alanorth/ansible-personal
1
0
Fork 0
Code Issues 4 Pull Requests Projects Releases Wiki Activity

Compare commits

base: alanorth:ca952b6948f4c3ce000611ee4d29e48b3b1b6653
Branches Tags
alanorth:master alanorth:debian13 alanorth:alpine
...
compare: alanorth:debian13
Branches Tags
alanorth:debian13 alanorth:master alanorth:alpine

316 Commits
ca952b6948 ... debian13

Author SHA1 Message Date
Alan Orth
d51f8fefaa roles/common: minor configuration of Debian 13 SSH 
Tweak some of the new OpenSSH per-source penalty settings on Debian
13. For now only adjusting the source network masks and reusing the
list of IPs to exempt from fail2ban.

These being built in makes them easier to use, but I think I will
end up sticking with fail2ban for the heavy lifting because it per-
sists across restarts of the daemon, whereas OpenSSH's doesn't. I
will monitor OpenSSH on Debian 13 to see how to best use it along
side fail2ban.
 2025-09-23 10:33:24 +03:00
Alan Orth
9ff6e19135 roles/common: use 127.0.0.0/8 for fail2ban ignoreip 
We can re-use our fail2ban ignoreip setting for Debian 13's OpenSSH
PerSourcePenaltyExemptList, but OpenSSH is more strict with regards
to masks not being applied to the host portion. I had never noticed
that fail2ban's default was applying the mask on the host portion!
 2025-09-23 10:33:23 +03:00
Alan Orth
4680999680 roles/common: sshd overrides for Debian 13 2025-09-23 10:33:23 +03:00
Alan Orth
602734acce roles: update ansible.builtin.systemd builtin 
Use ansible.builtin.systemd_service instead.
 2025-09-23 10:33:11 +03:00
Alan Orth
0db7911b70 roles/common: remove sudoers.d 
We are not using this.
 2025-09-21 23:09:40 +03:00
Alan Orth
ee4c62e5f9 roles: remove tests for Debian 
We only run on Debian now.
 2025-09-21 22:20:31 +03:00
Alan Orth
a315db8a7c roles/common: use ansible_distribution_version 
In most cases it is enough to use the full version (ie 12.12) since
we use Ansible's version comparison function. We rarely need to use
the major version (ie 12) directly.
 2025-09-21 22:19:00 +03:00
Alan Orth
5f00892df3 roles/common: adjust when in tasks 2025-09-21 22:04:25 +03:00
Alan Orth
9357265d27 roles/common: use ansible.builtin.apt module 2025-09-21 22:00:39 +03:00
Alan Orth
dd62266340 roles/common: update comment in ntp task 2025-09-21 21:58:11 +03:00
Alan Orth
a1bec20824 roles/common: simplify when logic in ntp task 2025-09-21 21:57:34 +03:00
Alan Orth
8e91c44529 roles/common: fix syntax error in npt when 2025-09-21 21:56:15 +03:00
Alan Orth
02d4135c79 roles/common: adjust ntp task 
On Debian 12 we need to explicitly remove ntp because it does not
conflict with other time daemons.
 2025-09-21 21:55:09 +03:00
Alan Orth
37e148d009 Re-work ansible_managed 
This is no longer a configuration setting. Now we must set it like
any other template variabled.
 2025-09-21 21:15:12 +03:00
Alan Orth
73dbbd23b6 roles/common: adjust handlers 
Should start with an upper case letter.
 2025-09-21 20:22:58 +03:00
Alan Orth
b84283aa38 roles/common: remove unneeded firewall packages 
We don't need curl or libnet-ip-perl anymore.
 2025-09-21 20:15:11 +03:00
Alan Orth
1695fdf8d1 roles/common: syntax in firewall play 2025-09-21 20:11:46 +03:00
Alan Orth
9f1f7b1c69 roles/nginx: more syntax fixes to tasks 2025-09-21 20:08:51 +03:00
Alan Orth
7d725f2084 roles/nginx: adjust task syntax 
Tasks should start with an upper case letter and we should not use
free form syntax anymore.
 2025-09-21 20:04:53 +03:00
Alan Orth
4c39b0d48c roles/php_fpm: adjust task syntax 
All tasks need names, and we can use name, tags, when, block order
for task keys. Suggested by ansible-lint.
 2025-09-21 20:02:46 +03:00
Alan Orth
f4023d0b20 roles/php_fpm: rename handler 
Suggested by ansible-lint.
 2025-09-21 19:59:23 +03:00
Alan Orth
6aaface4a2 Rename roles/php-fpm to roles/php_fpm 
Suggested by ansible-lint.
 2025-09-21 19:56:20 +03:00
Alan Orth
333e1cbeb9 roles/mariadb/handlers/main.yml: update syntax 2025-09-21 17:32:57 +03:00
Alan Orth
0c62f4bdf0 roles/common/tasks/packages.yml: improve task key order 
Suggested by ansible-lint. Makes it easier to see the tags after the
very long block.
 2025-09-21 17:30:54 +03:00
Alan Orth
26f22c0447 roles/munin: update task syntax 2025-09-21 17:29:22 +03:00
Alan Orth
05881e2585 roles: fix unquoted octal modes 2025-09-21 17:25:22 +03:00
Alan Orth
d4d326c2f7 roles/common: use FQCN in handler 2025-09-21 17:09:45 +03:00
Alan Orth
1d4a6f208b roles/common: update default fail2ban ignores 2025-09-21 17:06:48 +03:00
Alan Orth
8b22076d4a roles/common: json spacing 2025-09-21 17:06:01 +03:00
Alan Orth
38176cb34c roles/nginx: update task syntax for plays 2025-09-21 16:59:08 +03:00
Alan Orth
da737b71f7 roles/mariadb: update task syntax for mariadb play 2025-09-21 16:54:19 +03:00
Alan Orth
c28189a1a5 roles/common: update task syntax for fail2ban play 2025-09-21 16:54:03 +03:00
Alan Orth
b600141e89 roles/common: update task syntax for sshd play 2025-09-21 16:51:23 +03:00
Alan Orth
4be98d1a33 roles/common: update task syntax for ssh-keys play 2025-09-21 16:49:32 +03:00
Alan Orth
2bb018a40c roles/common: rename firewall and packages task files 
Don't use firewall_Debian.yml or packages_Debian.yml since I am not
deploying Ubuntu anymore there is no need to distinguish.
 2025-09-21 16:45:51 +03:00
Alan Orth
89a1e11b7a roles/common: update task syntax in main play 2025-09-21 16:40:37 +03:00
Alan Orth
0c0cad9084 Remove Ubuntu logic 
For a few years now I have only been deploying Debian for personal
use.
 2025-09-21 16:34:57 +03:00
Alan Orth
9dce701a19 roles/common: update task syntax in packages play 2025-09-21 16:23:10 +03:00
Alan Orth
3e9ee44d5b roles/common: update task syntax in ntp play 2025-09-21 16:18:32 +03:00
Alan Orth
599b5e5e83 Pipfile.lock: run pipenv update 2025-09-21 15:57:28 +03:00
Alan Orth
bc700ea532 Pipfile.lock: pipenv update 2025-08-17 10:28:23 +03:00
Alan Orth
8016701b57 host_vars/web22: WordPress 6.8.2 2025-08-17 10:26:43 +03:00
Alan Orth
00558c7dea roles/common: re-work fail2ban and nftables 
Re-work the fail2ban and nftables interaction. Use systemd's PartOf
to indicate that fail2ban is part of the nftables service, which
tells systemd to propogate stop/start signals to it. Then we tell
the firehol update script to restart nftables instead of reload.
The different between restart and reload is meaningless for nftables
but we want systemd to propagate the stop/start signals to fail2ban.
 2025-07-08 10:39:17 +03:00
Alan Orth
c927186837 roles/common: adjust update-firehol-nftables.service 
This service does not actually depend on nftables, at least not in
the systemd sense of dependency. Furthermore, this hard dependency
was causing the service to fail when it restarts nftables at the
end, which causes systemd to start it again and again until it hits
a restarting too quickly error.
 2025-07-08 10:37:39 +03:00
Alan Orth
690774c862 host_vars/web22: WordPress 6.8.1 2025-07-08 10:34:34 +03:00
Alan Orth
cc021bd14a Pipfile.lock: run pipenv update 2025-07-08 10:25:09 +03:00
Alan Orth
73fd06fe3a roles/common: remove cron-apt 
Use unattended-upgrades instead. It has sane defaults on Debian at
least (I haven't checked Ubuntu).
 2025-04-07 09:51:09 +03:00
Alan Orth
88cb3a370e Remove logic for Ubuntu 20.04 and Debian 11 2025-03-29 23:09:44 +03:00
Alan Orth
027a43ddbe roles/caddy: use default for encode 2025-03-29 22:49:30 +03:00
Alan Orth
bb30c3be20 host_vars/web22: update vhosts 2025-03-29 22:48:19 +03:00
Alan Orth
d8d9790d21 roles/nginx: enable nginx ssl_session_tickets 
This has apparently been supported since nginx 1.23.2 and is safe
to use the default (on) now.

See: https://github.com/mozilla/server-side-tls/issues/284
 2025-03-29 22:35:56 +03:00
Alan Orth
9a500ebc0d roles/nginx: disable nginx ssl_prefer_server_ciphers 
This is apparently the default and recommended by Mozilla's server-
side SSL configurator also recommends. This lets the client choose
the ciphers best for them (and the ciphers in TLS 1.2 and 1.3 are
not currently known to be dangerous).
 2025-03-29 22:34:41 +03:00
Alan Orth
4bae942585 roles/nginx: add nginx ssl_ecdh_curve 
This seems to be new since I last looked at the Mozilla server-side
SSL configurator.
 2025-03-29 22:34:37 +03:00
Alan Orth
99866c0c90 roles/nginx: use one day for nginx ssl_session_timeout 
This is a new default since I last looked at the Mozilla server-side
SSL configurator.
 2025-03-29 22:34:32 +03:00
Alan Orth
0afb8a4493 roles/nginx: update nginx ssl_buffer_size 
The old default has not been changed in eight years and I see that
there have been some discussions over the years about this. I will
change this from the slightly extreme 1400 bytes to 4k (nginx def-
ault is still 16k so this is more "optimal" for HTML/CSS content).

See: https://github.com/igrigorik/istlsfastyet.com/issues/63
 2025-03-29 22:34:27 +03:00
Alan Orth
506695da31 roles/nginx/defaults: update version comments 2025-03-29 22:24:49 +03:00
Alan Orth
f67ed7762c roles/nginx: fix http2 syntax 2025-03-29 22:20:49 +03:00
Alan Orth
014f4d9502 roles/nginx: add newline 2025-03-29 22:19:41 +03:00
Alan Orth
22c16e1ed3 roles/caddy/templates: closer to supporting WordPress 
I still wouldn't want to deploy WordPress on Caddy until it's more
obvious and standard to block paths that shouldn't be accessible.
It seems that this is still left as an exercise to the site admin.

This discussion has some tips, but it is four years old and hasn't
changed since I last looked.

See: https://caddy.community/t/using-caddy-to-harden-wordpress/13575
 2025-03-29 22:09:37 +03:00
Alan Orth
5aa6a33e51 roles/php-fpm: set user and group based on webserver 
We use either caddy or nginx, which are conveniently named the same
as the Unix user and group.
 2025-03-29 21:01:56 +03:00
Alan Orth
7f9b06af9c roles/nginx: smarter setting of document root 2025-03-29 19:34:53 +03:00
Alan Orth
84db337fea roles/caddy: smarter setting of document root 2025-03-29 19:33:02 +03:00
Alan Orth
7b23f5f94f roles/caddy: add missing tag 2025-03-29 19:16:03 +03:00
Alan Orth
9830338be3 Use one default root prefix for nginx and caddy 2025-03-29 19:15:56 +03:00
Alan Orth
e3eed26765 roles/caddy: update vhost template 2025-03-29 18:37:28 +03:00
Alan Orth
8b31c7e148 host_vars/web22: WordPress 6.7.2 2025-03-29 16:10:23 +03:00
Alan Orth
3ff8043aaf Pipfile.lock: run pipenv update 2025-03-29 15:30:08 +03:00
Alan Orth
cb79f7ef70 roles/common: minor change to firehol update script 
They include bogons like 127.0.0.1 that should not be routed on the
public Internet, but this blocks local applications we proxy to.
 2025-01-28 09:14:48 +03:00
Alan Orth
bb14f05d2a roles/common: use Ansible timezone module 
No need to use a command for that. The module does it better because
it doesn't register a change unless the timezone changes.
 2025-01-27 23:11:56 +03:00
Alan Orth
5b1530fa91 roles/common: rework firewall 
Use firehol instead of all the others. AbuseIPDB.com can't be upd-
ated automatically, Abuse.ch is no longer maintained, and Spamhaus
is already in firehol.
 2025-01-27 23:05:45 +03:00
Alan Orth
5312dc6bd5 roles/common: use common nftables task 
Use a common nftables task on Debian and Ubuntu.
 2025-01-27 23:05:38 +03:00
Alan Orth
d6e060d3af roles/common: simplify firewall tasks 
Apply firewall tag to included tasks, then we don't need to use a
block.
 2025-01-27 22:30:50 +03:00
Alan Orth
b873af004a roles/common: single firewall task include 
Use one include from the main tasks file.
 2025-01-27 22:28:27 +03:00
Alan Orth
7ea3ab46f8 host_vars/web22: WordPress 6.7.1 2025-01-27 21:48:16 +03:00
Alan Orth
0561bd5b52 Pipfile.lock: run pipenv update 2025-01-27 21:36:13 +03:00
Alan Orth
d62572f02c Pipfile: python 3.13 2025-01-27 21:35:58 +03:00
Alan Orth
2ffe5e87d9 host_vars/web22: WordPress 6.6.2 2024-12-30 11:03:47 +03:00
Alan Orth
38d4f1a303 Pipfile.lock: run pipenv update 2024-12-30 11:03:35 +03:00
Alan Orth
ed8cb88038 host_vars/web22: WordPress 6.5.5 2024-06-25 08:18:22 +03:00
Alan Orth
c31e447861 roles/nginx: update signing key 2024-06-25 08:11:59 +03:00
Alan Orth
545684467c host_vars/nomad03: remove 2024-06-05 20:35:29 +03:00
Alan Orth
24ae5eaab1 host_vars/web22: WordPress 6.5.3 2024-05-13 14:51:45 +03:00
Alan Orth
dac23f1427 Pipfile: use Python 3.12 2024-05-13 14:51:34 +03:00
Alan Orth
41fbc73dd1 host_vars/web22: WordPress 6.4.3 2024-03-20 20:28:13 +03:00
Alan Orth
fee794bcf0 Update Pipfile 2024-03-20 20:28:00 +03:00
Alan Orth
8bce1d8b1b host_vars/web22: WordPress 6.4.1 2023-12-02 22:40:06 +03:00
Alan Orth
6dc2ea36b6 roles/nginx: fix path to php 8.2 socket 2023-09-11 19:55:24 +03:00
Alan Orth
af71a9b5f8 roles/php-fpm: remove fmt strings 
Ansible confuses them for jinja2 tokens.
 2023-09-11 19:52:18 +03:00
Alan Orth
4dd57803e2 roles/php-fpm: fix user/group for php 8.2 configs 2023-09-11 19:51:59 +03:00
Alan Orth
18d4245fc0 roles/common: fix tarsnap signing of apt repo 2023-09-11 19:37:49 +03:00
Alan Orth
1bddf3cccd Pipfile.lock: run pipenv update 2023-09-11 18:52:25 +03:00
Alan Orth
20dbe61fe1 roles/mariadb: use MariaDB 10.11 
The server has already been updated from 10.6 to 10.11.

See: https://mariadb.com/kb/en/upgrading-from-mariadb-10-6-to-mariadb-10-11/
 2023-09-10 22:53:10 +03:00
Alan Orth
899e87321b host_vars/web22: WordPress 6.3.1 2023-09-10 22:44:23 +03:00
Alan Orth
06416a3b64 roles: run ansible-lint --write 2023-08-23 22:22:51 +03:00
Alan Orth
7a9a24ef5d roles/common: rework fail2ban again 
Actually, we do want to run fail2ban on all hosts because the sshd
monitoring via systemd is nice. At the very least it reduces spam
from failed logins in our systemd journal.
 2023-08-23 22:15:24 +03:00
Alan Orth
067adcd9f5 roles/common: rework fail2ban tasks 
We can only run fail2ban when we have logs to monitor. When a host
is running Caddy we don't have logs, so fail2ban doesn't have any-
thing to monitor out of the box. For now I will restrict the task
to hosts running nginx.
 2023-08-23 21:59:28 +03:00
Alan Orth
84d210cfab roles/common: re-format handlers 
Use the newer Ansible format.
 2023-08-23 21:35:28 +03:00
Alan Orth
17736a4f14 roles/common: run ansible-lint --write 2023-08-23 21:33:22 +03:00
Alan Orth
b9e91c4a3d roles/common: minor updates to tarsnap task 
Use modern Ansible task format
 2023-08-23 21:20:22 +03:00
Alan Orth
51c95e5d4c roles/common: update tarsnap task 
Update tarsnap task to use apt signed-by for package signing keys
instead of adding keys directly to apt-key.
 2023-08-23 21:18:27 +03:00
Alan Orth
8dbec29d2a roles/nginx: prepare letsencrypt task for Debian 12 2023-08-23 21:01:12 +03:00
Alan Orth
d3bf3dab04 roles/php-fpm: add support for PHP 8.2 
This is used in Debian 12.
 2023-08-23 20:56:35 +03:00
Alan Orth
8f50b7756b host_vars/web22: WordPress 6.3 2023-08-22 21:33:49 +03:00
Alan Orth
e86ccc9979 roles/nginx: minor rework of apt key stuff 2023-08-22 21:33:19 +03:00
Alan Orth
cea8529f49 Pipfile.lock: run pipenv update 2023-08-22 21:02:17 +03:00
Alan Orth
d77718edae host_vars: add fail2ban_ignoreip 2023-08-14 16:37:07 +02:00
Alan Orth
14d57fc477 roles/nginx: reformat main tasks 2023-08-10 22:44:47 +02:00
Alan Orth
5c39f1abd8 roles/common: minor changes to Debian sshd_config files 2023-08-10 22:10:04 +02:00
Alan Orth
6794eb0432 roles/common: default to disabling SSH passwords 2023-08-10 22:09:03 +02:00
Alan Orth
11614e3725 host_vars: replace nomad02 with nomad03 
The former is Ubuntu 20.04, the latter is Debian 12. Running Drone
CI.
 2023-08-10 08:37:09 +02:00
Alan Orth
b106f9d9e5 roles/common: ignore apt sources.list on Scaleway 
While testing Debian 12 on Scaleway I noticed their apt sources.list
is in some weird format I've never seen before, so let's skip it on
those hosts.
 2023-08-10 08:08:42 +02:00
Alan Orth
3c8250e6ac Pipfile.lock: run pipenv update 2023-08-09 22:07:54 +02:00
Alan Orth
d280859b0d roles/common: minor updates to Debian 11 sshd_config 2023-08-09 21:55:04 +02:00
Alan Orth
bca1629d2f Minor comment updates for Debian 12 2023-08-09 21:51:53 +02:00
Alan Orth
4fa82faf18 roles/common: adjust sshd_config for Debian 12 
Adjust sshd_config based on ssh-audit profile for OpenSSH 9.2.
 2023-08-09 21:27:19 +02:00
Alan Orth
b8f0b4b1fb roles/common: add vanilla sshd_config for Debian 12 2023-08-09 21:16:50 +02:00
Alan Orth
68e5d05bbb host_vars/web22: WordPress 6.2.2 2023-07-27 18:48:37 +03:00
Alan Orth
446d402778 roles: minor fix to Debian version comparisons 2023-07-27 18:48:07 +03:00
Alan Orth
67379fc2e4 host_vars/web22: WordPress 6.2 2023-05-04 07:10:40 +03:00
Alan Orth
73546967b6 Pipfile.lock: run pipenv update 2023-05-04 06:58:25 +03:00
Alan Orth
16b661efe1 Pipfile.lock: run pipenv update 2023-04-14 10:09:29 -07:00
Alan Orth
fdb9a75489 roles/common: update tarsnap GPG key 2023-04-14 10:09:11 -07:00
Alan Orth
232d7a0348 host_vars/web22: WordPress 6.1.1 2022-11-24 18:31:48 +03:00
Alan Orth
6e4bb5bc34 host_vars/web21: use caddy 2022-11-13 18:58:57 +03:00
Alan Orth
c840ffe018 roles/caddy: improve vhost template 
Support domain aliases that redirect to the main domain and allow
sites to say they are static sites where they only need a document
root.
 2022-11-13 18:54:03 +03:00
Alan Orth
45c9d7ea0a Pipfile.lock: run pipenv update 2022-11-13 16:50:07 +03:00
Alan Orth
a62bc446e8 host_vars/web22: WordPress 6.1 2022-11-06 23:00:41 +03:00
Alan Orth
62a6a491db host_vars/web23: use caddy 2022-11-02 22:30:32 +03:00
Alan Orth
4867d6da6a Add basic caddy role 2022-11-02 22:29:30 +03:00
Alan Orth
d9f7c7a93b group_vars/web: set default webserver to nginx 
While I'm still getting experience with caddy and adapting it to my
workloads.
 2022-11-02 22:12:36 +03:00
Alan Orth
bc8c030700 roles/common: update Tarsnap GPG key 2022-11-02 22:11:37 +03:00
Alan Orth
f7598d8f1c Pipfile.lock: run pipenv update 2022-11-02 20:50:59 +03:00
Alan Orth
c353e84a84 site.yml: use fully-qualified modules 2022-10-25 21:08:27 +03:00
Alan Orth
99ca23f258 Pipfile.lock: run pipenv update 2022-10-17 19:56:30 +03:00
Alan Orth
b663d27fd8 roles/common: rework firewall_Debian.yml playbook 
Use newer Ansible task format, move from apt to package module, and
do package installs in one transaction using a list instead of a
loop.
 2022-09-12 17:25:40 +03:00
Alan Orth
67c99dacf6 roles/common: rework firewall_Ubuntu.yml playbook 
Use newer Ansible task format, move from apt to package module, and
do package installs in one transaction using a list instead of a loop.
 2022-09-12 17:18:33 +03:00
Alan Orth
4abf2b10e4 ansible.cfg: smart fact gathering 2022-09-12 17:18:19 +03:00
Alan Orth
f5199264f9 ansible.cfg: disable SSH host key checking 2022-09-12 17:14:39 +03:00
Alan Orth
b259f09cbd roles/common: add SSH public key from other machine 2022-09-12 17:06:31 +03:00
Alan Orth
f4b32e516b roles/mariadb: use newer Ansible task syntax 2022-09-12 10:16:42 +03:00
Alan Orth
fcb12ecee0 roles/mariadb: remove sources.list template 2022-09-12 10:13:27 +03:00
Alan Orth
5bc03ceacc roles/mariadb: install packages in single transaction 
Using a list we can install these in a single apt transaction. Also
use the newer task format.
 2022-09-12 10:12:07 +03:00
Alan Orth
c317429f6d roles/mariadb: rework package signing key and repo 2022-09-12 10:09:41 +03:00
Alan Orth
b512a7f765 roles/common: create /etc/apt/keyrings 
According the the Debian docs for third-party repositories we must
create this manually on distros before Debian 12 and Ubuntu 22.04.
This is due to changes in apt-secure and the deprecation of apt-key.

See: https://wiki.debian.org/DebianRepository/UseThirdParty
 2022-09-12 10:05:12 +03:00
Alan Orth
e3a87d4f79 roles/mariadb: MariaDB 10.6 
See: https://mariadb.com/kb/en/mariadb-1069-release-notes/
See: https://mariadb.com/kb/en/upgrading-from-mariadb-105-to-mariadb-106/
 2022-09-12 09:25:46 +03:00
Alan Orth
dec2d50fbc host_vars/web22: WordPress 6.0.2 2022-09-12 09:00:05 +03:00
Alan Orth
34be0013b7 Remove Debian 10 support 2022-09-11 09:21:08 +03:00
Alan Orth
399585f4e7 roles: don't compare literal true and false 
I changed these yesterday when editing the truthy values, but acco-
rding to ansible-link we can just rely on them being true or false
without comparing.
 2022-09-11 08:41:25 +03:00
Alan Orth
0240897b1b Remove Ubuntu 18.04 support 2022-09-10 23:30:04 +03:00
Alan Orth
1da0da53ec roles: use longer format for when conditionals 
When the condition is an AND we can use this more succinct format.
 2022-09-10 23:12:49 +03:00
Alan Orth
677cc9f160 roles/php-fpm: fix truthy-ness in when 2022-09-10 23:12:26 +03:00
Alan Orth
ffe7a872dd roles: strict truthy values 
According to Ansible we can use yes, true, True, "or any quoted st-
ring" for a boolean true, but ansible-lint wants us to use either
true or false.

