alanorth/ansible-personal
1
0
Fork 0
Code Issues 4 Pull Requests Projects Releases Wiki Activity

Compare commits

base: alanorth:ba5760bf8c406fcf9594a55e344262e361d6b7a3
Branches Tags
alanorth:master alanorth:debian13 alanorth:alpine
..
compare: alanorth:debian13
Branches Tags
alanorth:debian13 alanorth:master alanorth:alpine

232 Commits
ba5760bf8c ... debian13

Author SHA1 Message Date
Alan Orth
43dad7c261 roles: use ansible_facts["foo"] pattern 
Instead of ansible_foo. Ansible recently started warning that this
is deprecated.
 2025-12-02 20:42:58 +03:00
Alan Orth
8439b674dd roles/nginx: git clone as nginx 2025-11-21 22:07:55 +03:00
Alan Orth
c2c9f1b88d roles/nginx: fix syntax 2025-11-21 21:08:29 +03:00
Alan Orth
3763ce80e1 roles/mariadb: rework to use Debian's mariadb 
There are no MariaDB builds for Debian 13 (trixie) yet. This seems
to happen every new release. Surprisingly Debian's mariadb-server
is very new and we can simplify our tasks and templates a lot.
 2025-11-20 08:47:27 +03:00
Alan Orth
a8e4821ad0 roles/nginx: remove apt-key task 2025-11-20 08:47:27 +03:00
Alan Orth
6ff4cf30f7 roles/mariadb: remove apt-key task 
This is not longer present as of Debian 13, and the old MariaDB key
should not be present on any of my hosts anymore anyway.
 2025-11-20 08:47:27 +03:00
Alan Orth
8f57a5a974 roles/php_fpm: rework for Debian 13 
We can use metapackages like php-fpm on each version as those pull
in the correct package. This allows us to use the same playbook lo-
gic for Debian 12 (PHP 8.2) and Debian 13 (PHP 8.4).
 2025-11-20 08:47:26 +03:00
Alan Orth
cac74c53ef roles/common: minor configuration of Debian 13 SSH 
Tweak some of the new OpenSSH per-source penalty settings on Debian
13. For now only adjusting the source network masks and reusing the
list of IPs to exempt from fail2ban.

These being built in makes them easier to use, but I think I will
end up sticking with fail2ban for the heavy lifting because it per-
sists across restarts of the daemon, whereas OpenSSH's doesn't. I
will monitor OpenSSH on Debian 13 to see how to best use it along
side fail2ban.
 2025-11-20 08:47:26 +03:00
Alan Orth
078c5b36d8 roles/common: use 127.0.0.0/8 for fail2ban ignoreip 
We can re-use our fail2ban ignoreip setting for Debian 13's OpenSSH
PerSourcePenaltyExemptList, but OpenSSH is more strict with regards
to masks not being applied to the host portion. I had never noticed
that fail2ban's default was applying the mask on the host portion!
 2025-11-20 08:47:25 +03:00
Alan Orth
a18c1e6a16 roles/common: sshd overrides for Debian 13 2025-11-20 08:47:25 +03:00
Alan Orth
36cf98026b Pipfile.lock: run pipenv update 2025-11-20 08:46:41 +03:00
Alan Orth
98746b3eb8 host_vars/web22: WordPress 6.8.3 2025-11-20 08:44:23 +03:00
Alan Orth
afffd87201 roles/common: remove old firewall cleanup 2025-11-14 22:38:43 +03:00
Alan Orth
d21f3d9371 roles/common: remove loops with one item 2025-11-14 22:38:17 +03:00
Alan Orth
a6ef7a1c4e roles/common: don't notify fail2ban 
We set the fail2ban service as "PartOf" the nftables service, so it
receives stop and restart events already.
 2025-11-14 22:26:09 +03:00
Alan Orth
602734acce roles: update ansible.builtin.systemd builtin 
Use ansible.builtin.systemd_service instead.
 2025-09-23 10:33:11 +03:00
Alan Orth
0db7911b70 roles/common: remove sudoers.d 
We are not using this.
 2025-09-21 23:09:40 +03:00
Alan Orth
ee4c62e5f9 roles: remove tests for Debian 
We only run on Debian now.
 2025-09-21 22:20:31 +03:00
Alan Orth
a315db8a7c roles/common: use ansible_distribution_version 
In most cases it is enough to use the full version (ie 12.12) since
we use Ansible's version comparison function. We rarely need to use
the major version (ie 12) directly.
 2025-09-21 22:19:00 +03:00
Alan Orth
5f00892df3 roles/common: adjust when in tasks 2025-09-21 22:04:25 +03:00
Alan Orth
9357265d27 roles/common: use ansible.builtin.apt module 2025-09-21 22:00:39 +03:00
Alan Orth
dd62266340 roles/common: update comment in ntp task 2025-09-21 21:58:11 +03:00
Alan Orth
a1bec20824 roles/common: simplify when logic in ntp task 2025-09-21 21:57:34 +03:00
Alan Orth
8e91c44529 roles/common: fix syntax error in npt when 2025-09-21 21:56:15 +03:00
Alan Orth
02d4135c79 roles/common: adjust ntp task 
On Debian 12 we need to explicitly remove ntp because it does not
conflict with other time daemons.
 2025-09-21 21:55:09 +03:00
Alan Orth
37e148d009 Re-work ansible_managed 
This is no longer a configuration setting. Now we must set it like
any other template variabled.
 2025-09-21 21:15:12 +03:00
Alan Orth
73dbbd23b6 roles/common: adjust handlers 
Should start with an upper case letter.
 2025-09-21 20:22:58 +03:00
Alan Orth
b84283aa38 roles/common: remove unneeded firewall packages 
We don't need curl or libnet-ip-perl anymore.
 2025-09-21 20:15:11 +03:00
Alan Orth
1695fdf8d1 roles/common: syntax in firewall play 2025-09-21 20:11:46 +03:00
Alan Orth
9f1f7b1c69 roles/nginx: more syntax fixes to tasks 2025-09-21 20:08:51 +03:00
Alan Orth
7d725f2084 roles/nginx: adjust task syntax 
Tasks should start with an upper case letter and we should not use
free form syntax anymore.
 2025-09-21 20:04:53 +03:00
Alan Orth
4c39b0d48c roles/php_fpm: adjust task syntax 
All tasks need names, and we can use name, tags, when, block order
for task keys. Suggested by ansible-lint.
 2025-09-21 20:02:46 +03:00
Alan Orth
f4023d0b20 roles/php_fpm: rename handler 
Suggested by ansible-lint.
 2025-09-21 19:59:23 +03:00
Alan Orth
6aaface4a2 Rename roles/php-fpm to roles/php_fpm 
Suggested by ansible-lint.
 2025-09-21 19:56:20 +03:00
Alan Orth
333e1cbeb9 roles/mariadb/handlers/main.yml: update syntax 2025-09-21 17:32:57 +03:00
Alan Orth
0c62f4bdf0 roles/common/tasks/packages.yml: improve task key order 
Suggested by ansible-lint. Makes it easier to see the tags after the
very long block.
 2025-09-21 17:30:54 +03:00
Alan Orth
26f22c0447 roles/munin: update task syntax 2025-09-21 17:29:22 +03:00
Alan Orth
05881e2585 roles: fix unquoted octal modes 2025-09-21 17:25:22 +03:00
Alan Orth
d4d326c2f7 roles/common: use FQCN in handler 2025-09-21 17:09:45 +03:00
Alan Orth
1d4a6f208b roles/common: update default fail2ban ignores 2025-09-21 17:06:48 +03:00
Alan Orth
8b22076d4a roles/common: json spacing 2025-09-21 17:06:01 +03:00
Alan Orth
38176cb34c roles/nginx: update task syntax for plays 2025-09-21 16:59:08 +03:00
Alan Orth
da737b71f7 roles/mariadb: update task syntax for mariadb play 2025-09-21 16:54:19 +03:00
Alan Orth
c28189a1a5 roles/common: update task syntax for fail2ban play 2025-09-21 16:54:03 +03:00
Alan Orth
b600141e89 roles/common: update task syntax for sshd play 2025-09-21 16:51:23 +03:00
Alan Orth
4be98d1a33 roles/common: update task syntax for ssh-keys play 2025-09-21 16:49:32 +03:00
Alan Orth
2bb018a40c roles/common: rename firewall and packages task files 
Don't use firewall_Debian.yml or packages_Debian.yml since I am not
deploying Ubuntu anymore there is no need to distinguish.
 2025-09-21 16:45:51 +03:00
Alan Orth
89a1e11b7a roles/common: update task syntax in main play 2025-09-21 16:40:37 +03:00
Alan Orth
0c0cad9084 Remove Ubuntu logic 
For a few years now I have only been deploying Debian for personal
use.
 2025-09-21 16:34:57 +03:00
Alan Orth
9dce701a19 roles/common: update task syntax in packages play 2025-09-21 16:23:10 +03:00
Alan Orth
3e9ee44d5b roles/common: update task syntax in ntp play 2025-09-21 16:18:32 +03:00
Alan Orth
599b5e5e83 Pipfile.lock: run pipenv update 2025-09-21 15:57:28 +03:00
Alan Orth
bc700ea532 Pipfile.lock: pipenv update 2025-08-17 10:28:23 +03:00
Alan Orth
8016701b57 host_vars/web22: WordPress 6.8.2 2025-08-17 10:26:43 +03:00
Alan Orth
00558c7dea roles/common: re-work fail2ban and nftables 
Re-work the fail2ban and nftables interaction. Use systemd's PartOf
to indicate that fail2ban is part of the nftables service, which
tells systemd to propogate stop/start signals to it. Then we tell
the firehol update script to restart nftables instead of reload.
The different between restart and reload is meaningless for nftables
but we want systemd to propagate the stop/start signals to fail2ban.
 2025-07-08 10:39:17 +03:00
Alan Orth
c927186837 roles/common: adjust update-firehol-nftables.service 
This service does not actually depend on nftables, at least not in
the systemd sense of dependency. Furthermore, this hard dependency
was causing the service to fail when it restarts nftables at the
end, which causes systemd to start it again and again until it hits
a restarting too quickly error.
 2025-07-08 10:37:39 +03:00
Alan Orth
690774c862 host_vars/web22: WordPress 6.8.1 2025-07-08 10:34:34 +03:00
Alan Orth
cc021bd14a Pipfile.lock: run pipenv update 2025-07-08 10:25:09 +03:00
Alan Orth
73fd06fe3a roles/common: remove cron-apt 
Use unattended-upgrades instead. It has sane defaults on Debian at
least (I haven't checked Ubuntu).
 2025-04-07 09:51:09 +03:00
Alan Orth
88cb3a370e Remove logic for Ubuntu 20.04 and Debian 11 2025-03-29 23:09:44 +03:00
Alan Orth
027a43ddbe roles/caddy: use default for encode 2025-03-29 22:49:30 +03:00
Alan Orth
bb30c3be20 host_vars/web22: update vhosts 2025-03-29 22:48:19 +03:00
Alan Orth
d8d9790d21 roles/nginx: enable nginx ssl_session_tickets 
This has apparently been supported since nginx 1.23.2 and is safe
to use the default (on) now.

See: https://github.com/mozilla/server-side-tls/issues/284
 2025-03-29 22:35:56 +03:00
Alan Orth
9a500ebc0d roles/nginx: disable nginx ssl_prefer_server_ciphers 
This is apparently the default and recommended by Mozilla's server-
side SSL configurator also recommends. This lets the client choose
the ciphers best for them (and the ciphers in TLS 1.2 and 1.3 are
not currently known to be dangerous).
 2025-03-29 22:34:41 +03:00
Alan Orth
4bae942585 roles/nginx: add nginx ssl_ecdh_curve 
This seems to be new since I last looked at the Mozilla server-side
SSL configurator.
 2025-03-29 22:34:37 +03:00
Alan Orth
99866c0c90 roles/nginx: use one day for nginx ssl_session_timeout 
This is a new default since I last looked at the Mozilla server-side
SSL configurator.
 2025-03-29 22:34:32 +03:00
Alan Orth
0afb8a4493 roles/nginx: update nginx ssl_buffer_size 
The old default has not been changed in eight years and I see that
there have been some discussions over the years about this. I will
change this from the slightly extreme 1400 bytes to 4k (nginx def-
ault is still 16k so this is more "optimal" for HTML/CSS content).

See: https://github.com/igrigorik/istlsfastyet.com/issues/63
 2025-03-29 22:34:27 +03:00
Alan Orth
506695da31 roles/nginx/defaults: update version comments 2025-03-29 22:24:49 +03:00
Alan Orth
f67ed7762c roles/nginx: fix http2 syntax 2025-03-29 22:20:49 +03:00
Alan Orth
014f4d9502 roles/nginx: add newline 2025-03-29 22:19:41 +03:00
Alan Orth
22c16e1ed3 roles/caddy/templates: closer to supporting WordPress 
I still wouldn't want to deploy WordPress on Caddy until it's more
obvious and standard to block paths that shouldn't be accessible.
It seems that this is still left as an exercise to the site admin.

This discussion has some tips, but it is four years old and hasn't
changed since I last looked.

See: https://caddy.community/t/using-caddy-to-harden-wordpress/13575
 2025-03-29 22:09:37 +03:00
Alan Orth
5aa6a33e51 roles/php-fpm: set user and group based on webserver 
We use either caddy or nginx, which are conveniently named the same
as the Unix user and group.
 2025-03-29 21:01:56 +03:00
Alan Orth
7f9b06af9c roles/nginx: smarter setting of document root 2025-03-29 19:34:53 +03:00
Alan Orth
84db337fea roles/caddy: smarter setting of document root 2025-03-29 19:33:02 +03:00
Alan Orth
7b23f5f94f roles/caddy: add missing tag 2025-03-29 19:16:03 +03:00
Alan Orth
9830338be3 Use one default root prefix for nginx and caddy 2025-03-29 19:15:56 +03:00
Alan Orth
e3eed26765 roles/caddy: update vhost template 2025-03-29 18:37:28 +03:00
Alan Orth
8b31c7e148 host_vars/web22: WordPress 6.7.2 2025-03-29 16:10:23 +03:00
Alan Orth
3ff8043aaf Pipfile.lock: run pipenv update 2025-03-29 15:30:08 +03:00
Alan Orth
cb79f7ef70 roles/common: minor change to firehol update script 
They include bogons like 127.0.0.1 that should not be routed on the
public Internet, but this blocks local applications we proxy to.
 2025-01-28 09:14:48 +03:00
Alan Orth
bb14f05d2a roles/common: use Ansible timezone module 
No need to use a command for that. The module does it better because
it doesn't register a change unless the timezone changes.
 2025-01-27 23:11:56 +03:00
Alan Orth
5b1530fa91 roles/common: rework firewall 
Use firehol instead of all the others. AbuseIPDB.com can't be upd-
ated automatically, Abuse.ch is no longer maintained, and Spamhaus
is already in firehol.
 2025-01-27 23:05:45 +03:00
Alan Orth
5312dc6bd5 roles/common: use common nftables task 
Use a common nftables task on Debian and Ubuntu.
 2025-01-27 23:05:38 +03:00
Alan Orth
d6e060d3af roles/common: simplify firewall tasks 
Apply firewall tag to included tasks, then we don't need to use a
block.
 2025-01-27 22:30:50 +03:00
Alan Orth
b873af004a roles/common: single firewall task include 
Use one include from the main tasks file.
 2025-01-27 22:28:27 +03:00
Alan Orth
7ea3ab46f8 host_vars/web22: WordPress 6.7.1 2025-01-27 21:48:16 +03:00
Alan Orth
0561bd5b52 Pipfile.lock: run pipenv update 2025-01-27 21:36:13 +03:00
Alan Orth
d62572f02c Pipfile: python 3.13 2025-01-27 21:35:58 +03:00
Alan Orth
2ffe5e87d9 host_vars/web22: WordPress 6.6.2 2024-12-30 11:03:47 +03:00
Alan Orth
38d4f1a303 Pipfile.lock: run pipenv update 2024-12-30 11:03:35 +03:00
Alan Orth
ed8cb88038 host_vars/web22: WordPress 6.5.5 2024-06-25 08:18:22 +03:00
Alan Orth
c31e447861 roles/nginx: update signing key 2024-06-25 08:11:59 +03:00
Alan Orth
545684467c host_vars/nomad03: remove 2024-06-05 20:35:29 +03:00
Alan Orth
24ae5eaab1 host_vars/web22: WordPress 6.5.3 2024-05-13 14:51:45 +03:00
Alan Orth
dac23f1427 Pipfile: use Python 3.12 2024-05-13 14:51:34 +03:00
Alan Orth
41fbc73dd1 host_vars/web22: WordPress 6.4.3 2024-03-20 20:28:13 +03:00
Alan Orth
fee794bcf0 Update Pipfile 2024-03-20 20:28:00 +03:00
Alan Orth
8bce1d8b1b host_vars/web22: WordPress 6.4.1 2023-12-02 22:40:06 +03:00
Alan Orth
6dc2ea36b6 roles/nginx: fix path to php 8.2 socket 2023-09-11 19:55:24 +03:00
Alan Orth
af71a9b5f8 roles/php-fpm: remove fmt strings 
Ansible confuses them for jinja2 tokens.
 2023-09-11 19:52:18 +03:00
Alan Orth
4dd57803e2 roles/php-fpm: fix user/group for php 8.2 configs 2023-09-11 19:51:59 +03:00
Alan Orth
18d4245fc0 roles/common: fix tarsnap signing of apt repo 2023-09-11 19:37:49 +03:00
Alan Orth
1bddf3cccd Pipfile.lock: run pipenv update 2023-09-11 18:52:25 +03:00
Alan Orth
20dbe61fe1 roles/mariadb: use MariaDB 10.11 
The server has already been updated from 10.6 to 10.11.

See: https://mariadb.com/kb/en/upgrading-from-mariadb-10-6-to-mariadb-10-11/
 2023-09-10 22:53:10 +03:00
Alan Orth
899e87321b host_vars/web22: WordPress 6.3.1 2023-09-10 22:44:23 +03:00
Alan Orth
06416a3b64 roles: run ansible-lint --write 2023-08-23 22:22:51 +03:00
Alan Orth
7a9a24ef5d roles/common: rework fail2ban again 
Actually, we do want to run fail2ban on all hosts because the sshd
monitoring via systemd is nice. At the very least it reduces spam
from failed logins in our systemd journal.
 2023-08-23 22:15:24 +03:00
Alan Orth
067adcd9f5 roles/common: rework fail2ban tasks 
We can only run fail2ban when we have logs to monitor. When a host
is running Caddy we don't have logs, so fail2ban doesn't have any-
thing to monitor out of the box. For now I will restrict the task
to hosts running nginx.
 2023-08-23 21:59:28 +03:00
Alan Orth
84d210cfab roles/common: re-format handlers 
Use the newer Ansible format.
 2023-08-23 21:35:28 +03:00
Alan Orth
17736a4f14 roles/common: run ansible-lint --write 2023-08-23 21:33:22 +03:00
Alan Orth
b9e91c4a3d roles/common: minor updates to tarsnap task 
Use modern Ansible task format
 2023-08-23 21:20:22 +03:00
Alan Orth
51c95e5d4c roles/common: update tarsnap task 
Update tarsnap task to use apt signed-by for package signing keys
instead of adding keys directly to apt-key.
 2023-08-23 21:18:27 +03:00
Alan Orth
8dbec29d2a roles/nginx: prepare letsencrypt task for Debian 12 2023-08-23 21:01:12 +03:00
Alan Orth
d3bf3dab04 roles/php-fpm: add support for PHP 8.2 
This is used in Debian 12.
 2023-08-23 20:56:35 +03:00
Alan Orth
8f50b7756b host_vars/web22: WordPress 6.3 2023-08-22 21:33:49 +03:00
Alan Orth
e86ccc9979 roles/nginx: minor rework of apt key stuff 2023-08-22 21:33:19 +03:00
Alan Orth
cea8529f49 Pipfile.lock: run pipenv update 2023-08-22 21:02:17 +03:00
Alan Orth
d77718edae host_vars: add fail2ban_ignoreip 2023-08-14 16:37:07 +02:00
Alan Orth
14d57fc477 roles/nginx: reformat main tasks 2023-08-10 22:44:47 +02:00
Alan Orth
5c39f1abd8 roles/common: minor changes to Debian sshd_config files 2023-08-10 22:10:04 +02:00
Alan Orth
6794eb0432 roles/common: default to disabling SSH passwords 2023-08-10 22:09:03 +02:00
Alan Orth
11614e3725 host_vars: replace nomad02 with nomad03 
The former is Ubuntu 20.04, the latter is Debian 12. Running Drone
CI.
 2023-08-10 08:37:09 +02:00
Alan Orth
b106f9d9e5 roles/common: ignore apt sources.list on Scaleway 
While testing Debian 12 on Scaleway I noticed their apt sources.list
is in some weird format I've never seen before, so let's skip it on
those hosts.
 2023-08-10 08:08:42 +02:00
Alan Orth
3c8250e6ac Pipfile.lock: run pipenv update 2023-08-09 22:07:54 +02:00
Alan Orth
d280859b0d roles/common: minor updates to Debian 11 sshd_config 2023-08-09 21:55:04 +02:00
Alan Orth
bca1629d2f Minor comment updates for Debian 12 2023-08-09 21:51:53 +02:00
Alan Orth
4fa82faf18 roles/common: adjust sshd_config for Debian 12 
Adjust sshd_config based on ssh-audit profile for OpenSSH 9.2.
 2023-08-09 21:27:19 +02:00
Alan Orth
b8f0b4b1fb roles/common: add vanilla sshd_config for Debian 12 2023-08-09 21:16:50 +02:00
Alan Orth
68e5d05bbb host_vars/web22: WordPress 6.2.2 2023-07-27 18:48:37 +03:00
Alan Orth
446d402778 roles: minor fix to Debian version comparisons 2023-07-27 18:48:07 +03:00
Alan Orth
67379fc2e4 host_vars/web22: WordPress 6.2 2023-05-04 07:10:40 +03:00
Alan Orth
73546967b6 Pipfile.lock: run pipenv update 2023-05-04 06:58:25 +03:00
Alan Orth
16b661efe1 Pipfile.lock: run pipenv update 2023-04-14 10:09:29 -07:00
Alan Orth
fdb9a75489 roles/common: update tarsnap GPG key 2023-04-14 10:09:11 -07:00
Alan Orth
232d7a0348 host_vars/web22: WordPress 6.1.1 2022-11-24 18:31:48 +03:00
Alan Orth
6e4bb5bc34 host_vars/web21: use caddy 2022-11-13 18:58:57 +03:00
Alan Orth
c840ffe018 roles/caddy: improve vhost template 
Support domain aliases that redirect to the main domain and allow
sites to say they are static sites where they only need a document
root.
 2022-11-13 18:54:03 +03:00
Alan Orth
45c9d7ea0a Pipfile.lock: run pipenv update 2022-11-13 16:50:07 +03:00
Alan Orth
a62bc446e8 host_vars/web22: WordPress 6.1 2022-11-06 23:00:41 +03:00
Alan Orth
62a6a491db host_vars/web23: use caddy 2022-11-02 22:30:32 +03:00
Alan Orth
4867d6da6a Add basic caddy role 2022-11-02 22:29:30 +03:00
Alan Orth
d9f7c7a93b group_vars/web: set default webserver to nginx 
While I'm still getting experience with caddy and adapting it to my
workloads.
 2022-11-02 22:12:36 +03:00
Alan Orth
bc8c030700 roles/common: update Tarsnap GPG key 2022-11-02 22:11:37 +03:00
Alan Orth
f7598d8f1c Pipfile.lock: run pipenv update 2022-11-02 20:50:59 +03:00
Alan Orth
c353e84a84 site.yml: use fully-qualified modules 2022-10-25 21:08:27 +03:00
Alan Orth
99ca23f258 Pipfile.lock: run pipenv update 2022-10-17 19:56:30 +03:00
Alan Orth
b663d27fd8 roles/common: rework firewall_Debian.yml playbook 
Use newer Ansible task format, move from apt to package module, and
do package installs in one transaction using a list instead of a
loop.
 2022-09-12 17:25:40 +03:00
Alan Orth
67c99dacf6 roles/common: rework firewall_Ubuntu.yml playbook 
Use newer Ansible task format, move from apt to package module, and
do package installs in one transaction using a list instead of a loop.
 2022-09-12 17:18:33 +03:00
Alan Orth
4abf2b10e4 ansible.cfg: smart fact gathering 2022-09-12 17:18:19 +03:00
Alan Orth
f5199264f9 ansible.cfg: disable SSH host key checking 2022-09-12 17:14:39 +03:00
Alan Orth
b259f09cbd roles/common: add SSH public key from other machine 2022-09-12 17:06:31 +03:00
Alan Orth
f4b32e516b roles/mariadb: use newer Ansible task syntax 2022-09-12 10:16:42 +03:00
Alan Orth
fcb12ecee0 roles/mariadb: remove sources.list template 2022-09-12 10:13:27 +03:00
Alan Orth
5bc03ceacc roles/mariadb: install packages in single transaction 
Using a list we can install these in a single apt transaction. Also
use the newer task format.
 2022-09-12 10:12:07 +03:00
Alan Orth
c317429f6d roles/mariadb: rework package signing key and repo 2022-09-12 10:09:41 +03:00
Alan Orth
b512a7f765 roles/common: create /etc/apt/keyrings 
According the the Debian docs for third-party repositories we must
create this manually on distros before Debian 12 and Ubuntu 22.04.
This is due to changes in apt-secure and the deprecation of apt-key.

See: https://wiki.debian.org/DebianRepository/UseThirdParty
 2022-09-12 10:05:12 +03:00
Alan Orth
e3a87d4f79 roles/mariadb: MariaDB 10.6 
See: https://mariadb.com/kb/en/mariadb-1069-release-notes/
See: https://mariadb.com/kb/en/upgrading-from-mariadb-105-to-mariadb-106/
 2022-09-12 09:25:46 +03:00
Alan Orth
dec2d50fbc host_vars/web22: WordPress 6.0.2 2022-09-12 09:00:05 +03:00
Alan Orth
34be0013b7 Remove Debian 10 support 2022-09-11 09:21:08 +03:00
Alan Orth
399585f4e7 roles: don't compare literal true and false 
I changed these yesterday when editing the truthy values, but acco-
rding to ansible-link we can just rely on them being true or false
without comparing.
 2022-09-11 08:41:25 +03:00
Alan Orth
0240897b1b Remove Ubuntu 18.04 support 2022-09-10 23:30:04 +03:00
Alan Orth
1da0da53ec roles: use longer format for when conditionals 
When the condition is an AND we can use this more succinct format.
 2022-09-10 23:12:49 +03:00
Alan Orth
677cc9f160 roles/php-fpm: fix truthy-ness in when 2022-09-10 23:12:26 +03:00
Alan Orth
ffe7a872dd roles: strict truthy values 
According to Ansible we can use yes, true, True, "or any quoted st-
ring" for a boolean true, but ansible-lint wants us to use either
true or false.

See: https://chronicler.tech/red-hat-ansible-yes-no-and/
 2022-09-10 22:33:19 +03:00
Alan Orth
95d0005978 Add ansible-lint 2022-09-10 18:36:53 +03:00
Alan Orth
498766fdc4 Pipfile.lock: run pipenv update 2022-09-10 18:36:07 +03:00
Alan Orth
fc0fcc5742 roles/common: fix unnamed blocks 2022-09-10 18:35:27 +03:00
Alan Orth
587bd6dcdd roles: use fully qualified module names 2022-09-10 18:35:27 +03:00
Alan Orth
92a4c72809 Pipfile.lock: run pipenv update 2022-08-16 21:24:34 -07:00
Alan Orth
a2d61abba2 roles/mariadb: update mirror 
I started getting 'does not have a Release file' for the old repo-
sitory. Not sure why.
 2022-08-14 22:09:47 -07:00
Alan Orth
d2a5a28809 Pipfile.lock: run pipenv update 2022-08-01 15:20:56 +03:00
Alan Orth
84c0589aee host_vars/web22: WordPress 5.9.2 2022-03-31 22:35:15 +03:00
Alan Orth
2961578a54 roles/common: Update list of abusive IP addresses 
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml

Then I formatted the nftables files manually. Meh...
 2022-02-28 18:51:35 +03:00
Alan Orth
4d74f76b3c Pipfile.lock: run pipenv update 2022-02-04 21:47:53 +03:00
Alan Orth
9e737466c5 roles/common: Update list of abusive IP addresses 
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml

Then I formatted the nftables files manually. Meh...
 2022-02-04 21:47:37 +03:00
Alan Orth
0ffb1b1a36 roles/common: use pyinotify backend for nginx fail2ban jail 
This seems to be automatically selected, but on some other servers
I notice it is not. I will set it here explicitly so fail2ban does
not fall back to the inefficient "polling" or incorrect "systemd"
backends.
 2022-01-04 15:10:02 +02:00
Alan Orth
68f0b85eb3 Pipfile.lock: run pipenv update 2021-12-22 11:49:24 +02:00
Alan Orth
ebbde530d2 roles/common: Update list of abusive IP addresses 
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml

Then I created the nftables files manually. Meh...
 2021-12-22 11:40:27 +02:00
Alan Orth
ab47df6031 Use Python 3.10 with pipenv 2021-12-13 08:38:08 +02:00
Alan Orth
de75b2ffb6 host_vars/web22: WordPress 5.8.2 2021-11-30 19:48:18 +02:00
Alan Orth
e10d83dadd Pipfile.lock: run pipenv update 2021-11-30 19:34:46 +02:00
Alan Orth
f070fd9a64 roles/common: Update list of abusive IP addresses 
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
 2021-11-07 10:12:43 +02:00
Alan Orth
6e1527b1a8 Pipfile.lock: run pipenv update 2021-11-07 10:11:46 +02:00
Alan Orth
ebd8b0632b roles/common: Disable unsafe Diffie-Hellman SSH moduli 
The WeakDH team showed (in 2015) that Diffie-Hellman key exchange
with prime number groups of 1024 bits or less were weaker than we
previously thought, and well within the reach of nation states. They
recommended (in 2015) using 2048-bit or higher prime groups.

The SSH audit project recommends that we should use 3072-bit now.

See: https://weakdh.org/
See: https://github.com/jtesta/ssh-audit/
 2021-10-10 16:57:05 +03:00
Alan Orth
df26b6c17e roles/common: notify fail2ban after updating firewall 
We should always restart fail2ban after updating the firewall. Also
note that the order of execution of handlers depends on how they are
defined in the handler config, not on the order they are listed in
the task's notify statement.

See: https://docs.ansible.com/ansible/latest/user_guide/playbooks_handlers.html
 2021-09-28 10:45:51 +03:00
Alan Orth
d92151b8a6 roles/common: Update list of abusive IP addresses 
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml

Note: there were no IPv6 addresses in the top 10,000 this time so I
used a dummy address for the nftables set so the syntax was valid.
 2021-09-28 10:28:02 +03:00
Alan Orth
b13ead0657 roles/common: use a range for mosh ports in nftables 
This is better than a loop in Jinja (though that is useful!).
 2021-09-28 07:34:25 +03:00
Alan Orth
89ced6f952 Pipfile.lock: run pipenv update 2021-09-27 17:28:41 +03:00
Alan Orth
ae5ba0607a Remove host_vars/nomad01 
Replaced by web23.
 2021-09-27 14:17:48 +03:00
Alan Orth
89fd642b78 roles/nginx: minor rework of acme.sh tasks 
After the inital acme.sh script is downloaded and bootstrapped we
can remove it. If a host already has been bootstrapped then there
is no need to download it and do it over again.
 2021-09-27 13:40:17 +03:00
Alan Orth
65e6dd34cd roles/common: Add missing section to Debian 11 sshd_config 
We need to be able to configure the list of SSH users.
 2021-09-27 12:59:27 +03:00
Alan Orth
0421807e4d Add web23 
Will replace nomad01
 2021-09-27 12:22:45 +03:00
Alan Orth
d5eed5055e roles/nginx: Add support for gitea 
gitea hosts are basically webservers, but we need to proxy pass. I
am setting up gitea itself manually for now.
 2021-09-27 12:15:47 +03:00
Alan Orth
f8752bb3e7 roles/nginx: add todo about document roots 
We assume it's always /var/www/$domain_name but it can be overriden
in the host_vars...
 2021-09-27 12:05:53 +03:00
Alan Orth
170e591701 roles/common: Install rsync and lsof 2021-09-27 11:36:40 +03:00
Alan Orth
8d6c3c57c3 roles/nginx: install acme.sh after downloading 
This is basically just bootstrapping it. I used to do this by hand
before requesting the certs.
 2021-09-27 11:28:02 +03:00
Alan Orth
79b29f0c51 roles/nginx: generate snakeoil cert manually 
The ssl-cert does this, but it includes the hostname of the server
as the subject name in the cert, which is a huge leak of privacy.
 2021-09-27 10:48:24 +03:00
Alan Orth
a4acc85704 roles/common: Remove iptables on newer Debian 2021-09-27 10:35:38 +03:00
Alan Orth
f7b9aa67f5 roles/common: Fix comment about Debian 10 firewall 2021-09-27 10:31:31 +03:00
Alan Orth
0a39c4f0ef README.md: Update debian/ubuntu note 2021-09-27 10:13:47 +03:00
Alan Orth
85323d789c Remove host_vars/web19 
Replaced by web22.
 2021-09-13 11:49:32 +03:00
Alan Orth
341a1bf11e roles/php-fpm: Install php7.4-xml 
The RSS feeds in the WordPress admin dashboard need this.
 2021-09-13 10:19:33 +03:00
Alan Orth
6ee389eda5 roles/php-fpm: Use concrete dependencies 
The php-gd, php-mysql, etc packages are meta packages that just end
up installing the concrete ones for our specific version.
 2021-09-13 10:18:40 +03:00
Alan Orth
83fea62b0f host_vars/web22: WordPress 5.8.1 2021-09-13 07:37:40 +03:00
Alan Orth
0d1a5fbb25 Add host_vars/web22 
Will replace web19 soon.
 2021-09-12 21:59:38 +03:00
Alan Orth
4d8444abf2 host_vars/web21: Fix path to cert 2021-09-12 20:39:45 +03:00
Alan Orth
e8486f6c9e host_vars/nomad02: Update Drone to version 2 2021-09-10 21:49:00 +03:00
Alan Orth
20cd6f213c roles/common: cache_valid_time explicitly sets update_cache 
See: https://docs.ansible.com/ansible/latest/collections/ansible/builtin/apt_module.html
 2021-09-08 21:59:51 +03:00
Alan Orth
eb80e797c6 Add host_vars/web21 
Replaces web20.
 2021-09-08 21:57:04 +03:00
Alan Orth
736bb8eb38 Remove host_vars/web20 
Will be replaced by web21.
 2021-09-08 21:56:43 +03:00
Alan Orth
34a30c4d13 roles/common: Don't update apt cache when removing packages 2021-09-08 17:05:48 +03:00
Alan Orth
c03e75d736 roles/common: explicitly install systemd-timesyncd 
It is a standalone package on (at least) Ubuntu 20.04 and Debian 11
and some cloud images do not have it installed by default (for exa-
mple Scaleway).
 2021-09-08 17:04:46 +03:00
Alan Orth
d08f10f9c8 roles/common: Fix comment in ntp playbook 2021-09-08 17:04:20 +03:00
Alan Orth
8467dc1300 roles/mariadb: Change socket location 
Instead of using /var/run, just use /run directly. This is the real
path and it's the default anyways.
 2021-09-08 15:50:48 +03:00
Alan Orth
635bb5234d roles/common: fix logic for copying AbuseIPDB.com nft sets 
We have to force these because they are not updated on the host like
the other lists (API limit of five requests per day!). We update the
list periodically here in git.
 2021-09-08 09:58:13 +03:00
Alan Orth
37901da5b5 roles/common: update AbuseIPDB lists for nftables 2021-09-08 09:57:58 +03:00
Alan Orth
e36ae3b11e roles/common: Update list of abusive IP addresses 
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
 2021-09-08 09:35:36 +03:00
Alan Orth
81c1231a28 roles/php-fpm: Fix logic 
First, we cannot do a global check for has_wordpress or needs_php,
as those are defined per nginx vhost. Second, I realized that this
was only working in the past because vhosts that had WordPress or
needed PHP were listed first in the nginx_vhosts dict.

