436383364333735646534356631326262643736393364613137303736356365
39626463373735323062633939333865643237353435663464393262636433303861303537393031
33633864623730336136346434303762633932613938393432353230333230626539343962633564
35636335316537373138363330303962633839353537636361613237666135393632336330323331
36353235633935653333316331656465353030313765363237643865383231346439383335383665
63373462613564623261363264363936356130393831376164346464646361613132366137323038
65663030656338316166616635613934363965653165356331323165326635303431633764393365
33633966633662643536663135333666663264366265396537336637326537343736316332626166
34316331383438633133343432303837363339313561353737356535313663613361336162393636
33623231303764353533336631383232646365343035303064376662333830343738313238333636
30663435343538333135616366636162636637303930383131356663383631306431643036646361
62386531663739373066326666306235616662353835616166393739656564323737316131343134
36643063626464666337323634636536343365376233653363323565393731646536306637346630
33386633653165323762643638623739306363313433306338306162633333376463386261303466
64376531353238343435643865383061323364383362396432336539613230376235346537636362
34633637646230353463363763303239343766383935333861653137373266313534663335646230
66616339366532323766353365343433303432636134663834663834303932366663396131643337
61653733623361306336656333353664303165346238643738386536336335656165616131306131
33613139353839613764306161313764316233623361313037386163313238343031613931353332
62383839616365636435653634313736346438303565643133626161326534376636366537633037
33356533363234353263613662623334653465303561353934343230633664643536353538336437
34633631356363323836363439303131656361633162626232396636643436303032626335353534
36376437616533633934383034376464323530383965326432333834636132306438363334326262
61363532663439653937363935353831623562363737643066306537643433623262646535663166
31336661653539343236646361313930316562343630613535306231333734623265623064653031
37653633326131363433343732363264383366663965313836346561383833383138376136663164
35363835643630623037633032323162366333653963363736653537643739656665353638376132
61393639316336343731353038303033656164353839613764633635396438616336343533333065
31396337656433663736646338313062383337343466316137303032356266386562353833303636
64646637323836323930646530383339336636623934333833636565323164653862306462376365
30623031663832303265616563353164643336646131613963663530396336333637623836343137
6566
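Review bot: the `$ANSIBLE_VAULT;1.1;AES256` header on `host_vars/web22` carries no vault-id label, so every vault file in the repo has to be decryptable with the same password. If web hosts and database hosts should not share a secret, re-encrypting with the 1.2 format and a label (`ansible-vault encrypt --vault-id web@prompt ...`) lets each group use its own password and makes the intended key visible in the file header.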

85
host_vars/web23 Normal file

@ -0,0 +1,85 @@
$ANSIBLE_VAULT;1.1;AES256
30633037383332656130363532373262623063623730666337373430336363383964343039663832
3633313230323565376234336433383330626238373665360a393234643435376431613363313036
32386236343262643662356563633038333434333730616332353234333363356465326133623139
3830316433303631640a613231373138336330646639376135326238383230323534316464383135
35333631356666323161313261633134636364396232323130333666373864333165346233666232
62346362353033636464323866343334633565373265623431613866623234633133633466383735
31343439646166633237643364386638306539626562636235666535333438343664323932383865
39333533363131633930353962336238363234393161623966376365326661643431303263653164
63666436616437326137303765303730303135663434663235373363323966623166376332393661
62336336366265623035346162303730323762353961376333313662626232343366653930656338
36353134333463663034363737653133633536356166353966373563316235636132383530643339
37326661346666663139326239396466373630633363373431346635626561623665366566653731
36396138643936623632613934633965663166313364396466633263303738666164316231366662
64636362356564663330363763323139623065336162353734626539663231663734333962343665
32613563363130376665333666313733303963633161313633636337646466353064653866623265
30653762316433653631306535303463663738653731633964666466623534396663326263643437
62663366613635373832316538653066623733336631663261666564333634643161653962373932
30313065656238663063313737383432393433656439383033346634373030643166306565646230
62353930336664393733663462343062323332323030356338316133393838656536306164623435
64393634363665643862346564326138336136393235316433313538383162396563303937356335
33646334646630646233323762323335303030393331636532656132313536663465383237623536
39633364363036636434323963613633353238346134643837316232653038616138373731643033
64396563353839386334313933653664613230323430383434653964636538393838386639356361
63643565643636653434343363333966653163616236363366356539313532393133666239376530
62663930343462633864373138633364636634643361363935303263353766373936386561376638
65316138646534396435636563326165643737326533303338323665656334346264643262636437
63303530363063316461333536333433366461356533393139313435396136353439323435366266
32343566616161636466663339613434643835613831346366613866343536663530326431343139
38653165383430653064613837343738623134303766373133623131646134613663383637336264
35313966646639613262623836393933376137623535323365393837326631663930313336313737
35626139386264303162393636306136306161383565353739643166653262366164386539353266
38323266343833323063343263346365383534643835353435626335333637303237633239646330
32643235666331613364616535326230346634333363633938646633633831633364653337373235
30316161633634303562613263633962376365363038346137316164323036616664626132386461
65323764383733666634643635633834396635343835663266623839383130343563386231376537
62326338643833303538343566616461353135333863626462663830366435636564626538346361
33646661613334636239653636383436653438376235376665363235653837303037363164633931
32633733326139346261323464393734316661633239643437373235303237643932633433313564
36643739613330303362663861626637613130383965646639356532353539373437326439356362
39643137666633313262356366616561353461633033376235313965646132343233326366353264
35393561633632306265373032306636326261646235623266636662646334363233623330333734
37663266363639623036323433656166383631386633313131303030306437643761343965353063
39373435363238616566643239306136366637646437633335313431623839616264616261633339
33313364323039373531346335333963343034323637643134653566666562373137656335633932
39653862653465626432663534663965653933623430616561363430666235363666613833656463
65326430383137663034623233393339623135356535666161366564383564336132363038646663
61353465393265613337643338326436333237336339326262356362643932623163616638643835
31323739646335383532396665326535373161666661306538653365346465366434346463663438
64323766353933633736313266386564656436666534326534663531613936633830386238303861
37363231656365383531613764386662356334313330333236363734646431383166636132383338
35343138353232663135366438386366626239326632333937666530626364313463613831313162
30363933623561396137616130656535393138346339663266353764653931316639636562666164
61333938363466623031653766313139306439396435663665386665663663306134666563373238
36316261363063666335363462353066313735386139313465623338366266383434643464643162
34383836636336316232343132363464383565366162313563393864376433386236376565623631
64656164646635666139396539353763333065323266663262643233306261656532613362346432
33373631613137336366666266633331303966653138393539326335653463303033613565663638
30663465643832643637643836323462633163643534663465336664313265353966306261613339
32616139353263663033373835653632386262396164343731613836336435616131356632653830
61613461333632666366653330626537396232323733663930633966663239356130306666376137
62636333373635356461633431346636643731656338306366396430323537626233316137656465
65643339346565376166373066643339356666663735313063303130313663393966623866613337
31386663363166336337633266646363666236623837303634643337316636353531653765323637
62313330326363303932633336383337353062643865383730613435353832663364643262626162
63303439383164333037306231613538313639626537323039366561363233303735323032653432
35643432336666616665386238353034333037353630323234316266373936356439353632336365
37646462666537306534623937393939326663316532623837326564303330373261323630353863
38343438316539336464376664326362353831396132393566396333613164646462636361646234
35313837666463376233623762663239613134356632333730343363346238613334383861306635
31623665666461643661383265633965386566656165663566376235343338636336336330336661
64653032656365363835616634656663623365323766396537303361336533313132316631316533
31353036663766643131386135653366313535366232636538346237613461383761393666336432
31623364653166356565376463363437386533303062373930393761646163613962636462643865
33376561323366363936386531663637343465626666623133396162306139366665616132326161
63663535636465383836333061396239313463343635633135323464646135393031386361633539
64396534396361323466326364326266386336643831643536383866313033366534636135613736
34316661313335383239316536623862316637396465616563386361636261313330313466656239
37626431613464363965343233666534323736363865373734633535343632393335346265643361
65326436393631353264613761343237386561306261353261356364386137393362306566353032
31313363613963323136303262323934333961343563626533666563636432653436393937303037
37336566663932663062633534303632646162316262323935366661313938393735666561343237
31616366363339353231643561373362613266343266623464323238356261303762316334333266
39303633316164376330343864336636313333363862323835303735383866363334643933653337
35373030353264323761

View File

@ -13,13 +13,13 @@
- hosts: all - hosts: all
user: provisioning user: provisioning
become: yes become: true
vars_files: vars_files:
- "../vars/{{ ansible_distribution }}.yml" - "../vars/{{ ansible_distribution }}.yml"
tasks: tasks:
- name: Set password, shell, homedir for provisioning user - name: Set password, shell, homedir for provisioning user
when: provisioning_user is defined when: provisioning_user is defined
user: name={{ provisioning_user.name }} password={{ provisioning_user.password }} shell={{ provisioning_user.shell }} state={{ provisioning_user.state }} createhome=no user: name={{ provisioning_user.name }} password={{ provisioning_user.password }} shell={{ provisioning_user.shell }} state={{ provisioning_user.state }} createhome=false
# vim: set sw=2 ts=2: # vim: set sw=2 ts=2:
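Review bot: the `password={{ provisioning_user.password }}` argument on the `user:` line of "Set password, shell, homedir for provisioning user" must already be a crypted hash; ansible.builtin.user writes the value it is given straight into the shadow entry, so if the vaulted host_vars value is the plaintext password the account ends up with an unusable hash. Run it through `password_hash('sha512')` in the expression, or store the hash in the vault. Two smaller points on the same line: `createhome` is the legacy alias of `create_home` (the `no` to `false` conversion is fine, the option name could move at the same time), and this play still uses the bare `user:` module name while the rest of the series is moving to `ansible.builtin.*`.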

View File

@ -2,7 +2,7 @@
# file: nomads.yml # file: nomads.yml
- hosts: nomads - hosts: nomads
become: yes become: true
roles: roles:
- common - common
- munin - munin

View File

@ -1,11 +1,13 @@
--- ---
#file - roles/common/defaults/main.yml #file - roles/common/defaults/main.yml
# add a dummy API key for AbuseIPDB.com (override with real one in host_vars)
abuseipdb_api_key: dummy
fail2ban_maxretry: 6 fail2ban_maxretry: 6
# 1 hour in seconds # 1 hour in seconds
fail2ban_findtime: 3600 fail2ban_findtime: 3600
# 2 weeks in seconds # 2 weeks in seconds
fail2ban_bantime: 1209600 fail2ban_bantime: 1209600
fail2ban_ignoreip: 127.0.0.1/8,172.26.0.0/16,192.168.5.0/24 fail2ban_ignoreip: 127.0.0.1/8 172.26.0.0/16 192.168.5.0/24
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:
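Review bot: the `fail2ban_ignoreip` change from commas to spaces is a real fix, not cosmetics: fail2ban's own jail.conf documents `ignoreip` as a space-separated list (newer releases tolerate commas, older ones do not), so the old single comma-joined token may have been exempting none of the three ranges. On `abuseipdb_api_key: dummy`: a placeholder that looks like a real key gets sent to the API by whatever consumes it, and a host that is missing its host_vars override only fails at run time with an HTTP error. Leaving the variable undefined and gating the AbuseIPDB tasks with `when: abuseipdb_api_key is defined` (or an `assert`) fails at deploy time instead.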

View File

@ -1,2 +0,0 @@
[Journal]
Storage=persistent
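Review bot: deleting this drop-in makes journald fall back to its default `Storage=auto`, which keeps the journal across reboots only where /var/log/journal already exists; on hosts where it does not, the journal becomes volatile and fail2ban's systemd backend (the reason python3-systemd is installed by the firewall playbooks) sees no log history older than the current boot. If `auto` is the intent, a task that creates /var/log/journal, or a line in the commit message saying the supported releases ship it by default, would make that explicit.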

View File

@ -0,0 +1,5 @@
#!/usr/sbin/nft -f
define ABUSECH_IPV4 = {
192.168.254.254
}
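Review bot: the single RFC 1918 placeholder exists so that nftables.conf loads before the first timer run, and the copy task ships this file with `force: "no"` so Ansible never clobbers what update-abusech-nftables.sh writes later; both are correct but neither is stated here, so a one-line comment in the file ("seed value, replaced by update-abusech-nftables.sh") would stop someone from "fixing" it or flipping `force`.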

File diff suppressed because it is too large

View File

@ -0,0 +1,5 @@
#!/usr/sbin/nft -f
define ABUSEIPDB_IPV6 = {
fd21:3523:74e0:7301::
}
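Review bot: this file and its IPv4 sibling are the two copied with `force: "yes"`, and the IPv4 one is large enough that the diff viewer suppresses it, which implies the AbuseIPDB sets are generated at commit time and pushed from the repo rather than refreshed by a timer on the host like the Spamhaus and Abuse.ch sets. A header comment stating where the list comes from and how often it is regenerated would help whoever inherits this, and a ULA placeholder in an IPv6 set that Ansible overwrites on every run is harmless but slightly misleading.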

File diff suppressed because it is too large

View File

@ -1,14 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:ip">
<option name="family" value="inet6" />
<short>abusers-ipv6</short>
<description>A list of abusive IPv6 addresses.</description>
<entry>2001:41d0:1:f934::1</entry>
<entry>2001:41d0:602:238d::</entry>
<entry>2001:41d0:a:2a31::</entry>
<entry>2400:6180:0:d1::476:7001</entry>
<entry>2402:1f00:8001:8bd::</entry>
<entry>2604:a880:800:10::5bf:2001</entry>
<entry>2a00:d680:20:50::bcb2</entry>
<entry>2a02:2168:a01:33ee::1</entry>
</ipset>
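Review bot: the eight hand-curated IPv6 addresses in this deleted firewalld ipset are not carried anywhere else in the series; the new .nft set files hold only placeholders and the update scripts only populate Spamhaus and Abuse.ch data. If these bans are still wanted they need a static set file under /etc/nftables (for example a `define LOCAL_BLOCK_IPV6 = { ... }` included from nftables.conf) and, if not, the commit message should say they were retired deliberately.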

View File

@ -0,0 +1,89 @@
#!/usr/bin/perl
#
# aggregate-cidr-addresses - combine a list of CIDR address blocks
# Copyright (C) 2001,2007 Mark Suter <suter@zwitterion.org>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see L<http://www.gnu.org/licenses/>.
#
# [MJS 22 Oct 2001] Aggregate CIDR addresses
# [MJS 9 Oct 2007] Overlap idea from Anthony Ledesma at theplanet dot com.
# [MJS 16 Feb 2012] Prompted to clarify license by Alexander Talos-Zens - at at univie dot ac dot at
# [MJS 21 Feb 2012] IPv6 fixes by Alexander Talos-Zens
# [MJS 21 Feb 2012] Split ranges into prefixes (fixes a 10+ year old bug)
use strict;
use warnings;
use English qw( -no_match_vars );
use Net::IP;
## Read in all the IP addresses
my @addrs = map { Net::IP->new($_) or die "$PROGRAM_NAME: Not an IP: \"$_\"."; }
map { / \A \s* (.+?) \s* \Z /msix and $1; } <>;
## Split any ranges into prefixes
@addrs = map {
defined $_->prefixlen ? $_ : map { Net::IP->new($_) }
$_->find_prefixes
} @addrs;
## Sort the IP addresses
@addrs = sort { $a->version <=> $b->version or $a->bincomp( 'lt', $b ) ? -1 : $a->bincomp( 'gt', $b ) ? 1 : 0 } @addrs;
## Handle overlaps
my $count = 0;
my $current = $addrs[0];
foreach my $next ( @addrs[ 1 .. $#addrs ] ) {
my $r = $current->overlaps($next);
if ( $current->version != $next->version or $r == $IP_NO_OVERLAP ) {
$current = $next;
$count++;
}
elsif ( $r == $IP_A_IN_B_OVERLAP ) {
$current = $next;
splice @addrs, $count, 1;
}
elsif ( $r == $IP_B_IN_A_OVERLAP or $r == $IP_IDENTICAL ) {
splice @addrs, $count + 1, 1;
}
else {
die "$PROGRAM_NAME: internal error - overlaps() returned an unexpected value!\n";
}
}
## Keep aggregating until we don't change anything
my $change = 1;
while ($change) {
$change = 0;
my @new_addrs = ();
$current = $addrs[0];
foreach my $next ( @addrs[ 1 .. $#addrs ] ) {
if ( my $total = $current->aggregate($next) ) {
$current = $total;
$change = 1;
}
else {
push @new_addrs, $current;
$current = $next;
}
}
push @new_addrs, $current;
@addrs = @new_addrs;
}
## Print out the IP addresses
foreach (@addrs) {
print $_->prefix(), "\n";
}
# $Id: aggregate-cidr-addresses,v 1.9 2012/02/21 10:14:22 suter Exp suter $
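Review bot: `Net::IP->new($_) or die` in the first `map` aborts on the first input line that does not parse as an address, and because the calling script runs with `set -o errexit` that aborts the whole Spamhaus update while leaving the previous set file in place. That is the right failure direction (a bad feed never reaches `nft -f`), but one malformed line silently stops the blocklist from refreshing until someone reads the journal, so the service unit should make that failure visible (`OnFailure=` or at least monitoring of the timer's last result). One readability note: the sort comparator depends on `or` binding looser than `?:`, which is correct but worth a comment, since a reader who assumes `||` precedence will conclude the IPv4/IPv6 ordering is broken.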

View File

@ -0,0 +1,5 @@
#!/usr/sbin/nft -f
define SPAMHAUS_IPV4 = {
192.168.254.254/32
}

View File

@ -0,0 +1,5 @@
#!/usr/sbin/nft -f
define SPAMHAUS_IPV6 = {
fd21:3523:74e0:7301::/64
}

View File

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHmRO6E0G4Ls3TifVfJ+mQjlfWiBZNJfsSXGhwQ/HA1M aorth@balozi

View File

@ -0,0 +1,27 @@
[Unit]
Description=Update Abuse.ch SSL Blacklist IPs
# This service will fail if nftables is not running so we use Requires to make
# sure that nftables is started.
Requires=nftables.service
# Make sure the network is up and nftables is started
After=network-online.target nftables.service
Wants=network-online.target update-abusech-nftables.timer
[Service]
# https://www.ctrl.blog/entry/systemd-service-hardening.html
# Doesn't need access to /home or /root
ProtectHome=true
# Possibly only works on Ubuntu 18.04+
ProtectKernelTunables=true
ProtectSystem=full
# Newer systemd can use ReadWritePaths to list files, but this works everywhere
ReadWriteDirectories=/etc/nftables
PrivateTmp=true
WorkingDirectory=/var/tmp
SyslogIdentifier=update-abusech-nftables
ExecStart=/usr/bin/flock -x update-abusech-nftables.lck \
/usr/local/bin/update-abusech-nftables.sh
[Install]
WantedBy=multi-user.target
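Review bot: the unit has no `Type=oneshot`, so with the default `Type=simple` systemd treats it as active the moment `flock` is forked and `systemctl start` returns before the update has run or failed; `oneshot` also makes the result the timer records meaningful. `[Install] WantedBy=multi-user.target` and `Wants=update-abusech-nftables.timer` are at odds with the timer-driven design (the playbooks enable only the timer): enabling the service directly would run the download at every boot, and a service pulling in its own timer is backwards, so drop both. On hardening, `ProtectSystem=strict` with `ReadWritePaths=/etc/nftables` is the stricter form of the `full` plus `ReadWriteDirectories` pair used here, and `NoNewPrivileges=true` and `PrivateDevices=true` cost nothing for a script that only needs the network and `nft`.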

View File

@ -0,0 +1,63 @@
#!/usr/bin/env bash
#
# update-abuseipdb-nftables.sh v0.0.1
#
# Download IP addresses seen using a blacklisted SSL certificate and load them
# into nftables sets. As of 2021-07-28 these appear to only be IPv4.
#
# See: https://sslbl.abuse.ch/blacklist
#
# Copyright (C) 2021 Alan Orth
#
# SPDX-License-Identifier: GPL-3.0-only
# Exit on first error
set -o errexit
abusech_ipv4_set_path=/etc/nftables/abusech-ipv4.nft
abusech_list_temp=$(mktemp)
echo "Downloading Abuse.sh SSL Blacklist IPs"
abusech_response=$(curl -s -G -w "%{http_code}\n" https://sslbl.abuse.ch/blacklist/sslipblacklist.txt --output "$abusech_list_temp")
if [[ $abusech_response -ne 200 ]]; then
echo "Abuse.ch responded: HTTP $abusech_response"
exit 1
fi
if [[ -f "$abusech_list_temp" ]]; then
echo "Processing IPv4 list"
abusech_ipv4_list_temp=$(mktemp)
abusech_ipv4_set_temp=$(mktemp)
# Remove comments, DOS carriage returns, and IPv6 addresses (even though
# Abuse.ch seems to only have IPv4 addresses, let's not break our shit on
# that assumption some time down the line).
sed -e '/#/d' -e 's/
//' -e '/:/d' "$abusech_list_temp" > "$abusech_ipv4_list_temp"
echo "Building abusech-ipv4 set"
cat << NFT_HEAD > "$abusech_ipv4_set_temp"
#!/usr/sbin/nft -f
define ABUSECH_IPV4 = {
NFT_HEAD
while read -r network; do
# nftables doesn't mind if the last element in the set has a trailing
# comma so we don't need to do anything special here.
echo "$network," >> "$abusech_ipv4_set_temp"
done < $abusech_ipv4_list_temp
echo "}" >> "$abusech_ipv4_set_temp"
install -m 0600 "$abusech_ipv4_set_temp" "$abusech_ipv4_set_path"
rm -f "$abusech_list_temp" "$abusech_ipv4_list_temp" "$abusech_ipv4_set_temp"
fi
echo "Reloading nftables"
# The abusech nftables sets are included by nftables.conf
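Review bot: the `while read -r network` loop writes every surviving feed line verbatim into a file that `nft -f` later executes as root, and the only filtering before it is `sed -e '/#/d' ... -e '/:/d'`; nothing checks that a line is actually an IPv4 address or prefix. A corrupt or hostile line containing `}` or `;` would at best make the whole nftables.conf load fail (nft aborts the file, so the previous ruleset stays) and at worst inject set elements or other nft syntax. Validate each line with a strict pattern before accepting it, e.g. `grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'`, and treat an empty result as an error rather than installing a set with no elements. Smaller points in the same hunk: the header names the file `update-abuseipdb-nftables.sh` (copy-paste from the other script) and "Abuse.sh" in the echo should be "Abuse.ch"; the carriage-return strip shows up as `-e 's/` broken across two lines because it embeds a literal CR, and `-e 's/\r$//'` is equivalent and survives copy-paste; `done < $abusech_ipv4_list_temp` is the one unquoted expansion; a `trap 'rm -f ...' EXIT` would stop the mktemp files from accumulating on the early-exit paths; and as shown here the script ends after `echo "Reloading nftables"` and the comment with no `nft -f /etc/nftables.conf` call, unlike the Spamhaus script, so if that line really is absent the regenerated set is never loaded until the next nftables restart.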

View File

@ -0,0 +1,12 @@
[Unit]
Description=Update Abuse.ch SSL Blacklist IPs
[Timer]
# Once a day at midnight
OnCalendar=*-*-* 00:00:00
# Add a random delay of 03600 seconds
RandomizedDelaySec=3600
Persistent=true
[Install]
WantedBy=timers.target
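Review bot: the comment "random delay of 03600 seconds" has lost its dash and should read "0-3600 seconds" to match `RandomizedDelaySec=3600`.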

View File

@ -0,0 +1,27 @@
[Unit]
Description=Update Spamhaus lists
# This service will fail if nftables is not running so we use Requires to make
# sure that nftables is started.
Requires=nftables.service
# Make sure the network is up and nftables is started
After=network-online.target nftables.service
Wants=network-online.target update-spamhaus-nftables.timer
[Service]
# https://www.ctrl.blog/entry/systemd-service-hardening.html
# Doesn't need access to /home or /root
ProtectHome=true
# Possibly only works on Ubuntu 18.04+
ProtectKernelTunables=true
ProtectSystem=full
# Newer systemd can use ReadWritePaths to list files, but this works everywhere
ReadWriteDirectories=/etc/nftables
PrivateTmp=true
WorkingDirectory=/var/tmp
SyslogIdentifier=update-spamhaus-nftables
ExecStart=/usr/bin/flock -x update-spamhaus-nftables.lck \
/usr/local/bin/update-spamhaus-nftables.sh
[Install]
WantedBy=multi-user.target
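Review bot: the same remarks as for the abusech unit apply here: add `Type=oneshot`, drop the `[Install]` section and the `Wants=update-spamhaus-nftables.timer` line, and prefer `ProtectSystem=strict` plus `ReadWritePaths=/etc/nftables`. One point specific to this unit: with `PrivateTmp=true` the `WorkingDirectory=/var/tmp` is the unit's private /var/tmp, so the relative `drop.txt`, `edrop.txt`, `dropv6.txt` downloads and the flock lock file live in a namespace that disappears with the unit; that is good for cleanup, but it means the lock only guards against a second copy started by hand inside the same unit, and a comment saying so would stop someone "fixing" the path to an absolute one.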

View File

@ -0,0 +1,91 @@
#!/usr/bin/env bash
#
# update-spamhaus-nftables.sh v0.0.1
#
# Download Spamhaus DROP lists and load them into nftables sets.
#
# See: https://www.spamhaus.org/drop/
#
# Copyright (C) 2021 Alan Orth
#
# SPDX-License-Identifier: GPL-3.0-only
# Exit on first error
set -o errexit
spamhaus_ipv4_set_path=/etc/nftables/spamhaus-ipv4.nft
spamhaus_ipv6_set_path=/etc/nftables/spamhaus-ipv6.nft
function download() {
echo "Downloading $1"
wget -q -O - "https://www.spamhaus.org/drop/$1" > "$1"
}
download drop.txt
download edrop.txt
download dropv6.txt
if [[ -f "drop.txt" && -f "edrop.txt" ]]; then
echo "Processing IPv4 DROP lists"
spamhaus_ipv4_list_temp=$(mktemp)
spamhaus_ipv4_set_temp=$(mktemp)
# Extract all networks from drop.txt and edrop.txt, skipping blank lines and
# comments. Use aggregate-cidr-addresses.pl to merge overlapping IPv4 CIDR
# ranges to work around a firewalld bug.
#
# See: https://bugzilla.redhat.com/show_bug.cgi?id=1836571
cat drop.txt edrop.txt | sed -e '/^$/d' -e '/^;.*/d' -e 's/[[:space:]];[[:space:]].*//' | aggregate-cidr-addresses.pl > "$spamhaus_ipv4_list_temp"
echo "Building spamhaus-ipv4 set"
cat << NFT_HEAD > "$spamhaus_ipv4_set_temp"
#!/usr/sbin/nft -f
define SPAMHAUS_IPV4 = {
NFT_HEAD
while read -r network; do
# nftables doesn't mind if the last element in the set has a trailing
# comma so we don't need to do anything special here.
echo "$network," >> "$spamhaus_ipv4_set_temp"
done < $spamhaus_ipv4_list_temp
echo "}" >> "$spamhaus_ipv4_set_temp"
install -m 0600 "$spamhaus_ipv4_set_temp" "$spamhaus_ipv4_set_path"
rm -f "$spamhaus_ipv4_list_temp" "$spamhaus_ipv4_set_temp"
fi
if [[ -f "dropv6.txt" ]]; then
echo "Processing IPv6 DROP lists"
spamhaus_ipv6_list_temp=$(mktemp)
spamhaus_ipv6_set_temp=$(mktemp)
sed -e '/^$/d' -e '/^;.*/d' -e 's/[[:space:]];[[:space:]].*//' dropv6.txt > "$spamhaus_ipv6_list_temp"
echo "Building spamhaus-ipv6 set"
cat << NFT_HEAD > "$spamhaus_ipv6_set_temp"
#!/usr/sbin/nft -f
define SPAMHAUS_IPV6 = {
NFT_HEAD
while read -r network; do
echo "$network," >> "$spamhaus_ipv6_set_temp"
done < $spamhaus_ipv6_list_temp
echo "}" >> "$spamhaus_ipv6_set_temp"
install -m 0600 "$spamhaus_ipv6_set_temp" "$spamhaus_ipv6_set_path"
rm -f "$spamhaus_ipv6_list_temp" "$spamhaus_ipv6_set_temp"
fi
echo "Reloading nftables"
# The spamhaus nftables sets are included by nftables.conf
/usr/sbin/nft -f /etc/nftables.conf
rm -v drop.txt edrop.txt dropv6.txt
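Review bot: the IPv6 branch has no validation at all: `sed` strips blanks, `;` comments and trailing annotations from dropv6.txt and every remaining line goes straight into a file that `nft -f` executes as root. The IPv4 branch is validated implicitly because `aggregate-cidr-addresses.pl` dies on anything Net::IP cannot parse; give the IPv6 path the same guarantee, either by running it through the same aggregator (Net::IP handles IPv6) or a strict prefix check before the `while read` loop. Two other points: the comment citing the firewalld bug (bugzilla 1836571) as the reason for aggregating is stale now that firewalld is gone, but the step is still needed because nft rejects overlapping elements in an interval set unless `auto-merge` is declared, so reword the comment rather than deleting the step; and `download()` redirects into a relative filename, which creates an empty `drop.txt` before wget has fetched anything, so a failed run leaves an empty file behind and the `[[ -f ... ]]` checks only test existence. `wget -q -O "$1" "$url"` plus `[[ -s drop.txt ]]` makes sure a zero-byte list is never turned into an empty set.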

View File

@ -0,0 +1,12 @@
[Unit]
Description=Update Spamhaus lists
[Timer]
# Once a day at midnight
OnCalendar=*-*-* 00:00:00
# Add a random delay of 03600 seconds
RandomizedDelaySec=3600
Persistent=true
[Install]
WantedBy=timers.target
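Review bot: both timers fire at `*-*-* 00:00:00` with the same 3600 s random window and the two services lock on different flock files, so the two scripts can run concurrently and each finishes with its own `nft -f /etc/nftables.conf`. `nft -f` itself is atomic, but `install` does not replace the set file by rename, so a concurrent reload can read a half-written spamhaus or abusech set, fail, and leave that run's update unapplied until the next day. Staggering the two (`00:00` and `00:30`, say) or sharing one lock file removes the race. The "03600 seconds" comment is missing its dash here as well.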

View File

@ -1,17 +1,20 @@
--- ---
# file: roles/common/handlers/main.yml # ansible.builtin.file: roles/common/handlers/main.yml
- name: reload sshd - name: reload sshd
systemd: name={{ sshd_service_name }} state=reloaded ansible.builtin.systemd: name={{ sshd_service_name }} state=reloaded
- name: reload sysctl - name: reload sysctl
command: sysctl -p /etc/sysctl.conf command: sysctl -p /etc/sysctl.conf
- name: restart firewalld
systemd: name=firewalld state=restarted
- name: restart fail2ban
systemd: name=fail2ban state=restarted
- name: reload systemd - name: reload systemd
systemd: daemon_reload=yes ansible.builtin.systemd: daemon_reload=true
- name: restart nftables
ansible.builtin.systemd: name=nftables state=restarted
# 2021-09-28: note to self to keep fail2ban at the end, as handlers are executed
# in the order they are defined, not in the order they are listed in the task's
# notify statement and we must restart fail2ban after updating the firewall.
- name: restart fail2ban
ansible.builtin.systemd: name=fail2ban state=restarted
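Review bot: `restart nftables` with `state=restarted` is the wrong verb for a ruleset change: Debian's nftables.service runs `nft flush ruleset` on stop and `nft -f /etc/nftables.conf` on start, so a restart opens a window with no firewall at all between the two. `state=reloaded` uses the unit's ExecReload (the same `nft -f`), which swaps the ruleset in one atomic transaction with no gap. Whether fail2ban's own table survives either operation depends on whether nftables.conf begins with `flush ruleset` or only flushes the table it manages, so the ordering note about restarting fail2ban last stays valid in both cases. Two smaller things: the header comment was caught by the FQCN search-and-replace and now reads `# ansible.builtin.file: roles/common/handlers/main.yml`, and `command: sysctl` is the one module left un-prefixed.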

View File

@ -1,12 +1,12 @@
--- ---
- name: Configure cron-apt (config) - name: Configure cron-apt (config)
copy: src={{ item.src }} dest={{ item.dest }} mode={{ item.mode }} owner={{ item.owner }} group={{ item.group }} ansible.builtin.copy: src={{ item.src }} dest={{ item.dest }} mode={{ item.mode }} owner={{ item.owner }} group={{ item.group }}
loop: loop:
- { src: 'etc/cron-apt/config', dest: '/etc/cron-apt/config', mode: '0644', owner: 'root', group: 'root' } - { src: 'etc/cron-apt/config', dest: '/etc/cron-apt/config', mode: '0644', owner: 'root', group: 'root' }
- { src: 'etc/cron-apt/3-download', dest: '/etc/cron-apt/action.d/3-download', mode: '0644', owner: 'root', group: 'root' } - { src: 'etc/cron-apt/3-download', dest: '/etc/cron-apt/action.d/3-download', mode: '0644', owner: 'root', group: 'root' }
- name: Configure cron-apt (security) - name: Configure cron-apt (security)
template: src=security.sources.list.j2 dest=/etc/apt/security.sources.list mode=0644 owner=root group=root ansible.builtin.template: src=security.sources.list.j2 dest=/etc/apt/security.sources.list mode=0644 owner=root group=root
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

View File

@ -1,20 +1,45 @@
--- ---
- name: Configure fail2ban sshd filter - name: Configure fail2ban sshd filter
template: src=etc/fail2ban/jail.d/sshd.local.j2 dest=/etc/fail2ban/jail.d/sshd.local owner=root mode=0644 ansible.builtin.template:
src: etc/fail2ban/jail.d/sshd.local.j2
dest: /etc/fail2ban/jail.d/sshd.local
owner: root
mode: 0644
notify: restart fail2ban
- name: Configure fail2ban nginx filter
when:
- extra_fail2ban_filters is defined
- "'nginx' in extra_fail2ban_filters"
ansible.builtin.template:
src: etc/fail2ban/jail.d/nginx.local.j2
dest: /etc/fail2ban/jail.d/nginx.local
owner: root
mode: 0644
notify: restart fail2ban notify: restart fail2ban
- name: Create fail2ban service override directory - name: Create fail2ban service override directory
file: path=/etc/systemd/system/fail2ban.service.d state=directory owner=root mode=0755 ansible.builtin.file:
path: /etc/systemd/system/fail2ban.service.d
state: directory
owner: root
mode: 0755
# See Arch Linux's example: https://wiki.archlinux.org/index.php/Fail2ban # See Arch Linux's example: https://wiki.archlinux.org/index.php/Fail2ban
- name: Configure fail2ban service override - name: Configure fail2ban service override
template: src=etc/systemd/system/fail2ban.service.d/override.conf.j2 dest=/etc/systemd/system/fail2ban.service.d/override.conf owner=root mode=0644 ansible.builtin.template:
src: etc/systemd/system/fail2ban.service.d/override.conf.j2
dest: /etc/systemd/system/fail2ban.service.d/override.conf
owner: root
mode: 0644
notify: notify:
- reload systemd - reload systemd
- restart fail2ban - restart fail2ban
- name: Start and enable fail2ban service - name: Start and enable fail2ban service
systemd: name=fail2ban state=started enabled=yes ansible.builtin.systemd:
name: fail2ban
state: started
enabled: true
# vim: set sw=2 ts=2: # vim: set sw=2 ts=2:

View File

@ -1,59 +1,115 @@
--- ---
# Debian 11 will use nftables directly, with no firewalld.
- block: - block:
- name: Set Debian firewall packages - name: Install Debian firewall packages
set_fact: when: ansible_distribution_major_version is version('11', '>=')
debian_firewall_packages: ansible.builtin.package:
- firewalld name:
- tidy
- fail2ban - fail2ban
- python3-systemd # for fail2ban systemd backend - libnet-ip-perl # for aggregate-cidr-addresses.pl
- nftables
- python3-systemd
- curl # for nftables update scripts
state: present
cache_valid_time: 3600
- name: Install firewalld and deps - name: Remove iptables on newer Debian
when: ansible_distribution_major_version is version('9', '>=') when: ansible_distribution_major_version is version('11', '>=')
apt: pkg={{ debian_firewall_packages }} state=present ansible.builtin.apt:
pkg: iptables
state: absent
- name: Use iptables backend in firewalld - name: Copy nftables.conf
when: ansible_distribution_major_version is version('10', '>=') when: ansible_distribution_major_version is version('11', '>=')
lineinfile: ansible.builtin.template:
dest: /etc/firewalld/firewalld.conf src: nftables.conf.j2
regexp: '^FirewallBackend=nftables$' dest: /etc/nftables.conf
line: 'FirewallBackend=iptables' owner: root
mode: 0644
notify: notify:
- restart firewalld - restart nftables
- restart fail2ban
# firewalld seems to have an issue with iptables 1.8.2 when using the nftables - name: Create /etc/nftables extra config directory
# backend. Using individual calls seems to work around it. when: ansible_distribution_major_version is version('11', '>=')
# See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931722 ansible.builtin.file:
- name: Use individual iptables calls path: /etc/nftables
when: ansible_distribution_major_version is version('10', '>=') state: directory
lineinfile: owner: root
dest: /etc/firewalld/firewalld.conf mode: 0755
regexp: '^IndividualCalls=no$'
line: 'IndividualCalls=yes'
notify:
- restart firewalld
- name: Copy firewalld public zone file - name: Copy extra nftables configuration files
when: ansible_distribution_major_version is version('9', '>=') when: ansible_distribution_major_version is version('11', '>=')
template: src=public.xml.j2 dest=/etc/firewalld/zones/public.xml owner=root mode=0600 ansible.builtin.copy:
src: "{{ item.src }}"
- name: Format public.xml firewalld zone file dest: "/etc/nftables/{{ item.src }}"
when: ansible_distribution_major_version is version('9', '>=') owner: root
command: tidy -xml -iq -m -w 0 /etc/firewalld/zones/public.xml group: root
notify: mode: 0644
- restart firewalld force: "{{ item.force }}"
- name: Copy ipsets of abusive IPs
when: ansible_distribution_major_version is version('9', '>=')
copy: src={{ item }} dest=/etc/firewalld/ipsets/{{ item }} owner=root group=root mode=0600
loop: loop:
- abusers-ipv4.xml - { src: "spamhaus-ipv4.nft", force: "no" }
- abusers-ipv6.xml - { src: "spamhaus-ipv6.nft", force: "no" }
- { src: "abusech-ipv4.nft", force: "no" }
- { src: "abuseipdb-ipv4.nft", force: "yes" }
- { src: "abuseipdb-ipv6.nft", force: "yes" }
notify: notify:
- restart firewalld - restart nftables
- restart fail2ban
- include_tasks: fail2ban.yml - name: Copy nftables update scripts
when: ansible_distribution_version is version('11', '>=')
ansible.builtin.copy:
src: "{{ item }}"
dest: "/usr/local/bin/{{ item }}"
mode: 0755
owner: root
group: root
loop:
- update-spamhaus-nftables.sh
- aggregate-cidr-addresses.pl
- update-abusech-nftables.sh
- name: Copy nftables systemd units
when: ansible_distribution_version is version('11', '>=')
ansible.builtin.copy:
src: "{{ item }}"
dest: "/etc/systemd/system/{{ item }}"
mode: 0644
owner: root
group: root
loop:
- update-spamhaus-nftables.service
- update-spamhaus-nftables.timer
- update-abusech-nftables.service
- update-abusech-nftables.timer
register: nftables_systemd_units
# need to reload to pick up service/timer/environment changes
- name: Reload systemd daemon
ansible.builtin.systemd:
daemon_reload: true
when: nftables_systemd_units is changed
- name: Start and enable nftables update timers
when: ansible_distribution_version is version('11', '>=')
ansible.builtin.systemd:
name: "{{ item }}"
state: started
enabled: true
loop:
- update-spamhaus-nftables.timer
- update-abusech-nftables.timer
- name: Start and enable nftables
when: ansible_distribution_major_version is version('11', '>=')
ansible.builtin.systemd:
name: nftables
state: started
enabled: true
- ansible.builtin.include_tasks: fail2ban.yml
when: ansible_distribution_major_version is version('9', '>=') when: ansible_distribution_major_version is version('9', '>=')
tags: firewall tags: firewall
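Review bot: two behavioural gaps. First, "Remove iptables on newer Debian" deletes the iptables package, but fail2ban's stock `banaction` is `iptables-multiport`; unless the jail templates (sshd.local.j2 and nginx.local.j2, not in this diff) set `banaction = nftables-multiport` (or the newer `nftables` action), every ban fails with a missing-binary error while the fail2ban service itself keeps running and looks healthy. Second, "Copy nftables.conf" and "Copy extra nftables configuration files" now notify only `restart nftables` and drop the `restart fail2ban` the old firewalld tasks notified, although the handlers file says fail2ban must be restarted after the firewall is rebuilt; a restart of nftables flushes fail2ban's table, so either re-add the notify or turn the handler into a reload that does not touch fail2ban's table. Consistency nits: "Copy nftables update scripts", "Copy nftables systemd units" and "Start and enable nftables update timers" test `ansible_distribution_version` where the other tasks use `ansible_distribution_major_version` (both work on Debian 11, but pick one); "Remove iptables" still calls `ansible.builtin.apt` after the series' move to `ansible.builtin.package`; `force: "no"`/`"yes"` are the string forms the rest of this series is converting to `false`/`true`; and the `include_tasks: fail2ban.yml` guard of `>= 9` is stale now that Debian 10 support is gone.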

View File

@ -1,63 +1,113 @@
--- ---
# Ubuntu 20.04 will use nftables directly, with no firewalld.
- block: - block:
- name: Set Ubuntu firewall packages - name: Install Ubuntu firewall packages
set_fact: ansible.builtin.package:
ubuntu_firewall_packages: name:
- firewalld
- tidy
- fail2ban - fail2ban
- python3-systemd # for fail2ban systemd backend - libnet-ip-perl # for aggregate-cidr-addresses.pl
- nftables
- name: Install firewalld and deps - python3-systemd
when: ansible_distribution_version is version('16.04', '>=') - curl # for nftables update scripts
apt: pkg={{ ubuntu_firewall_packages }} state=present state: present
cache_valid_time: 3600
- name: Remove ufw - name: Remove ufw
when: ansible_distribution_version is version('16.04', '>=') ansible.builtin.package:
apt: pkg=ufw state=absent name: ufw
state: absent
# I'm not sure why, but you can use firewalld with the nftables backend even - name: Copy nftables.conf
# if nftables itself is not installed. In that case the only way to see the when: ansible_distribution_version is version('20.04', '>=')
# currently active rules is with firewall-cmd. I prefer installing nftables ansible.builtin.template:
# so that we can have somewhat of a parallel with iptables: src: nftables.conf.j2
# dest: /etc/nftables.conf
# nft list ruleset owner: root
# mode: 0644
# See: https://firewalld.org/2018/07/nftables-backend
- name: Install nftables
when: ansible_distribution_version is version('20.04', '==')
apt: pkg=nftables state=present
- name: Use nftables backend in firewalld
when: ansible_distribution_version is version('20.04', '==')
lineinfile:
dest: /etc/firewalld/firewalld.conf
regexp: '^FirewallBackend=iptables$'
line: 'FirewallBackend=nftables'
notify: notify:
- restart firewalld - restart nftables
- restart fail2ban
- name: Copy firewalld public zone file - name: Create /etc/nftables extra config directory
when: ansible_distribution_version is version('16.04', '>=') when: ansible_distribution_version is version('20.04', '>=')
template: src=public.xml.j2 dest=/etc/firewalld/zones/public.xml owner=root mode=0600 ansible.builtin.file:
path: /etc/nftables
state: directory
owner: root
mode: 0755
- name: Format public.xml firewalld zone file - name: Copy extra nftables configuration files
when: ansible_distribution_version is version('16.04', '>=') when: ansible_distribution_version is version('20.04', '>=')
command: tidy -xml -iq -m -w 0 /etc/firewalld/zones/public.xml ansible.builtin.copy:
notify: src: "{{ item.src }}"
- restart firewalld dest: "/etc/nftables/{{ item.src }}"
owner: root
- name: Copy ipsets of abusive IPs group: root
when: ansible_distribution_version is version('16.04', '>=') mode: 0644
copy: src={{ item }} dest=/etc/firewalld/ipsets/{{ item }} owner=root group=root mode=0600 force: "{{ item.force }}"
loop: loop:
- abusers-ipv4.xml - { src: "spamhaus-ipv4.nft", force: "no" }
- abusers-ipv6.xml - { src: "spamhaus-ipv6.nft", force: "no" }
- { src: "abusech-ipv4.nft", force: "no" }
- { src: "abuseipdb-ipv4.nft", force: "yes" }
- { src: "abuseipdb-ipv6.nft", force: "yes" }
notify: notify:
- restart firewalld - restart nftables
- restart fail2ban
- include_tasks: fail2ban.yml - name: Copy nftables update scripts
when: ansible_distribution_version is version('20.04', '>=')
ansible.builtin.copy:
src: "{{ item }}"
dest: "/usr/local/bin/{{ item }}"
mode: 0755
owner: root
group: root
loop:
- update-spamhaus-nftables.sh
- aggregate-cidr-addresses.pl
- update-abusech-nftables.sh
- name: Copy nftables systemd units
when: ansible_distribution_version is version('20.04', '>=')
ansible.builtin.copy:
src: "{{ item }}"
dest: "/etc/systemd/system/{{ item }}"
mode: 0644
owner: root
group: root
loop:
- update-spamhaus-nftables.service
- update-spamhaus-nftables.timer
- update-abusech-nftables.service
- update-abusech-nftables.timer
register: nftables_systemd_units
# need to reload to pick up service/timer/environment changes
- name: Reload systemd daemon
ansible.builtin.systemd:
daemon_reload: true
when: nftables_systemd_units is changed
- name: Start and enable nftables update timers
when: ansible_distribution_version is version('20.04', '>=')
ansible.builtin.systemd:
name: "{{ item }}"
state: started
enabled: true
loop:
- update-spamhaus-nftables.timer
- update-abusech-nftables.timer
- name: Start and enable nftables
when: ansible_distribution_version is version('20.04', '>=')
ansible.builtin.systemd:
name: nftables
state: started
enabled: true
- ansible.builtin.include_tasks: fail2ban.yml
when: ansible_distribution_version is version('16.04', '>=') when: ansible_distribution_version is version('16.04', '>=')
tags: firewall tags: firewall
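Review bot: "Remove ufw" and the package install carry no `when`, but every nftables task is gated on `ansible_distribution_version >= 20.04`, so an Ubuntu 18.04 host (and the "Possibly only works on Ubuntu 18.04+" comments in the units suggest such hosts exist) ends up with ufw removed, nftables installed but unconfigured, and no host firewall at all. Either gate the ufw removal on the same 20.04 condition or drop pre-20.04 support outright so the play fails loudly instead. Unlike the Debian playbook this one keeps iptables, so iptables-nft and the nft ruleset coexist; that works, but fail2ban's default `iptables-multiport` action will then manage a separate iptables chain rather than anything in the nft ruleset this change builds, and the same `banaction` question applies. The `force: "no"`/`"yes"` string booleans and the `>= 16.04` guard on `include_tasks: fail2ban.yml` are the same nits as in the Debian file.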

View File

@ -1,54 +1,50 @@
--- ---
- name: Import OS-specific variables - name: Import OS-specific variables
include_vars: "vars/{{ ansible_distribution }}.yml" ansible.builtin.include_vars: "vars/{{ ansible_distribution }}.yml"
tags: always tags: always
- name: Configure network time - name: Configure network time
import_tasks: ntp.yml ansible.builtin.import_tasks: ntp.yml
tags: ntp tags: ntp
- name: Install common packages - name: Install common packages
include_tasks: packages_Debian.yml ansible.builtin.include_tasks: packages_Debian.yml
when: ansible_distribution == 'Debian' when: ansible_distribution == 'Debian'
tags: packages tags: packages
- name: Install common packages - name: Install common packages
include_tasks: packages_Ubuntu.yml ansible.builtin.include_tasks: packages_Ubuntu.yml
when: ansible_distribution == 'Ubuntu' when: ansible_distribution == 'Ubuntu'
tags: packages tags: packages
- name: Configure firewall - name: Configure firewall
include_tasks: firewall_Debian.yml ansible.builtin.include_tasks: firewall_Debian.yml
when: ansible_distribution == 'Debian' when: ansible_distribution == 'Debian'
tags: firewall tags: firewall
- name: Configure firewall - name: Configure firewall
include_tasks: firewall_Ubuntu.yml ansible.builtin.include_tasks: firewall_Ubuntu.yml
when: ansible_distribution == 'Ubuntu' when: ansible_distribution == 'Ubuntu'
tags: firewall tags: firewall
- name: Configure secure shell daemon - name: Configure secure shell daemon
import_tasks: sshd.yml ansible.builtin.import_tasks: sshd.yml
tags: sshd tags: sshd
# containers identify as virtualization hosts, which makes this tricky, because we have actual Debian VM hosts! # containers identify as virtualization hosts, which makes this tricky, because we have actual Debian VM hosts!
- name: Reconfigure /etc/sysctl.conf - name: Reconfigure /etc/sysctl.conf
when: ansible_virtualization_role != 'host' when: ansible_virtualization_role != 'host'
template: src=sysctl_{{ ansible_distribution }}.j2 dest=/etc/sysctl.conf owner=root group=root mode=0644 ansible.builtin.template: src=sysctl_{{ ansible_distribution }}.j2 dest=/etc/sysctl.conf owner=root group=root mode=0644
notify: notify:
- reload sysctl - reload sysctl
tags: sysctl tags: sysctl
- name: Reconfigure /etc/rc.local
when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('19.04', '<=')
template: src=rc.local_Ubuntu.j2 dest=/etc/rc.local owner=root group=root mode=0755
- name: Set I/O scheduler - name: Set I/O scheduler
template: src=etc/udev/rules.d/60-scheduler.rules.j2 dest=/etc/udev/rules.d/60-scheduler.rules owner=root group=root mode=0644 ansible.builtin.template: src=etc/udev/rules.d/60-scheduler.rules.j2 dest=/etc/udev/rules.d/60-scheduler.rules owner=root group=root mode=0644
tags: udev tags: udev
- name: Copy admin SSH keys - name: Copy admin SSH keys
import_tasks: ssh-keys.yml ansible.builtin.import_tasks: ssh-keys.yml
tags: ssh-keys tags: ssh-keys
# vim: set sw=2 ts=2: # vim: set sw=2 ts=2:
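Review bot: the "Reconfigure /etc/sysctl.conf" and "Set I/O scheduler" tasks were moved to the `ansible.builtin.template` name but still use the `key=value` free-form argument string, unlike the rest of the series which moves to YAML keys; converting them (`src:`, `dest:`, `owner:`, `group:`, `mode:`) would keep the file consistent and lets ansible-lint check the mode value. Removing the rc.local task is consistent with the deleted `rc.local_Ubuntu.j2` template further down, so nothing else references it.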

View File

@ -1,18 +1,27 @@
--- ---
# Hosts running Ubuntu 16.04+ and Debian 9+ use systemd init system and should # Hosts running Ubuntu 16.04+ and Debian 9+ use systemd init system and should
# use timedatectl as a network time client instead of the standalone ntp client. # use systemd-timesyncd as a network time client instead of the standalone ntp
# client.
- name: Set timezone - name: Set timezone
when: timezone is defined and ansible_service_mgr == 'systemd' when: timezone is defined and ansible_service_mgr == 'systemd'
command: /usr/bin/timedatectl set-timezone {{ timezone }} command: /usr/bin/timedatectl set-timezone {{ timezone }}
tags: timezone tags: timezone
# Apparently some cloud images don't have this installed by default. From what
# I can see on existing servers, systemd-timesyncd is a standalone package on
# Ubuntu 20.04 and Debian 11.
- name: Install systemd-timesyncd
when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or
(ansible_distribution == 'Debian' and ansible_distribution_version is version('11', '=='))
ansible.builtin.apt: name=systemd-timesyncd state=present cache_valid_time=3600
- name: Start and enable systemd's NTP client - name: Start and enable systemd's NTP client
when: ansible_service_mgr == 'systemd' when: ansible_service_mgr == 'systemd'
systemd: name=systemd-timesyncd state=started enabled=yes ansible.builtin.systemd: name=systemd-timesyncd state=started enabled=true
- name: Uninstall ntp on modern Ubuntu/Debian - name: Uninstall ntp on modern Ubuntu/Debian
apt: name=ntp state=absent update_cache=yes ansible.builtin.apt: name=ntp state=absent
when: ansible_service_mgr == 'systemd' when: ansible_service_mgr == 'systemd'
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:
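Review bot: the "Set timezone" task runs `timedatectl set-timezone` unconditionally on every play, so it always reports "changed" and is the one task in this hunk not moved to a fully qualified name (`ansible.builtin.command`). Either add a `changed_when` based on the current zone or replace it with the `community.general.timezone` module, which is idempotent and reports a change only when the zone differs. The new install task's condition looks right: Debian reports only the major number in `ansible_distribution_version`, so `version('11', '==')` matches bullseye.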

View File

@ -1,13 +1,29 @@
--- ---
- block: - name: Configure Debian packages
block:
# Create directory for third-party package signing keys. Required on distros
# older than Debian 12 / Ubuntu 22.04.
#
# See: https://wiki.debian.org/DebianRepository/UseThirdParty
- name: Create /etc/apt/keyrings
file:
path: /etc/apt/keyrings
mode: 0755
owner: root
group: root
state: directory
when: ansible_distribution_major_version is version('12', '<')
- name: Configure apt mirror - name: Configure apt mirror
template: src=sources.list.j2 dest=/etc/apt/sources.list owner=root group=root mode=0644 ansible.builtin.template: src=sources.list.j2 dest=/etc/apt/sources.list owner=root group=root mode=0644
when: ansible_architecture != 'armv7l'
- name: Set fact for base packages - name: Set fact for base packages
set_fact: ansible.builtin.set_fact:
base_packages: base_packages:
- git - git
- git-lfs
- tmux - tmux
- iotop - iotop
- htop - htop
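Review bot: the new "Create /etc/apt/keyrings" task uses the short module name `file:` while every other task in this hunk is converted to `ansible.builtin.*`; use `ansible.builtin.file` for consistency. Also, the `when: ansible_architecture != 'armv7l'` guard on "Configure apt mirror" is dropped on the new side (the Ubuntu counterpart keeps it), so the sources.list template now overwrites the mirror configuration on armv7l hosts; if that is intentional, a short comment would help, otherwise the guard should stay.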
@ -22,16 +38,18 @@
- apt-transport-https # for https support in apt - apt-transport-https # for https support in apt
- gnupg2 - gnupg2
- zstd - zstd
- rsync
- lsof
- name: Install base packages - name: Install base packages
apt: name={{ base_packages }} state=present update_cache=yes cache_valid_time=3600 ansible.builtin.apt: name={{ base_packages }} state=present cache_valid_time=3600
- name: Configure cron-apt - name: Configure cron-apt
import_tasks: cron-apt.yml ansible.builtin.import_tasks: cron-apt.yml
tags: cron-apt tags: cron-apt
- name: Install tarsnap - name: Install tarsnap
import_tasks: tarsnap.yml ansible.builtin.import_tasks: tarsnap.yml
tags: packages tags: packages
# vim: set sw=2 ts=2: # vim: set sw=2 ts=2:

View File

@ -1,17 +1,32 @@
--- ---
- block: - name: Configure Ubuntu packages
block:
# Create directory for third-party package signing keys. Required on distros
# older than Debian 12 / Ubuntu 22.04.
#
# See: https://wiki.debian.org/DebianRepository/UseThirdParty
- name: Create /etc/apt/keyrings
file:
path: /etc/apt/keyrings
mode: 0755
owner: root
group: root
state: directory
when: ansible_distribution_major_version is version('22.04', '<')
- name: Configure apt mirror - name: Configure apt mirror
template: src=sources.list.j2 dest=/etc/apt/sources.list owner=root group=root mode=0644 ansible.builtin.template: src=sources.list.j2 dest=/etc/apt/sources.list owner=root group=root mode=0644
when: ansible_architecture != 'armv7l' when: ansible_architecture != 'armv7l'
- name: Upgrade base OS - name: Upgrade base OS
apt: upgrade=dist update_cache=yes cache_valid_time=3600 ansible.builtin.apt: upgrade=dist cache_valid_time=3600
- name: Set Ubuntu base packages - name: Set Ubuntu base packages
set_fact: ansible.builtin.set_fact:
ubuntu_base_packages: ubuntu_base_packages:
- git - git
- git-lfs
- tmux - tmux
- iotop - iotop
- htop - htop
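Review bot: the guard `ansible_distribution_major_version is version('22.04', '<')` on "Create /etc/apt/keyrings" does not do what the comment says: on Ubuntu `ansible_distribution_major_version` is just "22", and "22" compares as less than "22.04", so the directory is also created on 22.04. Use `ansible_distribution_version is version('22.04', '<')` here (the Debian file compares the major version against '12', which is correct for Debian). The task also uses the short `file:` name while the rest of the hunk moves to `ansible.builtin.file`.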
@ -25,45 +40,31 @@
- unzip - unzip
- apt-transport-https # for https support in apt - apt-transport-https # for https support in apt
- zstd - zstd
- rsync
- lsof
- name: Install base packages - name: Install base packages
apt: pkg={{ ubuntu_base_packages }} state=present update_cache=yes cache_valid_time=3600 ansible.builtin.apt: pkg={{ ubuntu_base_packages }} state=present cache_valid_time=3600
# We have to remove snaps one by one in a specific order because some depend # We have to remove snaps one by one in a specific order because some depend
# on others. Only after that can we remove the corresponding system packages. # on others. Only after that can we remove the corresponding system packages.
- name: Remove lxd snap - name: Remove lxd snap
snap: name=lxd state=absent community.general.snap: name=lxd state=absent
when: ansible_distribution_version is version('20.04', '==') when: ansible_distribution_version is version('20.04', '==')
ignore_errors: yes ignore_errors: true
- name: Remove core18 snap - name: Remove core18 snap
snap: name=core18 state=absent community.general.snap: name=core18 state=absent
when: ansible_distribution_version is version('20.04', '==') when: ansible_distribution_version is version('20.04', '==')
ignore_errors: yes ignore_errors: true
- name: Remove snapd snap - name: Remove snapd snap
snap: name=snapd state=absent community.general.snap: name=snapd state=absent
when: ansible_distribution_version is version('20.04', '==') when: ansible_distribution_version is version('20.04', '==')
ignore_errors: yes ignore_errors: true
- name: Set fact for packages to remove (Ubuntu <= 18.04)
set_fact:
ubuntu_annoying_packages:
- whoopsie # security (CIS 4.1)
- apport # security (CIS 4.1)
- command-not-found # annoying
- command-not-found-data # annoying
- python3-commandnotfound # annoying
- snapd # annoying (Ubuntu >= 16.04)
- lxd # annoying (Ubuntu >= 16.04)
- lxd-client # annoying (Ubuntu >= 16.04)
- liblxc1 # annoying (Ubuntu >= 16.04)
- lxc-common # annoying (Ubuntu >= 16.04)
- lxcfs #annoying (Ubuntu >= 16.04)
when: ansible_distribution_version is version('18.04', '<=')
- name: Set fact for packages to remove (Ubuntu 20.04) - name: Set fact for packages to remove (Ubuntu 20.04)
set_fact: ansible.builtin.set_fact:
ubuntu_annoying_packages: ubuntu_annoying_packages:
- whoopsie # security (CIS 4.1) - whoopsie # security (CIS 4.1)
- apport # security (CIS 4.1) - apport # security (CIS 4.1)
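Review bot: with the "Ubuntu <= 18.04" set_fact removed, `ubuntu_annoying_packages` is only set when `ansible_distribution_version` is exactly 20.04, but the "Remove packages" task that expands it (in the next hunk) has no matching `when`, so on any other release such as 22.04 the play fails on an undefined variable unless another set_fact exists in the lines not shown here. Either guard the removal task with the same condition or give the variable a default (for example an empty list in the role defaults).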
@ -75,31 +76,31 @@
when: ansible_distribution_version is version('20.04', '==') when: ansible_distribution_version is version('20.04', '==')
- name: Remove packages - name: Remove packages
apt: name={{ ubuntu_annoying_packages }} state=absent purge=yes ansible.builtin.apt: name={{ ubuntu_annoying_packages }} state=absent purge=true
- name: Disable annoying Canonical spam in MOTD - name: Disable annoying Canonical spam in MOTD
file: path={{ item }} mode=0644 state=absent ansible.builtin.file: path={{ item }} mode=0644 state=absent
loop: loop:
- /etc/update-motd.d/99-esm # Ubuntu 14.04 - /etc/update-motd.d/99-esm # Ubuntu 14.04
- /etc/update-motd.d/10-help-text # Ubuntu 14.04+ - /etc/update-motd.d/10-help-text # Ubuntu 14.04+
- /etc/update-motd.d/50-motd-news # Ubuntu 18.04+ - /etc/update-motd.d/50-motd-news # Ubuntu 18.04+
- /etc/update-motd.d/80-esm # Ubuntu 18.04+ - /etc/update-motd.d/80-esm # Ubuntu 18.04+
- /etc/update-motd.d/80-livepatch # Ubuntu 18.04+ - /etc/update-motd.d/80-livepatch # Ubuntu 18.04+
ignore_errors: yes ignore_errors: true
- name: Disable annoying Canonical spam in MOTD - name: Disable annoying Canonical spam in MOTD
systemd: name={{ item }} state=stopped enabled=no ansible.builtin.systemd: name={{ item }} state=stopped enabled=no
when: ansible_service_mgr == 'systemd' when: ansible_service_mgr == 'systemd'
loop: loop:
- motd-news.service - motd-news.service
- motd-news.timer - motd-news.timer
- name: Configure cron-apt - name: Configure cron-apt
import_tasks: cron-apt.yml ansible.builtin.import_tasks: cron-apt.yml
tags: cron-apt tags: cron-apt
- name: Install tarsnap - name: Install tarsnap
import_tasks: tarsnap.yml ansible.builtin.import_tasks: tarsnap.yml
tags: packages tags: packages
# vim: set sw=2 ts=2: # vim: set sw=2 ts=2:
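Review bot: `mode=0644` on the first "Disable annoying Canonical spam in MOTD" task has no effect with `state=absent`, and `ignore_errors` is unnecessary there because removing a file that does not exist is a no-op; drop both. In the systemd task below, `enabled=no` is the only boolean in this hunk left in yes/no form while the others were moved to true/false; use `enabled=false` for consistency.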

View File

@ -1,9 +1,9 @@
--- ---
- name: Zero .ssh/authorized_keys for provisioning user - name: Zero .ssh/authorized_keys for provisioning user
file: dest={{ provisioning_user.home }}/.ssh/authorized_keys state=absent ansible.builtin.file: dest={{ provisioning_user.home }}/.ssh/authorized_keys state=absent
- name: Add public keys to authorized_keys - name: Add public keys to authorized_keys
authorized_key: { user: '{{ provisioning_user.name }}', key: "{{ lookup('file',item) }}" } ansible.posix.authorized_key: { user: '{{ provisioning_user.name }}', key: "{{ lookup('file',item) }}" }
with_fileglob: with_fileglob:
# use descriptive names for keys, like: aorth-mzito-rsa.pub # use descriptive names for keys, like: aorth-mzito-rsa.pub
- ssh-pub-keys/*.pub - ssh-pub-keys/*.pub
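Review bot: the first task deletes the provisioning user's authorized_keys on every run and the second rebuilds it, so the play always reports two changes and there is a brief window with no keys on the host. `ansible.posix.authorized_key` supports `exclusive: true`, which removes any key not in the supplied set while leaving the file in place; combined with a single `key` value built from the globbed files that gives the same result idempotently and without the gap.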

View File

@ -2,19 +2,45 @@
# SSH configs don't change in Debian minor versions # SSH configs don't change in Debian minor versions
- name: Reconfigure /etc/ssh/sshd_config - name: Reconfigure /etc/ssh/sshd_config
template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0600 ansible.builtin.template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0600
when: ansible_distribution == 'Debian' when: ansible_distribution == 'Debian'
notify: reload sshd notify: reload sshd
# Ubuntu is the only distro we have where SSH version is very different from 14.04 -> 14.10, # Ubuntu is the only distro we have where SSH version is very different from 14.04 -> 14.10,
# ie with new ciphers supported etc. # ie with new ciphers supported etc.
- name: Reconfigure /etc/ssh/sshd_config - name: Reconfigure /etc/ssh/sshd_config
template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0600 ansible.builtin.template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0600
when: ansible_distribution == 'Ubuntu' when: ansible_distribution == 'Ubuntu'
notify: reload sshd notify: reload sshd
# See: WeakDH (2015): https://weakdh.org/sysadmin.html
- name: Remove small Diffie-Hellman SSH moduli
block:
- name: Check unsafe Diffie-Hellman SSH moduli
ansible.builtin.shell:
cmd: awk '$5 < 3071' moduli
chdir: /etc/ssh
creates: moduli.safe
register: check_unsafe_moduli
- name: Extract safe Diffie-Hellman SSH moduli
ansible.builtin.shell:
cmd: awk '$5 >= 3071' moduli > moduli.safe
chdir: /etc/ssh
creates: moduli.safe
when: check_unsafe_moduli.stdout | length > 0
register: extract_safe_moduli
- name: Replace unsafe Diffie-Hellman SSH moduli
ansible.builtin.command:
cmd: mv moduli.safe moduli
chdir: /etc/ssh
register: replace_small_moduli
when: extract_safe_moduli is changed
notify: reload sshd
- name: Remove DSA and ECDSA host keys - name: Remove DSA and ECDSA host keys
file: name=/etc/ssh/{{ item }} state=absent ansible.builtin.file: name=/etc/ssh/{{ item }} state=absent
loop: loop:
- ssh_host_dsa_key - ssh_host_dsa_key
- ssh_host_dsa_key.pub - ssh_host_dsa_key.pub
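Review bot: "Check unsafe Diffie-Hellman SSH moduli" is a read-only command, so it should carry `changed_when: false`; as written it reports a change on every run. More importantly, it has `creates: moduli.safe`, so if a previous run was interrupted after "Extract" but before "Replace", the check is skipped, the registered result has no `stdout`, and the `check_unsafe_moduli.stdout | length > 0` condition on the next task fails with an undefined attribute. Dropping `creates` from the check task (the extract task already has it) avoids that; `register: replace_small_moduli` is unused and can go.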

View File

@ -1,24 +1,24 @@
--- ---
- name: Add Tarsnap apt mirror - name: Add Tarsnap apt mirror
template: src=tarsnap_sources.list.j2 dest=/etc/apt/sources.list.d/tarsnap.list owner=root group=root mode=0644 ansible.builtin.template: src=tarsnap_sources.list.j2 dest=/etc/apt/sources.list.d/tarsnap.list owner=root group=root mode=0644
register: add_tarsnap_apt_repository register: add_tarsnap_apt_repository
when: ansible_architecture != 'armv7l' when: ansible_architecture != 'armv7l'
- name: Add GPG key for Tarsnap - name: Add GPG key for Tarsnap
apt_key: id=0xFC72A10BF6B692AA url=https://pkg.tarsnap.com/tarsnap-deb-packaging-key.asc state=present ansible.builtin.apt_key: id=0xBF75EEAB040E447C url=https://pkg.tarsnap.com/tarsnap-deb-packaging-key.asc state=present
register: add_tarsnap_apt_key register: add_tarsnap_apt_key
- name: Update apt cache - name: Update apt cache
apt: ansible.builtin.apt:
update_cache: yes update_cache: true
when: when:
add_tarsnap_apt_key is changed or add_tarsnap_apt_key is changed or
add_tarsnap_apt_repository is changed add_tarsnap_apt_repository is changed
- name: Install tarsnap - name: Install tarsnap
apt: pkg=tarsnap cache_valid_time=3600 ansible.builtin.apt: pkg=tarsnap cache_valid_time=3600
- name: Copy tarsnaprc - name: Copy tarsnaprc
copy: src=tarsnaprc dest=/root/.tarsnaprc owner=root group=root mode=0600 ansible.builtin.copy: src=tarsnaprc dest=/root/.tarsnaprc owner=root group=root mode=0600
# vim: set sw=2 ts=2: # vim: set sw=2 ts=2:
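Review bot: this hunk keeps `ansible.builtin.apt_key`, while the MariaDB tasks later in this same series drop apt_key in favour of a key file under /etc/apt/keyrings referenced with `signed-by=` in the repo line. Since apt-key is deprecated, the Tarsnap key should get the same treatment: `get_url` the .asc into /etc/apt/keyrings and add `[signed-by=/etc/apt/keyrings/<file>]` to the sources template, which also scopes the key to that one repository instead of trusting it for all of them. The key id changes from 0xFC72A10BF6B692AA to 0xBF75EEAB040E447C here; a one-line comment noting the rotation would help the next reader.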

View File

@ -0,0 +1,13 @@
[nginx]
enabled = true
# See: /etc/fail2ban/filter.d/nginx-botsearch.conf
filter = nginx-botsearch
# Integrate with nftables
banaction=nftables[type=allports]
backend = pyinotify
logpath = /var/log/nginx/*-access.log
# Try to find a non-existent wp-login.php once and get banned. Tough luck.
maxretry = 1
findtime = {{ fail2ban_findtime }}
bantime = {{ fail2ban_bantime }}
ignoreip = {{ fail2ban_ignoreip }}
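Review bot: `backend = pyinotify` needs the python3-pyinotify package on the host and nothing in this series installs it; if it is missing fail2ban refuses to start the jail, so either add the package to the base package list or use `backend = auto`, which falls back to polling. With `maxretry = 1` and `type=allports`, a single probe bans the source from every service, so make sure `fail2ban_ignoreip` includes any monitoring or scanning hosts. Style: `banaction=nftables[type=allports]` is the only key in the file without spaces around `=`.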

View File

@ -2,8 +2,8 @@
enabled = true enabled = true
# See: /etc/fail2ban/filter.d/sshd.conf # See: /etc/fail2ban/filter.d/sshd.conf
filter = sshd filter = sshd
# Integrate with firewalld and ipsets # Integrate with nftables
banaction = firewallcmd-ipset banaction=nftables[type=allports]
backend = systemd backend = systemd
maxretry = {{ fail2ban_maxretry }} maxretry = {{ fail2ban_maxretry }}
findtime = {{ fail2ban_findtime }} findtime = {{ fail2ban_findtime }}
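Review bot: `banaction=nftables[type=allports]` is written without spaces around `=`, unlike every other key in this file; use `banaction = nftables[type=allports]` for consistency with the surrounding lines.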

View File

@ -2,14 +2,14 @@
PrivateDevices=yes PrivateDevices=yes
PrivateTmp=yes PrivateTmp=yes
ProtectHome=read-only ProtectHome=read-only
{% if ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=') %} {% if (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11','>=')) %}
ProtectSystem=strict ProtectSystem=strict
{% else %} {% else %}
{# Older systemd versions don't have ProtectSystem=strict #} {# Older systemd versions don't have ProtectSystem=strict #}
ProtectSystem=full ProtectSystem=full
{% endif %} {% endif %}
NoNewPrivileges=yes NoNewPrivileges=yes
{% if ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=') %} {% if (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11','>=')) %}
ReadWritePaths=-/var/run/fail2ban ReadWritePaths=-/var/run/fail2ban
ReadWritePaths=-/var/lib/fail2ban ReadWritePaths=-/var/lib/fail2ban
ReadWritePaths=-/var/log/fail2ban.log ReadWritePaths=-/var/log/fail2ban.log
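Review bot: the same distribution/version condition is now repeated verbatim in two `{% if %}` blocks, and the two already diverged once before (the second block gates the ReadWritePaths lines). Compute it once at the top, for example `{% set strict_ok = (ansible_distribution == 'Ubuntu' and ...) or (ansible_distribution == 'Debian' and ...) %}`, and test `{% if strict_ok %}` in both places so the ProtectSystem=strict setting and its ReadWritePaths exceptions can never get out of sync.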

View File

@ -0,0 +1,116 @@
#!/usr/sbin/nft -f
#
# Initially based on: https://wiki.nftables.org/wiki-nftables/index.php/Simple_ruleset_for_a_server
#
flush ruleset
# Lists updated daily by update-spamhaus-nftables.sh
include "/etc/nftables/spamhaus-ipv4.nft"
include "/etc/nftables/spamhaus-ipv6.nft"
# Lists updated monthly (manually)
include "/etc/nftables/abuseipdb-ipv4.nft"
include "/etc/nftables/abuseipdb-ipv6.nft"
# Lists updated daily by update-abusech-nftables.sh
include "/etc/nftables/abusech-ipv4.nft"
# Notes:
# - tables hold chains, chains hold rules
# - inet is for both ipv4 and ipv6
table inet filter {
set spamhaus-ipv4 {
type ipv4_addr
# if the set contains prefixes we need to use the interval flag
flags interval
elements = $SPAMHAUS_IPV4
}
set spamhaus-ipv6 {
type ipv6_addr
flags interval
elements = $SPAMHAUS_IPV6
}
set abusech-ipv4 {
type ipv4_addr
elements = $ABUSECH_IPV4
}
set abuseipdb-ipv4 {
type ipv4_addr
elements = $ABUSEIPDB_IPV4
}
set abuseipdb-ipv6 {
type ipv6_addr
elements = $ABUSEIPDB_IPV6
}
chain input {
type filter hook input priority 0;
ct state {established, related} accept comment "Allow traffic from established and related packets"
ct state invalid counter drop comment "Early drop of invalid connections"
ip saddr @spamhaus-ipv4 counter drop comment "Early drop of incoming packets matching spamhaus-ipv4 list"
ip6 saddr @spamhaus-ipv6 counter drop comment "Early drop of incoming packets matching spamhaus-ipv6 list"
ip saddr @abusech-ipv4 counter drop comment "Early drop of packets matching abusech-ipv4 list"
ip saddr @abuseipdb-ipv4 counter drop comment "Early drop of incoming packets matching abuseipdb-ipv4 list"
ip6 saddr @abuseipdb-ipv6 counter drop comment "Early drop of incoming packets matching abuseipdb-ipv6 list"
iifname lo accept comment "Allow from loopback"
ip protocol icmp limit rate 4/second accept comment "Allow ICMP"
ip6 nexthdr ipv6-icmp limit rate 4/second accept comment "Allow IPv6 ICMP"
ip protocol igmp limit rate 4/second accept comment "Allow IGMP"
{# SSH rules #}
ip saddr 0.0.0.0/0 ct state new tcp dport 22 counter accept comment "Allow SSH"
ip6 saddr ::/0 ct state new tcp dport 22 counter accept comment "Allow SSH"
{# Web rules #}
{% if 'web' in group_names %}
ip saddr 0.0.0.0/0 ct state new tcp dport 80 counter accept comment "Allow HTTP"
ip saddr 0.0.0.0/0 ct state new tcp dport 443 counter accept comment "Allow HTTPS"
ip6 saddr ::/0 ct state new tcp dport 80 counter accept comment "Allow HTTP"
ip6 saddr ::/0 ct state new tcp dport 443 counter accept comment "Allow HTTPS"
{% endif %}
ip saddr 0.0.0.0/0 ct state new udp dport 60001-60003 counter accept comment "Allow mosh"
ip6 saddr ::/0 ct state new udp dport 60001-60003 counter accept comment "Allow mosh"
{# Extra rules #}
{% if extra_iptables_rules is defined %}
{% for rule in extra_iptables_rules %}
ip saddr {{ ghetto_ipsets[rule.acl].src }} ct state new {{ rule.protocol }} dport {{ rule.port }} counter accept
{% if ghetto_ipsets[rule.acl].ipv6src is defined %}
ip6 saddr {{ ghetto_ipsets[rule.acl].ipv6src }} ct state new {{ rule.protocol }} dport {{ rule.port }} counter accept
{% endif %}
{% endfor %}
{% endif %}
# everything else
reject with icmpx type port-unreachable
}
chain forward {
type filter hook forward priority 0;
}
chain output {
type filter hook output priority 0;
ip daddr @spamhaus-ipv4 counter drop comment "Drop outgoing packets matching spamhaus-ipv4 list"
ip6 daddr @spamhaus-ipv6 counter drop comment "Drop outgoing packets matching spamhaus-ipv6 list"
ip daddr @abusech-ipv4 counter drop comment "Drop outgoing packets matching abusech-ipv4 list"
ip daddr @abuseipdb-ipv4 counter drop comment "Drop outgoing packets matching abuseipdb-ipv4 list"
ip6 daddr @abuseipdb-ipv6 counter drop comment "Drop outgoing packets matching abuseipdb-ipv6 list"
}
}
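Review bot: neither the input nor the forward chain declares a policy, so both default to accept; the input chain only blocks because of the final `reject` line, and the forward chain accepts everything, which matters on the Debian VM hosts mentioned elsewhere in this series if IP forwarding is on. Add `policy drop;` to both hook lines (and keep the explicit reject for the ICMP response) so a partial or failed load still fails closed. Two further checks: `ip6 nexthdr ipv6-icmp limit rate 4/second` also rate-limits neighbour discovery, which can break IPv6 connectivity under load, so consider accepting ND/router-advertisement ICMPv6 types before the limit; and the abusech/abuseipdb sets lack `flags interval`, so the ruleset will refuse to load if those lists ever contain CIDR prefixes (the copied aggregate-cidr-addresses.pl suggests they may).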

View File

@ -1,72 +0,0 @@
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<interface name="{{ ansible_default_ipv4.interface }}"/>
{# ssh rules #}
<rule family="ipv4">
<source address="0.0.0.0/0"/>
<port protocol="tcp" port="22"/>
<accept/>
</rule>
{# ipv6 ssh rules #}
<rule family="ipv6">
<source address="::/0"/>
<port protocol="tcp" port="22"/>
<accept/>
</rule>
{# web rules #}
<rule family="ipv4">
<source address="0.0.0.0/0"/>
<port protocol="tcp" port="80"/>
<accept/>
</rule>
{# ipv6 web rules #}
<rule family="ipv6">
<source address="::/0"/>
<port protocol="tcp" port="80"/>
<accept/>
</rule>
{# munin rules #}
{% if munin_master_host is defined %}
<rule family="ipv4">
<source address="{{ ghetto_ipsets[munin_master_host].src }}"/>
<port protocol="tcp" port="{{ munin_node_port }}"/>
<accept/>
</rule>
{% endif %}
{# extra rules #}
{% if extra_iptables_rules is defined %}
{% for rule in extra_iptables_rules %}
<rule family="ipv4">
<source address="{{ ghetto_ipsets[rule.acl].src }}"/>
<port protocol="{{ rule.protocol }}" port="{{ rule.port }}"/>
<accept/>
</rule>
{# ipv6 extra rules #}
{% if ghetto_ipsets[rule.acl].ipv6src is defined %}
<rule family="ipv6">
<source address="{{ ghetto_ipsets[rule.acl].ipv6src }}"/>
<port protocol="{{ rule.protocol }}" port="{{ rule.port }}"/>
<accept/>
</rule>
{% endif %}
{% endfor %}
{% endif %}
<rule>
<source ipset="abusers-ipv4"/>
<drop/>
</rule>
<rule>
<source ipset="abusers-ipv6"/>
<drop/>
</rule>
</zone>
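Review bot: the deleted zone allowed `munin_node_port` from `ghetto_ipsets[munin_master_host].src` when `munin_master_host` is defined, but the new nftables template in this series has no munin rule at all, so monitoring of any host that still runs munin-node stops working after the switch. Either add an equivalent rule to nftables.conf.j2 or add the port via `extra_iptables_rules` for those hosts, and say which in the commit message.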

View File

@ -1,14 +0,0 @@
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
exit 0

View File

@ -9,7 +9,7 @@ deb http://security.ubuntu.com/ubuntu/ {{ ansible_distribution_release }}-securi
{% set apt_mirror = apt_mirror | default('deb.debian.org') %} {% set apt_mirror = apt_mirror | default('deb.debian.org') %}
deb http://{{ apt_mirror }}/debian/ {{ ansible_distribution_release }} main contrib non-free deb http://{{ apt_mirror }}/debian/ {{ ansible_distribution_release }} main contrib non-free
deb http://security.debian.org/debian-security {{ ansible_distribution_release }}/updates main contrib non-free deb http://security.debian.org/debian-security {{ ansible_distribution_release }}-security main contrib non-free
deb http://{{ apt_mirror }}/debian/ {{ ansible_distribution_release }}-updates main contrib non-free deb http://{{ apt_mirror }}/debian/ {{ ansible_distribution_release }}-updates main contrib non-free
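Review bot: the `{{ ansible_distribution_release }}-security` suite name only exists from bullseye (Debian 11) onward; buster and earlier use `{{ ansible_distribution_release }}/updates`, so this template breaks any remaining Debian 10 host unless those are dropped from the inventory. Since `apt-transport-https` is in the base package list, the security line (and the mirror lines) could also use `https://`.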

View File

@ -1,4 +1,4 @@
# $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $ # $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See # This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information. # sshd_config(5) for more information.
@ -10,6 +10,8 @@
# possible, but leave them commented. Uncommented options override the # possible, but leave them commented. Uncommented options override the
# default value. # default value.
Include /etc/ssh/sshd_config.d/*.conf
#Port 22 #Port 22
#AddressFamily any #AddressFamily any
#ListenAddress 0.0.0.0 #ListenAddress 0.0.0.0
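Review bot: placing `Include /etc/ssh/sshd_config.d/*.conf` at the top means every drop-in takes precedence over the hardened settings further down, because sshd uses the first value it reads for each keyword. Cloud images commonly ship such a drop-in (cloud-init writes one that sets `PasswordAuthentication yes`), which would silently override the template's Ciphers/MACs/KexAlgorithms and auth settings. Either move the Include to the end of the file or have the role manage the sshd_config.d directory (remove or overwrite unmanaged files) so the effective policy stays the one in the template.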
@ -94,7 +96,6 @@ X11Forwarding no
PrintMotd no PrintMotd no
#PrintLastLog yes #PrintLastLog yes
#TCPKeepAlive yes #TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no #PermitUserEnvironment no
#Compression delayed #Compression delayed
#ClientAliveInterval 0 #ClientAliveInterval 0
@ -122,12 +123,21 @@ Subsystem sftp /usr/lib/openssh/sftp-server
# PermitTTY no # PermitTTY no
# ForceCommand cvs server # ForceCommand cvs server
# Originally from: https://stribika.github.io/2015/01/04/secure-secure-shell.html # Based on the ssh-audit profile for OpenSSH 8.4, but with but with all algos
# ... but with ciphers and MACs with < 256 bits removed, as NSA's Suite B now # with less than 256 bits removed, as NSA's Suite B removed them years ago and
# does away with these! See: https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml # the new (2018) CNSA suite is 256 bits and up.
#
# See: https://github.com/jtesta/ssh-audit/blob/master/src/ssh_audit/policy.py
# See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
# only allow shell access by provisioning user {% if ssh_allowed_users is defined and ssh_allowed_users %}
AllowUsers {{ provisioning_user.name }} # Is there a list of allowed users?
# Is it populated? (An empty list is 'None', which evaluates as False in Python)
# merge the items of a list into one string using a space as a separator
# http://jinja.pocoo.org/docs/dev/templates/#join
AllowUsers {{ ssh_allowed_users|join(" ") }} {{ provisioning_user.name }}
{% endif %}
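Review bot: the new comment reads "but with but with all algos" (duplicated words). The claim that everything under 256 bits is removed also does not match the KexAlgorithms line: `diffie-hellman-group14-sha256` is the fixed 2048-bit MODP group, roughly 112-bit security, and the sshd.yml task in this series strips moduli below 3071 bits for group-exchange while leaving this smaller fixed group enabled. Either drop group14 or reword the comment to say it is kept for compatibility.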

View File

@ -128,8 +128,8 @@ PasswordAuthentication yes
# ... but with ciphers and MACs with < 256 bits removed, as NSA's Suite B now # ... but with ciphers and MACs with < 256 bits removed, as NSA's Suite B now
# does away with these! See: https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml # does away with these! See: https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256 MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
{% if ssh_allowed_users is defined and ssh_allowed_users %} {% if ssh_allowed_users is defined and ssh_allowed_users %}
# Is there a list of allowed users? # Is there a list of allowed users?
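Review bot: the algorithm lines are updated to match the Debian template, but the two comment lines above them still describe the old stribika/Suite B origin; copy the rewritten comment from the Debian template (ssh-audit profile, CNSA) so the two files explain the same list the same way.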

View File

@ -1,5 +1,5 @@
--- ---
# file: roles/mariadb/defaults/main.yml # ansible.builtin.file: roles/mariadb/defaults/main.yml
# #
# Based on my running of mysqltuner.pl on a host with three WordPress databases # Based on my running of mysqltuner.pl on a host with three WordPress databases
# #
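Review bot: the comment `# file: roles/mariadb/defaults/main.yml` was caught by the module-name search and replace and now reads `# ansible.builtin.file: roles/mariadb/defaults/main.yml`; restore the original comment, and check the other files touched by the same replacement for the same accident.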
@ -17,7 +17,7 @@ innodb_buffer_pool_size: 256M
# Ansible 2.7.x with PyMySQL seems to default to TCP connection so we should # Ansible 2.7.x with PyMySQL seems to default to TCP connection so we should
# force it to use a Unix socket. # force it to use a Unix socket.
# See: https://github.com/ansible/ansible/issues/47736 # See: https://github.com/ansible/ansible/issues/47736
mariadb_login_unix_socket: /var/run/mysqld/mysqld.sock mariadb_login_unix_socket: /run/mysqld/mysqld.sock
# default is 100 but the max I've seen used is 5, so let's reduce it # default is 100 but the max I've seen used is 5, so let's reduce it
max_connections: 33 max_connections: 33

View File

@ -1,5 +1,5 @@
--- ---
- name: restart mariadb - name: restart mariadb
systemd: name=mariadb state=restarted ansible.builtin.systemd: name=mariadb state=restarted
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

View File

@ -1,57 +1,110 @@
--- ---
- name: Add GPG key for MariaDB repo - name: Remove MariaDB key from apt-key
apt_key: id=0x177F4010FE56CA3336300305F1656F24C74CD1D8 url=https://mariadb.org/mariadb_release_signing_key.asc ansible.builtin.apt_key:
register: add_mariadb_apt_key id: 0x177F4010FE56CA3336300305F1656F24C74CD1D8
tags: mariadb, packages state: absent
tags:
- packages
- mariadb
- name: Add MariaDB 10.5 repo - name: Check MariaDB package signing key
template: src=mariadb.list.j2 dest=/etc/apt/sources.list.d/mariadb.list owner=root group=root mode=0644 ansible.builtin.stat:
path: /etc/apt/keyrings/mariadb_release_signing_key.asc
register: mariadb_signing_key_stat
tags:
- packages
- mariadb
- name: Download MariaDB package signing key
ansible.builtin.get_url:
url: https://mariadb.org/mariadb_release_signing_key.asc
dest: /etc/apt/keyrings/mariadb_release_signing_key.asc
owner: root
group: root
mode: 0644
register: download_mariadb_signing_key
when: not mariadb_signing_key_stat.stat.exists
tags:
- packages
- mariadb
- name: Add MariaDB 10.6 repo
ansible.builtin.apt_repository:
repo: 'deb [arch=amd64 signed-by=/etc/apt/keyrings/mariadb_release_signing_key.asc] https://dlm.mariadb.com/repo/mariadb-server/10.6/repo/debian {{ ansible_distribution_release }} main'
filename: mariadb
state: present
register: add_mariadb_apt_repository register: add_mariadb_apt_repository
tags: mariadb, packages tags:
- packages
- mariadb
- name: Update apt cache - name: Update apt cache
apt: ansible.builtin.apt: # noqa no-handler
update_cache: yes update_cache: true
when: when:
add_mariadb_apt_key is changed or (download_mariadb_signing_key.status_code is defined and download_mariadb_signing_key.status_code == 200) or
add_mariadb_apt_repository is changed add_mariadb_apt_repository is changed
tags:
- packages
- mariadb
- name: Install mariadb-server - name: Install mariadb-server
apt: name={{ item }} state=present cache_valid_time=3600 ansible.builtin.apt:
loop: name: ['mariadb-server', 'python3-pymysql']
- mariadb-server state: present
- python3-pymysql # for ansible cache_valid_time: 3600
tags: mariadb, packages tags: mariadb, packages
- name: Create system my.cnf - name: Create system my.cnf
template: src=my.cnf.j2 dest=/etc/mysql/my.cnf owner=root group=root mode=0644 ansible.builtin.template:
src: my.cnf.j2
dest: /etc/mysql/my.cnf
owner: root
group: root
mode: 0644
notify: notify:
- restart mariadb - restart mariadb
tags: mariadb tags: mariadb
# 'localhost' needs to be the last item for idempotency, see # See: https://docs.ansible.com/ansible/latest/collections/community/mysql/mysql_user_module.html
# https://docs.ansible.com/ansible/latest/mysql_user_module.html
- name: Update MariaDB root password for all root accounts - name: Update MariaDB root password for all root accounts
mysql_user: name=root host={{ item }} password={{ mariadb_root_password }} login_unix_socket={{ mariadb_login_unix_socket }} community.mysql.mysql_user:
name: root
host: "{{ item }}"
password: "{{ mariadb_root_password }}"
login_unix_socket: "{{ mariadb_login_unix_socket }}"
loop: loop:
- "{{ inventory_hostname }}"
- 127.0.0.1 - 127.0.0.1
- ::1 - ::1
- localhost
tags: mariadb tags: mariadb
- name: Create .my.conf file with root credentials - name: Create .my.conf file with root credentials
template: src=.my.cnf.j2 dest=/root/.my.cnf owner=root mode=0600 ansible.builtin.template:
src: .my.cnf.j2
dest: /root/.my.cnf
owner: root
mode: 0600
tags: mariadb tags: mariadb
# See: https://docs.ansible.com/ansible/latest/collections/community/mysql/mysql_db_module.html
- name: Create MariaDB database(s) - name: Create MariaDB database(s)
mysql_db: db={{ item.name }} state=present encoding=utf8mb4 community.mysql.mysql_db:
db: "{{ item.name }}"
state: present
encoding: utf8mb4
login_unix_socket: "{{ mariadb_login_unix_socket }}"
loop: "{{ mariadb_databases }}" loop: "{{ mariadb_databases }}"
when: mariadb_databases is defined when: mariadb_databases is defined
tags: mariadb tags: mariadb
- name: Create MariaDB user(s) - name: Create MariaDB user(s)
mysql_user: name={{ item.user }} password={{ item.pass }} priv={{ item.name }}.*:ALL host=127.0.0.1 state=present community.mysql.mysql_user:
name: "{{ item.user }}"
password: "{{ item.pass }}"
priv: "{{ item.name }}.*:ALL"
host: 127.0.0.1
state: present
login_unix_socket: "{{ mariadb_login_unix_socket }}"
loop: "{{ mariadb_databases }}" loop: "{{ mariadb_databases }}"
when: mariadb_databases is defined when: mariadb_databases is defined
tags: mariadb tags: mariadb
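Review bot: the signing key is now fetched with `get_url` and nothing verifies what was downloaded, whereas the removed `apt_key` task pinned the key to fingerprint `0x177F4010FE56CA3336300305F1656F24C74CD1D8`; add a `checksum: sha256:...` to the 'Download MariaDB package signing key' task (the dhparam download in vhosts.yml in this same change set shows the pattern) so a substituted key cannot land in /etc/apt/keyrings and be trusted by `signed-by=`. Two smaller points: the `when:` on 'Update apt cache' tests `download_mariadb_signing_key.status_code == 200`, which is true for any successful fetch, so `download_mariadb_signing_key is changed` is simpler and mirrors the repository condition; and 'Install mariadb-server' keeps the inline `tags: mariadb, packages` while the tasks above switched to list form. Also, the root-password loop dropped `localhost` and `{{ inventory_hostname }}`, so root@localhost keeps whatever authentication it already has; if that is deliberate (unix_socket auth, which is why `login_unix_socket` works), a one-line comment saying so would save the next reader from "fixing" it.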

View File

@ -1,3 +0,0 @@
{{ ansible_managed | comment }}
deb [arch=amd64] http://mirror.23media.de/mariadb/repo/10.5/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} main

View File

@ -19,14 +19,14 @@
# Remember to edit /etc/mysql/debian.cnf when changing the socket location. # Remember to edit /etc/mysql/debian.cnf when changing the socket location.
[client] [client]
port = 3306 port = 3306
socket = /var/run/mysqld/mysqld.sock socket = /run/mysqld/mysqld.sock
# Here is entries for some specific programs # Here is entries for some specific programs
# The following values assume you have at least 32M ram # The following values assume you have at least 32M ram
# This was formally known as [safe_mysqld]. Both versions are currently parsed. # This was formally known as [safe_mysqld]. Both versions are currently parsed.
[mysqld_safe] [mysqld_safe]
socket = /var/run/mysqld/mysqld.sock socket = /run/mysqld/mysqld.sock
nice = 0 nice = 0
[mysqld] [mysqld]
@ -34,8 +34,8 @@ nice = 0
# * Basic Settings # * Basic Settings
# #
user = mysql user = mysql
pid-file = /var/run/mysqld/mysqld.pid pid-file = /run/mysqld/mysqld.pid
socket = /var/run/mysqld/mysqld.sock socket = /run/mysqld/mysqld.sock
port = 3306 port = 3306
basedir = /usr basedir = /usr
datadir = /var/lib/mysql datadir = /var/lib/mysql
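Review bot: the socket path changes from /var/run/mysqld/mysqld.sock to /run/mysqld/mysqld.sock in three places, and the comment at the top of the hunk says /etc/mysql/debian.cnf must be edited when the socket location changes; this change set does not touch debian.cnf, and `mariadb_login_unix_socket` (used by the mysql_user and mysql_db tasks) must resolve to the same path or those tasks cannot connect. On Debian and Ubuntu /var/run is a symlink to /run, so both spellings name the same socket file, which makes the edit safe but also purely cosmetic unless every other reference is updated the same way.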

View File

@ -1,4 +1,4 @@
--- ---
# file: roles/munin/handlers/main.yml # ansible.builtin.file: roles/munin/handlers/main.yml
- name: restart munin-node - name: restart munin-node
systemd: name=munin-node state=restarted ansible.builtin.systemd: name=munin-node state=restarted
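Review bot: the `# file: roles/munin/handlers/main.yml` comment was caught by the FQCN search-and-replace and now reads `# ansible.builtin.file: roles/munin/handlers/main.yml`; it is a path comment, not a module call, so restore it to `# file: roles/munin/handlers/main.yml`.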

View File

@ -1,8 +1,8 @@
--- ---
- name: Configure munin scraper - name: Configure munin scraper
import_tasks: munin.yml ansible.builtin.import_tasks: munin.yml
tags: munin tags: munin
- name: Configure munin listener - name: Configure munin listener
import_tasks: munin-node.yml ansible.builtin.import_tasks: munin-node.yml
tags: munin-node tags: munin-node

View File

@ -1,25 +1,25 @@
--- ---
- name: Install munin-node - name: Install munin-node
apt: name=munin-node state=present ansible.builtin.apt: name=munin-node state=present
tags: packages tags: packages
# some nice things to have for munin-node on Ubuntu # some nice things to have for munin-node on Ubuntu
# libwww-perl: for munin's nginx_status check # libwww-perl: for munin's nginx_status check
- name: Install munin-node deps - name: Install munin-node deps
apt: name=libwww-perl state=present ansible.builtin.apt: name=libwww-perl state=present
tags: packages tags: packages
- name: Create munin-node.conf - name: Create munin-node.conf
template: src=munin-node.conf.j2 dest=/etc/munin/munin-node.conf ansible.builtin.template: src=munin-node.conf.j2 dest=/etc/munin/munin-node.conf
notify: notify:
- restart munin-node - restart munin-node
- name: Configure munin-node - name: Configure munin-node
shell: munin-node-configure --shell --families=contrib,auto | sh -x ansible.builtin.shell: munin-node-configure --shell --families=contrib,auto | sh -x
notify: notify:
- restart munin-node - restart munin-node
- name: Start munin-node - name: Start munin-node
systemd: name=munin-node state=started enabled=true ansible.builtin.systemd: name=munin-node state=started enabled=true
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:
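Review bot: 'Configure munin-node' runs `munin-node-configure --shell --families=contrib,auto | sh -x` on every play with no `creates:` or `changed_when:`, so it always reports changed and always notifies `restart munin-node`; add a `changed_when:` based on the command's output (or a `creates:` on a plugin link it produces) so the restart fires only when the plugin set actually changes. Minor: the munin-node.conf template sets no owner/group/mode, unlike the munin.conf template in the sibling file.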

View File

@ -1,9 +1,9 @@
--- ---
- name: Install munin package - name: Install munin package
apt: name=munin state=present ansible.builtin.apt: name=munin state=present
tags: packages tags: packages
- name: Create munin configuration file - name: Create munin configuration file
template: src=munin.conf.j2 dest=/etc/munin/munin.conf owner=root group=root mode=0644 ansible.builtin.template: src=munin.conf.j2 dest=/etc/munin/munin.conf owner=root group=root mode=0644
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

View File

@ -1,5 +1,5 @@
--- ---
# file: roles/nginx/defaults/main.yml # ansible.builtin.file: roles/nginx/defaults/main.yml
# path config # path config
nginx_confd_path: /etc/nginx/conf.d nginx_confd_path: /etc/nginx/conf.d
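Review bot: same search-and-replace slip as in the munin handlers file: `# file: roles/nginx/defaults/main.yml` became `# ansible.builtin.file: roles/nginx/defaults/main.yml`; this is a path comment and should read `# file: roles/nginx/defaults/main.yml`.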
@ -20,18 +20,25 @@ nginx_ssl_protocols: 'TLSv1.2 TLSv1.3'
# See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling # See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
nginx_ssl_stapling_resolver: '1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]' nginx_ssl_stapling_resolver: '1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]'
# install certbot + dependencies? # HTTP Strict-Transport-Security header, recommended by Google to be ~1 year
# True unless you're in development and using "localhost" + snakeoil certs # in seconds, see: https://hstspreload.org/
use_letsencrypt: True nginx_hsts_max_age: 31536000
# install acme.sh?
# true unless you're in development and using "localhost" + snakeoil certs
use_letsencrypt: true
# Directory root for Let's Encrypt certs # Directory root for Let's Encrypt certs
letsencrypt_root: /etc/letsencrypt/live letsencrypt_root: /etc/ssl
# Location of Let's Encrypt's certbot script # Location where to save initial acme.sh script. After installation the script
letsencrypt_certbot_dest: /opt/certbot-auto # will automatically create its home in the /root/.acme.sh directory (including
# a copy of the script itself). The initial script is not needed after.
letsencrypt_acme_script_temp: /root/acme.sh
letsencrypt_acme_home: /root/.acme.sh
# stable is 1.18.x # stable is 1.20.x
# mainline is 1.19.x # mainline is 1.21.x
nginx_version: mainline nginx_version: mainline
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:
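Review bot: `letsencrypt_root` moves from /etc/letsencrypt/live to /etc/ssl, and the vhost template now derives `{{ letsencrypt_root }}/certs/<domain>.fullchain.pem` and `{{ letsencrypt_root }}/private/<domain>.key.pem` from it, but nothing in the letsencrypt.yml hunk of this change set issues or installs a certificate at those paths (the timer only runs `--cron`). Document here, next to the variable, that the initial `acme.sh --issue` and `--install-cert --fullchain-file ... --key-file ...` step is manual and must write to exactly these paths; otherwise the default silently points nginx at files that do not exist. The `nginx_hsts_max_age: 31536000` addition is good; the comment could say it is one year in seconds so the unit is obvious.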

View File

@ -15,3 +15,6 @@ add_header X-XSS-Protection "1; mode=block" always;
# CSP can be quite difficult to configure, and cause real issues if you get it wrong # CSP can be quite difficult to configure, and cause real issues if you get it wrong
# There is website that helps you generate a policy here http://cspisawesome.com/ # There is website that helps you generate a policy here http://cspisawesome.com/
# add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' https://www.google-analytics.com;" always; # add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' https://www.google-analytics.com;" always;
# Opt this site out of Google Chrome's Federated Learning of Cohorts (FLoC)
add_header Permissions-Policy interest-cohort=() always;
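Review bot: style only: every other `add_header` value in this file is double-quoted; write `add_header Permissions-Policy "interest-cohort=()" always;` for consistency (nginx accepts the bare token, but quoting keeps future values with spaces from silently breaking the line).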

View File

@ -1,3 +0,0 @@
#!/usr/bin/env bash
/bin/systemctl start nginx

View File

@ -1,3 +0,0 @@
#!/usr/bin/env bash
/bin/systemctl stop nginx

View File

@ -1,5 +1,5 @@
--- ---
- name: reload nginx - name: reload nginx
systemd: name=nginx state=reloaded ansible.builtin.systemd: name=nginx state=reloaded
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

View File

@ -1,137 +1,91 @@
--- ---
# Use acme.sh instead of certbot because they only support installation via
# snap now.
- block: - block:
- name: Remove certbot
ansible.builtin.apt:
name: certbot
state: absent
- name: Remove old certbot post and pre hooks for nginx
ansible.builtin.file:
dest: "{{ item }}"
state: absent
with_items:
- /etc/letsencrypt/renewal-hooks/pre/stop-nginx.sh
- /etc/letsencrypt/renewal-hooks/post/start-nginx.sh
- name: Check if acme.sh is installed
ansible.builtin.stat:
path: "{{ letsencrypt_acme_home }}"
register: acme_home
- name: Download acme.sh
ansible.builtin.get_url:
url: https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh
dest: "{{ letsencrypt_acme_script_temp }}"
mode: 0700
register: acme_download
when: not acme_home.stat.exists
# Run the "install" for acme.sh so it creates the .acme.sh dir (currently I
# have to chdir to the /root directory where the script exists or else it
# fails. Ansible runs it, but the script can't find itself...).
- name: Install acme.sh
ansible.builtin.command:
cmd: "{{ letsencrypt_acme_script_temp }} --install --no-profile --no-cron"
creates: "{{ letsencrypt_acme_home }}/acme.sh"
chdir: /root
register: acme_install
when: acme_download is changed
- name: Remove temporary acme.sh script
ansible.builtin.file:
dest: "{{ letsencrypt_acme_script_temp }}"
state: absent
when:
- acme_install.rc is defined
- acme_install.rc == 0
- name: Set default certificate authority for acme.sh
ansible.builtin.command:
cmd: "{{ letsencrypt_acme_home }}/acme.sh --set-default-ca --server letsencrypt"
- name: Prepare Let's Encrypt well-known directory
ansible.builtin.file:
state: directory
path: /var/lib/letsencrypt/.well-known
owner: root
group: nginx
mode: g+s
- name: Copy systemd service to renew Let's Encrypt certs - name: Copy systemd service to renew Let's Encrypt certs
template: src=renew-letsencrypt.service.j2 dest=/etc/systemd/system/renew-letsencrypt.service mode=0644 owner=root group=root ansible.builtin.template:
src: renew-letsencrypt.service.j2
dest: /etc/systemd/system/renew-letsencrypt.service
mode: 0644
owner: root
group: root
- name: Copy systemd timer to renew Let's Encrypt certs - name: Copy systemd timer to renew Let's Encrypt certs
copy: src=renew-letsencrypt.timer dest=/etc/systemd/system/renew-letsencrypt.timer mode=0644 owner=root group=root ansible.builtin.copy:
src: renew-letsencrypt.timer
dest: /etc/systemd/system/renew-letsencrypt.timer
mode: 0644
owner: root
group: root
# always issues daemon-reload just in case the server/timer changed # always issues daemon-reload just in case the service/timer changed
- name: Start and enable systemd timer to renew Let's Encrypt certs - name: Start and enable systemd timer to renew Let's Encrypt certs
systemd: name=renew-letsencrypt.timer state=started enabled=yes daemon_reload=yes ansible.builtin.systemd:
name: renew-letsencrypt.timer
state: started
enabled: true
daemon_reload: true
- name: Download certbot when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '=='))
get_url: dest={{ letsencrypt_certbot_dest }} url=https://dl.eff.org/certbot-auto mode=700 or (ansible_distribution == 'Debian' and ansible_distribution_version is version('11', '=='))
# Dependencies certbot checks for on its first run. I set them in a fact so that
# I can pass the list directly to the apt module to install in one transaction.
- name: Set certbot dependencies (Debian 10)
when: ansible_distribution == 'Debian' and ansible_distribution_major_version is version('10', '==')
set_fact:
certbot_dependencies:
- augeas-lenses
- binutils
- binutils-common
- binutils-x86-64-linux-gnu
- cpp
- cpp-8
- gcc
- gcc-8
- libasan5
- libatomic1
- libaugeas0
- libbinutils
- libc-dev-bin
- libc6-dev
- libcc1-0
- libexpat1-dev
- libffi-dev
- libgcc-8-dev
- libgomp1
- libisl19
- libitm1
- liblsan0
- libmpc3
- libmpfr6
- libmpx2
- libpython-dev
- libpython2-dev
- libpython2.7
- libpython2.7-dev
- libquadmath0
- libssl-dev
- libtsan0
- libubsan1
- linux-libc-dev
- python-dev
- python-pip-whl
- python-pkg-resources
- python-virtualenv
- python2-dev
- python2.7-dev
- python3-distutils
- python3-lib2to3
- python3-virtualenv
- virtualenv
# Dependencies certbot checks for on its first run. I set them in a fact so that
# I can pass the list directly to the apt module to install in one transaction.
- name: Set certbot dependencies (Ubuntu 18.04)
when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('18.04', '==')
set_fact:
certbot_dependencies:
- augeas-lenses
- binutils
- binutils-common
- binutils-x86-64-linux-gnu
- cpp
- cpp-7
- gcc
- gcc-7
- gcc-7-base
- libasan4
- libatomic1
- libaugeas0
- libbinutils
- libc-dev-bin
- libc6-dev
- libcc1-0
- libcilkrts5
- libexpat1-dev
- libffi-dev
- libgcc-7-dev
- libgomp1
- libisl19
- libitm1
- liblsan0
- libmpc3
- libmpx2
- libpython-dev
- libpython2.7
- libpython2.7-dev
- libquadmath0
- libssl-dev
- libtsan0
- libubsan0
- linux-libc-dev
- python-dev
- python-pip-whl
- python-pkg-resources
- python-virtualenv
- python2.7-dev
- python3-virtualenv
- virtualenv
- name: Install certbot dependencies
apt: name={{ certbot_dependencies }} state=present update_cache=yes
when: ansible_distribution != 'Ubuntu' and ansible_distribution_major_version is version('20.04', '!=')
tags: letsencrypt
# On Ubuntu 20.04 it is no longer recommended/supported to use the standalone
# certbot-auto so I guess we need to use the one from the repositories.
- block:
- name: Install certbot (Ubuntu 20.04)
apt: name=certbot state=present update_cache=yes
- name: Copy certbot post and pre hooks for nginx
copy: src={{ item.src }} dest={{ item.dest }} owner=root group=root mode=0755
with_items:
- { src: 'stop-nginx.sh', dest: '/etc/letsencrypt/renewal-hooks/pre/stop-nginx.sh' }
- { src: 'start-nginx.sh', dest: '/etc/letsencrypt/renewal-hooks/post/start-nginx.sh' }
when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')
tags: letsencrypt tags: letsencrypt
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:
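Review bot: 'Download acme.sh' fetches `https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh`, marks it 0700 and then runs it as root with no `checksum:` and no version pin; that is an unverified script from a moving branch executed with full privileges, and the vhosts.yml hunk in this same change set already shows the safer pattern (`checksum: sha256:...` on `get_url`). Pin the URL to a release tag and add the checksum. Two idempotency points in the same block: 'Set default certificate authority for acme.sh' is a bare `command:` with no `changed_when:` or `creates:`, so it reports changed on every run; and 'Prepare Let's Encrypt well-known directory' sets `mode: g+s` only, which leaves the base permission bits to the umask, so state the full mode explicitly (e.g. `mode: '2755'`) so the nginx group can always traverse it.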

View File

@ -1,33 +1,33 @@
--- ---
- name: Add nginx.org apt signing key - name: Add nginx.org apt signing key
apt_key: id=0x573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 url=https://nginx.org/keys/nginx_signing.key state=present ansible.builtin.apt_key: id=0x573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 url=https://nginx.org/keys/nginx_signing.key state=present
register: add_nginx_apt_key register: add_nginx_apt_key
tags: nginx, packages tags: nginx, packages
- name: Add nginx.org repo - name: Add nginx.org repo
template: src=nginx_org_sources.list.j2 dest=/etc/apt/sources.list.d/nginx_org_sources.list owner=root group=root mode=0644 ansible.builtin.template: src=nginx_org_sources.list.j2 dest=/etc/apt/sources.list.d/nginx_org_sources.list owner=root group=root mode=0644
register: add_nginx_apt_repository register: add_nginx_apt_repository
tags: nginx, packages tags: nginx, packages
- name: Update apt cache - name: Update apt cache
apt: ansible.builtin.apt:
update_cache: yes update_cache: true
when: when:
add_nginx_apt_key is changed or add_nginx_apt_key is changed or
add_nginx_apt_repository is changed add_nginx_apt_repository is changed
- name: Install nginx - name: Install nginx
apt: pkg=nginx cache_valid_time=3600 state=present ansible.builtin.apt: pkg=nginx cache_valid_time=3600 state=present
tags: nginx, packages tags: nginx, packages
- name: Copy nginx.conf - name: Copy nginx.conf
template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf mode=0644 owner=root group=root ansible.builtin.template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf mode=0644 owner=root group=root
notify: notify:
- reload nginx - reload nginx
tags: nginx tags: nginx
- name: Copy extra nginx configs - name: Copy extra nginx configs
copy: src={{ item }} dest=/etc/nginx/{{ item }} mode=0644 owner=root group=root ansible.builtin.copy: src={{ item }} dest=/etc/nginx/{{ item }} mode=0644 owner=root group=root
loop: loop:
- extra-security.conf - extra-security.conf
- fastcgi_cache - fastcgi_cache
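Review bot: this hunk keeps adding the nginx.org key with `apt_key` (deprecated along with apt-key) while the mariadb role in the same change set moved to a `signed-by=` keyring under /etc/apt/keyrings; apply the same keyring pattern here rather than leaving one role on the deprecated path. Also, 'Update apt cache' carries no tags, so a run limited with `--tags nginx,packages` skips it and the following 'Install nginx' can run against a stale cache right after the repository was added.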
@ -36,42 +36,41 @@
tags: nginx tags: nginx
- name: Remove default nginx vhost - name: Remove default nginx vhost
file: path=/etc/nginx/conf.d/default.conf state=absent ansible.builtin.file: path=/etc/nginx/conf.d/default.conf state=absent
tags: nginx tags: nginx
- name: Create fastcgi cache dir - name: Create fastcgi cache dir
file: path=/var/cache/nginx/cached/fastcgi state=directory owner=nginx group=nginx mode=0755 ansible.builtin.file: path=/var/cache/nginx/cached/fastcgi state=directory owner=nginx group=nginx mode=0755
tags: nginx tags: nginx
- name: Configure nginx virtual hosts - name: Configure nginx virtual hosts
include_tasks: vhosts.yml ansible.builtin.include_tasks: vhosts.yml
when: nginx_vhosts is defined when: nginx_vhosts is defined
tags: nginx tags: nginx
- name: Configure WordPress - name: Configure WordPress
include_tasks: wordpress.yml ansible.builtin.include_tasks: wordpress.yml
when: nginx_vhosts is defined when: nginx_vhosts is defined
tags: wordpress tags: wordpress
- name: Configure blank nginx vhost - name: Configure blank nginx vhost
template: src=blank-vhost.conf.j2 dest={{ nginx_confd_path }}/blank-vhost.conf mode=0644 owner=root group=root ansible.builtin.template: src=blank-vhost.conf.j2 dest={{ nginx_confd_path }}/blank-vhost.conf mode=0644 owner=root group=root
notify: notify:
- reload nginx - reload nginx
tags: nginx tags: nginx
- name: Configure munin vhost - name: Configure munin vhost
copy: src=munin.conf dest=/etc/nginx/conf.d/munin.conf mode=0644 owner=root group=root ansible.builtin.copy: src=munin.conf dest=/etc/nginx/conf.d/munin.conf mode=0644 owner=root group=root
notify: notify:
- reload nginx - reload nginx
tags: nginx tags: nginx
- name: Start and enable nginx service - name: Start and enable nginx service
systemd: name=nginx state=started enabled=yes ansible.builtin.systemd: name=nginx state=started enabled=true
tags: nginx tags: nginx
- name: Configure Let's Encrypt - name: Configure Let's Encrypt
include_tasks: letsencrypt.yml ansible.builtin.include_tasks: letsencrypt.yml
when: use_letsencrypt is defined and use_letsencrypt
tags: letsencrypt tags: letsencrypt
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:
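Review bot: the `when: use_letsencrypt is defined and use_letsencrypt` guard on 'Configure Let's Encrypt' is removed, so letsencrypt.yml is now included unconditionally; the defaults file in this change set still documents `use_letsencrypt` as the switch for development hosts using snakeoil certs, and the https.j2 template still branches on it, so either restore the guard (`when: use_letsencrypt`) or update the defaults comment to say the variable no longer controls the acme.sh tasks.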

View File

@ -2,23 +2,27 @@
- block: - block:
- name: Configure https vhosts - name: Configure https vhosts
template: src=vhost.conf.j2 dest={{ nginx_confd_path }}/{{ item.domain_name }}.conf mode=0644 owner=root group=root ansible.builtin.template: src=vhost.conf.j2 dest={{ nginx_confd_path }}/{{ item.domain_name }}.conf mode=0644 owner=root group=root
loop: "{{ nginx_vhosts }}" loop: "{{ nginx_vhosts }}"
notify: notify:
- reload nginx - reload nginx
- name: Generate self-signed TLS cert - name: Generate self-signed TLS cert
command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key -out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt ansible.builtin.command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key -out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt
notify: notify:
- reload nginx - reload nginx
- name: Generate 2048-bit dhparam - name: Download 4096-bit RFC 7919 dhparams
command: openssl dhparam -out dhparam.pem 2048 chdir=/etc/ssl/certs creates=dhparam.pem ansible.builtin.get_url:
url: https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem
checksum: sha256:64852d6890ff9e62eecd1ee89c72af9af244dfef5b853bcedea3dfd7aade22b3
dest: "{{ nginx_ssl_dhparam }}"
notify: notify:
- reload nginx - reload nginx
# TODO: this could break because we can override the document root in host vars
- name: Create vhost document roots - name: Create vhost document roots
file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory mode=0755 owner=nginx group=nginx ansible.builtin.file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory mode=0755 owner=nginx group=nginx
loop: "{{ nginx_vhosts }}" loop: "{{ nginx_vhosts }}"
tags: nginx tags: nginx
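Review bot: replacing the generated 2048-bit parameters with the checksummed RFC 7919 ffdhe4096 download is the right move, but the old task wrote /etc/ssl/certs/dhparam.pem and nothing removes it; if `nginx_ssl_dhparam` does not point at that same path, add a `file: state: absent` for the stale file. Unrelated but in the same hunk: the snakeoil cert is generated with `-days 365` behind `creates=`, so it is never regenerated after it expires; a comment noting that (or a task that checks the expiry) would help.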

View File

@ -2,13 +2,17 @@
- block: - block:
- name: Install WordPress - name: Install WordPress
git: repo=https://github.com/WordPress/WordPress.git dest={{ nginx_root_prefix }}/{{ item.domain_name }}/wordpress version={{ item.wordpress_version }} depth=1 force=yes ansible.builtin.git: repo=https://github.com/WordPress/WordPress.git dest={{ nginx_root_prefix }}/{{ item.domain_name }}/wordpress version={{ item.wordpress_version }} depth=1 force=true
when: item.has_wordpress is defined and item.has_wordpress when:
- item.has_wordpress is defined
- item.has_wordpress
loop: "{{ nginx_vhosts }}" loop: "{{ nginx_vhosts }}"
- name: Fix WordPress directory permissions - name: Fix WordPress directory permissions
file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory owner=nginx group=nginx recurse=yes ansible.builtin.file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory owner=nginx group=nginx recurse=true
when: item.has_wordpress is defined and item.has_wordpress when:
- item.has_wordpress is defined
- item.has_wordpress
loop: "{{ nginx_vhosts }}" loop: "{{ nginx_vhosts }}"
tags: wordpress tags: wordpress
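Review bot: `force=true` on the git checkout discards any local change under the wordpress directory on every run, and 'Fix WordPress directory permissions' makes `nginx` the owner of the whole document root with `recurse=true`; if the PHP-FPM pool runs as that same user, a compromised worker can rewrite WordPress core and theme files. Consider owning the tree by root (or a deploy user) with group nginx, and granting write only where WordPress needs it (uploads, and whatever the update workflow requires).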

View File

@ -16,7 +16,7 @@ server {
listen [::]:443 ssl http2 default_server; listen [::]:443 ssl http2 default_server;
server_name _; server_name _;
# "snakeoil" certificate (self signed!) # self-signed "snakeoil" certificate
ssl_certificate /etc/ssl/certs/nginx-snakeoil.crt; ssl_certificate /etc/ssl/certs/nginx-snakeoil.crt;
ssl_certificate_key /etc/ssl/private/nginx-snakeoil.key; ssl_certificate_key /etc/ssl/private/nginx-snakeoil.key;

View File

@ -0,0 +1,5 @@
location / {
proxy_pass http://localhost:3000;
}
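Review bot: the Gitea location proxies to `http://localhost:3000` with no `proxy_set_header` lines; without `Host`, `X-Real-IP`, `X-Forwarded-For` and `X-Forwarded-Proto` the backend sees every request as coming from 127.0.0.1 over plain HTTP, which breaks client-IP logging and rate limiting on the Gitea side and can make it generate http:// URLs. Add those four headers inside the location block.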

View File

@ -1,7 +1,7 @@
{# helper variables and per-site defaults that we can't set in role defaults #} {# helper variables and per-site defaults that we can't set in role defaults #}
{% set domain_name = item.domain_name %} {% set domain_name = item.domain_name %}
{# assume HSTS is off unless a vhost explicitly sets it to True #} {# assume HSTS is off unless a vhost explicitly sets it to true #}
{% set enable_hsts = item.enable_hsts | default(False) %} {% set enable_hsts = item.enable_hsts | default(false) %}
{# first, check if the current vhost has a custom cert (perhaps self-signed) #} {# first, check if the current vhost has a custom cert (perhaps self-signed) #}
{% if item.tls_certificate_path is defined and item.tls_key_path is defined %} {% if item.tls_certificate_path is defined and item.tls_key_path is defined %}
@ -16,8 +16,8 @@
# concatenated key + cert # concatenated key + cert
# See: http://nginx.org/en/docs/http/configuring_https_servers.html # See: http://nginx.org/en/docs/http/configuring_https_servers.html
ssl_certificate {{ letsencrypt_root }}/{{ domain_name }}/fullchain.pem; ssl_certificate {{ letsencrypt_root }}/certs/{{ domain_name }}.fullchain.pem;
ssl_certificate_key {{ letsencrypt_root }}/{{ domain_name }}/privkey.pem; ssl_certificate_key {{ letsencrypt_root }}/private/{{ domain_name }}.key.pem;
{% endif %} {% endif %}
@ -31,7 +31,7 @@
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
{# OSCP stapling only works with real certs #} {# OSCP stapling only works with real certs #}
{% if use_letsencrypt == True or item.tls_certificate_path %} {% if use_letsencrypt == true or item.tls_certificate_path %}
# OCSP stapling... # OCSP stapling...
ssl_stapling on; ssl_stapling on;
ssl_stapling_verify on; ssl_stapling_verify on;
@ -47,9 +47,9 @@
# of such infrastructure, consider turning off session tickets: # of such infrastructure, consider turning off session tickets:
ssl_session_tickets off; ssl_session_tickets off;
{% if enable_hsts == True %} {% if enable_hsts == true %}
# Enable this if you want HSTS (recommended, but be careful) # Enable this if you want HSTS (recommended, but be careful)
# Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
# See: https://hstspreload.appspot.com/ # See: https://hstspreload.appspot.com/
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always; add_header Strict-Transport-Security "max-age={{ nginx_hsts_max_age }}; includeSubDomains; preload" always;
{% endif %} {% endif %}
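Review bot: the Jinja comment on the stapling block reads `OSCP stapling` (typo for OCSP). In the condition right below it, `item.tls_certificate_path` is referenced without the `is defined` guard that the first hunk in this file uses for the same key; when `use_letsencrypt` is false the `or` falls through to an undefined attribute, which Ansible's templating raises as an error rather than treating as false. Write it as `{% if use_letsencrypt or item.tls_certificate_path is defined %}`.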

View File

@ -1,7 +1,9 @@
[Unit] [Unit]
Description=Renew Let's Encrypt certificates Description=Renew Let's Encrypt certificates
ConditionFileIsExecutable={{ letsencrypt_certbot_dest }} ConditionFileIsExecutable={{ letsencrypt_acme_home }}/acme.sh
[Service] [Service]
Type=oneshot Type=oneshot
ExecStart={{ letsencrypt_certbot_dest }} renew --standalone --pre-hook "/bin/systemctl stop nginx" --post-hook "/bin/systemctl start nginx" ExecStart={{ letsencrypt_acme_home }}/acme.sh --cron --home {{ letsencrypt_acme_home }} --reloadcmd "/bin/systemctl reload nginx" -w /var/lib/letsencrypt
SuccessExitStatus=0 2
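Review bot: `SuccessExitStatus=0 2` is added without a comment; state which acme.sh outcome exits with 2 (the "not yet due, skipped" case, if that is the intent) so the next reader does not drop it and start seeing failed timer runs. Also worth noting that `--reloadcmd` given at `--cron` time applies only if acme.sh honours it for already-issued certs; the per-certificate reload command set at `--install-cert` time is the one acme.sh records, so document which of the two this deployment relies on.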

View File

@ -4,9 +4,10 @@
{% set domain_name = item.domain_name %} {% set domain_name = item.domain_name %}
{% set domain_aliases = item.domain_aliases | default("") %} {% set domain_aliases = item.domain_aliases | default("") %}
{# assume optional features are off unless a vhost explicitly sets them #} {# assume optional features are off unless a vhost explicitly sets them #}
{% set enable_hsts = item.enable_hsts | default(False) %} {% set enable_hsts = item.enable_hsts | default(false) %}
{% set has_wordpress = item.has_wordpress | default(False) %} {% set has_wordpress = item.has_wordpress | default(false) %}
{% set needs_php = item.needs_php | default(False) %} {% set needs_php = item.needs_php | default(false) %}
{% set has_gitea = item.has_gitea | default(false) %}
# http -> https vhost # http -> https vhost
server { server {
@ -14,6 +15,8 @@ server {
listen [::]:80; listen [::]:80;
server_name {{ domain_name }} {{ domain_aliases }}; server_name {{ domain_name }} {{ domain_aliases }};
{% include 'well-known.j2' %}
# redirect http -> https # redirect http -> https
location / { location / {
# ? in rewrite makes sure nginx doesn't append query string again # ? in rewrite makes sure nginx doesn't append query string again
@ -36,23 +39,27 @@ server {
{# will only work if the TLS cert covers the domain + aliases, like example.com and www.example.com #} {# will only work if the TLS cert covers the domain + aliases, like example.com and www.example.com #}
server_name {{ domain_name }} {{ domain_aliases }}; server_name {{ domain_name }} {{ domain_aliases }};
index {% if has_wordpress == True or needs_php == True %}index.php{% else %}index.html{% endif %}; index {% if has_wordpress == true or needs_php == true %}index.php{% else %}index.html{% endif %};
access_log /var/log/nginx/{{ domain_name }}-access.log; access_log /var/log/nginx/{{ domain_name }}-access.log;
error_log /var/log/nginx/{{ domain_name }}-error.log; error_log /var/log/nginx/{{ domain_name }}-error.log;
{% include 'https.j2' %} {% include 'https.j2' %}
{% if has_wordpress == True %} {% if has_wordpress == true %}
{% include 'wordpress.j2' %} {% include 'wordpress.j2' %}
{% endif %} {% endif %}
{% if has_gitea == true %}
{% include 'gitea.j2' %}
{% endif %}
error_page 500 502 503 504 /50x.html; error_page 500 502 503 504 /50x.html;
location = /50x.html { location = /50x.html {
root /usr/share/nginx/html; root /usr/share/nginx/html;
} }
{% if has_wordpress == True or needs_php == True %} {% if has_wordpress == true or needs_php == true %}
location ~ [^/]\.php(/|$) { location ~ [^/]\.php(/|$) {
# Zero-day exploit defense. # Zero-day exploit defense.
# http://forum.nginx.org/read.php?2,88845,page=3 # http://forum.nginx.org/read.php?2,88845,page=3
@ -68,14 +75,7 @@ server {
# See: https://httpoxy.org/ # See: https://httpoxy.org/
fastcgi_param HTTP_PROXY ""; fastcgi_param HTTP_PROXY "";
{# As of Ubuntu 16.04 and Debian 9, the PHP-FPM configs are the same #} {% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_version is version('11', '==')) %}
{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('16.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('9', '==')) %}
fastcgi_pass unix:/run/php/php7.0-fpm-{{ domain_name }}.sock;
{% elif ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('18.04', '==') %}
fastcgi_pass unix:/run/php/php7.2-fpm-{{ domain_name }}.sock;
{% elif ansible_distribution == 'Debian' and ansible_distribution_version is version('10', '==') %}
fastcgi_pass unix:/run/php/php7.3-fpm-{{ domain_name }}.sock;
{% elif ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==') %}
fastcgi_pass unix:/run/php/php7.4-fpm-{{ domain_name }}.sock; fastcgi_pass unix:/run/php/php7.4-fpm-{{ domain_name }}.sock;
{% else %} {% else %}
fastcgi_pass unix:/var/run/php5-fpm-{{ domain_name }}.sock; fastcgi_pass unix:/var/run/php5-fpm-{{ domain_name }}.sock;
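Review bot: collapsing the distro ladder to Ubuntu 20.04 / Debian 11 (both ship PHP 7.4) is fine, but the `{% else %}` branch still falls back to `unix:/var/run/php5-fpm-{{ domain_name }}.sock`, a PHP 5 socket that no supported target has; on any other distro this now produces a vhost that fails at request time. Either drop the `else` branch and let the template error out on unsupported distros, or make the PHP version a variable so the fallback is explicit.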
@ -92,11 +92,11 @@ server {
fastcgi_cache_bypass $http_pragma $wordpress_logged_in; fastcgi_cache_bypass $http_pragma $wordpress_logged_in;
fastcgi_no_cache $http_pragma $wordpress_logged_in; fastcgi_no_cache $http_pragma $wordpress_logged_in;
{% if enable_hsts == True %} {% if enable_hsts == true %}
# Enable this if you want HSTS (recommended, but be careful) # Enable this if you want HSTS (recommended, but be careful)
# Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
# See: https://hstspreload.appspot.com/ # See: https://hstspreload.appspot.com/
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always; add_header Strict-Transport-Security "max-age={{ nginx_hsts_max_age }}; includeSubDomains; preload" always;
{% endif %} {% endif %}
include extra-security.conf; include extra-security.conf;
@ -106,7 +106,7 @@ server {
include extra-security.conf; include extra-security.conf;
} }
{% if has_wordpress == True %} {% if has_wordpress == true %}
# Check if a user is logged in # Check if a user is logged in
# if so, set $wordpress_logged_in = 1 # if so, set $wordpress_logged_in = 1
# otherwise, set $wordpress_logged_in = 0 # otherwise, set $wordpress_logged_in = 0
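Review bot: the `True` to `true` change on `{% if has_wordpress == true %}` is a no-op for Jinja, which accepts either spelling, so this hunk only buys consistency; if the goal is to stop comparing against literals, `{% if has_wordpress %}` is the form to use here and in the `enable_hsts` checks above, since it also covers a vhost that sets the key to any other truthy value.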

View File

@ -0,0 +1,6 @@
location ^~ /.well-known/acme-challenge/ {
allow all;
root /var/lib/letsencrypt/;
default_type "text/plain";
try_files $uri =404;
}
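Review bot: the `^~` modifier is the security-relevant part of this snippet and deserves a one-line comment so it is not "simplified" away: it stops the regex locations later in the vhost (the PHP handler and the static-asset rule) from matching anything under `/.well-known/acme-challenge/`, so challenge files are served as plain text straight from `/var/lib/letsencrypt/` and never reach php-fpm. `try_files $uri =404` correctly limits the location to files that actually exist. `allow all` only has an effect in a vhost that also carries `deny` rules at server level; it is harmless otherwise. Nothing in this diff creates `/var/lib/letsencrypt/` or points the ACME client at it, so confirm the webroot matches on the client side.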

View File

@ -5,22 +5,22 @@
location / { location / {
try_files $uri $uri/ /index.php?$args; try_files $uri $uri/ /index.php?$args;
{% if enable_hsts == True %} {% if enable_hsts == true %}
# Enable this if you want HSTS (recommended, but be careful) # Enable this if you want HSTS (recommended, but be careful)
# Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
# See: https://hstspreload.appspot.com/ # See: https://hstspreload.appspot.com/
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always; add_header Strict-Transport-Security "max-age={{ nginx_hsts_max_age }}; includeSubDomains; preload" always;
{% endif %} {% endif %}
} }
location ~* \.(?:ico|css|js|gif|jpe?g|png|svg)$ { location ~* \.(?:ico|css|js|gif|jpe?g|png|svg)$ {
add_header Cache-Control "max-age=604800"; add_header Cache-Control "max-age=604800";
{% if enable_hsts == True %} {% if enable_hsts == true %}
# Enable this if you want HSTS (recommended, but be careful) # Enable this if you want HSTS (recommended, but be careful)
# Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
# See: https://hstspreload.appspot.com/ # See: https://hstspreload.appspot.com/
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always; add_header Strict-Transport-Security "max-age={{ nginx_hsts_max_age }}; includeSubDomains; preload" always;
{% endif %} {% endif %}
} }
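Review bot: the HSTS block is now copied into both `location /` and the static-asset `location ~* \.(?:ico|css|js|gif|jpe?g|png|svg)$`, on top of the server-level copy in the other template. The repetition in the asset block is actually required: nginx only inherits `add_header` directives from the enclosing level when the current level defines none, and this block defines `add_header Cache-Control "max-age=604800";`, so removing the HSTS lines here would silently drop the header on every CSS/JS/image response. Add a comment saying exactly that, and to keep the three copies from drifting (the `max-age` value just changed in all of them), move the `{% if enable_hsts %} ... {% endif %}` block into one snippet file and `include` it from each location. Nit: `== true` can be a bare truth test.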

View File

@ -1,5 +1,5 @@
--- ---
# file: roles/php-fpm/defaults/main.yml # ansible.builtin.file: roles/php-fpm/defaults/main.yml
# default is on, but turn it off because of protection in nginx vhosts # default is on, but turn it off because of protection in nginx vhosts
cgi_fix_pathinfo: 0 cgi_fix_pathinfo: 0
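Review bot: the FQCN search-and-replace ran through a comment: `# file: roles/php-fpm/defaults/main.yml` became `# ansible.builtin.file: roles/php-fpm/defaults/main.yml`, which now reads as a module name rather than a path label. Revert that line to `# file: roles/php-fpm/defaults/main.yml`, and grep the tree for other `# ansible.builtin.` comments produced the same way.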

View File

@ -1,14 +1,6 @@
--- ---
# For Ubuntu 18.04 # For Ubuntu 20.04 and Debian 11
- name: reload php7.2-fpm
systemd: name=php7.2-fpm state=reloaded
# For Debian 10
- name: reload php7.3-fpm
systemd: name=php7.3-fpm state=reloaded
# For Ubuntu 20.04
- name: reload php7.4-fpm - name: reload php7.4-fpm
systemd: name=php7.4-fpm state=reloaded ansible.builtin.systemd: name=php7.4-fpm state=reloaded
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:
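Review bot: removing the 7.2 and 7.3 handlers is consistent with deleting the Ubuntu 18.04 and Debian 10 task files, so no dangling `notify: reload php7.2-fpm` or `reload php7.3-fpm` should remain; worth a grep to confirm. The surviving handler keeps the inline `key=value` form (`ansible.builtin.systemd: name=php7.4-fpm state=reloaded`) while the module name moves to its FQCN; the dict form (`name: php7.4-fpm`, `state: reloaded`) is the style the rest of this series is moving towards and is what linters expect alongside FQCNs.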

View File

@ -1,34 +0,0 @@
---
- block:
- name: Set php-fpm packages
set_fact:
php_fpm_packages:
- php-fpm
# for WordPress
- php-mysql
- php-gd
- php-curl
- name: Install php-fpm and deps
apt: name={{ php_fpm_packages }} state=present update_cache=yes
# only copy php-fpm config for vhosts that need WordPress or PHP
- name: Copy php-fpm pool config
template: src=php7.3-pool.conf.j2 dest=/etc/php/7.3/fpm/pool.d/{{ item.domain_name }}.conf owner=root group=root mode=0644
loop: "{{ nginx_vhosts }}"
when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
notify: reload php7.3-fpm
- name: Remove default www pool
file: path=/etc/php/7.3/fpm/pool.d/www.conf state=absent
notify: reload php7.3-fpm
# re-configure php.ini
- name: Update php.ini
template: src=php7.3-php.ini.j2 dest=/etc/php/7.3/fpm/php.ini owner=root group=root mode=0644
notify: reload php7.3-fpm
tags: php-fpm
when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
# vim: set ts=2 sw=2:
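Review bot: the block-level `when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)` on the last lines of this deleted file references `item` although the block itself has no `loop`; `item` only exists inside the looped "Copy php-fpm pool config" task, so the condition was never a reliable guard for the install and php.ini tasks. Deleting the file is fine; the point is that the same construct should not survive in the remaining 7.4 task file.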

View File

@ -1,34 +0,0 @@
---
- block:
- name: Set php-fpm packages
set_fact:
php_fpm_packages:
- php-fpm
# for WordPress
- php-mysql
- php-gd
- php-curl
- name: Install php-fpm and deps
apt: name={{ php_fpm_packages }} state=present update_cache=yes
# only copy php-fpm config for vhosts that need WordPress or PHP
- name: Copy php-fpm pool config
template: src=php7.2-pool.conf.j2 dest=/etc/php/7.2/fpm/pool.d/{{ item.domain_name }}.conf owner=root group=root mode=0644
loop: "{{ nginx_vhosts }}"
when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
notify: reload php7.2-fpm
- name: Remove default www pool
file: path=/etc/php/7.2/fpm/pool.d/www.conf state=absent
notify: reload php7.2-fpm
# re-configure php.ini
- name: Update php.ini
template: src=php7.2-php.ini.j2 dest=/etc/php/7.2/fpm/php.ini owner=root group=root mode=0644
notify: reload php7.2-fpm
tags: php-fpm
when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
# vim: set ts=2 sw=2:

View File

@ -2,33 +2,35 @@
- block: - block:
- name: Set php-fpm packages - name: Set php-fpm packages
set_fact: ansible.builtin.set_fact:
php_fpm_packages: php_fpm_packages:
- php-fpm - php7.4-fpm
# for WordPress # for WordPress
- php-mysql - php7.4-mysql
- php-gd - php7.4-gd
- php-curl - php7.4-curl
- php7.4-xml
- name: Install php-fpm and deps - name: Install php-fpm and deps
apt: name={{ php_fpm_packages }} state=present update_cache=yes ansible.builtin.apt: name={{ php_fpm_packages }} state=present update_cache=true
# only copy php-fpm config for vhosts that need WordPress or PHP # only copy php-fpm config for vhosts that need WordPress or PHP
- name: Copy php-fpm pool config - name: Copy php-fpm pool config
template: src=php7.4-pool.conf.j2 dest=/etc/php/7.4/fpm/pool.d/{{ item.domain_name }}.conf owner=root group=root mode=0644 ansible.builtin.template: src=php7.4-pool.conf.j2 dest=/etc/php/7.4/fpm/pool.d/{{ item.domain_name }}.conf owner=root group=root mode=0644
loop: "{{ nginx_vhosts }}" loop: "{{ nginx_vhosts }}"
when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php) when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
notify: reload php7.4-fpm notify: reload php7.4-fpm
- name: Remove default www pool - name: Remove default www pool
file: path=/etc/php/7.4/fpm/pool.d/www.conf state=absent ansible.builtin.file: path=/etc/php/7.4/fpm/pool.d/www.conf state=absent
notify: reload php7.4-fpm notify: reload php7.4-fpm
# re-configure php.ini # re-configure php.ini
- name: Update php.ini - name: Update php.ini
template: src=php7.4-php.ini.j2 dest=/etc/php/7.4/fpm/php.ini owner=root group=root mode=0644 ansible.builtin.template: src=php7.4-php.ini.j2 dest=/etc/php/7.4/fpm/php.ini owner=root group=root mode=0644
notify: reload php7.4-fpm notify: reload php7.4-fpm
tags: php-fpm tags: php-fpm
when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php) when: install_php
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:
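Review bot: `when: install_php` at block level fixes the old block condition, which referenced `item` outside of any loop, but `install_php` is only ever defined by `main.yml`, so this file cannot be included on its own without the condition failing on an undefined variable; `when: install_php | default(false)` makes the block safe either way. The package list is now pinned to `php7.4-fpm`, `php7.4-mysql`, `php7.4-gd`, `php7.4-curl` and the new `php7.4-xml` (a sensible addition, WordPress needs the XML extensions) instead of the unversioned `php-*` metapackages; that is correct for Ubuntu 20.04 and Debian 11, but it means the next distro bump has to change this list, the file name, the handler name and the socket path together, so a comment pointing that out would help. Minor: `update_cache=true` on every run can be softened with `cache_valid_time=3600`.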

View File

@ -1,21 +1,44 @@
--- ---
# Ubuntu 18.04 uses php-fpm 7.2
# Debian 10 uses php-fpm 7.3
# Ubuntu 20.04 uses PHP 7.4 # Ubuntu 20.04 uses PHP 7.4
# Debian 11 uses PHP 7.4
- name: Configure php-fpm on Ubuntu 18.04 # If any of the vhosts on this host need WordPress then we need to install PHP.
include_tasks: Ubuntu_18.04.yml # This uses selectattr to filter the list of dicts in nginx_vhosts, selecting
when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('18.04', '==') # any that have has_wordpress defined, and has_wordpress set to true.
tags: php-fpm #
# See: https://stackoverflow.com/a/31896249
- name: Check if any vhost needs WordPress
ansible.builtin.set_fact:
install_php: true
when: "nginx_vhosts | selectattr('has_wordpress', 'defined') | selectattr('has_wordpress', 'equalto', true) | list | length > 0"
- name: Configure php-fpm on Debian 10 # Legacy, was only for Piwik, but leaving for now.
include_tasks: Debian_10.yml - name: Check if any vhost needs PHP
when: ansible_distribution == 'Debian' and ansible_distribution_version is version('10', '==') ansible.builtin.set_fact:
tags: php-fpm install_php: true
when: "nginx_vhosts | selectattr('needs_php', 'defined') | selectattr('needs_php', 'equalto', true) | list | length > 0"
# If install_php has not been set, then we assume no vhosts need PHP. This is
# a bit hacky, but it's the closest we come to an if/then/else.
- name: Set install_php to false
ansible.builtin.set_fact:
install_php: false
when: install_php is not defined
- name: Configure php-fpm on Ubuntu 20.04 - name: Configure php-fpm on Ubuntu 20.04
include_tasks: Ubuntu_20.04.yml ansible.builtin.include_tasks: Ubuntu_20.04.yml
when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==') when:
- ansible_distribution == 'Ubuntu'
- ansible_distribution_version is version('20.04', '==')
- install_php == true
tags: php-fpm
- name: Configure php-fpm on Debian 11
ansible.builtin.include_tasks: Ubuntu_20.04.yml
when:
- ansible_distribution == 'Debian'
- ansible_distribution_version is version('11', '==')
- install_php == true
tags: php-fpm tags: php-fpm
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:
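Review bot: the three `set_fact` tasks that compute `install_php` carry no `tags: php-fpm`, but both `include_tasks` that consume it do; a run with `--tags php-fpm` skips the fact-setting tasks and then evaluates `install_php == true` against an undefined variable and errors out. Give the `set_fact` tasks `tags: php-fpm` (or `tags: always`). The define/define/default-to-false sequence can also collapse into a single unconditional task, e.g. `install_php: "{{ (nginx_vhosts | selectattr('has_wordpress', 'defined') | selectattr('has_wordpress', 'equalto', true) | list | length > 0) or (nginx_vhosts | selectattr('needs_php', 'defined') | selectattr('needs_php', 'equalto', true) | list | length > 0) }}"`, which removes the "a bit hacky" comment and the undefined-variable window. Two smaller points: `- install_php == true` compares against a literal where `- install_php` suffices, and the Debian 11 task includes a file called `Ubuntu_20.04.yml`; since the comment says both distros use PHP 7.4, naming the file after the PHP version (for example `php7.4.yml`) would stop the next reader from assuming a copy-paste mistake.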

File diff suppressed because it is too large

View File

@ -1,415 +0,0 @@
{% set domain_name = item.domain_name %}
; Start a new pool named '{{ domain_name }}'.
; the variable $pool can we used in any directive and will be replaced by the
; pool name ('{{ domain_name }}' here)
[{{ domain_name }}]
; Per pool prefix
; It only applies on the following directives:
; - 'access.log'
; - 'slowlog'
; - 'listen' (unixsocket)
; - 'chroot'
; - 'chdir'
; - 'php_values'
; - 'php_admin_values'
; When not set, the global prefix (or /usr) applies instead.
; Note: This directive can also be relative to the global prefix.
; Default Value: none
;prefix = /path/to/pools/$pool
; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's group
; will be used.
user = nginx
group = nginx
; The address on which to accept FastCGI requests.
; Valid syntaxes are:
; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
; a specific port;
; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
; a specific port;
; 'port' - to listen on a TCP socket to all addresses
; (IPv6 and IPv4-mapped) on a specific port;
; '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory.
listen = /run/php/php7.2-fpm-{{ domain_name }}.sock
; Set listen(2) backlog.
; Default Value: 511 (-1 on FreeBSD and OpenBSD)
;listen.backlog = 511
; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many
; BSD-derived systems allow connections regardless of permissions.
; Default Values: user and group are set as the running user
; mode is set to 0660
listen.owner = nginx
listen.group = nginx
;listen.mode = 0660
; When POSIX Access Control Lists are supported you can set them using
; these options, value is a comma separated list of user/group names.
; When set, listen.owner and listen.group are ignored
;listen.acl_users =
;listen.acl_groups =
; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
; must be separated by a comma. If this value is left blank, connections will be
; accepted from any ip address.
; Default Value: any
;listen.allowed_clients = 127.0.0.1
; Specify the nice(2) priority to apply to the pool processes (only if set)
; The value can vary from -19 (highest priority) to 20 (lower priority)
; Note: - It will only work if the FPM master process is launched as root
; - The pool processes will inherit the master process priority
; unless it specified otherwise
; Default Value: no set
; process.priority = -19
; Choose how the process manager will control the number of child processes.
; Possible Values:
; static - a fixed number (pm.max_children) of child processes;
; dynamic - the number of child processes are set dynamically based on the
; following directives. With this process management, there will be
; always at least 1 children.
; pm.max_children - the maximum number of children that can
; be alive at the same time.
; pm.start_servers - the number of children created on startup.
; pm.min_spare_servers - the minimum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is less than this
; number then some children will be created.
; pm.max_spare_servers - the maximum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is greater than this
; number then some children will be killed.
; ondemand - no children are created at startup. Children will be forked when
; new requests will connect. The following parameter are used:
; pm.max_children - the maximum number of children that
; can be alive at the same time.
; pm.process_idle_timeout - The number of seconds after which
; an idle process will be killed.
; Note: This value is mandatory.
pm = dynamic
; The number of child processes to be created when pm is set to 'static' and the
; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
; This value sets the limit on the number of simultaneous requests that will be
; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
; CGI. The below defaults are based on a server without much resources. Don't
; forget to tweak pm.* to fit your needs.
; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
; Note: This value is mandatory.
pm.max_children = 5
; The number of child processes created on startup.
; Note: Used only when pm is set to 'dynamic'
; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
pm.start_servers = 2
; The desired minimum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.min_spare_servers = 1
; The desired maximum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.max_spare_servers = 3
; The number of seconds after which an idle process will be killed.
; Note: Used only when pm is set to 'ondemand'
; Default Value: 10s
;pm.process_idle_timeout = 10s;
; The number of requests each child process should execute before respawning.
; This can be useful to work around memory leaks in 3rd party libraries. For
; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
; Default Value: 0
;pm.max_requests = 500
; The URI to view the FPM status page. If this value is not set, no URI will be
; recognized as a status page. It shows the following informations:
; pool - the name of the pool;
; process manager - static, dynamic or ondemand;
; start time - the date and time FPM has started;
; start since - number of seconds since FPM has started;
; accepted conn - the number of request accepted by the pool;
; listen queue - the number of request in the queue of pending
; connections (see backlog in listen(2));
; max listen queue - the maximum number of requests in the queue
; of pending connections since FPM has started;
; listen queue len - the size of the socket queue of pending connections;
; idle processes - the number of idle processes;
; active processes - the number of active processes;
; total processes - the number of idle + active processes;
; max active processes - the maximum number of active processes since FPM
; has started;
; max children reached - number of times, the process limit has been reached,
; when pm tries to start more children (works only for
; pm 'dynamic' and 'ondemand');
; Value are updated in real time.
; Example output:
; pool: www
; process manager: static
; start time: 01/Jul/2011:17:53:49 +0200
; start since: 62636
; accepted conn: 190460
; listen queue: 0
; max listen queue: 1
; listen queue len: 42
; idle processes: 4
; active processes: 11
; total processes: 15
; max active processes: 12
; max children reached: 0
;
; By default the status page output is formatted as text/plain. Passing either
; 'html', 'xml' or 'json' in the query string will return the corresponding
; output syntax. Example:
; http://www.foo.bar/status
; http://www.foo.bar/status?json
; http://www.foo.bar/status?html
; http://www.foo.bar/status?xml
;
; By default the status page only outputs short status. Passing 'full' in the
; query string will also return status for each pool process.
; Example:
; http://www.foo.bar/status?full
; http://www.foo.bar/status?json&full
; http://www.foo.bar/status?html&full
; http://www.foo.bar/status?xml&full
; The Full status returns for each process:
; pid - the PID of the process;
; state - the state of the process (Idle, Running, ...);
; start time - the date and time the process has started;
; start since - the number of seconds since the process has started;
; requests - the number of requests the process has served;
; request duration - the duration in µs of the requests;
; request method - the request method (GET, POST, ...);
; request URI - the request URI with the query string;
; content length - the content length of the request (only with POST);
; user - the user (PHP_AUTH_USER) (or '-' if not set);
; script - the main script called (or '-' if not set);
; last request cpu - the %cpu the last request consumed
; it's always 0 if the process is not in Idle state
; because CPU calculation is done when the request
; processing has terminated;
; last request memory - the max amount of memory the last request consumed
; it's always 0 if the process is not in Idle state
; because memory calculation is done when the request
; processing has terminated;
; If the process is in Idle state, then informations are related to the
; last request the process has served. Otherwise informations are related to
; the current request being served.
; Example output:
; ************************
; pid: 31330
; state: Running
; start time: 01/Jul/2011:17:53:49 +0200
; start since: 63087
; requests: 12808
; request duration: 1250261
; request method: GET
; request URI: /test_mem.php?N=10000
; content length: 0
; user: -
; script: /home/fat/web/docs/php/test_mem.php
; last request cpu: 0.00
; last request memory: 0
;
; Note: There is a real-time FPM status monitoring sample web page available
; It's available in: /usr/share/php/7.2/fpm/status.html
;
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
;pm.status_path = /status
; The ping URI to call the monitoring page of FPM. If this value is not set, no
; URI will be recognized as a ping page. This could be used to test from outside
; that FPM is alive and responding, or to
; - create a graph of FPM availability (rrd or such);
; - remove a server from a group if it is not responding (load balancing);
; - trigger alerts for the operating team (24/7).
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
;ping.path = /ping
; This directive may be used to customize the response of a ping request. The
; response is formatted as text/plain with a 200 response code.
; Default Value: pong
;ping.response = pong
; The access log file
; Default: not set
;access.log = log/$pool.access.log
; The access log format.
; The following syntax is allowed
; %%: the '%' character
; %C: %CPU used by the request
; it can accept the following format:
; - %{user}C for user CPU only
; - %{system}C for system CPU only
; - %{total}C for user + system CPU (default)
; %d: time taken to serve the request
; it can accept the following format:
; - %{seconds}d (default)
; - %{miliseconds}d
; - %{mili}d
; - %{microseconds}d
; - %{micro}d
; %e: an environment variable (same as $_ENV or $_SERVER)
; it must be associated with embraces to specify the name of the env
; variable. Some exemples:
; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
; %f: script filename
; %l: content-length of the request (for POST request only)
; %m: request method
; %M: peak of memory allocated by PHP
; it can accept the following format:
; - %{bytes}M (default)
; - %{kilobytes}M
; - %{kilo}M
; - %{megabytes}M
; - %{mega}M
; %n: pool name
; %o: output header
; it must be associated with embraces to specify the name of the header:
; - %{Content-Type}o
; - %{X-Powered-By}o
; - %{Transfert-Encoding}o
; - ....
; %p: PID of the child that serviced the request
; %P: PID of the parent of the child that serviced the request
; %q: the query string
; %Q: the '?' character if query string exists
; %r: the request URI (without the query string, see %q and %Q)
; %R: remote IP address
; %s: status (response code)
; %t: server time the request was received
; it can accept a strftime(3) format:
; %d/%b/%Y:%H:%M:%S %z (default)
; %T: time the log has been written (the request has finished)
; it can accept a strftime(3) format:
; %d/%b/%Y:%H:%M:%S %z (default)
; %u: remote user
;
; Default: "%R - %u %t \"%m %r\" %s"
;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
; The log file for slow requests
; Default Value: not set
; Note: slowlog is mandatory if request_slowlog_timeout is set
;slowlog = log/$pool.log.slow
; The timeout for serving a single request after which a PHP backtrace will be
; dumped to the 'slowlog' file. A value of '0s' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_slowlog_timeout = 0
; Depth of slow log stack trace.
; Default Value: 20
;request_slowlog_trace_depth = 20
; The timeout for serving a single request after which the worker process will
; be killed. This option should be used when the 'max_execution_time' ini option
; does not stop script execution for some reason. A value of '0' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_terminate_timeout = 0
; Set open file descriptor rlimit.
; Default Value: system defined value
;rlimit_files = 1024
; Set max core size rlimit.
; Possible Values: 'unlimited' or an integer greater or equal to 0
; Default Value: system defined value
;rlimit_core = 0
; Chroot to this directory at the start. This value must be defined as an
; absolute path. When this value is not set, chroot is not used.
; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
; of its subdirectories. If the pool prefix is not set, the global prefix
; will be used instead.
; Note: chrooting is a great security feature and should be used whenever
; possible. However, all PHP paths will be relative to the chroot
; (error_log, sessions.save_path, ...).
; Default Value: not set
;chroot =
; Chdir to this directory at the start.
; Note: relative path can be used.
; Default Value: current directory or / when chroot
;chdir = /var/www
; Redirect worker stdout and stderr into main error log. If not set, stdout and
; stderr will be redirected to /dev/null according to FastCGI specs.
; Note: on highloaded environement, this can cause some delay in the page
; process time (several ms).
; Default Value: no
catch_workers_output = yes
; Clear environment in FPM workers
; Prevents arbitrary environment variables from reaching FPM worker processes
; by clearing the environment in workers before env vars specified in this
; pool configuration are added.
; Setting to "no" will make all environment variables available to PHP code
; via getenv(), $_ENV and $_SERVER.
; Default Value: yes
;clear_env = no
; Limits the extensions of the main script FPM will allow to parse. This can
; prevent configuration mistakes on the web server side. You should only limit
; FPM to .php extensions to prevent malicious users to use other extensions to
; execute php code.
; Note: set an empty value to allow all extensions.
; Default Value: .php
;security.limit_extensions = .php .php3 .php4 .php5 .php7
; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
; the current environment.
; Default Value: clean env
;env[HOSTNAME] = $HOSTNAME
;env[PATH] = /usr/local/bin:/usr/bin:/bin
;env[TMP] = /tmp
;env[TMPDIR] = /tmp
;env[TEMP] = /tmp
; Additional php.ini defines, specific to this pool of workers. These settings
; overwrite the values previously defined in the php.ini. The directives are the
; same as the PHP SAPI:
; php_value/php_flag - you can set classic ini defines which can
; be overwritten from PHP call 'ini_set'.
; php_admin_value/php_admin_flag - these directives won't be overwritten by
; PHP call 'ini_set'
; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
; Defining 'extension' will load the corresponding shared extension from
; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
; overwrite previously defined php.ini values, but will append the new value
; instead.
; Note: path INI options can be relative and will be expanded with the prefix
; (pool, global or /usr)
; Default Value: nothing is defined by default except the values in php.ini and
; specified at startup with the -d argument
;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
;php_flag[display_errors] = off
;php_admin_value[error_log] = /var/log/fpm-php.www.log
;php_admin_flag[log_errors] = on
;php_admin_value[memory_limit] = 32M
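Review bot: deleting this 7.2 pool template matches dropping Ubuntu 18.04, but two settings in it should be checked against the surviving `php7.4-pool.conf.j2`, which is suppressed as too large here. First, every per-domain pool (`[{{ domain_name }}]`) runs as `user = nginx` / `group = nginx`, the same account the web server runs as, so PHP code in one vhost can read every other vhost's files and the pool-per-domain layout buys no isolation; a dedicated system user per pool, with `listen.owner`/`listen.group` left as `nginx` so the socket stays reachable by the web server, is what per-pool configuration is for. Second, `;security.limit_extensions` and `;clear_env = no` are both left commented, which is the safe choice (the defaults are `.php` only and `clear_env = yes`), and `catch_workers_output = yes` keeps PHP errors in the FPM log instead of /dev/null; make sure the 7.4 copy kept all three as they are here.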

File diff suppressed because it is too large

View File

@ -1,428 +0,0 @@
{% set domain_name = item.domain_name %}
; Start a new pool named '{{ domain_name }}'.
; the variable $pool can be used in any directive and will be replaced by the
; pool name ('{{ domain_name }}' here)
[{{ domain_name }}]
; Per pool prefix
; It only applies on the following directives:
; - 'access.log'
; - 'slowlog'
; - 'listen' (unixsocket)
; - 'chroot'
; - 'chdir'
; - 'php_values'
; - 'php_admin_values'
; When not set, the global prefix (or /usr) applies instead.
; Note: This directive can also be relative to the global prefix.
; Default Value: none
;prefix = /path/to/pools/$pool
; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's group
; will be used.
user = nginx
group = nginx
; The address on which to accept FastCGI requests.
; Valid syntaxes are:
; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
; a specific port;
; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
; a specific port;
; 'port' - to listen on a TCP socket to all addresses
; (IPv6 and IPv4-mapped) on a specific port;
; '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory.
listen = /run/php/php7.3-fpm-{{ domain_name }}.sock
; Set listen(2) backlog.
; Default Value: 511 (-1 on FreeBSD and OpenBSD)
;listen.backlog = 511
; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many
; BSD-derived systems allow connections regardless of permissions.
; Default Values: user and group are set as the running user
; mode is set to 0660
listen.owner = nginx
listen.group = nginx
;listen.mode = 0660
; When POSIX Access Control Lists are supported you can set them using
; these options, value is a comma separated list of user/group names.
; When set, listen.owner and listen.group are ignored
;listen.acl_users =
;listen.acl_groups =
; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
; must be separated by a comma. If this value is left blank, connections will be
; accepted from any ip address.
; Default Value: any
;listen.allowed_clients = 127.0.0.1
; Specify the nice(2) priority to apply to the pool processes (only if set)
; The value can vary from -19 (highest priority) to 20 (lower priority)
; Note: - It will only work if the FPM master process is launched as root
; - The pool processes will inherit the master process priority
; unless it specified otherwise
; Default Value: no set
; process.priority = -19
; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user
; or group is differrent than the master process user. It allows to create process
; core dump and ptrace the process for the pool user.
; Default Value: no
; process.dumpable = yes
; Choose how the process manager will control the number of child processes.
; Possible Values:
; static - a fixed number (pm.max_children) of child processes;
; dynamic - the number of child processes are set dynamically based on the
; following directives. With this process management, there will be
; always at least 1 children.
; pm.max_children - the maximum number of children that can
; be alive at the same time.
; pm.start_servers - the number of children created on startup.
; pm.min_spare_servers - the minimum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is less than this
; number then some children will be created.
; pm.max_spare_servers - the maximum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is greater than this
; number then some children will be killed.
; ondemand - no children are created at startup. Children will be forked when
; new requests will connect. The following parameter are used:
; pm.max_children - the maximum number of children that
; can be alive at the same time.
; pm.process_idle_timeout - The number of seconds after which
; an idle process will be killed.
; Note: This value is mandatory.
pm = dynamic
; The number of child processes to be created when pm is set to 'static' and the
; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
; This value sets the limit on the number of simultaneous requests that will be
; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
; CGI. The below defaults are based on a server without much resources. Don't
; forget to tweak pm.* to fit your needs.
; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
; Note: This value is mandatory.
pm.max_children = 5
; The number of child processes created on startup.
; Note: Used only when pm is set to 'dynamic'
; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
pm.start_servers = 2
; The desired minimum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.min_spare_servers = 1
; The desired maximum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.max_spare_servers = 3
; The number of seconds after which an idle process will be killed.
; Note: Used only when pm is set to 'ondemand'
; Default Value: 10s
;pm.process_idle_timeout = 10s;
; The number of requests each child process should execute before respawning.
; This can be useful to work around memory leaks in 3rd party libraries. For
; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
; Default Value: 0
;pm.max_requests = 500
; The URI to view the FPM status page. If this value is not set, no URI will be
; recognized as a status page. It shows the following informations:
; pool - the name of the pool;
; process manager - static, dynamic or ondemand;
; start time - the date and time FPM has started;
; start since - number of seconds since FPM has started;
; accepted conn - the number of request accepted by the pool;
; listen queue - the number of request in the queue of pending
; connections (see backlog in listen(2));
; max listen queue - the maximum number of requests in the queue
; of pending connections since FPM has started;
; listen queue len - the size of the socket queue of pending connections;
; idle processes - the number of idle processes;
; active processes - the number of active processes;
; total processes - the number of idle + active processes;
; max active processes - the maximum number of active processes since FPM
; has started;
; max children reached - number of times, the process limit has been reached,
; when pm tries to start more children (works only for
; pm 'dynamic' and 'ondemand');
; Value are updated in real time.
; Example output:
; pool: www
; process manager: static
; start time: 01/Jul/2011:17:53:49 +0200
; start since: 62636
; accepted conn: 190460
; listen queue: 0
; max listen queue: 1
; listen queue len: 42
; idle processes: 4
; active processes: 11
; total processes: 15
; max active processes: 12
; max children reached: 0
;
; By default the status page output is formatted as text/plain. Passing either
; 'html', 'xml' or 'json' in the query string will return the corresponding
; output syntax. Example:
; http://www.foo.bar/status
; http://www.foo.bar/status?json
; http://www.foo.bar/status?html
; http://www.foo.bar/status?xml
;
; By default the status page only outputs short status. Passing 'full' in the
; query string will also return status for each pool process.
; Example:
; http://www.foo.bar/status?full
; http://www.foo.bar/status?json&full
; http://www.foo.bar/status?html&full
; http://www.foo.bar/status?xml&full
; The Full status returns for each process:
; pid - the PID of the process;
; state - the state of the process (Idle, Running, ...);
; start time - the date and time the process has started;
; start since - the number of seconds since the process has started;
; requests - the number of requests the process has served;
; request duration - the duration in µs of the requests;
; request method - the request method (GET, POST, ...);
; request URI - the request URI with the query string;
; content length - the content length of the request (only with POST);
; user - the user (PHP_AUTH_USER) (or '-' if not set);
; script - the main script called (or '-' if not set);
; last request cpu - the %cpu the last request consumed
; it's always 0 if the process is not in Idle state
; because CPU calculation is done when the request
; processing has terminated;
; last request memory - the max amount of memory the last request consumed
; it's always 0 if the process is not in Idle state
; because memory calculation is done when the request
; processing has terminated;
; If the process is in Idle state, then informations are related to the
; last request the process has served. Otherwise informations are related to
; the current request being served.
; Example output:
; ************************
; pid: 31330
; state: Running
; start time: 01/Jul/2011:17:53:49 +0200
; start since: 63087
; requests: 12808
; request duration: 1250261
; request method: GET
; request URI: /test_mem.php?N=10000
; content length: 0
; user: -
; script: /home/fat/web/docs/php/test_mem.php
; last request cpu: 0.00
; last request memory: 0
;
; Note: There is a real-time FPM status monitoring sample web page available
; It's available in: /usr/share/php/7.3/fpm/status.html
;
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
;pm.status_path = /status
; The ping URI to call the monitoring page of FPM. If this value is not set, no
; URI will be recognized as a ping page. This could be used to test from outside
; that FPM is alive and responding, or to
; - create a graph of FPM availability (rrd or such);
; - remove a server from a group if it is not responding (load balancing);
; - trigger alerts for the operating team (24/7).
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
;ping.path = /ping
; This directive may be used to customize the response of a ping request. The
; response is formatted as text/plain with a 200 response code.
; Default Value: pong
;ping.response = pong
; The access log file
; Default: not set
;access.log = log/$pool.access.log
; The access log format.
; The following syntax is allowed
; %%: the '%' character
; %C: %CPU used by the request
; it can accept the following format:
; - %{user}C for user CPU only
; - %{system}C for system CPU only
; - %{total}C for user + system CPU (default)
; %d: time taken to serve the request
; it can accept the following format:
; - %{seconds}d (default)
; - %{miliseconds}d
; - %{mili}d
; - %{microseconds}d
; - %{micro}d
; %e: an environment variable (same as $_ENV or $_SERVER)
; it must be associated with embraces to specify the name of the env
; variable. Some exemples:
; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
; %f: script filename
; %l: content-length of the request (for POST request only)
; %m: request method
; %M: peak of memory allocated by PHP
; it can accept the following format:
; - %{bytes}M (default)
; - %{kilobytes}M
; - %{kilo}M
; - %{megabytes}M
; - %{mega}M
; %n: pool name
; %o: output header
; it must be associated with embraces to specify the name of the header:
; - %{Content-Type}o
; - %{X-Powered-By}o
; - %{Transfert-Encoding}o
; - ....
; %p: PID of the child that serviced the request
; %P: PID of the parent of the child that serviced the request
; %q: the query string
; %Q: the '?' character if query string exists
; %r: the request URI (without the query string, see %q and %Q)
; %R: remote IP address
; %s: status (response code)
; %t: server time the request was received
; it can accept a strftime(3) format:
; The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
; %T: time the log has been written (the request has finished)
; it can accept a strftime(3) format:
; The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
; %u: remote user
;
; Default: "%R - %u %t \"%m %r\" %s"
;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
; The log file for slow requests
; Default Value: not set
; Note: slowlog is mandatory if request_slowlog_timeout is set
;slowlog = log/$pool.log.slow
; The timeout for serving a single request after which a PHP backtrace will be
; dumped to the 'slowlog' file. A value of '0s' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_slowlog_timeout = 0
; Depth of slow log stack trace.
; Default Value: 20
;request_slowlog_trace_depth = 20
; The timeout for serving a single request after which the worker process will
; be killed. This option should be used when the 'max_execution_time' ini option
; does not stop script execution for some reason. A value of '0' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_terminate_timeout = 0
; Set open file descriptor rlimit.
; Default Value: system defined value
;rlimit_files = 1024
; Set max core size rlimit.
; Possible Values: 'unlimited' or an integer greater or equal to 0
; Default Value: system defined value
;rlimit_core = 0
; Chroot to this directory at the start. This value must be defined as an
; absolute path. When this value is not set, chroot is not used.
; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
; of its subdirectories. If the pool prefix is not set, the global prefix
; will be used instead.
; Note: chrooting is a great security feature and should be used whenever
; possible. However, all PHP paths will be relative to the chroot
; (error_log, sessions.save_path, ...).
; Default Value: not set
;chroot =
; Chdir to this directory at the start.
; Note: relative path can be used.
; Default Value: current directory or / when chroot
;chdir = /var/www
; Redirect worker stdout and stderr into main error log. If not set, stdout and
; stderr will be redirected to /dev/null according to FastCGI specs.
; Note: on highloaded environement, this can cause some delay in the page
; process time (several ms).
; Default Value: no
;catch_workers_output = yes
; Decorate worker output with prefix and suffix containing information about
; the child that writes to the log and if stdout or stderr is used as well as
; log level and time. This options is used only if catch_workers_output is yes.
; Settings to "no" will output data as written to the stdout or stderr.
; Default value: yes
;decorate_workers_output = no
; Clear environment in FPM workers
; Prevents arbitrary environment variables from reaching FPM worker processes
; by clearing the environment in workers before env vars specified in this
; pool configuration are added.
; Setting to "no" will make all environment variables available to PHP code
; via getenv(), $_ENV and $_SERVER.
; Default Value: yes
;clear_env = no
; Limits the extensions of the main script FPM will allow to parse. This can
; prevent configuration mistakes on the web server side. You should only limit
; FPM to .php extensions to prevent malicious users to use other extensions to
; execute php code.
; Note: set an empty value to allow all extensions.
; Default Value: .php
;security.limit_extensions = .php .php3 .php4 .php5 .php7
; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
; the current environment.
; Default Value: clean env
;env[HOSTNAME] = $HOSTNAME
;env[PATH] = /usr/local/bin:/usr/bin:/bin
;env[TMP] = /tmp
;env[TMPDIR] = /tmp
;env[TEMP] = /tmp
; Additional php.ini defines, specific to this pool of workers. These settings
; overwrite the values previously defined in the php.ini. The directives are the
; same as the PHP SAPI:
; php_value/php_flag - you can set classic ini defines which can
; be overwritten from PHP call 'ini_set'.
; php_admin_value/php_admin_flag - these directives won't be overwritten by
; PHP call 'ini_set'
; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
; Defining 'extension' will load the corresponding shared extension from
; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
; overwrite previously defined php.ini values, but will append the new value
; instead.
; Note: path INI options can be relative and will be expanded with the prefix
; (pool, global or /usr)
; Default Value: nothing is defined by default except the values in php.ini and
; specified at startup with the -d argument
;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
;php_flag[display_errors] = off
;php_admin_value[error_log] = /var/log/fpm-php.www.log
;php_admin_flag[log_errors] = on
;php_admin_value[memory_limit] = 32M
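Review bot: the pm.* values committed here (`pm = dynamic`, `pm.max_children = 5`, `pm.start_servers = 2`, `pm.min_spare_servers = 1`, `pm.max_spare_servers = 3`) are the stock low-resource defaults that the file's own comment (`; The below defaults are based on a server without much resources. Don't forget to tweak pm.* to fit your needs.`) says to tune; consider driving them from role variables so each host can be sized rather than hardcoding the upstream defaults. Keeping `;pm.status_path = /status`, `;ping.path = /ping` and `;clear_env = no` commented out is the right choice: the status page's `full` output lists per-process `request URI`, `script` and `user` values, so if it is ever enabled it should be reachable only from the web server's own address, and the default `clear_env = yes` keeps arbitrary environment variables out of the workers. Likewise leaving `security.limit_extensions` at its default of `.php` (rather than the commented `.php3 .php4 .php5 .php7` list) avoids letting the web server hand other extensions to FPM for execution.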

View File

@ -3,7 +3,7 @@
- name: Configure web servers - name: Configure web servers
hosts: web hosts: web
become: yes become: true
roles: roles:
- common - common
- { role: mariadb, when: mariadb_databases is defined} - { role: mariadb, when: mariadb_databases is defined}
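Review bot: `become: yes` to `become: true` matches the truthy-value normalisation that ansible-lint expects, so no concern there; a style nit on the unchanged context line `- { role: mariadb, when: mariadb_databases is defined}` is the missing space before the closing brace, and since the play mixes a bare `- common` entry with an inline flow mapping for `mariadb`, expanding the latter to block style (`- role: mariadb` / `  when: mariadb_databases is defined`) would keep the roles list uniform and easier to diff in future changes.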