See: https://chronicler.tech/red-hat-ansible-yes-no-and/
 2022-09-10 22:33:19 +03:00
Alan Orth
95d0005978 Add ansible-lint 2022-09-10 18:36:53 +03:00
Alan Orth
498766fdc4 Pipfile.lock: run pipenv update 2022-09-10 18:36:07 +03:00
Alan Orth
fc0fcc5742 roles/common: fix unnamed blocks 2022-09-10 18:35:27 +03:00
Alan Orth
587bd6dcdd roles: use fully qualified module names 2022-09-10 18:35:27 +03:00
Alan Orth
92a4c72809 Pipfile.lock: run pipenv update 2022-08-16 21:24:34 -07:00
Alan Orth
a2d61abba2 roles/mariadb: update mirror 
I started getting 'does not have a Release file' for the old repo-
sitory. Not sure why.
 2022-08-14 22:09:47 -07:00
Alan Orth
d2a5a28809 Pipfile.lock: run pipenv update 2022-08-01 15:20:56 +03:00
Alan Orth
84c0589aee host_vars/web22: WordPress 5.9.2 2022-03-31 22:35:15 +03:00
Alan Orth
2961578a54 roles/common: Update list of abusive IP addresses 
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml

Then I formatted the nftables files manually. Meh...
 2022-02-28 18:51:35 +03:00
Alan Orth
4d74f76b3c Pipfile.lock: run pipenv update 2022-02-04 21:47:53 +03:00
Alan Orth
9e737466c5 roles/common: Update list of abusive IP addresses 
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml

Then I formatted the nftables files manually. Meh...
 2022-02-04 21:47:37 +03:00
Alan Orth
0ffb1b1a36 roles/common: use pyinotify backend for nginx fail2ban jail 
This seems to be automatically selected, but on some other servers
I notice it is not. I will set it here explicitly so fail2ban does
not fall back to the inefficient "polling" or incorrect "systemd"
backends.
 2022-01-04 15:10:02 +02:00
Alan Orth
68f0b85eb3 Pipfile.lock: run pipenv update 2021-12-22 11:49:24 +02:00
Alan Orth
ebbde530d2 roles/common: Update list of abusive IP addresses 
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml

Then I created the nftables files manually. Meh...
 2021-12-22 11:40:27 +02:00
Alan Orth
ab47df6031 Use Python 3.10 with pipenv 2021-12-13 08:38:08 +02:00
Alan Orth
de75b2ffb6 host_vars/web22: WordPress 5.8.2 2021-11-30 19:48:18 +02:00
Alan Orth
e10d83dadd Pipfile.lock: run pipenv update 2021-11-30 19:34:46 +02:00
Alan Orth
f070fd9a64 roles/common: Update list of abusive IP addresses 
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
 2021-11-07 10:12:43 +02:00
Alan Orth
6e1527b1a8 Pipfile.lock: run pipenv update 2021-11-07 10:11:46 +02:00
Alan Orth
ebd8b0632b roles/common: Disable unsafe Diffie-Hellman SSH moduli 
The WeakDH team showed (in 2015) that Diffie-Hellman key exchange
with prime number groups of 1024 bits or less were weaker than we
previously thought, and well within the reach of nation states. They
recommended (in 2015) using 2048-bit or higher prime groups.

The SSH audit project recommends that we should use 3072-bit now.

See: https://weakdh.org/
See: https://github.com/jtesta/ssh-audit/
 2021-10-10 16:57:05 +03:00
Alan Orth
df26b6c17e roles/common: notify fail2ban after updating firewall 
We should always restart fail2ban after updating the firewall. Also
note that the order of execution of handlers depends on how they are
defined in the handler config, not on the order they are listed in
the task's notify statement.

See: https://docs.ansible.com/ansible/latest/user_guide/playbooks_handlers.html
 2021-09-28 10:45:51 +03:00
Alan Orth
d92151b8a6 roles/common: Update list of abusive IP addresses 
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml

Note: there were no IPv6 addresses in the top 10,000 this time so I
used a dummy address for the nftables set so the syntax was valid.
 2021-09-28 10:28:02 +03:00
Alan Orth
b13ead0657 roles/common: use a range for mosh ports in nftables 
This is better than a loop in Jinja (though that is useful!).
 2021-09-28 07:34:25 +03:00
Alan Orth
89ced6f952 Pipfile.lock: run pipenv update 2021-09-27 17:28:41 +03:00
Alan Orth
ae5ba0607a Remove host_vars/nomad01 
Replaced by web23.
 2021-09-27 14:17:48 +03:00
Alan Orth
89fd642b78 roles/nginx: minor rework of acme.sh tasks 
After the inital acme.sh script is downloaded and bootstrapped we
can remove it. If a host already has been bootstrapped then there
is no need to download it and do it over again.
 2021-09-27 13:40:17 +03:00
Alan Orth
65e6dd34cd roles/common: Add missing section to Debian 11 sshd_config 
We need to be able to configure the list of SSH users.
 2021-09-27 12:59:27 +03:00
Alan Orth
0421807e4d Add web23 
Will replace nomad01
 2021-09-27 12:22:45 +03:00
Alan Orth
d5eed5055e roles/nginx: Add support for gitea 
gitea hosts are basically webservers, but we need to proxy pass. I
am setting up gitea itself manually for now.
 2021-09-27 12:15:47 +03:00
Alan Orth
f8752bb3e7 roles/nginx: add todo about document roots 
We assume it's always /var/www/$domain_name but it can be overriden
in the host_vars...
 2021-09-27 12:05:53 +03:00
Alan Orth
170e591701 roles/common: Install rsync and lsof 2021-09-27 11:36:40 +03:00
Alan Orth
8d6c3c57c3 roles/nginx: install acme.sh after downloading 
This is basically just bootstrapping it. I used to do this by hand
before requesting the certs.
 2021-09-27 11:28:02 +03:00
Alan Orth
79b29f0c51 roles/nginx: generate snakeoil cert manually 
The ssl-cert does this, but it includes the hostname of the server
as the subject name in the cert, which is a huge leak of privacy.
 2021-09-27 10:48:24 +03:00
Alan Orth
a4acc85704 roles/common: Remove iptables on newer Debian 2021-09-27 10:35:38 +03:00
Alan Orth
f7b9aa67f5 roles/common: Fix comment about Debian 10 firewall 2021-09-27 10:31:31 +03:00
Alan Orth
0a39c4f0ef README.md: Update debian/ubuntu note 2021-09-27 10:13:47 +03:00
Alan Orth
85323d789c Remove host_vars/web19 
Replaced by web22.
 2021-09-13 11:49:32 +03:00
Alan Orth
341a1bf11e roles/php-fpm: Install php7.4-xml 
The RSS feeds in the WordPress admin dashboard need this.
 2021-09-13 10:19:33 +03:00
Alan Orth
6ee389eda5 roles/php-fpm: Use concrete dependencies 
The php-gd, php-mysql, etc packages are meta packages that just end
up installing the concrete ones for our specific version.
 2021-09-13 10:18:40 +03:00
Alan Orth
83fea62b0f host_vars/web22: WordPress 5.8.1 2021-09-13 07:37:40 +03:00
Alan Orth
0d1a5fbb25 Add host_vars/web22 
Will replace web19 soon.
 2021-09-12 21:59:38 +03:00
Alan Orth
4d8444abf2 host_vars/web21: Fix path to cert 2021-09-12 20:39:45 +03:00
Alan Orth
e8486f6c9e host_vars/nomad02: Update Drone to version 2 2021-09-10 21:49:00 +03:00
Alan Orth
20cd6f213c roles/common: cache_valid_time explicitly sets update_cache 
See: https://docs.ansible.com/ansible/latest/collections/ansible/builtin/apt_module.html
 2021-09-08 21:59:51 +03:00
Alan Orth
eb80e797c6 Add host_vars/web21 
Replaces web20.
 2021-09-08 21:57:04 +03:00
Alan Orth
736bb8eb38 Remove host_vars/web20 
Will be replaced by web21.
 2021-09-08 21:56:43 +03:00
Alan Orth
34a30c4d13 roles/common: Don't update apt cache when removing packages 2021-09-08 17:05:48 +03:00
Alan Orth
c03e75d736 roles/common: explicitly install systemd-timesyncd 
It is a standalone package on (at least) Ubuntu 20.04 and Debian 11
and some cloud images do not have it installed by default (for exa-
mple Scaleway).
 2021-09-08 17:04:46 +03:00
Alan Orth
d08f10f9c8 roles/common: Fix comment in ntp playbook 2021-09-08 17:04:20 +03:00
Alan Orth
8467dc1300 roles/mariadb: Change socket location 
Instead of using /var/run, just use /run directly. This is the real
path and it's the default anyways.
 2021-09-08 15:50:48 +03:00
Alan Orth
635bb5234d roles/common: fix logic for copying AbuseIPDB.com nft sets 
We have to force these because they are not updated on the host like
the other lists (API limit of five requests per day!). We update the
list periodically here in git.
 2021-09-08 09:58:13 +03:00
Alan Orth
37901da5b5 roles/common: update AbuseIPDB lists for nftables 2021-09-08 09:57:58 +03:00
Alan Orth
e36ae3b11e roles/common: Update list of abusive IP addresses 
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
 2021-09-08 09:35:36 +03:00
Alan Orth
81c1231a28 roles/php-fpm: Fix logic 
First, we cannot do a global check for has_wordpress or needs_php,
as those are defined per nginx vhost. Second, I realized that this
was only working in the past because vhosts that had WordPress or
needed PHP were listed first in the nginx_vhosts dict.

This changes the logic to first check if any vhosts have WordPress
or need PHP, then sets a fact that we can use to decide whether to
run php-fpm tasks or not.
 2021-09-08 09:32:06 +03:00
Alan Orth
bb6f058025 roles/php-fpm: whitespace 2021-09-07 20:12:31 +03:00
Alan Orth
547395b26e roles/nginx: Use php7.4-fpm socket on Debian 11 as well 2021-09-07 17:51:54 +03:00
Alan Orth
15208241d3 roles/common: Add git-lfs to base packages 2021-09-07 17:51:33 +03:00
Alan Orth
0fd05d496e roles/nginx: Set mode of downloaded acme.sh 2021-09-07 17:10:35 +03:00
Alan Orth
023a0d48ba roles/nginx: Remove old comment 2021-09-07 17:07:53 +03:00
Alan Orth
c687b7a91a roles/nginx: Run Let's Encrypt on Debian 11 too 2021-09-07 17:07:33 +03:00
Alan Orth
bd4ae36bb6 roles/mariadb: use socket for all operations 
Otherwise Ansible will try to connect with host 'localhost', which
we do not use (and we have disabled name resolution anyways).
 2021-09-07 16:48:15 +03:00
Alan Orth
b60637c7d9 roles/mariadb: Update comments for Ansible module 2021-09-07 16:47:47 +03:00
Alan Orth
479127a5e4 roles/common: Fix nftables handler in Debian firewall 
We used to use reload, but now the idempotent thing to do is to use
restart instead of reload.
 2021-09-07 15:43:33 +03:00
Alan Orth
d261f81642 roles/php-fpm: Use Ubuntu 20.04 configs on Debian 11 
They both use PHP 7.4.
 2021-09-06 21:19:57 +03:00
Alan Orth
6bc044d454 host_vars: remove mosh rules 
They are in roles/common now.
 2021-09-05 16:33:45 +03:00
Alan Orth
9e07e27fbe host_vars/web19: remove extra mosh rules 
These are now in the common role for all hosts.
 2021-09-05 16:24:28 +03:00
Alan Orth
575a9fdfe6 roles/common: Add mosh ports to common 
These have been in each hosts's "extra" rules lists forever and I
use them on every single host so they might as well be in the base
rules.
 2021-09-05 16:23:42 +03:00
Alan Orth
35fa3b0d72 roles/common: Fix typo in handlers 2021-09-05 16:19:31 +03:00
Alan Orth
ba5760bf8c host_vars/web19: WordPress 5.8 2021-09-05 15:55:58 +03:00
Alan Orth
5e918da88e Pipfile.lock: run pipenv update 2021-09-05 15:38:51 +03:00
Alan Orth
f7e87ea7be roles/common: Fix fail2ban ignoreip 
According to jail.conf we actually need to separate multiple values
with spaces instead of commas. On some versions of fail2ban this is
a fatal error:

> CRITICAL Unhandled exception in Fail2Ban:
> Traceback (most recent call last):
>   File "/usr/lib/python3/dist-packages/fail2ban/server/jailthread.py", line 66, in run_with_except_hook
>     run(*args, **kwargs)
>   File "/usr/lib/python3/dist-packages/fail2ban/server/filtersystemd.py", line 246, in run
>     *self.formatJournalEntry(logentry))
>   File "/usr/lib/python3/dist-packages/fail2ban/server/filter.py", line 432, in processLineAndAdd
>     if self.inIgnoreIPList(ip, log_ignore=True):
>   File "/usr/lib/python3/dist-packages/fail2ban/server/filter.py", line 371, in inIgnoreIPList
>     "(?<=b)1+", bin(DNSUtils.addr2bin(s[1]))).group())
>   File "/usr/lib/python3/dist-packages/fail2ban/server/filter.py", line 928, in addr2bin
>     return struct.unpack("!L", socket.inet_aton(ipstring))[0]
> OSError: illegal IP address string passed to inet_aton

This affects (at least) fail2ban 0.9.3 on Ubuntu 16.04, but I never
noticed.
 2021-08-12 15:24:50 +03:00
Alan Orth
7b233eb31d Pipfile.lock: Run pipenv update 
Ansible 4.3.0
 2021-08-01 16:14:42 +03:00
Alan Orth
b5ea575d8d roles/common: Always restart nftables service 
The "reload" capability only exists on Ubuntu, and it is exactly
the same as the "restart" functionality.
 2021-08-01 14:23:00 +03:00
Alan Orth
98cc3a8c2e Add nginx filter for fail2ban 
Some hosts can use fail2ban's nginx-botsearch filter to ban anyone
making requests to non-existent files like wp-login.php. There is
no reason to request such files naively and anyone found doing so
can be banned immediately.

In theory I should report them to AbuseIPDB.com, but that will take
a little more wiring up.
 2021-08-01 09:56:43 +03:00
Alan Orth
a67d901641 roles/common: Use AbuseIPDB.com list in nftables 
For now I am still manually updating this, as we can only hit their
API five times per day, so it is not possible to have each host get
the list themselves every day with our one API key.
 2021-07-31 21:46:50 +03:00
Alan Orth
7ae100faeb roles/common: Add comments to nftables.conf 2021-07-30 09:37:30 +03:00
Alan Orth
debcb21161 roles/common: Install curl for Abuse.ch update scripts 2021-07-29 10:24:32 +03:00
Alan Orth
8dd7663b3c roles/common: Use Abuse.ch's SSL Blacklist in nftables 
This adds Abuse.sh's list of IPs using blacklisted SSL certificates
to nftables. These IPs are high confidence indicators of compromise
and we should not route them. The list is updated daily by a systemd
timer.

See: https://sslbl.abuse.ch/blacklist/
 2021-07-29 10:16:00 +03:00
Alan Orth
cba2a7a996 roles/common: Fix nftables in Debian firewall 
The previous commit meant to move the service start, not the config
copying task.
 2021-07-29 10:10:04 +03:00
Alan Orth
197bdf7666 roles/common: Start nftables service later 
We should only try to start the nftables service after we finish
copying all the config files just in case there is some unclean
state in one of them. On a first run this shouldn't matter, but
after nftables and some abuse list update scripts have run this
can happen (mostly in testing!).
 2021-07-29 10:05:15 +03:00
Alan Orth
46fc2ce3d4 roles/common: Move cleanup to a one-off play 
We only need to run this once on existing hosts that are using the
old firewalld/ipsets setup before applying the new nftables config.
 2021-07-29 10:00:30 +03:00
Alan Orth
b4d50166f4 roles/common: Fix loop in firewall cleanup 2021-07-28 23:46:53 +03:00
Alan Orth
c336b217c5 Remove extra TCP ports from firewall rules 
Now all web hosts get TCP 80 and 443 open automatically.
 2021-07-28 14:49:50 +03:00
Alan Orth
af6c3dd12a roles/common: Update cache in firewall playbook 
cron-apt updates the system against the security-only databases at
night so many packages are "missing" unless you run apt update. We
need to update the cache on all apt tasks actually because I might
be running them by their tag and they currently only get updated at
the beginning of the playbook.
 2021-07-28 14:46:58 +03:00
Alan Orth
b66c724109 roles/common: Use nftables on Ubuntu 20.04 as well 
This mostly copies the Debian 11 nftables setup and includes a play
to clean up the old firewalld settings, timers, etc.
 2021-07-28 14:18:41 +03:00
Alan Orth
8bc2b6f493 roles/common: Retab nftables.conf.j2 2021-07-27 22:03:23 +03:00
Alan Orth
a74d6dfc08 roles/common: Don't overwrite spamhaus nft sets 
The ones in this repo are only placeholders that get updated by the
update-spamhaus-nftables service, so we shouldn't overwrite them if
they exist.
 2021-07-27 22:01:57 +03:00
Alan Orth
d3922e7878 roles/common: Port configurable firewall logic to nftables 
This opens TCP port 22 on all hosts, TCP ports 80 and 443 on hosts
in the web group, and allows configuration of "extra" rules in the
host or group vars.
 2021-07-27 21:22:32 +03:00
Alan Orth
14814aa5d9 roles/common: Wire up fail2ban 
The nftables support works easily and creates the table, chains, and
sets on demand.
 2021-07-26 22:07:31 +03:00
Alan Orth
3b053167b1 roles/common: Fix sources.list for Debian 11 Bullseye 
Seems the path to the security updates repo changed.
 2021-07-26 21:12:05 +03:00
Alan Orth
9bba0d96bb roles/common: Add initial support for nftables on Debian 11 
I will try using nftables directly instead of via firewalld as of
Debian 11 as it is the replacement for the iptables/ipset stack in
recent years and is easier to work with.

This also includes a systemd service, timer, and script to update
the spamhaus DROP lists as nftables sets.

Still need to add fail2ban support.
 2021-07-26 13:09:41 +03:00
Alan Orth
38c333045b roles/common: bring Ubuntu firewall changes to Debian 11 
Note that there is currently an issue loading the spamhaus rules on
Debian 11 when using ipsets with firewalld and the nftables backend.
The bug is apparently caused by overlapping CIDR segments, and the
solution appears to be that we need to manually aggregate them with
a tool like aggregate6 (Python).

See: https://bugzilla.redhat.com/show_bug.cgi?id=1836571
See: https://wiki.fysik.dtu.dk/it/Linux_firewall_configuration#using-ipsets-in-firewalld-on-rhel-centos-8
See: https://github.com/job/aggregate6
 2021-07-24 23:09:33 +03:00
Alan Orth
d4ede33099 roles/common: Don't configure apt sources on ARM 
I was using this on Ubuntu, but might as well bring it here too so
that I can run Debian on Scaleway's ARM instances, for example.
 2021-07-24 22:32:20 +03:00
Alan Orth
0bad75788d roles/common: Add encryption settings to Debian 11 sshd_config 
Mostly based on the ssh-audit policy for OpenSSH 8.4, but with any
algorithms using less than 256 bits removed. NSA's Suite B removed
these long ago, and the new CNSA suite only uses 256 and up.

See: https://github.com/jtesta/ssh-audit/blob/master/src/ssh_audit/policy.py
See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
 2021-07-24 22:28:59 +03:00
Alan Orth
892033b880 roles/common: port common settings to Debian 11 sshd_config 
Still need to add the encryption settings.
 2021-07-22 14:16:20 +03:00
Alan Orth
7c6ab2a652 roles/common: Add sshd_config from Debian 11 RC2 2021-07-22 14:15:00 +03:00
Alan Orth
1c95c1faa8 roles/common: Update KexAlgorithms in Ubuntu 20.04 sshd_config 
Recommended by ssh-audit. Note that curve25519-sha256 is the new name
for the previously private implementation in libssh.
 2021-07-22 12:57:31 +03:00
Alan Orth
9ea14de6f5 roles/common: Remove Encrypt-and-MAC modes from Ubuntu 20.04 sshd_config 
Recommended by ssh-audit, but also generally the concensus for a few
years that Encrypt-and-MAC is hard to get right. OpenSSH has several
Encrypt-then-MAC schemes available so we can use those.

See: https://www.daemonology.net/blog/2009-06-24-encrypt-then-mac.html
 2021-07-22 12:48:12 +03:00
Alan Orth
9b7a31ebf9 roles/common: Remove 00-persistent-journal.conf 
This was to enable the persistent systemd journal, but it is no lo-
nger needed as of Ubuntu 18.04 and Debian 11. I had removed the ta-
asks long ago, but forgot to remove this file.
 2021-07-21 10:02:33 +03:00
Alan Orth
d7c34a30a3 roles/common: Add Spamhaus DROP lists to firewalld ipsets 
This configures the recommended DROP, EDROP, and DROPv6 lists from
Spamhaus as ipsets in firewalld. First we copy an empty placeholder
ipset to seed firewalld, then we use a shell script to download the
real lists and activate them. The same shell script is run daily as
a service (update-spamhaus-lists.service) by a systemd timer.

I am strictly avoiding any direct ipset commands here because I want
to make sure that this works on older hosts where ipsets is used as
well as newer hosts that have moved to nftables such as Ubuntu 20.04.
So far I have tested this on Ubuntu 16.04, 18.04, and 20.04, but ev-
entually I need to abstract the tasks and run them on CentOS 7+ as
well.

See: https://www.spamhaus.org/drop/
 2021-07-21 09:34:51 +03:00
Alan Orth
ee5f4cdf74 host_vars: don't hard code python path 
We now use auto mode in ansible.cfg, so we don't need to hard code
this in every single host's vars file.

See: https://docs.ansible.com/ansible/latest/reference_appendices/interpreter_discovery.html
 2021-07-07 12:23:05 +03:00
Alan Orth
b014c09a2c ansible.cfg: Use auto discovery of Python interpreter 
Uses a built-in table of OSes and Python versions to decide which
Python interpreter to use. This is better than hard coding python3
in every single host's host_vars.

See: https://docs.ansible.com/ansible/latest/reference_appendices/interpreter_discovery.html
 2021-07-07 12:22:00 +03:00
Alan Orth
531ff99af0 roles/common: Update list of abusive IP addresses 
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
 2021-07-04 11:15:32 +03:00
Alan Orth
82d3a7ff2a roles/nginx: Add convenience tags to fact task 2021-07-01 18:17:14 +03:00
Alan Orth
6c3cf40a16 roles/nginx: Use snakeoil cert from ssl-cert 
Instead of manually creating our own self-signed certificate we can
use the one created automatically by the ssl-cert package on Debian.
This is only used by the dummy default HTTPS vhost.
 2021-07-01 18:11:34 +03:00
Alan Orth
681be5eb19 Pipfile.lock: run pipenv update 
Ansible 4.2.0 and Ansible Core 2.11.2
 2021-07-01 18:11:11 +03:00
Alan Orth
4fae56a386 host_vars/web19: WordPress 5.7.2 2021-06-13 16:14:22 +03:00
Alan Orth
1d5db7bdbe Pipfile.lock: run pipenv update 2021-06-13 16:14:05 +03:00
Alan Orth
32da3a3341 Pipfile.lock: Re-create pipenv environment for Ansible 4.0.0 
Seems we need to manually uninstall and re-install.
 2021-05-20 10:21:01 +03:00
Alan Orth
31a3f5832a roles/common: Update list of abusive IP addresses 
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
 2021-05-20 10:20:47 +03:00
Alan Orth
3e7130b519 Pipfile.lock: run pipenv update 2021-05-14 13:56:56 +03:00
Alan Orth
bd0b6a16de roles/nginx/defaults/main.yml: Update version comment 
Stable is now 1.20.0
 2021-05-10 16:00:44 +03:00
Alan Orth
7145298f90 Pipfile.lock: Run pipenv update 2021-05-10 15:59:34 +03:00
Alan Orth
1bfd2bc441 Pipfile.lock: Run pipenv update 
Ansible 3.3.0
 2021-04-28 12:49:23 +03:00
Alan Orth
884b3b8425 host_vars/web19: remove dead host 2021-04-24 20:17:17 +03:00
Alan Orth
e06a0c4093 host_vars/web19: WordPress 5.7.1 2021-04-16 19:51:55 +03:00
Alan Orth
7ba5afcec4 roles/nginx: Opt out of Google FLoC 
Google's new Federated Learning of Cohorts (FLoC) will read user's
browser history and assign them to cohorts to track them unless we
set this header.
 2021-04-16 12:41:09 +03:00
Alan Orth
d3978e5b07 Pipfile.lock: run pipenv update 2021-04-13 14:28:34 +03:00
Alan Orth
4150dac57b roles/common: Update list of abusive IP addresses 
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
 2021-04-13 12:11:11 +03:00
Alan Orth
58bc9d191f roles/common: Update list of abusive IP addresses 
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
 2021-03-24 10:02:43 +02:00
Alan Orth
96cefc7f74 roles/nginx: Parameterize HSTS header 
This parameterizes the HTTP Strict Transport Security header so we
can use it consistently across all templates. Also, it updates the
max-age to be ~1 year in seconds, which is recommended by Google.

See: https://hstspreload.org/
 2021-03-23 15:36:28 +02:00
Alan Orth
f85eb2841a roles/nginx: Add webroot to systemd renewal service 2021-03-20 00:18:17 +02:00
Alan Orth
5d506ebc65 README.md: Update copyright year 2021-03-20 00:16:16 +02:00
Alan Orth
af49f27551 roles/nginx: Update comment in defaults 2021-03-19 23:50:39 +02:00
Alan Orth
f341d2e5eb roles/nginx: Remove nginx pre/post hooks 
We are now using the well-known webroot.
 2021-03-19 23:46:22 +02:00
Alan Orth
ceba0ea417 roles/nginx: Use consistent task style 2021-03-19 23:45:41 +02:00
Alan Orth
a34cb1e666 roles/nginx: Switch to acme.sh for Let's Encrypt 
The certbot-auto client that I've been using for a long time is now
only supported if you install it using snap. I don't use snap on my
systems so I decided to switch to the acme.sh client, which is imp-
lemented in POSIX shell with no dependencies. One bonus of this is
that I can start using ECC certificates.