This changes the logic to first check if any vhosts have WordPress
or need PHP, then sets a fact that we can use to decide whether to
run php-fpm tasks or not.
 2021-09-08 09:32:06 +03:00
Alan Orth
bb6f058025 roles/php-fpm: whitespace 2021-09-07 20:12:31 +03:00
Alan Orth
547395b26e roles/nginx: Use php7.4-fpm socket on Debian 11 as well 2021-09-07 17:51:54 +03:00
Alan Orth
15208241d3 roles/common: Add git-lfs to base packages 2021-09-07 17:51:33 +03:00
Alan Orth
0fd05d496e roles/nginx: Set mode of downloaded acme.sh 2021-09-07 17:10:35 +03:00
Alan Orth
023a0d48ba roles/nginx: Remove old comment 2021-09-07 17:07:53 +03:00
Alan Orth
c687b7a91a roles/nginx: Run Let's Encrypt on Debian 11 too 2021-09-07 17:07:33 +03:00
Alan Orth
bd4ae36bb6 roles/mariadb: use socket for all operations 
Otherwise Ansible will try to connect with host 'localhost', which
we do not use (and we have disabled name resolution anyways).
 2021-09-07 16:48:15 +03:00
Alan Orth
b60637c7d9 roles/mariadb: Update comments for Ansible module 2021-09-07 16:47:47 +03:00
Alan Orth
479127a5e4 roles/common: Fix nftables handler in Debian firewall 
We used to use reload, but now the idempotent thing to do is to use
restart instead of reload.
 2021-09-07 15:43:33 +03:00
Alan Orth
d261f81642 roles/php-fpm: Use Ubuntu 20.04 configs on Debian 11 
They both use PHP 7.4.
 2021-09-06 21:19:57 +03:00
Alan Orth
6bc044d454 host_vars: remove mosh rules 
They are in roles/common now.
 2021-09-05 16:33:45 +03:00
Alan Orth
9e07e27fbe host_vars/web19: remove extra mosh rules 
These are now in the common role for all hosts.
 2021-09-05 16:24:28 +03:00
Alan Orth
575a9fdfe6 roles/common: Add mosh ports to common 
These have been in each hosts's "extra" rules lists forever and I
use them on every single host so they might as well be in the base
rules.
 2021-09-05 16:23:42 +03:00
Alan Orth
35fa3b0d72 roles/common: Fix typo in handlers 2021-09-05 16:19:31 +03:00
116 changed files with 3005 additions and 25651 deletions
Expand all files Collapse all files

3
Pipfile
View File

@@ -7,6 +7,7 @@ verify_ssl = true
[packages]
ansible = "*"
ansible-lint = "*"
[requires]
python_version = "3.9"
python_version = "3.13"

