Compare commits

...

19 Commits

Author SHA1 Message Date
e06a0c4093 host_vars/web19: WordPress 5.7.1 2021-04-16 19:51:55 +03:00
7ba5afcec4 roles/nginx: Opt out of Google FLoC
Google's new Federated Learning of Cohorts (FLoC) will read users'
browser history and assign them to cohorts to track them unless we
set this header.
2021-04-16 12:41:09 +03:00
d3978e5b07 Pipfile.lock: run pipenv update 2021-04-13 14:28:34 +03:00
4150dac57b roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
2021-04-13 12:11:11 +03:00
58bc9d191f roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
2021-03-24 10:02:43 +02:00
96cefc7f74 roles/nginx: Parameterize HSTS header
This parameterizes the HTTP Strict Transport Security header so we
can use it consistently across all templates. Also, it updates the
max-age to be ~1 year in seconds, which is recommended by Google.

See: https://hstspreload.org/
2021-03-23 15:36:28 +02:00
f85eb2841a roles/nginx: Add webroot to systemd renewal service 2021-03-20 00:18:17 +02:00
5d506ebc65 README.md: Update copyright year 2021-03-20 00:16:16 +02:00
af49f27551 roles/nginx: Update comment in defaults 2021-03-19 23:50:39 +02:00
f341d2e5eb roles/nginx: Remove nginx pre/post hooks
We are now using the well-known webroot.
2021-03-19 23:46:22 +02:00
ceba0ea417 roles/nginx: Use consistent task style 2021-03-19 23:45:41 +02:00
a34cb1e666 roles/nginx: Switch to acme.sh for Let's Encrypt
The certbot-auto client that I've been using for a long time is now
only supported if you install it using snap. I don't use snap on my
systems so I decided to switch to the acme.sh client, which is
implemented in POSIX shell with no dependencies. One bonus of this is
that I can start using ECC certificates.

This also configures the .well-known directory so we can use webroot
when installing and renewing certificates. I have yet to understand
how the renewal works with regards to webroot, though. I may have to
update the systemd timers to point to /var/lib/letsencrypt/.well-known.
2021-03-19 23:39:30 +02:00
65fc52c5e5 roles/nginx: Use variable for nginx_ssl_dhparam
I went years without realizing that I was hard coding the file dest
in this particular task.
2021-03-19 18:13:55 +02:00
7f13c8c675 host_vars/web19: WordPress 3.7 2021-03-19 13:27:34 +02:00
9c36cfb8e5 Pipfile.lock: Run pipenv update 2021-03-19 13:18:19 +02:00
7f72a9eda4 roles/nginx: Use RFC 7919 4096-bit dhparams
Recommended by internet.nl, which made me aware of RFC 7919.

See: https://tools.ietf.org/html/rfc7919#page-14
2021-03-19 13:13:56 +02:00
6e96d48ea6 Pipfile.lock: Run pipenv update
Ansible 3.0.0
2021-03-01 15:27:58 +02:00
db412066b3 roles/mariadb: Only create users on 127.0.0.1 and ::1
A few months ago I disabled hostname lookups so only IP addresses
work now anyway.
2021-02-13 13:11:28 +02:00
63a836e2a7 roles/common: Update Tarsnap GPG key
Apparently this changed since I last ran the tarsnap task.
2021-02-13 12:57:17 +02:00
19 changed files with 7568 additions and 7625 deletions

Pipfile.lock (generated)

@ -18,79 +18,77 @@
"default": { "default": {
"ansible": { "ansible": {
"hashes": [ "hashes": [
"sha256:ae97002e4fb1ed3de947428ff43906c76c66751fe104721cf6b25fa115dbbe8d" "sha256:01774d8b4778844f29920812f0dab7a90c8643e8f826460a941565b2620e5b7d"
], ],
"index": "pypi", "index": "pypi",
"version": "==2.10.6" "version": "==3.2.0"
}, },
"ansible-base": { "ansible-base": {
"hashes": [ "hashes": [
"sha256:33ae323923b841f3d822f355380ce7c92610440362efeed67b4b39db41e555af" "sha256:f45df824051339d8bec32d7ab4e9e676498c05e2d9cfce6d54c9698a577e15e2"
], ],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'",
"version": "==2.10.5" "version": "==2.10.8"
}, },
"cffi": { "cffi": {
"hashes": [ "hashes": [
"sha256:00a1ba5e2e95684448de9b89888ccd02c98d512064b4cb987d48f4b40aa0421e", "sha256:005a36f41773e148deac64b08f233873a4d0c18b053d37da83f6af4d9087b813",
"sha256:00e28066507bfc3fe865a31f325c8391a1ac2916219340f87dfad602c3e48e5d", "sha256:0857f0ae312d855239a55c81ef453ee8fd24136eaba8e87a2eceba644c0d4c06",
"sha256:045d792900a75e8b1e1b0ab6787dd733a8190ffcf80e8c8ceb2fb10a29ff238a", "sha256:1071534bbbf8cbb31b498d5d9db0f274f2f7a865adca4ae429e147ba40f73dea",
"sha256:0638c3ae1a0edfb77c6765d487fee624d2b1ee1bdfeffc1f0b58c64d149e7eec", "sha256:158d0d15119b4b7ff6b926536763dc0714313aa59e320ddf787502c70c4d4bee",
"sha256:105abaf8a6075dc96c1fe5ae7aae073f4696f2905fde6aeada4c9d2926752362", "sha256:1f436816fc868b098b0d63b8920de7d208c90a67212546d02f84fe78a9c26396",
"sha256:155136b51fd733fa94e1c2ea5211dcd4c8879869008fc811648f16541bf99668", "sha256:2894f2df484ff56d717bead0a5c2abb6b9d2bf26d6960c4604d5c48bbc30ee73",
"sha256:1a465cbe98a7fd391d47dce4b8f7e5b921e6cd805ef421d04f5f66ba8f06086c", "sha256:29314480e958fd8aab22e4a58b355b629c59bf5f2ac2492b61e3dc06d8c7a315",
"sha256:1d2c4994f515e5b485fd6d3a73d05526aa0fcf248eb135996b088d25dfa1865b", "sha256:34eff4b97f3d982fb93e2831e6750127d1355a923ebaeeb565407b3d2f8d41a1",
"sha256:2c24d61263f511551f740d1a065eb0212db1dbbbbd241db758f5244281590c06", "sha256:35f27e6eb43380fa080dccf676dece30bef72e4a67617ffda586641cd4508d49",
"sha256:51a8b381b16ddd370178a65360ebe15fbc1c71cf6f584613a7ea08bfad946698", "sha256:3d3dd4c9e559eb172ecf00a2a7517e97d1e96de2a5e610bd9b68cea3925b4892",
"sha256:594234691ac0e9b770aee9fcdb8fa02c22e43e5c619456efd0d6c2bf276f3eb2", "sha256:43e0b9d9e2c9e5d152946b9c5fe062c151614b262fda2e7b201204de0b99e482",
"sha256:5cf4be6c304ad0b6602f5c4e90e2f59b47653ac1ed9c662ed379fe48a8f26b0c", "sha256:48e1c69bbacfc3d932221851b39d49e81567a4d4aac3b21258d9c24578280058",
"sha256:64081b3f8f6f3c3de6191ec89d7dc6c86a8a43911f7ecb422c60e90c70be41c7", "sha256:51182f8927c5af975fece87b1b369f722c570fe169f9880764b1ee3bca8347b5",
"sha256:6bc25fc545a6b3d57b5f8618e59fc13d3a3a68431e8ca5fd4c13241cd70d0009", "sha256:58e3f59d583d413809d60779492342801d6e82fefb89c86a38e040c16883be53",
"sha256:798caa2a2384b1cbe8a2a139d80734c9db54f9cc155c99d7cc92441a23871c03", "sha256:5de7970188bb46b7bf9858eb6890aad302577a5f6f75091fd7cdd3ef13ef3045",
"sha256:7c6b1dece89874d9541fc974917b631406233ea0440d0bdfbb8e03bf39a49b3b", "sha256:65fa59693c62cf06e45ddbb822165394a288edce9e276647f0046e1ec26920f3",
"sha256:7ef7d4ced6b325e92eb4d3502946c78c5367bc416398d387b39591532536734e", "sha256:69e395c24fc60aad6bb4fa7e583698ea6cc684648e1ffb7fe85e3c1ca131a7d5",
"sha256:840793c68105fe031f34d6a086eaea153a0cd5c491cde82a74b420edd0a2b909", "sha256:6c97d7350133666fbb5cf4abdc1178c812cb205dc6f41d174a7b0f18fb93337e",
"sha256:8d6603078baf4e11edc4168a514c5ce5b3ba6e3e9c374298cb88437957960a53", "sha256:6e4714cc64f474e4d6e37cfff31a814b509a35cb17de4fb1999907575684479c",
"sha256:9cc46bc107224ff5b6d04369e7c595acb700c3613ad7bcf2e2012f62ece80c35", "sha256:72d8d3ef52c208ee1c7b2e341f7d71c6fd3157138abf1a95166e6165dd5d4369",
"sha256:9f7a31251289b2ab6d4012f6e83e58bc3b96bd151f5b5262467f4bb6b34a7c26", "sha256:8ae6299f6c68de06f136f1f9e69458eae58f1dacf10af5c17353eae03aa0d827",
"sha256:9ffb888f19d54a4d4dfd4b3f29bc2c16aa4972f1c2ab9c4ab09b8ab8685b9c2b", "sha256:8b198cec6c72df5289c05b05b8b0969819783f9418e0409865dac47288d2a053",
"sha256:a5ed8c05548b54b998b9498753fb9cadbfd92ee88e884641377d8a8b291bcc01", "sha256:99cd03ae7988a93dd00bcd9d0b75e1f6c426063d6f03d2f90b89e29b25b82dfa",
"sha256:a7711edca4dcef1a75257b50a2fbfe92a65187c47dab5a0f1b9b332c5919a3fb", "sha256:9cf8022fb8d07a97c178b02327b284521c7708d7c71a9c9c355c178ac4bbd3d4",
"sha256:af5c59122a011049aad5dd87424b8e65a80e4a6477419c0c1015f73fb5ea0293", "sha256:9de2e279153a443c656f2defd67769e6d1e4163952b3c622dcea5b08a6405322",
"sha256:b18e0a9ef57d2b41f5c68beefa32317d286c3d6ac0484efd10d6e07491bb95dd", "sha256:9e93e79c2551ff263400e1e4be085a1210e12073a31c2011dbbda14bda0c6132",
"sha256:b4e248d1087abf9f4c10f3c398896c87ce82a9856494a7155823eb45a892395d", "sha256:9ff227395193126d82e60319a673a037d5de84633f11279e336f9c0f189ecc62",
"sha256:ba4e9e0ae13fc41c6b23299545e5ef73055213e466bd107953e4a013a5ddd7e3", "sha256:a465da611f6fa124963b91bf432d960a555563efe4ed1cc403ba5077b15370aa",
"sha256:c6332685306b6417a91b1ff9fae889b3ba65c2292d64bd9245c093b1b284809d", "sha256:ad17025d226ee5beec591b52800c11680fca3df50b8b29fe51d882576e039ee0",
"sha256:d5ff0621c88ce83a28a10d2ce719b2ee85635e85c515f12bac99a95306da4b2e", "sha256:afb29c1ba2e5a3736f1c301d9d0abe3ec8b86957d04ddfa9d7a6a42b9367e396",
"sha256:d9efd8b7a3ef378dd61a1e77367f1924375befc2eba06168b6ebfa903a5e59ca", "sha256:b85eb46a81787c50650f2392b9b4ef23e1f126313b9e0e9013b35c15e4288e2e",
"sha256:df5169c4396adc04f9b0a05f13c074df878b6052430e03f50e68adf3a57aa28d", "sha256:bb89f306e5da99f4d922728ddcd6f7fcebb3241fc40edebcb7284d7514741991",
"sha256:ebb253464a5d0482b191274f1c8bf00e33f7e0b9c66405fbffc61ed2c839c775", "sha256:cbde590d4faaa07c72bf979734738f328d239913ba3e043b1e98fe9a39f8b2b6",
"sha256:ec80dc47f54e6e9a78181ce05feb71a0353854cc26999db963695f950b5fb375", "sha256:cd2868886d547469123fadc46eac7ea5253ea7fcb139f12e1dfc2bbd406427d1",
"sha256:f032b34669220030f905152045dfa27741ce1a6db3324a5bc0b96b6c7420c87b", "sha256:d42b11d692e11b6634f7613ad8df5d6d5f8875f5d48939520d351007b3c13406",
"sha256:f60567825f791c6f8a592f3c6e3bd93dd2934e3f9dac189308426bd76b00ef3b", "sha256:f2d45f97ab6bb54753eab54fffe75aaf3de4ff2341c9daee1987ee1837636f1d",
"sha256:f803eaa94c2fcda012c047e62bc7a51b0bdabda1cad7a92a522694ea2d76e49f" "sha256:fd78e5fee591709f32ef6edb9a015b4aa1a5022598e36227500c8f4e02328d9c"
], ],
"version": "==1.14.4" "version": "==1.14.5"
}, },
"cryptography": { "cryptography": {
"hashes": [ "hashes": [
"sha256:0003a52a123602e1acee177dc90dd201f9bb1e73f24a070db7d36c588e8f5c7d", "sha256:0f1212a66329c80d68aeeb39b8a16d54ef57071bf22ff4e521657b27372e327d",
"sha256:0e85aaae861d0485eb5a79d33226dd6248d2a9f133b81532c8f5aae37de10ff7", "sha256:1e056c28420c072c5e3cb36e2b23ee55e260cb04eee08f702e0edfec3fb51959",
"sha256:594a1db4511bc4d960571536abe21b4e5c3003e8750ab8365fafce71c5d86901", "sha256:240f5c21aef0b73f40bb9f78d2caff73186700bf1bc6b94285699aff98cc16c6",
"sha256:69e836c9e5ff4373ce6d3ab311c1a2eed274793083858d3cd4c7d12ce20d5f9c", "sha256:26965837447f9c82f1855e0bc8bc4fb910240b6e0d16a664bb722df3b5b06873",
"sha256:788a3c9942df5e4371c199d10383f44a105d67d401fb4304178020142f020244", "sha256:37340614f8a5d2fb9aeea67fd159bfe4f5f4ed535b1090ce8ec428b2f15a11f2",
"sha256:7e177e4bea2de937a584b13645cab32f25e3d96fc0bc4a4cf99c27dc77682be6", "sha256:3d10de8116d25649631977cb37da6cbdd2d6fa0e0281d014a5b7d337255ca713",
"sha256:83d9d2dfec70364a74f4e7c70ad04d3ca2e6a08b703606993407bf46b97868c5", "sha256:3d8427734c781ea5f1b41d6589c293089704d4759e34597dce91014ac125aad1",
"sha256:84ef7a0c10c24a7773163f917f1cb6b4444597efd505a8aed0a22e8c4780f27e", "sha256:7ec5d3b029f5fa2b179325908b9cd93db28ab7b85bb6c1db56b10e0b54235177",
"sha256:9e21301f7a1e7c03dbea73e8602905a4ebba641547a462b26dd03451e5769e7c", "sha256:8e56e16617872b0957d1c9742a3f94b43533447fd78321514abbe7db216aa250",
"sha256:9f6b0492d111b43de5f70052e24c1f0951cb9e6022188ebcb1cc3a3d301469b0", "sha256:de4e5f7f68220d92b7637fc99847475b59154b7a1b3868fb7385337af54ac9ca",
"sha256:a69bd3c68b98298f490e84519b954335154917eaab52cf582fa2c5c7efc6e812", "sha256:eb8cc2afe8b05acbd84a43905832ec78e7b3873fb124ca190f574dca7389a87d",
"sha256:b4890d5fb9b7a23e3bf8abf5a8a7da8e228f1e97dc96b30b95685df840b6914a", "sha256:ee77aa129f481be46f8d92a1a7db57269a2f23052d5f2433b4621bb457081cc9"
"sha256:c366df0401d1ec4e548bebe8f91d55ebcc0ec3137900d214dd7aac8427ef3030",
"sha256:dc42f645f8f3a489c3dd416730a514e7a91a59510ddaadc09d04224c098d3302"
], ],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4, 3.5'", "markers": "python_version >= '3.6'",
"version": "==3.3.1" "version": "==3.4.7"
}, },
"jinja2": { "jinja2": {
"hashes": [ "hashes": [
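Review bot: the marker change on cryptography, from `python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4, 3.5'` to `python_version >= '3.6'`, means this lock no longer installs on Python 2.7 or 3.5 control nodes, and neither "Pipfile.lock: run pipenv update" nor "Ansible 3.0.0" says so; state the new interpreter floor in the commit message and check that the `python_version` requirement in the Pipfile (not part of this diff) agrees. The ansible bump from `==2.10.6` to `==3.2.0` is a major-version change folded into the same routine update and deserves the same one-line mention.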
@ -196,26 +194,26 @@
"sha256:5accb17103e43963b80e6f837831f38d314a0495500067cb25afab2e8d7a4018", "sha256:5accb17103e43963b80e6f837831f38d314a0495500067cb25afab2e8d7a4018",
"sha256:607774cbba28732bfa802b54baa7484215f530991055bb562efbed5b2f20a45e", "sha256:607774cbba28732bfa802b54baa7484215f530991055bb562efbed5b2f20a45e",
"sha256:6c78645d400265a062508ae399b60b8c167bf003db364ecb26dcab2bda048253", "sha256:6c78645d400265a062508ae399b60b8c167bf003db364ecb26dcab2bda048253",
"sha256:72a01f726a9c7851ca9bfad6fd09ca4e090a023c00945ea05ba1638c09dc3347",
"sha256:74c1485f7707cf707a7aef42ef6322b8f97921bd89be2ab6317fd782c2d53183", "sha256:74c1485f7707cf707a7aef42ef6322b8f97921bd89be2ab6317fd782c2d53183",
"sha256:895f61ef02e8fed38159bb70f7e100e00f471eae2bc838cd0f4ebb21e28f8541",
"sha256:8c1be557ee92a20f184922c7b6424e8ab6691788e6d86137c5d93c1a6ec1b8fb", "sha256:8c1be557ee92a20f184922c7b6424e8ab6691788e6d86137c5d93c1a6ec1b8fb",
"sha256:bb4191dfc9306777bc594117aee052446b3fa88737cd13b7188d0e7aa8162185", "sha256:bb4191dfc9306777bc594117aee052446b3fa88737cd13b7188d0e7aa8162185",
"sha256:bfb51918d4ff3d77c1c856a9699f8492c612cde32fd3bcd344af9be34999bfdc",
"sha256:c20cfa2d49991c8b4147af39859b167664f2ad4561704ee74c1de03318e898db", "sha256:c20cfa2d49991c8b4147af39859b167664f2ad4561704ee74c1de03318e898db",
"sha256:cb333c16912324fd5f769fff6bc5de372e9e7a202247b48870bc251ed40239aa",
"sha256:d2d9808ea7b4af864f35ea216be506ecec180628aced0704e34aca0b040ffe46", "sha256:d2d9808ea7b4af864f35ea216be506ecec180628aced0704e34aca0b040ffe46",
"sha256:d483ad4e639292c90170eb6f7783ad19490e7a8defb3e46f97dfe4bacae89122",
"sha256:dd5de0646207f053eb0d6c74ae45ba98c3395a571a2891858e87df7c9b9bd51b", "sha256:dd5de0646207f053eb0d6c74ae45ba98c3395a571a2891858e87df7c9b9bd51b",
"sha256:e1d4970ea66be07ae37a3c2e48b5ec63f7ba6804bdddfdbd3cfd954d25a82e63", "sha256:e1d4970ea66be07ae37a3c2e48b5ec63f7ba6804bdddfdbd3cfd954d25a82e63",
"sha256:e4fac90784481d221a8e4b1162afa7c47ed953be40d31ab4629ae917510051df", "sha256:e4fac90784481d221a8e4b1162afa7c47ed953be40d31ab4629ae917510051df",
"sha256:fa5ae20527d8e831e8230cbffd9f8fe952815b2b7dae6ffec25318803a7528fc" "sha256:fa5ae20527d8e831e8230cbffd9f8fe952815b2b7dae6ffec25318803a7528fc",
"sha256:fd7f6999a8070df521b6384004ef42833b9bd62cfee11a09bda1079b4b704247",
"sha256:fdc842473cd33f45ff6bce46aea678a54e3d21f1b61a7750ce3c498eedfe25d6",
"sha256:fe69978f3f768926cfa37b867e3843918e012cf83f680806599ddce33c2c68b0"
], ],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4, 3.5'", "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4, 3.5'",
"version": "==5.4.1" "version": "==5.4.1"
},
"six": {
"hashes": [
"sha256:30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259",
"sha256:8b74bedcbbbaca38ff6d7491d76f2b06b3592611af620f8426e82dddb04a5ced"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==1.15.0"
} }
}, },
"develop": {} "develop": {}
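Review bot: the `"version": "==5.4.1"` pin is unchanged while its hash list changes (five sha256 values drop out, three are added), and pipenv gives no reason for that; additional wheels uploaded for the same release is the benign explanation, but a substituted artifact would produce exactly this diff, so confirm the added hashes against the release files listed on PyPI before merging. The `six` `==1.15.0` entry disappears entirely, which is expected if nothing left in the lock requires it (cryptography `==3.4.7` replaces `==3.3.1` in the same update), but it is worth noting in the commit message alongside the version bumps.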

README.md

@ -25,7 +25,7 @@ Once you've satisfied the the above assumptions, you can execute:
- Switch from `cron-apt` to [`unattended-upgrades`](https://wiki.debian.org/UnattendedUpgrades) - Switch from `cron-apt` to [`unattended-upgrades`](https://wiki.debian.org/UnattendedUpgrades)
## License ## License
Copyright (C) 20142020 Alan Orth Copyright (C) 20142021 Alan Orth
The contents of this repository are free software: you can redistribute The contents of this repository are free software: you can redistribute
it and/or modify it under the terms of the GNU General Public License it and/or modify it under the terms of the GNU General Public License
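Review bot: the unchanged context in the hunk header reads "satisfied the the above assumptions"; since README.md is already being edited for the copyright year, fold the duplicated "the" into this commit. Also confirm the separator between 2014 and 2021 is present in the file, as the rendered diff shows the years run together (20142021).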


@ -1,111 +1,119 @@
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
66313066303030333063353236313063303262626561316535646263633936336534356437353265 35373333633865326230626536646430383333343435616235343963643061393332616135643163
3432356362393665303438333166643066666164363861610a643434356531666366393936353233 6131393561363934306564656262306662313962633134310a653163613663376230653830363534
37353036656435616361613164323038663364666464373964653337396465373061666533373938 61343934636265313664646264373665646337376539626231373930383234333762353964343032
6536323936393135370a666134613830306533623365363933376631313534326265666634366235 3735636262363534310a303534323963613830316133393738366637653164396637306435643461
36623637383636396437333735336238343434353733303764326237303033303562353237353165 63373433366235303331336461376232316532613630616464303436373865396165303430343461
31653866633363623764353533356262643239613531643039393335313731383038343638663830 34323033386232623133383964303466373939376339336262323762633331613165336461643238
36356139336363343437666230656366636132613531613339353962373435643563313734646135 63326162653564626336643237613435313031633434653539323264663034656536316433646635
61613330323938363063313430343738306536636233353963636665393132643162303562666531 30363730366466623261343636633461643335353739323163333239366231653033396239306637
61343365326634303730656133633632353936386431303631363731313730666132656334353731 61353965643538306136623337653430373964326139303566353437366236356461376435646638
33616537313230666462653165643535386134663166346262363535383365616431613838383863 34323136386230313634393131373266303832643030313761353966346363613032366436613964
65326163303966373938653033613238326634393166643630316230613065353437306237313933 61393038656237393938346530386536383239346533336334643339653932366364663838616530
65366131396266393236373162343866383565633030356465613461353131643562343630336566 35326536646234626632343339303131626166376136646638313662626661636238376237393039
30633534636634616666616462383136373830623137396366626639373230373834316563343464 32623831396438663164323532636631316264393635396563336135373436643230353364643466
38303333366166323238346237646165383633383264333431663530326462323432366332333630 62636464613631393462376531326534613031616337373937323062663731666163393661626533
62633132666439313034616465663861323064646564303963633565353734353665313138373636 36626538386239656163383832353439656563343432373263613862363762646633636162656366
34653639353333373737613238626535356333633833363737646330643163326131386364646365 37613739653166663932323137383232626264373631316163656239336165343966393666363763
64356435636635663737376239313236356361363061313731626230366336326535663866373231 39623133303735343561343138386433323337313039383864613937323734336338646636393539
37623262613135636538343934336262633662383266653238613965356639626339303437306633 33333034386138396262356338306630393138653333613766666631333536383731613666323666
38373837653737313465376231363637353561303937336138343465376638326163643065336462 32346139313238373336393263363865366439613036633138373231333138313161363434313063
61633236373737363633646135396565303835643336393763393933613964663435306336346636 65376165323732333332386332303235343363316130376236306238366466356437633837656538
38316231383363616533616437366362376664393135623765646330323161366134323263376466 39323130666338376361393861663239323933353764666436396134633764383835376437373830
31386332333565643764343863353039313466643962373736643533666562353766383862326134 37666665383264336266306161336162316632316336373034613336366666376431643438346532
31633366636365313231366337313334333130373833656135396262373136393135353039623739 39373063663037373132633932663564313230343230303531303762396234656636343964623030
63626463636237633963323739303961663632376330336236663134666461383965303861333835 31616237633664636436643734303464306138623639383261303339383265323834666339383265
38663337393930383834653936636365663966333033346562356331306430306338333761353762 39356139306632623937356532396439373933623335303132363564663635373336363165303839
38363733356262363161353135633836336363376232326261623264623338663230663838386330 32356666326432336235656430323637313035663030393263376430613038666166363563306336
35353762393839646338366365313763346339666433306532353530353261363838356639623436 37383935306462663066373763313335356665323537333538643237313763366334633763303337
62306437616630663039653862393466353933333763386163373035373335343834663439633039 36333536653239383033646433323164316239373131623338386533663763316538623230396463
34613463303436366631396462363866656533343063356265333539353038326637613063326164 38666131376538343731633336666438646631373937643466373434653034313864646430656138
62663833363165643436343538666565386561383335393964313839626237623031343564656632 64653332393165306238633865306432643936303236643338313333383730353938386664353835
35613534636437306463373466653431336562303132313462326233663561343837323331353035 37386438323739643836356664366334376638313962326266346462336135363035373036373438
33303336356237306464363564666136633230396635623066376564373737353335356432343231 63613230313733353230303765636564396662656431643538386239353839666634623734636630
66633735316466633039663338316566343739373664316335366462356237366139363731643366 32646538366231303439363435623264633765393831616139613933363165343533643066663835
33353039373665333232383235303932623435366638313465396333316565646134343463336330 37623533366662383232316430383164386165343737663632336536656165653066306561356537
65306334623631386364353364313638643930306265343363666366663164643435333834376439 37316266366233383535666661626566303965666130376232666632623665633665663565356332
64396434366362343733323366343232653930646565313762376436663965626562636238623066 38643861333234343439323630323234383566303539656161643366383662626138306330643338
63303236326362323966666630343136336563343564393833636465333832396666396638653661 39323262383133353433343631626333663338623335646134343761313865393932343738663730
61323561393563326437386462656266303830353730313839613136656331323938616631386235 39316663393262646363393037643032663834366330346534643033306636636338616132343162
30633730303838313038313263363363633136623861326662623366613461343133356261633030 35646664646561353238343362373566666664656431623135303730626637303830316331303363
34333732343037396131343764366535343639326333353036353038656533333339306363653435 34376262336634303232646462663337323461653865333830616338346333636166366561363439
39656166393265356338656631353065653630303237663761386332323530663966343864663438 38643662363137333436323536376233366533383563613537366339663764346233353236396231
65356365386131333236396234623537323062363539383061323832363563326435306465663234 66663762666632343266326261396432323861356238376437626231306563316638323934356235
66316638376436613265353662646264666138666165343763393330613765346163356138616633 31393862323930366530353962373338303662393737613330366535313964303266626437313539
66373338393163333435666236386239663735653135386532633135646539316665313036323763 31356133633032336630353439343433636366653662636365383531303038376634393134666562
38666464363432656534313263306266323066646133353765386463343264633131633936373036 62316462346662313866316336666636623763633866656665353634333431343330633837316338
31326138633131393962633861333036373537366163613562383033336333616130636435326331 65663431343234663131636637316166386538623638306230626338623166363036643838373538
66653766653065306164613335623933616135393335383438356337633239363131303237653566 62353631303338303566386134306432326439306164333866326336346234356531663766393166
62636263383236656136376237646363363234363232643636623333396531363461303538373662 38343131323134396633363463343466366233353366303033623539353832366131646233636635
36313537393238626337613964623731666261316366346666323261386661643035353164613637 39326436393034316531363633363061393336643936653637623763333639633431313730333031
32303061336363306335306431613263646266303038323739636662326465303961616339333461 31343063323763633932346263393837366436333131643961373537353062353331306462646333
65626263366333333562386461636231636438623966626136663932303035343531363234356663 61363831623337356635616465653834386131346138626633626534373161333464616436343132
37313661353764343764396666633666613238323638646233353138383638353938303933396431 31333462303630393634626230666635356663656465366534656137316336383337663838396661
65366564353533363039383838313562663561633434393833636365303561333534393930653630 66366633623863353265343165383935303035663066306261346563663530356364623238303037
63663464613334623864313663383630353166363862373132343532393135313666626464376436 38396234646662333039643839636334623065663065343331613966626265393136313462326133
34616566663764363566663530646638363338653538353661393835383035346236646233363564 35633463326537306234656461343162393864393235333234636666633064383538633439653064
34656165303737326261353032363435333731363031343366353863313138653865346535636564 66396537336362343065303862653961613663373162306536363539636637383466656136376461
31393134336534616161303132353764343833636465356661376638633163643739383830616534 65323836316466626333633534303365356364633766363834393263373831376466336364656664
65386262663734356134303039623265303935363764623537326565633030613465666435636232 65363534633639666465383965313835613938626331633334396539393435393566643630363364
61623334393734616262613232306339396639643636373762653738333463616361653430656438 32613839653166656532363135393237316139623863643830616466613233316462333438623438
63316265303634323033303330353232636136333863366261656532383065313334386335666636 38343136323334333364373561366230616430373365623866383366653636356663393231616665
34303564636333356364663565333932343064333266383638663365366636643866353132373966 31646561303565653130323062343966633839666661633862653066383637333934666238616663
66336563346233656531643735663062393630616537656264323136353266623161353261333239 65626263336662323261333039313630396134616330643662353534396563336339316465636430
33636563376566333331366336353338343730383962653138636535623039643461303763333961 32633664356466356462633837656134623138383232633837346637323133623861373166646265
63373264333037653563643937373664373665343136396635316634613632653232353033666266 63353862356563623565373262666463386432623664343262383832386437336161373234623564
31333064623765326536386630353435333438326232633565663531303730636530386564366633 39633232323330343134643366366330376565613333386265303965316266636137613531336536
63326335333639376266396562343838636430643664303737373565363635643037616231393665 33663039343832326134343864643866333035363038643837333337653938383965643461353630
36636337633564373561343266666632656235646662633965663733383731633832373334646335 38386136373561323234326163353831313832363736646132303134623433626564346138376235
34396163636635633637393834396566663062633135383330396564656536333330623737636332 36346263326261643839373666303438326566333934346135643130393636363434663836376238
36646362623131366166626639386238616566323135323334636638393934663336663532306336 61313834383164656132653930643433303136393232353463633635323964383263303030313464
38396634393433623963316261303061616634333566306239366666373238376466633166623464 37316634646334666565366436306563356533653466363262613930306434643465393261353232
33313538663838373465626638316432613135386262376233633362616463623363646433353666 37373236353461326330353036383338616232626464363231343436363761356263333235333762
32633838303837656335333336353564343461373236353736623032663139333338646463323533 66313537373466636362346162376432346264336461653465356563643631346238623038626435
65326131616433666563343163663462393235366135633661366564623662303932626164366632 63346434613566663937343339653237653631356563663161386631343331336564393164356166
38306430356238633162656337303536663065653639353562343965663366373861646162653562 30346566326637326634316530633734383832626436326131366433653961303637613566653135
62306236326163393336643232663336656637623539353835613536653164393038623966316433 36323333653764373138386365633961323930613535356565333535306430626365383135383332
32623462343037616465623736306530633736623061343430356638633530313331306363323837 39373139326234353763323265376330383332666137666263656637393230346637616630306437
63396263393136363137643632623938316363386238346237333862303735363065386633366263 66663332333036643837343065353663333733643337383436343866353431353164323039363634
31313834646239323631393335633534383930373630663538653864383930666465653731616263 33333739633635336230316638396635666366313161333532653931386138396134373633633137
35333830633430343436646266663231303466343138643338343634346133613666613734313037 63633432316263636135356232653861353335666264393334373162633531343862666534643062
34383931643631633539346262653631336565623366343564303332333831346436373162356362 30383563356463303730366330636334616533343762346162623437396664646235326135633630
66383864313732303962653662333036373239343335623765616536306465623030393138663838 62626461656232316539393862656431623766396637343734363831343166643339643638336663
30313861636631393462653836626164373034666533323338383262393132396436666639363262 61323430663864653431363936393132616462356436323239623035653362653033303533633239
39356132343939366534666665393231346566663432653236376333323363643166393431316161 38323164663966623366346666376130323937663564333732626362323734363533316265386339
33343666316138353333346263346266343731613065356631336231373266343338393939663038 31323837313730383635363133363262316232306634346436306461373837356561636633626239
35343235393563623434313266306163323266346662623063353631663433646436613130636663 34633064646435353936306432303534393135316563613034663961653838303036383439373937
38356335616438633638383236333131663163613436303934386335363432323063303234383331 61613061623335303161343766323064616435303236353639353766353038313232366337386432
34636432653262643438653931313233626462623034346137303738643932353334373531303439 61643564633635633765383135303231343230643439393234366232393164663363646139626533
30366233373535343431373365393566383538363763313036623262343066346236303061326631 65653965626337353530323738346633663861333936623832646536643935623465343964623163
64376463336538363132656464666365343861393330313637356237666361343666633436346534 66626130353663313863663735626438323232353662666334623431353965313536336465663436
33636332386336646333616330613738343264626438613135313962336534373130316330366233 38663534643662303564656237623235313333326135393936303762646464633765623164346361
30316333636564326165663565666361643430656366393939616538323530383632636661326331 65396236656565626431656437303636376561383637623732313435373162366135373336373638
35366663646533313034333764626237623637363164356163636432653765656439326438383134 39386265643464323638623663343533343936316664356439343432396430353535353439373937
62623638633934336334393636333336633164343066336161333138653637333435306230653865 62363039646430353463623135393332613937343931323363643933383933663238613236376435
35363032393633623331363933373463623032333361616365373037666333643634343963663835 66626166326439666539643563356533646630653733663036663832303437353937353630393766
34363033363731346663643363383965336536353332646262326136353965353137383737336165 37623237626239393561353566623934373064626361366164313664386630383661336537666639
33613733656463376333376264633935373239363337323538356636636439393564373332323031 62663261363739656265356265616432643135626263326639653433646131623661383937623163
31623733663530326632373235313830396133373430613061613438653336653462316336623438 34356438346438376162663436303037356633396631353662393662623061376539613462356561
30343032346133363830656231663966653734326635333831626639393666303033653437326238 36323639366632383536316265663766613431313862373565653732306530363736313563353537
65333566643066393331323466366662383135383734313537663664376161323265613436653535 33663637366439383963643563643333383139306362386233653465306131373562353465373837
63643832616663303632623433636161333339376635333635626137326662396562633830343337 30356466383561376438323436396334636361316234393762656264373136306362353763373339
65376165376564396433343736313134656332383533356138383039386266636238613936653962 34353730313964313831363334376332633230633366396262646333346532666135333137613164
32373337346335383136303838343034376432363436356465613836366230313463303239373531 34626264363530366431623663363036646537623364323064663931636638613637316564626238
65383334646431346565656638353537333765623430333133663663326134646566306137643663 65333036356431613038376162313939633839663130613265663438356434633730336638336263
65643338386439666636376461356466396261326165333030623633613364343631343830653939 33666561376237333930363138663964343331356139616131383133343830326634653264326530
64323266626131666332666433386434313936306361633164373532626231366234623735333932 36663431653331616330633439346334316339643161653536363862616136396632666639313339
62306362346164336433336139313561366162303666353635653634396139313734626463663735 62633161323030653065326637363332353465663664373764653464353732656333653766626538
38306466626237626634666138363665326636316563356431333432313534363638613833613539 63373931636235646636306161393839356432396439376339363231623035616564623933633335
38306237353764376462323238663034646662393433623830616361623735343162666465626230 63303265653231393436383834353163613638336335326437383235633534333161353163656536
30633731323939633265323338373537383261333235303262633336636433316339383433653861 30666130613831326134353866383730623234396537616261396334323539333763636665303233
3861653261646632636364623830626561393864666135346634 65336631643363336535306530306436323038653531363666316438616166333539376630363836
34383465663639316262313763353035373836383961393735326238613338663766333433373032
63333361373161656164666461646266373233653865303564643634333066343836316232623139
30626432396335666436386634663534396264613331666537396431643730333966386363386366
64633530366330623766323063636134626564393434313535393461666239336132373861646532
37653766313438633037386437323236613763653238373239373736333034346432316633653766
62303635356664326230323535663137653834313738346139346262633831633664636232626463
36303336643164656463396130336237313932333830323961663064313334626561316231626364
3566646131386363613137353736613630653330633138356336
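Review bot: this hunk is made up entirely of hex-only lines (encrypted content), so the actual change to the file cannot be assessed from the diff; for files stored this way the commit message should say what was changed, or reviewers should use a local textconv filter that decrypts before diffing, since a wholesale replacement of ciphertext hides both the intended edit and any accidental one.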

File diff suppressed because it is too large


@ -3,12 +3,15 @@
<option name="family" value="inet6" /> <option name="family" value="inet6" />
<short>abusers-ipv6</short> <short>abusers-ipv6</short>
<description>A list of abusive IPv6 addresses.</description> <description>A list of abusive IPv6 addresses.</description>
<entry>2001:41d0:1:f934::1</entry> <entry>2001:19f0:200:3191:225:90ff:fe88:27a8</entry>
<entry>2001:41d0:602:238d::</entry> <entry>2001:41d0:2:5137::</entry>
<entry>2001:41d0:a:2a31::</entry> <entry>2402:1f00:8101:4::</entry>
<entry>2400:6180:0:d1::476:7001</entry> <entry>2604:2dc0:200:1424::</entry>
<entry>2402:1f00:8001:8bd::</entry> <entry>2604:a880:0:1010::76:f001</entry>
<entry>2604:a880:800:10::5bf:2001</entry> <entry>2607:5300:60:2540::</entry>
<entry>2a00:d680:20:50::bcb2</entry> <entry>2607:f1c0:842:3400::5c:29d</entry>
<entry>2a02:2168:a01:33ee::1</entry> <entry>2a00:d680:20:50::cdb4</entry>
<entry>2a01:4f8:192:62c7::2</entry>
<entry>2a01:4f8:251:15ea::2</entry>
<entry>2a04:3543:1000:2310:cc4:41ff:fe7a:54cc</entry>
</ipset> </ipset>
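Review bot: the replaced entries carry no indication of when or how they were generated; the unchanged `<description>A list of abusive IPv6 addresses.</description>` could record the source, the confidence threshold and the fetch date so stale entries can be recognized later, since a firewall block list built from a third-party reputation feed is only as good as its last refresh.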


@ -5,7 +5,7 @@
when: ansible_architecture != 'armv7l' when: ansible_architecture != 'armv7l'
- name: Add GPG key for Tarsnap - name: Add GPG key for Tarsnap
apt_key: id=0xFC72A10BF6B692AA url=https://pkg.tarsnap.com/tarsnap-deb-packaging-key.asc state=present apt_key: id=0xBF75EEAB040E447C url=https://pkg.tarsnap.com/tarsnap-deb-packaging-key.asc state=present
register: add_tarsnap_apt_key register: add_tarsnap_apt_key
- name: Update apt cache - name: Update apt cache
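Review bot: the Tarsnap signing key id changes from 0xFC72A10BF6B692AA to 0xBF75EEAB040E447C, but the old key is not removed, so hosts provisioned earlier keep trusting both keys; add a task with `apt_key: id=0xFC72A10BF6B692AA state=absent` if the old key is retired, and note in a comment where the new key's fingerprint was verified, because `apt_key` with `url=` trusts whatever the URL serves at fetch time.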


@ -34,10 +34,8 @@
- name: Update MariaDB root password for all root accounts - name: Update MariaDB root password for all root accounts
mysql_user: name=root host={{ item }} password={{ mariadb_root_password }} login_unix_socket={{ mariadb_login_unix_socket }} mysql_user: name=root host={{ item }} password={{ mariadb_root_password }} login_unix_socket={{ mariadb_login_unix_socket }}
loop: loop:
- "{{ inventory_hostname }}"
- 127.0.0.1 - 127.0.0.1
- ::1 - ::1
- localhost
tags: mariadb tags: mariadb
- name: Create .my.conf file with root credentials - name: Create .my.conf file with root credentials
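Review bot: dropping `{{ inventory_hostname }}` and `localhost` from the loop leaves the root@localhost password unmanaged by this task; that is reasonable if root@localhost authenticates via the unix socket (the task itself logs in with `login_unix_socket`), but a comment stating that assumption would keep someone from re-adding it, and any root@<hostname> accounts that exist on older hosts are now neither updated nor removed.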


@ -20,15 +20,22 @@ nginx_ssl_protocols: 'TLSv1.2 TLSv1.3'
# See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling # See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
nginx_ssl_stapling_resolver: '1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]' nginx_ssl_stapling_resolver: '1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]'
# install certbot + dependencies? # HTTP Strict-Transport-Security header, recommended by Google to be ~1 year
# in seconds, see: https://hstspreload.org/
nginx_hsts_max_age: 31536000
# install acme.sh?
# True unless you're in development and using "localhost" + snakeoil certs # True unless you're in development and using "localhost" + snakeoil certs
use_letsencrypt: True use_letsencrypt: True
# Directory root for Let's Encrypt certs # Directory root for Let's Encrypt certs
letsencrypt_root: /etc/letsencrypt/live letsencrypt_root: /etc/ssl
# Location of Let's Encrypt's certbot script # Location where to save initial acme.sh script. After installation the script
letsencrypt_certbot_dest: /opt/certbot-auto # will automatically create its home in the /root/.acme.sh directory (including
# a copy of the script itself).
letsencrypt_acme_script: /root/acme.sh
letsencrypt_acme_home: /root/.acme.sh
# stable is 1.18.x # stable is 1.18.x
# mainline is 1.19.x # mainline is 1.19.x
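Review bot: `letsencrypt_root: /etc/ssl` moves the certificates into the system-wide directory, so the private keys will live under `/etc/ssl/private`, which must stay root-only (0700 directory, 0600 key files) since nginx reads the key as root before dropping privileges; a comment here saying so would help. Also `nginx_hsts_max_age: 31536000` is exactly 365 days, the minimum hstspreload.org accepts when `preload` is sent, so the comment should say "at least 1 year" rather than "~1 year" to discourage lowering it.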


@ -15,3 +15,6 @@ add_header X-XSS-Protection "1; mode=block" always;
# CSP can be quite difficult to configure, and cause real issues if you get it wrong # CSP can be quite difficult to configure, and cause real issues if you get it wrong
# There is website that helps you generate a policy here http://cspisawesome.com/ # There is website that helps you generate a policy here http://cspisawesome.com/
# add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' https://www.google-analytics.com;" always; # add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' https://www.google-analytics.com;" always;
# Opt this site out of Google Chrome's Federated Learning of Cohorts (FLoC)
add_header Permissions-Policy interest-cohort=() always;
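Review bot: `add_header Permissions-Policy interest-cohort=() always;` is valid nginx syntax, but `add_header` directives are inherited from the enclosing level only when the current level sets none, so any `location` block that adds its own header silently drops this one together with the other headers in this file; either include extra-security.conf in such locations as well or keep all `add_header` directives at `server` level.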


@ -1,3 +0,0 @@
#!/usr/bin/env bash
/bin/systemctl start nginx


@ -1,3 +0,0 @@
#!/usr/bin/env bash
/bin/systemctl stop nginx
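Review bot: both hook scripts are removed here and letsencrypt.yml deletes their deployed copies under /etc/letsencrypt/renewal-hooks, so the change is consistent; with acme.sh using `--reloadcmd` nginx is no longer stopped during renewal, which also removes the downtime window the old stop/start hooks created.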


@ -1,135 +1,57 @@
--- ---
# Use acme.sh instead of certbot because they only support installation via
# snap now.
- block: - block:
- name: Remove certbot
apt:
name: certbot
state: absent
- name: Remove old certbot post and pre hooks for nginx
file:
dest: "{{ item }}"
state: absent
with_items:
- /etc/letsencrypt/renewal-hooks/pre/stop-nginx.sh
- /etc/letsencrypt/renewal-hooks/post/start-nginx.sh
- name: Download acme.sh
get_url:
url: https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh
dest: "{{ letsencrypt_acme_script }}"
- name: Prepare Let's Encrypt well-known directory
file:
state: directory
path: /var/lib/letsencrypt/.well-known
owner: root
group: nginx
mode: g+s
- name: Copy systemd service to renew Let's Encrypt certs - name: Copy systemd service to renew Let's Encrypt certs
template: src=renew-letsencrypt.service.j2 dest=/etc/systemd/system/renew-letsencrypt.service mode=0644 owner=root group=root template:
src: renew-letsencrypt.service.j2
dest: /etc/systemd/system/renew-letsencrypt.service
mode: 0644
owner: root
group: root
- name: Copy systemd timer to renew Let's Encrypt certs - name: Copy systemd timer to renew Let's Encrypt certs
copy: src=renew-letsencrypt.timer dest=/etc/systemd/system/renew-letsencrypt.timer mode=0644 owner=root group=root copy:
src: renew-letsencrypt.timer
dest: /etc/systemd/system/renew-letsencrypt.timer
mode: 0644
owner: root
group: root
# always issues daemon-reload just in case the server/timer changed # always issues daemon-reload just in case the service/timer changed
- name: Start and enable systemd timer to renew Let's Encrypt certs - name: Start and enable systemd timer to renew Let's Encrypt certs
systemd: name=renew-letsencrypt.timer state=started enabled=yes daemon_reload=yes systemd:
name: renew-letsencrypt.timer
- name: Download certbot state: started
get_url: dest={{ letsencrypt_certbot_dest }} url=https://dl.eff.org/certbot-auto mode=700 enabled: yes
daemon_reload: yes
# Dependencies certbot checks for on its first run. I set them in a fact so that
# I can pass the list directly to the apt module to install in one transaction.
- name: Set certbot dependencies (Debian 10)
when: ansible_distribution == 'Debian' and ansible_distribution_major_version is version('10', '==')
set_fact:
certbot_dependencies:
- augeas-lenses
- binutils
- binutils-common
- binutils-x86-64-linux-gnu
- cpp
- cpp-8
- gcc
- gcc-8
- libasan5
- libatomic1
- libaugeas0
- libbinutils
- libc-dev-bin
- libc6-dev
- libcc1-0
- libexpat1-dev
- libffi-dev
- libgcc-8-dev
- libgomp1
- libisl19
- libitm1
- liblsan0
- libmpc3
- libmpfr6
- libmpx2
- libpython-dev
- libpython2-dev
- libpython2.7
- libpython2.7-dev
- libquadmath0
- libssl-dev
- libtsan0
- libubsan1
- linux-libc-dev
- python-dev
- python-pip-whl
- python-pkg-resources
- python-virtualenv
- python2-dev
- python2.7-dev
- python3-distutils
- python3-lib2to3
- python3-virtualenv
- virtualenv
# Dependencies certbot checks for on its first run. I set them in a fact so that
# I can pass the list directly to the apt module to install in one transaction.
- name: Set certbot dependencies (Ubuntu 18.04)
when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('18.04', '==')
set_fact:
certbot_dependencies:
- augeas-lenses
- binutils
- binutils-common
- binutils-x86-64-linux-gnu
- cpp
- cpp-7
- gcc
- gcc-7
- gcc-7-base
- libasan4
- libatomic1
- libaugeas0
- libbinutils
- libc-dev-bin
- libc6-dev
- libcc1-0
- libcilkrts5
- libexpat1-dev
- libffi-dev
- libgcc-7-dev
- libgomp1
- libisl19
- libitm1
- liblsan0
- libmpc3
- libmpx2
- libpython-dev
- libpython2.7
- libpython2.7-dev
- libquadmath0
- libssl-dev
- libtsan0
- libubsan0
- linux-libc-dev
- python-dev
- python-pip-whl
- python-pkg-resources
- python-virtualenv
- python2.7-dev
- python3-virtualenv
- virtualenv
- name: Install certbot dependencies
apt: name={{ certbot_dependencies }} state=present update_cache=yes
when: ansible_distribution != 'Ubuntu' and ansible_distribution_major_version is version('20.04', '!=')
tags: letsencrypt
# On Ubuntu 20.04 it is no longer recommended/supported to use the standalone
# certbot-auto so I guess we need to use the one from the repositories.
- block:
- name: Install certbot (Ubuntu 20.04)
apt: name=certbot state=present update_cache=yes
- name: Copy certbot post and pre hooks for nginx
copy: src={{ item.src }} dest={{ item.dest }} owner=root group=root mode=0755
with_items:
- { src: 'stop-nginx.sh', dest: '/etc/letsencrypt/renewal-hooks/pre/stop-nginx.sh' }
- { src: 'start-nginx.sh', dest: '/etc/letsencrypt/renewal-hooks/post/start-nginx.sh' }
when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==') when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')
tags: letsencrypt tags: letsencrypt
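Review bot: the `Download acme.sh` task fetches `https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh` with no `checksum:` and no version pin, so whatever is on master at run time ends up executed as root; pin a release tag in the URL and add a `checksum: sha256:...` the way the dhparam task in this change does. Two further gaps: nothing after the download installs acme.sh (the service file checks `{{ letsencrypt_acme_home }}/acme.sh`, which this hunk never creates, so on a fresh host the timer's condition will not hold), and the block keeps `when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')`, so the certbot removal and the acme.sh setup are skipped on every other distribution now that the Debian 10 and Ubuntu 18.04 branches are gone. Minor: `mode: g+s` on the well-known directory sets the setgid bit without stating the base permissions; an explicit value such as `02750` is clearer.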


@ -71,7 +71,7 @@
- name: Configure Let's Encrypt - name: Configure Let's Encrypt
include_tasks: letsencrypt.yml include_tasks: letsencrypt.yml
when: use_letsencrypt is defined and use_letsencrypt #when: use_letsencrypt is defined and use_letsencrypt
tags: letsencrypt tags: letsencrypt
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:
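Review bot: commenting out `when: use_letsencrypt is defined and use_letsencrypt` makes letsencrypt.yml run unconditionally, which contradicts the defaults comment describing `use_letsencrypt` as the switch for development hosts with snakeoil certs; if the guard is intentionally dropped, remove the variable too, otherwise restore the `when:` rather than leaving a commented line.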


@ -12,8 +12,11 @@
notify: notify:
- reload nginx - reload nginx
- name: Generate 2048-bit dhparam - name: Download 4096-bit RFC 7919 dhparams
command: openssl dhparam -out dhparam.pem 2048 chdir=/etc/ssl/certs creates=dhparam.pem get_url:
url: https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem
checksum: sha256:64852d6890ff9e62eecd1ee89c72af9af244dfef5b853bcedea3dfd7aade22b3
dest: "{{ nginx_ssl_dhparam }}"
notify: notify:
- reload nginx - reload nginx
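Review bot: pinning the download with `checksum: sha256:64852d6890ff9e62eecd1ee89c72af9af244dfef5b853bcedea3dfd7aade22b3` is the right approach, since a changed upstream file fails the task instead of silently replacing the group; as the URL still points at `master`, a tagged ref would make the failure mode clearer, and the task should set `mode`/`owner` explicitly now that it no longer relies on `openssl dhparam` writing into `/etc/ssl/certs`. Replacing a locally generated 2048-bit group with the published RFC 7919 ffdhe4096 group is fine: these groups are designed to be public.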


@ -16,8 +16,8 @@
# concatenated key + cert # concatenated key + cert
# See: http://nginx.org/en/docs/http/configuring_https_servers.html # See: http://nginx.org/en/docs/http/configuring_https_servers.html
ssl_certificate {{ letsencrypt_root }}/{{ domain_name }}/fullchain.pem; ssl_certificate {{ letsencrypt_root }}/certs/{{ domain_name }}.fullchain.pem;
ssl_certificate_key {{ letsencrypt_root }}/{{ domain_name }}/privkey.pem; ssl_certificate_key {{ letsencrypt_root }}/private/{{ domain_name }}.key.pem;
{% endif %} {% endif %}
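Review bot: the new paths `{{ letsencrypt_root }}/certs/{{ domain_name }}.fullchain.pem` and `{{ letsencrypt_root }}/private/{{ domain_name }}.key.pem` only exist if acme.sh is told to install there (its `--fullchain-file` and `--key-file` options), and no task in this change shows that issue step; document it, and make sure `/etc/ssl/private` stays root-only so the key is not exposed alongside the public certificates.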
@ -51,5 +51,5 @@
# Enable this if you want HSTS (recommended, but be careful) # Enable this if you want HSTS (recommended, but be careful)
# Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
# See: https://hstspreload.appspot.com/ # See: https://hstspreload.appspot.com/
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always; add_header Strict-Transport-Security "max-age={{ nginx_hsts_max_age }}; includeSubDomains; preload" always;
{% endif %} {% endif %}
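Review bot: `preload` stays hard-coded while `max-age` becomes a variable; hstspreload.org rejects max-age values below 31536000, and a host overriding `nginx_hsts_max_age` to something smaller would still advertise `preload`. A note in defaults (or an `assert` task) that the value must stay at or above 31536000 while `preload` is kept would prevent that, and the comment's stale `hstspreload.appspot.com` link should be updated to hstspreload.org as in the defaults file.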


@ -1,7 +1,9 @@
[Unit] [Unit]
Description=Renew Let's Encrypt certificates Description=Renew Let's Encrypt certificates
ConditionFileIsExecutable={{ letsencrypt_certbot_dest }} ConditionFileIsExecutable={{ letsencrypt_acme_home }}/acme.sh
[Service] [Service]
Type=oneshot Type=oneshot
ExecStart={{ letsencrypt_certbot_dest }} renew --standalone --pre-hook "/bin/systemctl stop nginx" --post-hook "/bin/systemctl start nginx" ExecStart={{ letsencrypt_acme_home }}/acme.sh --cron --home {{ letsencrypt_acme_home }} --reloadcmd "/bin/systemctl reload nginx" -w /var/lib/letsencrypt
SuccessExitStatus=0 2
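Review bot: `ConditionFileIsExecutable={{ letsencrypt_acme_home }}/acme.sh` refers to the installed copy, while the tasks only download to `{{ letsencrypt_acme_script }}`; the install step that creates `{{ letsencrypt_acme_home }}` should be part of the role. `SuccessExitStatus=0 2` deserves a comment explaining that acme.sh uses exit code 2 for a skipped, not-yet-due renewal, otherwise the next reader may drop it and see spurious unit failures. Moving from stop/start hooks to `--reloadcmd "/bin/systemctl reload nginx"` is an improvement, since nginx stays up throughout renewal.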


@ -14,6 +14,8 @@ server {
listen [::]:80; listen [::]:80;
server_name {{ domain_name }} {{ domain_aliases }}; server_name {{ domain_name }} {{ domain_aliases }};
{% include 'well-known.j2' %}
# redirect http -> https # redirect http -> https
location / { location / {
# ? in rewrite makes sure nginx doesn't append query string again # ? in rewrite makes sure nginx doesn't append query string again
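Review bot: placing `{% include 'well-known.j2' %}` before `location /` in the port-80 server is correct, and because the included block uses `location ^~` the longer prefix wins over the catch-all redirect, so challenge requests are served locally; any other template with a port-80 server block for a domain acme.sh renews needs the same include, otherwise its challenge requests are redirected to HTTPS and must be served there instead.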
@ -96,7 +98,7 @@ server {
# Enable this if you want HSTS (recommended, but be careful) # Enable this if you want HSTS (recommended, but be careful)
# Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
# See: https://hstspreload.appspot.com/ # See: https://hstspreload.appspot.com/
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always; add_header Strict-Transport-Security "max-age={{ nginx_hsts_max_age }}; includeSubDomains; preload" always;
{% endif %} {% endif %}
include extra-security.conf; include extra-security.conf;


@ -0,0 +1,6 @@
location ^~ /.well-known/acme-challenge/ {
allow all;
root /var/lib/letsencrypt/;
default_type "text/plain";
try_files $uri =404;
}
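Review bot: `root /var/lib/letsencrypt/;` appends the full URI, so challenge files must be written under `/var/lib/letsencrypt/.well-known/acme-challenge/`, which matches the `-w /var/lib/letsencrypt` webroot given to acme.sh in the service file; `try_files $uri =404` correctly avoids any fallback, and `allow all` is only needed where an enclosing block restricts access. Worth confirming that files acme.sh writes as root into the root:nginx setgid directory created by the task end up readable by the nginx worker.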


@ -9,7 +9,7 @@
# Enable this if you want HSTS (recommended, but be careful) # Enable this if you want HSTS (recommended, but be careful)
# Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
# See: https://hstspreload.appspot.com/ # See: https://hstspreload.appspot.com/
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always; add_header Strict-Transport-Security "max-age={{ nginx_hsts_max_age }}; includeSubDomains; preload" always;
{% endif %} {% endif %}
} }
@ -20,7 +20,7 @@
# Enable this if you want HSTS (recommended, but be careful) # Enable this if you want HSTS (recommended, but be careful)
# Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
# See: https://hstspreload.appspot.com/ # See: https://hstspreload.appspot.com/
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always; add_header Strict-Transport-Security "max-age={{ nginx_hsts_max_age }}; includeSubDomains; preload" always;
{% endif %} {% endif %}
} }