This also configures the .well-known directory so we can use webroot
when installing and renewing certificates. I have yet to understand
how the renewal works with regards to webroot, though. I may have to
update the systemd timers to point to /var/lib/letsencrypt/.well-known.
 2021-03-19 23:39:30 +02:00
Alan Orth
65fc52c5e5 roles/nginx: Use variable for nginx_ssl_dhparam 
I went years without realizing that I was hard coding the file dest
in this particular task.
 2021-03-19 18:13:55 +02:00
Alan Orth
7f13c8c675 host_vars/web19: WordPress 3.7 2021-03-19 13:27:34 +02:00
Alan Orth
9c36cfb8e5 Pipfile.lock: Run pipenv update 2021-03-19 13:18:19 +02:00
Alan Orth
7f72a9eda4 roles/nginx: Use RFC 7919 4096-bit dhparams 
Recommended by internet.nl, which made me aware of RFC 7919.

See: https://tools.ietf.org/html/rfc7919#page-14
 2021-03-19 13:13:56 +02:00
Alan Orth
6e96d48ea6 Pipfile.lock: Run pipenv update 
Ansible 3.0.0
 2021-03-01 15:27:58 +02:00
Alan Orth
db412066b3 roles/mariadb: Only create users on 127.0.0.1 and ::1 
A few months ago I disabled hostname lookups so only IP addresses
work now anyways.
 2021-02-13 13:11:28 +02:00
Alan Orth
63a836e2a7 roles/common: Update Tarsnap GPG key 
Apparently this changed since I last ran the tarsnap task.
 2021-02-13 12:57:17 +02:00
Alan Orth
dd04238a83 host_vars/web19: Add dev domain 2021-02-13 12:18:31 +02:00
Alan Orth
efdbeb75ea host_vars/web19: WordPress 5.6.1 2021-02-13 11:48:21 +02:00
Alan Orth
cd4411260c roles/common: Update list of abusive IP addresses 
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
 2021-02-07 15:56:33 +02:00
Alan Orth
8cb232a765 Pipfile.lock: Run pipenv update 2021-02-07 15:53:10 +02:00
Alan Orth
d4ca119265 Pipfile.lock: run pipenv update 
Minor Ansible update
 2021-01-27 11:06:12 +02:00
Alan Orth
f72f8c7a8d host_vars/web19: Remove piwik nginx host 2021-01-06 09:07:41 +02:00
Alan Orth
d7fa1697a1 host_vars/web19: Remove piwik database 2021-01-06 09:00:54 +02:00
Alan Orth
b0420d2adb roles: Remove mentions of Piwik 
I never check the damn analytics stats and the database is huge.
 2021-01-06 09:00:18 +02:00
Alan Orth
c70ebba151 Add host_vars/web20 2021-01-01 19:55:14 +02:00
Alan Orth
ac860e72f2 roles/php-fpm: Only run PHP tasks if we need them 2021-01-01 19:54:12 +02:00
Alan Orth
101c05d248 web.yml: Only run MariaDB role if it is needed 
Not all web hosts need this. Some are static sites, for example.
 2021-01-01 19:28:40 +02:00
Alan Orth
1b75679496 roles/mariadb: The service is mariadb 2020-12-29 11:25:30 +02:00
Alan Orth
ebf4a4c2ac roles/mariadb: Disable name lookups 
Add skip-name-resolve=1 to disable lookups of hostnames to IPs. We
need to make sure all accounts are using IPs like 127.0.0.1 instead
of "localhost" now.
 2020-12-29 11:19:01 +02:00
Alan Orth
57a83cef26 roles/mariadb: Tweak temp table size 
mysqltuner.pl said:

    When making adjustments, make tmp_table_size/max_heap_table_size equal
 2020-12-29 11:10:31 +02:00
Alan Orth
8ee52143fc roles/mariadb: Disable the query cache by default 
It seems that the usefulness of the query cache is diminishing in
recent years. If your cache is large then the time taken to scan
the cache can be longer than the SQL query itself.

See: https://haydenjames.io/mysql-query-cache-size-performance/
 2020-12-29 11:07:33 +02:00
Alan Orth
67a18c4f49 roles/mariadb: Reduce key buffer size 
mysqltuner.pl shows currently 6M out of 33M being used.
 2020-12-29 10:58:12 +02:00
Alan Orth
b8428e67a8 roles/mariadb: Install MariaDB 10.5 2020-12-29 10:41:27 +02:00
Alan Orth
e18529e6e1 roles/mariadb: Update service name 
As of MariaDB 10.5 the service name and binaries have changed from
mysql, mysqld, etc to mariadbd.

See: https://mariadb.com/kb/en/upgrading-from-mariadb-104-to-mariadb-105/
 2020-12-29 10:40:13 +02:00
Alan Orth
89db1449d1 roles/mariadb: Fetch signing key from mariadb.org 
I downloaded the key and checked the fingerprint with gpg:

    $ gpg --dry-run --import mariadb_release_signing_key.asc
    gpg: key F1656F24C74CD1D8: 6 signatures not checked due to missing keys
    gpg: Total number processed: 1
 2020-12-29 10:36:33 +02:00
Alan Orth
6660a0cd36 roles/mariadb: Remove innodb_buffer_pool_instances 
This was deprecated in MariaDB 10.5. The setting is now ignored and
will be removed in a future version.

See: https://mariadb.com/kb/en/changes-improvements-in-mariadb-105/#innodb-removed-or-deprecated-variables
 2020-12-29 10:18:23 +02:00
Alan Orth
e7d5cb1edb host_vars/web19: Override root for picturingjordan.com 2020-12-28 22:55:57 +02:00
Alan Orth
73d6abd15f roles/nginx: Allow sites to override the root 2020-12-28 22:53:32 +02:00
Alan Orth
e1b412bfff roles/common: Update list of abusive IP addresses 
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
 2020-12-23 09:01:08 +02:00
Alan Orth
39994f118c host_vars/web19: WordPress 5.6 2020-12-22 15:44:01 +02:00
Alan Orth
10b6b11be5 Pipfile.lock: Run pipenv update 2020-12-22 15:35:26 +02:00
Alan Orth
d4fd06862a roles/nginx: Fix Let's Encrypt pre/post renewal hooks 2020-12-10 15:20:23 +02:00
Alan Orth
d553f80a00 Run pipenv update 2020-12-09 22:47:44 +02:00
Alan Orth
b5921b6b34 host_vars/nomad02: Add drone.io deployment notes 2020-12-09 22:14:52 +02:00
Alan Orth
08aaeb1395 Add host_vars/nomad02 
To run drone.io
 2020-12-09 16:27:47 +02:00
Alan Orth
ae98fc5cf1 host_vars/nomad01: Fix ports 2020-12-09 16:04:24 +02:00
104 changed files with 2772 additions and 16447 deletions
Expand all files Collapse all files

3
Pipfile
View File

@@ -7,6 +7,7 @@ verify_ssl = true
[packages] [packages]
ansible = "*" ansible = "*"
ansible-lint = "*"
[requires] [requires]
python_version = "3.9" python_version = "3.13"