889
Pipfile.lock generated
View File

@@ -1,11 +1,11 @@
{
"_meta": {
"hash": {
"sha256": "65b615b857250757470e21fc3a4b1cdfe75b4b012c0d1d633a5ebf1988d9cb91"
"sha256": "47970866f4ffc7775e3a95dd04ee8b75f9784c457baadd8a31fe1783584fa73f"
},
"pipfile-spec": 6,
"requires": {
"python_version": "3.9"
"python_version": "3.13"
},
"sources": [
{
@@ -18,224 +18,757 @@
"default": {
"ansible": {
"hashes": [
"sha256:cc5352b2351a381015ece79eab783a1b0668f97b377810fed3c746e2f1d50db1"
"sha256:c5efd095be1e4d15aa39691e3ce8233727269da4a17043f16f67c6899b98a239",
"sha256:fd0f4a29c3e77617011b98d80e4579c31e1d58f40928d3e8fd5e434696676797"
],
"index": "pypi",
"version": "==4.5.0"
"markers": "python_version >= '3.12'",
"version": "==13.0.0"
},
"ansible-compat": {
"hashes": [
"sha256:b9e6655d8f4942c427a39fa1df6697830d987fe5d311bc7be2b2f81c1edd48f5",
"sha256:e6f013b8a7d1fd87a9624b9dc125e4e76a61eb90680800cb4119d97d8ce63ae7"
],
"markers": "python_version >= '3.10'",
"version": "==25.11.0"
},
"ansible-core": {
"hashes": [
"sha256:22eaa7c2dfe6c875e9ae380323f1cba6259c6050a5e4c8819f85f92b3683ea49"
"sha256:665f9e46401509f1f799b0fc624ce162127765885d61607c5e31a0f77652d7b6",
"sha256:cd73faf28a056c933bc1eee8f66ab597e7ec7309d42c8a6e5d6e4294c4a78b54"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'",
"version": "==2.11.4"
"markers": "python_version >= '3.12'",
"version": "==2.20.0"
},
"ansible-lint": {
"hashes": [
"sha256:4a0f83e292fa70e9922ad2c02e10708013b7e77a93364d729abc2cbf165c75c4",
"sha256:79e35246c8bdaacdbe37aa30a6ea471177482ac58fbcf1868f765bdafca3427e"
],
"index": "pypi",
"markers": "python_version >= '3.10'",
"version": "==25.11.0"
},
"attrs": {
"hashes": [
"sha256:16d5969b87f0859ef33a48b35d55ac1be6e42ae49d5e853b597db70c35c57e11",
"sha256:adcf7e2a1fb3b36ac48d97835bb6d8ade15b8dcce26aba8bf1d14847b57a3373"
],
"markers": "python_version >= '3.9'",
"version": "==25.4.0"
},
"black": {
"hashes": [
"sha256:0a1d40348b6621cc20d3d7530a5b8d67e9714906dfd7346338249ad9c6cedf2b",
"sha256:0c0f7c461df55cf32929b002335883946a4893d759f2df343389c4396f3b6b37",
"sha256:1032639c90208c15711334d681de2e24821af0575573db2810b0763bcd62e0f0",
"sha256:35690a383f22dd3e468c85dc4b915217f87667ad9cce781d7b42678ce63c4170",
"sha256:43945853a31099c7c0ff8dface53b4de56c41294fa6783c0441a8b1d9bf668bc",
"sha256:51c65d7d60bb25429ea2bf0731c32b2a2442eb4bd3b2afcb47830f0b13e58bfd",
"sha256:5bd4a22a0b37401c8e492e994bce79e614f91b14d9ea911f44f36e262195fdda",
"sha256:6cb2d54a39e0ef021d6c5eef442e10fd71fcb491be6413d083a320ee768329dd",
"sha256:6cced12b747c4c76bc09b4db057c319d8545307266f41aaee665540bc0e04e96",
"sha256:7eebd4744dfe92ef1ee349dc532defbf012a88b087bb7ddd688ff59a447b080e",
"sha256:80e7486ad3535636657aa180ad32a7d67d7c273a80e12f1b4bfa0823d54e8fac",
"sha256:895571922a35434a9d8ca67ef926da6bc9ad464522a5fe0db99b394ef1c0675a",
"sha256:92285c37b93a1698dcbc34581867b480f1ba3a7b92acf1fe0467b04d7a4da0dc",
"sha256:936c4dd07669269f40b497440159a221ee435e3fddcf668e0c05244a9be71993",
"sha256:9815ccee1e55717fe9a4b924cae1646ef7f54e0f990da39a34fc7b264fcf80a2",
"sha256:9a323ac32f5dc75ce7470501b887250be5005a01602e931a15e45593f70f6e08",
"sha256:a3bb5ce32daa9ff0605d73b6f19da0b0e6c1f8f2d75594db539fdfed722f2b06",
"sha256:aa211411e94fdf86519996b7f5f05e71ba34835d8f0c0f03c00a26271da02664",
"sha256:ae263af2f496940438e5be1a0c1020e13b09154f3af4df0835ea7f9fe7bfa409",
"sha256:cb4f4b65d717062191bdec8e4a442539a8ea065e6af1c4f4d36f0cdb5f71e170",
"sha256:d81a44cbc7e4f73a9d6ae449ec2317ad81512d1e7dce7d57f6333fd6259737bc",
"sha256:dae49ef7369c6caa1a1833fd5efb7c3024bb7e4499bf64833f65ad27791b1545",
"sha256:e3f562da087791e96cefcd9dda058380a442ab322a02e222add53736451f604b",
"sha256:ec311e22458eec32a807f029b2646f661e6859c3f61bc6d9ffb67958779f392e",
"sha256:f42c0ea7f59994490f4dccd64e6b2dd49ac57c7c84f38b8faab50f8759db245c",
"sha256:f9786c24d8e9bd5f20dc7a7f0cdd742644656987f6ea6947629306f937726c03"
],
"markers": "python_version >= '3.9'",
"version": "==25.11.0"
},
"bracex": {
"hashes": [
"sha256:0b0049264e7340b3ec782b5cb99beb325f36c3782a32e36e876452fd49a09952",
"sha256:98f1347cd77e22ee8d967a30ad4e310b233f7754dbf31ff3fceb76145ba47dc7"
],
"markers": "python_version >= '3.9'",
"version": "==2.6"
},
"cffi": {
"hashes": [
"sha256:06c54a68935738d206570b20da5ef2b6b6d92b38ef3ec45c5422c0ebaf338d4d",
"sha256:0c0591bee64e438883b0c92a7bed78f6290d40bf02e54c5bf0978eaf36061771",
"sha256:19ca0dbdeda3b2615421d54bef8985f72af6e0c47082a8d26122adac81a95872",
"sha256:22b9c3c320171c108e903d61a3723b51e37aaa8c81255b5e7ce102775bd01e2c",
"sha256:26bb2549b72708c833f5abe62b756176022a7b9a7f689b571e74c8478ead51dc",
"sha256:33791e8a2dc2953f28b8d8d300dde42dd929ac28f974c4b4c6272cb2955cb762",
"sha256:3c8d896becff2fa653dc4438b54a5a25a971d1f4110b32bd3068db3722c80202",
"sha256:4373612d59c404baeb7cbd788a18b2b2a8331abcc84c3ba40051fcd18b17a4d5",
"sha256:487d63e1454627c8e47dd230025780e91869cfba4c753a74fda196a1f6ad6548",
"sha256:48916e459c54c4a70e52745639f1db524542140433599e13911b2f329834276a",
"sha256:4922cd707b25e623b902c86188aca466d3620892db76c0bdd7b99a3d5e61d35f",
"sha256:55af55e32ae468e9946f741a5d51f9896da6b9bf0bbdd326843fec05c730eb20",
"sha256:57e555a9feb4a8460415f1aac331a2dc833b1115284f7ded7278b54afc5bd218",
"sha256:5d4b68e216fc65e9fe4f524c177b54964af043dde734807586cf5435af84045c",
"sha256:64fda793737bc4037521d4899be780534b9aea552eb673b9833b01f945904c2e",
"sha256:6d6169cb3c6c2ad50db5b868db6491a790300ade1ed5d1da29289d73bbe40b56",
"sha256:7bcac9a2b4fdbed2c16fa5681356d7121ecabf041f18d97ed5b8e0dd38a80224",
"sha256:80b06212075346b5546b0417b9f2bf467fea3bfe7352f781ffc05a8ab24ba14a",
"sha256:818014c754cd3dba7229c0f5884396264d51ffb87ec86e927ef0be140bfdb0d2",
"sha256:8eb687582ed7cd8c4bdbff3df6c0da443eb89c3c72e6e5dcdd9c81729712791a",
"sha256:99f27fefe34c37ba9875f224a8f36e31d744d8083e00f520f133cab79ad5e819",
"sha256:9f3e33c28cd39d1b655ed1ba7247133b6f7fc16fa16887b120c0c670e35ce346",
"sha256:a8661b2ce9694ca01c529bfa204dbb144b275a31685a075ce123f12331be790b",
"sha256:a9da7010cec5a12193d1af9872a00888f396aba3dc79186604a09ea3ee7c029e",
"sha256:aedb15f0a5a5949ecb129a82b72b19df97bbbca024081ed2ef88bd5c0a610534",
"sha256:b315d709717a99f4b27b59b021e6207c64620790ca3e0bde636a6c7f14618abb",
"sha256:ba6f2b3f452e150945d58f4badd92310449876c4c954836cfb1803bdd7b422f0",
"sha256:c33d18eb6e6bc36f09d793c0dc58b0211fccc6ae5149b808da4a62660678b156",
"sha256:c9a875ce9d7fe32887784274dd533c57909b7b1dcadcc128a2ac21331a9765dd",
"sha256:c9e005e9bd57bc987764c32a1bee4364c44fdc11a3cc20a40b93b444984f2b87",
"sha256:d2ad4d668a5c0645d281dcd17aff2be3212bc109b33814bbb15c4939f44181cc",
"sha256:d950695ae4381ecd856bcaf2b1e866720e4ab9a1498cba61c602e56630ca7195",
"sha256:e22dcb48709fc51a7b58a927391b23ab37eb3737a98ac4338e2448bef8559b33",
"sha256:e8c6a99be100371dbb046880e7a282152aa5d6127ae01783e37662ef73850d8f",
"sha256:e9dc245e3ac69c92ee4c167fbdd7428ec1956d4e754223124991ef29eb57a09d",
"sha256:eb687a11f0a7a1839719edd80f41e459cc5366857ecbed383ff376c4e3cc6afd",
"sha256:eb9e2a346c5238a30a746893f23a9535e700f8192a68c07c0258e7ece6ff3728",
"sha256:ed38b924ce794e505647f7c331b22a693bee1538fdf46b0222c4717b42f744e7",
"sha256:f0010c6f9d1a4011e429109fda55a225921e3206e7f62a0c22a35344bfd13cca",
"sha256:f0c5d1acbfca6ebdd6b1e3eded8d261affb6ddcf2186205518f1428b8569bb99",
"sha256:f10afb1004f102c7868ebfe91c28f4a712227fe4cb24974350ace1f90e1febbf",
"sha256:f174135f5609428cc6e1b9090f9268f5c8935fddb1b25ccb8255a2d50de6789e",
"sha256:f3ebe6e73c319340830a9b2825d32eb6d8475c1dac020b4f0aa774ee3b898d1c",
"sha256:f627688813d0a4140153ff532537fbe4afea5a3dffce1f9deb7f91f848a832b5",
"sha256:fd4305f86f53dfd8cd3522269ed7fc34856a8ee3709a5e28b2836b2db9d4cd69"
"sha256:00bdf7acc5f795150faa6957054fbbca2439db2f775ce831222b66f192f03beb",
"sha256:07b271772c100085dd28b74fa0cd81c8fb1a3ba18b21e03d7c27f3436a10606b",
"sha256:087067fa8953339c723661eda6b54bc98c5625757ea62e95eb4898ad5e776e9f",
"sha256:0a1527a803f0a659de1af2e1fd700213caba79377e27e4693648c2923da066f9",
"sha256:0cf2d91ecc3fcc0625c2c530fe004f82c110405f101548512cce44322fa8ac44",
"sha256:0f6084a0ea23d05d20c3edcda20c3d006f9b6f3fefeac38f59262e10cef47ee2",
"sha256:12873ca6cb9b0f0d3a0da705d6086fe911591737a59f28b7936bdfed27c0d47c",
"sha256:19f705ada2530c1167abacb171925dd886168931e0a7b78f5bffcae5c6b5be75",
"sha256:1cd13c99ce269b3ed80b417dcd591415d3372bcac067009b6e0f59c7d4015e65",
"sha256:1e3a615586f05fc4065a8b22b8152f0c1b00cdbc60596d187c2a74f9e3036e4e",
"sha256:1f72fb8906754ac8a2cc3f9f5aaa298070652a0ffae577e0ea9bd480dc3c931a",
"sha256:1fc9ea04857caf665289b7a75923f2c6ed559b8298a1b8c49e59f7dd95c8481e",
"sha256:203a48d1fb583fc7d78a4c6655692963b860a417c0528492a6bc21f1aaefab25",
"sha256:2081580ebb843f759b9f617314a24ed5738c51d2aee65d31e02f6f7a2b97707a",
"sha256:21d1152871b019407d8ac3985f6775c079416c282e431a4da6afe7aefd2bccbe",
"sha256:24b6f81f1983e6df8db3adc38562c83f7d4a0c36162885ec7f7b77c7dcbec97b",
"sha256:256f80b80ca3853f90c21b23ee78cd008713787b1b1e93eae9f3d6a7134abd91",
"sha256:28a3a209b96630bca57cce802da70c266eb08c6e97e5afd61a75611ee6c64592",
"sha256:2c8f814d84194c9ea681642fd164267891702542f028a15fc97d4674b6206187",
"sha256:2de9a304e27f7596cd03d16f1b7c72219bd944e99cc52b84d0145aefb07cbd3c",
"sha256:38100abb9d1b1435bc4cc340bb4489635dc2f0da7456590877030c9b3d40b0c1",
"sha256:3925dd22fa2b7699ed2617149842d2e6adde22b262fcbfada50e3d195e4b3a94",
"sha256:3e17ed538242334bf70832644a32a7aae3d83b57567f9fd60a26257e992b79ba",
"sha256:3e837e369566884707ddaf85fc1744b47575005c0a229de3327f8f9a20f4efeb",
"sha256:3f4d46d8b35698056ec29bca21546e1551a205058ae1a181d871e278b0b28165",
"sha256:44d1b5909021139fe36001ae048dbdde8214afa20200eda0f64c068cac5d5529",
"sha256:45d5e886156860dc35862657e1494b9bae8dfa63bf56796f2fb56e1679fc0bca",
"sha256:4647afc2f90d1ddd33441e5b0e85b16b12ddec4fca55f0d9671fef036ecca27c",
"sha256:4671d9dd5ec934cb9a73e7ee9676f9362aba54f7f34910956b84d727b0d73fb6",
"sha256:53f77cbe57044e88bbd5ed26ac1d0514d2acf0591dd6bb02a3ae37f76811b80c",
"sha256:5eda85d6d1879e692d546a078b44251cdd08dd1cfb98dfb77b670c97cee49ea0",
"sha256:5fed36fccc0612a53f1d4d9a816b50a36702c28a2aa880cb8a122b3466638743",
"sha256:61d028e90346df14fedc3d1e5441df818d095f3b87d286825dfcbd6459b7ef63",
"sha256:66f011380d0e49ed280c789fbd08ff0d40968ee7b665575489afa95c98196ab5",
"sha256:6824f87845e3396029f3820c206e459ccc91760e8fa24422f8b0c3d1731cbec5",
"sha256:6c6c373cfc5c83a975506110d17457138c8c63016b563cc9ed6e056a82f13ce4",
"sha256:6d02d6655b0e54f54c4ef0b94eb6be0607b70853c45ce98bd278dc7de718be5d",
"sha256:6d50360be4546678fc1b79ffe7a66265e28667840010348dd69a314145807a1b",
"sha256:730cacb21e1bdff3ce90babf007d0a0917cc3e6492f336c2f0134101e0944f93",
"sha256:737fe7d37e1a1bffe70bd5754ea763a62a066dc5913ca57e957824b72a85e205",
"sha256:74a03b9698e198d47562765773b4a8309919089150a0bb17d829ad7b44b60d27",
"sha256:7553fb2090d71822f02c629afe6042c299edf91ba1bf94951165613553984512",
"sha256:7a66c7204d8869299919db4d5069a82f1561581af12b11b3c9f48c584eb8743d",
"sha256:7cc09976e8b56f8cebd752f7113ad07752461f48a58cbba644139015ac24954c",
"sha256:81afed14892743bbe14dacb9e36d9e0e504cd204e0b165062c488942b9718037",
"sha256:8941aaadaf67246224cee8c3803777eed332a19d909b47e29c9842ef1e79ac26",
"sha256:89472c9762729b5ae1ad974b777416bfda4ac5642423fa93bd57a09204712322",
"sha256:8ea985900c5c95ce9db1745f7933eeef5d314f0565b27625d9a10ec9881e1bfb",
"sha256:8eca2a813c1cb7ad4fb74d368c2ffbbb4789d377ee5bb8df98373c2cc0dee76c",
"sha256:92b68146a71df78564e4ef48af17551a5ddd142e5190cdf2c5624d0c3ff5b2e8",
"sha256:9332088d75dc3241c702d852d4671613136d90fa6881da7d770a483fd05248b4",
"sha256:94698a9c5f91f9d138526b48fe26a199609544591f859c870d477351dc7b2414",
"sha256:9a67fc9e8eb39039280526379fb3a70023d77caec1852002b4da7e8b270c4dd9",
"sha256:9de40a7b0323d889cf8d23d1ef214f565ab154443c42737dfe52ff82cf857664",
"sha256:a05d0c237b3349096d3981b727493e22147f934b20f6f125a3eba8f994bec4a9",
"sha256:afb8db5439b81cf9c9d0c80404b60c3cc9c3add93e114dcae767f1477cb53775",
"sha256:b18a3ed7d5b3bd8d9ef7a8cb226502c6bf8308df1525e1cc676c3680e7176739",
"sha256:b1e74d11748e7e98e2f426ab176d4ed720a64412b6a15054378afdb71e0f37dc",
"sha256:b21e08af67b8a103c71a250401c78d5e0893beff75e28c53c98f4de42f774062",
"sha256:b4c854ef3adc177950a8dfc81a86f5115d2abd545751a304c5bcf2c2c7283cfe",
"sha256:b882b3df248017dba09d6b16defe9b5c407fe32fc7c65a9c69798e6175601be9",
"sha256:baf5215e0ab74c16e2dd324e8ec067ef59e41125d3eade2b863d294fd5035c92",
"sha256:c649e3a33450ec82378822b3dad03cc228b8f5963c0c12fc3b1e0ab940f768a5",
"sha256:c654de545946e0db659b3400168c9ad31b5d29593291482c43e3564effbcee13",
"sha256:c6638687455baf640e37344fe26d37c404db8b80d037c3d29f58fe8d1c3b194d",
"sha256:c8d3b5532fc71b7a77c09192b4a5a200ea992702734a2e9279a37f2478236f26",
"sha256:cb527a79772e5ef98fb1d700678fe031e353e765d1ca2d409c92263c6d43e09f",
"sha256:cf364028c016c03078a23b503f02058f1814320a56ad535686f90565636a9495",
"sha256:d48a880098c96020b02d5a1f7d9251308510ce8858940e6fa99ece33f610838b",
"sha256:d68b6cef7827e8641e8ef16f4494edda8b36104d79773a334beaa1e3521430f6",
"sha256:d9b29c1f0ae438d5ee9acb31cadee00a58c46cc9c0b2f9038c6b0b3470877a8c",
"sha256:d9b97165e8aed9272a6bb17c01e3cc5871a594a446ebedc996e2397a1c1ea8ef",
"sha256:da68248800ad6320861f129cd9c1bf96ca849a2771a59e0344e88681905916f5",
"sha256:da902562c3e9c550df360bfa53c035b2f241fed6d9aef119048073680ace4a18",
"sha256:dbd5c7a25a7cb98f5ca55d258b103a2054f859a46ae11aaf23134f9cc0d356ad",
"sha256:dd4f05f54a52fb558f1ba9f528228066954fee3ebe629fc1660d874d040ae5a3",
"sha256:de8dad4425a6ca6e4e5e297b27b5c824ecc7581910bf9aee86cb6835e6812aa7",
"sha256:e11e82b744887154b182fd3e7e8512418446501191994dbf9c9fc1f32cc8efd5",
"sha256:e6e73b9e02893c764e7e8d5bb5ce277f1a009cd5243f8228f75f842bf937c534",
"sha256:f73b96c41e3b2adedc34a7356e64c8eb96e03a3782b535e043a986276ce12a49",
"sha256:f93fd8e5c8c0a4aa1f424d6173f14a892044054871c771f8566e4008eaa359d2",
"sha256:fc33c5141b55ed366cfaad382df24fe7dcbc686de5be719b207bb248e3053dc5",
"sha256:fc7de24befaeae77ba923797c7c87834c73648a05a4bde34b3b7e5588973a453",
"sha256:fe562eb1a64e67dd297ccc4f5addea2501664954f2692b69a76449ec7913ecbf"
],
"version": "==1.14.6"
"markers": "python_version >= '3.9'",
"version": "==2.0.0"
},
"click": {
"hashes": [
"sha256:12ff4785d337a1bb490bb7e9c2b1ee5da3112e94a8622f26a6c77f5d2fc6842a",
"sha256:981153a64e25f12d547d3426c367a4857371575ee7ad18df2a6183ab0545b2a6"
],
"markers": "python_version >= '3.10'",
"version": "==8.3.1"
},
"cryptography": {
"hashes": [
"sha256:0a7dcbcd3f1913f664aca35d47c1331fce738d44ec34b7be8b9d332151b0b01e",
"sha256:1eb7bb0df6f6f583dd8e054689def236255161ebbcf62b226454ab9ec663746b",
"sha256:21ca464b3a4b8d8e86ba0ee5045e103a1fcfac3b39319727bc0fc58c09c6aff7",
"sha256:34dae04a0dce5730d8eb7894eab617d8a70d0c97da76b905de9efb7128ad7085",
"sha256:3520667fda779eb788ea00080124875be18f2d8f0848ec00733c0ec3bb8219fc",
"sha256:3fa3a7ccf96e826affdf1a0a9432be74dc73423125c8f96a909e3835a5ef194a",
"sha256:5b0fbfae7ff7febdb74b574055c7466da334a5371f253732d7e2e7525d570498",
"sha256:8695456444f277af73a4877db9fc979849cd3ee74c198d04fc0776ebc3db52b9",
"sha256:94cc5ed4ceaefcbe5bf38c8fba6a21fc1d365bb8fb826ea1688e3370b2e24a1c",
"sha256:94fff993ee9bc1b2440d3b7243d488c6a3d9724cc2b09cdb297f6a886d040ef7",
"sha256:9965c46c674ba8cc572bc09a03f4c649292ee73e1b683adb1ce81e82e9a6a0fb",
"sha256:a00cf305f07b26c351d8d4e1af84ad7501eca8a342dedf24a7acb0e7b7406e14",
"sha256:a305600e7a6b7b855cd798e00278161b681ad6e9b7eca94c721d5f588ab212af",
"sha256:cd65b60cfe004790c795cc35f272e41a3df4631e2fb6b35aa7ac6ef2859d554e",
"sha256:d2a6e5ef66503da51d2110edf6c403dc6b494cc0082f85db12f54e9c5d4c3ec5",
"sha256:d9ec0e67a14f9d1d48dd87a2531009a9b251c02ea42851c060b25c782516ff06",
"sha256:f44d141b8c4ea5eb4dbc9b3ad992d45580c1d22bf5e24363f2fbf50c2d7ae8a7"
"sha256:00a5e7e87938e5ff9ff5447ab086a5706a957137e6e433841e9d24f38a065217",
"sha256:01ca9ff2885f3acc98c29f1860552e37f6d7c7d013d7334ff2a9de43a449315d",
"sha256:09859af8466b69bc3c27bdf4f5d84a665e0f7ab5088412e9e2ec49758eca5cbc",
"sha256:0abf1ffd6e57c67e92af68330d05760b7b7efb243aab8377e583284dbab72c71",
"sha256:1000713389b75c449a6e979ffc7dcc8ac90b437048766cef052d4d30b8220971",
"sha256:109d4ddfadf17e8e7779c39f9b18111a09efb969a301a31e987416a0191ed93a",
"sha256:10b01676fc208c3e6feeb25a8b83d81767e8059e1fe86e1dc62d10a3018fa926",
"sha256:10ca84c4668d066a9878890047f03546f3ae0a6b8b39b697457b7757aaf18dbc",
"sha256:15ab9b093e8f09daab0f2159bb7e47532596075139dd74365da52ecc9cb46c5d",
"sha256:191bb60a7be5e6f54e30ba16fdfae78ad3a342a0599eb4193ba88e3f3d6e185b",
"sha256:22d7e97932f511d6b0b04f2bfd818d73dcd5928db509460aaf48384778eb6d20",
"sha256:23b1a8f26e43f47ceb6d6a43115f33a5a37d57df4ea0ca295b780ae8546e8044",
"sha256:36e627112085bb3b81b19fed209c05ce2a52ee8b15d161b7c643a7d5a88491f3",
"sha256:39b6755623145ad5eff1dab323f4eae2a32a77a7abef2c5089a04a3d04366715",
"sha256:3b51b8ca4f1c6453d8829e1eb7299499ca7f313900dd4d89a24b8b87c0a780d4",
"sha256:402b58fc32614f00980b66d6e56a5b4118e6cb362ae8f3fda141ba4689bd4506",
"sha256:416260257577718c05135c55958b674000baef9a1c7d9e8f306ec60d71db850f",
"sha256:46acf53b40ea38f9c6c229599a4a13f0d46a6c3fa9ef19fc1a124d62e338dfa0",
"sha256:4b7387121ac7d15e550f5cb4a43aef2559ed759c35df7336c402bb8275ac9683",
"sha256:50fc3343ac490c6b08c0cf0d704e881d0d660be923fd3076db3e932007e726e3",
"sha256:516ea134e703e9fe26bcd1277a4b59ad30586ea90c365a87781d7887a646fe21",
"sha256:549e234ff32571b1f4076ac269fcce7a808d3bf98b76c8dd560e42dbc66d7d91",
"sha256:5d7f93296ee28f68447397bf5198428c9aeeab45705a55d53a6343455dcb2c3c",
"sha256:5ecfccd2329e37e9b7112a888e76d9feca2347f12f37918facbb893d7bb88ee8",
"sha256:6276eb85ef938dc035d59b87c8a7dc559a232f954962520137529d77b18ff1df",
"sha256:6b5063083824e5509fdba180721d55909ffacccc8adbec85268b48439423d78c",
"sha256:6eae65d4c3d33da080cff9c4ab1f711b15c1d9760809dad6ea763f3812d254cb",
"sha256:6f61efb26e76c45c4a227835ddeae96d83624fb0d29eb5df5b96e14ed1a0afb7",
"sha256:71e842ec9bc7abf543b47cf86b9a743baa95f4677d22baa4c7d5c69e49e9bc04",
"sha256:760f83faa07f8b64e9c33fc963d790a2edb24efb479e3520c14a45741cd9b2db",
"sha256:78a97cf6a8839a48c49271cdcbd5cf37ca2c1d6b7fdd86cc864f302b5e9bf459",
"sha256:7ce938a99998ed3c8aa7e7272dca1a610401ede816d36d0693907d863b10d9ea",
"sha256:8a6e050cb6164d3f830453754094c086ff2d0b2f3a897a1d9820f6139a1f0914",
"sha256:9394673a9f4de09e28b5356e7fff97d778f8abad85c9d5ac4a4b7e25a0de7717",
"sha256:94cd0549accc38d1494e1f8de71eca837d0509d0d44bf11d158524b0e12cebf9",
"sha256:a04bee9ab6a4da801eb9b51f1b708a1b5b5c9eb48c03f74198464c66f0d344ac",
"sha256:a23582810fedb8c0bc47524558fb6c56aac3fc252cb306072fd2815da2a47c32",
"sha256:a2c0cd47381a3229c403062f764160d57d4d175e022c1df84e168c6251a22eec",
"sha256:a8b17438104fed022ce745b362294d9ce35b4c2e45c1d958ad4a4b019285f4a1",
"sha256:a9a3008438615669153eb86b26b61e09993921ebdd75385ddd748702c5adfddb",
"sha256:b02cf04496f6576afffef5ddd04a0cb7d49cf6be16a9059d793a30b035f6b6ac",
"sha256:b419ae593c86b87014b9be7396b385491ad7f320bde96826d0dd174459e54665",
"sha256:c0a7bb1a68a5d3471880e264621346c48665b3bf1c3759d682fc0864c540bd9e",
"sha256:c70cc23f12726be8f8bc72e41d5065d77e4515efae3690326764ea1b07845cfb",
"sha256:c8daeb2d2174beb4575b77482320303f3d39b8e81153da4f0fb08eb5fe86a6c5",
"sha256:cb3d760a6117f621261d662bccc8ef5bc32ca673e037c83fbe565324f5c46936",
"sha256:d55f3dffadd674514ad19451161118fd010988540cee43d8bc20675e775925de",
"sha256:d89c3468de4cdc4f08a57e214384d0471911a3830fcdaf7a8cc587e42a866372",
"sha256:db391fa7c66df6762ee3f00c95a89e6d428f4d60e7abc8328f4fe155b5ac6e54",
"sha256:dfb781ff7eaa91a6f7fd41776ec37c5853c795d3b358d4896fdbb5df168af422",
"sha256:e5bf0ed4490068a2e72ac03d786693adeb909981cc596425d09032d372bcc849",
"sha256:e7aec276d68421f9574040c26e2a7c3771060bc0cff408bae1dcb19d3ab1e63c",
"sha256:ef639cb3372f69ec44915fafcd6698b6cc78fbe0c2ea41be867f6ed612811963",
"sha256:f260d0d41e9b4da1ed1e0f1ce571f97fe370b152ab18778e9e8f67d6af432018"
],
"markers": "python_version >= '3.8' and python_full_version not in '3.9.0, 3.9.1'",
"version": "==46.0.3"
},
"distro": {
"hashes": [
"sha256:2fa77c6fd8940f116ee1d6b94a2f90b13b5ea8d019b98bc8bafdcabcdd9bdbed",
"sha256:7bffd925d65168f85027d8da9af6bddab658135b840670a223589bc0c8ef02b2"
],
"markers": "python_version >= '3.6'",
"version": "==3.4.8"
"version": "==1.9.0"
},
"filelock": {
"hashes": [
"sha256:339b4732ffda5cd79b13f4e2711a31b0365ce445d95d243bb996273d072546a2",
"sha256:711e943b4ec6be42e1d4e6690b48dc175c822967466bb31c0c293f34334c13f4"
],
"markers": "python_version >= '3.10'",
"version": "==3.20.0"
},
"importlib-metadata": {
"hashes": [
"sha256:d13b81ad223b890aa16c5471f2ac3056cf76c5f10f82d6f9292f0b415f389000",
"sha256:e5dd1551894c77868a30651cef00984d50e1002d06942a7101d34870c5f02afd"
],
"markers": "python_version >= '3.9'",
"version": "==8.7.0"
},
"jinja2": {
"hashes": [
"sha256:1f06f2da51e7b56b8f238affdd6b4e2c61e39598a378cc49345bc1bd42a978a4",
"sha256:703f484b47a6af502e743c9122595cc812b0271f661722403114f71a79d0f5a4"
"sha256:0137fb05990d35f1275a587e9aee6d56da821fc83491a0fb838183be43f66d6d",
"sha256:85ece4451f492d0c13c5dd7c13a64681a86afae63a5f347908daf103ce6d2f67"
],
"markers": "python_version >= '3.6'",
"version": "==3.0.1"
"markers": "python_version >= '3.7'",
"version": "==3.1.6"
},
"jsonschema": {
"hashes": [
"sha256:3fba0169e345c7175110351d456342c364814cfcf3b964ba4587f22915230a63",
"sha256:e4a9655ce0da0c0b67a085847e00a3a51449e1157f4f75e9fb5aa545e122eb85"
],
"markers": "python_version >= '3.9'",
"version": "==4.25.1"
},
"jsonschema-specifications": {
"hashes": [
"sha256:98802fee3a11ee76ecaca44429fda8a41bff98b00a0f2838151b113f210cc6fe",
"sha256:b540987f239e745613c7a9176f3edb72b832a4ac465cf02712288397832b5e8d"
],
"markers": "python_version >= '3.9'",
"version": "==2025.9.1"
},
"markupsafe": {
"hashes": [
"sha256:01a9b8ea66f1658938f65b93a85ebe8bc016e6769611be228d797c9d998dd298",
"sha256:023cb26ec21ece8dc3907c0e8320058b2e0cb3c55cf9564da612bc325bed5e64",
"sha256:0446679737af14f45767963a1a9ef7620189912317d095f2d9ffa183a4d25d2b",
"sha256:0717a7390a68be14b8c793ba258e075c6f4ca819f15edfc2a3a027c823718567",
"sha256:0955295dd5eec6cb6cc2fe1698f4c6d84af2e92de33fbcac4111913cd100a6ff",
"sha256:0d4b31cc67ab36e3392bbf3862cfbadac3db12bdd8b02a2731f509ed5b829724",
"sha256:10f82115e21dc0dfec9ab5c0223652f7197feb168c940f3ef61563fc2d6beb74",
"sha256:168cd0a3642de83558a5153c8bd34f175a9a6e7f6dc6384b9655d2697312a646",
"sha256:1d609f577dc6e1aa17d746f8bd3c31aa4d258f4070d61b2aa5c4166c1539de35",
"sha256:1f2ade76b9903f39aa442b4aadd2177decb66525062db244b35d71d0ee8599b6",
"sha256:2a7d351cbd8cfeb19ca00de495e224dea7e7d919659c2841bbb7f420ad03e2d6",
"sha256:2d7d807855b419fc2ed3e631034685db6079889a1f01d5d9dac950f764da3dad",
"sha256:2ef54abee730b502252bcdf31b10dacb0a416229b72c18b19e24a4509f273d26",
"sha256:36bc903cbb393720fad60fc28c10de6acf10dc6cc883f3e24ee4012371399a38",
"sha256:37205cac2a79194e3750b0af2a5720d95f786a55ce7df90c3af697bfa100eaac",
"sha256:3c112550557578c26af18a1ccc9e090bfe03832ae994343cfdacd287db6a6ae7",
"sha256:3dd007d54ee88b46be476e293f48c85048603f5f516008bee124ddd891398ed6",
"sha256:47ab1e7b91c098ab893b828deafa1203de86d0bc6ab587b160f78fe6c4011f75",
"sha256:49e3ceeabbfb9d66c3aef5af3a60cc43b85c33df25ce03d0031a608b0a8b2e3f",
"sha256:4efca8f86c54b22348a5467704e3fec767b2db12fc39c6d963168ab1d3fc9135",
"sha256:53edb4da6925ad13c07b6d26c2a852bd81e364f95301c66e930ab2aef5b5ddd8",
"sha256:5855f8438a7d1d458206a2466bf82b0f104a3724bf96a1c781ab731e4201731a",
"sha256:594c67807fb16238b30c44bdf74f36c02cdf22d1c8cda91ef8a0ed8dabf5620a",
"sha256:5bb28c636d87e840583ee3adeb78172efc47c8b26127267f54a9c0ec251d41a9",
"sha256:60bf42e36abfaf9aff1f50f52644b336d4f0a3fd6d8a60ca0d054ac9f713a864",
"sha256:611d1ad9a4288cf3e3c16014564df047fe08410e628f89805e475368bd304914",
"sha256:6557b31b5e2c9ddf0de32a691f2312a32f77cd7681d8af66c2692efdbef84c18",
"sha256:693ce3f9e70a6cf7d2fb9e6c9d8b204b6b39897a2c4a1aa65728d5ac97dcc1d8",
"sha256:6a7fae0dd14cf60ad5ff42baa2e95727c3d81ded453457771d02b7d2b3f9c0c2",
"sha256:6c4ca60fa24e85fe25b912b01e62cb969d69a23a5d5867682dd3e80b5b02581d",
"sha256:6fcf051089389abe060c9cd7caa212c707e58153afa2c649f00346ce6d260f1b",
"sha256:7d91275b0245b1da4d4cfa07e0faedd5b0812efc15b702576d103293e252af1b",
"sha256:905fec760bd2fa1388bb5b489ee8ee5f7291d692638ea5f67982d968366bef9f",
"sha256:97383d78eb34da7e1fa37dd273c20ad4320929af65d156e35a5e2d89566d9dfb",
"sha256:984d76483eb32f1bcb536dc27e4ad56bba4baa70be32fa87152832cdd9db0833",
"sha256:99df47edb6bda1249d3e80fdabb1dab8c08ef3975f69aed437cb69d0a5de1e28",
"sha256:a30e67a65b53ea0a5e62fe23682cfe22712e01f453b95233b25502f7c61cb415",
"sha256:ab3ef638ace319fa26553db0624c4699e31a28bb2a835c5faca8f8acf6a5a902",
"sha256:add36cb2dbb8b736611303cd3bfcee00afd96471b09cda130da3581cbdc56a6d",
"sha256:b2f4bf27480f5e5e8ce285a8c8fd176c0b03e93dcc6646477d4630e83440c6a9",
"sha256:b7f2d075102dc8c794cbde1947378051c4e5180d52d276987b8d28a3bd58c17d",
"sha256:baa1a4e8f868845af802979fcdbf0bb11f94f1cb7ced4c4b8a351bb60d108145",
"sha256:be98f628055368795d818ebf93da628541e10b75b41c559fdf36d104c5787066",
"sha256:bf5d821ffabf0ef3533c39c518f3357b171a1651c1ff6827325e4489b0e46c3c",
"sha256:c47adbc92fc1bb2b3274c4b3a43ae0e4573d9fbff4f54cd484555edbf030baf1",
"sha256:d7f9850398e85aba693bb640262d3611788b1f29a79f0c93c565694658f4071f",
"sha256:d8446c54dc28c01e5a2dbac5a25f071f6653e6e40f3a8818e8b45d790fe6ef53",
"sha256:e0f138900af21926a02425cf736db95be9f4af72ba1bb21453432a07f6082134",
"sha256:e9936f0b261d4df76ad22f8fee3ae83b60d7c3e871292cd42f40b81b70afae85",
"sha256:f5653a225f31e113b152e56f154ccbe59eeb1c7487b39b9d9f9cdb58e6c79dc5",
"sha256:f826e31d18b516f653fe296d967d700fddad5901ae07c622bb3705955e1faa94",
"sha256:f8ba0e8349a38d3001fae7eadded3f6606f0da5d748ee53cc1dab1d6527b9509",
"sha256:f9081981fe268bd86831e5c75f7de206ef275defcb82bc70740ae6dc507aee51",
"sha256:fa130dd50c57d53368c9d59395cb5526eda596d3ffe36666cd81a44d56e48872"
"sha256:0303439a41979d9e74d18ff5e2dd8c43ed6c6001fd40e5bf2e43f7bd9bbc523f",
"sha256:068f375c472b3e7acbe2d5318dea141359e6900156b5b2ba06a30b169086b91a",
"sha256:0bf2a864d67e76e5c9a34dc26ec616a66b9888e25e7b9460e1c76d3293bd9dbf",
"sha256:0db14f5dafddbb6d9208827849fad01f1a2609380add406671a26386cdf15a19",
"sha256:0eb9ff8191e8498cca014656ae6b8d61f39da5f95b488805da4bb029cccbfbaf",
"sha256:0f4b68347f8c5eab4a13419215bdfd7f8c9b19f2b25520968adfad23eb0ce60c",
"sha256:1085e7fbddd3be5f89cc898938f42c0b3c711fdcb37d75221de2666af647c175",
"sha256:116bb52f642a37c115f517494ea5feb03889e04df47eeff5b130b1808ce7c219",
"sha256:12c63dfb4a98206f045aa9563db46507995f7ef6d83b2f68eda65c307c6829eb",
"sha256:133a43e73a802c5562be9bbcd03d090aa5a1fe899db609c29e8c8d815c5f6de6",
"sha256:1353ef0c1b138e1907ae78e2f6c63ff67501122006b0f9abad68fda5f4ffc6ab",
"sha256:15d939a21d546304880945ca1ecb8a039db6b4dc49b2c5a400387cdae6a62e26",
"sha256:177b5253b2834fe3678cb4a5f0059808258584c559193998be2601324fdeafb1",
"sha256:1872df69a4de6aead3491198eaf13810b565bdbeec3ae2dc8780f14458ec73ce",
"sha256:1b4b79e8ebf6b55351f0d91fe80f893b4743f104bff22e90697db1590e47a218",
"sha256:1b52b4fb9df4eb9ae465f8d0c228a00624de2334f216f178a995ccdcf82c4634",
"sha256:1ba88449deb3de88bd40044603fafffb7bc2b055d626a330323a9ed736661695",
"sha256:1cc7ea17a6824959616c525620e387f6dd30fec8cb44f649e31712db02123dad",
"sha256:218551f6df4868a8d527e3062d0fb968682fe92054e89978594c28e642c43a73",
"sha256:26a5784ded40c9e318cfc2bdb30fe164bdb8665ded9cd64d500a34fb42067b1c",
"sha256:2713baf880df847f2bece4230d4d094280f4e67b1e813eec43b4c0e144a34ffe",
"sha256:2a15a08b17dd94c53a1da0438822d70ebcd13f8c3a95abe3a9ef9f11a94830aa",
"sha256:2f981d352f04553a7171b8e44369f2af4055f888dfb147d55e42d29e29e74559",
"sha256:32001d6a8fc98c8cb5c947787c5d08b0a50663d139f1305bac5885d98d9b40fa",
"sha256:3524b778fe5cfb3452a09d31e7b5adefeea8c5be1d43c4f810ba09f2ceb29d37",
"sha256:3537e01efc9d4dccdf77221fb1cb3b8e1a38d5428920e0657ce299b20324d758",
"sha256:35add3b638a5d900e807944a078b51922212fb3dedb01633a8defc4b01a3c85f",
"sha256:38664109c14ffc9e7437e86b4dceb442b0096dfe3541d7864d9cbe1da4cf36c8",
"sha256:3a7e8ae81ae39e62a41ec302f972ba6ae23a5c5396c8e60113e9066ef893da0d",
"sha256:3b562dd9e9ea93f13d53989d23a7e775fdfd1066c33494ff43f5418bc8c58a5c",
"sha256:457a69a9577064c05a97c41f4e65148652db078a3a509039e64d3467b9e7ef97",
"sha256:4bd4cd07944443f5a265608cc6aab442e4f74dff8088b0dfc8238647b8f6ae9a",
"sha256:4e885a3d1efa2eadc93c894a21770e4bc67899e3543680313b09f139e149ab19",
"sha256:4faffd047e07c38848ce017e8725090413cd80cbc23d86e55c587bf979e579c9",
"sha256:509fa21c6deb7a7a273d629cf5ec029bc209d1a51178615ddf718f5918992ab9",
"sha256:5678211cb9333a6468fb8d8be0305520aa073f50d17f089b5b4b477ea6e67fdc",
"sha256:591ae9f2a647529ca990bc681daebdd52c8791ff06c2bfa05b65163e28102ef2",
"sha256:5a7d5dc5140555cf21a6fefbdbf8723f06fcd2f63ef108f2854de715e4422cb4",
"sha256:69c0b73548bc525c8cb9a251cddf1931d1db4d2258e9599c28c07ef3580ef354",
"sha256:6b5420a1d9450023228968e7e6a9ce57f65d148ab56d2313fcd589eee96a7a50",
"sha256:722695808f4b6457b320fdc131280796bdceb04ab50fe1795cd540799ebe1698",
"sha256:729586769a26dbceff69f7a7dbbf59ab6572b99d94576a5592625d5b411576b9",
"sha256:77f0643abe7495da77fb436f50f8dab76dbc6e5fd25d39589a0f1fe6548bfa2b",
"sha256:795e7751525cae078558e679d646ae45574b47ed6e7771863fcc079a6171a0fc",
"sha256:7be7b61bb172e1ed687f1754f8e7484f1c8019780f6f6b0786e76bb01c2ae115",
"sha256:7c3fb7d25180895632e5d3148dbdc29ea38ccb7fd210aa27acbd1201a1902c6e",
"sha256:7e68f88e5b8799aa49c85cd116c932a1ac15caaa3f5db09087854d218359e485",
"sha256:83891d0e9fb81a825d9a6d61e3f07550ca70a076484292a70fde82c4b807286f",
"sha256:8485f406a96febb5140bfeca44a73e3ce5116b2501ac54fe953e488fb1d03b12",
"sha256:8709b08f4a89aa7586de0aadc8da56180242ee0ada3999749b183aa23df95025",
"sha256:8f71bc33915be5186016f675cd83a1e08523649b0e33efdb898db577ef5bb009",
"sha256:915c04ba3851909ce68ccc2b8e2cd691618c4dc4c4232fb7982bca3f41fd8c3d",
"sha256:949b8d66bc381ee8b007cd945914c721d9aba8e27f71959d750a46f7c282b20b",
"sha256:94c6f0bb423f739146aec64595853541634bde58b2135f27f61c1ffd1cd4d16a",
"sha256:9a1abfdc021a164803f4d485104931fb8f8c1efd55bc6b748d2f5774e78b62c5",
"sha256:9b79b7a16f7fedff2495d684f2b59b0457c3b493778c9eed31111be64d58279f",
"sha256:a320721ab5a1aba0a233739394eb907f8c8da5c98c9181d1161e77a0c8e36f2d",
"sha256:a4afe79fb3de0b7097d81da19090f4df4f8d3a2b3adaa8764138aac2e44f3af1",
"sha256:ad2cf8aa28b8c020ab2fc8287b0f823d0a7d8630784c31e9ee5edea20f406287",
"sha256:b8512a91625c9b3da6f127803b166b629725e68af71f8184ae7e7d54686a56d6",
"sha256:bc51efed119bc9cfdf792cdeaa4d67e8f6fcccab66ed4bfdd6bde3e59bfcbb2f",
"sha256:bdc919ead48f234740ad807933cdf545180bfbe9342c2bb451556db2ed958581",
"sha256:bdd37121970bfd8be76c5fb069c7751683bdf373db1ed6c010162b2a130248ed",
"sha256:be8813b57049a7dc738189df53d69395eba14fb99345e0a5994914a3864c8a4b",
"sha256:c0c0b3ade1c0b13b936d7970b1d37a57acde9199dc2aecc4c336773e1d86049c",
"sha256:c47a551199eb8eb2121d4f0f15ae0f923d31350ab9280078d1e5f12b249e0026",
"sha256:c4ffb7ebf07cfe8931028e3e4c85f0357459a3f9f9490886198848f4fa002ec8",
"sha256:ccfcd093f13f0f0b7fdd0f198b90053bf7b2f02a3927a30e63f3ccc9df56b676",
"sha256:d2ee202e79d8ed691ceebae8e0486bd9a2cd4794cec4824e1c99b6f5009502f6",
"sha256:d53197da72cc091b024dd97249dfc7794d6a56530370992a5e1a08983ad9230e",
"sha256:d6dd0be5b5b189d31db7cda48b91d7e0a9795f31430b7f271219ab30f1d3ac9d",
"sha256:d88b440e37a16e651bda4c7c2b930eb586fd15ca7406cb39e211fcff3bf3017d",
"sha256:de8a88e63464af587c950061a5e6a67d3632e36df62b986892331d4620a35c01",
"sha256:df2449253ef108a379b8b5d6b43f4b1a8e81a061d6537becd5582fba5f9196d7",
"sha256:e1c1493fb6e50ab01d20a22826e57520f1284df32f2d8601fdd90b6304601419",
"sha256:e1cf1972137e83c5d4c136c43ced9ac51d0e124706ee1c8aa8532c1287fa8795",
"sha256:e2103a929dfa2fcaf9bb4e7c091983a49c9ac3b19c9061b6d5427dd7d14d81a1",
"sha256:e56b7d45a839a697b5eb268c82a71bd8c7f6c94d6fd50c3d577fa39a9f1409f5",
"sha256:e8afc3f2ccfa24215f8cb28dcf43f0113ac3c37c2f0f0806d8c70e4228c5cf4d",
"sha256:e8fc20152abba6b83724d7ff268c249fa196d8259ff481f3b1476383f8f24e42",
"sha256:eaa9599de571d72e2daf60164784109f19978b327a3910d3e9de8c97b5b70cfe",
"sha256:ec15a59cf5af7be74194f7ab02d0f59a62bdcf1a537677ce67a2537c9b87fcda",
"sha256:f190daf01f13c72eac4efd5c430a8de82489d9cff23c364c3ea822545032993e",
"sha256:f34c41761022dd093b4b6896d4810782ffbabe30f2d443ff5f083e0cbbb8c737",
"sha256:f3e98bb3798ead92273dc0e5fd0f31ade220f59a266ffd8a4f6065e0a3ce0523",
"sha256:f42d0984e947b8adf7dd6dde396e720934d12c506ce84eea8476409563607591",
"sha256:f71a396b3bf33ecaa1626c255855702aca4d3d9fea5e051b41ac59a9c1c41edc",
"sha256:f9e130248f4462aaa8e2552d547f36ddadbeaa573879158d721bbd33dfe4743a",
"sha256:fed51ac40f757d41b7c48425901843666a6677e3e8eb0abcff09e4ba6e664f50"
],
"markers": "python_version >= '3.6'",
"version": "==2.0.1"
"markers": "python_version >= '3.9'",
"version": "==3.0.3"
},
"mypy-extensions": {
"hashes": [
"sha256:1be4cccdb0f2482337c4743e60421de3a356cd97508abadd57d47403e94f5505",
"sha256:52e68efc3284861e772bbcd66823fde5ae21fd2fdb51c62a211403730b916558"
],
"markers": "python_version >= '3.8'",
"version": "==1.1.0"
},
"packaging": {
"hashes": [
"sha256:7dc96269f53a4ccec5c0670940a4281106dd0bb343f47b7471f779df49c2fbe7",
"sha256:c86254f9220d55e31cc94d69bade760f0847da8000def4dfe1c6b872fd14ff14"
"sha256:29572ef2b1f17581046b3a2227d5c611fb25ec70ca1ba8554b24b0e69331a484",
"sha256:d443872c98d677bf60f6a1f2f8c1cb748e8fe762d2bf9d3148b5599295b0fc4f"
],
"markers": "python_version >= '3.6'",
"version": "==21.0"
"markers": "python_version >= '3.8'",
"version": "==25.0"
},
"pathspec": {
"hashes": [
"sha256:a0d503e138a4c123b27490a4f7beda6a01c6f288df0e4a8b79c7eb0dc7b4cc08",
"sha256:a482d51503a1ab33b1c67a6c3813a26953dbdc71c31dacaef9a838c4e29f5712"
],
"markers": "python_version >= '3.8'",
"version": "==0.12.1"
},
"platformdirs": {
"hashes": [
"sha256:70ddccdd7c99fc5942e9fc25636a8b34d04c24b335100223152c2803e4063312",
"sha256:e578a81bb873cbb89a41fcc904c7ef523cc18284b7e3b3ccf06aca1403b7ebd3"
],
"markers": "python_version >= '3.10'",
"version": "==4.5.0"
},
"pycparser": {
"hashes": [
"sha256:2d475327684562c3a96cc71adf7dc8c4f0565175cf86b6d7a404ff4c771f15f0",
"sha256:7582ad22678f0fcd81102833f60ef8d0e57288b6b5fb00323d101be910e35705"
"sha256:78816d4f24add8f10a06d6f05b4d424ad9e96cfebf68a4ddc99c65c0720d00c2",
"sha256:e5c6e8d3fbad53479cab09ac03729e0a9faf2bee3db8208a550daf5af81a5934"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==2.20"
"markers": "python_version >= '3.8'",
"version": "==2.23"
},
"pyparsing": {
"pytokens": {
"hashes": [
"sha256:c203ec8783bf771a155b207279b9bccb8dea02d8f0c9e5f8ead507bc3246ecc1",
"sha256:ef9d7589ef3c200abe66653d3f1ab1033c3c419ae9b9bdb1240a85b024efc88b"
"sha256:2f932b14ed08de5fcf0b391ace2642f858f1394c0857202959000b68ed7a458a",
"sha256:95b2b5eaf832e469d141a378872480ede3f251a5a5041b8ec6e581d3ac71bbf3"
],
"markers": "python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==2.4.7"
"markers": "python_version >= '3.8'",
"version": "==0.3.0"
},
"pyyaml": {
"hashes": [
"sha256:08682f6b72c722394747bddaf0aa62277e02557c0fd1c42cb853016a38f8dedf",
"sha256:0f5f5786c0e09baddcd8b4b45f20a7b5d61a7e7e99846e3c799b05c7c53fa696",
"sha256:129def1b7c1bf22faffd67b8f3724645203b79d8f4cc81f674654d9902cb4393",
"sha256:294db365efa064d00b8d1ef65d8ea2c3426ac366c0c4368d930bf1c5fb497f77",
"sha256:3b2b1824fe7112845700f815ff6a489360226a5609b96ec2190a45e62a9fc922",
"sha256:3bd0e463264cf257d1ffd2e40223b197271046d09dadf73a0fe82b9c1fc385a5",
"sha256:4465124ef1b18d9ace298060f4eccc64b0850899ac4ac53294547536533800c8",
"sha256:49d4cdd9065b9b6e206d0595fee27a96b5dd22618e7520c33204a4a3239d5b10",
"sha256:4e0583d24c881e14342eaf4ec5fbc97f934b999a6828693a99157fde912540cc",
"sha256:5accb17103e43963b80e6f837831f38d314a0495500067cb25afab2e8d7a4018",
"sha256:607774cbba28732bfa802b54baa7484215f530991055bb562efbed5b2f20a45e",
"sha256:6c78645d400265a062508ae399b60b8c167bf003db364ecb26dcab2bda048253",
"sha256:72a01f726a9c7851ca9bfad6fd09ca4e090a023c00945ea05ba1638c09dc3347",
"sha256:74c1485f7707cf707a7aef42ef6322b8f97921bd89be2ab6317fd782c2d53183",
"sha256:895f61ef02e8fed38159bb70f7e100e00f471eae2bc838cd0f4ebb21e28f8541",
"sha256:8c1be557ee92a20f184922c7b6424e8ab6691788e6d86137c5d93c1a6ec1b8fb",
"sha256:bb4191dfc9306777bc594117aee052446b3fa88737cd13b7188d0e7aa8162185",
"sha256:bfb51918d4ff3d77c1c856a9699f8492c612cde32fd3bcd344af9be34999bfdc",
"sha256:c20cfa2d49991c8b4147af39859b167664f2ad4561704ee74c1de03318e898db",
"sha256:cb333c16912324fd5f769fff6bc5de372e9e7a202247b48870bc251ed40239aa",
"sha256:d2d9808ea7b4af864f35ea216be506ecec180628aced0704e34aca0b040ffe46",
"sha256:d483ad4e639292c90170eb6f7783ad19490e7a8defb3e46f97dfe4bacae89122",
"sha256:dd5de0646207f053eb0d6c74ae45ba98c3395a571a2891858e87df7c9b9bd51b",
"sha256:e1d4970ea66be07ae37a3c2e48b5ec63f7ba6804bdddfdbd3cfd954d25a82e63",
"sha256:e4fac90784481d221a8e4b1162afa7c47ed953be40d31ab4629ae917510051df",
"sha256:fa5ae20527d8e831e8230cbffd9f8fe952815b2b7dae6ffec25318803a7528fc",
"sha256:fd7f6999a8070df521b6384004ef42833b9bd62cfee11a09bda1079b4b704247",
"sha256:fdc842473cd33f45ff6bce46aea678a54e3d21f1b61a7750ce3c498eedfe25d6",
"sha256:fe69978f3f768926cfa37b867e3843918e012cf83f680806599ddce33c2c68b0"
"sha256:00c4bdeba853cc34e7dd471f16b4114f4162dc03e6b7afcc2128711f0eca823c",
"sha256:0150219816b6a1fa26fb4699fb7daa9caf09eb1999f3b70fb6e786805e80375a",
"sha256:02893d100e99e03eda1c8fd5c441d8c60103fd175728e23e431db1b589cf5ab3",
"sha256:02ea2dfa234451bbb8772601d7b8e426c2bfa197136796224e50e35a78777956",
"sha256:0f29edc409a6392443abf94b9cf89ce99889a1dd5376d94316ae5145dfedd5d6",
"sha256:10892704fc220243f5305762e276552a0395f7beb4dbf9b14ec8fd43b57f126c",
"sha256:16249ee61e95f858e83976573de0f5b2893b3677ba71c9dd36b9cf8be9ac6d65",
"sha256:1d37d57ad971609cf3c53ba6a7e365e40660e3be0e5175fa9f2365a379d6095a",
"sha256:1ebe39cb5fc479422b83de611d14e2c0d3bb2a18bbcb01f229ab3cfbd8fee7a0",
"sha256:214ed4befebe12df36bcc8bc2b64b396ca31be9304b8f59e25c11cf94a4c033b",
"sha256:2283a07e2c21a2aa78d9c4442724ec1eb15f5e42a723b99cb3d822d48f5f7ad1",
"sha256:22ba7cfcad58ef3ecddc7ed1db3409af68d023b7f940da23c6c2a1890976eda6",
"sha256:27c0abcb4a5dac13684a37f76e701e054692a9b2d3064b70f5e4eb54810553d7",
"sha256:28c8d926f98f432f88adc23edf2e6d4921ac26fb084b028c733d01868d19007e",
"sha256:2e71d11abed7344e42a8849600193d15b6def118602c4c176f748e4583246007",
"sha256:34d5fcd24b8445fadc33f9cf348c1047101756fd760b4dacb5c3e99755703310",
"sha256:37503bfbfc9d2c40b344d06b2199cf0e96e97957ab1c1b546fd4f87e53e5d3e4",
"sha256:3c5677e12444c15717b902a5798264fa7909e41153cdf9ef7ad571b704a63dd9",
"sha256:3ff07ec89bae51176c0549bc4c63aa6202991da2d9a6129d7aef7f1407d3f295",
"sha256:41715c910c881bc081f1e8872880d3c650acf13dfa8214bad49ed4cede7c34ea",
"sha256:418cf3f2111bc80e0933b2cd8cd04f286338bb88bdc7bc8e6dd775ebde60b5e0",
"sha256:44edc647873928551a01e7a563d7452ccdebee747728c1080d881d68af7b997e",
"sha256:4a2e8cebe2ff6ab7d1050ecd59c25d4c8bd7e6f400f5f82b96557ac0abafd0ac",
"sha256:4ad1906908f2f5ae4e5a8ddfce73c320c2a1429ec52eafd27138b7f1cbe341c9",
"sha256:501a031947e3a9025ed4405a168e6ef5ae3126c59f90ce0cd6f2bfc477be31b7",
"sha256:5190d403f121660ce8d1d2c1bb2ef1bd05b5f68533fc5c2ea899bd15f4399b35",
"sha256:5498cd1645aa724a7c71c8f378eb29ebe23da2fc0d7a08071d89469bf1d2defb",
"sha256:5cf4e27da7e3fbed4d6c3d8e797387aaad68102272f8f9752883bc32d61cb87b",
"sha256:5e0b74767e5f8c593e8c9b5912019159ed0533c70051e9cce3e8b6aa699fcd69",
"sha256:5ed875a24292240029e4483f9d4a4b8a1ae08843b9c54f43fcc11e404532a8a5",
"sha256:5fcd34e47f6e0b794d17de1b4ff496c00986e1c83f7ab2fb8fcfe9616ff7477b",
"sha256:5fdec68f91a0c6739b380c83b951e2c72ac0197ace422360e6d5a959d8d97b2c",
"sha256:6344df0d5755a2c9a276d4473ae6b90647e216ab4757f8426893b5dd2ac3f369",
"sha256:64386e5e707d03a7e172c0701abfb7e10f0fb753ee1d773128192742712a98fd",
"sha256:652cb6edd41e718550aad172851962662ff2681490a8a711af6a4d288dd96824",
"sha256:66291b10affd76d76f54fad28e22e51719ef9ba22b29e1d7d03d6777a9174198",
"sha256:66e1674c3ef6f541c35191caae2d429b967b99e02040f5ba928632d9a7f0f065",
"sha256:6adc77889b628398debc7b65c073bcb99c4a0237b248cacaf3fe8a557563ef6c",
"sha256:79005a0d97d5ddabfeeea4cf676af11e647e41d81c9a7722a193022accdb6b7c",
"sha256:7c6610def4f163542a622a73fb39f534f8c101d690126992300bf3207eab9764",
"sha256:7f047e29dcae44602496db43be01ad42fc6f1cc0d8cd6c83d342306c32270196",
"sha256:8098f252adfa6c80ab48096053f512f2321f0b998f98150cea9bd23d83e1467b",
"sha256:850774a7879607d3a6f50d36d04f00ee69e7fc816450e5f7e58d7f17f1ae5c00",
"sha256:8d1fab6bb153a416f9aeb4b8763bc0f22a5586065f86f7664fc23339fc1c1fac",
"sha256:8da9669d359f02c0b91ccc01cac4a67f16afec0dac22c2ad09f46bee0697eba8",
"sha256:8dc52c23056b9ddd46818a57b78404882310fb473d63f17b07d5c40421e47f8e",
"sha256:9149cad251584d5fb4981be1ecde53a1ca46c891a79788c0df828d2f166bda28",
"sha256:93dda82c9c22deb0a405ea4dc5f2d0cda384168e466364dec6255b293923b2f3",
"sha256:96b533f0e99f6579b3d4d4995707cf36df9100d67e0c8303a0c55b27b5f99bc5",
"sha256:9c57bb8c96f6d1808c030b1687b9b5fb476abaa47f0db9c0101f5e9f394e97f4",
"sha256:9c7708761fccb9397fe64bbc0395abcae8c4bf7b0eac081e12b809bf47700d0b",
"sha256:9f3bfb4965eb874431221a3ff3fdcddc7e74e3b07799e0e84ca4a0f867d449bf",
"sha256:a33284e20b78bd4a18c8c2282d549d10bc8408a2a7ff57653c0cf0b9be0afce5",
"sha256:a80cb027f6b349846a3bf6d73b5e95e782175e52f22108cfa17876aaeff93702",
"sha256:b30236e45cf30d2b8e7b3e85881719e98507abed1011bf463a8fa23e9c3e98a8",
"sha256:b3bc83488de33889877a0f2543ade9f70c67d66d9ebb4ac959502e12de895788",
"sha256:b865addae83924361678b652338317d1bd7e79b1f4596f96b96c77a5a34b34da",
"sha256:b8bb0864c5a28024fac8a632c443c87c5aa6f215c0b126c449ae1a150412f31d",
"sha256:ba1cc08a7ccde2d2ec775841541641e4548226580ab850948cbfda66a1befcdc",
"sha256:bdb2c67c6c1390b63c6ff89f210c8fd09d9a1217a465701eac7316313c915e4c",
"sha256:c1ff362665ae507275af2853520967820d9124984e0f7466736aea23d8611fba",
"sha256:c2514fceb77bc5e7a2f7adfaa1feb2fb311607c9cb518dbc378688ec73d8292f",
"sha256:c3355370a2c156cffb25e876646f149d5d68f5e0a3ce86a5084dd0b64a994917",
"sha256:c458b6d084f9b935061bc36216e8a69a7e293a2f1e68bf956dcd9e6cbcd143f5",
"sha256:d0eae10f8159e8fdad514efdc92d74fd8d682c933a6dd088030f3834bc8e6b26",
"sha256:d76623373421df22fb4cf8817020cbb7ef15c725b9d5e45f17e189bfc384190f",
"sha256:ebc55a14a21cb14062aa4162f906cd962b28e2e9ea38f9b4391244cd8de4ae0b",
"sha256:eda16858a3cab07b80edaf74336ece1f986ba330fdb8ee0d6c0d68fe82bc96be",
"sha256:ee2922902c45ae8ccada2c5b501ab86c36525b883eff4255313a253a3160861c",
"sha256:efd7b85f94a6f21e4932043973a7ba2613b059c4a000551892ac9f1d11f5baf3",
"sha256:f7057c9a337546edc7973c0d3ba84ddcdf0daa14533c2065749c9075001090e6",
"sha256:fa160448684b4e94d80416c0fa4aac48967a969efe22931448d853ada8baf926",
"sha256:fc09d0aa354569bc501d4e787133afc08552722d3ab34836a80547331bb5d4a0"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4, 3.5'",
"version": "==5.4.1"
"markers": "python_version >= '3.8'",
"version": "==6.0.3"
},
"referencing": {
"hashes": [
"sha256:381329a9f99628c9069361716891d34ad94af76e461dcb0335825aecc7692231",
"sha256:44aefc3142c5b842538163acb373e24cce6632bd54bdb01b21ad5863489f50d8"
],
"markers": "python_version >= '3.10'",
"version": "==0.37.0"
},
"resolvelib": {
"hashes": [
"sha256:8113ae3ed6d33c6be0bcbf03ffeb06c0995c099b7b8aaa5ddf2e9b3b3df4e915",
"sha256:9b9b80d5c60e4c2a8b7fbf0712c3449dc01d74e215632e5199850c9eca687628"
"sha256:7d08a2022f6e16ce405d60b68c390f054efcfd0477d4b9bd019cc941c28fad1c",
"sha256:fb06b66c8da04172d9e72a21d7d06186d8919e32ae5ab5cdf5b9d920be805ac2"
],
"version": "==0.5.4"
"markers": "python_version >= '3.9'",
"version": "==1.2.1"
},
"rpds-py": {
"hashes": [
"sha256:00e56b12d2199ca96068057e1ae7f9998ab6e99cda82431afafd32f3ec98cca9",
"sha256:0248b19405422573621172ab8e3a1f29141362d13d9f72bafa2e28ea0cdca5a2",
"sha256:05a2bd42768ea988294ca328206efbcc66e220d2d9b7836ee5712c07ad6340ea",
"sha256:070befbb868f257d24c3bb350dbd6e2f645e83731f31264b19d7231dd5c396c7",
"sha256:0a8896986efaa243ab713c69e6491a4138410f0fe36f2f4c71e18bd5501e8014",
"sha256:0ea962671af5cb9a260489e311fa22b2e97103e3f9f0caaea6f81390af96a9ed",
"sha256:115f48170fd4296a33938d8c11f697f5f26e0472e43d28f35624764173a60e4d",
"sha256:12597d11d97b8f7e376c88929a6e17acb980e234547c92992f9f7c058f1a7310",
"sha256:1585648d0760b88292eecab5181f5651111a69d90eff35d6b78aa32998886a61",
"sha256:16e9da2bda9eb17ea318b4c335ec9ac1818e88922cbe03a5743ea0da9ecf74fb",
"sha256:1a409b0310a566bfd1be82119891fefbdce615ccc8aa558aff7835c27988cbef",
"sha256:1c3c3e8101bb06e337c88eb0c0ede3187131f19d97d43ea0e1c5407ea74c0cbf",
"sha256:1d24564a700ef41480a984c5ebed62b74e6ce5860429b98b1fede76049e953e6",
"sha256:1de2345af363d25696969befc0c1688a6cb5e8b1d32b515ef84fc245c6cddba3",
"sha256:1ea59b23ea931d494459c8338056fe7d93458c0bf3ecc061cd03916505369d55",
"sha256:2023473f444752f0f82a58dfcbee040d0a1b3d1b3c2ec40e884bd25db6d117d2",
"sha256:20c51ae86a0bb9accc9ad4e6cdeec58d5ebb7f1b09dd4466331fc65e1766aae7",
"sha256:24a16cb7163933906c62c272de20ea3c228e4542c8c45c1d7dc2b9913e17369a",
"sha256:24a7231493e3c4a4b30138b50cca089a598e52c34cf60b2f35cebf62f274fdea",
"sha256:2549d833abdf8275c901313b9e8ff8fba57e50f6a495035a2a4e30621a2f7cc4",
"sha256:28de03cf48b8a9e6ec10318f2197b83946ed91e2891f651a109611be4106ac4b",
"sha256:28fd300326dd21198f311534bdb6d7e989dd09b3418b3a91d54a0f384c700967",
"sha256:295ce5ac7f0cf69a651ea75c8f76d02a31f98e5698e82a50a5f4d4982fbbae3b",
"sha256:2a21deb8e0d1571508c6491ce5ea5e25669b1dd4adf1c9d64b6314842f708b5d",
"sha256:2aba991e041d031c7939e1358f583ae405a7bf04804ca806b97a5c0e0af1ea5e",
"sha256:2b8e54d6e61f3ecd3abe032065ce83ea63417a24f437e4a3d73d2f85ce7b7cfe",
"sha256:2d6fb2ad1c36f91c4646989811e84b1ea5e0c3cf9690b826b6e32b7965853a63",
"sha256:33ca7bdfedd83339ca55da3a5e1527ee5870d4b8369456b5777b197756f3ca22",
"sha256:37d94eadf764d16b9a04307f2ab1d7af6dc28774bbe0535c9323101e14877b4c",
"sha256:3897924d3f9a0361472d884051f9a2460358f9a45b1d85a39a158d2f8f1ad71c",
"sha256:3919a3bbecee589300ed25000b6944174e07cd20db70552159207b3f4bbb45b8",
"sha256:394d27e4453d3b4d82bb85665dc1fcf4b0badc30fc84282defed71643b50e1a1",
"sha256:3fbd4e9aebf110473a420dea85a238b254cf8a15acb04b22a5a6b5ce8925b760",
"sha256:3fd2164d73812026ce970d44c3ebd51e019d2a26a4425a5dcbdfa93a34abc383",
"sha256:40f65470919dc189c833e86b2c4bd21bd355f98436a2cef9e0a9a92aebc8e57e",
"sha256:4448dad428f28a6a767c3e3b80cde3446a22a0efbddaa2360f4bb4dc836d0688",
"sha256:44a91e0ab77bdc0004b43261a4b8cd6d6b451e8d443754cfda830002b5745b32",
"sha256:453783477aa4f2d9104c4b59b08c871431647cb7af51b549bbf2d9eb9c827756",
"sha256:4a097b7f7f7274164566ae90a221fd725363c0e9d243e2e9ed43d195ccc5495c",
"sha256:4aa195e5804d32c682e453b34474f411ca108e4291c6a0f824ebdc30a91c973c",
"sha256:4ae4b88c6617e1b9e5038ab3fccd7bac0842fdda2b703117b2aa99bc85379113",
"sha256:521807963971a23996ddaf764c682b3e46459b3c58ccd79fefbe16718db43154",
"sha256:534dc9df211387547267ccdb42253aa30527482acb38dd9b21c5c115d66a96d2",
"sha256:539eb77eb043afcc45314d1be09ea6d6cafb3addc73e0547c171c6d636957f60",
"sha256:55d827b2ae95425d3be9bc9a5838b6c29d664924f98146557f7715e331d06df8",
"sha256:56838e1cd9174dc23c5691ee29f1d1be9eab357f27efef6bded1328b23e1ced2",
"sha256:5a572911cd053137bbff8e3a52d31c5d2dba51d3a67ad902629c70185f3f2181",
"sha256:5c9546cfdd5d45e562cc0444b6dddc191e625c62e866bf567a2c69487c7ad28a",
"sha256:5cc58aac218826d054c7da7f95821eba94125d88be673ff44267bb89d12a5866",
"sha256:6410e66f02803600edb0b1889541f4b5cc298a5ccda0ad789cc50ef23b54813e",
"sha256:66786c3fb1d8de416a7fa8e1cb1ec6ba0a745b2b0eee42f9b7daa26f1a495545",
"sha256:6e97846e9800a5d0fe7be4d008f0c93d0feeb2700da7b1f7528dabafb31dfadb",
"sha256:7033c1010b1f57bb44d8067e8c25aa6fa2e944dbf46ccc8c92b25043839c3fd2",
"sha256:715b67eac317bf1c7657508170a3e011a1ea6ccb1c9d5f296e20ba14196be6b3",
"sha256:72fdfd5ff8992e4636621826371e3ac5f3e3b8323e9d0e48378e9c13c3dac9d0",
"sha256:76054d540061eda273274f3d13a21a4abdde90e13eaefdc205db37c05230efce",
"sha256:76fe96632d53f3bf0ea31ede2f53bbe3540cc2736d4aec3b3801b0458499ef3a",
"sha256:7971bdb7bf4ee0f7e6f67fa4c7fbc6019d9850cc977d126904392d363f6f8318",
"sha256:799156ef1f3529ed82c36eb012b5d7a4cf4b6ef556dd7cc192148991d07206ae",
"sha256:7cdc0490374e31cedefefaa1520d5fe38e82fde8748cbc926e7284574c714d6b",
"sha256:7d9128ec9d8cecda6f044001fde4fb71ea7c24325336612ef8179091eb9596b9",
"sha256:7f437026dbbc3f08c99cc41a5b2570c6e1a1ddbe48ab19a9b814254128d4ea7a",
"sha256:80fdf53d36e6c72819993e35d1ebeeb8e8fc688d0c6c2b391b55e335b3afba5a",
"sha256:8238d1d310283e87376c12f658b61e1ee23a14c0e54c7c0ce953efdbdc72deed",
"sha256:89ca2e673ddd5bde9b386da9a0aac0cab0e76f40c8f0aaf0d6311b6bbf2aa311",
"sha256:8ae33ad9ce580c7a47452c3b3f7d8a9095ef6208e0a0c7e4e2384f9fc5bf8212",
"sha256:8c5a8ecaa44ce2d8d9d20a68a2483a74c07f05d72e94a4dff88906c8807e77b0",
"sha256:8e5bb73ffc029820f4348e9b66b3027493ae00bca6629129cd433fd7a76308ee",
"sha256:90f30d15f45048448b8da21c41703b31c61119c06c216a1bf8c245812a0f0c17",
"sha256:923248a56dd8d158389a28934f6f69ebf89f218ef96a6b216a9be6861804d3f4",
"sha256:9459a33f077130dbb2c7c3cea72ee9932271fb3126404ba2a2661e4fe9eb7b79",
"sha256:97c817863ffc397f1e6a6e9d2d89fe5408c0a9922dac0329672fb0f35c867ea5",
"sha256:9b9c764a11fd637e0322a488560533112837f5334ffeb48b1be20f6d98a7b437",
"sha256:9ba8028597e824854f0f1733d8b964e914ae3003b22a10c2c664cb6927e0feb9",
"sha256:9efe71687d6427737a0a2de9ca1c0a216510e6cd08925c44162be23ed7bed2d5",
"sha256:9f84c549746a5be3bc7415830747a3a0312573afc9f95785eb35228bb17742ec",
"sha256:a0891cfd8db43e085c0ab93ab7e9b0c8fee84780d436d3b266b113e51e79f954",
"sha256:a110e14508fd26fd2e472bb541f37c209409876ba601cf57e739e87d8a53cf95",
"sha256:a5d9da3ff5af1ca1249b1adb8ef0573b94c76e6ae880ba1852f033bf429d4588",
"sha256:a738f2da2f565989401bd6fd0b15990a4d1523c6d7fe83f300b7e7d17212feca",
"sha256:acd82a9e39082dc5f4492d15a6b6c8599aa21db5c35aaf7d6889aea16502c07d",
"sha256:ad7bd570be92695d89285a4b373006930715b78d96449f686af422debb4d3949",
"sha256:b016eddf00dca7944721bf0cd85b6af7f6c4efaf83ee0b37c4133bd39757a8c7",
"sha256:b1581fcde18fcdf42ea2403a16a6b646f8eb1e58d7f90a0ce693da441f76942e",
"sha256:b58f5c77f1af888b5fd1876c9a0d9858f6f88a39c9dd7c073a88e57e577da66d",
"sha256:b5f6134faf54b3cb83375db0f113506f8b7770785be1f95a631e7e2892101977",
"sha256:b9cf2359a4fca87cfb6801fae83a76aedf66ee1254a7a151f1341632acf67f1b",
"sha256:ba5e1aeaf8dd6d8f6caba1f5539cddda87d511331714b7b5fc908b6cfc3636b7",
"sha256:bb78b3a0d31ac1bde132c67015a809948db751cb4e92cdb3f0b242e430b6ed0d",
"sha256:bdb67151ea81fcf02d8f494703fb728d4d34d24556cbff5f417d74f6f5792e7c",
"sha256:c07d107b7316088f1ac0177a7661ca0c6670d443f6fe72e836069025e6266761",
"sha256:c4695dd224212f6105db7ea62197144230b808d6b2bba52238906a2762f1d1e7",
"sha256:c5523b0009e7c3c1263471b69d8da1c7d41b3ecb4cb62ef72be206b92040a950",
"sha256:c661132ab2fb4eeede2ef69670fd60da5235209874d001a98f1542f31f2a8a94",
"sha256:d37812c3da8e06f2bb35b3cf10e4a7b68e776a706c13058997238762b4e07f4f",
"sha256:d456e64724a075441e4ed648d7f154dc62e9aabff29bcdf723d0c00e9e1d352f",
"sha256:d472cf73efe5726a067dce63eebe8215b14beabea7c12606fd9994267b3cfe2b",
"sha256:d583d4403bcbf10cffc3ab5cee23d7643fcc960dff85973fd3c2d6c86e8dbb0c",
"sha256:de73e40ebc04dd5d9556f50180395322193a78ec247e637e741c1b954810f295",
"sha256:def48ff59f181130f1a2cb7c517d16328efac3ec03951cca40c1dc2049747e83",
"sha256:e6596b93c010d386ae46c9fba9bfc9fc5965fa8228edeac51576299182c2e31c",
"sha256:e71136fd0612556b35c575dc2726ae04a1669e6a6c378f2240312cf5d1a2ab10",
"sha256:e7fa2ccc312bbd91e43aa5e0869e46bc03278a3dddb8d58833150a18b0f0283a",
"sha256:ea7173df5d86f625f8dde6d5929629ad811ed8decda3b60ae603903839ac9ac0",
"sha256:f3b1b87a237cb2dba4db18bcfaaa44ba4cd5936b91121b62292ff21df577fc43",
"sha256:f475f103488312e9bd4000bc890a95955a07b2d0b6e8884aef4be56132adbbf1",
"sha256:f49196aec7c4b406495f60e6f947ad71f317a765f956d74bbd83996b9edc0352",
"sha256:f49d41559cebd608042fdcf54ba597a4a7555b49ad5c1c0c03e0af82692661cd",
"sha256:f7728653900035fb7b8d06e1e5900545d8088efc9d5d4545782da7df03ec803f",
"sha256:f9f436aee28d13b9ad2c764fc273e0457e37c2e61529a07b928346b219fcde3b",
"sha256:fc31a07ed352e5462d3ee1b22e89285f4ce97d5266f6d1169da1142e78045626",
"sha256:fc935f6b20b0c9f919a8ff024739174522abd331978f750a74bb68abd117bd19",
"sha256:fcae1770b401167f8b9e1e3f566562e6966ffa9ce63639916248a9e25fa8a244",
"sha256:fd7951c964069039acc9d67a8ff1f0a7f34845ae180ca542b17dc1456b1f1808",
"sha256:fe55fe686908f50154d1dc599232016e50c243b438c3b7432f24e2895b0e5359"
],
"markers": "python_version >= '3.10'",
"version": "==0.29.0"
},
"ruamel-yaml": {
"hashes": [
"sha256:048f26d64245bae57a4f9ef6feb5b552a386830ef7a826f235ffb804c59efbba",
"sha256:a6e587512f3c998b2225d68aa1f35111c29fad14aed561a26e73fab729ec5e5a"
],
"markers": "python_version >= '3.8'",
"version": "==0.18.16"
},
"ruamel-yaml-clib": {
"hashes": [
"sha256:014181cdec565c8745b7cbc4de3bf2cc8ced05183d986e6d1200168e5bb59490",
"sha256:04d21dc9c57d9608225da28285900762befbb0165ae48482c15d8d4989d4af14",
"sha256:05c70f7f86be6f7bee53794d80050a28ae7e13e4a0087c1839dcdefd68eb36b6",
"sha256:0ba6604bbc3dfcef844631932d06a1a4dcac3fee904efccf582261948431628a",
"sha256:11e5499db1ccbc7f4b41f0565e4f799d863ea720e01d3e99fa0b7b5fcd7802c9",
"sha256:1b45498cc81a4724a2d42273d6cfc243c0547ad7c6b87b4f774cb7bcc131c98d",
"sha256:1bb7b728fd9f405aa00b4a0b17ba3f3b810d0ccc5f77f7373162e9b5f0ff75d5",
"sha256:1f66f600833af58bea694d5892453f2270695b92200280ee8c625ec5a477eed3",
"sha256:27dc656e84396e6d687f97c6e65fb284d100483628f02d95464fd731743a4afe",
"sha256:2812ff359ec1f30129b62372e5f22a52936fac13d5d21e70373dbca5d64bb97c",
"sha256:2b216904750889133d9222b7b873c199d48ecbb12912aca78970f84a5aa1a4bc",
"sha256:331fb180858dd8534f0e61aa243b944f25e73a4dae9962bd44c46d1761126bbf",
"sha256:3cb75a3c14f1d6c3c2a94631e362802f70e83e20d1f2b2ef3026c05b415c4900",
"sha256:3eb199178b08956e5be6288ee0b05b2fb0b5c1f309725ad25d9c6ea7e27f962a",
"sha256:424ead8cef3939d690c4b5c85ef5b52155a231ff8b252961b6516ed7cf05f6aa",
"sha256:45702dfbea1420ba3450bb3dd9a80b33f0badd57539c6aac09f42584303e0db6",
"sha256:468858e5cbde0198337e6a2a78eda8c3fb148bdf4c6498eaf4bc9ba3f8e780bd",
"sha256:46895c17ead5e22bea5e576f1db7e41cb273e8d062c04a6a49013d9f60996c25",
"sha256:46e4cc8c43ef6a94885f72512094e482114a8a706d3c555a34ed4b0d20200600",
"sha256:480894aee0b29752560a9de46c0e5f84a82602f2bc5c6cde8db9a345319acfdf",
"sha256:4b293a37dc97e2b1e8a1aec62792d1e52027087c8eea4fc7b5abd2bdafdd6642",
"sha256:4be366220090d7c3424ac2b71c90d1044ea34fca8c0b88f250064fd06087e614",
"sha256:4d1032919280ebc04a80e4fb1e93f7a738129857eaec9448310e638c8bccefcf",
"sha256:4d3b58ab2454b4747442ac76fab66739c72b1e2bb9bd173d7694b9f9dbc9c000",
"sha256:4dcec721fddbb62e60c2801ba08c87010bd6b700054a09998c4d09c08147b8fb",
"sha256:512571ad41bba04eac7268fe33f7f4742210ca26a81fe0c75357fa682636c690",
"sha256:542d77b72786a35563f97069b9379ce762944e67055bea293480f7734b2c7e5e",
"sha256:56ea19c157ed8c74b6be51b5fa1c3aff6e289a041575f0556f66e5fb848bb137",
"sha256:5d3c9210219cbc0f22706f19b154c9a798ff65a6beeafbf77fc9c057ec806f7d",
"sha256:5fea0932358e18293407feb921d4f4457db837b67ec1837f87074667449f9401",
"sha256:617d35dc765715fa86f8c3ccdae1e4229055832c452d4ec20856136acc75053f",
"sha256:64da03cbe93c1e91af133f5bec37fd24d0d4ba2418eaf970d7166b0a26a148a2",
"sha256:65f48245279f9bb301d1276f9679b82e4c080a1ae25e679f682ac62446fac471",
"sha256:6f1d38cbe622039d111b69e9ca945e7e3efebb30ba998867908773183357f3ed",
"sha256:713cd68af9dfbe0bb588e144a61aad8dcc00ef92a82d2e87183ca662d242f524",
"sha256:71845d377c7a47afc6592aacfea738cc8a7e876d586dfba814501d8c53c1ba60",
"sha256:753faf20b3a5906faf1fc50e4ddb8c074cb9b251e00b14c18b28492f933ac8ef",
"sha256:7e74ea87307303ba91073b63e67f2c667e93f05a8c63079ee5b7a5c8d0d7b043",
"sha256:88eea8baf72f0ccf232c22124d122a7f26e8a24110a0273d9bcddcb0f7e1fa03",
"sha256:923816815974425fbb1f1bf57e85eca6e14d8adc313c66db21c094927ad01815",
"sha256:9b6f7d74d094d1f3a4e157278da97752f16ee230080ae331fcc219056ca54f77",
"sha256:a8220fd4c6f98485e97aea65e1df76d4fed1678ede1fe1d0eed2957230d287c4",
"sha256:ab0df0648d86a7ecbd9c632e8f8d6b21bb21b5fc9d9e095c796cacf32a728d2d",
"sha256:ac9b8d5fa4bb7fd2917ab5027f60d4234345fd366fe39aa711d5dca090aa1467",
"sha256:badd1d7283f3e5894779a6ea8944cc765138b96804496c91812b2829f70e18a7",
"sha256:bdc06ad71173b915167702f55d0f3f027fc61abd975bd308a0968c02db4a4c3e",
"sha256:bf0846d629e160223805db9fe8cc7aec16aaa11a07310c50c8c7164efa440aec",
"sha256:bfd309b316228acecfa30670c3887dcedf9b7a44ea39e2101e75d2654522acd4",
"sha256:c583229f336682b7212a43d2fa32c30e643d3076178fb9f7a6a14dde85a2d8bd",
"sha256:cb15a2e2a90c8475df45c0949793af1ff413acfb0a716b8b94e488ea95ce7cff",
"sha256:d290eda8f6ada19e1771b54e5706b8f9807e6bb08e873900d5ba114ced13e02c",
"sha256:da3d6adadcf55a93c214d23941aef4abfd45652110aed6580e814152f385b862",
"sha256:dcc7f3162d3711fd5d52e2267e44636e3e566d1e5675a5f0b30e98f2c4af7974",
"sha256:def5663361f6771b18646620fca12968aae730132e104688766cf8a3b1d65922",
"sha256:e5e9f630c73a490b758bf14d859a39f375e6999aea5ddd2e2e9da89b9953486a",
"sha256:e9fde97ecb7bb9c41261c2ce0da10323e9227555c674989f8d9eb7572fc2098d",
"sha256:ef71831bd61fbdb7aa0399d5c4da06bea37107ab5c79ff884cc07f2450910262",
"sha256:f4421ab780c37210a07d138e56dd4b51f8642187cdfb433eb687fe8c11de0144",
"sha256:f6d3655e95a80325b84c4e14c080b2470fe4f33b6846f288379ce36154993fb1",
"sha256:fd4c928ddf6bce586285daa6d90680b9c291cfd045fc40aad34e445d57b1bf51",
"sha256:fe239bdfdae2302e93bd6e8264bd9b71290218fff7084a9db250b55caaccf43f"
],
"markers": "python_version >= '3.9'",
"version": "==0.2.15"
},
"subprocess-tee": {
"hashes": [
"sha256:21942e976715af4a19a526918adb03a8a27a8edab959f2d075b777e3d78f532d",
"sha256:91b2b4da3aae9a7088d84acaf2ea0abee3f4fd9c0d2eae69a9b9122a71476590"
],
"markers": "python_version >= '3.8'",
"version": "==0.4.2"
},
"wcmatch": {
"hashes": [
"sha256:5848ace7dbb0476e5e55ab63c6bbd529745089343427caa5537f230cc01beb8a",
"sha256:f11f94208c8c8484a16f4f48638a85d771d9513f4ab3f37595978801cb9465af"
],
"markers": "python_version >= '3.9'",
"version": "==10.1"
},
"yamllint": {
"hashes": [
"sha256:364f0d79e81409f591e323725e6a9f4504c8699ddf2d7263d8d2b539cd66a583",
"sha256:81f7c0c5559becc8049470d86046b36e96113637bcbe4753ecef06977c00245d"
],
"markers": "python_version >= '3.9'",
"version": "==1.37.1"
},
"zipp": {
"hashes": [
"sha256:071652d6115ed432f5ce1d34c336c0adfd6a884660d1e9712a256d3d3bd4b14e",
"sha256:a07157588a12518c9d4034df3fbbee09c814741a33ff63c05fa29d26a2404166"
],
"markers": "python_version >= '3.9'",
"version": "==3.23.0"
}
},
"develop": {}

2
README.md
View File

@@ -4,7 +4,7 @@ Ansible playbook for base and initial configuration of the web server hosting my
## Assumptions
Before you can run this, a few things are assumed:
- You have a clean, minimal Ubuntu 18.04, Debian 10, or Ubuntu 20.04 host up and running
- You have a clean, minimal Debian 12 host up and running
- Python 3 is installed on the remote server (requirement of Ansible)
- You have a user account with password-less SSH access to the machine
- You have sudo privileges on the remote host

12
ansible.cfg
View File

@@ -2,16 +2,16 @@
retry_files_enabled=False
force_handlers=True
inventory=hosts
gathering = smart
# instead of using --ask-vault-pass
ask_vault_pass=True
remote_user = provisioning
interpreter_python=auto
ansible_managed = This file is managed by Ansible.%n
template: {file}
date: %Y-%m-%d %H:%M:%S
user: {uid}
host: {host}
# Don't warn on unknown SSH host keys because it's super annoying for new hosts
# or if you get a new laptop and run Ansible there!
#
# See: https://docs.ansible.com/ansible/latest/user_guide/connection_details.html#managing-host-key-checking
host_key_checking = False
[privilege_escalation]
# instead of using -K

8
group_vars/all
View File

@@ -3,4 +3,12 @@
tls_cipher_suite: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
ansible_managed: |-
This file is managed by Ansible.
{{ 'template: ' + template_path }}
{{ 'date: ' + (template_mtime | string) }}
{{ 'user: ' + template_uid }}
{{ 'host: ' + template_host }}
# vim: set ts=2 sw=2:

6
group_vars/web
View File

@@ -1,8 +1,14 @@
---
# file: group_vars/web
# run nginx by default
webserver: nginx
# all hosts run fail2ban with the sshd filter, but some can use other filters
extra_fail2ban_filters:
- nginx
# root prefix for all web servers
web_root_prefix: /var/www
# vim: set ts=2 sw=2:

78
host_vars/nomad01
View File

@@ -1,78 +0,0 @@
$ANSIBLE_VAULT;1.1;AES256
36393230656338633537393732613337376563663966343439326163396461366565363638366338
6437633162643934323336333664346662656563313664310a656262643830313264326333636636
63353463373835383435643433313739323134633661333866326536303864653665303834333538
6432663234643663340a663263303134663037616263333932656430313230646438653235613637
65303837373063663835356535356663633265316233393139363239333630663531303061623437
62363430666566623561323635636163376439313130356335666237623564353436613561396136
32393664306661316335323161353937306532353330616561643232633166626435363939633732
66376564353432346162333535643662356162316666373261663134383134636466303532393636
36633466353936656361656630383363376630623461306166663433656437616630333436363066
62396262313634623033363661323538383163643765363838393630343438373830623739323664
35363064376232303665656534626635383330363566303238356635383030613966663166636635
32313734376138323666323733633838353066316565396638313239326431616564613664383761
65636362663961613562376562613461643938353365383231643038306537646637356637366337
35343563616138376235663135333030323136323333633534373231633434646161383161343065
66343231386162303263363564363132316666636366396462666135643831666164366136363061
39633035363461646465376139633663396162366430373266396661626137343230316131643831
35316538623263623738356232636231626538636462393633666261316165353665343538316633
66653966313739336138346133306537386431376165623934643331336536356533646439646439
32653830316238623036383164303633323765313166396430613266396665373937366163636362
37393236643764313364326465626135623232393661613537366331373833373364616634363361
38353530386264346662393338353664346662306163363237626135333565363537616139386565
32343839393235316330623962386164313565363935626133386434323862646337613030663835
39343963643938356561633835326364666264356538383437613732646232623964626562326565
30643232633363656466666337646664393736376436303365313461646564366636396430363932
35366239353637356564306136323532626463346665376535396635326362626633643365633937
35643062336463666334366263613262396134393133356337356433396162393465336365666437
31386361396265633864656237633931363335323732653433376336343362666331646165646630
31653039643264663836336664383131656262373138336235346639393236666534653130643633
64663239346532356231343763336533613239313033333563343766393733346566656130333163
63316233373432386462323033363730393034653837346234346261336631643464333330376334
30386637313562303366653136313432303363653033663237303034366462343232343936383031
30613962623132306363366633306432623461623531393533303735373961363361363235663764
64386331333065323432393032663331626631316461666361353562306435326430666636636531
31393137626631366165626166363339343839633765356234633361376231353936353736366436
34613632663266333763306238616439373437316561373630393337613637623138656162643164
35643762623936316630376633393538393063346439386261336336366365653334353563666534
63353262383639643432363931623463303333666265333630663264613133316631613732313766
36383134666264633662653431623535653065346532393233393232666138366565663031626330
62386566363632316432363765633637383439616661363562323735613365326461373533383838
61363137633236323761613665393338653633616339653537393636623635646165373830303864
36326430376264623663613332643539396135643164646535366465663565613962326438616236
37666662363531643866356130663436646666343238373931353833343133633666373935646634
35356534396535393866356332666139316631663832376334323565663966393766313231613561
33303136363231333334343033356433376138633366656531376635323564343563663630393835
39356539623737363430306664306338336163383638386639333333643438373435343435386135
35643066393933373264623231316665306132653736366266646362656164623038653566306335
35396565343130393234306235393861306430393635643766313861323437646263326131316165
30376366383937396333666337633461633432336630633534643464393134663937383461346165
32323436326462316564636236386564623065393562636364303631633632356435616537663731
36383537633437326136346466303438376130383361633931653139336165666530653438666131
35346630613266333232363665353862666262646334613731336135643261636638366133323563
64643462313334373234373830623262666135393636633263353737393862303736346637376535
61656366373033343735333265613738623432663131666434643433663734646664313166343533
39636362396265633063346637643833623266383464316439346162303231346537653361333433
64623730353233633066663462373939666230353961346261633166323735666131303965386234
35643266653365633631363737643434633637623231646364636265616535633462613839353163
63353033366162666630636634366133643761633935396463366461633563306332303162663564
66383965633438633837373966353966633630336335626432323431313265663261376462343139
30653433373762363739333865646338636462306134663838396364666332386630613133623530
31646231616436313836363066633235616463353433393132343265616363373762323831363365
35633964643533346463336563396531663465386563323731303264323831616232623934636532
37316234313466363266353339343538313835396135653166613737663234643966656265636135
63383534616635653536303932656466346635303837343339646130393031313333373565336538
65326665303538306233643033616662323333613539313063363336643065666262303036393634
64306164343734656134336238356330306564393130376536343433396263633762363236666162
34393637336162353837393138386431343163336164353263303132663963343164616636363233
38653039613031366364633861313061373566396337396132636330626164623033323639383639
65343633653366343935366633313336363761613835383533363565303433356261366361336263
38643933383832653530353366616438386465653131333732373033346234353063656332386130
66653331323563646139326334643431396637636338383430343439353864343236323164613438
65343764336432363030663036383538316266323665363138356164643232643765333163333738
32613439336634323162323062303135393332643232633434646437393438383233383937363463
63656363393063336566633338343261636337626132663531373862663731333832323866393730
35393734336530373861303362393334333865663036396562653633306133313236323135396236
36386664666434323963303134663032346461623838353333326332333635653562356361316366
33383961613231363637643338383262663531383134303936303562623366653938656438633536
61346631383333323064323233333761616636653733616333313662643531313130

119
host_vars/nomad02
View File

@@ -1,119 +0,0 @@
$ANSIBLE_VAULT;1.1;AES256
32386436386163336365343261326164373935363466653365333631356465326434383765393538
3461323332643762393861303833303139643363303134610a366137306430663033396432303037
36373664386632623937326332353638383830386361656335633333383938383061313839356535
3861353330663634370a353039366130316231353165636664363136383335313732663437653330
35626362336663633134373531383235323466656633323334653336383366356634336332623132
64656130373032613864656531313865643962356332623764376163643666616463653564333733
32643337366562343833633966336563346665343764633437363531333439353239323161396666
63636133326331656463333162323039643433663263306262663530653362656266643162313437
37333561653132333562613231386337303030303731303038346534306435313461393333306561
31366637356162633530373136646435313833643363336335663465333361353138366663343039
34626561666232396638386164316665643464306132353663313036613935303035336534656639
34616437343237303035343062346332353231393738366161633461636632376236356165616165
30613438633964333064383762633865373965396364343961333338633965623738373037303331
61343030663361666262366339323335373538393930623834333866616431376435353236393830
66643137646361323063316665656531383135663862343339346335373734373532353563373337
66653561626361633031623836383037333962383834333338616561393334393066336664633339
63613033303431393566343163343364336637653664396164613765313465633632353664636463
39633634616432336436626135613662336437303939343165643562333761643637643137623161
33316262646266613033383638316238666538383233316433356332633537366564343063643630
39663634383639393765393935353431323735343139333361326361373362386561333534303665
61616366323161303865666365656365623162323637366134383937663263386162613265363634
32363662353466373865306266356139323962343963363366653431313566313263383464666233
31663063343830623034393761653763336230396363343237616331666638323336383461623035
66373339656661626665313661386164313864643035353561623265636135343336386138393036
34346362316636666232386337356337336134633532643537323165613333363337353138643761
39653162613833353236323363396532373063646162363334646136313631333336666131623563
63366337663933623534396562363333396136363831376332663265653232343034393036646130
62616664376563316239313931623863646663336266316630613966386661303836663539626135
65613661363834353561396332653965313834386231393761633139613830643734616465323239
62323562623233386135356333663364633934383833653335643261366263653232663339653536
36366632646437343661356137383066353863313537623737383865303937363330343837313963
33636266396232646363303166333066343862396131343530363234646261646466386332343539
30646532303666383730646439656334663533313039323130333733336331616263653037623735
36626565613331323766363032353036393562383732643734373333623036383661363565376162
37633438323763663261313761656662616263613739346639643666383734353534633536643934
35643038353738643437323530376130333662663433646537656261393166386663633535363331
39616534353565366639646161383434623463383332386335396231326332613933663965343431
64643731356464653365303537306536363739653431386438343339616431363863666130646163
62646530333461323330613734633966393437313862313965623161393430326335396239373464
63393338363362343031616137386638633636653461326464333264313764356235636536303830
33653832363535663638626132663761393533663361626261386561656661316131626637323037
33643239656330326631646531353664333564633761353539313838666462356566626234336630
66666233666134353563396530396430616335376436656162323031333037666433346561343566
64363061363738623032383738653430386439653361303633633161636238313565633964646664
38316632646431356261636263626461666338653232316235356237353361633661333134616336
30643162373738316266373531613136653735336535656530616465356533306230636662383966
35633337376532646439313563656465646434626632643332353233353361646234396263383136
64326539373234643435376161646437633333643536623634313964636434323334646339366133
62383430343864356564376632616336636163303535656365356133613766353066646463643032
34303934376462646537616661396265613566626561623435353532353032333431393238346361
66663766346132643363663331633934363835353934333531643238633662393339623663613464
62386462306236393838363363613563613463396665666463626163356337646334626365313831
35343533356633373230393334373362373937323231383139353364646337313266633861333261
33636366376661363263303336656163313634363330343965346230343434623234616432613938
37626431333030313532663631346164666338333566356333376364336664343438646665613638
61306461616166366530333664346434376263343833613263633032653832633966346436366634
64323131373364643963646661333063666635393864303935326562306231633262666330383032
36633539383238393830336462623435353632383863663837353466356131646161303164616538
34666362643531663763633433666535623832333562366535623230653639326135666233373863
39336561323439306533656233356638643531663663616166623631636161383664616235303839
33363132373563326536313537313832623038373164613166653466383034666131346332396331
64653565336139383163306333313233376538343137326365346339383339316532356132633861
32353534393563363631306463383139616537626261313633643236623033393034333734306536
30643261363731373831616531636165646230613333306536313331626639626437343037376436
37356239623531323430663166336163646139643264666538616437633736633831363032656134
61336434326165383966613439373338643635336564366338653965326561346130656563353937
63373864663237663730373065383237643830323834636636646164633365653031396332646133
61333263636337623962346638646533326230343633383065663266333137313332346139663035
32393334643337646131656634643836333862323136636562326131326633363834326462333637
62376131626636646631356466616666346431656463336239376136386632666530393961666633
64646264303237383661663233393062313030636566646164653633653462363835663635653834
31643037333362326437643130633166376436316335396164313966316261306532323731643462
63363331383761326161656533613137366433343763616561613664303139386430396331633539
35336630663634363264386632303330393033623831323030343139326234316639656462383062
34353936363063393364623161346332656137346563326438343136656633663234366433326436
33636432366361303536386435653938666263373662666532653137306631636363353162336161
63636362313834313364646265333134386164333534353365313633376561303131313863633063
31316635633432383966373530323964363264626661383563336161613135336635336335393036
31353831393531636364653334303836313333323536313364303563343464623836346637343064
32383038326261376562373631323632366138326364376431366330356561303239636439303736
35353763336330653766653864656661366532613939393537643236623735313263616132346636
66613961356662343338653164613962616232376262316364333764323764313536363430323338
62323535323539653564343066346366323435633062346338363066613638353236353939616663
37333461363562363936383165373934366566666334653230656662336663336435343932303264
66373131633161303061646639393631613666323037363131646332623136313061386266343930
31356633353437316361633133346136306137393434366434323237383230326631356636383038
66316663316164306434643634353431613532646563346231393835316362303134653430646365
66633737363038303564653232656265363939653238346561656630393439646134653066376338
61336236656664303232393837336538643762373566306636373939313632313036353538353566
35646139386662333736373530366236373532323733643132663437646135323932623866393030
64396337386161333136353363383761353062653662353064336535353731643336346237356333
66333461666664376431643234383561333564356464666436346436643830313465383264646331
34336130396235633966636134383862353562383235636133333365383030383766393065363135
35626365356666343862383264376163386362393538333335643563373564333433343238643462
64636431613837353731326635666134323831373766376464333739356462373664303232666336
37626131353263656666393662366336346130613161393636363264396532353435363937366561
62623061333334376338383861346335373530643366386361383233663165613865643037383339
33363865393338356361646630663566626665346237323035623234366336623964316233313663
63616530353232363765353234373534643463326262383939353439656537303232336361613230
36346464313565636563396435623031373534363065393462336665653766333963653437393333
30343634333632323166373130333832333135363133363437633964323835323164663331333535
66313635366633356231663865616538376338396331386133363634353166373732386533313837
63333039353266656533623231396136613466366661613164363732353436636563656265633331
38393437636261336534366630633933313565333161336139383061306637653361623439643365
61306462653632613038393664373033313735653836653138336330386666363235646233343166
33353164623931626534383939313939316164393434356133396561623939636332626339643737
30343335613338623961623732616162616131366635623631303666343630346134343966373861
39623461633231636265313032643361656633623237646234653161623966386134623362613430
64313132383262623635316539363461663866393638383765643034326262306631623163313234
61663563656362636563613533363936363733353664356331363239383532353035333664376530
32313035326133636633663933633630656261646532336239396434306465633539656237373734
34313764333030653766356238393965656663636632646165656135396631376666323236626530
30623935383033616331363332653434383030363638656133386165393035646235326137376632
64383462353031376233326265393065353361636338393065393731373462653330323065383839
34386433623736343064346533653630396661353133303962353034343135643433386361353538
62613434353039356563303239363864343737303863316230373337666331383665633133623266
30623635663833326536613135326465356538643133396464656165653834326137616238303863
6361323834633066353437393931303263626630396464343464