825
Pipfile.lock generated
View File

@@ -1,11 +1,11 @@
{ {
"_meta": { "_meta": {
"hash": { "hash": {
"sha256": "65b615b857250757470e21fc3a4b1cdfe75b4b012c0d1d633a5ebf1988d9cb91" "sha256": "47970866f4ffc7775e3a95dd04ee8b75f9784c457baadd8a31fe1783584fa73f"
}, },
"pipfile-spec": 6, "pipfile-spec": 6,
"requires": { "requires": {
"python_version": "3.9" "python_version": "3.13"
}, },
"sources": [ "sources": [
{ {
@@ -18,181 +18,730 @@
"default": { "default": {
"ansible": { "ansible": {
"hashes": [ "hashes": [
"sha256:98e718aea82199be62db7731373d660627aa1e938d34446588f2f49c228638ee" "sha256:1a17f8c593a973e6d81f10ebfe7eac53e799616f745d57b99bd36b34f79f16a2",
"sha256:1b3ad8158dd2597ce45a864a55ca09e5be1807cc97f44a00c39d7bb9e1520aa6"
], ],
"index": "pypi", "index": "pypi",
"version": "==2.10.4" "markers": "python_version >= '3.11'",
"version": "==12.0.0"
}, },
"ansible-base": { "ansible-compat": {
"hashes": [ "hashes": [
"sha256:35a208726b10fecbcf00c263ae4572b48f505b5796fb77a85c3e9c1036ea5e4f" "sha256:5bb843838414b75efff24dae5ff5b332cd503a596143d471980243cec4b46c9c",
"sha256:f29ab81264b3f04fb94ac2d7f68fe73efc2eb3cbe4ecf00f9b4742e77c41756f"
], ],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", "markers": "python_version >= '3.10'",
"version": "==2.10.3" "version": "==25.8.1"
},
"ansible-core": {
"hashes": [
"sha256:1fe6ca533951b5ba4a619e763ea4f6725f68c36677c7d5aaa467b59aa449bdc8",
"sha256:87fcbbc492ed16eb6adb0379bae0adbf69f3ce88a8440e7e88e0dcefa9f8a54c"
],
"markers": "python_version >= '3.11'",
"version": "==2.19.2"
},
"ansible-lint": {
"hashes": [
"sha256:2d5a8a2b01c46966591a17769a129142181515aac19c27742ecb8c94e84bf692",
"sha256:b8fe138a1257c6e58a755febd726b3186820f6dcb23a5bb062538c939a7277bb"
],
"index": "pypi",
"markers": "python_version >= '3.10'",
"version": "==25.9.0"
},
"attrs": {
"hashes": [
"sha256:427318ce031701fea540783410126f03899a97ffc6f61596ad581ac2e40e3bc3",
"sha256:75d7cefc7fb576747b2c81b4442d4d4a1ce0900973527c011d1030fd3bf4af1b"
],
"markers": "python_version >= '3.8'",
"version": "==25.3.0"
},
"black": {
"hashes": [
"sha256:0172a012f725b792c358d57fe7b6b6e8e67375dd157f64fa7a3097b3ed3e2175",
"sha256:0474bca9a0dd1b51791fcc507a4e02078a1c63f6d4e4ae5544b9848c7adfb619",
"sha256:154b06d618233fe468236ba1f0e40823d4eb08b26f5e9261526fde34916b9140",
"sha256:1b9dc70c21ef8b43248f1d86aedd2aaf75ae110b958a7909ad8463c4aa0880b0",
"sha256:2ab0ce111ef026790e9b13bd216fa7bc48edd934ffc4cbf78808b235793cbc92",
"sha256:3bec74ee60f8dfef564b573a96b8930f7b6a538e846123d5ad77ba14a8d7a64f",
"sha256:456386fe87bad41b806d53c062e2974615825c7a52159cde7ccaeb0695fa28fa",
"sha256:474b34c1342cdc157d307b56c4c65bce916480c4a8f6551fdc6bf9b486a7c4ae",
"sha256:77e7060a00c5ec4b3367c55f39cf9b06e68965a4f2e61cecacd6d0d9b7ec945a",
"sha256:846d58e3ce7879ec1ffe816bb9df6d006cd9590515ed5d17db14e17666b2b357",
"sha256:8e46eecf65a095fa62e53245ae2795c90bdecabd53b50c448d0a8bcd0d2e74c4",
"sha256:9101ee58ddc2442199a25cb648d46ba22cd580b00ca4b44234a324e3ec7a0f7e",
"sha256:a16b14a44c1af60a210d8da28e108e13e75a284bf21a9afa6b4571f96ab8bb9d",
"sha256:aaf319612536d502fdd0e88ce52d8f1352b2c0a955cc2798f79eeca9d3af0608",
"sha256:b756fc75871cb1bcac5499552d771822fd9db5a2bb8db2a7247936ca48f39831",
"sha256:c0372a93e16b3954208417bfe448e09b0de5cc721d521866cd9e0acac3c04a1f",
"sha256:ce41ed2614b706fd55fd0b4a6909d06b5bab344ffbfadc6ef34ae50adba3d4f7",
"sha256:d119957b37cc641596063cd7db2656c5be3752ac17877017b2ffcdb9dfc4d2b1",
"sha256:e3c1f4cd5e93842774d9ee4ef6cd8d17790e65f44f7cdbaab5f2cf8ccf22a823",
"sha256:e593466de7b998374ea2585a471ba90553283fb9beefcfa430d84a2651ed5933",
"sha256:ef69351df3c84485a8beb6f7b8f9721e2009e20ef80a8d619e2d1788b7816d47",
"sha256:f96b6726d690c96c60ba682955199f8c39abc1ae0c3a494a9c62c0184049a713"
],
"markers": "python_version >= '3.9'",
"version": "==25.9.0"
},
"bracex": {
"hashes": [
"sha256:0b0049264e7340b3ec782b5cb99beb325f36c3782a32e36e876452fd49a09952",
"sha256:98f1347cd77e22ee8d967a30ad4e310b233f7754dbf31ff3fceb76145ba47dc7"
],
"markers": "python_version >= '3.9'",
"version": "==2.6"
}, },
"cffi": { "cffi": {
"hashes": [ "hashes": [
"sha256:00a1ba5e2e95684448de9b89888ccd02c98d512064b4cb987d48f4b40aa0421e", "sha256:00bdf7acc5f795150faa6957054fbbca2439db2f775ce831222b66f192f03beb",
"sha256:00e28066507bfc3fe865a31f325c8391a1ac2916219340f87dfad602c3e48e5d", "sha256:07b271772c100085dd28b74fa0cd81c8fb1a3ba18b21e03d7c27f3436a10606b",
"sha256:045d792900a75e8b1e1b0ab6787dd733a8190ffcf80e8c8ceb2fb10a29ff238a", "sha256:087067fa8953339c723661eda6b54bc98c5625757ea62e95eb4898ad5e776e9f",
"sha256:0638c3ae1a0edfb77c6765d487fee624d2b1ee1bdfeffc1f0b58c64d149e7eec", "sha256:0a1527a803f0a659de1af2e1fd700213caba79377e27e4693648c2923da066f9",
"sha256:105abaf8a6075dc96c1fe5ae7aae073f4696f2905fde6aeada4c9d2926752362", "sha256:0cf2d91ecc3fcc0625c2c530fe004f82c110405f101548512cce44322fa8ac44",
"sha256:155136b51fd733fa94e1c2ea5211dcd4c8879869008fc811648f16541bf99668", "sha256:0f6084a0ea23d05d20c3edcda20c3d006f9b6f3fefeac38f59262e10cef47ee2",
"sha256:1a465cbe98a7fd391d47dce4b8f7e5b921e6cd805ef421d04f5f66ba8f06086c", "sha256:12873ca6cb9b0f0d3a0da705d6086fe911591737a59f28b7936bdfed27c0d47c",
"sha256:1d2c4994f515e5b485fd6d3a73d05526aa0fcf248eb135996b088d25dfa1865b", "sha256:19f705ada2530c1167abacb171925dd886168931e0a7b78f5bffcae5c6b5be75",
"sha256:2c24d61263f511551f740d1a065eb0212db1dbbbbd241db758f5244281590c06", "sha256:1cd13c99ce269b3ed80b417dcd591415d3372bcac067009b6e0f59c7d4015e65",
"sha256:51a8b381b16ddd370178a65360ebe15fbc1c71cf6f584613a7ea08bfad946698", "sha256:1e3a615586f05fc4065a8b22b8152f0c1b00cdbc60596d187c2a74f9e3036e4e",
"sha256:594234691ac0e9b770aee9fcdb8fa02c22e43e5c619456efd0d6c2bf276f3eb2", "sha256:1f72fb8906754ac8a2cc3f9f5aaa298070652a0ffae577e0ea9bd480dc3c931a",
"sha256:5cf4be6c304ad0b6602f5c4e90e2f59b47653ac1ed9c662ed379fe48a8f26b0c", "sha256:1fc9ea04857caf665289b7a75923f2c6ed559b8298a1b8c49e59f7dd95c8481e",
"sha256:64081b3f8f6f3c3de6191ec89d7dc6c86a8a43911f7ecb422c60e90c70be41c7", "sha256:203a48d1fb583fc7d78a4c6655692963b860a417c0528492a6bc21f1aaefab25",
"sha256:6bc25fc545a6b3d57b5f8618e59fc13d3a3a68431e8ca5fd4c13241cd70d0009", "sha256:2081580ebb843f759b9f617314a24ed5738c51d2aee65d31e02f6f7a2b97707a",
"sha256:798caa2a2384b1cbe8a2a139d80734c9db54f9cc155c99d7cc92441a23871c03", "sha256:21d1152871b019407d8ac3985f6775c079416c282e431a4da6afe7aefd2bccbe",
"sha256:7c6b1dece89874d9541fc974917b631406233ea0440d0bdfbb8e03bf39a49b3b", "sha256:24b6f81f1983e6df8db3adc38562c83f7d4a0c36162885ec7f7b77c7dcbec97b",
"sha256:840793c68105fe031f34d6a086eaea153a0cd5c491cde82a74b420edd0a2b909", "sha256:256f80b80ca3853f90c21b23ee78cd008713787b1b1e93eae9f3d6a7134abd91",
"sha256:8d6603078baf4e11edc4168a514c5ce5b3ba6e3e9c374298cb88437957960a53", "sha256:28a3a209b96630bca57cce802da70c266eb08c6e97e5afd61a75611ee6c64592",
"sha256:9cc46bc107224ff5b6d04369e7c595acb700c3613ad7bcf2e2012f62ece80c35", "sha256:2c8f814d84194c9ea681642fd164267891702542f028a15fc97d4674b6206187",
"sha256:9f7a31251289b2ab6d4012f6e83e58bc3b96bd151f5b5262467f4bb6b34a7c26", "sha256:2de9a304e27f7596cd03d16f1b7c72219bd944e99cc52b84d0145aefb07cbd3c",
"sha256:9ffb888f19d54a4d4dfd4b3f29bc2c16aa4972f1c2ab9c4ab09b8ab8685b9c2b", "sha256:38100abb9d1b1435bc4cc340bb4489635dc2f0da7456590877030c9b3d40b0c1",
"sha256:a7711edca4dcef1a75257b50a2fbfe92a65187c47dab5a0f1b9b332c5919a3fb", "sha256:3925dd22fa2b7699ed2617149842d2e6adde22b262fcbfada50e3d195e4b3a94",
"sha256:af5c59122a011049aad5dd87424b8e65a80e4a6477419c0c1015f73fb5ea0293", "sha256:3e17ed538242334bf70832644a32a7aae3d83b57567f9fd60a26257e992b79ba",
"sha256:b18e0a9ef57d2b41f5c68beefa32317d286c3d6ac0484efd10d6e07491bb95dd", "sha256:3e837e369566884707ddaf85fc1744b47575005c0a229de3327f8f9a20f4efeb",
"sha256:b4e248d1087abf9f4c10f3c398896c87ce82a9856494a7155823eb45a892395d", "sha256:3f4d46d8b35698056ec29bca21546e1551a205058ae1a181d871e278b0b28165",
"sha256:ba4e9e0ae13fc41c6b23299545e5ef73055213e466bd107953e4a013a5ddd7e3", "sha256:44d1b5909021139fe36001ae048dbdde8214afa20200eda0f64c068cac5d5529",
"sha256:c6332685306b6417a91b1ff9fae889b3ba65c2292d64bd9245c093b1b284809d", "sha256:45d5e886156860dc35862657e1494b9bae8dfa63bf56796f2fb56e1679fc0bca",
"sha256:d9efd8b7a3ef378dd61a1e77367f1924375befc2eba06168b6ebfa903a5e59ca", "sha256:4647afc2f90d1ddd33441e5b0e85b16b12ddec4fca55f0d9671fef036ecca27c",
"sha256:df5169c4396adc04f9b0a05f13c074df878b6052430e03f50e68adf3a57aa28d", "sha256:4671d9dd5ec934cb9a73e7ee9676f9362aba54f7f34910956b84d727b0d73fb6",
"sha256:ebb253464a5d0482b191274f1c8bf00e33f7e0b9c66405fbffc61ed2c839c775", "sha256:53f77cbe57044e88bbd5ed26ac1d0514d2acf0591dd6bb02a3ae37f76811b80c",
"sha256:ec80dc47f54e6e9a78181ce05feb71a0353854cc26999db963695f950b5fb375", "sha256:5eda85d6d1879e692d546a078b44251cdd08dd1cfb98dfb77b670c97cee49ea0",
"sha256:f032b34669220030f905152045dfa27741ce1a6db3324a5bc0b96b6c7420c87b", "sha256:5fed36fccc0612a53f1d4d9a816b50a36702c28a2aa880cb8a122b3466638743",
"sha256:f60567825f791c6f8a592f3c6e3bd93dd2934e3f9dac189308426bd76b00ef3b", "sha256:61d028e90346df14fedc3d1e5441df818d095f3b87d286825dfcbd6459b7ef63",
"sha256:f803eaa94c2fcda012c047e62bc7a51b0bdabda1cad7a92a522694ea2d76e49f" "sha256:66f011380d0e49ed280c789fbd08ff0d40968ee7b665575489afa95c98196ab5",
"sha256:6824f87845e3396029f3820c206e459ccc91760e8fa24422f8b0c3d1731cbec5",
"sha256:6c6c373cfc5c83a975506110d17457138c8c63016b563cc9ed6e056a82f13ce4",
"sha256:6d02d6655b0e54f54c4ef0b94eb6be0607b70853c45ce98bd278dc7de718be5d",
"sha256:6d50360be4546678fc1b79ffe7a66265e28667840010348dd69a314145807a1b",
"sha256:730cacb21e1bdff3ce90babf007d0a0917cc3e6492f336c2f0134101e0944f93",
"sha256:737fe7d37e1a1bffe70bd5754ea763a62a066dc5913ca57e957824b72a85e205",
"sha256:74a03b9698e198d47562765773b4a8309919089150a0bb17d829ad7b44b60d27",
"sha256:7553fb2090d71822f02c629afe6042c299edf91ba1bf94951165613553984512",
"sha256:7a66c7204d8869299919db4d5069a82f1561581af12b11b3c9f48c584eb8743d",
"sha256:7cc09976e8b56f8cebd752f7113ad07752461f48a58cbba644139015ac24954c",
"sha256:81afed14892743bbe14dacb9e36d9e0e504cd204e0b165062c488942b9718037",
"sha256:8941aaadaf67246224cee8c3803777eed332a19d909b47e29c9842ef1e79ac26",
"sha256:89472c9762729b5ae1ad974b777416bfda4ac5642423fa93bd57a09204712322",
"sha256:8ea985900c5c95ce9db1745f7933eeef5d314f0565b27625d9a10ec9881e1bfb",
"sha256:8eca2a813c1cb7ad4fb74d368c2ffbbb4789d377ee5bb8df98373c2cc0dee76c",
"sha256:92b68146a71df78564e4ef48af17551a5ddd142e5190cdf2c5624d0c3ff5b2e8",
"sha256:9332088d75dc3241c702d852d4671613136d90fa6881da7d770a483fd05248b4",
"sha256:94698a9c5f91f9d138526b48fe26a199609544591f859c870d477351dc7b2414",
"sha256:9a67fc9e8eb39039280526379fb3a70023d77caec1852002b4da7e8b270c4dd9",
"sha256:9de40a7b0323d889cf8d23d1ef214f565ab154443c42737dfe52ff82cf857664",
"sha256:a05d0c237b3349096d3981b727493e22147f934b20f6f125a3eba8f994bec4a9",
"sha256:afb8db5439b81cf9c9d0c80404b60c3cc9c3add93e114dcae767f1477cb53775",
"sha256:b18a3ed7d5b3bd8d9ef7a8cb226502c6bf8308df1525e1cc676c3680e7176739",
"sha256:b1e74d11748e7e98e2f426ab176d4ed720a64412b6a15054378afdb71e0f37dc",
"sha256:b21e08af67b8a103c71a250401c78d5e0893beff75e28c53c98f4de42f774062",
"sha256:b4c854ef3adc177950a8dfc81a86f5115d2abd545751a304c5bcf2c2c7283cfe",
"sha256:b882b3df248017dba09d6b16defe9b5c407fe32fc7c65a9c69798e6175601be9",
"sha256:baf5215e0ab74c16e2dd324e8ec067ef59e41125d3eade2b863d294fd5035c92",
"sha256:c649e3a33450ec82378822b3dad03cc228b8f5963c0c12fc3b1e0ab940f768a5",
"sha256:c654de545946e0db659b3400168c9ad31b5d29593291482c43e3564effbcee13",
"sha256:c6638687455baf640e37344fe26d37c404db8b80d037c3d29f58fe8d1c3b194d",
"sha256:c8d3b5532fc71b7a77c09192b4a5a200ea992702734a2e9279a37f2478236f26",
"sha256:cb527a79772e5ef98fb1d700678fe031e353e765d1ca2d409c92263c6d43e09f",
"sha256:cf364028c016c03078a23b503f02058f1814320a56ad535686f90565636a9495",
"sha256:d48a880098c96020b02d5a1f7d9251308510ce8858940e6fa99ece33f610838b",
"sha256:d68b6cef7827e8641e8ef16f4494edda8b36104d79773a334beaa1e3521430f6",
"sha256:d9b29c1f0ae438d5ee9acb31cadee00a58c46cc9c0b2f9038c6b0b3470877a8c",
"sha256:d9b97165e8aed9272a6bb17c01e3cc5871a594a446ebedc996e2397a1c1ea8ef",
"sha256:da68248800ad6320861f129cd9c1bf96ca849a2771a59e0344e88681905916f5",
"sha256:da902562c3e9c550df360bfa53c035b2f241fed6d9aef119048073680ace4a18",
"sha256:dbd5c7a25a7cb98f5ca55d258b103a2054f859a46ae11aaf23134f9cc0d356ad",
"sha256:dd4f05f54a52fb558f1ba9f528228066954fee3ebe629fc1660d874d040ae5a3",
"sha256:de8dad4425a6ca6e4e5e297b27b5c824ecc7581910bf9aee86cb6835e6812aa7",
"sha256:e11e82b744887154b182fd3e7e8512418446501191994dbf9c9fc1f32cc8efd5",
"sha256:e6e73b9e02893c764e7e8d5bb5ce277f1a009cd5243f8228f75f842bf937c534",
"sha256:f73b96c41e3b2adedc34a7356e64c8eb96e03a3782b535e043a986276ce12a49",
"sha256:f93fd8e5c8c0a4aa1f424d6173f14a892044054871c771f8566e4008eaa359d2",
"sha256:fc33c5141b55ed366cfaad382df24fe7dcbc686de5be719b207bb248e3053dc5",
"sha256:fc7de24befaeae77ba923797c7c87834c73648a05a4bde34b3b7e5588973a453",
"sha256:fe562eb1a64e67dd297ccc4f5addea2501664954f2692b69a76449ec7913ecbf"
], ],
"version": "==1.14.4" "markers": "python_version >= '3.9'",
"version": "==2.0.0"
},
"click": {
"hashes": [
"sha256:9b9f285302c6e3064f4330c05f05b81945b2a39544279343e6e7c5f27a9baddc",
"sha256:e7b8232224eba16f4ebe410c25ced9f7875cb5f3263ffc93cc3e8da705e229c4"
],
"markers": "python_version >= '3.10'",
"version": "==8.3.0"
}, },
"cryptography": { "cryptography": {
"hashes": [ "hashes": [
"sha256:07ca431b788249af92764e3be9a488aa1d39a0bc3be313d826bbec690417e538", "sha256:0a17377fa52563d730248ba1f68185461fff36e8bc75d8787a7dd2e20a802b7a",
"sha256:13b88a0bd044b4eae1ef40e265d006e34dbcde0c2f1e15eb9896501b2d8f6c6f", "sha256:0ca4be2af48c24df689a150d9cd37404f689e2968e247b6b8ff09bff5bcd786f",
"sha256:32434673d8505b42c0de4de86da8c1620651abd24afe91ae0335597683ed1b77", "sha256:0d1922d9280e08cde90b518a10cd66831f632960a8d08cb3418922d83fce6f12",
"sha256:3cd75a683b15576cfc822c7c5742b3276e50b21a06672dc3a800a2d5da4ecd1b", "sha256:0dfb7c88d4462a0cfdd0d87a3c245a7bc3feb59de101f6ff88194f740f72eda6",
"sha256:4e7268a0ca14536fecfdf2b00297d4e407da904718658c1ff1961c713f90fd33", "sha256:0ff483716be32690c14636e54a1f6e2e1b7bf8e22ca50b989f88fa1b2d287080",
"sha256:545a8550782dda68f8cdc75a6e3bf252017aa8f75f19f5a9ca940772fc0cb56e", "sha256:13e67c4d3fb8b6bc4ef778a7ccdd8df4cd15b4bcc18f4239c8440891a11245cc",
"sha256:55d0b896631412b6f0c7de56e12eb3e261ac347fbaa5d5e705291a9016e5f8cb", "sha256:15b5fd9358803b0d1cc42505a18d8bca81dabb35b5cfbfea1505092e13a9d96d",
"sha256:5849d59358547bf789ee7e0d7a9036b2d29e9a4ddf1ce5e06bb45634f995c53e", "sha256:1cd6d50c1a8b79af1a6f703709d8973845f677c8e97b1268f5ff323d38ce8475",
"sha256:6dc59630ecce8c1f558277ceb212c751d6730bd12c80ea96b4ac65637c4f55e7", "sha256:2dd339ba3345b908fa3141ddba4025568fa6fd398eabce3ef72a29ac2d73ad75",
"sha256:7117319b44ed1842c617d0a452383a5a052ec6aa726dfbaffa8b94c910444297", "sha256:341fb7a26bc9d6093c1b124b9f13acc283d2d51da440b98b55ab3f79f2522ead",
"sha256:75e8e6684cf0034f6bf2a97095cb95f81537b12b36a8fedf06e73050bb171c2d", "sha256:34f04b7311174469ab3ac2647469743720f8b6c8b046f238e5cb27905695eb2a",
"sha256:7b8d9d8d3a9bd240f453342981f765346c87ade811519f98664519696f8e6ab7", "sha256:41c281a74df173876da1dc9a9b6953d387f06e3d3ed9284e3baae3ab3f40883a",
"sha256:a035a10686532b0587d58a606004aa20ad895c60c4d029afa245802347fab57b", "sha256:449ef2b321bec7d97ef2c944173275ebdab78f3abdd005400cc409e27cd159ab",
"sha256:a4e27ed0b2504195f855b52052eadcc9795c59909c9d84314c5408687f933fc7", "sha256:45f790934ac1018adeba46a0f7289b2b8fe76ba774a88c7f1922213a56c98bc1",
"sha256:a733671100cd26d816eed39507e585c156e4498293a907029969234e5e634bc4", "sha256:48948940d0ae00483e85e9154bb42997d0b77c21e43a77b7773c8c80de532ac5",
"sha256:a75f306a16d9f9afebfbedc41c8c2351d8e61e818ba6b4c40815e2b5740bb6b8", "sha256:4c49eda9a23019e11d32a0eb51a27b3e7ddedde91e099c0ac6373e3aacc0d2ee",
"sha256:bd717aa029217b8ef94a7d21632a3bb5a4e7218a4513d2521c2a2fd63011e98b", "sha256:504e464944f2c003a0785b81668fe23c06f3b037e9cb9f68a7c672246319f277",
"sha256:d25cecbac20713a7c3bc544372d42d8eafa89799f492a43b79e1dfd650484851", "sha256:534b96c0831855e29fc3b069b085fd185aa5353033631a585d5cd4dd5d40d657",
"sha256:d26a2557d8f9122f9bf445fc7034242f4375bd4e95ecda007667540270965b13", "sha256:6ef1488967e729948d424d09c94753d0167ce59afba8d0f6c07a22b629c557b2",
"sha256:d3545829ab42a66b84a9aaabf216a4dce7f16dbc76eb69be5c302ed6b8f4a29b", "sha256:7176a5ab56fac98d706921f6416a05e5aff7df0e4b91516f450f8627cda22af3",
"sha256:d3d5e10be0cf2a12214ddee45c6bd203dab435e3d83b4560c03066eda600bfe3", "sha256:7411c910fb2a412053cf33cfad0153ee20d27e256c6c3f14d7d7d1d9fec59fd5",
"sha256:efe15aca4f64f3a7ea0c09c87826490e50ed166ce67368a68f315ea0807a20df" "sha256:757af4f6341ce7a1e47c326ca2a81f41d236070217e5fbbad61bbfe299d55d28",
"sha256:7823bc7cdf0b747ecfb096d004cc41573c2f5c7e3a29861603a2871b43d3ef32",
"sha256:7fab1187b6c6b2f11a326f33b036f7168f5b996aedd0c059f9738915e4e8f53a",
"sha256:84ef1f145de5aee82ea2447224dc23f065ff4cc5791bb3b506615957a6ba8128",
"sha256:92e8cfe8bd7dd86eac0a677499894862cd5cc2fd74de917daa881d00871ac8e7",
"sha256:9394c7d5a7565ac5f7d9ba38b2617448eba384d7b107b262d63890079fad77ca",
"sha256:9495d78f52c804b5ec8878b5b8c7873aa8e63db9cd9ee387ff2db3fffe4df784",
"sha256:9873bf7c1f2a6330bdfe8621e7ce64b725784f9f0c3a6a55c3047af5849f920e",
"sha256:9babb7818fdd71394e576cf26c5452df77a355eac1a27ddfa24096665a27f8fd",
"sha256:9e8776dac9e660c22241b6587fae51a67b4b0147daa4d176b172c3ff768ad736",
"sha256:9ed64e5083fa806709e74fc5ea067dfef9090e5b7a2320a49be3c9df3583a2d8",
"sha256:9f2c4cc63be3ef43c0221861177cee5d14b505cd4d4599a89e2cd273c4d3542a",
"sha256:9f40642a140c0c8649987027867242b801486865277cbabc8c6059ddef16dc8b",
"sha256:af84e8e99f1a82cea149e253014ea9dc89f75b82c87bb6c7242203186f465129",
"sha256:b9c79af2c3058430d911ff1a5b2b96bbfe8da47d5ed961639ce4681886614e70",
"sha256:c52fded6383f7e20eaf70a60aeddd796b3677c3ad2922c801be330db62778e05",
"sha256:cbb8e769d4cac884bb28e3ff620ef1001b75588a5c83c9c9f1fdc9afbe7f29b0",
"sha256:d84c40bdb8674c29fa192373498b6cb1e84f882889d21a471b45d1f868d8d44b",
"sha256:db5597a4c7353b2e5fb05a8e6cb74b56a4658a2b7bf3cb6b1821ae7e7fd6eaa0",
"sha256:e22801b61613ebdebf7deb18b507919e107547a1d39a3b57f5f855032dd7cfb8",
"sha256:e34da95e29daf8a71cb2841fd55df0511539a6cdf33e6f77c1e95e44006b9b46",
"sha256:e46710a240a41d594953012213ea8ca398cd2448fbc5d0f1be8160b5511104a0",
"sha256:e94eb5fa32a8a9f9bf991f424f002913e3dd7c699ef552db9b14ba6a76a6313b",
"sha256:ec13b7105117dbc9afd023300fb9954d72ca855c274fe563e72428ece10191c0",
"sha256:ed570874e88f213437f5cf758f9ef26cbfc3f336d889b1e592ee11283bb8d1c7",
"sha256:ed957044e368ed295257ae3d212b95456bd9756df490e1ac4538857f67531fcc",
"sha256:ef648d2c690703501714588b2ba640facd50fd16548133b11b2859e8655a69da",
"sha256:efc9e51c3e595267ff84adf56e9b357db89ab2279d7e375ffcaf8f678606f3d9",
"sha256:f736ab8036796f5a119ff8211deda416f8c15ce03776db704a7a4e17381cb2ef",
"sha256:f7a24ea78de345cfa7f6a8d3bde8b242c7fac27f2bd78fa23474ca38dfaeeab9",
"sha256:f7de12fa0eee6234de9a9ce0ffcfa6ce97361db7a50b09b65c63ac58e5f22fc7",
"sha256:f9b55038b5c6c47559aa33626d8ecd092f354e23de3c6975e4bb205df128a2a0",
"sha256:fd4b5e2ee4e60425711ec65c33add4e7a626adef79d66f62ba0acfd493af282d"
], ],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", "markers": "python_version >= '3.8' and python_full_version not in '3.9.0, 3.9.1'",
"version": "==3.2.1" "version": "==46.0.1"
},
"distro": {
"hashes": [
"sha256:2fa77c6fd8940f116ee1d6b94a2f90b13b5ea8d019b98bc8bafdcabcdd9bdbed",
"sha256:7bffd925d65168f85027d8da9af6bddab658135b840670a223589bc0c8ef02b2"
],
"markers": "python_version >= '3.6'",
"version": "==1.9.0"
},
"filelock": {
"hashes": [
"sha256:66eda1888b0171c998b35be2bcc0f6d75c388a7ce20c3f3f37aa8e96c2dddf58",
"sha256:d38e30481def20772f5baf097c122c3babc4fcdb7e14e57049eb9d88c6dc017d"
],
"markers": "python_version >= '3.9'",
"version": "==3.19.1"
},
"importlib-metadata": {
"hashes": [
"sha256:d13b81ad223b890aa16c5471f2ac3056cf76c5f10f82d6f9292f0b415f389000",
"sha256:e5dd1551894c77868a30651cef00984d50e1002d06942a7101d34870c5f02afd"
],
"markers": "python_version >= '3.9'",
"version": "==8.7.0"
}, },
"jinja2": { "jinja2": {
"hashes": [ "hashes": [
"sha256:89aab215427ef59c34ad58735269eb58b1a5808103067f7bb9d5836c651b3bb0", "sha256:0137fb05990d35f1275a587e9aee6d56da821fc83491a0fb838183be43f66d6d",
"sha256:f0a4641d3cf955324a89c04f3d94663aa4d638abe8f733ecd3582848e1c37035" "sha256:85ece4451f492d0c13c5dd7c13a64681a86afae63a5f347908daf103ce6d2f67"
], ],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", "markers": "python_version >= '3.7'",
"version": "==2.11.2" "version": "==3.1.6"
},
"jsonschema": {
"hashes": [
"sha256:3fba0169e345c7175110351d456342c364814cfcf3b964ba4587f22915230a63",
"sha256:e4a9655ce0da0c0b67a085847e00a3a51449e1157f4f75e9fb5aa545e122eb85"
],
"markers": "python_version >= '3.9'",
"version": "==4.25.1"
},
"jsonschema-specifications": {
"hashes": [
"sha256:98802fee3a11ee76ecaca44429fda8a41bff98b00a0f2838151b113f210cc6fe",
"sha256:b540987f239e745613c7a9176f3edb72b832a4ac465cf02712288397832b5e8d"
],
"markers": "python_version >= '3.9'",
"version": "==2025.9.1"
}, },
"markupsafe": { "markupsafe": {
"hashes": [ "hashes": [
"sha256:00bc623926325b26bb9605ae9eae8a215691f33cae5df11ca5424f06f2d1f473", "sha256:0bff5e0ae4ef2e1ae4fdf2dfd5b76c75e5c2fa4132d05fc1b0dabcd20c7e28c4",
"sha256:09027a7803a62ca78792ad89403b1b7a73a01c8cb65909cd876f7fcebd79b161", "sha256:0f4ca02bea9a23221c0182836703cbf8930c5e9454bacce27e767509fa286a30",
"sha256:09c4b7f37d6c648cb13f9230d847adf22f8171b1ccc4d5682398e77f40309235", "sha256:1225beacc926f536dc82e45f8a4d68502949dc67eea90eab715dea3a21c1b5f0",
"sha256:1027c282dad077d0bae18be6794e6b6b8c91d58ed8a8d89a89d59693b9131db5", "sha256:131a3c7689c85f5ad20f9f6fb1b866f402c445b220c19fe4308c0b147ccd2ad9",
"sha256:13d3144e1e340870b25e7b10b98d779608c02016d5184cfb9927a9f10c689f42", "sha256:15ab75ef81add55874e7ab7055e9c397312385bd9ced94920f2802310c930396",
"sha256:24982cc2533820871eba85ba648cd53d8623687ff11cbb805be4ff7b4c971aff", "sha256:1a9d3f5f0901fdec14d8d2f66ef7d035f2157240a433441719ac9a3fba440b13",
"sha256:29872e92839765e546828bb7754a68c418d927cd064fd4708fab9fe9c8bb116b", "sha256:1c99d261bd2d5f6b59325c92c73df481e05e57f19837bdca8413b9eac4bd8028",
"sha256:43a55c2930bbc139570ac2452adf3d70cdbb3cfe5912c71cdce1c2c6bbd9c5d1", "sha256:1e084f686b92e5b83186b07e8a17fc09e38fff551f3602b249881fec658d3eca",
"sha256:46c99d2de99945ec5cb54f23c8cd5689f6d7177305ebff350a58ce5f8de1669e", "sha256:2181e67807fc2fa785d0592dc2d6206c019b9502410671cc905d132a92866557",
"sha256:500d4957e52ddc3351cabf489e79c91c17f6e0899158447047588650b5e69183", "sha256:2cb8438c3cbb25e220c2ab33bb226559e7afb3baec11c4f218ffa7308603c832",
"sha256:535f6fc4d397c1563d08b88e485c3496cf5784e927af890fb3c3aac7f933ec66", "sha256:3169b1eefae027567d1ce6ee7cae382c57fe26e82775f460f0b2778beaad66c0",
"sha256:596510de112c685489095da617b5bcbbac7dd6384aeebeda4df6025d0256a81b", "sha256:3809ede931876f5b2ec92eef964286840ed3540dadf803dd570c3b7e13141a3b",
"sha256:62fe6c95e3ec8a7fad637b7f3d372c15ec1caa01ab47926cfdf7a75b40e0eac1", "sha256:38a9ef736c01fccdd6600705b09dc574584b89bea478200c5fbf112a6b0d5579",
"sha256:6788b695d50a51edb699cb55e35487e430fa21f1ed838122d722e0ff0ac5ba15", "sha256:3d79d162e7be8f996986c064d1c7c817f6df3a77fe3d6859f6f9e7be4b8c213a",
"sha256:6dd73240d2af64df90aa7c4e7481e23825ea70af4b4922f8ede5b9e35f78a3b1", "sha256:444dcda765c8a838eaae23112db52f1efaf750daddb2d9ca300bcae1039adc5c",
"sha256:717ba8fe3ae9cc0006d7c451f0bb265ee07739daf76355d06366154ee68d221e", "sha256:48032821bbdf20f5799ff537c7ac3d1fba0ba032cfc06194faffa8cda8b560ff",
"sha256:79855e1c5b8da654cf486b830bd42c06e8780cea587384cf6545b7d9ac013a0b", "sha256:4aa4e5faecf353ed117801a068ebab7b7e09ffb6e1d5e412dc852e0da018126c",
"sha256:7c1699dfe0cf8ff607dbdcc1e9b9af1755371f92a68f706051cc8c37d447c905", "sha256:52305740fe773d09cffb16f8ed0427942901f00adedac82ec8b67752f58a1b22",
"sha256:88e5fcfb52ee7b911e8bb6d6aa2fd21fbecc674eadd44118a9cc3863f938e735", "sha256:569511d3b58c8791ab4c2e1285575265991e6d8f8700c7be0e88f86cb0672094",
"sha256:8defac2f2ccd6805ebf65f5eeb132adcf2ab57aa11fdf4c0dd5169a004710e7d", "sha256:57cb5a3cf367aeb1d316576250f65edec5bb3be939e9247ae594b4bcbc317dfb",
"sha256:98c7086708b163d425c67c7a91bad6e466bb99d797aa64f965e9d25c12111a5e", "sha256:5b02fb34468b6aaa40dfc198d813a641e3a63b98c2b05a16b9f80b7ec314185e",
"sha256:9add70b36c5666a2ed02b43b335fe19002ee5235efd4b8a89bfcf9005bebac0d", "sha256:6381026f158fdb7c72a168278597a5e3a5222e83ea18f543112b2662a9b699c5",
"sha256:9bf40443012702a1d2070043cb6291650a0841ece432556f784f004937f0f32c", "sha256:6af100e168aa82a50e186c82875a5893c5597a0c1ccdb0d8b40240b1f28b969a",
"sha256:ade5e387d2ad0d7ebf59146cc00c8044acbd863725f887353a10df825fc8ae21", "sha256:6c89876f41da747c8d3677a2b540fb32ef5715f97b66eeb0c6b66f5e3ef6f59d",
"sha256:b00c1de48212e4cc9603895652c5c410df699856a2853135b3967591e4beebc2", "sha256:6e296a513ca3d94054c2c881cc913116e90fd030ad1c656b3869762b754f5f8a",
"sha256:b1282f8c00509d99fef04d8ba936b156d419be841854fe901d8ae224c59f0be5", "sha256:70a87b411535ccad5ef2f1df5136506a10775d267e197e4cf531ced10537bd6b",
"sha256:b2051432115498d3562c084a49bba65d97cf251f5a331c64a12ee7e04dacc51b", "sha256:7e94c425039cde14257288fd61dcfb01963e658efbc0ff54f5306b06054700f8",
"sha256:ba59edeaa2fc6114428f1637ffff42da1e311e29382d81b339c1817d37ec93c6", "sha256:846ade7b71e3536c4e56b386c2a47adf5741d2d8b94ec9dc3e92e5e1ee1e2225",
"sha256:c8716a48d94b06bb3b2524c2b77e055fb313aeb4ea620c8dd03a105574ba704f", "sha256:88416bd1e65dcea10bc7569faacb2c20ce071dd1f87539ca2ab364bf6231393c",
"sha256:cd5df75523866410809ca100dc9681e301e3c27567cf498077e8551b6d20e42f", "sha256:88b49a3b9ff31e19998750c38e030fc7bb937398b1f78cfa599aaef92d693144",
"sha256:cdb132fc825c38e1aeec2c8aa9338310d29d337bebbd7baa06889d09a60a1fa2", "sha256:8c4e8c3ce11e1f92f6536ff07154f9d49677ebaaafc32db9db4620bc11ed480f",
"sha256:e249096428b3ae81b08327a63a485ad0878de3fb939049038579ac0ef61e17e7", "sha256:8e06879fc22a25ca47312fbe7c8264eb0b662f6db27cb2d3bbbc74b1df4b9b87",
"sha256:e8313f01ba26fbbe36c7be1966a7b7424942f670f38e666995b88d012765b9be" "sha256:9025b4018f3a1314059769c7bf15441064b2207cb3f065e6ea1e7359cb46db9d",
"sha256:93335ca3812df2f366e80509ae119189886b0f3c2b81325d39efdb84a1e2ae93",
"sha256:9778bd8ab0a994ebf6f84c2b949e65736d5575320a17ae8984a77fab08db94cf",
"sha256:9e2d922824181480953426608b81967de705c3cef4d1af983af849d7bd619158",
"sha256:a123e330ef0853c6e822384873bef7507557d8e4a082961e1defa947aa59ba84",
"sha256:a904af0a6162c73e3edcb969eeeb53a63ceeb5d8cf642fade7d39e7963a22ddb",
"sha256:ad10d3ded218f1039f11a75f8091880239651b52e9bb592ca27de44eed242a48",
"sha256:b424c77b206d63d500bcb69fa55ed8d0e6a3774056bdc4839fc9298a7edca171",
"sha256:b5a6b3ada725cea8a5e634536b1b01c30bcdcd7f9c6fff4151548d5bf6b3a36c",
"sha256:ba8062ed2cf21c07a9e295d5b8a2a5ce678b913b45fdf68c32d95d6c1291e0b6",
"sha256:ba9527cdd4c926ed0760bc301f6728ef34d841f405abf9d4f959c478421e4efd",
"sha256:bbcb445fa71794da8f178f0f6d66789a28d7319071af7a496d4d507ed566270d",
"sha256:bcf3e58998965654fdaff38e58584d8937aa3096ab5354d493c77d1fdd66d7a1",
"sha256:c0ef13eaeee5b615fb07c9a7dadb38eac06a0608b41570d8ade51c56539e509d",
"sha256:cabc348d87e913db6ab4aa100f01b08f481097838bdddf7c7a84b7575b7309ca",
"sha256:cdb82a876c47801bb54a690c5ae105a46b392ac6099881cdfb9f6e95e4014c6a",
"sha256:cfad01eed2c2e0c01fd0ecd2ef42c492f7f93902e39a42fc9ee1692961443a29",
"sha256:d16a81a06776313e817c951135cf7340a3e91e8c1ff2fac444cfd75fffa04afe",
"sha256:d8213e09c917a951de9d09ecee036d5c7d36cb6cb7dbaece4c71a60d79fb9798",
"sha256:e07c3764494e3776c602c1e78e298937c3315ccc9043ead7e685b7f2b8d47b3c",
"sha256:e17c96c14e19278594aa4841ec148115f9c7615a47382ecb6b82bd8fea3ab0c8",
"sha256:e444a31f8db13eb18ada366ab3cf45fd4b31e4db1236a4448f68778c1d1a5a2f",
"sha256:e6a2a455bd412959b57a172ce6328d2dd1f01cb2135efda2e4576e8a23fa3b0f",
"sha256:eaa0a10b7f72326f1372a713e73c3f739b524b3af41feb43e4921cb529f5929a",
"sha256:eb7972a85c54febfb25b5c4b4f3af4dcc731994c7da0d8a0b4a6eb0640e1d178",
"sha256:ee55d3edf80167e48ea11a923c7386f4669df67d7994554387f84e7d8b0a2bf0",
"sha256:f3818cb119498c0678015754eba762e0d61e5b52d34c8b13d770f0719f7b1d79",
"sha256:f8b3d067f2e40fe93e1ccdd6b2e1d16c43140e76f02fb1319a05cf2b79d99430",
"sha256:fcabf5ff6eea076f859677f5f0b6b5c1a51e70a376b0579e0eadef8db48c6b50"
], ],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", "markers": "python_version >= '3.9'",
"version": "==1.1.1" "version": "==3.0.2"
},
"mypy-extensions": {
"hashes": [
"sha256:1be4cccdb0f2482337c4743e60421de3a356cd97508abadd57d47403e94f5505",
"sha256:52e68efc3284861e772bbcd66823fde5ae21fd2fdb51c62a211403730b916558"
],
"markers": "python_version >= '3.8'",
"version": "==1.1.0"
}, },
"packaging": { "packaging": {
"hashes": [ "hashes": [
"sha256:05af3bb85d320377db281cf254ab050e1a7ebcbf5410685a9a407e18a1f81236", "sha256:29572ef2b1f17581046b3a2227d5c611fb25ec70ca1ba8554b24b0e69331a484",
"sha256:eb41423378682dadb7166144a4926e443093863024de508ca5c9737d6bc08376" "sha256:d443872c98d677bf60f6a1f2f8c1cb748e8fe762d2bf9d3148b5599295b0fc4f"
], ],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", "markers": "python_version >= '3.8'",
"version": "==20.7" "version": "==25.0"
},
"pathspec": {
"hashes": [
"sha256:a0d503e138a4c123b27490a4f7beda6a01c6f288df0e4a8b79c7eb0dc7b4cc08",
"sha256:a482d51503a1ab33b1c67a6c3813a26953dbdc71c31dacaef9a838c4e29f5712"
],
"markers": "python_version >= '3.8'",
"version": "==0.12.1"
},
"platformdirs": {
"hashes": [
"sha256:abd01743f24e5287cd7a5db3752faf1a2d65353f38ec26d98e25a6db65958c85",
"sha256:ca753cf4d81dc309bc67b0ea38fd15dc97bc30ce419a7f58d13eb3bf14c4febf"
],
"markers": "python_version >= '3.9'",
"version": "==4.4.0"
}, },
"pycparser": { "pycparser": {
"hashes": [ "hashes": [
"sha256:2d475327684562c3a96cc71adf7dc8c4f0565175cf86b6d7a404ff4c771f15f0", "sha256:78816d4f24add8f10a06d6f05b4d424ad9e96cfebf68a4ddc99c65c0720d00c2",
"sha256:7582ad22678f0fcd81102833f60ef8d0e57288b6b5fb00323d101be910e35705" "sha256:e5c6e8d3fbad53479cab09ac03729e0a9faf2bee3db8208a550daf5af81a5934"
], ],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", "markers": "python_version >= '3.8'",
"version": "==2.20" "version": "==2.23"
}, },
"pyparsing": { "pytokens": {
"hashes": [ "hashes": [
"sha256:c203ec8783bf771a155b207279b9bccb8dea02d8f0c9e5f8ead507bc3246ecc1", "sha256:c9a4bfa0be1d26aebce03e6884ba454e842f186a59ea43a6d3b25af58223c044",
"sha256:ef9d7589ef3c200abe66653d3f1ab1033c3c419ae9b9bdb1240a85b024efc88b" "sha256:db7b72284e480e69fb085d9f251f66b3d2df8b7166059261258ff35f50fb711b"
], ],
"markers": "python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2, 3.3'", "markers": "python_version >= '3.8'",
"version": "==2.4.7" "version": "==0.1.10"
}, },
"pyyaml": { "pyyaml": {
"hashes": [ "hashes": [
"sha256:06a0d7ba600ce0b2d2fe2e78453a470b5a6e000a985dd4a4e54e436cc36b0e97", "sha256:01179a4a8559ab5de078078f37e5c1a30d76bb88519906844fd7bdea1b7729ff",
"sha256:240097ff019d7c70a4922b6869d8a86407758333f02203e0fc6ff79c5dcede76", "sha256:0833f8694549e586547b576dcfaba4a6b55b9e96098b36cdc7ebefe667dfed48",
"sha256:4f4b913ca1a7319b33cfb1369e91e50354d6f07a135f3b901aca02aa95940bd2", "sha256:0a9a2848a5b7feac301353437eb7d5957887edbf81d56e903999a75a3d743086",
"sha256:6034f55dab5fea9e53f436aa68fa3ace2634918e8b5994d82f3621c04ff5ed2e", "sha256:0b69e4ce7a131fe56b7e4d770c67429700908fc0752af059838b1cfb41960e4e",
"sha256:69f00dca373f240f842b2931fb2c7e14ddbacd1397d57157a9b005a6a9942648", "sha256:0ffe8360bab4910ef1b9e87fb812d8bc0a308b0d0eef8c8f44e0254ab3b07133",
"sha256:73f099454b799e05e5ab51423c7bcf361c58d3206fa7b0d555426b1f4d9a3eaf", "sha256:11d8f3dd2b9c1207dcaf2ee0bbbfd5991f571186ec9cc78427ba5bd32afae4b5",
"sha256:74809a57b329d6cc0fdccee6318f44b9b8649961fa73144a98735b0aaf029f1f", "sha256:17e311b6c678207928d649faa7cb0d7b4c26a0ba73d41e99c4fff6b6c3276484",
"sha256:7739fc0fa8205b3ee8808aea45e968bc90082c10aef6ea95e855e10abf4a37b2", "sha256:1e2120ef853f59c7419231f3bf4e7021f1b936f6ebd222406c3b60212205d2ee",
"sha256:95f71d2af0ff4227885f7a6605c37fd53d3a106fcab511b8860ecca9fcf400ee", "sha256:1f71ea527786de97d1a0cc0eacd1defc0985dcf6b3f17bb77dcfc8c34bec4dc5",
"sha256:ad9c67312c84def58f3c04504727ca879cb0013b2517c85a9a253f0cb6380c0a", "sha256:23502f431948090f597378482b4812b0caae32c22213aecf3b55325e049a6c68",
"sha256:b8eac752c5e14d3eca0e6dd9199cd627518cb5ec06add0de9d32baeee6fe645d", "sha256:24471b829b3bf607e04e88d79542a9d48bb037c2267d7927a874e6c205ca7e9a",
"sha256:cc8955cfbfc7a115fa81d85284ee61147059a753344bc51098f3ccd69b0d7e0c", "sha256:29717114e51c84ddfba879543fb232a6ed60086602313ca38cce623c1d62cfbf",
"sha256:d13155f591e6fcc1ec3b30685d50bf0711574e2c0dfffd7644babf8b5102ca1a" "sha256:2e99c6826ffa974fe6e27cdb5ed0021786b03fc98e5ee3c5bfe1fd5015f42b99",
"sha256:39693e1f8320ae4f43943590b49779ffb98acb81f788220ea932a6b6c51004d8",
"sha256:3ad2a3decf9aaba3d29c8f537ac4b243e36bef957511b4766cb0057d32b0be85",
"sha256:3b1fdb9dc17f5a7677423d508ab4f243a726dea51fa5e70992e59a7411c89d19",
"sha256:41e4e3953a79407c794916fa277a82531dd93aad34e29c2a514c2c0c5fe971cc",
"sha256:43fa96a3ca0d6b1812e01ced1044a003533c47f6ee8aca31724f78e93ccc089a",
"sha256:50187695423ffe49e2deacb8cd10510bc361faac997de9efef88badc3bb9e2d1",
"sha256:5ac9328ec4831237bec75defaf839f7d4564be1e6b25ac710bd1a96321cc8317",
"sha256:5d225db5a45f21e78dd9358e58a98702a0302f2659a3c6cd320564b75b86f47c",
"sha256:6395c297d42274772abc367baaa79683958044e5d3835486c16da75d2a694631",
"sha256:688ba32a1cffef67fd2e9398a2efebaea461578b0923624778664cc1c914db5d",
"sha256:68ccc6023a3400877818152ad9a1033e3db8625d899c72eacb5a668902e4d652",
"sha256:70b189594dbe54f75ab3a1acec5f1e3faa7e8cf2f1e08d9b561cb41b845f69d5",
"sha256:797b4f722ffa07cc8d62053e4cff1486fa6dc094105d13fea7b1de7d8bf71c9e",
"sha256:7c36280e6fb8385e520936c3cb3b8042851904eba0e58d277dca80a5cfed590b",
"sha256:7e7401d0de89a9a855c839bc697c079a4af81cf878373abd7dc625847d25cbd8",
"sha256:80bab7bfc629882493af4aa31a4cfa43a4c57c83813253626916b8c7ada83476",
"sha256:82d09873e40955485746739bcb8b4586983670466c23382c19cffecbf1fd8706",
"sha256:8388ee1976c416731879ac16da0aff3f63b286ffdd57cdeb95f3f2e085687563",
"sha256:8824b5a04a04a047e72eea5cec3bc266db09e35de6bdfe34c9436ac5ee27d237",
"sha256:8b9c7197f7cb2738065c481a0461e50ad02f18c78cd75775628afb4d7137fb3b",
"sha256:9056c1ecd25795207ad294bcf39f2db3d845767be0ea6e6a34d856f006006083",
"sha256:936d68689298c36b53b29f23c6dbb74de12b4ac12ca6cfe0e047bedceea56180",
"sha256:9b22676e8097e9e22e36d6b7bda33190d0d400f345f23d4065d48f4ca7ae0425",
"sha256:a4d3091415f010369ae4ed1fc6b79def9416358877534caf6a0fdd2146c87a3e",
"sha256:a8786accb172bd8afb8be14490a16625cbc387036876ab6ba70912730faf8e1f",
"sha256:a9f8c2e67970f13b16084e04f134610fd1d374bf477b17ec1599185cf611d725",
"sha256:bc2fa7c6b47d6bc618dd7fb02ef6fdedb1090ec036abab80d4681424b84c1183",
"sha256:c70c95198c015b85feafc136515252a261a84561b7b1d51e3384e0655ddf25ab",
"sha256:cc1c1159b3d456576af7a3e4d1ba7e6924cb39de8f67111c735f6fc832082774",
"sha256:ce826d6ef20b1bc864f0a68340c8b3287705cae2f8b4b1d932177dcc76721725",
"sha256:d584d9ec91ad65861cc08d42e834324ef890a082e591037abe114850ff7bbc3e",
"sha256:d7fded462629cfa4b685c5416b949ebad6cec74af5e2d42905d41e257e0869f5",
"sha256:d84a1718ee396f54f3a086ea0a66d8e552b2ab2017ef8b420e92edbc841c352d",
"sha256:d8e03406cac8513435335dbab54c0d385e4a49e4945d2909a581c83647ca0290",
"sha256:e10ce637b18caea04431ce14fabcf5c64a1c61ec9c56b071a4b7ca131ca52d44",
"sha256:ec031d5d2feb36d1d1a24380e4db6d43695f3748343d99434e6f5f9156aaa2ed",
"sha256:ef6107725bd54b262d6dedcc2af448a266975032bc85ef0172c5f059da6325b4",
"sha256:efdca5630322a10774e8e98e1af481aad470dd62c3170801852d752aa7a783ba",
"sha256:f753120cb8181e736c57ef7636e83f31b9c0d1722c516f7e86cf15b7aa57ff12",
"sha256:ff3824dc5261f50c9b0dfb3be22b4567a6f938ccce4587b38952d85fd9e9afe4"
], ],
"version": "==5.3.1" "markers": "python_version >= '3.8'",
"version": "==6.0.2"
}, },
"six": { "referencing": {
"hashes": [ "hashes": [
"sha256:30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259", "sha256:df2e89862cd09deabbdba16944cc3f10feb6b3e6f18e902f7cc25609a34775aa",
"sha256:8b74bedcbbbaca38ff6d7491d76f2b06b3592611af620f8426e82dddb04a5ced" "sha256:e8699adbbf8b5c7de96d8ffa0eb5c158b3beafce084968e2ea8bb08c6794dcd0"
], ],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", "markers": "python_version >= '3.9'",
"version": "==1.15.0" "version": "==0.36.2"
},
"resolvelib": {
"hashes": [
"sha256:8e3e2000beaf53fdfd8772fda1a7b1df97e803ab7c8925621bbb87c4d187a94d",
"sha256:c27fbb5098acd7dfc01fb2be3724bd0881168edc2bd3b4dc876ca3f46b8e4a3d"
],
"markers": "python_version >= '3.9'",
"version": "==1.2.0"
},
"rpds-py": {
"hashes": [
"sha256:008b839781d6c9bf3b6a8984d1d8e56f0ec46dc56df61fd669c49b58ae800400",
"sha256:037a2361db72ee98d829bc2c5b7cc55598ae0a5e0ec1823a56ea99374cfd73c1",
"sha256:079bc583a26db831a985c5257797b2b5d3affb0386e7ff886256762f82113b5e",
"sha256:08f1e20bccf73b08d12d804d6e1c22ca5530e71659e6673bce31a6bb71c1e73f",
"sha256:0b08d152555acf1f455154d498ca855618c1378ec810646fcd7c76416ac6dc60",
"sha256:0d807710df3b5faa66c731afa162ea29717ab3be17bdc15f90f2d9f183da4059",
"sha256:0dc5dceeaefcc96dc192e3a80bbe1d6c410c469e97bdd47494a7d930987f18b2",
"sha256:12ed005216a51b1d6e2b02a7bd31885fe317e45897de81d86dcce7d74618ffff",
"sha256:134fae0e36022edad8290a6661edf40c023562964efea0cc0ec7f5d392d2aaef",
"sha256:13e608ac9f50a0ed4faec0e90ece76ae33b34c0e8656e3dceb9a7db994c692cd",
"sha256:1441811a96eadca93c517d08df75de45e5ffe68aa3089924f963c782c4b898cf",
"sha256:15d3b4d83582d10c601f481eca29c3f138d44c92187d197aff663a269197c02d",
"sha256:16323f674c089b0360674a4abd28d5042947d54ba620f72514d69be4ff64845e",
"sha256:168b025f8fd8d8d10957405f3fdcef3dc20f5982d398f90851f4abc58c566c52",
"sha256:1b207d881a9aef7ba753d69c123a35d96ca7cb808056998f6b9e8747321f03b8",
"sha256:1fea2b1a922c47c51fd07d656324531adc787e415c8b116530a1d29c0516c62d",
"sha256:23f6b69d1c26c4704fec01311963a41d7de3ee0570a84ebde4d544e5a1859ffc",
"sha256:2643400120f55c8a96f7c9d858f7be0c88d383cd4653ae2cf0d0c88f668073e5",
"sha256:26a1c73171d10b7acccbded82bf6a586ab8203601e565badc74bbbf8bc5a10f8",
"sha256:2bde09cbcf2248b73c7c323be49b280180ff39fadcfe04e7b6f54a678d02a7cf",
"sha256:2c426b99a068601b5f4623573df7a7c3d72e87533a2dd2253353a03e7502566c",
"sha256:2efe4eb1d01b7f5f1939f4ef30ecea6c6b3521eec451fb93191bf84b2a522418",
"sha256:2f57af9b4d0793e53266ee4325535a31ba48e2f875da81a9177c9926dfa60746",
"sha256:2fd50659a069c15eef8aa3d64bbef0d69fd27bb4a50c9ab4f17f83a16cbf8905",
"sha256:3020724ade63fe320a972e2ffd93b5623227e684315adce194941167fee02688",
"sha256:3182af66048c00a075010bc7f4860f33913528a4b6fc09094a6e7598e462fe39",
"sha256:31d3ebadefcd73b73928ed0b2fd696f7fefda8629229f81929ac9c1854d0cffb",
"sha256:33aa65b97826a0e885ef6e278fbd934e98cdcfed80b63946025f01e2f5b29502",
"sha256:387ce8c44ae94e0ec50532d9cb0edce17311024c9794eb196b90e1058aadeb66",
"sha256:3adc388fc3afb6540aec081fa59e6e0d3908722771aa1e37ffe22b220a436f0b",
"sha256:3c64d07e95606ec402a0a1c511fe003873fa6af630bda59bac77fac8b4318ebc",
"sha256:3ce0cac322b0d69b63c9cdb895ee1b65805ec9ffad37639f291dd79467bee675",
"sha256:3d905d16f77eb6ab2e324e09bfa277b4c8e5e6b8a78a3e7ff8f3cdf773b4c013",
"sha256:3deab27804d65cd8289eb814c2c0e807c4b9d9916c9225e363cb0cf875eb67c1",
"sha256:3e039aabf6d5f83c745d5f9a0a381d031e9ed871967c0a5c38d201aca41f3ba1",
"sha256:41e532bbdcb57c92ba3be62c42e9f096431b4cf478da9bc3bc6ce5c38ab7ba7a",
"sha256:42a89282d711711d0a62d6f57d81aa43a1368686c45bc1c46b7f079d55692734",
"sha256:466bfe65bd932da36ff279ddd92de56b042f2266d752719beb97b08526268ec5",
"sha256:4708c5c0ceb2d034f9991623631d3d23cb16e65c83736ea020cdbe28d57c0a0e",
"sha256:47162fdab9407ec3f160805ac3e154df042e577dd53341745fc7fb3f625e6d92",
"sha256:4848ca84d6ded9b58e474dfdbad4b8bfb450344c0551ddc8d958bf4b36aa837c",
"sha256:4b507d19f817ebaca79574b16eb2ae412e5c0835542c93fe9983f1e432aca195",
"sha256:4e44099bd522cba71a2c6b97f68e19f40e7d85399de899d66cdb67b32d7cb786",
"sha256:4ed2e16abbc982a169d30d1a420274a709949e2cbdef119fe2ec9d870b42f274",
"sha256:4f75e4bd8ab8db624e02c8e2fc4063021b58becdbe6df793a8111d9343aec1e3",
"sha256:4fc9b7fe29478824361ead6e14e4f5aed570d477e06088826537e202d25fe859",
"sha256:50c946f048209e6362e22576baea09193809f87687a95a8db24e5fbdb307b93a",
"sha256:5281ed1cc1d49882f9997981c88df1a22e140ab41df19071222f7e5fc4e72125",
"sha256:530064db9146b247351f2a0250b8f00b289accea4596a033e94be2389977de71",
"sha256:55266dafa22e672f5a4f65019015f90336ed31c6383bd53f5e7826d21a0e0b83",
"sha256:5b640501be9288c77738b5492b3fd3abc4ba95c50c2e41273c8a1459f08298d3",
"sha256:62ac3d4e3e07b58ee0ddecd71d6ce3b1637de2d373501412df395a0ec5f9beb5",
"sha256:62f85b665cedab1a503747617393573995dac4600ff51869d69ad2f39eb5e817",
"sha256:639fd5efec029f99b79ae47e5d7e00ad8a773da899b6309f6786ecaf22948c48",
"sha256:6567d2bb951e21232c2f660c24cf3470bb96de56cdcb3f071a83feeaff8a2772",
"sha256:67ce7620704745881a3d4b0ada80ab4d99df390838839921f99e63c474f82cf2",
"sha256:689fb5200a749db0415b092972e8eba85847c23885c8543a8b0f5c009b1a5948",
"sha256:68afeec26d42ab3b47e541b272166a0b4400313946871cba3ed3a4fc0cab1cef",
"sha256:6e5e54da1e74b91dbc7996b56640f79b195d5925c2b78efaa8c5d53e1d88edde",
"sha256:6f4461bf931108c9fa226ffb0e257c1b18dc2d44cd72b125bec50ee0ab1248a9",
"sha256:6f5b7bd8e219ed50299e58551a410b64daafb5017d54bbe822e003856f06a802",
"sha256:70d0738ef8fee13c003b100c2fbd667ec4f133468109b3472d249231108283a3",
"sha256:71108900c9c3c8590697244b9519017a400d9ba26a36c48381b3f64743a44aab",
"sha256:74e5b2f7bb6fa38b1b10546d27acbacf2a022a8b5543efb06cfebc72a59c85be",
"sha256:78af06ddc7fe5cc0e967085a9115accee665fb912c22a3f54bad70cc65b05fe6",
"sha256:7b002cab05d6339716b03a4a3a2ce26737f6231d7b523f339fa061d53368c9d8",
"sha256:7b90b0496570bd6b0321724a330d8b545827c4df2034b6ddfc5f5275f55da2ad",
"sha256:7ba22cb9693df986033b91ae1d7a979bc399237d45fccf875b76f62bb9e52ddf",
"sha256:7ba32c16b064267b22f1850a34051121d423b6f7338a12b9459550eb2096e7ec",
"sha256:7e32721e5d4922deaaf963469d795d5bde6093207c52fec719bd22e5d1bedbc4",
"sha256:7ee6521b9baf06085f62ba9c7a3e5becffbc32480d2f1b351559c001c38ce4c1",
"sha256:80c60cfb5310677bd67cb1e85a1e8eb52e12529545441b43e6f14d90b878775a",
"sha256:8177002868d1426305bb5de1e138161c2ec9eb2d939be38291d7c431c4712df8",
"sha256:819064fa048ba01b6dadc5116f3ac48610435ac9a0058bbde98e569f9e785c39",
"sha256:84f7d509870098de0e864cad0102711c1e24e9b1a50ee713b65928adb22269e4",
"sha256:879b0e14a2da6a1102a3fc8af580fc1ead37e6d6692a781bd8c83da37429b5ab",
"sha256:8a3f29aba6e2d7d90528d3c792555a93497fe6538aa65eb675b44505be747808",
"sha256:8a63b640a7845f2bdd232eb0d0a4a2dd939bcdd6c57e6bb134526487f3160ec5",
"sha256:8b61097f7488de4be8244c89915da8ed212832ccf1e7c7753a25a394bf9b1f10",
"sha256:8ee50c3e41739886606388ba3ab3ee2aae9f35fb23f833091833255a31740797",
"sha256:8fabb8fd848a5f75a2324e4a84501ee3a5e3c78d8603f83475441866e60b94a3",
"sha256:9024de74731df54546fab0bfbcdb49fae19159ecaecfc8f37c18d2c7e2c0bd61",
"sha256:92022bbbad0d4426e616815b16bc4127f83c9a74940e1ccf3cfe0b387aba0228",
"sha256:93a2ed40de81bcff59aabebb626562d48332f3d028ca2036f1d23cbb52750be4",
"sha256:94c44ee01fd21c9058f124d2d4f0c9dc7634bec93cd4b38eefc385dabe71acbf",
"sha256:9a1f4814b65eacac94a00fc9a526e3fdafd78e439469644032032d0d63de4881",
"sha256:9d992ac10eb86d9b6f369647b6a3f412fc0075cfd5d799530e84d335e440a002",
"sha256:9e71f5a087ead99563c11fdaceee83ee982fd39cf67601f4fd66cb386336ee52",
"sha256:a205fdfe55c90c2cd8e540ca9ceba65cbe6629b443bc05db1f590a3db8189ff9",
"sha256:a46fdec0083a26415f11d5f236b79fa1291c32aaa4a17684d82f7017a1f818b1",
"sha256:a50431bf02583e21bf273c71b89d710e7a710ad5e39c725b14e685610555926f",
"sha256:a512c8263249a9d68cac08b05dd59d2b3f2061d99b322813cbcc14c3c7421998",
"sha256:a55b9132bb1ade6c734ddd2759c8dc132aa63687d259e725221f106b83a0e485",
"sha256:a6e57b0abfe7cc513450fcf529eb486b6e4d3f8aee83e92eb5f1ef848218d456",
"sha256:a75f305c9b013289121ec0f1181931975df78738cdf650093e6b86d74aa7d8dd",
"sha256:a9e960fc78fecd1100539f14132425e1d5fe44ecb9239f8f27f079962021523e",
"sha256:aa8933159edc50be265ed22b401125c9eebff3171f570258854dbce3ecd55475",
"sha256:aaf94f812c95b5e60ebaf8bfb1898a7d7cb9c1af5744d4a67fa47796e0465d4e",
"sha256:abfa1171a9952d2e0002aba2ad3780820b00cc3d9c98c6630f2e93271501f66c",
"sha256:acb9aafccaae278f449d9c713b64a9e68662e7799dbd5859e2c6b3c67b56d334",
"sha256:ae2775c1973e3c30316892737b91f9283f9908e3cc7625b9331271eaaed7dc90",
"sha256:ae92443798a40a92dc5f0b01d8a7c93adde0c4dc965310a29ae7c64d72b9fad2",
"sha256:b2e7f8f169d775dd9092a1743768d771f1d1300453ddfe6325ae3ab5332b4657",
"sha256:b4938466c6b257b2f5c4ff98acd8128ec36b5059e5c8f8372d79316b1c36bb15",
"sha256:b6dfb0e058adb12d8b1d1b25f686e94ffa65d9995a5157afe99743bf7369d62b",
"sha256:b7fb801aa7f845ddf601c49630deeeccde7ce10065561d92729bfe81bd21fb33",
"sha256:ba81d2b56b6d4911ce735aad0a1d4495e808b8ee4dc58715998741a26874e7c2",
"sha256:bbf94c58e8e0cd6b6f38d8de67acae41b3a515c26169366ab58bdca4a6883bb8",
"sha256:be898f271f851f68b318872ce6ebebbc62f303b654e43bf72683dbdc25b7c881",
"sha256:bf876e79763eecf3e7356f157540d6a093cef395b65514f17a356f62af6cc136",
"sha256:c1476d6f29eb81aa4151c9a31219b03f1f798dc43d8af1250a870735516a1212",
"sha256:c2a8fed130ce946d5c585eddc7c8eeef0051f58ac80a8ee43bd17835c144c2cc",
"sha256:c46c9dd2403b66a2a3b9720ec4b74d4ab49d4fabf9f03dfdce2d42af913fe8d0",
"sha256:c4b676c4ae3921649a15d28ed10025548e9b561ded473aa413af749503c6737e",
"sha256:c796c0c1cc68cb08b0284db4229f5af76168172670c74908fdbd4b7d7f515819",
"sha256:c918c65ec2e42c2a78d19f18c553d77319119bf43aa9e2edf7fb78d624355527",
"sha256:cb56c6210ef77caa58e16e8c17d35c63fe3f5b60fd9ba9d424470c3400bcf9ed",
"sha256:cdfe4bb2f9fe7458b7453ad3c33e726d6d1c7c0a72960bcc23800d77384e42df",
"sha256:cf9931f14223de59551ab9d38ed18d92f14f055a5f78c1d8ad6493f735021bbb",
"sha256:d252f2d8ca0195faa707f8eb9368955760880b2b42a8ee16d382bf5dd807f89a",
"sha256:d5fa0ee122dc09e23607a28e6d7b150da16c662e66409bbe85230e4c85bb528a",
"sha256:d76f9cc8665acdc0c9177043746775aa7babbf479b5520b78ae4002d889f5c21",
"sha256:d78827d7ac08627ea2c8e02c9e5b41180ea5ea1f747e9db0915e3adf36b62dcf",
"sha256:d7ff07d696a7a38152ebdb8212ca9e5baab56656749f3d6004b34ab726b550b8",
"sha256:d9199717881f13c32c4046a15f024971a3b78ad4ea029e8da6b86e5aa9cf4594",
"sha256:dc23e6820e3b40847e2f4a7726462ba0cf53089512abe9ee16318c366494c17a",
"sha256:dce51c828941973a5684d458214d3a36fcd28da3e1875d659388f4f9f12cc33e",
"sha256:dd2135527aa40f061350c3f8f89da2644de26cd73e4de458e79606384f4f68e7",
"sha256:dd6cd0485b7d347304067153a6dc1d73f7d4fd995a396ef32a24d24b8ac63ac8",
"sha256:df8b74962e35c9249425d90144e721eed198e6555a0e22a563d29fe4486b51f6",
"sha256:dfbfac137d2a3d0725758cd141f878bf4329ba25e34979797c89474a89a8a3a3",
"sha256:e202e6d4188e53c6661af813b46c37ca2c45e497fc558bacc1a7630ec2695aec",
"sha256:e2f6fd8a1cea5bbe599b6e78a6e5ee08db434fc8ffea51ff201c8765679698b3",
"sha256:e48af21883ded2b3e9eb48cb7880ad8598b31ab752ff3be6457001d78f416723",
"sha256:e4b9fcfbc021633863a37e92571d6f91851fa656f0180246e84cbd8b3f6b329b",
"sha256:e5c20f33fd10485b80f65e800bbe5f6785af510b9f4056c5a3c612ebc83ba6cb",
"sha256:eb11a4f1b2b63337cfd3b4d110af778a59aae51c81d195768e353d8b52f88081",
"sha256:ed090ccd235f6fa8bb5861684567f0a83e04f52dfc2e5c05f2e4b1309fcf85e7",
"sha256:ed10dc32829e7d222b7d3b93136d25a406ba9788f6a7ebf6809092da1f4d279d",
"sha256:eda8719d598f2f7f3e0f885cba8646644b55a187762bec091fa14a2b819746a9",
"sha256:ee4308f409a40e50593c7e3bb8cbe0b4d4c66d1674a316324f0c2f5383b486f9",
"sha256:ee5422d7fb21f6a00c1901bf6559c49fee13a5159d0288320737bbf6585bd3e4",
"sha256:f149826d742b406579466283769a8ea448eed82a789af0ed17b0cd5770433444",
"sha256:f2729615f9d430af0ae6b36cf042cb55c0936408d543fb691e1a9e36648fd35a",
"sha256:f39f58a27cc6e59f432b568ed8429c7e1641324fbe38131de852cd77b2d534b0",
"sha256:f41f814b8eaa48768d1bb551591f6ba45f87ac76899453e8ccd41dba1289b04b",
"sha256:f9025faafc62ed0b75a53e541895ca272815bec18abe2249ff6501c8f2e12b83",
"sha256:faf8d146f3d476abfee026c4ae3bdd9ca14236ae4e4c310cbd1cf75ba33d24a3",
"sha256:fb08b65b93e0c6dd70aac7f7890a9c0938d5ec71d5cb32d45cf844fb8ae47636",
"sha256:fb7c72262deae25366e3b6c0c0ba46007967aea15d1eea746e44ddba8ec58dcc",
"sha256:fb89bec23fddc489e5d78b550a7b773557c9ab58b7946154a10a6f7a214a48b2",
"sha256:fe0dd05afb46597b9a2e11c351e5e4283c741237e7f617ffb3252780cca9336a",
"sha256:fecc80cb2a90e28af8a9b366edacf33d7a91cbfe4c2c4544ea1246e949cfebeb",
"sha256:fed467af29776f6556250c9ed85ea5a4dd121ab56a5f8b206e3e7a4c551e48ec",
"sha256:ffce0481cc6e95e5b3f0a47ee17ffbd234399e6d532f394c8dce320c3b089c21"
],
"markers": "python_version >= '3.9'",
"version": "==0.27.1"
},
"ruamel-yaml": {
"hashes": [
"sha256:148f6488d698b7a5eded5ea793a025308b25eca97208181b6a026037f391f701",
"sha256:dbfca74b018c4c3fba0b9cc9ee33e53c371194a9000e694995e620490fd40700"
],
"markers": "python_version >= '3.8'",
"version": "==0.18.15"
},
"ruamel-yaml-clib": {
"hashes": [
"sha256:040ae85536960525ea62868b642bdb0c2cc6021c9f9d507810c0c604e66f5a7b",
"sha256:0467c5965282c62203273b838ae77c0d29d7638c8a4e3a1c8bdd3602c10904e4",
"sha256:0b7e75b4965e1d4690e93021adfcecccbca7d61c7bddd8e22406ef2ff20d74ef",
"sha256:11f891336688faf5156a36293a9c362bdc7c88f03a8a027c2c1d8e0bcde998e5",
"sha256:1492a6051dab8d912fc2adeef0e8c72216b24d57bd896ea607cb90bb0c4981d3",
"sha256:20b0f8dc160ba83b6dcc0e256846e1a02d044e13f7ea74a3d1d56ede4e48c632",
"sha256:22353049ba4181685023b25b5b51a574bce33e7f51c759371a7422dcae5402a6",
"sha256:2c59aa6170b990d8d2719323e628aaf36f3bfbc1c26279c0eeeb24d05d2d11c7",
"sha256:32621c177bbf782ca5a18ba4d7af0f1082a3f6e517ac2a18b3974d4edf349680",
"sha256:3bc2a80e6420ca8b7d3590791e2dfc709c88ab9152c00eeb511c9875ce5778bf",
"sha256:3eac5a91891ceb88138c113f9db04f3cebdae277f5d44eaa3651a4f573e6a5da",
"sha256:4a6679521a58256a90b0d89e03992c15144c5f3858f40d7c18886023d7943db6",
"sha256:4c8c5d82f50bb53986a5e02d1b3092b03622c02c2eb78e29bec33fd9593bae1a",
"sha256:4f6f3eac23941b32afccc23081e1f50612bdbe4e982012ef4f5797986828cd01",
"sha256:5a0e060aace4c24dcaf71023bbd7d42674e3b230f7e7b97317baf1e953e5b519",
"sha256:6442cb36270b3afb1b4951f060eccca1ce49f3d087ca1ca4563a6eb479cb3de6",
"sha256:6c8fbb13ec503f99a91901ab46e0b07ae7941cd527393187039aec586fdfd36f",
"sha256:749c16fcc4a2b09f28843cda5a193e0283e47454b63ec4b81eaa2242f50e4ccd",
"sha256:7dd5adc8b930b12c8fc5b99e2d535a09889941aa0d0bd06f4749e9a9397c71d2",
"sha256:811ea1594b8a0fb466172c384267a4e5e367298af6b228931f273b111f17ef52",
"sha256:932205970b9f9991b34f55136be327501903f7c66830e9760a8ffb15b07f05cd",
"sha256:943f32bc9dedb3abff9879edc134901df92cfce2c3d5c9348f172f62eb2d771d",
"sha256:95c3829bb364fdb8e0332c9931ecf57d9be3519241323c5274bd82f709cebc0c",
"sha256:96777d473c05ee3e5e3c3e999f5d23c6f4ec5b0c38c098b3a5229085f74236c6",
"sha256:a274fb2cb086c7a3dea4322ec27f4cb5cc4b6298adb583ab0e211a4682f241eb",
"sha256:a52d48f4e7bf9005e8f0a89209bf9a73f7190ddf0489eee5eb51377385f59f2a",
"sha256:a606ef75a60ecf3d924613892cc603b154178ee25abb3055db5062da811fd969",
"sha256:ab007f2f5a87bd08ab1499bdf96f3d5c6ad4dcfa364884cb4549aa0154b13a28",
"sha256:b82a7c94a498853aa0b272fd5bc67f29008da798d4f93a2f9f289feb8426a58d",
"sha256:bb43a269eb827806502c7c8efb7ae7e9e9d0573257a46e8e952f4d4caba4f31e",
"sha256:bc5f1e1c28e966d61d2519f2a3d451ba989f9ea0f2307de7bc45baa526de9e45",
"sha256:bd0a08f0bab19093c54e18a14a10b4322e1eacc5217056f3c063bd2f59853ce4",
"sha256:beffaed67936fbbeffd10966a4eb53c402fafd3d6833770516bf7314bc6ffa12",
"sha256:bf165fef1f223beae7333275156ab2022cffe255dcc51c27f066b4370da81e31",
"sha256:cf12567a7b565cbf65d438dec6cfbe2917d3c1bdddfce84a9930b7d35ea59642",
"sha256:d84318609196d6bd6da0edfa25cedfbabd8dbde5140a0a23af29ad4b8f91fb1e",
"sha256:d85252669dc32f98ebcd5d36768f5d4faeaeaa2d655ac0473be490ecdae3c285",
"sha256:e143ada795c341b56de9418c58d028989093ee611aa27ffb9b7f609c00d813ed",
"sha256:e188d2699864c11c36cdfdada94d781fd5d6b0071cd9c427bceb08ad3d7c70e1",
"sha256:e2f1c3765db32be59d18ab3953f43ab62a761327aafc1594a2a1fbe038b8b8a7",
"sha256:e5b8daf27af0b90da7bb903a876477a9e6d7270be6146906b276605997c7e9a3",
"sha256:e7e3736715fbf53e9be2a79eb4db68e4ed857017344d697e8b9749444ae57475",
"sha256:e8c4ebfcfd57177b572e2040777b8abc537cdef58a2120e830124946aa9b42c5",
"sha256:f66efbc1caa63c088dead1c4170d148eabc9b80d95fb75b6c92ac0aad2437d76",
"sha256:fc4b630cd3fa2cf7fce38afa91d7cfe844a9f75d7f0f36393fa98815e911d987",
"sha256:fd5415dded15c3822597455bc02bcd66e81ef8b7a48cb71a33628fc9fdde39df"
],
"markers": "python_version >= '3.9'",
"version": "==0.2.12"
},
"subprocess-tee": {
"hashes": [
"sha256:21942e976715af4a19a526918adb03a8a27a8edab959f2d075b777e3d78f532d",
"sha256:91b2b4da3aae9a7088d84acaf2ea0abee3f4fd9c0d2eae69a9b9122a71476590"
],
"markers": "python_version >= '3.8'",
"version": "==0.4.2"
},
"wcmatch": {
"hashes": [
"sha256:5848ace7dbb0476e5e55ab63c6bbd529745089343427caa5537f230cc01beb8a",
"sha256:f11f94208c8c8484a16f4f48638a85d771d9513f4ab3f37595978801cb9465af"
],
"markers": "python_version >= '3.9'",
"version": "==10.1"
},
"yamllint": {
"hashes": [
"sha256:364f0d79e81409f591e323725e6a9f4504c8699ddf2d7263d8d2b539cd66a583",
"sha256:81f7c0c5559becc8049470d86046b36e96113637bcbe4753ecef06977c00245d"
],
"markers": "python_version >= '3.9'",
"version": "==1.37.1"
},
"zipp": {
"hashes": [
"sha256:071652d6115ed432f5ce1d34c336c0adfd6a884660d1e9712a256d3d3bd4b14e",
"sha256:a07157588a12518c9d4034df3fbbee09c814741a33ff63c05fa29d26a2404166"
],
"markers": "python_version >= '3.9'",
"version": "==3.23.0"
} }
}, },
"develop": {} "develop": {}