90
host_vars/web19
View File

@@ -1,90 +0,0 @@
$ANSIBLE_VAULT;1.1;AES256
61376263333338353039663339313165656563333836356665633836343361643566386564306333
3131323565373434326637643962353432626539383962330a656436656362363364356530363062
66303061343431353363653264366330336261356562383934306235623837313832303736313538
3533656561376239300a343236383439653063303863366539363430363236373131373737333639
38653733636663303834306464356235643532333733386563313536643161316134666633383136
66353564383264343864383233366562376532383131656339626164333533323637636132323864
34646363383333363836343665636138393963656533633765346134643962636138393661363862
32643834363935326566363738633136303239656337313438323661366135303338656438316463
35383537393639613537316664626663353430616661353965646632636639373830623836646137
66383939396635353730633434623438373739366436303437616262323863323333626465356335
37656363323434386432356632373462623432313632313039626634333764363533386630336363
37656134646362333638323761336331316536616638396530623032336162653163343161623430
62363263343836626536653661636163346166633266356562316436373831326633613131396536
32623236656132323736663631336339343366326338346366306132393461326666623332616239
35313333356437366334623139336235333463373261323930313461666138653664303938653666
65643266313261633938633330396638303664393631616366636239363462303034373662616565
35623139383266326539643834633738346234313364306564313234386330646265653361303438
62646134373963333430613661326130363530366265613635316365626636353366396338646439
31383637333739343965346263623136376533613935653563666466363237373762626565393232
32643862346663623032363137386338336137306433653539353732306637623230653433313663
38333161323465616338656638313463613138393933663563313262633639306239616535333535
32643937353139666332633530383439393064323739663132653661613364623237393761326431
31666339303733333662643763633333373730323735366137636533313632633333643162373035
32373436656334336534613637343238323137373834663439306337303033376465346639306138
36623234366230653037326634373735333766363536363538383038633534353664356437346563
65623534613731643761353665616530663331316661353030343531626135616137303266346261
31653734353166623762363137373763396635356365373361353466633538663636653664386439
66313632313034333365373438626331333739623036613238326362636263303839323436393735
66336665646330333961626364643838343763333661313665353332313461383464653935366163
63373065643837633335633437313664616137363266626336653766663833393263316531313237
32323639346537306437623936363431333161316561346265383138653135326432326266323063
64346138663031623263396563356234643166353837336165326434623339346139633137376636
35333339653562663435633433306331386565303166613762376362396238663332653536343464
65363863343037303462396636303730346639623131663439643131643634653634376334656664
65646166336138373266343037353532306233363538303431626165663665336435396530653135
66343365613165303937626564353136316631336338613034393533373861643662303238666565
61313137326466613834616234376135383464316137343331663530663635366130313635396362
30616364376432643539663266383761343735373664643833383539356531386562663030376639
64616664653365656464386263616563323063666366313037383633633061616263343661363662
33643635383031323266313562383061616539653730613930393336353539336236623532373362
38663338363235383434326639653936303231396534653836306132303862613736313135303161
61663332666433386635326165393338306536393030353265346135613836323036613861383137
32306137323562326532373933353835323665363366613634653039626461363633386362376231
32646662313930346466343862336266336266656132653934336435626237363364626465653262
66306638333262353238643664346163386231633732653366383537366532626164643638613638
35376337323539313563346363653933323031303861303065386531316233613163373130316530
64616362353563646665623734383134343061393737326163663438666431393836386436333961
36386530386530663334333738663130656239666339303533646232383362353438323635363436
33323337626565396638653466663338613436623862393230616132323932643033643936356261
34353734396534663039613934623865633931666466343464636139353463613036626439623963
36656637623464623239623133633836663933363837666539666466333139643765393335346465
66353536346165353966633162626333306636646138623164376139376165306263613766316137
37396631323964323162613134316438383531613534383066383134313233663439316136663338
64333733616162336231613163373734626537363130646266613637336463643333643561373762
39653234373035396563336438383064636539643764656231393862653366623861363063666565
62363336303164656239663632633838346264306331383432643031326132323834363930323538
63313366316562653638666261653739636262363737613537333931313764343033653466303162
32613734313835323432366362326562393431353866383966626631363761616564356634633637
64393166306465663966363531333630373964306335616132353461356566353334663038323965
39316335333637633864636437383962346536633034383561366431646431326231323835303765
62353933623161323330656439336166316661643735616365616361383561616264663035396638
39363732326661636465663666343730323934313961653937393338353966366637663038393563
36343865316265663137643033643934666333303962653966313064663730313066343666666238
32613463376536636663366630303661376336313238653133326530646531333462313336313233
66613935343964663537623631636265663130313965623334326532643233656465656161333738
64613261646463346330343061316563643537323535323561396336663232656332653033343334
36646134373865623436376566326563316430653639646661643865303031363939363031313934
33363137346536316532353030326239393433343032393737396432623062306138393235306364
33636262326533626339623465626135363030323262373432626236313866353939613632646436
38343430613662616337313137343862313633363137663565376164346365383565383139346233
39613932396439663837666263383932303536343465633837356130383339346163646339633137
31393338323539353434616234383165303033623934636230653534303338366666383235653461
61343765316639306264663633613839616234323261313833353231396637336465613966306139
64646366303737643130633033393235316630346266313162396630326466323666313065626163
37333937313637353835336465316231323862633436376236626139626130313930326131663262
62363461656535353037336435393337646366363431323963303435333163626335636431333434
63336230353663613437396231336563396133363766336466633732336330353865626538643765
36366462393766386239326361303836613965313061393134323139393764393537626437376364
39353235303935323930616330646432613230313538306130313239663265616239336463623961
61363464653435313462323762623630326136653735363830366632613465366534656363373737
34323462343761343539323563626433336135383266643764663039363665653934393264623734
33396263616135316631666237626162613731376536643961346362393866353039383734336339
66623735333732313134323430613236353464663335363437316164366634663061613139336466
39353435383436386364306336306536376562323432343764623762376331343435336262626363
33303564366238643231363039343163356361363362613638393966666563643264313661323736
36373161643530386634366562363961653163383737373637316336336162313466396532666239
63303536316337366132346566326265633936663432333637633065366537373039303735353038
35643963376537623930636239383936646233373635393930636332376566623830616631616562
38373434323465613131633438313630303438653365653261333561376537626332

38
host_vars/web20
View File

@@ -1,38 +0,0 @@
$ANSIBLE_VAULT;1.1;AES256
34326537633464633537356334326565663133373634616635346466646239653334373235316234
3766373939636238643137646430376534306331636333620a343535343563663237633034653936
36393639633362643835653863633937663734333965363932623438306436613139346538313762
3165303261303563380a393435316132373564663063663566623833336638393237326335333136
34323738383266626566326439363064366563353035643833633835626533306539383532326239
31303933386265643264376336393633613432343263346330353736323066626538363162643461
66366335656164313865373065636433333030656534356461663730613363613531653934636663
39636234623765386132663561613335373264326566663230653437376136303138393638363564
66386661653736373033616365336637343835316632336631306637643166366534303762626536
31376233626662646635376465626136653962616265346365643531363632643930653032306131
33653133363931666135663237323133653461323038653535633138653837363030363464323464
37663661643139343638393137636532303866623132303632353863353736323536313832373931
37366334636139396264656538336465666463393764326639366465613662343965393339623165
62303732316632343062313432316265356564376336633935373131333161396332346431633633
31313238376435326662613461373931356633336538613939356166363631646538373862636139
31376533323966663838366332613331313365643539643861626263303436316231623833626537
34333733393935326534343038633463363964393263396531383635633437376633616461656361
32613634643931666461363332353762623064306632303564633633373565373930326134313765
31613130326335323363306335303662376262383738383531303937346366333137373961393066
39663936636265386236646536666466653938663135386463346231626566303035616330643063
30363362643637303634636165313539383039653164653166656335333763666435323762613838
39306463643937306435376336616466376337633132326365313939363463613739663638663962
65303533663533303862383631363432636464653437376335376131333739663164336161356630
66323535306232333330383832356437653539393363336630303639626365613463363364353464
65356162346430636166343636663735393838636332396261343065363862346638323132323363
65343439383937633138303039376336333130313763326331373262343461626434633866383135
62306163613639646137386630643631383462653738313535333863663431303437383236643435
63643463323537633764653464366235633466663839333265663734663038366666336635363064
30343639353665336237363530313531363866376237656333313236643035383031646134653765
37616636613364613163343735633366303832633964633564356362643337613532396262393631
32373464343338636231323435393163346339646263333234636432313434333334636565333737
64363536666662656262393931646632303532373664616434316465393836336565343362616138
63666263653231353732336365383465623236656239653136323765653132376237306163653062
30316134623161323935383536353939393565313138333664646539663337383236336631303265
65363164626130633131636535623965383031353735373734656166633230303965303236626134
64633536366238336630366138323462653263653238343839393365383162366333333664646261
3638

27
host_vars/web21 Normal file
View File

@@ -0,0 +1,27 @@
$ANSIBLE_VAULT;1.1;AES256
38663333313561616264323430323162323837623430363739623561633331656664613936666665
6364373033623163393239663035306337383066343438310a383666313434323036643037363065
30396333626130303633663930663965666662646233393439376661346265616565616236623366
3930373433646231610a336233663132306263656465633034333030316362643939316465666534
38353961393038613961353732613434663565633466303265383231343336386330333464376363
33616330643364376332623634363766656366666239633964316439376463313063333162343963
61356634393438313063666434626338616264613639656462626639616263366531663135393466
66346635616439306364356133303664376134626636616131373138656562363363306633333164
62623135343633393834393165383231316562643062343165663235313930663039623135373263
61343336643235303962333938613230356465346436376334373438386461366231383737643137
36343832353730366131653430633465383163396336353065306638373166386438356264616139
65346635663338366463343932336231386235393836616238373864626235623935663661396663
31633565356465333737303339333435383162316530396563333335613062623138333232336162
62376363666431363931663231643561616562383230643737393261623934363633313231333137
39383238656237343661626662366465356463396336386261326334613436396364633062646532
61313136366636363861316166396134316562666435653437326331363563653035343138636163
66336139636533656334643966383962383734623565323435333665666164353732663736326364
35616264383237316330386539363065376334643432393636643464646238633034333166663665
33313166393738626133636136346637646437306335326263393634363133663736666338313838
64623139613037653461643563666539613237323934376534376461313833336338623032616661
64643062663633366436383232366137373936383430306332616634636331326361383931363961
62313236313563326438303935373837666434313435653236643135303739373763656562393537
31653265653739346433663937343439656231663963333633373066356231623762313438393763
36306336656566633034373834316363333233326130626639313130643935333437653934313636
32383034346234333561333466653561323834346166633831303566376266373933356536383031
6236303934323963336662386666653138313165366133303434

141
host_vars/web22 Normal file
View File

@@ -0,0 +1,141 @@
$ANSIBLE_VAULT;1.1;AES256
65636230346264393938656566653961393466306338353435333061356463363836616435333731
3537316534663335343333643435383663303438333433650a666133633965643939306661383536
33626364316338306530393036653134373339653264616537623731323063646531383137333131
6263363037613631360a343831393830646536326538363764643136613732636165316466316566
65346162383337626631663533626230643061633139663661656365333738353530316661313864
32373831396437386434313430666434363534656130613632643264393538663131336635653537
61613065336133343130353862646130386136333231393962353064666335363330623064626631
34333137363566313764343335646531326337616563366636316232633936333264373731653332
66366361643261626563633838663061303762386234336133366233356564343562323965663731
38326631333166643534313836323337663131313766306166333534336333613735643033326633
39396335613362363230333863396535343464346437366632316336626539623865313239353539
30643834633130333564666162623365323439396630333136616137633532363530623234376332
66353539306637633432353231326666643261386466633533313063353061643761313132623035
62653263636237666432336662633136653930323532623137386261333862623337326431336365
36663364386364346631393031326434326334636166663739366435616166363130623463633733
35383834326231363264623061303066326433613139333237656635643835393762313866356237
62616435613863616161376666333966323030326531323261646436633233613635383438373834
31343133326231636661353466396566656365396466343430613262316537623631376433633630
62336664346363393363306163333662323338343139646238633830326535313034613739616138
38313637333333383032316134316164363036396338306634633436633564306333336437393566
61656337343030393936353364386461643766636564333864396130343762323630393839393463
35343864393035333930313238663465663633633862623336663136626165666131383933626437
31323936653737646231363036383764333335313762356465333635303334663734636531343331
37386461643239363434373864373561353339343031346364383530663430393938333963333837
63303966366364626665303530356433643264343861346238353937386338383034356633623231
36663735386233396138306561326339626262326463336535646265666637383032396435333835
31363266666230366438313432356637663632333530646263663563373137313262663937636532
66633731333166386564386666363130633734643963653030386533393766623038383234646161
36343135663231323030306430623535373534353835623339333738376362663930343436343637
34383963306266623437323462356466336533643933653839366666393839626663353264326334
32663461663561396631363533383334363361373764363132643435373537333839613066396463
35386436326638353431363064626131306634363339653132396563356239653265303930333634
32376332643863376237383966623233323864393338346537393865363661616338333631383532
34373635316138663261633839333664353432666234306463306338653634633038373266646462
32336534356537306366656236356663616336333031306431653239343132336234626165333032
38303137666131363462363263333832356333616130346337663837376365346166306261373036
63383236323738303562623631633064363564663861336162356262373861383965623935343931
65663934623431363164356331353135633837616130363464353661663438323132363165343766
31393633306261303762613537343034316535373731363365666530623361623630633137326466
32326533313362333863383561343230626466303831623033613065363136396362373333306333
32336464356364663564626234653832323265313364343631646633396362373438666165353962
38396330333161356365626562383531323664636235643666613631636636323638376638396531
38646531666164653161353932643662363261323564373537343731666232666532633063353431
61386163363562313330393037656139303365396438313935306333656264373531373037303939
63373962356233346164383163323532373163376364623766323933623063653939346537306338
65353266656532636633326137356430666432333465626437633733356435363163626430303964
39343935623937616130326637323061373538616633393465653266656666376661393635333662
30363364653130356137393463613038663762396336306234363461396133306562323838336330
63303735646132353766313137303162366164613530303966383636393934393035306264626465
36613233376234633932663963623432663032656236323963353036356437383066373532323865
36643431373966613533646164303564653336396535343366303339303134613936656137653939
31333062623734613538333666636561386338306235633165386262383261333264623638383366
34313266333636376337393736343062363539366235393136663561303663386438333834613539
38623632656161653766363166653661336136653833336663616261663831656133666232633362
31373166306134653162313134333432323134623336666632613766386662653831643732326330
63643737333638626162646136373466613536653831663835616432343537323864343166316461
34393732353930343430356231626636373763636561343430616533663861346566326262313232
39623936366633363136353632346134643563383833376134363833336137613337326435613764
37653232613632333334316162383261383836613936376230393633343336346633386539356232
30316232373738363038356665366663623536626539376364303038643061386363636337386663
61383634336530666163346239343838326138373932383339396265653764313039653138643938
31613163653632656238376533363739346539623863623332653936643731623565613234663430
39363935306330386634363634363233376234613837353765353732646638663830323335616234
34366334636436633734333830306136333563666337623035653239313361626438316535313434
37343930643832383136343737313365316238373638323130653766646637343464653134616137
38313034383833626433326237633863313364353662326233636333333932633039396565356133
64376166383064343239633364363861616136643061646636323437376162313438396230393331
32633662323031666238643934646665303666383834336432363430363166356632353033336333
64383861663563653531643832656238643066323564656134633639666234363363363132623836
61386431643130333761376161646262346562363532353632633332343666393562313465303337
31333732626164363464323531323239333963303333626466623966346361383832353765346565
37303765363834376237636632386663373061346534643132636333623137366662646538306231
33353538623231636166653838333264396463616437396264353537633661313932353133316438
61323439363635383035316335363132383366613733383363306366356466333364633537393033
66636434623962633063306236303831633637656430376533353436613934636466363461333562
34613339373732343632343435333331353935303735633732656663643938663439656233613163
65356232633865656439643430636332386663333761376638323630373930663837653638363963
63656437323138633664613166353537306466666261353532326363346332343363343035386435
33326238333730303539363265383761663862313961383030326263353034303866626661623334
61623365373332366333376630626539343835663466666534636561643736646537646431386631
36366132663830336234613065626262336564316339383038333330323237363665373935326438
38646335346239316432636138633365373062663564326465643032633438306230363434323262
34313932653361346261623030623739313665356464373666346361663430336362383063666134
38323539653437623030333437373231646634333563306165393231653465313731633536323362
65613262633563653031306139383436663834616339316164393365336437653730393331636464
32313537313164386164313832396566353137376239303663656130383336336634313235376363
63326530333339356432343938306465623636336161363133613864336339393635306234656263
34343437336461303831393562653934633439336562663366643066393439396531653663386531
65623061643064396534353364663633653331653535306133386466356236623239646432373066
61313261366466663866613162323939646534653561356335393237376138633930663364636236
36613834303338646530663565303438363831663865323531386635303239646464343936303832
31323531363263333830623838666437636262306164386236643032356165323037656630383739
65666333656639333263346465666463616534353835656337353464336134303732323037393538
37366263656133643039373438636537343636663065646534616339303833666532396633616565
38353139323739656564623065613364346164633863343738633163383031663531663365616534
31663835323435643463666264623932396133336531626331303862356261306238326333366164
66306262386137363432376530366432356432653333393833376532623333373337393830316263
30326531613662313430663130613734663937613663353936346134356537393761373238393433
37356136393731626561303430626339386531386333386536656465646232633934393630613339
61333163613862346564316336353766346461626639303661353464633835626663313462613666
33343561613662303036643937656431393432333831383461323631393262346464393539353537
33633364383261663535323136393138333739356439663731636136393530323864333566323361
62643961323264336662316661303630636430323838633535343036303437393439656637326566
34363832366434316639393939313965633037653931323462363465643262653539623063326432
36616434366432303235663062663138623336336165373734353838333662363239333762323932
65393765326232373230666437656433373930643638386131363339343630636634636434326464
39366339326263666239646237326534383665376536313536303263373265306537316161663262
31346635346436313261626366333738333966643333313230623133313434373530366462653435
33353434643635383833643736653461373765326537313430353164306566323733653237343632
66346133656333303538306133313563393363313230323664303836323861346466343230343264
36613934643662626365653036636136623630333638373565316437646232316263663433313762
39353234333131623731643662303130626465386338353833393533646564646565623736343039
38356635393461353166653565336535626366396532633961393334343234353764303431303663
61666533633731663666346132383037646433336463643062396465383034346631346165323939
33313937343338383737373164363930336236326432346465646166363430653932333932343236
38336235613034386533613665393666633635383164646538373035623862343737353463623730
33396233353331633463373538326365636231323535633737303562613262613730636237336632
38626230313637336436623661666438666538333838356632653034303864313232623337306333
66363464643061363337393732323065306335656531376337323438313733616539613538333837
34363033666366613933343563303537613564356462313931353533323938656362393536386334
38336237616335346334613534323130613861663239356363366564623933303737306138613535
63643639323135663232336131643331343063363234336230653536623765323562393161663266
32663839613564613636343166396463366665666333306239386338616366363236393931313439
30386238316261323630633464386265353464333735336435646663656638316130333762666531
38626463316165373434613436343335303633643965633230326534323761616365376630363039
30336661313737383535343934366466353231396430353030653762383934666235646161653832
31613565643031353535353234386665373636356362653337366563316630343838626231646462
34623262343761373831303861313661666435373565386465336166306631376666643631303863
37633934326262623737373266326631663932373863346466613133303961386466366336643235
39303933333236626637663636633739343761393432616232643238663738313636346137316430
34623238326430616134396166306339626261643032613661343763366138653830376463306461
62366564393364306139633837646264633130383064383730393862633561303538363232663366
30343633666632303530356637646337623339303236376164633962383839386265336666396436
38616238656336343066333063393833623862646237323238393465633662393362353161313963
63663539383630366536313933643565346162646363353035386666396363633635386564346666
64336362633033346461353133396363646237613433306366333064626563656637383863323361
31386262346631343565653836333764636366313330633462303533616531316537353538313031
64366263666138356339373864383866303632366162633738383437323564313732373738373038
39643862336136663165343736613730306339643237313361333438613438323439373966396138
62323661383336396636

67
host_vars/web23 Normal file
View File

@@ -0,0 +1,67 @@
$ANSIBLE_VAULT;1.1;AES256
64326662336532386161646564656439396461666266656463393335663130323930326139386562
3639653630336132663666646161363938386334323064320a663564613066313533353433333434
30346561616465646163646534356339666639333862623637613435376361323032636439633930
3731313063363337380a373961353530383764623830363935626231333734303364313565626633
37343037633862633632613165323136373662396438613663636433346566653064653632313338
36396333393334336434326630646164333531306432386133353664336535343363343939393464
34626335626436353239366138323863656336636536383733363931633933636331643263653566
30613931616462373336393337363430353962613665353936383533326364353365623333316664
62383439396131303831326562323264336638623461643361663763356236373464346464316237
65393232343733643338653734326562626166366562303037613862396564636662363066356664
32656363616637303039373732396533643432343961666365313963383131643464333765643737
32386165666131626365313938633530346361383734323334613464353862393931323836626563
62656531346532646530306463653364326362613162323536643836643839663933343132613435
63303234646335306632316166626266313635303566396363333464363631353834373761353837
65643461623135363139646564336430353461336433633765303138313730613630346465326666
61393133636262653836333664623333656164663361353130623863653863323131326136373238
33376333316433653337373834666136363130373261333330643439313734343036636364306532
63343662383539633235356162656366323965383331343139616361653466633865626337326562
63643761613536613334333065643533323066393764633931633066353064393966646161376361
37623939386636346161346164303832303534323038626335336665653634386132343031303861
61323765306366333936303765636436633465356539316631343562363535663932333666363035
30386233623265636464393662386464333430396337626230306438396563303437363938303061
32653939383136376365343934613339383563303935623664633639326137353437363261393637
66613331643530623862636665396536613730306537373666623135663837393466343261646461
62376162613861643633656334303132353034333834626664666237393534386439313638393933
35643663613432323432646466386434363335353234643264643463613334356462313766643030
30336364396235663230356235303264323339643761333036333537633862343862386130626533
36626536396663393031303533313238616133323239356634303830353439363133353839663266
36306539636563633734623162356230383232306138393831393336626336383966643335376564
36303730313936633361643736613736303163363536313038316432323039643362636538333037
65613663333032623035656665393565366363396134363832363163656532363537373435623233
36373961333237373264326634353363356537356538343663613034396132396366626330303365
62353461616434343938386237373365633861333733613631633234623034366364363761613636
34393532316466323264363363653335366639613731326131393335313039646538626665356333
62663435633539643237326631636563363833633130363535653336333538366137306235663730
36633934636536633865376262356239303966646638626638386536366662386432343466366161
36646436636538643366623864326630396565373462393132343834626638313437316137353564
34646138616438323065336266366434316135613938643131353034646230396632386433366365
38616436346232363563336439613939313464323861616530633962316634363462373530613665
63653636646565303664326631363535373037663734663965346430363831613431613365393832
62373030336262643430313635626261613232656236333130396537633238623265363932333966
34326135363762396564613064323135313663613565646461376162306532643433333336666532
65383661303137613335653336663666653463623565386137326662653839633536326135633764
33623437333931393737363061356235336232376437643131373531356566323336306138353561
66333863313461613930383231663162616261616639323238646439656166666261626533636161
38333362393033316266633364313739366262636530363937386137616234326638303137613433
65313962653566333364383732386165396136303666383439303064326463346563663434646364
62396130646632653039383661613638303162363538376236666338623865366639663138363636
36373766386234383465316635323931356233366262386135363238366538623135623361386436
64653533646233653463656334633566373433303365353965663732636566663332343337626337
34623861373562386264346430333133343631653631376366373735626664363965666561306262
35666235653235346233636361383566616533646662333662323139313865383264633734643263
63656431393834633935613430643839613433326431666665323136376562333737383862313261
65656431336439303563373833343965323965346439636131633366633431393032613963666539
38326539343132326334316233323362633835356265333031663066643535363639623031336362
64346230383638363763323462386261666266623134393139303264343234623132323437396630
66363738376133393731616535653230303262313937373333353932303038626166346366303163
66613831353731373165636532363165356561383137626437333563616561386666623234313438
37333435306530323235393164383138346131653235633536383636316161316238313064636261
33353963333430383236303038333939316637326130396430623964633338353863613534653663
30333839393230626261663966616230303330636335323565663938343562666663303536636332
34336665323764663163653161373166313631393534326532613538313637313136356336313433
34353036653738343433613763383137336562373332333062326134626638633938336364376131
61303435333163663636653135363162303663663266393438656430306532343438386436343735
31343231653263373532386263653263386435363633396638396164323539306233303562303862
3339306136613431636138333266633739323666633431363039

4
misc-plays/change_password.yml
View File

@@ -13,13 +13,13 @@
- hosts: all
user: provisioning
become: yes
become: true
vars_files:
- "../vars/{{ ansible_distribution }}.yml"
tasks:
- name: Set password, shell, homedir for provisioning user
when: provisioning_user is defined
user: name={{ provisioning_user.name }} password={{ provisioning_user.password }} shell={{ provisioning_user.shell }} state={{ provisioning_user.state }} createhome=no
user: name={{ provisioning_user.name }} password={{ provisioning_user.password }} shell={{ provisioning_user.shell }} state={{ provisioning_user.state }} createhome=false
# vim: set sw=2 ts=2:

2
nomads.yml
View File

@@ -2,7 +2,7 @@
# file: nomads.yml
- hosts: nomads
become: yes
become: true
roles:
- common
- munin

11
roles/caddy/defaults/main.yml Normal file
View File

@@ -0,0 +1,11 @@
---
# file: roles/caddy/defaults/main.yml
# parent directory of vhost document roots
caddy_root_prefix: "{{ web_root_prefix }}"
# Email address to use for the ACME account managing the site's certificates.
# Not sure what Caddy does if this doesn't exist.
caddy_email: foo@example.com
# vim: set ts=2 sw=2:

10
roles/caddy/handlers/main.yml Normal file
View File

@@ -0,0 +1,10 @@
---
# file: roles/caddy/handlers/main.yml
# I'm currently not sure when we need to restart versus reload
- name: reload caddy
ansible.builtin.systemd_service:
name: caddy
state: reloaded
# vim: set sw=2 ts=2:

82
roles/caddy/tasks/main.yml Normal file
View File

@@ -0,0 +1,82 @@
---
# file: roles/caddy/tasks/main.yml
#
# Configure Caddy.
- name: Check Caddy package signing key
ansible.builtin.stat:
path: /etc/apt/keyrings/caddy-stable-archive-keyring.key
register: caddy_signing_key_stat
tags:
- packages
- caddy
# See: https://caddyserver.com/docs/install#debian-ubuntu-raspbian
- name: Download Caddy package signing key
ansible.builtin.get_url:
url: https://dl.cloudsmith.io/public/caddy/stable/gpg.key
dest: /etc/apt/keyrings/caddy-stable-archive-keyring.key
owner: root
group: root
mode: "0644"
register: download_caddy_signing_key
when: not caddy_signing_key_stat.stat.exists
tags:
- packages
- caddy
- name: Add Caddy stable repo
ansible.builtin.apt_repository:
repo: deb [signed-by=/etc/apt/keyrings/caddy-stable-archive-keyring.key] https://dl.cloudsmith.io/public/caddy/stable/deb/debian any-version main
filename: caddy-stable
state: present
register: add_caddy_apt_repository
tags:
- packages
- caddy
- name: Update apt cache
ansible.builtin.apt: # noqa no-handler
update_cache: true
when: (download_caddy_signing_key.status_code is defined and download_caddy_signing_key.status_code == 200) or add_caddy_apt_repository is changed
tags:
- packages
- caddy
- name: Install Caddy
ansible.builtin.apt:
name: caddy
state: present
install_recommends: false
cache_valid_time: 3600
tags:
- caddy
- packages
- name: Create Caddyfile
ansible.builtin.template:
src: etc/caddy/Caddyfile.j2
dest: /etc/caddy/Caddyfile
mode: "0755"
owner: root
group: root
notify:
- reload caddy
tags: caddy
- name: Create Caddy conf.d directory
ansible.builtin.file:
path: /etc/caddy/conf.d
state: directory
mode: "0755"
owner: root
group: root
tags: caddy
# TODO: the variable is still named nginx_vhosts
- name: Configure Caddy virtual hosts
ansible.builtin.include_tasks: vhosts.yml
when: nginx_vhosts is defined
tags: caddy
# vim: set sw=2 ts=2:

14
roles/caddy/tasks/vhosts.yml Normal file
View File

@@ -0,0 +1,14 @@
---
- name: Configure vhosts
ansible.builtin.template:
src: etc/caddy/conf.d/vhost.j2
dest: /etc/caddy/conf.d/{{ item.domain_name }}
mode: "0644"
owner: root
group: root
loop: "{{ nginx_vhosts }}"
notify:
- reload caddy
tags: caddy
# vim: set ts=2 sw=2:

29
roles/caddy/templates/etc/caddy/Caddyfile.j2 Normal file
View File

@@ -0,0 +1,29 @@
# Global options
{
email {{ caddy_email }}
}
# Common security response headers
(security-headers) {
header {
# disable Google FLoC tracking
Permissions-Policy interest-cohort=()
# enable HSTS
Strict-Transport-Security max-age=31536000
# disable clients from sniffing the media type
X-Content-Type-Options nosniff
# clickjacking protection: refuse to allow rendering this page
# in a frame, iframe, etc.
X-Frame-Options DENY
# keep referrer data off of HTTP connections
Referrer-Policy no-referrer-when-downgrade
}
}
# Import additional caddy config files in /etc/caddy/conf.d/
# Note: these are imported in lexical sort order!
import /etc/caddy/conf.d/*

46
roles/caddy/templates/etc/caddy/conf.d/vhost.j2 Normal file
View File

@@ -0,0 +1,46 @@
{{ ansible_managed | comment }}
{# helper variables and per-site defaults that we can't set in role defaults #}
{% set domain_name = item.domain_name %}
{% set domain_aliases = item.domain_aliases | default("") %}
{# assume optional features are off unless a vhost explicitly sets them #}
{% set has_wordpress = item.has_wordpress | default(false) %}
{% set needs_php = item.needs_php | default(false) %}
{% set has_gitea = item.has_gitea | default(false) %}
{% set static_site = item.static_site | default(false) %}
{# Allow sites to override the document root #}
{% if item.document_root is defined %}
{% set document_root = item.document_root %}
{% else %}
{% set document_root = (caddy_root_prefix, domain_name) | ansible.builtin.path_join %}
{% endif %}
{% if domain_aliases %}
{# domain_aliases is a string, so we split on space #}
{% for domain in domain_aliases | split (' ') %}
{{ domain }} {
redir https://{{domain_name}}{uri}
}
{% endfor %}
{% endif %}
{{ domain_name }} {
{% if has_gitea %}
reverse_proxy :3000
{% elif static_site -%}
root * {{ document_root }}
encode
file_server
{% elif has_wordpress -%}
root * {{ document_root }}
encode
{% if ansible_facts["distribution_major_version"] is version('12', '==') -%}
php_fastcgi unix//run/php/php8.2-fpm-{{ domain_name }}.sock
{% endif -%}
file_server
{% endif -%}
import security-headers
}

6
roles/common/defaults/main.yml
View File

@@ -8,6 +8,10 @@ fail2ban_maxretry: 6
fail2ban_findtime: 3600
# 2 weeks in seconds
fail2ban_bantime: 1209600
fail2ban_ignoreip: 127.0.0.1/8 172.26.0.0/16 192.168.5.0/24
fail2ban_ignoreip: 127.0.0.0/8
# Disable SSH passwords. Must use SSH keys. This is OK because we add the keys
# before re-configuring the SSH daemon to disable passwords.
ssh_password_authentication: disabled
# vim: set ts=2 sw=2:

9994
roles/common/files/abuseipdb-ipv4.nft
View File

File diff suppressed because it is too large Load Diff

14
roles/common/files/abuseipdb-ipv6.nft
View File

@@ -1,14 +0,0 @@
#!/usr/sbin/nft -f
define ABUSEIPDB_IPV6 = {
2001:41d0:8:8c1::,
2400:6180:0:d1::8c9:8001,
2607:5300:203:3b58::,
2607:f298:5:102f::97c:9b51,
2607:f298:5:103f::cf7:8a8e,
2607:f298:5:6000::f25:8518,
2607:f298:6:a016::448:ebe6,
2607:f298:6:a034::eb5:2e70,
2a00:d680:20:50::68b6,
2a06:41c0:0:1::e4ca:8524,
}

9989
roles/common/files/abusers-ipv4.xml
View File

File diff suppressed because it is too large Load Diff

23
roles/common/files/abusers-ipv6.xml
View File

@@ -1,23 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:ip">
<option name="family" value="inet6" />
<short>abusers-ipv6</short>
<description>A list of abusive IPv6 addresses.</description>
<entry>2001:41d0:700:1a2c::</entry>
<entry>2400:6180:0:d0::63:e001</entry>
<entry>2400:6180:0:d0::6a:4001</entry>
<entry>2604:a880:2:d0::22d5:c001</entry>
<entry>2604:a880:2:d1::19c:1001</entry>
<entry>2604:a880:cad:d0::169:3001</entry>
<entry>2607:5300:203:2519::</entry>
<entry>2607:5300:203:4418::</entry>
<entry>2607:5300:203:d86::</entry>
<entry>2607:5300:60:1e52::</entry>
<entry>2607:5300:61:404::</entry>
<entry>2607:f298:5:115b::bcf:e319</entry>
<entry>2607:f298:5:6000::864:52c7</entry>
<entry>2607:f298:6:a044::d7d:2305</entry>
<entry>2607:f298:6:a077::491:e10b</entry>
<entry>2a00:d680:20:50::4a10</entry>
<entry>2a03:6f00:6:1::b972:f5c1</entry>
</ipset>

89
roles/common/files/aggregate-cidr-addresses.pl
View File

@@ -1,89 +0,0 @@
#!/usr/bin/perl
#
# aggregate-cidr-addresses - combine a list of CIDR address blocks
# Copyright (C) 2001,2007 Mark Suter <suter@zwitterion.org>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see L<http://www.gnu.org/licenses/>.
#
# [MJS 22 Oct 2001] Aggregate CIDR addresses
# [MJS 9 Oct 2007] Overlap idea from Anthony Ledesma at theplanet dot com.
# [MJS 16 Feb 2012] Prompted to clarify license by Alexander Talos-Zens - at at univie dot ac dot at
# [MJS 21 Feb 2012] IPv6 fixes by Alexander Talos-Zens
# [MJS 21 Feb 2012] Split ranges into prefixes (fixes a 10+ year old bug)
use strict;
use warnings;
use English qw( -no_match_vars );
use Net::IP;
## Read in all the IP addresses
my @addrs = map { Net::IP->new($_) or die "$PROGRAM_NAME: Not an IP: \"$_\"."; }
map { / \A \s* (.+?) \s* \Z /msix and $1; } <>;
## Split any ranges into prefixes
@addrs = map {
defined $_->prefixlen ? $_ : map { Net::IP->new($_) }
$_->find_prefixes
} @addrs;
## Sort the IP addresses
@addrs = sort { $a->version <=> $b->version or $a->bincomp( 'lt', $b ) ? -1 : $a->bincomp( 'gt', $b ) ? 1 : 0 } @addrs;
## Handle overlaps
my $count = 0;
my $current = $addrs[0];
foreach my $next ( @addrs[ 1 .. $#addrs ] ) {
my $r = $current->overlaps($next);
if ( $current->version != $next->version or $r == $IP_NO_OVERLAP ) {
$current = $next;
$count++;
}
elsif ( $r == $IP_A_IN_B_OVERLAP ) {
$current = $next;
splice @addrs, $count, 1;
}
elsif ( $r == $IP_B_IN_A_OVERLAP or $r == $IP_IDENTICAL ) {
splice @addrs, $count + 1, 1;
}
else {
die "$PROGRAM_NAME: internal error - overlaps() returned an unexpected value!\n";
}
}
## Keep aggregating until we don't change anything
my $change = 1;
while ($change) {
$change = 0;
my @new_addrs = ();
$current = $addrs[0];
foreach my $next ( @addrs[ 1 .. $#addrs ] ) {
if ( my $total = $current->aggregate($next) ) {
$current = $total;
$change = 1;
}
else {
push @new_addrs, $current;
$current = $next;
}
}
push @new_addrs, $current;
@addrs = @new_addrs;
}
## Print out the IP addresses
foreach (@addrs) {
print $_->prefix(), "\n";
}
# $Id: aggregate-cidr-addresses,v 1.9 2012/02/21 10:14:22 suter Exp suter $