4
README.md
View File

@@ -4,7 +4,7 @@ Ansible playbook for base and initial configuration of the web server hosting my
## Assumptions ## Assumptions
Before you can run this, a few things are assumed: Before you can run this, a few things are assumed:
- You have a clean, minimal Ubuntu 18.04, Debian 10, or Ubuntu 20.04 host up and running - You have a clean, minimal Debian 12 host up and running
- Python 3 is installed on the remote server (requirement of Ansible) - Python 3 is installed on the remote server (requirement of Ansible)
- You have a user account with password-less SSH access to the machine - You have a user account with password-less SSH access to the machine
- You have sudo privileges on the remote host - You have sudo privileges on the remote host
@@ -25,7 +25,7 @@ Once you've satisfied the the above assumptions, you can execute:
- Switch from `cron-apt` to [`unattended-upgrades`](https://wiki.debian.org/UnattendedUpgrades) - Switch from `cron-apt` to [`unattended-upgrades`](https://wiki.debian.org/UnattendedUpgrades)
## License ## License
Copyright (C) 20142020 Alan Orth Copyright (C) 20142021 Alan Orth
The contents of this repository are free software: you can redistribute The contents of this repository are free software: you can redistribute
it and/or modify it under the terms of the GNU General Public License it and/or modify it under the terms of the GNU General Public License

13
ansible.cfg
View File

@@ -2,15 +2,16 @@
retry_files_enabled=False retry_files_enabled=False
force_handlers=True force_handlers=True
inventory=hosts inventory=hosts
gathering = smart
# instead of using --ask-vault-pass # instead of using --ask-vault-pass
ask_vault_pass=True ask_vault_pass=True
remote_user = provisioning remote_user = provisioning
interpreter_python=auto
ansible_managed = This file is managed by Ansible.%n # Don't warn on unknown SSH host keys because it's super annoying for new hosts
template: {file} # or if you get a new laptop and run Ansible there!
date: %Y-%m-%d %H:%M:%S #
user: {uid} # See: https://docs.ansible.com/ansible/latest/user_guide/connection_details.html#managing-host-key-checking
host: {host} host_key_checking = False
[privilege_escalation] [privilege_escalation]
# instead of using -K # instead of using -K

8
group_vars/all
View File

@@ -3,4 +3,12 @@
tls_cipher_suite: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" tls_cipher_suite: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
ansible_managed: |-
This file is managed by Ansible.
{{ 'template: ' + template_path }}
{{ 'date: ' + (template_mtime | string) }}
{{ 'user: ' + template_uid }}
{{ 'host: ' + template_host }}
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

14
group_vars/web Normal file
View File

@@ -0,0 +1,14 @@
---
# file: group_vars/web
# run nginx by default
webserver: nginx
# all hosts run fail2ban with the sshd filter, but some can use other filters
extra_fail2ban_filters:
- nginx
# root prefix for all web servers
web_root_prefix: /var/www
# vim: set ts=2 sw=2:

87
host_vars/nomad01
View File

@@ -1,87 +0,0 @@
$ANSIBLE_VAULT;1.1;AES256
66623536376436633432346633333339643365323131326136386239316166633861323465643864
6237346632386436323966326635323262613939333833360a306562623438313033343838636361
63393130646637653034623830346232313766303866336564326435383138613762316134656235
3263646630653532630a626662303432376261626565623830383965383938346332346337346661
31366161613036363436643761646239363431633036303234306433323536663334633739636137
39303736313630626634633831376539313762373637313734623462343138383266646638363863
38373262303336333431343634663962323738616637646230653636343866656462643061383336
38393438366263323538343833663261316437333034316535333837346166393431363166653466
65623439356337353837376266643934323938386633616362373062396136643765363862643037
61396131653938353833613730656534646365613932313932343436616131303865336432323434
33663130326639633464633137303139343334336137613432333062386639396632313336656138
37386166323164306565643461306339653733643434343365343835356436656163333633353236
64313061333034316265373235646634616137393865393330623039636332346332663234646233
32343732343438333630666666383634653231643434353132323434393939303232633465343166
32313966663635643538326161353432663039623164353837383435303236613237386661316239
33303333613335333637303731643061663535653339316266373164633138636331653537313832
34396136363930316536323631623462393837616334363233646565623732333738363034393661
38303635333765363763623462313532313933366635383162633261323936646562633630653863
65656663326561323735633137616665316662343038363338393261306538323634663836633662
63656133336637636565356265343864666539383165386432386539633831363835333035376230
61656366343730323439663166366165366133306666316135306532306134636532343338643732
39396666373138653561653832376635643863356130346232663333363734633061613939333264
34313732393831626462343864343330343238303362303337373864383635313334616130373162
31613666636639656339383163633238353262386239326334346534353965393838383635306131
31323461626664626337333134643130653030333130636235633333613161646666626165393765
31633936326435303837346165363165626666336331323834623834643336303331303834376239
66366336376338316264303639613337643337373233636463323637336631353536386563353861
30326236373330656239303962623632656238653563393830336366366132313862666533613365
39363538616364633735313430333166323330623363613163633638623661363661303236383839
33393734316261333666306632303666316433656464626366393332383637626336326231623134
65646536383633323761653232356439383562323131353434383266643764636431643132626432
64356536336466623737643334313966323631646139373763323164633066643337323730376533
34656131656366323238306630346161316139613462383532643265653534623563363764356239
37323039613331633435303765373038343837373161303339393838353562353832623561386238
31343865323338643435306238633261333434343263653537376438386461613265303731313361
31626638363566343039343539363631313163353762313430663131343363646234363236383430
37373265633631346236626639313165383739393364343139653835396635653932366433343532
32396636393334376533383238346461666635616137356431306666636661363265383033636434
64346563666435353032653532323230376264623666636638383730386331653665343730306436
62643632633265336532616239363632343366303130333463623534656533346565346261373134
38616365636336633031343631626464323565343336353735666138326234376534376366366131
65663631656137616137323564663532626264303863366361396333363231393661643338636531
37323164363437323430326436396665326630633539366334633538323464653938383261663336
33636631643430346661643730376231623166633332663366363830303136666338636330363636
66343438633066373566313965356332633366303363313463393962613032323232613161646564
34616432353661303832663762383165393133393563613236383530666135633833663065306139
63303062633938646663313066653839333730393734323633323234653831393334653633326131
32663630623233643138633936303539653666613865316538386130366639646539316263616330
35373461633732616430323632383162343430363732613231633736633363623962383934616631
65393165333534653835383939623635353461663734636562313036656361616461653561346430
33623736303135323639313938303335373731663965306561396330313939373835373932323834
66396638666537363735663933316333323637363834363261346431396464346566613862353465
30633936373561393632653831363739633534636161343963303765373335333733333666386630
62643632643636666138396331386164653161643762626234643030336430613330313538613933
63386235653939663234633736326337653065343236343336663665623032623466353730333739
31383038356633386466323265613134623763353938653331313334373463343861643631343933
31306530643433636462666230656434666135663937616362343032626133326563303630666537
65333638373763623261396664326266366266646430393838333961373039383834366664623833
34313935616238303936396563316161326537373363386131336336343135613239343766656236
32373938323438393433303337326665316438303737326566663361346165633266646439343163
63343336636138623430393934396330303039623565316665316462663339616263363038303332
30303530356464623032663536363438623963316235636633323837326137666435353437356432
61333430613663653630393631383239353636653730353965306163336636623838343634326539
63636233373134646262393633313961656438646162613462386530313834333536663030613032
32623739383631626632633737386236383131346430313530663136633866316161626633363263
37646462333435653431373034626264623965626233323932323432313638633837616330633562
64616365353639306665653063343330323937363537313962326133383630383966316335633335
39643266376438313935653730303530393038346466386361346330313933633362326237636130
37313765623964343563666231336336663764633263343437346566376232376130313437386235
64306538663564613764393032663536653634346232376463363137376466346562313433363062
64363833303566313435326464356534643561626164636337626562393732613933373266333130
33663264333432616631663736663935623336363132616562663061643430343565613430623332
30383264333464343230376332643862366231316131336264666463396632323632366435386236
38636237383061383738373236393532373234373662313862653534383937336436666136653638
30653735653834643436363464316664336539386433383834633834396236366339393137353138
37323861383639343561303739313161353735373066383436383363643636313066346534383338
32373233646565323863376337313766323666363430623765383836666464396337623332633733
34623133363435383730636433353035313661313235303339343038633637343062373635613430
38363138363661353662393831323863653637376531643564343866333264333066323632633032
38633861313934613838613264363364396530333530636437313166656162333337363466653763
63316335353731656331323433363138363962356437323938373033356364313265616535666533
30346436323837656461306364393935306131323334376562663365633530313732323331323937
63393437306664333932656335326432376332323939323763386266373730313430666533633966
65303163646632636461623539666636613966623430356635343263643034613231653363613162
33623735343232363634633432326133343433633662653235613561653434363937306135323537
3939323339626364666439636133323334666633653066666532

110
host_vars/web19
View File

@@ -1,110 +0,0 @@
$ANSIBLE_VAULT;1.1;AES256
64383838396265653365343861343362316562363865636230623564316562356366376264663036
6536303765333234613437363062623235666234353664310a393561343233306565383439633036
33393562393163383739636432633535613131366639356166656138373633663836343062376431
6234633464663833310a353134333062623365653733353531636537353262616238343362643865
36336430376563666431383538323735316433326432306631396435333635613532306164333966
65623731353239333764376663353439363137663134376565346664646461316566373366393262
61396138623561623334656132626437656237643434303638353662313331303937663662613063
62393032386462393231363761306539326134346632383336353938313237666433633666623964
38363932643237323836386563623536313264363862396266366236393465616564366661623763
38633266313333646539653233386663623137323035626662663732363264366661323666633430
39656231656463333034613236366464623234303563373162396663303132333832343764323633
36366530626265623138326461626333623063363632623531376264616164613532383338323838
34383133616665646465393462343865373363306634653764346337333434396262363361396635
37333666313437393361323131303336653365363838373464353566366137373463663463653232
33356662613462613731306438396233643565313662653633303964633131333564346530616338
62363937346234386264656433376333346162336666663364363966343636323731656439323066
35313863393261373661626438626438663231613961343661616638323735386366356233626531
65663836303562653062323435356230656636363837643130643865303032353131306463393930
61366332663862613065373439376666336432346231613564633366303733303062613538383830
37663232616430623530343830666361303032613734633634376236363530333931313534613763
38353036303061326434623836393631646531363664323135393961353136373139643431376637
30383536343361376435396361623634343034323138343634303934386162353639666531366238
30376464313463343034623362646232616637653936633232383236663565323462366365366634
63363239613630663166653033353964653566663734646639663639623065323836333630323936
66303062393032633632646333396235333738306563356439363535653865346131326333333333
38656435613939333734393662626264643962373162663365323266376232623164656163306532
66643865303335356264396361653764326330633935326431323666353237313530643930646663
62643964303938623762613432323936366333326333383839393538306631353963623335623231
33653334666638313137656437643364363631316162393562643631366534363637653262363366
62383561633161346236393563306361376534333030353331633131376438613731313535326138
36353137393066623435343738653565623238313436613730393434316530633938636233633237
32363531313637353964303735373864383130366332333061323964623030303466333561613335
35356232323035333064323630646166343566623165643661656330666134353137366431303036
39626639396433313032303239313537656261613932326233343030393430663664663764643566
33643832353234306163393465393036626337303261386434633765343731396631353036336565
65646566623337366230386136613563396665383733326533643333363232666662383430303763
35353632663138336331356434333332396630656337643630303933353434613064666432353864
32663566643264623765653039666634646665643264346539656463663239666565646564353233
39373161323765326263346137643938616561366464626439373563383363343430633665383134
66303239353461376538323933363239303134393438623864373835306234303466316430626231
36626465663663313739306530386138323634366432306531656432323665373063653131376662
32663161316237303865366431306134643566346564363766356466643163306134323133373037
62613433623162373135376230616265633764356335323366396338363631353239363839373339
35316563643665373864616465626138356564346266663362393730646531326565393362356532
37386434376139316135373866646333623561656364363033643735333164653234346335336335
37316132393837626462653030643430303239643338306461373431633934666137343136333735
62656163663962616130656465633366613938396163313234373830393439626632653662373963
36656539393632363937313233386432306465373031386333353130346636353861396535353431
35356330343034613735313032306139643665376637363036636135336332613231646536616337
62306332643564643766346530616132363937376365373939623863663337326163343731386433
33616639316334396431643139643032306665343463383534633665346366653333653530313130
31343233663437396635646631353738373361326236396161643238306364366433376631633734
36313266306235376532633435626666663331316362373134653635646162313564366132333234
39393634636162353334363636346535383934303337336165383530313232383939303133373531
63613232386437353333363161333864353237303730626136613263316263663834366331633530
33316339326537636539663061333334643465663965386430356635613863653731333830353335
61663334376134396535643965376665393533633735396430663733643165343463316633656636
35383931643562383866303066376133366435633932626166393138393435383166343035326632
61326337613963356537633237366566623731663539663235336336316163653535343831616632
64366463626338343931313136383661313661613034303333626661376134326266373261653763
66613838373731353862373563663833623066396331346335626461383666303838323233383032
36346663393665623365666130396164616534316335383436616463323939663636343435373133
30396131646365393233333666633537386461366334613235373134316334373262356233633539
62333363353864393930333333303938383537373036623438363435353138616263373637386161
37646334393862346162616431386661316465666161666362623434613166633033386635356465
31646262323036653334356531613162626636353632633835363665616432336436636530323835
31623230623336376237643731633736373037316536633539613063623337303664336330373330
31636463363936373931336365373437393739626361343331663836396437366566386233336262
65333139633436633730613264313735636635333864393830306364613965393963326439323364
37363939326438656637343766333939666432363763306332653163306265323861366233613839
66663938323866306339373432656331356664336134366335623532646465386533323536383230
63646265323261656135376535383364336464306261663030656337623466356365623834383335
64333131336466663364666164366333396230313861373336386566616464363038383734313537
65306631303366616132616263613864343537323163306130393737316530653936616635303733
32633536653431363565633236626535643861636231303732653739623031303732316437353230
39643539646262393136653162366565316634336637333636316533393564643930383130643830
31653535316363316161343662333364663338323134663933623234346134333535613837613434
36663166336262393839303736663434386665363837633662653966613338646266393334386164
36353065303132663039393336333639366262303964643063653139633930663833643964353164
32343263626462396638333633663639366434393932376230313135306262653139386466616531
38623337363831323231383435393261663632373331623037383934336663356534613830323434
33303330316465646634393662323838663738636432633131623965316564393161303734313266
33346637613134633136383833323031306563353561633562343838306164666233666165613431
36356164366364383433316166633637666437666634356161376166373731306230656233383037
65316135326632363530353532323963616463323730376138613561623330303932383663633965
65386439653431626139336539383532646330633538313432346133323633383234313030363230
63386162636132356666616438313337356139333034396430653934373363373064376139346237
36643263613838343162613433613736313835373064316637333931306337336433333066633562
32666231326163393561353035366639333033323437643230363131646132363064626334363533
35663861356663373535663466336539313637363034373765373039373032656230656437373862
38303334346531393963636632343732396465346263393861396637616565313462373038356561
63643763646535613762346635313763616165656139666537313764313738393463663331343936
65336465323938616362656232626331326263336666643939356133306333313138313963626435
38363539303538393639393263396637323864303334323665316431613166306233656534626637
32663931663164663731303235633530373565316461383163643433336632653836623130396436
35653635353266666238326533643835643230333538363765376533616230653862623437623630
32653831366532363237383333363830333661646163633938313132663933323064376136656265
33303437363538653039383839393966313630653938643161636565366237656631396531383333
62643735333561623733393435376463626166363535303931613963656232343239356434316365
30623831633062373939323438313332346665613033383531373165363331393235303832363461
31653634353133363331333066363739353465663136346335653734363836323432396431616334
35646134316637653265343139313136393134626439306165653938616139363631333735303239
64633464386565666465646639386264653766386233376663373138363732636264366231363039
66346132386163353966393137353062623633346163643563363836376539643934663039646664
61323364643363643731343834623561353135393663643566383866623433363436313234636232
64373037313930653533363535373565663564643833353436356133653563336130386335643065
64396662653536303631616664346665303734653838326164386665323631336330326137333933
64356264343237616262636437306637303233343761646632646234376537333535323936663965
3865

27
host_vars/web21 Normal file
View File

@@ -0,0 +1,27 @@
$ANSIBLE_VAULT;1.1;AES256
38663333313561616264323430323162323837623430363739623561633331656664613936666665
6364373033623163393239663035306337383066343438310a383666313434323036643037363065
30396333626130303633663930663965666662646233393439376661346265616565616236623366
3930373433646231610a336233663132306263656465633034333030316362643939316465666534
38353961393038613961353732613434663565633466303265383231343336386330333464376363
33616330643364376332623634363766656366666239633964316439376463313063333162343963
61356634393438313063666434626338616264613639656462626639616263366531663135393466
66346635616439306364356133303664376134626636616131373138656562363363306633333164
62623135343633393834393165383231316562643062343165663235313930663039623135373263
61343336643235303962333938613230356465346436376334373438386461366231383737643137
36343832353730366131653430633465383163396336353065306638373166386438356264616139
65346635663338366463343932336231386235393836616238373864626235623935663661396663
31633565356465333737303339333435383162316530396563333335613062623138333232336162
62376363666431363931663231643561616562383230643737393261623934363633313231333137
39383238656237343661626662366465356463396336386261326334613436396364633062646532
61313136366636363861316166396134316562666435653437326331363563653035343138636163
66336139636533656334643966383962383734623565323435333665666164353732663736326364
35616264383237316330386539363065376334643432393636643464646238633034333166663665
33313166393738626133636136346637646437306335326263393634363133663736666338313838
64623139613037653461643563666539613237323934376534376461313833336338623032616661
64643062663633366436383232366137373936383430306332616634636331326361383931363961
62313236313563326438303935373837666434313435653236643135303739373763656562393537
31653265653739346433663937343439656231663963333633373066356231623762313438393763
36306336656566633034373834316363333233326130626639313130643935333437653934313636
32383034346234333561333466653561323834346166633831303566376266373933356536383031
6236303934323963336662386666653138313165366133303434

141
host_vars/web22 Normal file
View File

@@ -0,0 +1,141 @@
$ANSIBLE_VAULT;1.1;AES256
38353762626535363837346634333565643931386536313339336365663162656533363636383931
3737373161623364396366323338613062386466313539640a653334643937326338386262623261
65643635373532636439396235373964303537646334343633633531633435323037313433346636
3866306363303338360a356166353265386130616163616662623764313536616666656237636563
30323036353635303438363234646234656530373365396530666539393132643831653039666562
65383962306465363862333131383263353736623264616465336139313638343462653361333239
64363562653366396664623662376433663335313231653935626237663430303734326433333739
62616265373732316530366331323664373637386661353664626464646264356465346466663539
31613435366362343564313732616639376664613630316236373333653634386130663463626231
31396631623466666364316237313363366439326231653035316437616134643035393138383364
35313738373562353632366637663232393638396330626165323535343538633264353366663738
30663135646162396331623837343661613333313437313434313365623664316135626239636230
65376137303439323166346536353831653537326662356330393362666430633831323537623830
65326164663136383339353138663936306166633662346363353063663435323266653137666630
61353263653735626236373233313436343466653238376634623366356431333439323932343938
33303432613063383135633261653837633961643737623462626439373335613430356532353031
31626666663963643736323731613735376239663530373166626365666339346435323761333637
35383464626437646665653931653932653033376464386132383038633734373138313830303466
39313532333866303565353161636435646231313461646639316566386639323561363633636139
37613661626162306431313266383964323434343039386533333535646565373933396565613565
34666136633265663035306261623531333665636336303665613635333232316331643935353461
32643735623532313363663530656630653531666335323565353063316537396334383230386462
33333565616634356537376466373332356663376363353166656139623336396130653564333739
39303733303939313838363331356437646632386631343466383332313037616430313566396335
31363038373437643266656463373662653966653832613935303462303031653761336165646162
31646631373335336435383638666562373236656231613662646161613533376237366463383630
36393532316336303531353032303937353963306164663162386137393664353962323865616532
63326462626130386234643639363762323863326134623063343731366433306431303763363233
36366334386266616261616266386439623665326339653562373836306165353137353137376337
37316363653935623736613138356333653936363866356665303737363032363564643532303234
37656432656363336564393263353430373437303337303461613763346461646565646535366638
34366337343033666134383966646563356533626665373337646231313431346239303635353261
62313939383762303235373537643531623465353062303939383666323139396630346461626136
38656632373637616532666433626564376338363239326234656561636239653536366331633234
65366139623238336234363564616430646435666562616636303064663437663731303839313365
38636438386162623862363865646233346336636439663833343136316165343564393339653565
38346166346434386338303032303430303535373635336562663030336566666435623537363137
61373161343138656365376531633830313561336632633330323035346431643837383062343537
66663961306666333535656432393134363565656635333633363732626665656365356138623164
65303936633666643034313636663262616661313739663135653335366261613133643630343362
66343033363835613031626635336538303362393561313032336136306465316231366137373736
62303335393333306132326135393562666431303631306538326433613362306131316139386361
31383665386466653066613038633335636233396335383764336462636138333034383836386365
38323739346630643532346161383336646165333336393961663930623531303434366265313861
39613231373335373338656434636134663036636234393534353033613133383034343437626434
31646339613430343265333833303231333739666266646436336161363330396264313636616461
61396332363537636162316261363030393466356263353938343236323932306366316535366533
38633165393339356339383939666161336461653438353632653530326639313238323761386461
63653765313532646166306237386435663432633934343039666637323362626338313135623034
30356438633635363738383932393861376235353962303663313963313964383530306530316363
64656638363436326562323234303961396333323931666365656433663865616439336138656232
66653964383034343837663936306632336562373637346132333063663263306237303461333732
65363661623064643663623661393563353739373535373764356163666639376236313839336438
35386265646331313663653761353864663934663261313037396135373938343265353934353361
30343564623631316366343838656135393364353836613330393536623662383637333039383133
37653733626662646631616563306638366263323634303636616331323964393962643061646361
39363562396634656637626630653533396236613334343332326439656165306537326464613436
37333632663731316165613432353339356561316431623038303365303663326666303666646363
66656630396661353765666131393737636630366666373136313837373165303437316233656261
38346463303964343132393162663762346163363739383733326635643264616166393264633934
64333137373532343032303431316633613836323631613231346133366635616435366436316239
64353633366431386664623239353735623037623364346431633733336563303430653233313637
35353138616164643834343339653739373038633531303039333632663566323565383637646561
31383965396365653364343761363161656432656665383963656463613637633938376234353532
33653837613266666661613165376665626432643439363637623333336234313836373232333736
65313232373233613763376463663161643636663162643864363962376232326462643936383131
39366164323038376633376238363663313238336166386663616261306532633331643537376631
31376663393036363566653061353636326565376636346466656263663266326332656461336437
32646162313932646632663738646532663439313630393038383530653562313439336631663535
36396265353231373435353137303164356633653938373166363663616632303764633738333439
62626533346561333565626163643235393164353861636662636531333834623965323034363735
33336138356663303462393864343434636364346432383665313931653062363138623261326438
31616533643163363261386635653732343939633965363362643536626264323537656238633539
62393935386433313366656133633532353131343237623466376632623434626362363062326531
33346165643164363365626432333631393664316266613731663162313764386336333231396632
36666536336333623063346166306164376138343566353063343866316432333266366337623866
61313039663661643863663434343732313139653037373065333463383635393061323938643162
61383064303461366162636439343438376266313931323934313563623435346634663739666565
62333035346634303139626432313262383262633437663436323763313361633235393037343665
62316564376464333133343134333230383765303834613233613232626131343631326433373062
36343466396430313534336332636233623337613134333861646334326633396434353765636163
37343638363234313030363661306337393361333332306331396164346633336130336366396430
62306539656332313162626239303066656664383639353730633738643132386662643733393761
62666339346130626163656237623730363066343838303036613038613763356263363365366238
62623435303838623630333231663137393362323234383533393763623235376164626461373736
36343761353362623433663936623433353439646463613233363732613435373564616239626564
61313066333939326435656535333963313831316231356232346534633531613963353130333432
37656163663230626632393939363532356366643764323330366630656334623261656334633865
61303066333566363061626437643132353664383061383364333338666230313034373535613063
63386237383638333263323337313336373830303865303466363965303839316162663431656538
33376332643335366537306133613761613132643232316438623939356331656263633933613935
65653465383434386561323462626362623566663330656439386361616562353430303938636436
66636531343063633561363330663436383930613438323764356562383536393933646264323135
64633764356166343965346362323466306636363633656466653934313230326435336536306230
38353432323537393131313239373861386237313530366139313338313330326632313536353837
63386161336335363834356437326630353031373435316462613634633039336132646134653236
31346664353932323339366464356161333637313761666138386164313163333531626235663338
62386333303264306363646136646463393134373939346438383465393439343337643336633039
62316464663038326439656334373331303165346534346466663538313632633561393335333931
65363964363335616639643462393463343437626539363838626439386164303464316666633663
63656639626133653266306266306531646331386366343936316136363935323662336335326338
30666130316265666631306635646565363039306138313462376662626161313134383633653834
32376163383763306165323466306264616366343332636564636162666434333732643635336163
61626162626331613438373464336465303739316130343965633532336531313661613961313164
39636165316638616338653965373833333732396363393463383433383930353361636166346232
61323935663536306533336137356566383130393564623938666231393431626136396137633066
36633133313861353338616561373838363833353531633465363731336237663561383561326635
62306338643965613635353536613335363934666362366466663461646135346436336164346536
62666631303638386137356233303235613636346661303834613335616161396238663530643165
65366364336139303766303938643038303461656335303438396565346330313665636165626432
64326666313562646239356231663834326566313331303363343064346539626636346438313266
65643364656164336166353435343730376266333633666230316464356439336463316464653137
66303865613961373732323439326535373933393537656462303831333432636261613564636330
63323361366332386331376437666234346661373233653432343733346363306130383665626437
33313330336365633464643563643465393935653132376135663163393161616462353838336664
35393833656135643733623765626639386561333336623930303465323963613164666531396632
35326365386566353966383635643132316230383363393539653335633934646239316131653536
66656161653030343462346337653434313062343663633665363838393865336536626532623132
66643636656134353363636433636538623930396262663864343332303066333566653063336464
32303030396137346636636164323133396364623532643332363638643761323938616530353836
65366331633561623331393231323534343239323565333330636136383836616230343034633036
38373530616532653166653932643665396434373465376530313663646236336238656266616261
33396463303963646633373038336662623161643135656136326533646337316562323932613833
65616434316239353531666131383335383733333830613934393465663138353662613063323537
31393337343737646537666430323666366338303731623339323063393636353132636233343436
61653862333837623666343061633531396235633565313631663937393337303764316466613130
33653732373034613639326338353438643664653461616133646235393864386564353765313932
36613165323465333937626165316632313334313364353463366239356630653530313761373261
35326331313438656238646535643131656634396238363734626431633734336238616538383636
32303331666531653331306263303534613332653535643833303062653566393632333030383263
63393636643264656439373165383861323534333462353763343931363065393738323433323839
33333530323434363662633939303261636465356663326565633238663333656131376130396561
63363636613161383465323233626630613265346162386439353665393832383961616564636538
65333635336638646436623033343831356339656638333231666439643337306636313931643466
32393765303361323735646130613035346564356562656631373435653832663165313131336236
31636634663466366234386262623234626161663461386661656435656133616339383633386230
34313065396335636630333066633339646432313632373131306235333164336534363630313939
32623062393230633732323130613338363833356533306662616637326337343330303635343532
38396665633938313932656130303263396631343761616631616637633831666139343130313236
62356630346264376432

67
host_vars/web23 Normal file
View File

@@ -0,0 +1,67 @@
$ANSIBLE_VAULT;1.1;AES256
64326662336532386161646564656439396461666266656463393335663130323930326139386562
3639653630336132663666646161363938386334323064320a663564613066313533353433333434
30346561616465646163646534356339666639333862623637613435376361323032636439633930
3731313063363337380a373961353530383764623830363935626231333734303364313565626633
37343037633862633632613165323136373662396438613663636433346566653064653632313338
36396333393334336434326630646164333531306432386133353664336535343363343939393464
34626335626436353239366138323863656336636536383733363931633933636331643263653566
30613931616462373336393337363430353962613665353936383533326364353365623333316664
62383439396131303831326562323264336638623461643361663763356236373464346464316237
65393232343733643338653734326562626166366562303037613862396564636662363066356664
32656363616637303039373732396533643432343961666365313963383131643464333765643737
32386165666131626365313938633530346361383734323334613464353862393931323836626563
62656531346532646530306463653364326362613162323536643836643839663933343132613435
63303234646335306632316166626266313635303566396363333464363631353834373761353837
65643461623135363139646564336430353461336433633765303138313730613630346465326666
61393133636262653836333664623333656164663361353130623863653863323131326136373238
33376333316433653337373834666136363130373261333330643439313734343036636364306532
63343662383539633235356162656366323965383331343139616361653466633865626337326562
63643761613536613334333065643533323066393764633931633066353064393966646161376361
37623939386636346161346164303832303534323038626335336665653634386132343031303861
61323765306366333936303765636436633465356539316631343562363535663932333666363035
30386233623265636464393662386464333430396337626230306438396563303437363938303061
32653939383136376365343934613339383563303935623664633639326137353437363261393637
66613331643530623862636665396536613730306537373666623135663837393466343261646461
62376162613861643633656334303132353034333834626664666237393534386439313638393933
35643663613432323432646466386434363335353234643264643463613334356462313766643030
30336364396235663230356235303264323339643761333036333537633862343862386130626533
36626536396663393031303533313238616133323239356634303830353439363133353839663266
36306539636563633734623162356230383232306138393831393336626336383966643335376564
36303730313936633361643736613736303163363536313038316432323039643362636538333037
65613663333032623035656665393565366363396134363832363163656532363537373435623233
36373961333237373264326634353363356537356538343663613034396132396366626330303365
62353461616434343938386237373365633861333733613631633234623034366364363761613636
34393532316466323264363363653335366639613731326131393335313039646538626665356333
62663435633539643237326631636563363833633130363535653336333538366137306235663730
36633934636536633865376262356239303966646638626638386536366662386432343466366161
36646436636538643366623864326630396565373462393132343834626638313437316137353564
34646138616438323065336266366434316135613938643131353034646230396632386433366365
38616436346232363563336439613939313464323861616530633962316634363462373530613665
63653636646565303664326631363535373037663734663965346430363831613431613365393832
62373030336262643430313635626261613232656236333130396537633238623265363932333966
34326135363762396564613064323135313663613565646461376162306532643433333336666532
65383661303137613335653336663666653463623565386137326662653839633536326135633764
33623437333931393737363061356235336232376437643131373531356566323336306138353561
66333863313461613930383231663162616261616639323238646439656166666261626533636161
38333362393033316266633364313739366262636530363937386137616234326638303137613433
65313962653566333364383732386165396136303666383439303064326463346563663434646364
62396130646632653039383661613638303162363538376236666338623865366639663138363636
36373766386234383465316635323931356233366262386135363238366538623135623361386436
64653533646233653463656334633566373433303365353965663732636566663332343337626337
34623861373562386264346430333133343631653631376366373735626664363965666561306262
35666235653235346233636361383566616533646662333662323139313865383264633734643263
63656431393834633935613430643839613433326431666665323136376562333737383862313261
65656431336439303563373833343965323965346439636131633366633431393032613963666539
38326539343132326334316233323362633835356265333031663066643535363639623031336362
64346230383638363763323462386261666266623134393139303264343234623132323437396630
66363738376133393731616535653230303262313937373333353932303038626166346366303163
66613831353731373165636532363165356561383137626437333563616561386666623234313438
37333435306530323235393164383138346131653235633536383636316161316238313064636261
33353963333430383236303038333939316637326130396430623964633338353863613534653663
30333839393230626261663966616230303330636335323565663938343562666663303536636332
34336665323764663163653161373166313631393534326532613538313637313136356336313433
34353036653738343433613763383137336562373332333062326134626638633938336364376131
61303435333163663636653135363162303663663266393438656430306532343438386436343735
31343231653263373532386263653263386435363633396638396164323539306233303562303862
3339306136613431636138333266633739323666633431363039

4
misc-plays/change_password.yml
View File

@@ -13,13 +13,13 @@
- hosts: all - hosts: all
user: provisioning user: provisioning
become: yes become: true
vars_files: vars_files:
- "../vars/{{ ansible_distribution }}.yml" - "../vars/{{ ansible_distribution }}.yml"
tasks: tasks:
- name: Set password, shell, homedir for provisioning user - name: Set password, shell, homedir for provisioning user
when: provisioning_user is defined when: provisioning_user is defined
user: name={{ provisioning_user.name }} password={{ provisioning_user.password }} shell={{ provisioning_user.shell }} state={{ provisioning_user.state }} createhome=no user: name={{ provisioning_user.name }} password={{ provisioning_user.password }} shell={{ provisioning_user.shell }} state={{ provisioning_user.state }} createhome=false
# vim: set sw=2 ts=2: # vim: set sw=2 ts=2:

2
nomads.yml
View File

@@ -2,7 +2,7 @@
# file: nomads.yml # file: nomads.yml
- hosts: nomads - hosts: nomads
become: yes become: true
roles: roles:
- common - common
- munin - munin

11
roles/caddy/defaults/main.yml Normal file
View File

@@ -0,0 +1,11 @@
---
# file: roles/caddy/defaults/main.yml
# parent directory of vhost document roots
caddy_root_prefix: "{{ web_root_prefix }}"
# Email address to use for the ACME account managing the site's certificates.
# Not sure what Caddy does if this doesn't exist.
caddy_email: foo@example.com
# vim: set ts=2 sw=2:

10
roles/caddy/handlers/main.yml Normal file
View File

@@ -0,0 +1,10 @@
---
# file: roles/caddy/handlers/main.yml
# I'm currently not sure when we need to restart versus reload
- name: reload caddy
ansible.builtin.systemd_service:
name: caddy
state: reloaded
# vim: set sw=2 ts=2:

82
roles/caddy/tasks/main.yml Normal file
View File

@@ -0,0 +1,82 @@
---
# file: roles/caddy/tasks/main.yml
#
# Configure Caddy.
- name: Check Caddy package signing key
ansible.builtin.stat:
path: /etc/apt/keyrings/caddy-stable-archive-keyring.key
register: caddy_signing_key_stat
tags:
- packages
- caddy
# See: https://caddyserver.com/docs/install#debian-ubuntu-raspbian
- name: Download Caddy package signing key
ansible.builtin.get_url:
url: https://dl.cloudsmith.io/public/caddy/stable/gpg.key
dest: /etc/apt/keyrings/caddy-stable-archive-keyring.key
owner: root
group: root
mode: "0644"
register: download_caddy_signing_key
when: not caddy_signing_key_stat.stat.exists
tags:
- packages
- caddy
- name: Add Caddy stable repo
ansible.builtin.apt_repository:
repo: deb [signed-by=/etc/apt/keyrings/caddy-stable-archive-keyring.key] https://dl.cloudsmith.io/public/caddy/stable/deb/debian any-version main
filename: caddy-stable
state: present
register: add_caddy_apt_repository
tags:
- packages
- caddy
- name: Update apt cache
ansible.builtin.apt: # noqa no-handler
update_cache: true
when: (download_caddy_signing_key.status_code is defined and download_caddy_signing_key.status_code == 200) or add_caddy_apt_repository is changed
tags:
- packages
- caddy
- name: Install Caddy
ansible.builtin.apt:
name: caddy
state: present
install_recommends: false
cache_valid_time: 3600
tags:
- caddy
- packages
- name: Create Caddyfile
ansible.builtin.template:
src: etc/caddy/Caddyfile.j2
dest: /etc/caddy/Caddyfile
mode: "0755"
owner: root
group: root
notify:
- reload caddy
tags: caddy
- name: Create Caddy conf.d directory
ansible.builtin.file:
path: /etc/caddy/conf.d
state: directory
mode: "0755"
owner: root
group: root
tags: caddy
# TODO: the variable is still named nginx_vhosts
- name: Configure Caddy virtual hosts
ansible.builtin.include_tasks: vhosts.yml
when: nginx_vhosts is defined
tags: caddy
# vim: set sw=2 ts=2:

14
roles/caddy/tasks/vhosts.yml Normal file
View File

@@ -0,0 +1,14 @@
---
- name: Configure vhosts
ansible.builtin.template:
src: etc/caddy/conf.d/vhost.j2
dest: /etc/caddy/conf.d/{{ item.domain_name }}
mode: "0644"
owner: root
group: root
loop: "{{ nginx_vhosts }}"
notify:
- reload caddy
tags: caddy
# vim: set ts=2 sw=2:

29
roles/caddy/templates/etc/caddy/Caddyfile.j2 Normal file
View File

@@ -0,0 +1,29 @@
# Global options
{
email {{ caddy_email }}
}
# Common security response headers
(security-headers) {
header {
# disable Google FLoC tracking
Permissions-Policy interest-cohort=()
# enable HSTS
Strict-Transport-Security max-age=31536000
# disable clients from sniffing the media type
X-Content-Type-Options nosniff
# clickjacking protection: refuse to allow rendering this page
# in a frame, iframe, etc.
X-Frame-Options DENY
# keep referrer data off of HTTP connections
Referrer-Policy no-referrer-when-downgrade
}
}
# Import additional caddy config files in /etc/caddy/conf.d/
# Note: these are imported in lexical sort order!
import /etc/caddy/conf.d/*

46
roles/caddy/templates/etc/caddy/conf.d/vhost.j2 Normal file
View File

@@ -0,0 +1,46 @@
{{ ansible_managed | comment }}
{# helper variables and per-site defaults that we can't set in role defaults #}
{% set domain_name = item.domain_name %}
{% set domain_aliases = item.domain_aliases | default("") %}
{# assume optional features are off unless a vhost explicitly sets them #}
{% set has_wordpress = item.has_wordpress | default(false) %}
{% set needs_php = item.needs_php | default(false) %}
{% set has_gitea = item.has_gitea | default(false) %}
{% set static_site = item.static_site | default(false) %}
{# Allow sites to override the document root #}
{% if item.document_root is defined %}
{% set document_root = item.document_root %}
{% else %}
{% set document_root = (caddy_root_prefix, domain_name) | ansible.builtin.path_join %}
{% endif %}
{% if domain_aliases %}
{# domain_aliases is a string, so we split on space #}
{% for domain in domain_aliases | split (' ') %}
{{ domain }} {
redir https://{{domain_name}}{uri}
}
{% endfor %}
{% endif %}
{{ domain_name }} {
{% if has_gitea %}
reverse_proxy :3000
{% elif static_site -%}
root * {{ document_root }}
encode
file_server
{% elif has_wordpress -%}
root * {{ document_root }}
encode
{% if ansible_distribution_major_version is version('12', '==') -%}
php_fastcgi unix//run/php/php8.2-fpm-{{ domain_name }}.sock
{% endif -%}
file_server
{% endif -%}
import security-headers
}