2
roles/common/files/etc/cron-apt/3-download
View File

@@ -1,2 +0,0 @@
autoclean -y
upgrade -y -o APT::Get::Show-Upgraded=true

5
roles/common/files/etc/cron-apt/config
View File

@@ -1,5 +0,0 @@
# Configuration for cron-apt. For further information about the possible
# configuration settings see the README file.
MAILON="never"
OPTIONS="-o quiet=1 -o Dir::Etc::SourceList=/etc/apt/security.sources.list -o Dir::Etc::SourceParts=\"/dev/null\""

1
roles/common/files/etc/sudoers.d/provisioning
View File

@@ -1 +0,0 @@
provisioning ALL=(ALL) ALL

2
roles/common/files/spamhaus-ipv4.nft → roles/common/files/firehol_level1-ipv4.nft
View File

@@ -1,5 +1,5 @@
#!/usr/sbin/nft -f
define SPAMHAUS_IPV4 = {
define FIREHOL_LEVEL1_IPV4 = {
192.168.254.254/32
}

6
roles/common/files/spamhaus-ipv4.xml
View File

@@ -1,6 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:net">
<option name="family" value="inet" />
<short>spamhaus-ipv4</short>
<description>Spamhaus DROP and EDROP lists placeholder (IPv4).</description>
</ipset>

5
roles/common/files/spamhaus-ipv6.nft
View File

@@ -1,5 +0,0 @@
#!/usr/sbin/nft -f
define SPAMHAUS_IPV6 = {
fd21:3523:74e0:7301::/64
}

6
roles/common/files/spamhaus-ipv6.xml
View File

@@ -1,6 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:net">
<option name="family" value="inet6" />
<short>spamhaus-ipv6</short>
<description>Spamhaus DROP list placeholder (IPv6).</description>
</ipset>

1
roles/common/files/ssh-pub-keys/aorth-thinkpad2-ed25519.pub Normal file
View File

@@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHmRO6E0G4Ls3TifVfJ+mQjlfWiBZNJfsSXGhwQ/HA1M aorth@balozi

27
roles/common/files/update-abusech-nftables.service
View File

@@ -1,27 +0,0 @@
[Unit]
Description=Update Abuse.ch SSL Blacklist IPs
# This service will fail if nftables is not running so we use Requires to make
# sure that nftables is started.
Requires=nftables.service
# Make sure the network is up and nftables is started
After=network-online.target nftables.service
Wants=network-online.target update-abusech-nftables.timer
[Service]
# https://www.ctrl.blog/entry/systemd-service-hardening.html
# Doesn't need access to /home or /root
ProtectHome=true
# Possibly only works on Ubuntu 18.04+
ProtectKernelTunables=true
ProtectSystem=full
# Newer systemd can use ReadWritePaths to list files, but this works everywhere
ReadWriteDirectories=/etc/nftables
PrivateTmp=true
WorkingDirectory=/var/tmp
SyslogIdentifier=update-abusech-nftables
ExecStart=/usr/bin/flock -x update-abusech-nftables.lck \
/usr/local/bin/update-abusech-nftables.sh
[Install]
WantedBy=multi-user.target

63
roles/common/files/update-abusech-nftables.sh
View File

@@ -1,63 +0,0 @@
#!/usr/bin/env bash
#
# update-abuseipdb-nftables.sh v0.0.1
#
# Download IP addresses seen using a blacklisted SSL certificate and load them
# into nftables sets. As of 2021-07-28 these appear to only be IPv4.
#
# See: https://sslbl.abuse.ch/blacklist
#
# Copyright (C) 2021 Alan Orth
#
# SPDX-License-Identifier: GPL-3.0-only
# Exit on first error
set -o errexit
abusech_ipv4_set_path=/etc/nftables/abusech-ipv4.nft
abusech_list_temp=$(mktemp)
echo "Downloading Abuse.sh SSL Blacklist IPs"
abusech_response=$(curl -s -G -w "%{http_code}\n" https://sslbl.abuse.ch/blacklist/sslipblacklist.txt --output "$abusech_list_temp")
if [[ $abusech_response -ne 200 ]]; then
echo "Abuse.ch responded: HTTP $abusech_response"
exit 1
fi
if [[ -f "$abusech_list_temp" ]]; then
echo "Processing IPv4 list"
abusech_ipv4_list_temp=$(mktemp)
abusech_ipv4_set_temp=$(mktemp)
# Remove comments, DOS carriage returns, and IPv6 addresses (even though
# Abuse.ch seems to only have IPv4 addresses, let's not break our shit on
# that assumption some time down the line).
sed -e '/#/d' -e 's/
//' -e '/:/d' "$abusech_list_temp" > "$abusech_ipv4_list_temp"
echo "Building abusech-ipv4 set"
cat << NFT_HEAD > "$abusech_ipv4_set_temp"
#!/usr/sbin/nft -f
define ABUSECH_IPV4 = {
NFT_HEAD
while read -r network; do
# nftables doesn't mind if the last element in the set has a trailing
# comma so we don't need to do anything special here.
echo "$network," >> "$abusech_ipv4_set_temp"
done < $abusech_ipv4_list_temp
echo "}" >> "$abusech_ipv4_set_temp"
install -m 0600 "$abusech_ipv4_set_temp" "$abusech_ipv4_set_path"
rm -f "$abusech_list_temp" "$abusech_ipv4_list_temp" "$abusech_ipv4_set_temp"
fi
echo "Reloading nftables"
# The abusech nftables sets are included by nftables.conf

12
roles/common/files/update-abusech-nftables.timer
View File

@@ -1,12 +0,0 @@
[Unit]
Description=Update Abuse.ch SSL Blacklist IPs
[Timer]
# Once a day at midnight
OnCalendar=*-*-* 00:00:00
# Add a random delay of 03600 seconds
RandomizedDelaySec=3600
Persistent=true
[Install]
WantedBy=timers.target

24
roles/common/files/update-firehol-nftables.service Normal file
View File

@@ -0,0 +1,24 @@
[Unit]
Description=Update FireHOL lists
# Make sure the network is up
After=network-online.target
Wants=network-online.target update-firehol-nftables.timer
[Service]
# https://www.ctrl.blog/entry/systemd-service-hardening.html
# Doesn't need access to /home or /root
ProtectHome=true
# Possibly only works on Ubuntu 18.04+
ProtectKernelTunables=true
ProtectSystem=full
# Newer systemd can use ReadWritePaths to list files, but this works everywhere
ReadWriteDirectories=/etc/nftables
PrivateTmp=true
WorkingDirectory=/var/tmp
SyslogIdentifier=update-firehol-nftables
ExecStart=/usr/bin/flock -x update-firehol-nftables.lck \
/usr/local/bin/update-firehol-nftables.sh
[Install]
WantedBy=multi-user.target

2
roles/common/files/update-spamhaus-nftables.timer → roles/common/files/update-firehol-nftables.timer
View File

@@ -1,5 +1,5 @@
[Unit]
Description=Update Spamhaus lists
Description=Update FireHOL lists
[Timer]
# Once a day at midnight

27
roles/common/files/update-spamhaus-lists.service
View File

@@ -1,27 +0,0 @@
[Unit]
Description=Update Spamhaus lists
# This service will fail if firewalld is not running so we use Requires to make
# sure that firewalld is started.
Requires=firewalld.service
# Make sure the network is up and firewalld is started
After=network-online.target firewalld.service
Wants=network-online.target update-spamhaus-lists.timer
[Service]
# https://www.ctrl.blog/entry/systemd-service-hardening.html
# Doesn't need access to /home or /root
ProtectHome=true
# Possibly only works on Ubuntu 18.04+
ProtectKernelTunables=true
ProtectSystem=full
# Newer systemd can use ReadWritePaths to list files, but this works everywhere
ReadWriteDirectories=/etc/firewalld/ipsets
PrivateTmp=true
WorkingDirectory=/var/tmp
SyslogIdentifier=update-spamhaus-lists
ExecStart=/usr/bin/flock -x update-spamhaus-lists.lck \
/usr/local/bin/update-spamhaus-lists.sh
[Install]
WantedBy=multi-user.target

107
roles/common/files/update-spamhaus-lists.sh
View File

@@ -1,107 +0,0 @@
#!/usr/bin/env bash
#
# update-spamhaus-lists.sh v0.0.5
#
# Download Spamhaus DROP lists and load them into firewalld ipsets. Should work
# with both the iptables and nftables backends.
#
# See: https://www.spamhaus.org/drop/
#
# Copyright (C) 2021 Alan Orth
#
# SPDX-License-Identifier: GPL-3.0-only
# Exit on first error
set -o errexit
firewalld_ipsets=$(firewall-cmd --get-ipsets)
xml_temp=$(mktemp)
spamhaus_ipv4_ipset_path=/etc/firewalld/ipsets/spamhaus-ipv4.xml
spamhaus_ipv6_ipset_path=/etc/firewalld/ipsets/spamhaus-ipv6.xml
function download() {
echo "Downloading $1"
wget -q -O - "https://www.spamhaus.org/drop/$1" > "$1"
}
download drop.txt
download edrop.txt
download dropv6.txt
if [[ -f "drop.txt" && -f "edrop.txt" ]]; then
echo "Processing IPv4 DROP lists"
# Extract all networks from drop.txt and edrop.txt, skipping blank lines and
# comments.
networks=$(cat drop.txt edrop.txt | sed -e '/^$/d' -e '/^;.*/d' -e 's/[[:space:]];[[:space:]].*//')
# If firewalld already has this ipset we should delete it first to emulate
# `ipset flush` (but I don't want to use that because newer hosts might be
# using nftables and firewalld will handle that for us).
if [[ "$firewalld_ipsets" =~ spamhaus-ipv4 ]]; then
echo "Deleting existing spamhaus-ipv4 ipset"
# This deletes the firewalld ipset XML file as well as the ipset itself
firewall-cmd --permanent --delete-ipset=spamhaus-ipv4
else
echo "Creating placeholder spamhaus-ipv4 ipset"
# Create a placeholder ipset so firewalld doesn't complain when we try
# to reload the ipset later after having added a new XML definition. I
# don't know why, but depending on the system state there may not be a
# ipset defined and firewalld errors on INVALID_IPSET.
firewall-cmd --permanent --new-ipset=spamhaus-ipv4 --type=hash:net --option=family=inet
fi
# I'm not proud of this, but writing the XML directly is WAY faster than
# using firewall-cmd to add each entry one by one (and we can't add from
# a file because many of our hosts are using old firewalld).
cat << XML_HEAD > "$xml_temp"
<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:net">
<option name="family" value="inet" />
<short>spamhaus-ipv4</short>
<description>Spamhaus DROP and EDROP lists (IPv4).</description>
XML_HEAD
for network in $networks; do
echo " <entry>$network</entry>" >> "$xml_temp"
done
echo "</ipset>" >> "$xml_temp"
install -m 0600 "$xml_temp" "$spamhaus_ipv4_ipset_path"
fi
if [[ -f "dropv6.txt" ]]; then
echo "Processing IPv6 DROP list"
networks=$(sed -e '/^$/d' -e '/^;.*/d' -e 's/[[:space:]];[[:space:]].*//' dropv6.txt)
if [[ "$firewalld_ipsets" =~ spamhaus-ipv6 ]]; then
echo "Deleting existing spamhaus-ipv6 ipset"
firewall-cmd --permanent --delete-ipset=spamhaus-ipv6
else
echo "Creating placeholder spamhaus-ipv6 ipset"
firewall-cmd --permanent --new-ipset=spamhaus-ipv6 --type=hash:net --option=family=inet6
fi
cat << XML_HEAD > "$xml_temp"
<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:net">
<option name="family" value="inet6" />
<short>spamhaus-ipv6</short>
<description>Spamhaus DROP lists (IPv6).</description>
XML_HEAD
for network in $networks; do
echo " <entry>$network</entry>" >> "$xml_temp"
done
echo "</ipset>" >> "$xml_temp"
install -m 0600 "$xml_temp" "$spamhaus_ipv6_ipset_path"
fi
echo "Reloading firewalld"
firewall-cmd --reload
rm -v drop.txt edrop.txt dropv6.txt "$xml_temp"

12
roles/common/files/update-spamhaus-lists.timer
View File

@@ -1,12 +0,0 @@
[Unit]
Description=Update Spamhaus lists
[Timer]
# Once a day at midnight
OnCalendar=*-*-* 00:00:00
# Add a random delay of 03600 seconds
RandomizedDelaySec=3600
Persistent=true
[Install]
WantedBy=timers.target

27
roles/common/files/update-spamhaus-nftables.service
View File

@@ -1,27 +0,0 @@
[Unit]
Description=Update Spamhaus lists
# This service will fail if nftables is not running so we use Requires to make
# sure that nftables is started.
Requires=nftables.service
# Make sure the network is up and nftables is started
After=network-online.target nftables.service
Wants=network-online.target update-spamhaus-nftables.timer
[Service]
# https://www.ctrl.blog/entry/systemd-service-hardening.html
# Doesn't need access to /home or /root
ProtectHome=true
# Possibly only works on Ubuntu 18.04+
ProtectKernelTunables=true
ProtectSystem=full
# Newer systemd can use ReadWritePaths to list files, but this works everywhere
ReadWriteDirectories=/etc/nftables
PrivateTmp=true
WorkingDirectory=/var/tmp
SyslogIdentifier=update-spamhaus-nftables
ExecStart=/usr/bin/flock -x update-spamhaus-nftables.lck \
/usr/local/bin/update-spamhaus-nftables.sh
[Install]
WantedBy=multi-user.target

91
roles/common/files/update-spamhaus-nftables.sh
View File

@@ -1,91 +0,0 @@
#!/usr/bin/env bash
#
# update-spamhaus-nftables.sh v0.0.1
#
# Download Spamhaus DROP lists and load them into nftables sets.
#
# See: https://www.spamhaus.org/drop/
#
# Copyright (C) 2021 Alan Orth
#
# SPDX-License-Identifier: GPL-3.0-only
# Exit on first error
set -o errexit
spamhaus_ipv4_set_path=/etc/nftables/spamhaus-ipv4.nft
spamhaus_ipv6_set_path=/etc/nftables/spamhaus-ipv6.nft
function download() {
echo "Downloading $1"
wget -q -O - "https://www.spamhaus.org/drop/$1" > "$1"
}
download drop.txt
download edrop.txt
download dropv6.txt
if [[ -f "drop.txt" && -f "edrop.txt" ]]; then
echo "Processing IPv4 DROP lists"
spamhaus_ipv4_list_temp=$(mktemp)
spamhaus_ipv4_set_temp=$(mktemp)
# Extract all networks from drop.txt and edrop.txt, skipping blank lines and
# comments. Use aggregate-cidr-addresses.pl to merge overlapping IPv4 CIDR
# ranges to work around a firewalld bug.
#
# See: https://bugzilla.redhat.com/show_bug.cgi?id=1836571
cat drop.txt edrop.txt | sed -e '/^$/d' -e '/^;.*/d' -e 's/[[:space:]];[[:space:]].*//' | aggregate-cidr-addresses.pl > "$spamhaus_ipv4_list_temp"
echo "Building spamhaus-ipv4 set"
cat << NFT_HEAD > "$spamhaus_ipv4_set_temp"
#!/usr/sbin/nft -f
define SPAMHAUS_IPV4 = {
NFT_HEAD
while read -r network; do
# nftables doesn't mind if the last element in the set has a trailing
# comma so we don't need to do anything special here.
echo "$network," >> "$spamhaus_ipv4_set_temp"
done < $spamhaus_ipv4_list_temp
echo "}" >> "$spamhaus_ipv4_set_temp"
install -m 0600 "$spamhaus_ipv4_set_temp" "$spamhaus_ipv4_set_path"
rm -f "$spamhaus_ipv4_list_temp" "$spamhaus_ipv4_set_temp"
fi
if [[ -f "dropv6.txt" ]]; then
echo "Processing IPv6 DROP lists"
spamhaus_ipv6_list_temp=$(mktemp)
spamhaus_ipv6_set_temp=$(mktemp)
sed -e '/^$/d' -e '/^;.*/d' -e 's/[[:space:]];[[:space:]].*//' dropv6.txt > "$spamhaus_ipv6_list_temp"
echo "Building spamhaus-ipv6 set"
cat << NFT_HEAD > "$spamhaus_ipv6_set_temp"
#!/usr/sbin/nft -f
define SPAMHAUS_IPV6 = {
NFT_HEAD
while read -r network; do
echo "$network," >> "$spamhaus_ipv6_set_temp"
done < $spamhaus_ipv6_list_temp
echo "}" >> "$spamhaus_ipv6_set_temp"
install -m 0600 "$spamhaus_ipv6_set_temp" "$spamhaus_ipv6_set_path"
rm -f "$spamhaus_ipv6_list_temp" "$spamhaus_ipv6_set_temp"
fi
echo "Reloading nftables"
# The spamhaus nftables sets are included by nftables.conf
/usr/sbin/nft -f /etc/nftables.conf
rm -v drop.txt edrop.txt dropv6.txt

35
roles/common/handlers/main.yml
View File

@@ -1,20 +1,27 @@
---
# file: roles/common/handlers/main.yml
# ansible.builtin.file: roles/common/handlers/main.yml
- name: reload sshd
systemd: name={{ sshd_service_name }} state=reloaded
- name: Reload sshd
ansible.builtin.systemd_service:
name: "{{ sshd_service_name }}"
state: reloaded
- name: reload sysctl
command: sysctl -p /etc/sysctl.conf
- name: Reload sysctl
ansible.builtin.command: sysctl -p /etc/sysctl.conf
- name: restart firewalld
systemd: name=firewalld state=restarted
- name: Reload systemd
ansible.builtin.systemd_service:
daemon_reload: true
- name: restart fail2ban
systemd: name=fail2ban state=restarted
- name: Restart nftables
ansible.builtin.systemd_service:
name: nftables
state: restarted
- name: reload systemd
systemd: daemon_reload=yes
- name: restarted nftables
systemd: name=nftables state=restarted
# 2021-09-28: note to self to keep fail2ban at the end, as handlers are executed
# in the order they are defined, not in the order they are listed in the task's
# notify statement and we must restart fail2ban after updating the firewall.
- name: Restart fail2ban
ansible.builtin.systemd_service:
name: fail2ban
state: restarted

19
roles/common/tasks/cron-apt.yml
View File

@@ -1,12 +1,17 @@
---
- name: Remove cron-apt
ansible.builtin.apt:
name: cron-apt
state: absent
cache_valid_time: 3600
- name: Configure cron-apt (config)
copy: src={{ item.src }} dest={{ item.dest }} mode={{ item.mode }} owner={{ item.owner }} group={{ item.group }}
- name: Remove cron-apt configs
ansible.builtin.file:
path: "{{ item }}"
state: absent
loop:
- { src: 'etc/cron-apt/config', dest: '/etc/cron-apt/config', mode: '0644', owner: 'root', group: 'root' }
- { src: 'etc/cron-apt/3-download', dest: '/etc/cron-apt/action.d/3-download', mode: '0644', owner: 'root', group: 'root' }
- name: Configure cron-apt (security)
template: src=security.sources.list.j2 dest=/etc/apt/security.sources.list mode=0644 owner=root group=root
- /etc/cron-apt/config
- /etc/cron-apt/action.d/3-download
- /etc/apt/security.sources.list
# vim: set ts=2 sw=2:

50
roles/common/tasks/fail2ban.yml
View File

@@ -1,25 +1,55 @@
---
- name: Install fail2ban
when: ansible_facts["distribution_version"] is version('11', '>=')
ansible.builtin.apt:
name:
- fail2ban
- python3-systemd
state: present
cache_valid_time: 3600
- name: Configure fail2ban sshd filter
template: src=etc/fail2ban/jail.d/sshd.local.j2 dest=/etc/fail2ban/jail.d/sshd.local owner=root mode=0644
notify: restart fail2ban
ansible.builtin.template:
src: etc/fail2ban/jail.d/sshd.local.j2
dest: /etc/fail2ban/jail.d/sshd.local
owner: root
mode: "0644"
notify: Restart fail2ban
- name: Configure fail2ban nginx filter
when: "extra_fail2ban_filters is defined and 'nginx' in extra_fail2ban_filters"
template: src=etc/fail2ban/jail.d/nginx.local.j2 dest=/etc/fail2ban/jail.d/nginx.local owner=root mode=0644
notify: restart fail2ban
when:
- webserver is defined and webserver == 'nginx'
- extra_fail2ban_filters is defined
- "'nginx' in extra_fail2ban_filters"
ansible.builtin.template:
src: etc/fail2ban/jail.d/nginx.local.j2
dest: /etc/fail2ban/jail.d/nginx.local
owner: root
mode: "0644"
notify: Restart fail2ban
- name: Create fail2ban service override directory
file: path=/etc/systemd/system/fail2ban.service.d state=directory owner=root mode=0755
ansible.builtin.file:
path: /etc/systemd/system/fail2ban.service.d
state: directory
owner: root
mode: "0755"
# See Arch Linux's example: https://wiki.archlinux.org/index.php/Fail2ban
- name: Configure fail2ban service override
template: src=etc/systemd/system/fail2ban.service.d/override.conf.j2 dest=/etc/systemd/system/fail2ban.service.d/override.conf owner=root mode=0644
ansible.builtin.template:
src: etc/systemd/system/fail2ban.service.d/override.conf.j2
dest: /etc/systemd/system/fail2ban.service.d/override.conf
owner: root
mode: "0644"
notify:
- reload systemd
- restart fail2ban
- Reload systemd
- Restart fail2ban
- name: Start and enable fail2ban service
systemd: name=fail2ban state=started enabled=yes
ansible.builtin.systemd_service:
name: fail2ban
state: started
enabled: true
# vim: set sw=2 ts=2:

25
roles/common/tasks/firewall.yml Normal file
View File

@@ -0,0 +1,25 @@
---
# Debian 11+ will use nftables directly, with no firewalld.
- name: Install Debian firewall packages
when: ansible_facts["distribution_version"] is version('11', '>=')
ansible.builtin.apt:
name: nftables
state: present
cache_valid_time: 3600
- name: Remove iptables on newer Debian
when: ansible_facts["distribution_version"] is version('11', '>=')
ansible.builtin.apt:
pkg: iptables
state: absent
- name: Configure nftables
when: ansible_facts["distribution_version"] is version('11', '>=')
ansible.builtin.include_tasks: nftables.yml
- name: Configure fail2ban
when: ansible_facts["distribution_version"] is version('9', '>=')
ansible.builtin.include_tasks: fail2ban.yml
# vim: set sw=2 ts=2:

148
roles/common/tasks/firewall_Debian.yml
View File

@@ -1,148 +0,0 @@
---
# Debian 11 will use nftables directly, with no firewalld.
- block:
- name: Set Debian firewall packages
when: ansible_distribution_major_version is version('10', '<=')
set_fact:
debian_firewall_packages:
- firewalld
- tidy
- fail2ban
- python3-systemd # for fail2ban systemd backend
- name: Set Debian firewall packages
when: ansible_distribution_major_version is version('11', '>=')
set_fact:
debian_firewall_packages:
- fail2ban
- libnet-ip-perl # for aggregate-cidr-addresses.pl
- nftables
- python3-systemd
- curl # for nftables update scripts
- name: Install firewall packages
apt: pkg={{ debian_firewall_packages }} state=present cache_valid_time=3600
- name: Copy nftables.conf
when: ansible_distribution_major_version is version('11', '>=')
template: src=nftables.conf.j2 dest=/etc/nftables.conf owner=root mode=0644
notify:
- reload nftables
- name: Create /etc/nftables extra config directory
when: ansible_distribution_major_version is version('11', '>=')
file: path=/etc/nftables state=directory owner=root mode=0755
- name: Copy extra nftables configuration files
when: ansible_distribution_major_version is version('11', '>=')
copy: src={{ item }} dest=/etc/nftables/{{ item }} owner=root group=root mode=0644 force=no
loop:
- spamhaus-ipv4.nft
- spamhaus-ipv6.nft
- abusech-ipv4.nft
- abuseipdb-ipv4.nft
- abuseipdb-ipv6.nft
notify:
- reload nftables
- name: Use iptables backend in firewalld
when: ansible_distribution_major_version is version('10', '==')
lineinfile:
dest: /etc/firewalld/firewalld.conf
regexp: '^FirewallBackend=nftables$'
line: 'FirewallBackend=iptables'
notify:
- restart firewalld
# firewalld seems to have an issue with iptables 1.8.2 when using the nftables
# backend. Using individual calls seems to work around it.
# See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931722
- name: Use individual iptables calls
when: ansible_distribution_major_version is version('10', '==')
lineinfile:
dest: /etc/firewalld/firewalld.conf
regexp: '^IndividualCalls=no$'
line: 'IndividualCalls=yes'
notify:
- restart firewalld
- name: Copy firewalld public zone file
when: ansible_distribution_major_version is version('10', '<=')
template: src=public.xml.j2 dest=/etc/firewalld/zones/public.xml owner=root mode=0600
- name: Format public.xml firewalld zone file
when: ansible_distribution_major_version is version('10', '<=')
command: tidy -xml -iq -m -w 0 /etc/firewalld/zones/public.xml
notify:
- restart firewalld
- name: Copy firewalld ipsets of abusive IPs
when: ansible_distribution_major_version is version('10', '<=')
copy: src={{ item }} dest=/etc/firewalld/ipsets/{{ item }} owner=root group=root mode=0600
loop:
- abusers-ipv4.xml
- abusers-ipv6.xml
- spamhaus-ipv4.xml
- spamhaus-ipv6.xml
notify:
- restart firewalld
- name: Copy Spamhaus firewalld update script
when: ansible_distribution_version is version('10', '<=')
copy: src=update-spamhaus-lists.sh dest=/usr/local/bin/update-spamhaus-lists.sh mode=0755 owner=root group=root
- name: Copy Spamhaus firewalld systemd units
when: ansible_distribution_version is version('10', '<=')
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root
loop:
- update-spamhaus-lists.service
- update-spamhaus-lists.timer
register: spamhaus_firewalld_systemd_units
- name: Copy Spamhaus nftables update scripts
when: ansible_distribution_version is version('11', '>=')
copy: src={{ item }} dest=/usr/local/bin/{{ item }} mode=0755 owner=root group=root
loop:
- update-spamhaus-nftables.sh
- aggregate-cidr-addresses.pl
- update-abusech-nftables.sh
- name: Copy nftables systemd units
when: ansible_distribution_version is version('11', '>=')
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root
loop:
- update-spamhaus-nftables.service
- update-spamhaus-nftables.timer
- update-abusech-nftables.service
- update-abusech-nftables.timer
register: nftables_systemd_units
# need to reload to pick up service/timer/environment changes
- name: Reload systemd daemon
systemd: daemon_reload=yes
when: spamhaus_firewalld_systemd_units is changed or
nftables_systemd_units is changed
- name: Start and enable Spamhaus firewalld update timer
when: ansible_distribution_version is version('10', '<=')
systemd: name=update-spamhaus-lists.timer state=started enabled=yes
notify:
- restart firewalld
- name: Start and enable nftables update timers
when: ansible_distribution_version is version('11', '>=')
systemd: name={{ item }} state=started enabled=yes
loop:
- update-spamhaus-nftables.timer
- update-abusech-nftables.timer
- name: Start and enable nftables
when: ansible_distribution_major_version is version('11', '>=')
systemd: name=nftables state=started enabled=yes
- include_tasks: fail2ban.yml
when: ansible_distribution_major_version is version('9', '>=')
tags: firewall
# vim: set sw=2 ts=2:

133
roles/common/tasks/firewall_Ubuntu.yml
View File

@@ -1,133 +0,0 @@
---
# Ubuntu 20.04 will use nftables directly, with no firewalld.
# Ubuntu 18.04 will use firewalld with the nftables backend.
# Ubuntu 16.04 will use firewalld with the iptables backend.
- block:
- name: Set Ubuntu firewall packages
when: ansible_distribution_version is version('20.04', '<')
set_fact:
ubuntu_firewall_packages:
- firewalld
- tidy
- fail2ban
- python3-systemd # for fail2ban systemd backend
- name: Set Ubuntu firewall packages
when: ansible_distribution_version is version('20.04', '>=')
set_fact:
ubuntu_firewall_packages:
- fail2ban
- libnet-ip-perl # for aggregate-cidr-addresses.pl
- nftables
- python3-systemd
- curl # for nftables update scripts
- name: Install firewall packages
apt: pkg={{ ubuntu_firewall_packages }} state=present cache_valid_time=3600
- name: Remove ufw
when: ansible_distribution_version is version('16.04', '>=')
apt: pkg=ufw state=absent
- name: Copy nftables.conf
when: ansible_distribution_version is version('20.04', '>=')
template: src=nftables.conf.j2 dest=/etc/nftables.conf owner=root mode=0644
notify:
- restart nftables
- name: Create /etc/nftables extra config directory
when: ansible_distribution_version is version('20.04', '>=')
file: path=/etc/nftables state=directory owner=root mode=0755
- name: Copy extra nftables configuration files
when: ansible_distribution_version is version('20.04', '>=')
copy: src={{ item }} dest=/etc/nftables/{{ item }} owner=root group=root mode=0644 force=no
loop:
- spamhaus-ipv4.nft
- spamhaus-ipv6.nft
- abusech-ipv4.nft
- abuseipdb-ipv4.nft
- abuseipdb-ipv6.nft
notify:
- restart nftables
- name: Copy firewalld public zone file
when: ansible_distribution_version is version('18.04', '<=')
template: src=public.xml.j2 dest=/etc/firewalld/zones/public.xml owner=root mode=0600
- name: Format public.xml firewalld zone file
when: ansible_distribution_version is version('18.04', '<=')
command: tidy -xml -iq -m -w 0 /etc/firewalld/zones/public.xml
notify:
- restart firewalld
- name: Copy firewalld ipsets of abusive IPs
when: ansible_distribution_version is version('18.04', '<=')
copy: src={{ item }} dest=/etc/firewalld/ipsets/{{ item }} owner=root group=root mode=0600
loop:
- abusers-ipv4.xml
- abusers-ipv6.xml
- spamhaus-ipv4.xml
- spamhaus-ipv6.xml
notify:
- restart firewalld
- name: Copy Spamhaus firewalld update script
when: ansible_distribution_version is version('18.04', '<=')
copy: src=update-spamhaus-lists.sh dest=/usr/local/bin/update-spamhaus-lists.sh mode=0755 owner=root group=root
- name: Copy Spamhaus firewalld systemd units
when: ansible_distribution_version is version('18.04', '<=')
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root
loop:
- update-spamhaus-lists.service
- update-spamhaus-lists.timer
register: spamhaus_firewalld_systemd_units
- name: Copy nftables update scripts
when: ansible_distribution_version is version('20.04', '>=')
copy: src={{ item }} dest=/usr/local/bin/{{ item }} mode=0755 owner=root group=root
loop:
- update-spamhaus-nftables.sh
- aggregate-cidr-addresses.pl
- update-abusech-nftables.sh
- name: Copy nftables systemd units
when: ansible_distribution_version is version('20.04', '>=')
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root
loop:
- update-spamhaus-nftables.service
- update-spamhaus-nftables.timer
- update-abusech-nftables.service
- update-abusech-nftables.timer
register: nftables_systemd_units
# need to reload to pick up service/timer/environment changes
- name: Reload systemd daemon
systemd: daemon_reload=yes
when: spamhaus_firewalld_systemd_units is changed or
nftables_systemd_units is changed
- name: Start and enable Spamhaus firewalld update timer
when: ansible_distribution_version is version('18.04', '<=')
systemd: name=update-spamhaus-lists.timer state=started enabled=yes
notify:
- restart firewalld
- name: Start and enable nftables update timers
when: ansible_distribution_version is version('20.04', '>=')
systemd: name={{ item }} state=started enabled=yes
loop:
- update-spamhaus-nftables.timer
- update-abusech-nftables.timer
- name: Start and enable nftables
when: ansible_distribution_version is version('20.04', '>=')
systemd: name=nftables state=started enabled=yes
- include_tasks: fail2ban.yml
when: ansible_distribution_version is version('16.04', '>=')
tags: firewall
# vim: set sw=2 ts=2:

46
roles/common/tasks/main.yml
View File

@@ -1,54 +1,48 @@
---
- name: Import OS-specific variables
include_vars: "vars/{{ ansible_distribution }}.yml"
ansible.builtin.include_vars: vars/{{ ansible_facts["distribution"] }}.yml
tags: always
- name: Configure network time
import_tasks: ntp.yml
ansible.builtin.import_tasks: ntp.yml
tags: ntp
- name: Install common packages
include_tasks: packages_Debian.yml
when: ansible_distribution == 'Debian'
tags: packages
- name: Install common packages
include_tasks: packages_Ubuntu.yml
when: ansible_distribution == 'Ubuntu'
ansible.builtin.include_tasks: packages.yml
tags: packages
- name: Configure firewall
include_tasks: firewall_Debian.yml
when: ansible_distribution == 'Debian'
tags: firewall
- name: Configure firewall
include_tasks: firewall_Ubuntu.yml
when: ansible_distribution == 'Ubuntu'
ansible.builtin.import_tasks: firewall.yml
tags: firewall
- name: Configure secure shell daemon
import_tasks: sshd.yml
ansible.builtin.import_tasks: sshd.yml
tags: sshd
# containers identify as virtualization hosts, which makes this tricky, because we have actual Debian VM hosts!
- name: Reconfigure /etc/sysctl.conf
when: ansible_virtualization_role != 'host'
template: src=sysctl_{{ ansible_distribution }}.j2 dest=/etc/sysctl.conf owner=root group=root mode=0644
when: ansible_facts["virtualization_role"] != 'host'
ansible.builtin.template:
src: "sysctl_{{ ansible_facts['distribution'] }}.j2"
dest: /etc/sysctl.conf
owner: root
group: root
mode: "0644"
notify:
- reload sysctl
- Reload sysctl
tags: sysctl
- name: Reconfigure /etc/rc.local
when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('19.04', '<=')
template: src=rc.local_Ubuntu.j2 dest=/etc/rc.local owner=root group=root mode=0755
- name: Set I/O scheduler
template: src=etc/udev/rules.d/60-scheduler.rules.j2 dest=/etc/udev/rules.d/60-scheduler.rules owner=root group=root mode=0644
ansible.builtin.template:
src: etc/udev/rules.d/60-scheduler.rules.j2
dest: /etc/udev/rules.d/60-scheduler.rules
owner: root
group: root
mode: "0644"
tags: udev
- name: Copy admin SSH keys
import_tasks: ssh-keys.yml
ansible.builtin.import_tasks: ssh-keys.yml
tags: ssh-keys
# vim: set sw=2 ts=2:

69
roles/common/tasks/nftables.yml Normal file
View File

@@ -0,0 +1,69 @@
---
# Common nftables tasks for Debian 11 and Debian 12.
- name: Copy nftables.conf
ansible.builtin.template:
src: nftables.conf.j2
dest: /etc/nftables.conf
owner: root
mode: "0644"
notify:
- Restart nftables
- name: Create /etc/nftables extra config directory
ansible.builtin.file:
path: /etc/nftables
state: directory
owner: root
mode: "0755"
- name: Copy extra nftables configuration files
ansible.builtin.copy:
src: firehol_level1-ipv4.nft
dest: /etc/nftables/firehol_level1-ipv4.nft
owner: root
group: root
mode: "0644"
force: false
notify:
- Restart nftables
- name: Copy nftables update scripts
ansible.builtin.template:
src: update-firehol-nftables.sh.j2
dest: /usr/local/bin/update-firehol-nftables.sh
mode: "0755"
owner: root
group: root
- name: Copy nftables systemd units
ansible.builtin.copy:
src: "{{ item }}"
dest: /etc/systemd/system/{{ item }}
mode: "0644"
owner: root
group: root
loop:
- update-firehol-nftables.service
- update-firehol-nftables.timer
register: nftables_systemd_units
# need to reload to pick up service/timer/environment changes
- name: Reload systemd daemon
when: nftables_systemd_units is changed
ansible.builtin.systemd_service: # noqa no-handler
daemon_reload: true
- name: Start and enable nftables update timers
ansible.builtin.systemd_service:
name: update-firehol-nftables.timer
state: started
enabled: true
- name: Start and enable nftables
ansible.builtin.systemd_service:
name: nftables
state: started
enabled: true
# vim: set sw=2 ts=2:

42
roles/common/tasks/ntp.yml
View File

@@ -1,18 +1,40 @@
---
# Hosts running Ubuntu 16.04+ and Debian 9+ use systemd init system and should
# use timedatectl as a network time client instead of the standalone ntp client.
# Hosts running Debian 9+ use systemd init system and can use systemd-timesyncd
# as a network time client instead of the standalone ntp client.
- name: Set timezone
when: timezone is defined and ansible_service_mgr == 'systemd'
command: /usr/bin/timedatectl set-timezone {{ timezone }}
when:
- timezone is defined
- ansible_facts["service_mgr"] == 'systemd'
community.general.timezone:
name: "{{ timezone }}"
tags: timezone
- name: Start and enable systemd's NTP client
when: ansible_service_mgr == 'systemd'
systemd: name=systemd-timesyncd state=started enabled=yes
# Apparently some cloud images don't have this installed by default. From what
# I can see on existing servers, systemd-timesyncd is a standalone package on
# Debian 11 and Debian 12.
- name: Install systemd-timesyncd
when: ansible_facts["distribution_version"] is version('11', '>=')
ansible.builtin.apt:
name: systemd-timesyncd
state: present
cache_valid_time: 3600
- name: Uninstall ntp on modern Ubuntu/Debian
apt: name=ntp state=absent update_cache=yes
when: ansible_service_mgr == 'systemd'
- name: Start and enable systemd's NTP client
when: ansible_facts["service_mgr"] == 'systemd'
ansible.builtin.systemd_service:
name: systemd-timesyncd
state: started
enabled: true
# On Debian 12 ntp doesn't conflict with systemd-timesyncd so we should try to
# remove it to be sure.
- name: Uninstall ntp on Debian 12
when:
- ansible_facts["service_mgr"] == 'systemd'
- ansible_facts["distribution_major_version"] is version('12', '==')
ansible.builtin.apt:
name: ntp
state: absent
# vim: set ts=2 sw=2:

57
roles/common/tasks/packages.yml Normal file
View File

@@ -0,0 +1,57 @@
---
- name: Configure Debian packages
tags: packages
block:
# Scaleway seems to use a weird sources.list format as of Debian 12?
- name: Check for weird Debian sources
ansible.builtin.stat:
path: /etc/apt/sources.list.d/debian.sources
register: weird_debian_sources_stat
- name: Configure apt mirror
when:
- ansible_facts["architecture"] != 'armv7l'
- not weird_debian_sources_stat
ansible.builtin.template:
src: sources.list.j2
dest: /etc/apt/sources.list
owner: root
group: root
mode: "0644"
- name: Set fact for base packages
ansible.builtin.set_fact:
base_packages:
- git
- git-lfs
- tmux
- iotop
- htop
- strace
- safe-rm
- debian-goodies
- mosh
- python3-pycurl # for ansible's apt_repository
- vim
- unzip
- apt-transport-https # for https support in apt
- gnupg2
- zstd
- rsync
- lsof
- unattended-upgrades
- name: Install base packages
ansible.builtin.apt:
name: "{{ base_packages }}"
state: present
cache_valid_time: 3600
- name: Remove cron-apt
tags: cron-apt
ansible.builtin.import_tasks: cron-apt.yml
- name: Install tarsnap
ansible.builtin.import_tasks: tarsnap.yml
# vim: set sw=2 ts=2:

38
roles/common/tasks/packages_Debian.yml
View File

@@ -1,38 +0,0 @@
---
- block:
- name: Configure apt mirror
template: src=sources.list.j2 dest=/etc/apt/sources.list owner=root group=root mode=0644
when: ansible_architecture != 'armv7l'
- name: Set fact for base packages
set_fact:
base_packages:
- git
- tmux
- iotop
- htop
- strace
- cron-apt
- safe-rm
- debian-goodies
- mosh
- python3-pycurl # for ansible's apt_repository
- vim
- unzip
- apt-transport-https # for https support in apt
- gnupg2
- zstd
- name: Install base packages
apt: name={{ base_packages }} state=present update_cache=yes cache_valid_time=3600
- name: Configure cron-apt
import_tasks: cron-apt.yml
tags: cron-apt
- name: Install tarsnap
import_tasks: tarsnap.yml
tags: packages
# vim: set sw=2 ts=2:

105
roles/common/tasks/packages_Ubuntu.yml
View File

@@ -1,105 +0,0 @@
---
- block:
- name: Configure apt mirror
template: src=sources.list.j2 dest=/etc/apt/sources.list owner=root group=root mode=0644
when: ansible_architecture != 'armv7l'
- name: Upgrade base OS
apt: upgrade=dist update_cache=yes cache_valid_time=3600
- name: Set Ubuntu base packages
set_fact:
ubuntu_base_packages:
- git
- tmux
- iotop
- htop
- strace
- cron-apt
- safe-rm
- debian-goodies
- mosh
- python-pycurl # for ansible's apt_repository
- vim
- unzip
- apt-transport-https # for https support in apt
- zstd
- name: Install base packages
apt: pkg={{ ubuntu_base_packages }} state=present update_cache=yes cache_valid_time=3600
# We have to remove snaps one by one in a specific order because some depend
# on others. Only after that can we remove the corresponding system packages.
- name: Remove lxd snap
snap: name=lxd state=absent
when: ansible_distribution_version is version('20.04', '==')
ignore_errors: yes
- name: Remove core18 snap
snap: name=core18 state=absent
when: ansible_distribution_version is version('20.04', '==')
ignore_errors: yes
- name: Remove snapd snap
snap: name=snapd state=absent
when: ansible_distribution_version is version('20.04', '==')
ignore_errors: yes
- name: Set fact for packages to remove (Ubuntu <= 18.04)
set_fact:
ubuntu_annoying_packages:
- whoopsie # security (CIS 4.1)
- apport # security (CIS 4.1)
- command-not-found # annoying
- command-not-found-data # annoying
- python3-commandnotfound # annoying
- snapd # annoying (Ubuntu >= 16.04)
- lxd # annoying (Ubuntu >= 16.04)
- lxd-client # annoying (Ubuntu >= 16.04)
- liblxc1 # annoying (Ubuntu >= 16.04)
- lxc-common # annoying (Ubuntu >= 16.04)
- lxcfs #annoying (Ubuntu >= 16.04)
when: ansible_distribution_version is version('18.04', '<=')
- name: Set fact for packages to remove (Ubuntu 20.04)
set_fact:
ubuntu_annoying_packages:
- whoopsie # security (CIS 4.1)
- apport # security (CIS 4.1)
- command-not-found # annoying
- command-not-found-data # annoying
- python3-commandnotfound # annoying
- snapd # annoying (Ubuntu >= 16.04)
- lxd-agent-loader # annoying (Ubuntu 20.04)
when: ansible_distribution_version is version('20.04', '==')
- name: Remove packages
apt: name={{ ubuntu_annoying_packages }} state=absent purge=yes
- name: Disable annoying Canonical spam in MOTD
file: path={{ item }} mode=0644 state=absent
loop:
- /etc/update-motd.d/99-esm # Ubuntu 14.04
- /etc/update-motd.d/10-help-text # Ubuntu 14.04+
- /etc/update-motd.d/50-motd-news # Ubuntu 18.04+
- /etc/update-motd.d/80-esm # Ubuntu 18.04+
- /etc/update-motd.d/80-livepatch # Ubuntu 18.04+
ignore_errors: yes
- name: Disable annoying Canonical spam in MOTD
systemd: name={{ item }} state=stopped enabled=no
when: ansible_service_mgr == 'systemd'
loop:
- motd-news.service
- motd-news.timer
- name: Configure cron-apt
import_tasks: cron-apt.yml
tags: cron-apt
- name: Install tarsnap
import_tasks: tarsnap.yml
tags: packages
# vim: set sw=2 ts=2:

6
roles/common/tasks/ssh-keys.yml
View File

@@ -1,9 +1,11 @@
---
- name: Zero .ssh/authorized_keys for provisioning user
file: dest={{ provisioning_user.home }}/.ssh/authorized_keys state=absent
ansible.builtin.file:
dest: "{{ provisioning_user.home }}/.ssh/authorized_keys"
state: absent
- name: Add public keys to authorized_keys
authorized_key: { user: '{{ provisioning_user.name }}', key: "{{ lookup('file',item) }}" }
ansible.posix.authorized_key: { user: "{{ provisioning_user.name }}", key: "{{ lookup('file', item) }}" }
with_fileglob:
# use descriptive names for keys, like: aorth-mzito-rsa.pub
- ssh-pub-keys/*.pub

63
roles/common/tasks/sshd.yml
View File

@@ -1,25 +1,62 @@
---
# SSH configs don't change in Debian minor versions
# Only override the system sshd configuration on older Debian.
- name: Reconfigure /etc/ssh/sshd_config
template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0600
when: ansible_distribution == 'Debian'
notify: reload sshd
when: ansible_facts["distribution_version"] is version('12', '<=')
ansible.builtin.template:
src: "sshd_config_{{ ansible_facts['distribution'] }}-{{ ansible_facts['distribution_major_version'] }}.j2"
dest: /etc/ssh/sshd_config
owner: root
group: root
mode: "0600"
notify: Reload sshd
# Ubuntu is the only distro we have where SSH version is very different from 14.04 -> 14.10,
# ie with new ciphers supported etc.
- name: Reconfigure /etc/ssh/sshd_config
template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0600
when: ansible_distribution == 'Ubuntu'
notify: reload sshd
# Newer OpenSSH versions support including extra configuration. The includes
# happen at the beginning of the file and the first value to be read is used.
- name: Configure sshd_config.d overrides
when: ansible_facts["distribution_version"] is version('13', '>=')
ansible.builtin.template:
src: etc/ssh/sshd_config.d/01-{{ ansible_facts["distribution"] }}-{{ ansible_facts["distribution_major_version"] }}.conf.j2
dest: /etc/ssh/sshd_config.d/01-custom.conf
owner: root
group: root
mode: "0600"
notify: Reload sshd
# See: WeakDH (2015): https://weakdh.org/sysadmin.html
- name: Remove small Diffie-Hellman SSH moduli
block:
- name: Check unsafe Diffie-Hellman SSH moduli
ansible.builtin.shell:
cmd: awk '$5 < 3071' moduli
chdir: /etc/ssh
creates: moduli.safe
register: check_unsafe_moduli
- name: Extract safe Diffie-Hellman SSH moduli
when: check_unsafe_moduli.stdout | length > 0
ansible.builtin.shell:
cmd: awk '$5 >= 3071' moduli > moduli.safe
chdir: /etc/ssh
creates: moduli.safe
register: extract_safe_moduli
- name: Replace unsafe Diffie-Hellman SSH moduli
when: extract_safe_moduli is changed
ansible.builtin.command:
cmd: mv moduli.safe moduli
chdir: /etc/ssh
register: replace_small_moduli
notify: Reload sshd
- name: Remove DSA and ECDSA host keys
file: name=/etc/ssh/{{ item }} state=absent
ansible.builtin.file:
name: "/etc/ssh/{{ item }}"
state: absent
loop:
- ssh_host_dsa_key
- ssh_host_dsa_key.pub
- ssh_host_ecdsa_key
- ssh_host_ecdsa_key.pub
notify: reload sshd
notify: Reload sshd
# vim: set sw=2 ts=2:

49
roles/common/tasks/tarsnap.yml
View File

@@ -1,24 +1,45 @@
---
- name: Add Tarsnap apt mirror
template: src=tarsnap_sources.list.j2 dest=/etc/apt/sources.list.d/tarsnap.list owner=root group=root mode=0644
register: add_tarsnap_apt_repository
when: ansible_architecture != 'armv7l'
- name: Check tarsnap apt signing key
ansible.builtin.stat:
path: /etc/apt/keyrings/tarsnap-deb-packaging-key.asc
register: tarsnap_signing_key_stat
- name: Add GPG key for Tarsnap
apt_key: id=0xBF75EEAB040E447C url=https://pkg.tarsnap.com/tarsnap-deb-packaging-key.asc state=present
register: add_tarsnap_apt_key
- name: Download tarsnap apt signing key
when: not tarsnap_signing_key_stat.stat.exists
ansible.builtin.get_url:
url: https://pkg.tarsnap.com/tarsnap-deb-packaging-key.asc
dest: /etc/apt/keyrings/tarsnap-deb-packaging-key.asc
owner: root
group: root
mode: "0644"
register: download_tarsnap_signing_key
- name: Add tarsnap.org repo
when: ansible_facts["architecture"] != 'armv7l'
ansible.builtin.template:
src: tarsnap_sources.list.j2
dest: /etc/apt/sources.list.d/tarsnap.list
owner: root
group: root
mode: "0644"
register: add_tarsnap_apt_repository
- name: Update apt cache
apt:
update_cache: yes
when:
add_tarsnap_apt_key is changed or
add_tarsnap_apt_repository is changed
when: (download_tarsnap_signing_key.status_code is defined and download_tarsnap_signing_key.status_code == 200) or add_tarsnap_apt_repository is changed
ansible.builtin.apt: # noqa no-handler
update_cache: true
- name: Install tarsnap
apt: pkg=tarsnap cache_valid_time=3600
ansible.builtin.apt:
pkg: tarsnap
cache_valid_time: 3600
- name: Copy tarsnaprc
copy: src=tarsnaprc dest=/root/.tarsnaprc owner=root group=root mode=0600
ansible.builtin.copy:
src: tarsnaprc
dest: /root/.tarsnaprc
owner: root
group: root
mode: "0600"
# vim: set sw=2 ts=2:

6
roles/common/templates/etc/fail2ban/jail.d/nginx.local.j2
View File

@@ -2,13 +2,9 @@
enabled = true
# See: /etc/fail2ban/filter.d/nginx-botsearch.conf
filter = nginx-botsearch
{% if (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11', '>=')) or (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '>=')) %}
# Integrate with nftables
banaction=nftables[type=allports]
{% else %}
# Integrate with firewalld and ipsets
banaction = firewallcmd-ipset
{% endif %}
backend = pyinotify
logpath = /var/log/nginx/*-access.log
# Try to find a non-existent wp-login.php once and get banned. Tough luck.
maxretry = 1

5
roles/common/templates/etc/fail2ban/jail.d/sshd.local.j2
View File

@@ -2,13 +2,8 @@
enabled = true
# See: /etc/fail2ban/filter.d/sshd.conf
filter = sshd
{% if (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11', '>=')) or (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '>=')) %}
# Integrate with nftables
banaction=nftables[type=allports]
{% else %}
# Integrate with firewalld and ipsets
banaction = firewallcmd-ipset
{% endif %}
backend = systemd
maxretry = {{ fail2ban_maxretry }}
findtime = {{ fail2ban_findtime }}

40
roles/common/templates/etc/ssh/sshd_config.d/01-Debian-13.conf.j2 Normal file
View File

@@ -0,0 +1,40 @@
{{ ansible_managed | comment }}
HostKey /etc/ssh/ssh_host_ed25519_key
# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear
# audit track of which key was using to log in.
LogLevel VERBOSE
MaxAuthTries 4
AuthorizedKeysFile .ssh/authorized_keys
# To disable tunneled clear text passwords, change to no here!
{% if ssh_password_authentication == 'disabled' %}
PasswordAuthentication no
{% else %}
PasswordAuthentication yes
{% endif %}
X11Forwarding no
# Based on the ssh-audit profile for Debian 13, but with but with all algos with
# less than 256 bits removed, as NSA's Suite B removed them years ago and the
# new (2018) CNSA suite is 256 bits and up.
#
# See: ssh-audit.py -P "Hardened Debian 13 (version 1)"
# See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms mlkem768x25519-sha256,sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com
{% if ssh_allowed_users is defined and ssh_allowed_users %}
AllowUsers {{ ssh_allowed_users|join(" ") }} {{ provisioning_user.name }}
{% endif %}
PerSourcePenaltyExemptList {{ fail2ban_ignoreip | replace(" ", ",") }}
# Mask to use for IPv4 and IPv6 respectively when applying network penalties.
# The default is 32:128.
PerSourceNetBlockSize 24:56

8
roles/common/templates/etc/systemd/system/fail2ban.service.d/override.conf.j2
View File

@@ -1,15 +1,19 @@
[Unit]
# If nftables is stopped or restarted, propagate to fail2ban as well
PartOf=nftables.service
[Service]
PrivateDevices=yes
PrivateTmp=yes
ProtectHome=read-only
{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11','>=')) %}
{% if ansible_facts["distribution_version"] is version('11','>=') %}
ProtectSystem=strict
{% else %}
{# Older systemd versions don't have ProtectSystem=strict #}
ProtectSystem=full
{% endif %}
NoNewPrivileges=yes
{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11','>=')) %}
{% if ansible_facts["distribution_version"] is version('11','>=') %}
ReadWritePaths=-/var/run/fail2ban
ReadWritePaths=-/var/lib/fail2ban
ReadWritePaths=-/var/log/fail2ban.log

56
roles/common/templates/nftables.conf.j2
View File

@@ -5,47 +5,18 @@
flush ruleset
# Lists updated daily by update-spamhaus-nftables.sh
include "/etc/nftables/spamhaus-ipv4.nft"
include "/etc/nftables/spamhaus-ipv6.nft"
# Lists updated monthly (manually)
include "/etc/nftables/abuseipdb-ipv4.nft"
include "/etc/nftables/abuseipdb-ipv6.nft"
# Lists updated daily by update-abusech-nftables.sh
include "/etc/nftables/abusech-ipv4.nft"
# List updated daily by update-firehol-nftables.sh
include "/etc/nftables/firehol_level1-ipv4.nft"
# Notes:
# - tables hold chains, chains hold rules
# - inet is for both ipv4 and ipv6
table inet filter {
set spamhaus-ipv4 {
set firehol_level1-ipv4 {
type ipv4_addr
# if the set contains prefixes we need to use the interval flag
flags interval
elements = $SPAMHAUS_IPV4
}
set spamhaus-ipv6 {
type ipv6_addr
flags interval
elements = $SPAMHAUS_IPV6
}
set abusech-ipv4 {
type ipv4_addr
elements = $ABUSECH_IPV4
}
set abuseipdb-ipv4 {
type ipv4_addr
elements = $ABUSEIPDB_IPV4
}
set abuseipdb-ipv6 {
type ipv6_addr
elements = $ABUSEIPDB_IPV6
elements = $FIREHOL_LEVEL1_IPV4
}
chain input {
@@ -55,13 +26,7 @@ table inet filter {
ct state invalid counter drop comment "Early drop of invalid connections"
ip saddr @spamhaus-ipv4 counter drop comment "Early drop of incoming packets matching spamhaus-ipv4 list"
ip6 saddr @spamhaus-ipv6 counter drop comment "Early drop of incoming packets matching spamhaus-ipv6 list"
ip saddr @abusech-ipv4 counter drop comment "Early drop of packets matching abusech-ipv4 list"
ip saddr @abuseipdb-ipv4 counter drop comment "Early drop of incoming packets matching abuseipdb-ipv4 list"
ip6 saddr @abuseipdb-ipv6 counter drop comment "Early drop of incoming packets matching abuseipdb-ipv6 list"
ip saddr @firehol_level1-ipv4 counter drop comment "Early drop of incoming packets matching firehol_level1-ipv4 list"
iifname lo accept comment "Allow from loopback"
@@ -81,6 +46,9 @@ table inet filter {
ip6 saddr ::/0 ct state new tcp dport 443 counter accept comment "Allow HTTPS"
{% endif %}
ip saddr 0.0.0.0/0 ct state new udp dport 60001-60003 counter accept comment "Allow mosh"
ip6 saddr ::/0 ct state new udp dport 60001-60003 counter accept comment "Allow mosh"
{# Extra rules #}
{% if extra_iptables_rules is defined %}
{% for rule in extra_iptables_rules %}
@@ -102,12 +70,6 @@ table inet filter {
chain output {
type filter hook output priority 0;
ip daddr @spamhaus-ipv4 counter drop comment "Drop outgoing packets matching spamhaus-ipv4 list"
ip6 daddr @spamhaus-ipv6 counter drop comment "Drop outgoing packets matching spamhaus-ipv6 list"
ip daddr @abusech-ipv4 counter drop comment "Drop outgoing packets matching abusech-ipv4 list"
ip daddr @abuseipdb-ipv4 counter drop comment "Drop outgoing packets matching abuseipdb-ipv4 list"
ip6 daddr @abuseipdb-ipv6 counter drop comment "Drop outgoing packets matching abuseipdb-ipv6 list"
ip daddr @firehol_level1-ipv4 counter drop comment "Drop outgoing packets matching firehol_level1-ipv4 list"
}
}

81
roles/common/templates/public.xml.j2
View File

@@ -1,81 +0,0 @@
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<interface name="{{ ansible_default_ipv4.interface }}"/>
{# ssh rules #}
<rule family="ipv4">
<source address="0.0.0.0/0"/>
<port protocol="tcp" port="22"/>
<accept/>
</rule>
{# ipv6 ssh rules #}
<rule family="ipv6">
<source address="::/0"/>
<port protocol="tcp" port="22"/>
<accept/>
</rule>
{# web rules #}
<rule family="ipv4">
<source address="0.0.0.0/0"/>
<port protocol="tcp" port="80"/>
<accept/>
</rule>
{# ipv6 web rules #}
<rule family="ipv6">
<source address="::/0"/>
<port protocol="tcp" port="80"/>
<accept/>
</rule>
{# munin rules #}
{% if munin_master_host is defined %}
<rule family="ipv4">
<source address="{{ ghetto_ipsets[munin_master_host].src }}"/>
<port protocol="tcp" port="{{ munin_node_port }}"/>
<accept/>
</rule>
{% endif %}
{# extra rules #}
{% if extra_iptables_rules is defined %}
{% for rule in extra_iptables_rules %}
<rule family="ipv4">
<source address="{{ ghetto_ipsets[rule.acl].src }}"/>
<port protocol="{{ rule.protocol }}" port="{{ rule.port }}"/>
<accept/>
</rule>
{# ipv6 extra rules #}
{% if ghetto_ipsets[rule.acl].ipv6src is defined %}
<rule family="ipv6">
<source address="{{ ghetto_ipsets[rule.acl].ipv6src }}"/>
<port protocol="{{ rule.protocol }}" port="{{ rule.port }}"/>
<accept/>
</rule>
{% endif %}
{% endfor %}
{% endif %}
<rule>
<source ipset="abusers-ipv4"/>
<drop/>
</rule>
<rule>
<source ipset="abusers-ipv6"/>
<drop/>
</rule>
<rule>
<source ipset="spamhaus-ipv4"/>
<drop/>
</rule>
<rule>
<source ipset="spamhaus-ipv6"/>
<drop/>
</rule>
</zone>

14
roles/common/templates/rc.local_Ubuntu.j2
View File

@@ -1,14 +0,0 @@
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
exit 0

5
roles/common/templates/security.sources.list.j2
View File

@@ -1,5 +0,0 @@
{% if ansible_distribution == 'Ubuntu' %}
deb http://security.ubuntu.com/ubuntu {{ ansible_distribution_release }}-security main restricted universe multiverse
{% elif ansible_distribution == 'Debian' %}
deb http://security.debian.org/debian-security {{ ansible_distribution_release }}/updates main contrib non-free
{% endif %}

10
roles/common/templates/sources.list.j2
View File

@@ -1,16 +1,6 @@
{% if ansible_distribution == 'Ubuntu' %}
{% set apt_mirror = apt_mirror | default("ubuntu.mirror.ac.ke") %}
deb http://{{ apt_mirror }}/ubuntu/ {{ ansible_distribution_release }} main restricted universe multiverse
deb http://{{ apt_mirror }}/ubuntu/ {{ ansible_distribution_release }}-updates main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu/ {{ ansible_distribution_release }}-security main restricted universe multiverse
{% else %}
{% set apt_mirror = apt_mirror | default('deb.debian.org') %}
deb http://{{ apt_mirror }}/debian/ {{ ansible_distribution_release }} main contrib non-free
deb http://security.debian.org/debian-security {{ ansible_distribution_release }}-security main contrib non-free
deb http://{{ apt_mirror }}/debian/ {{ ansible_distribution_release }}-updates main contrib non-free
{% endif %} {# ansible_distribution #}

20
roles/common/templates/sshd_config_Debian-11.j2
View File

@@ -56,7 +56,11 @@ AuthorizedKeysFile .ssh/authorized_keys
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
{% if ssh_password_authentication == 'disabled' %}
PasswordAuthentication no
{% else %}
PasswordAuthentication yes
{% endif %}
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
@@ -122,7 +126,7 @@ Subsystem sftp /usr/lib/openssh/sftp-server
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
# Based on the ssh-audit profile for OpenSSH 8.4, but with but with all algos
# with less than 256 bits removed, as NSA's Suite B removed them years ago and
# the new (2018) CNSA suite is 256 bits and up.
@@ -131,8 +135,12 @@ Subsystem sftp /usr/lib/openssh/sftp-server
# See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
# only allow shell access by provisioning user
AllowUsers {{ provisioning_user.name }}
{% if ssh_allowed_users is defined and ssh_allowed_users %}
# Is there a list of allowed users?
# Is it populated? (An empty list is 'None', which evaluates as False in Python)
# merge the items of a list into one string using a space as a separator
# http://jinja.pocoo.org/docs/dev/templates/#join
AllowUsers {{ ssh_allowed_users|join(" ") }} {{ provisioning_user.name }}
{% endif %}

36
roles/common/templates/sshd_config_Ubuntu-20.04.j2 → roles/common/templates/sshd_config_Debian-12.j2
View File

@@ -1,9 +1,8 @@
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/bin:/usr/games
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
@@ -18,6 +17,7 @@ Include /etc/ssh/sshd_config.d/*.conf
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
@@ -56,12 +56,16 @@ AuthorizedKeysFile .ssh/authorized_keys
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
{% if ssh_password_authentication == 'disabled' %}
PasswordAuthentication no
{% else %}
PasswordAuthentication yes
{% endif %}
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
# Kerberos options
#KerberosAuthentication no
@@ -77,13 +81,13 @@ ChallengeResponseAuthentication no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin prohibit-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# and KbdInteractiveAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
@@ -101,7 +105,7 @@ PrintMotd no
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
@@ -114,7 +118,7 @@ PrintMotd no
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
@@ -122,14 +126,16 @@ Subsystem sftp /usr/lib/openssh/sftp-server
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
PasswordAuthentication yes
# Originally from: https://stribika.github.io/2015/01/04/secure-secure-shell.html
# ... but with ciphers and MACs with < 256 bits removed, as NSA's Suite B now
# does away with these! See: https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml
# Based on the ssh-audit profile for OpenSSH 9.2, but with but with all algos
# with less than 256 bits removed, as NSA's Suite B removed them years ago and
# the new (2018) CNSA suite is 256 bits and up.
#
# See: https://github.com/jtesta/ssh-audit/blob/master/src/ssh_audit/policy.py
# See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
{% if ssh_allowed_users is defined and ssh_allowed_users %}
# Is there a list of allowed users?

133
roles/common/templates/sshd_config_Ubuntu-18.04.j2
View File

@@ -1,133 +0,0 @@
# $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
LogLevel VERBOSE
# Authentication:
#LoginGraceTime 2m
PermitRootLogin prohibit-password
#StrictModes yes
MaxAuthTries 4
#MaxSessions 10
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
# Originally from: https://stribika.github.io/2015/01/04/secure-secure-shell.html
# ... but with ciphers and MACs with < 256 bits removed, as NSA's Suite B now
# does away with these! See: https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
# only allow shell access by provisioning user
AllowUsers {{ provisioning_user.name }}

4
roles/common/templates/sysctl_Debian.j2
View File

@@ -90,7 +90,7 @@ net.ipv4.tcp_wmem = 4096 65536 16777216
# increase the length of the processor input queue
net.core.netdev_max_backlog = 30000
{# kernels after 2.6.32 don't have buggy cubic #}
{% if ansible_kernel < "2.6.33" %}
{% if ansible_facts["kernel"] < "2.6.33" %}
# recommended default congestion control is htcp
net.ipv4.tcp_congestion_control=htcp
{% endif %}
@@ -98,7 +98,7 @@ net.ipv4.tcp_congestion_control=htcp
#net.ipv4.tcp_mtu_probing=1
{# disable iptables on bridge interfaces on VM hosts #}
{% if ansible_virtualization_role == "host" %}
{% if ansible_facts["virtualization_role"] == "host" %}
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0

100
roles/common/templates/sysctl_Ubuntu.j2
View File

@@ -1,100 +0,0 @@
#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additional system variables
# See sysctl.conf (5) for information.
#
#kernel.domainname = example.com
# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3
##############################################################3
# Functions previously found in netbase
#
# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1
# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1
# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1
# Uncomment the next line to enable packet forwarding for IPv6
# Enabling this option disables Stateless Address Autoconfiguration
# based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1
###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#
# CIS Benchmark Adjustments
# See: https://github.com/alanorth/securekickstarts
kernel.randomize_va_space = 2
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_syncookies = 1
# TCP stuff
# See: http://fasterdata.es.net/host-tuning/linux/
# increase TCP max buffer size settable using setsockopt()
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
# increase Linux autotuning TCP buffer limit
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
# increase the length of the processor input queue
net.core.netdev_max_backlog = 30000
# recommended for hosts with jumbo frames enabled
#net.ipv4.tcp_mtu_probing=1
# increase quadruplets (src ip, src port, dest ip, dest port)
# see: http://vincent.bernat.im/en/blog/2014-tcp-time-wait-state-linux.html
net.ipv4.ip_local_port_range = 10240 65535
# recommended for web servers, especially if running SPDY
# see: http://www.chromium.org/spdy/spdy-best-practices
net.ipv4.tcp_slow_start_after_idle = 0

2
roles/common/templates/tarsnap_sources.list.j2
View File

@@ -1 +1 @@
deb [arch=amd64] https://pkg.tarsnap.com/deb/{{ ansible_distribution_release }} ./
deb [arch=amd64 signed-by=/etc/apt/keyrings/tarsnap-deb-packaging-key.asc] https://pkg.tarsnap.com/deb/{{ ansible_facts["distribution_release"] }} ./

65
roles/common/templates/update-firehol-nftables.sh.j2 Executable file
View File

@@ -0,0 +1,65 @@
#!/usr/bin/env bash
#
# update-firehol-nftables.sh v0.0.1
#
# Download FireHOL lists and load them into nftables sets.
#
# See: https://iplists.firehol.org/
#
# Copyright (C) 2025 Alan Orth
#
# SPDX-License-Identifier: GPL-3.0-only
# Exit on first error
set -o errexit
firehol_level1_ipv4_set_path=/etc/nftables/firehol_level1-ipv4.nft
function download() {
echo "Downloading $1"
wget -q -O - "https://iplists.firehol.org/files/$1" > "$1"
}
download firehol_level1.netset
if [[ -f "firehol_level1.netset" ]]; then
echo "Processing FireHOL Level 1 list"
firehol_level1_ipv4_list_temp=$(mktemp)
firehol_level1_ipv4_set_temp=$(mktemp)
# Filter blank lines, comments, and bogons we use inside the LAN, DMZ, and
# for local services like systemd-resolved and others on localhost. Ideally
# these are blocked already at the WAN side by network administrators.
cat firehol_level1.netset \
| sed \
-e '/^$/d' \
-e '/^#.*/d' \
-e '/^127\.0\.0\.0\/8/d' \
> "$firehol_level1_ipv4_list_temp"
echo "Building firehol_level1-ipv4 set"
cat << NFT_HEAD > "$firehol_level1_ipv4_set_temp"
#!/usr/sbin/nft -f
define FIREHOL_LEVEL1_IPV4 = {
NFT_HEAD
while read -r network; do
# nftables doesn't mind if the last element in the set has a trailing
# comma so we don't need to do anything special here.
echo "$network," >> "$firehol_level1_ipv4_set_temp"
done < $firehol_level1_ipv4_list_temp
echo "}" >> "$firehol_level1_ipv4_set_temp"
install -m 0600 "$firehol_level1_ipv4_set_temp" "$firehol_level1_ipv4_set_path"
rm -f "$firehol_level1_ipv4_list_temp" "$firehol_level1_ipv4_set_temp"
fi
echo "Restarting nftables"
/usr/bin/systemctl restart nftables.service
rm -v firehol_level1.netset

17
roles/mariadb/defaults/main.yml
View File

@@ -1,15 +1,4 @@
---
# file: roles/mariadb/defaults/main.yml
#
# Based on my running of mysqltuner.pl on a host with three WordPress databases
#
# default is 128MB but is a waste because it seems only the mysql table uses it
key_buffer_size: 8M
# default is 128MB but is a waste because it seems only information_schema uses
# AriaDB, see: https://mariadb.com/kb/en/mariadb/aria-system-variables
aria_pagecache_buffer_size: 8M
# default is 128M, but set to at least the size of your InnoDB data
innodb_buffer_pool_size: 256M
@@ -17,15 +6,11 @@ innodb_buffer_pool_size: 256M
# Ansible 2.7.x with PyMySQL seems to default to TCP connection so we should
# force it to use a Unix socket.
# See: https://github.com/ansible/ansible/issues/47736
mariadb_login_unix_socket: /var/run/mysqld/mysqld.sock
mariadb_login_unix_socket: /run/mysqld/mysqld.sock
# default is 100 but the max I've seen used is 5, so let's reduce it
max_connections: 33
# disable the query cache by default
query_cache_size: 0
query_cache_type: 0
# mysqltuner says we should use larger than 32M on our setup
tmp_table_size: 64M
max_heap_table_size: 64M

4
roles/mariadb/handlers/main.yml
View File

@@ -1,5 +1,7 @@
---
- name: restart mariadb
systemd: name=mariadb state=restarted
ansible.builtin.systemd_service:
name: mariadb
state: restarted
# vim: set ts=2 sw=2:

68
roles/mariadb/tasks/main.yml
View File

@@ -1,57 +1,63 @@
---
- name: Add GPG key for MariaDB repo
apt_key: id=0x177F4010FE56CA3336300305F1656F24C74CD1D8 url=https://mariadb.org/mariadb_release_signing_key.asc
register: add_mariadb_apt_key
tags: mariadb, packages
- name: Add MariaDB 10.5 repo
template: src=mariadb.list.j2 dest=/etc/apt/sources.list.d/mariadb.list owner=root group=root mode=0644
register: add_mariadb_apt_repository
tags: mariadb, packages
- name: Update apt cache
apt:
update_cache: yes
when:
add_mariadb_apt_key is changed or
add_mariadb_apt_repository is changed
- name: Install mariadb-server
apt: name={{ item }} state=present cache_valid_time=3600
loop:
- mariadb-server
- python3-pymysql # for ansible
ansible.builtin.apt:
name: [mariadb-server, python3-pymysql]
state: present
cache_valid_time: 3600
tags: mariadb, packages
- name: Create system my.cnf
template: src=my.cnf.j2 dest=/etc/mysql/my.cnf owner=root group=root mode=0644
- name: Add MariaDB configuration overrides
ansible.builtin.template:
src: 70-local.cnf.j2
dest: /etc/mysql/mariadb.conf.d/70-local.cnf
owner: root
group: root
mode: "0644"
notify:
- restart mariadb
tags: mariadb
# 'localhost' needs to be the last item for idempotency, see
# https://docs.ansible.com/ansible/latest/mysql_user_module.html
# See: https://docs.ansible.com/ansible/latest/collections/community/mysql/mysql_user_module.html
- name: Update MariaDB root password for all root accounts
mysql_user: name=root host={{ item }} password={{ mariadb_root_password }} login_unix_socket={{ mariadb_login_unix_socket }}
community.mysql.mysql_user:
name: root
host: "{{ item }}"
password: "{{ mariadb_root_password }}"
login_unix_socket: "{{ mariadb_login_unix_socket }}"
loop:
- 127.0.0.1
- ::1
tags: mariadb
- name: Create .my.conf file with root credentials
template: src=.my.cnf.j2 dest=/root/.my.cnf owner=root mode=0600
ansible.builtin.template:
src: .my.cnf.j2
dest: /root/.my.cnf
owner: root
mode: "0600"
tags: mariadb
# See: https://docs.ansible.com/ansible/latest/collections/community/mysql/mysql_db_module.html
- name: Create MariaDB database(s)
mysql_db: db={{ item.name }} state=present encoding=utf8mb4
loop: "{{ mariadb_databases }}"
when: mariadb_databases is defined
community.mysql.mysql_db:
db: "{{ item.name }}"
state: present
encoding: utf8mb4
login_unix_socket: "{{ mariadb_login_unix_socket }}"
loop: "{{ mariadb_databases }}"
tags: mariadb
- name: Create MariaDB user(s)
mysql_user: name={{ item.user }} password={{ item.pass }} priv={{ item.name }}.*:ALL host=127.0.0.1 state=present
loop: "{{ mariadb_databases }}"
when: mariadb_databases is defined
community.mysql.mysql_user:
name: "{{ item.user }}"
password: "{{ item.pass }}"
priv: "{{ item.name }}.*:ALL"
host: 127.0.0.1
state: present
login_unix_socket: "{{ mariadb_login_unix_socket }}"
loop: "{{ mariadb_databases }}"
tags: mariadb
# vim: set ts=2 sw=2:

10
roles/mariadb/templates/70-local.cnf.j2 Normal file
View File

@@ -0,0 +1,10 @@
{{ ansible_managed | comment }}
[mysqld]
# don't resolve connection IPs to hostnames (make sure user accounts are using
# IPs instead of "localhost")
skip-name-resolve=1
max_connections = {{ max_connections }}
tmp_table_size = {{ tmp_table_size }}
max_heap_table_size = {{ max_heap_table_size }}
innodb_buffer_pool_size = {{ innodb_buffer_pool_size }}

3
roles/mariadb/templates/mariadb.list.j2
View File

@@ -1,3 +0,0 @@
{{ ansible_managed | comment }}
deb [arch=amd64] http://mirror.23media.de/mariadb/repo/10.5/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} main

196
roles/mariadb/templates/my.cnf.j2
View File

@@ -1,196 +0,0 @@
{{ ansible_managed | comment }}
# MariaDB database server configuration file.
#
# You can copy this file to one of:
# - "/etc/mysql/my.cnf" to set global options,
# - "~/.my.cnf" to set user-specific options.
#
# One can use all long options that the program supports.
# Run program with --help to get a list of available options and with
# --print-defaults to see which it would actually understand and use.
#
# For explanations see
# http://dev.mysql.com/doc/mysql/en/server-system-variables.html
# This will be passed to all mysql clients
# It has been reported that passwords should be enclosed with ticks/quotes
# escpecially if they contain "#" chars...
# Remember to edit /etc/mysql/debian.cnf when changing the socket location.
[client]
port = 3306
socket = /var/run/mysqld/mysqld.sock
# Here is entries for some specific programs
# The following values assume you have at least 32M ram
# This was formally known as [safe_mysqld]. Both versions are currently parsed.
[mysqld_safe]
socket = /var/run/mysqld/mysqld.sock
nice = 0
[mysqld]
#
# * Basic Settings
#
user = mysql
pid-file = /var/run/mysqld/mysqld.pid
socket = /var/run/mysqld/mysqld.sock
port = 3306
basedir = /usr
datadir = /var/lib/mysql
tmpdir = /tmp
lc_messages_dir = /usr/share/mysql
lc_messages = en_US
skip-external-locking
#
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
bind-address = 127.0.0.1
# don't resolve connection IPs to hostnames (make sure user accounts are using
# IPs instead of "localhost")
skip-name-resolve=1
#
# * Fine Tuning
#
max_connections = {{ max_connections }}
connect_timeout = 5
wait_timeout = 600
max_allowed_packet = 16M
thread_cache_size = 128
sort_buffer_size = 4M
bulk_insert_buffer_size = 16M
tmp_table_size = {{ tmp_table_size }}
max_heap_table_size = {{ max_heap_table_size }}
#
# * MyISAM
#
# This replaces the startup script and checks MyISAM tables if needed
# the first time they are touched. On error, make copy and try a repair.
myisam_recover_options = BACKUP
key_buffer_size = {{ key_buffer_size }}
#open-files-limit = 2000
table_open_cache = 400
myisam_sort_buffer_size = 512M
concurrent_insert = 2
read_buffer_size = 2M
read_rnd_buffer_size = 1M
#
# * Query Cache Configuration
#
query_cache_limit = 128K
query_cache_size = {{ query_cache_size }}
query_cache_type = {{ query_cache_type }}
#
# * Logging and Replication
#
# Both location gets rotated by the cronjob.
# Be aware that this log type is a performance killer.
# As of 5.1 you can enable the log at runtime!
#general_log_file = /var/log/mysql/mysql.log
#general_log = 1
#
# Error logging goes to syslog due to /etc/mysql/conf.d/mysqld_safe_syslog.cnf.
#
# we do want to know about network errors and such
log_warnings = 2
#
# Enable the slow query log to see queries with especially long duration
#slow_query_log[={0|1}]
slow_query_log_file = /var/log/mysql/mariadb-slow.log
long_query_time = 10
#log_slow_rate_limit = 1000
log_slow_verbosity = query_plan
#log-queries-not-using-indexes
#log_slow_admin_statements
#
# The following can be used as easy to replay backup logs or for replication.
# note: if you are setting up a replication slave, see README.Debian about
# other settings you may need to change.
#server-id = 1
#report_host = master1
#auto_increment_increment = 2
#auto_increment_offset = 1
log_bin = /var/log/mysql/mariadb-bin
log_bin_index = /var/log/mysql/mariadb-bin.index
# not fab for performance, but safer
#sync_binlog = 1
expire_logs_days = 10
max_binlog_size = 100M
# slaves
#relay_log = /var/log/mysql/relay-bin
#relay_log_index = /var/log/mysql/relay-bin.index
#relay_log_info_file = /var/log/mysql/relay-bin.info
#log_slave_updates
#read_only
#
# If applications support it, this stricter sql_mode prevents some
# mistakes like inserting invalid dates etc.
#sql_mode = NO_ENGINE_SUBSTITUTION,TRADITIONAL
#
# * InnoDB
#
# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
# Read the manual for more InnoDB related options. There are many!
default_storage_engine = InnoDB
# you can't just change log file size, requires special procedure
#innodb_log_file_size = 50M
innodb_buffer_pool_size = {{ innodb_buffer_pool_size }}
innodb_log_buffer_size = 8M
innodb_file_per_table = 1
innodb_open_files = 400
innodb_io_capacity = 400
innodb_flush_method = O_DIRECT
aria_pagecache_buffer_size = {{ aria_pagecache_buffer_size }}
#
# * Security Features
#
# Read the manual, too, if you want chroot!
# chroot = /var/lib/mysql/
#
# For generating SSL certificates I recommend the OpenSSL GUI "tinyca".
#
# ssl-ca=/etc/mysql/cacert.pem
# ssl-cert=/etc/mysql/server-cert.pem
# ssl-key=/etc/mysql/server-key.pem
#
# * Galera-related settings
#
[galera]
# Mandatory settings
#wsrep_on=ON
#wsrep_provider=
#wsrep_cluster_address=
#binlog_format=row
#default_storage_engine=InnoDB
#innodb_autoinc_lock_mode=2
#
# Allow server to accept connections on all interfaces.
#
#bind-address=0.0.0.0
#
# Optional setting
#wsrep_slave_threads=1
#innodb_flush_log_at_trx_commit=0
[mysqldump]
quick
quote-names
max_allowed_packet = 16M
[mysql]
#no-auto-rehash # faster start of mysql but no tab completion
[isamchk]
key_buffer = 16M
#
# * IMPORTANT: Additional settings that can override those from this file!
# The files must end with '.cnf', otherwise they'll be ignored.
#
!include /etc/mysql/mariadb.cnf
!includedir /etc/mysql/conf.d/

4
roles/munin/handlers/main.yml
View File

@@ -1,4 +1,4 @@
---
# file: roles/munin/handlers/main.yml
# ansible.builtin.file: roles/munin/handlers/main.yml
- name: restart munin-node
systemd: name=munin-node state=restarted
ansible.builtin.systemd_service: name=munin-node state=restarted

4
roles/munin/tasks/main.yml
View File

@@ -1,8 +1,8 @@
---
- name: Configure munin scraper
import_tasks: munin.yml
ansible.builtin.import_tasks: munin.yml
tags: munin
- name: Configure munin listener
import_tasks: munin-node.yml
ansible.builtin.import_tasks: munin-node.yml
tags: munin-node

19
roles/munin/tasks/munin-node.yml
View File

@@ -1,25 +1,34 @@
---
- name: Install munin-node
apt: name=munin-node state=present
ansible.builtin.apt:
name: munin-node
state: present
tags: packages
# some nice things to have for munin-node on Ubuntu
# libwww-perl: for munin's nginx_status check
- name: Install munin-node deps
apt: name=libwww-perl state=present
ansible.builtin.apt:
name: libwww-perl
state: present
tags: packages
- name: Create munin-node.conf
template: src=munin-node.conf.j2 dest=/etc/munin/munin-node.conf
ansible.builtin.template:
src: munin-node.conf.j2
dest: /etc/munin/munin-node.conf
notify:
- restart munin-node
- name: Configure munin-node
shell: munin-node-configure --shell --families=contrib,auto | sh -x
ansible.builtin.shell: munin-node-configure --shell --families=contrib,auto | sh -x
notify:
- restart munin-node
- name: Start munin-node
systemd: name=munin-node state=started enabled=true
ansible.builtin.systemd_service:
name: munin-node
state: started
enabled: true
# vim: set ts=2 sw=2:

11
roles/munin/tasks/munin.yml
View File

@@ -1,9 +1,16 @@
---
- name: Install munin package
apt: name=munin state=present
ansible.builtin.apt:
name: munin
state: present
tags: packages
- name: Create munin configuration file
template: src=munin.conf.j2 dest=/etc/munin/munin.conf owner=root group=root mode=0644
ansible.builtin.template:
src: munin.conf.j2
dest: /etc/munin/munin.conf
owner: root
group: root
mode: "0644"
# vim: set ts=2 sw=2:

28
roles/nginx/defaults/main.yml
View File

@@ -1,44 +1,44 @@
---
# file: roles/nginx/defaults/main.yml
# ansible.builtin.file: roles/nginx/defaults/main.yml
# path config
nginx_confd_path: /etc/nginx/conf.d
# parent directory of vhost roots
nginx_root_prefix: /var/www
nginx_root_prefix: "{{ web_root_prefix }}"
# 1 hour timeout
nginx_ssl_session_timeout: 1h
# 1 day timeout
nginx_ssl_session_timeout: 1d
# 10MB -> 40,000 sessions
nginx_ssl_session_cache: shared:SSL:10m
# 1400 bytes to fit in one MTU (default is 16k!)
nginx_ssl_buffer_size: 1400
nginx_ssl_buffer_size: 4k
nginx_ssl_dhparam: /etc/ssl/certs/dhparam.pem
nginx_ssl_protocols: 'TLSv1.2 TLSv1.3'
nginx_ssl_protocols: TLSv1.2 TLSv1.3
nginx_ssl_ecdh_curve: X25519:prime256v1:secp384r1
# DNS resolvers for OCSP stapling (default to Cloudflare public DNS)
# See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
nginx_ssl_stapling_resolver: '1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]'
nginx_ssl_stapling_resolver: 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]
# HTTP Strict-Transport-Security header, recommended by Google to be ~1 year
# in seconds, see: https://hstspreload.org/
nginx_hsts_max_age: 31536000
# install acme.sh?
# True unless you're in development and using "localhost" + snakeoil certs
use_letsencrypt: True
# true unless you're in development and using "localhost" + snakeoil certs
use_letsencrypt: true
# Directory root for Let's Encrypt certs
letsencrypt_root: /etc/ssl
# Location where to save initial acme.sh script. After installation the script
# will automatically create its home in the /root/.acme.sh directory (including
# a copy of the script itself).
letsencrypt_acme_script: /root/acme.sh
# a copy of the script itself). The initial script is not needed after.
letsencrypt_acme_script_temp: /root/acme.sh
letsencrypt_acme_home: /root/.acme.sh
# stable is 1.20.x
# mainline is 1.21.x
# stable is 1.26.x
# mainline is 1.27.x
nginx_version: mainline
# vim: set ts=2 sw=2:

6
roles/nginx/handlers/main.yml
View File

@@ -1,5 +1,7 @@
---
- name: reload nginx
systemd: name=nginx state=reloaded
- name: Reload nginx
ansible.builtin.systemd_service:
name: nginx
state: reloaded
# vim: set ts=2 sw=2:

138
roles/nginx/tasks/letsencrypt.yml
View File

@@ -1,59 +1,91 @@
---
# Use acme.sh instead of certbot because they only support installation via
# snap now.
- block:
- name: Remove certbot
apt:
name: certbot
state: absent
- name: Remove old certbot post and pre hooks for nginx
file:
dest: "{{ item }}"
state: absent
with_items:
- /etc/letsencrypt/renewal-hooks/pre/stop-nginx.sh
- /etc/letsencrypt/renewal-hooks/post/start-nginx.sh
- name: Download acme.sh
get_url:
url: https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh
dest: "{{ letsencrypt_acme_script }}"
- name: Prepare Let's Encrypt well-known directory
file:
state: directory
path: /var/lib/letsencrypt/.well-known
owner: root
group: nginx
mode: g+s
- name: Copy systemd service to renew Let's Encrypt certs
template:
src: renew-letsencrypt.service.j2
dest: /etc/systemd/system/renew-letsencrypt.service
mode: 0644
owner: root
group: root
- name: Copy systemd timer to renew Let's Encrypt certs
copy:
src: renew-letsencrypt.timer
dest: /etc/systemd/system/renew-letsencrypt.timer
mode: 0644
owner: root
group: root
# always issues daemon-reload just in case the service/timer changed
- name: Start and enable systemd timer to renew Let's Encrypt certs
systemd:
name: renew-letsencrypt.timer
state: started
enabled: yes
daemon_reload: yes
when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')
- name: Install and configure Let's Encrypt
tags: letsencrypt
when:
- ansible_facts["distribution"] == 'Debian'
- ansible_facts["distribution_version"] is version('11', '>=')
block:
- name: Remove certbot
ansible.builtin.apt:
name: certbot
state: absent
- name: Remove old certbot post and pre hooks for nginx
ansible.builtin.file:
dest: "{{ item }}"
state: absent
with_items:
- /etc/letsencrypt/renewal-hooks/pre/stop-nginx.sh
- /etc/letsencrypt/renewal-hooks/post/start-nginx.sh
- name: Check if acme.sh is installed
ansible.builtin.stat:
path: "{{ letsencrypt_acme_home }}"
register: acme_home
- name: Download acme.sh
when: not acme_home.stat.exists
ansible.builtin.get_url:
url: https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh
dest: "{{ letsencrypt_acme_script_temp }}"
mode: "0700"
register: acme_download
# Run the "install" for acme.sh so it creates the .acme.sh dir (currently I
# have to chdir to the /root directory where the script exists or else it
# fails. Ansible runs it, but the script can't find itself...).
- name: Install acme.sh
when: acme_download is changed
ansible.builtin.command:
cmd: "{{ letsencrypt_acme_script_temp }} --install --no-profile --no-cron"
creates: "{{ letsencrypt_acme_home }}/acme.sh"
chdir: /root
register: acme_install
- name: Remove temporary acme.sh script
when:
- acme_install.rc is defined
- acme_install.rc == 0
ansible.builtin.file:
dest: "{{ letsencrypt_acme_script_temp }}"
state: absent
- name: Set default certificate authority for acme.sh
ansible.builtin.command:
cmd: "{{ letsencrypt_acme_home }}/acme.sh --set-default-ca --server letsencrypt"
- name: Prepare Let's Encrypt well-known directory
ansible.builtin.file:
state: directory
path: /var/lib/letsencrypt/.well-known
owner: root
group: nginx
mode: g+s
- name: Copy systemd service to renew Let's Encrypt certs
ansible.builtin.template:
src: renew-letsencrypt.service.j2
dest: /etc/systemd/system/renew-letsencrypt.service
mode: "0644"
owner: root
group: root
- name: Copy systemd timer to renew Let's Encrypt certs
ansible.builtin.copy:
src: renew-letsencrypt.timer
dest: /etc/systemd/system/renew-letsencrypt.timer
mode: "0644"
owner: root
group: root
# always issues daemon-reload just in case the service/timer changed
- name: Start and enable systemd timer to renew Let's Encrypt certs
ansible.builtin.systemd_service:
name: renew-letsencrypt.timer
state: started
enabled: true
daemon_reload: true
# vim: set ts=2 sw=2:

112
roles/nginx/tasks/main.yml
View File

@@ -1,84 +1,124 @@
---
- name: Add nginx.org apt signing key
apt_key: id=0x573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 url=https://nginx.org/keys/nginx_signing.key state=present
register: add_nginx_apt_key
tags: nginx, packages
- name: Download nginx apt signing key
ansible.builtin.get_url:
url: https://nginx.org/keys/nginx_signing.key
dest: /usr/share/keyrings/nginx_signing.key
owner: root
group: root
mode: "0644"
checksum: sha256:55385da31d198fa6a5012d40ae98ecb272a6c4e8fffffba94719ffd3e87de37a
register: download_nginx_signing_key
tags:
- packages
- nginx
- name: Add nginx.org repo
template: src=nginx_org_sources.list.j2 dest=/etc/apt/sources.list.d/nginx_org_sources.list owner=root group=root mode=0644
ansible.builtin.template:
src: nginx_org_sources.list.j2
dest: /etc/apt/sources.list.d/nginx_org_sources.list
owner: root
group: root
mode: "0644"
register: add_nginx_apt_repository
tags: nginx, packages
tags:
- nginx
- packages
- name: Update apt cache
apt:
update_cache: yes
when:
add_nginx_apt_key is changed or
add_nginx_apt_repository is changed
when: (download_nginx_signing_key.status_code is defined and download_nginx_signing_key.status_code == 200) or add_nginx_apt_repository is changed
ansible.builtin.apt: # noqa no-handler
update_cache: true
- name: Set nginx packages
set_fact:
nginx_packages:
- nginx
- ssl-cert # for ssl-cert-snakeoil.pem in nginx
tags: nginx, packages
- name: Install nginx packages
apt: pkg={{ nginx_packages }} cache_valid_time=3600 state=present
tags: nginx, packages
- name: Install nginx
ansible.builtin.apt:
pkg: nginx
cache_valid_time: 3600
state: present
tags:
- nginx
- packages
- name: Copy nginx.conf
template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf mode=0644 owner=root group=root
ansible.builtin.template:
src: nginx.conf.j2
dest: /etc/nginx/nginx.conf
mode: "0644"
owner: root
group: root
notify:
- reload nginx
- Reload nginx
tags: nginx
- name: Copy extra nginx configs
copy: src={{ item }} dest=/etc/nginx/{{ item }} mode=0644 owner=root group=root
ansible.builtin.copy:
src: "{{ item }}"
dest: /etc/nginx/{{ item }}
mode: "0644"
owner: root
group: root
loop:
- extra-security.conf
- fastcgi_cache
notify:
- reload nginx
- Reload nginx
tags: nginx
- name: Remove default nginx vhost
file: path=/etc/nginx/conf.d/default.conf state=absent
ansible.builtin.file:
path: /etc/nginx/conf.d/default.conf
state: absent
tags: nginx
- name: Create fastcgi cache dir
file: path=/var/cache/nginx/cached/fastcgi state=directory owner=nginx group=nginx mode=0755
ansible.builtin.file:
path: /var/cache/nginx/cached/fastcgi
state: directory
owner: nginx
group: nginx
mode: "0755"
tags: nginx
- name: Configure nginx virtual hosts
include_tasks: vhosts.yml
when: nginx_vhosts is defined
ansible.builtin.include_tasks: vhosts.yml
tags: nginx
- name: Configure WordPress
include_tasks: wordpress.yml
when: nginx_vhosts is defined
ansible.builtin.include_tasks: wordpress.yml
tags: wordpress
- name: Configure blank nginx vhost
template: src=blank-vhost.conf.j2 dest={{ nginx_confd_path }}/blank-vhost.conf mode=0644 owner=root group=root
ansible.builtin.template:
src: blank-vhost.conf.j2
dest: "{{ nginx_confd_path }}/blank-vhost.conf"
mode: "0644"
owner: root
group: root
notify:
- reload nginx
- Reload nginx
tags: nginx
- name: Configure munin vhost
copy: src=munin.conf dest=/etc/nginx/conf.d/munin.conf mode=0644 owner=root group=root
ansible.builtin.copy:
src: munin.conf
dest: /etc/nginx/conf.d/munin.conf
mode: "0644"
owner: root
group: root
notify:
- reload nginx
- Reload nginx
tags: nginx
- name: Start and enable nginx service
systemd: name=nginx state=started enabled=yes
ansible.builtin.systemd_service:
name: nginx
state: started
enabled: true
tags: nginx
- name: Configure Let's Encrypt
include_tasks: letsencrypt.yml
#when: use_letsencrypt is defined and use_letsencrypt
ansible.builtin.include_tasks: letsencrypt.yml
tags: letsencrypt
# vim: set ts=2 sw=2:

55
roles/nginx/tasks/vhosts.yml
View File

@@ -1,23 +1,40 @@
---
- block:
- name: Configure https vhosts
template: src=vhost.conf.j2 dest={{ nginx_confd_path }}/{{ item.domain_name }}.conf mode=0644 owner=root group=root
loop: "{{ nginx_vhosts }}"
notify:
- reload nginx
- name: Download 4096-bit RFC 7919 dhparams
get_url:
url: https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem
checksum: sha256:64852d6890ff9e62eecd1ee89c72af9af244dfef5b853bcedea3dfd7aade22b3
dest: "{{ nginx_ssl_dhparam }}"
notify:
- reload nginx
- name: Create vhost document roots
file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory mode=0755 owner=nginx group=nginx
loop: "{{ nginx_vhosts }}"
- name: Configure https vhosts
tags: nginx
block:
- name: Configure https vhosts
ansible.builtin.template:
src: vhost.conf.j2
dest: "{{ nginx_confd_path }}/{{ item.domain_name }}.conf"
mode: "0644"
owner: root
group: root
loop: "{{ nginx_vhosts }}"
notify:
- Reload nginx
- name: Generate self-signed TLS cert
ansible.builtin.command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key
-out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt
notify:
- Reload nginx
- name: Download 4096-bit RFC 7919 dhparams
ansible.builtin.get_url:
url: https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem
checksum: sha256:64852d6890ff9e62eecd1ee89c72af9af244dfef5b853bcedea3dfd7aade22b3
dest: "{{ nginx_ssl_dhparam }}"
notify:
- Reload nginx
# TODO: this could break because we can override the document root in host vars
- name: Create vhost document roots
ansible.builtin.file:
path: "{{ nginx_root_prefix }}/{{ item.domain_name }}"
state: directory
mode: "0755"
owner: nginx
group: nginx
loop: "{{ nginx_vhosts }}"
# vim: set ts=2 sw=2:

38
roles/nginx/tasks/wordpress.yml
View File

@@ -1,15 +1,31 @@
---
- block:
- name: Install WordPress
git: repo=https://github.com/WordPress/WordPress.git dest={{ nginx_root_prefix }}/{{ item.domain_name }}/wordpress version={{ item.wordpress_version }} depth=1 force=yes
when: item.has_wordpress is defined and item.has_wordpress
loop: "{{ nginx_vhosts }}"
- name: Fix WordPress directory permissions
file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory owner=nginx group=nginx recurse=yes
when: item.has_wordpress is defined and item.has_wordpress
loop: "{{ nginx_vhosts }}"
- name: Install and configure WordPress
tags: wordpress
block:
- name: Install WordPress
when:
- item.has_wordpress is defined
- item.has_wordpress
ansible.builtin.git:
repo: https://github.com/WordPress/WordPress.git
dest: "{{ nginx_root_prefix }}/{{ item.domain_name }}/wordpress"
version: "{{ item.wordpress_version }}"
depth: 1
force: true
loop: "{{ nginx_vhosts }}"
become: true
become_user: nginx
- name: Fix WordPress directory permissions
when:
- item.has_wordpress is defined
- item.has_wordpress
ansible.builtin.file:
path: "{{ nginx_root_prefix }}/{{ item.domain_name }}"
state: directory
owner: nginx
group: nginx
recurse: true
loop: "{{ nginx_vhosts }}"
# vim: set ts=2 sw=2:

12
roles/nginx/templates/blank-vhost.conf.j2
View File

@@ -11,14 +11,16 @@ server {
return 444;
}
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
http2 on;
server_name _;
# self-signed "snakeoil" certificate from ssl-cert package
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
# self-signed "snakeoil" certificate
ssl_certificate /etc/ssl/certs/nginx-snakeoil.crt;
ssl_certificate_key /etc/ssl/private/nginx-snakeoil.key;
ssl_session_timeout {{ nginx_ssl_session_timeout }};
ssl_session_cache {{ nginx_ssl_session_cache }};

5
roles/nginx/templates/gitea.j2 Normal file
View File

@@ -0,0 +1,5 @@
location / {
proxy_pass http://localhost:3000;
}

20
roles/nginx/templates/https.j2
View File

@@ -1,7 +1,7 @@
{# helper variables and per-site defaults that we can't set in role defaults #}
{% set domain_name = item.domain_name %}
{# assume HSTS is off unless a vhost explicitly sets it to True #}
{% set enable_hsts = item.enable_hsts | default(False) %}
{# assume HSTS is off unless a vhost explicitly sets it to true #}
{% set enable_hsts = item.enable_hsts | default(false) %}
{# first, check if the current vhost has a custom cert (perhaps self-signed) #}
{% if item.tls_certificate_path is defined and item.tls_key_path is defined %}
@@ -27,27 +27,19 @@
ssl_dhparam {{ nginx_ssl_dhparam }};
ssl_protocols {{ nginx_ssl_protocols }};
ssl_ecdh_curve {{ nginx_ssl_ecdh_curve }};
ssl_ciphers "{{ tls_cipher_suite }}";
ssl_prefer_server_ciphers on;
ssl_prefer_server_ciphers off;
{# OSCP stapling only works with real certs #}
{% if use_letsencrypt == True or item.tls_certificate_path %}
{% if use_letsencrypt == true or item.tls_certificate_path %}
# OCSP stapling...
ssl_stapling on;
ssl_stapling_verify on;
resolver {{ nginx_ssl_stapling_resolver }};
{% endif %} {# end: use_letsencrypt #}
# nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and
# when a restart is performed the previous key is lost, which resets all previous
# sessions. The fix for this is to setup a manual rotation mechanism:
# http://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx
#
# Note that you'll have to define and rotate the keys securely by yourself. In absence
# of such infrastructure, consider turning off session tickets:
ssl_session_tickets off;
{% if enable_hsts == True %}
{% if enable_hsts == true %}
# Enable this if you want HSTS (recommended, but be careful)
# Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
# See: https://hstspreload.appspot.com/

2
roles/nginx/templates/nginx.conf.j2
View File

@@ -14,7 +14,6 @@ error_log /var/log/nginx/error.log warn;
# The file storing the process ID of the main process
pid /var/run/nginx.pid;
events {
# If you need more connections than this, you start optimizing your OS.
# That's probably the point at which you hire people who are smarter than you as this is *a lot* of requests.
@@ -23,6 +22,7 @@ events {
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;

16
roles/nginx/templates/nginx_org_sources.list.j2
View File

@@ -1,19 +1,7 @@
{{ ansible_managed | comment }}
{% if ansible_distribution == 'Ubuntu' %}
{% if nginx_version == "stable" %}
deb [arch=amd64] https://nginx.org/packages/ubuntu/ {{ ansible_distribution_release }} nginx
deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/debian/ {{ ansible_facts["distribution_release"] }} nginx
{% elif nginx_version == "mainline" %}
deb [arch=amd64] https://nginx.org/packages/mainline/ubuntu/ {{ ansible_distribution_release }} nginx
{% endif %}
{% elif ansible_distribution == 'Debian' %}
{% if nginx_version == "stable" %}
deb [arch=amd64] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx
{% elif nginx_version == "mainline" %}
deb [arch=amd64] https://nginx.org/packages/mainline/debian/ {{ ansible_distribution_release }} nginx
{% endif %}
deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/mainline/debian/ {{ ansible_facts["distribution_release"] }} nginx
{% endif %}

52
roles/nginx/templates/vhost.conf.j2
View File

@@ -4,9 +4,16 @@
{% set domain_name = item.domain_name %}
{% set domain_aliases = item.domain_aliases | default("") %}
{# assume optional features are off unless a vhost explicitly sets them #}
{% set enable_hsts = item.enable_hsts | default(False) %}
{% set has_wordpress = item.has_wordpress | default(False) %}
{% set needs_php = item.needs_php | default(False) %}
{% set enable_hsts = item.enable_hsts | default(false) %}
{% set has_wordpress = item.has_wordpress | default(false) %}
{% set needs_php = item.needs_php | default(false) %}
{% set has_gitea = item.has_gitea | default(false) %}
{# Allow sites to override the document root #}
{% if item.document_root is defined %}
{% set document_root = item.document_root %}
{% else %}
{% set document_root = (nginx_root_prefix, domain_name) | ansible.builtin.path_join %}
{% endif %}
# http -> https vhost
server {
@@ -25,36 +32,36 @@ server {
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
{# Allow sites to override the nginx document root #}
{% if item.document_root is defined %}
root {{ item.document_root }};
{% else %}
root {{ nginx_root_prefix }}/{{ domain_name }};
{% endif %}
root {{ document_root }};
{# will only work if the TLS cert covers the domain + aliases, like example.com and www.example.com #}
server_name {{ domain_name }} {{ domain_aliases }};
index {% if has_wordpress == True or needs_php == True %}index.php{% else %}index.html{% endif %};
index {% if has_wordpress == true or needs_php == true %}index.php{% else %}index.html{% endif %};
access_log /var/log/nginx/{{ domain_name }}-access.log;
error_log /var/log/nginx/{{ domain_name }}-error.log;
{% include 'https.j2' %}
{% if has_wordpress == True %}
{% if has_wordpress == true %}
{% include 'wordpress.j2' %}
{% endif %}
{% if has_gitea == true %}
{% include 'gitea.j2' %}
{% endif %}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
{% if has_wordpress == True or needs_php == True %}
{% if has_wordpress == true or needs_php == true %}
location ~ [^/]\.php(/|$) {
# Zero-day exploit defense.
# http://forum.nginx.org/read.php?2,88845,page=3
@@ -70,17 +77,8 @@ server {
# See: https://httpoxy.org/
fastcgi_param HTTP_PROXY "";
{# As of Ubuntu 16.04 and Debian 9, the PHP-FPM configs are the same #}
{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('16.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('9', '==')) %}
fastcgi_pass unix:/run/php/php7.0-fpm-{{ domain_name }}.sock;
{% elif ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('18.04', '==') %}
fastcgi_pass unix:/run/php/php7.2-fpm-{{ domain_name }}.sock;
{% elif ansible_distribution == 'Debian' and ansible_distribution_version is version('10', '==') %}
fastcgi_pass unix:/run/php/php7.3-fpm-{{ domain_name }}.sock;
{% elif ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==') %}
fastcgi_pass unix:/run/php/php7.4-fpm-{{ domain_name }}.sock;
{% else %}
fastcgi_pass unix:/var/run/php5-fpm-{{ domain_name }}.sock;
{% if ansible_facts["distribution_major_version"] is version('12', '==') %}
fastcgi_pass unix:/run/php/php8.2-fpm-{{ domain_name }}.sock;
{% endif %}
fastcgi_index index.php;
# set script path relative to document root in server block
@@ -94,7 +92,7 @@ server {
fastcgi_cache_bypass $http_pragma $wordpress_logged_in;
fastcgi_no_cache $http_pragma $wordpress_logged_in;
{% if enable_hsts == True %}
{% if enable_hsts == true %}
# Enable this if you want HSTS (recommended, but be careful)
# Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
# See: https://hstspreload.appspot.com/
@@ -108,7 +106,7 @@ server {
include extra-security.conf;
}
{% if has_wordpress == True %}
{% if has_wordpress == true %}
# Check if a user is logged in
# if so, set $wordpress_logged_in = 1
# otherwise, set $wordpress_logged_in = 0

4
roles/nginx/templates/wordpress.j2
View File

@@ -5,7 +5,7 @@
location / {
try_files $uri $uri/ /index.php?$args;
{% if enable_hsts == True %}
{% if enable_hsts == true %}
# Enable this if you want HSTS (recommended, but be careful)
# Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
# See: https://hstspreload.appspot.com/
@@ -16,7 +16,7 @@
location ~* \.(?:ico|css|js|gif|jpe?g|png|svg)$ {
add_header Cache-Control "max-age=604800";
{% if enable_hsts == True %}
{% if enable_hsts == true %}
# Enable this if you want HSTS (recommended, but be careful)
# Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
# See: https://hstspreload.appspot.com/

14
roles/php-fpm/handlers/main.yml
View File

@@ -1,14 +0,0 @@
---
# For Ubuntu 18.04
- name: reload php7.2-fpm
systemd: name=php7.2-fpm state=reloaded
# For Debian 10
- name: reload php7.3-fpm
systemd: name=php7.3-fpm state=reloaded
# For Ubuntu 20.04
- name: reload php7.4-fpm
systemd: name=php7.4-fpm state=reloaded
# vim: set ts=2 sw=2:

Some files were not shown because too many files have changed in this diff Show More