8
roles/common/defaults/main.yml
View File

@@ -1,11 +1,17 @@
--- ---
#file - roles/common/defaults/main.yml #file - roles/common/defaults/main.yml
# add a dummy API key for AbuseIPDB.com (override with real one in host_vars)
abuseipdb_api_key: dummy
fail2ban_maxretry: 6 fail2ban_maxretry: 6
# 1 hour in seconds # 1 hour in seconds
fail2ban_findtime: 3600 fail2ban_findtime: 3600
# 2 weeks in seconds # 2 weeks in seconds
fail2ban_bantime: 1209600 fail2ban_bantime: 1209600
fail2ban_ignoreip: 127.0.0.1/8,172.26.0.0/16,192.168.5.0/24 fail2ban_ignoreip: 127.0.0.0/8
# Disable SSH passwords. Must use SSH keys. This is OK because we add the keys
# before re-configuring the SSH daemon to disable passwords.
ssh_password_authentication: disabled
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

2
roles/common/files/00-persistent-journal.conf
View File

@@ -1,2 +0,0 @@
[Journal]
Storage=persistent

5
roles/common/files/abusech-ipv4.nft Normal file
View File

@@ -0,0 +1,5 @@
#!/usr/sbin/nft -f
define ABUSECH_IPV4 = {
192.168.254.254
}

9996
roles/common/files/abusers-ipv4.xml
View File

File diff suppressed because it is too large Load Diff

16
roles/common/files/abusers-ipv6.xml
View File

@@ -1,16 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:ip">
<option name="family" value="inet6" />
<short>abusers-ipv6</short>
<description>A list of abusive IPv6 addresses.</description>
<entry>2001:41d0:602:238d::</entry>
<entry>2001:41d0:8:9924::1</entry>
<entry>2001:41d0:a:4284::</entry>
<entry>2402:1f00:8001:8bd::</entry>
<entry>240e:f7:4f01:c::3</entry>
<entry>2604:a880:800:10::b5:d001</entry>
<entry>2a00:d680:30:50::67</entry>
<entry>2a03:b0c0:3:d0::d4d:b001</entry>
<entry>2a03:b0c0:3:e0::33c:b001</entry>
<entry>2a03:b0c0:3:f0::1aa:8000</entry>
</ipset>

2
roles/common/files/etc/cron-apt/3-download
View File

@@ -1,2 +0,0 @@
autoclean -y
upgrade -y -o APT::Get::Show-Upgraded=true

5
roles/common/files/etc/cron-apt/config
View File

@@ -1,5 +0,0 @@
# Configuration for cron-apt. For further information about the possible
# configuration settings see the README file.
MAILON="never"
OPTIONS="-o quiet=1 -o Dir::Etc::SourceList=/etc/apt/security.sources.list -o Dir::Etc::SourceParts=\"/dev/null\""

1
roles/common/files/etc/sudoers.d/provisioning
View File

@@ -1 +0,0 @@
provisioning ALL=(ALL) ALL

5
roles/common/files/firehol_level1-ipv4.nft Normal file
View File

@@ -0,0 +1,5 @@
#!/usr/sbin/nft -f
define FIREHOL_LEVEL1_IPV4 = {
192.168.254.254/32
}

1
roles/common/files/ssh-pub-keys/aorth-thinkpad2-ed25519.pub Normal file
View File

@@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHmRO6E0G4Ls3TifVfJ+mQjlfWiBZNJfsSXGhwQ/HA1M aorth@balozi

24
roles/common/files/update-firehol-nftables.service Normal file
View File

@@ -0,0 +1,24 @@
[Unit]
Description=Update FireHOL lists
# Make sure the network is up
After=network-online.target
Wants=network-online.target update-firehol-nftables.timer
[Service]
# https://www.ctrl.blog/entry/systemd-service-hardening.html
# Doesn't need access to /home or /root
ProtectHome=true
# Possibly only works on Ubuntu 18.04+
ProtectKernelTunables=true
ProtectSystem=full
# Newer systemd can use ReadWritePaths to list files, but this works everywhere
ReadWriteDirectories=/etc/nftables
PrivateTmp=true
WorkingDirectory=/var/tmp
SyslogIdentifier=update-firehol-nftables
ExecStart=/usr/bin/flock -x update-firehol-nftables.lck \
/usr/local/bin/update-firehol-nftables.sh
[Install]
WantedBy=multi-user.target

12
roles/common/files/update-firehol-nftables.timer Normal file
View File

@@ -0,0 +1,12 @@
[Unit]
Description=Update FireHOL lists
[Timer]
# Once a day at midnight
OnCalendar=*-*-* 00:00:00
# Add a random delay of 03600 seconds
RandomizedDelaySec=3600
Persistent=true
[Install]
WantedBy=timers.target

32
roles/common/handlers/main.yml
View File

@@ -1,17 +1,27 @@
--- ---
# file: roles/common/handlers/main.yml # ansible.builtin.file: roles/common/handlers/main.yml
- name: reload sshd - name: Reload sshd
systemd: name={{ sshd_service_name }} state=reloaded ansible.builtin.systemd_service:
name: "{{ sshd_service_name }}"
state: reloaded
- name: reload sysctl - name: Reload sysctl
command: sysctl -p /etc/sysctl.conf ansible.builtin.command: sysctl -p /etc/sysctl.conf
- name: restart firewalld - name: Reload systemd
systemd: name=firewalld state=restarted ansible.builtin.systemd_service:
daemon_reload: true
- name: restart fail2ban - name: Restart nftables
systemd: name=fail2ban state=restarted ansible.builtin.systemd_service:
name: nftables
state: restarted
- name: reload systemd # 2021-09-28: note to self to keep fail2ban at the end, as handlers are executed
systemd: daemon_reload=yes # in the order they are defined, not in the order they are listed in the task's
# notify statement and we must restart fail2ban after updating the firewall.
- name: Restart fail2ban
ansible.builtin.systemd_service:
name: fail2ban
state: restarted

19
roles/common/tasks/cron-apt.yml
View File

@@ -1,12 +1,17 @@
--- ---
- name: Remove cron-apt
ansible.builtin.apt:
name: cron-apt
state: absent
cache_valid_time: 3600
- name: Configure cron-apt (config) - name: Remove cron-apt configs
copy: src={{ item.src }} dest={{ item.dest }} mode={{ item.mode }} owner={{ item.owner }} group={{ item.group }} ansible.builtin.file:
path: "{{ item }}"
state: absent
loop: loop:
- { src: 'etc/cron-apt/config', dest: '/etc/cron-apt/config', mode: '0644', owner: 'root', group: 'root' } - /etc/cron-apt/config
- { src: 'etc/cron-apt/3-download', dest: '/etc/cron-apt/action.d/3-download', mode: '0644', owner: 'root', group: 'root' } - /etc/cron-apt/action.d/3-download
- /etc/apt/security.sources.list
- name: Configure cron-apt (security)
template: src=security.sources.list.j2 dest=/etc/apt/security.sources.list mode=0644 owner=root group=root
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

49
roles/common/tasks/fail2ban.yml
View File

@@ -1,20 +1,55 @@
--- ---
- name: Install fail2ban
when: ansible_distribution_version is version('11', '>=')
ansible.builtin.apt:
name:
- fail2ban
- python3-systemd
state: present
cache_valid_time: 3600
- name: Configure fail2ban sshd filter - name: Configure fail2ban sshd filter
template: src=etc/fail2ban/jail.d/sshd.local.j2 dest=/etc/fail2ban/jail.d/sshd.local owner=root mode=0644 ansible.builtin.template:
notify: restart fail2ban src: etc/fail2ban/jail.d/sshd.local.j2
dest: /etc/fail2ban/jail.d/sshd.local
owner: root
mode: "0644"
notify: Restart fail2ban
- name: Configure fail2ban nginx filter
when:
- webserver is defined and webserver == 'nginx'
- extra_fail2ban_filters is defined
- "'nginx' in extra_fail2ban_filters"
ansible.builtin.template:
src: etc/fail2ban/jail.d/nginx.local.j2
dest: /etc/fail2ban/jail.d/nginx.local
owner: root
mode: "0644"
notify: Restart fail2ban
- name: Create fail2ban service override directory - name: Create fail2ban service override directory
file: path=/etc/systemd/system/fail2ban.service.d state=directory owner=root mode=0755 ansible.builtin.file:
path: /etc/systemd/system/fail2ban.service.d
state: directory
owner: root
mode: "0755"
# See Arch Linux's example: https://wiki.archlinux.org/index.php/Fail2ban # See Arch Linux's example: https://wiki.archlinux.org/index.php/Fail2ban
- name: Configure fail2ban service override - name: Configure fail2ban service override
template: src=etc/systemd/system/fail2ban.service.d/override.conf.j2 dest=/etc/systemd/system/fail2ban.service.d/override.conf owner=root mode=0644 ansible.builtin.template:
src: etc/systemd/system/fail2ban.service.d/override.conf.j2
dest: /etc/systemd/system/fail2ban.service.d/override.conf
owner: root
mode: "0644"
notify: notify:
- reload systemd - Reload systemd
- restart fail2ban - Restart fail2ban
- name: Start and enable fail2ban service - name: Start and enable fail2ban service
systemd: name=fail2ban state=started enabled=yes ansible.builtin.systemd_service:
name: fail2ban
state: started
enabled: true
# vim: set sw=2 ts=2: # vim: set sw=2 ts=2:

25
roles/common/tasks/firewall.yml Normal file
View File

@@ -0,0 +1,25 @@
---
# Debian 11+ will use nftables directly, with no firewalld.
- name: Install Debian firewall packages
when: ansible_distribution_version is version('11', '>=')
ansible.builtin.apt:
name: nftables
state: present
cache_valid_time: 3600
- name: Remove iptables on newer Debian
when: ansible_distribution_version is version('11', '>=')
ansible.builtin.apt:
pkg: iptables
state: absent
- name: Configure nftables
when: ansible_distribution_version is version('11', '>=')
ansible.builtin.include_tasks: nftables.yml
- name: Configure fail2ban
when: ansible_distribution_version is version('9', '>=')
ansible.builtin.include_tasks: fail2ban.yml
# vim: set sw=2 ts=2:

60
roles/common/tasks/firewall_Debian.yml
View File

@@ -1,60 +0,0 @@
---
- block:
- name: Set Debian firewall packages
set_fact:
debian_firewall_packages:
- firewalld
- tidy
- fail2ban
- python3-systemd # for fail2ban systemd backend
- name: Install firewalld and deps
when: ansible_distribution_major_version is version('9', '>=')
apt: pkg={{ debian_firewall_packages }} state=present
- name: Use iptables backend in firewalld
when: ansible_distribution_major_version is version('10', '>=')
lineinfile:
dest: /etc/firewalld/firewalld.conf
regexp: '^FirewallBackend=nftables$'
line: 'FirewallBackend=iptables'
notify:
- restart firewalld
# firewalld seems to have an issue with iptables 1.8.2 when using the nftables
# backend. Using individual calls seems to work around it.
# See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931722
- name: Use individual iptables calls
when: ansible_distribution_major_version is version('10', '>=')
lineinfile:
dest: /etc/firewalld/firewalld.conf
regexp: '^IndividualCalls=no$'
line: 'IndividualCalls=yes'
notify:
- restart firewalld
- name: Copy firewalld public zone file
when: ansible_distribution_major_version is version('9', '>=')
template: src=public.xml.j2 dest=/etc/firewalld/zones/public.xml owner=root mode=0600
- name: Format public.xml firewalld zone file
when: ansible_distribution_major_version is version('9', '>=')
command: tidy -xml -iq -m -w 0 /etc/firewalld/zones/public.xml
notify:
- restart firewalld
- name: Copy ipsets of abusive IPs
when: ansible_distribution_major_version is version('9', '>=')
copy: src={{ item }} dest=/etc/firewalld/ipsets/{{ item }} owner=root group=root mode=0600
loop:
- abusers-ipv4.xml
- abusers-ipv6.xml
notify:
- restart firewalld
- include_tasks: fail2ban.yml
when: ansible_distribution_major_version is version('9', '>=')
tags: firewall
# vim: set sw=2 ts=2:

64
roles/common/tasks/firewall_Ubuntu.yml
View File

@@ -1,64 +0,0 @@
---
- block:
- name: Set Ubuntu firewall packages
set_fact:
ubuntu_firewall_packages:
- firewalld
- tidy
- fail2ban
- python3-systemd # for fail2ban systemd backend
- name: Install firewalld and deps
when: ansible_distribution_version is version('16.04', '>=')
apt: pkg={{ ubuntu_firewall_packages }} state=present
- name: Remove ufw
when: ansible_distribution_version is version('16.04', '>=')
apt: pkg=ufw state=absent
# I'm not sure why, but you can use firewalld with the nftables backend even
# if nftables itself is not installed. In that case the only way to see the
# currently active rules is with firewall-cmd. I prefer installing nftables
# so that we can have somewhat of a parallel with iptables:
#
# nft list ruleset
#
# See: https://firewalld.org/2018/07/nftables-backend
- name: Install nftables
when: ansible_distribution_version is version('20.04', '==')
apt: pkg=nftables state=present
- name: Use nftables backend in firewalld
when: ansible_distribution_version is version('20.04', '==')
lineinfile:
dest: /etc/firewalld/firewalld.conf
regexp: '^FirewallBackend=iptables$'
line: 'FirewallBackend=nftables'
notify:
- restart firewalld
- name: Copy firewalld public zone file
when: ansible_distribution_version is version('16.04', '>=')
template: src=public.xml.j2 dest=/etc/firewalld/zones/public.xml owner=root mode=0600
- name: Format public.xml firewalld zone file
when: ansible_distribution_version is version('16.04', '>=')
command: tidy -xml -iq -m -w 0 /etc/firewalld/zones/public.xml
notify:
- restart firewalld
- name: Copy ipsets of abusive IPs
when: ansible_distribution_version is version('16.04', '>=')
copy: src={{ item }} dest=/etc/firewalld/ipsets/{{ item }} owner=root group=root mode=0600
loop:
- abusers-ipv4.xml
- abusers-ipv6.xml
notify:
- restart firewalld
- include_tasks: fail2ban.yml
when: ansible_distribution_version is version('16.04', '>=')
tags: firewall
# vim: set sw=2 ts=2:

44
roles/common/tasks/main.yml
View File

@@ -1,54 +1,48 @@
--- ---
- name: Import OS-specific variables - name: Import OS-specific variables
include_vars: "vars/{{ ansible_distribution }}.yml" ansible.builtin.include_vars: vars/{{ ansible_distribution }}.yml
tags: always tags: always
- name: Configure network time - name: Configure network time
import_tasks: ntp.yml ansible.builtin.import_tasks: ntp.yml
tags: ntp tags: ntp
- name: Install common packages - name: Install common packages
include_tasks: packages_Debian.yml ansible.builtin.include_tasks: packages.yml
when: ansible_distribution == 'Debian'
tags: packages
- name: Install common packages
include_tasks: packages_Ubuntu.yml
when: ansible_distribution == 'Ubuntu'
tags: packages tags: packages
- name: Configure firewall - name: Configure firewall
include_tasks: firewall_Debian.yml ansible.builtin.import_tasks: firewall.yml
when: ansible_distribution == 'Debian'
tags: firewall
- name: Configure firewall
include_tasks: firewall_Ubuntu.yml
when: ansible_distribution == 'Ubuntu'
tags: firewall tags: firewall
- name: Configure secure shell daemon - name: Configure secure shell daemon
import_tasks: sshd.yml ansible.builtin.import_tasks: sshd.yml
tags: sshd tags: sshd
# containers identify as virtualization hosts, which makes this tricky, because we have actual Debian VM hosts! # containers identify as virtualization hosts, which makes this tricky, because we have actual Debian VM hosts!
- name: Reconfigure /etc/sysctl.conf - name: Reconfigure /etc/sysctl.conf
when: ansible_virtualization_role != 'host' when: ansible_virtualization_role != 'host'
template: src=sysctl_{{ ansible_distribution }}.j2 dest=/etc/sysctl.conf owner=root group=root mode=0644 ansible.builtin.template:
src: "sysctl_{{ ansible_distribution }}.j2"
dest: /etc/sysctl.conf
owner: root
group: root
mode: "0644"
notify: notify:
- reload sysctl - Reload sysctl
tags: sysctl tags: sysctl
- name: Reconfigure /etc/rc.local
when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('19.04', '<=')
template: src=rc.local_Ubuntu.j2 dest=/etc/rc.local owner=root group=root mode=0755
- name: Set I/O scheduler - name: Set I/O scheduler
template: src=etc/udev/rules.d/60-scheduler.rules.j2 dest=/etc/udev/rules.d/60-scheduler.rules owner=root group=root mode=0644 ansible.builtin.template:
src: etc/udev/rules.d/60-scheduler.rules.j2
dest: /etc/udev/rules.d/60-scheduler.rules
owner: root
group: root
mode: "0644"
tags: udev tags: udev
- name: Copy admin SSH keys - name: Copy admin SSH keys
import_tasks: ssh-keys.yml ansible.builtin.import_tasks: ssh-keys.yml
tags: ssh-keys tags: ssh-keys
# vim: set sw=2 ts=2: # vim: set sw=2 ts=2:

96
roles/common/tasks/nftables.yml Normal file
View File

@@ -0,0 +1,96 @@
---
# Common nftables tasks for Debian 11 and Debian 12.
- name: Copy nftables.conf
ansible.builtin.template:
src: nftables.conf.j2
dest: /etc/nftables.conf
owner: root
mode: "0644"
notify:
- Restart nftables
- Restart fail2ban
- name: Create /etc/nftables extra config directory
ansible.builtin.file:
path: /etc/nftables
state: directory
owner: root
mode: "0755"
- name: Copy extra nftables configuration files
ansible.builtin.copy:
src: "{{ item.src }}"
dest: /etc/nftables/{{ item.src }}
owner: root
group: root
mode: "0644"
force: "{{ item.force }}"
loop:
- { src: firehol_level1-ipv4.nft, force: false }
notify:
- Restart nftables
- Restart fail2ban
- name: Copy nftables update scripts
ansible.builtin.template:
src: update-firehol-nftables.sh.j2
dest: /usr/local/bin/update-firehol-nftables.sh
mode: "0755"
owner: root
group: root
- name: Remove deprecated data and scripts
ansible.builtin.file:
path: "{{ item }}"
state: absent
loop:
- /etc/nftables/spamhaus-ipv4.nft
- /etc/nftables/spamhaus-ipv6.nft
- /etc/nftables/abuseipdb-ipv4.nft
- /etc/nftables/abuseipdb-ipv6.nft
- /etc/nftables/abusech-ipv4.nft
- /usr/local/bin/update-abusech-nftables.sh
- /usr/local/bin/update-spamhaus-nftables.sh
- /etc/systemd/system/update-abusech-nftables.service
- /etc/systemd/system/update-abusech-nftables.timer
- /etc/systemd/system/update-spamhaus-nftables.service
- /etc/systemd/system/update-spamhaus-nftables.timer
- /usr/local/bin/aggregate-cidr-addresses.pl
notify:
- Restart nftables
- Restart fail2ban
- name: Copy nftables systemd units
ansible.builtin.copy:
src: "{{ item }}"
dest: /etc/systemd/system/{{ item }}
mode: "0644"
owner: root
group: root
loop:
- update-firehol-nftables.service
- update-firehol-nftables.timer
register: nftables_systemd_units
# need to reload to pick up service/timer/environment changes
- name: Reload systemd daemon
when: nftables_systemd_units is changed
ansible.builtin.systemd_service: # noqa no-handler
daemon_reload: true
- name: Start and enable nftables update timers
ansible.builtin.systemd_service:
name: "{{ item }}"
state: started
enabled: true
loop:
- update-firehol-nftables.timer
- name: Start and enable nftables
ansible.builtin.systemd_service:
name: nftables
state: started
enabled: true
# vim: set sw=2 ts=2:

38
roles/common/tasks/ntp.yml
View File

@@ -1,18 +1,40 @@
--- ---
# Hosts running Ubuntu 16.04+ and Debian 9+ use systemd init system and should # Hosts running Debian 9+ use systemd init system and can use systemd-timesyncd
# use timedatectl as a network time client instead of the standalone ntp client. # as a network time client instead of the standalone ntp client.
- name: Set timezone - name: Set timezone
when: timezone is defined and ansible_service_mgr == 'systemd' when:
command: /usr/bin/timedatectl set-timezone {{ timezone }} - timezone is defined
- ansible_service_mgr == 'systemd'
community.general.timezone:
name: "{{ timezone }}"
tags: timezone tags: timezone
# Apparently some cloud images don't have this installed by default. From what
# I can see on existing servers, systemd-timesyncd is a standalone package on
# Debian 11 and Debian 12.
- name: Install systemd-timesyncd
when: ansible_distribution_version is version('11', '>=')
ansible.builtin.apt:
name: systemd-timesyncd
state: present
cache_valid_time: 3600
- name: Start and enable systemd's NTP client - name: Start and enable systemd's NTP client
when: ansible_service_mgr == 'systemd' when: ansible_service_mgr == 'systemd'
systemd: name=systemd-timesyncd state=started enabled=yes ansible.builtin.systemd_service:
name: systemd-timesyncd
state: started
enabled: true
- name: Uninstall ntp on modern Ubuntu/Debian # On Debian 12 ntp doesn't conflict with systemd-timesyncd so we should try to
apt: name=ntp state=absent update_cache=yes # remove it to be sure.
when: ansible_service_mgr == 'systemd' - name: Uninstall ntp on Debian 12
when:
- ansible_service_mgr == 'systemd'
- ansible_distribution_major_version is version('12', '==')
ansible.builtin.apt:
name: ntp
state: absent
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

57
roles/common/tasks/packages.yml Normal file
View File

@@ -0,0 +1,57 @@
---
- name: Configure Debian packages
tags: packages
block:
# Scaleway seems to use a weird sources.list format as of Debian 12?
- name: Check for weird Debian sources
ansible.builtin.stat:
path: /etc/apt/sources.list.d/debian.sources
register: weird_debian_sources_stat
- name: Configure apt mirror
when:
- ansible_architecture != 'armv7l'
- not weird_debian_sources_stat
ansible.builtin.template:
src: sources.list.j2
dest: /etc/apt/sources.list
owner: root
group: root
mode: "0644"
- name: Set fact for base packages
ansible.builtin.set_fact:
base_packages:
- git
- git-lfs
- tmux
- iotop
- htop
- strace
- safe-rm
- debian-goodies
- mosh
- python3-pycurl # for ansible's apt_repository
- vim
- unzip
- apt-transport-https # for https support in apt
- gnupg2
- zstd
- rsync
- lsof
- unattended-upgrades
- name: Install base packages
ansible.builtin.apt:
name: "{{ base_packages }}"
state: present
cache_valid_time: 3600
- name: Remove cron-apt
tags: cron-apt
ansible.builtin.import_tasks: cron-apt.yml
- name: Install tarsnap
ansible.builtin.import_tasks: tarsnap.yml
# vim: set sw=2 ts=2:

37
roles/common/tasks/packages_Debian.yml
View File

@@ -1,37 +0,0 @@
---
- block:
- name: Configure apt mirror
template: src=sources.list.j2 dest=/etc/apt/sources.list owner=root group=root mode=0644
- name: Set fact for base packages
set_fact:
base_packages:
- git
- tmux
- iotop
- htop
- strace
- cron-apt
- safe-rm
- debian-goodies
- mosh
- python3-pycurl # for ansible's apt_repository
- vim
- unzip
- apt-transport-https # for https support in apt
- gnupg2
- zstd
- name: Install base packages
apt: name={{ base_packages }} state=present update_cache=yes cache_valid_time=3600
- name: Configure cron-apt
import_tasks: cron-apt.yml
tags: cron-apt
- name: Install tarsnap
import_tasks: tarsnap.yml
tags: packages
# vim: set sw=2 ts=2:

105
roles/common/tasks/packages_Ubuntu.yml
View File

@@ -1,105 +0,0 @@
---
- block:
- name: Configure apt mirror
template: src=sources.list.j2 dest=/etc/apt/sources.list owner=root group=root mode=0644
when: ansible_architecture != 'armv7l'
- name: Upgrade base OS
apt: upgrade=dist update_cache=yes cache_valid_time=3600
- name: Set Ubuntu base packages
set_fact:
ubuntu_base_packages:
- git
- tmux
- iotop
- htop
- strace
- cron-apt
- safe-rm
- debian-goodies
- mosh
- python-pycurl # for ansible's apt_repository
- vim
- unzip
- apt-transport-https # for https support in apt
- zstd
- name: Install base packages
apt: pkg={{ ubuntu_base_packages }} state=present update_cache=yes cache_valid_time=3600
# We have to remove snaps one by one in a specific order because some depend
# on others. Only after that can we remove the corresponding system packages.
- name: Remove lxd snap
snap: name=lxd state=absent
when: ansible_distribution_version is version('20.04', '==')
ignore_errors: yes
- name: Remove core18 snap
snap: name=core18 state=absent
when: ansible_distribution_version is version('20.04', '==')
ignore_errors: yes
- name: Remove snapd snap
snap: name=snapd state=absent
when: ansible_distribution_version is version('20.04', '==')
ignore_errors: yes
- name: Set fact for packages to remove (Ubuntu <= 18.04)
set_fact:
ubuntu_annoying_packages:
- whoopsie # security (CIS 4.1)
- apport # security (CIS 4.1)
- command-not-found # annoying
- command-not-found-data # annoying
- python3-commandnotfound # annoying
- snapd # annoying (Ubuntu >= 16.04)
- lxd # annoying (Ubuntu >= 16.04)
- lxd-client # annoying (Ubuntu >= 16.04)
- liblxc1 # annoying (Ubuntu >= 16.04)
- lxc-common # annoying (Ubuntu >= 16.04)
- lxcfs #annoying (Ubuntu >= 16.04)
when: ansible_distribution_version is version('18.04', '<=')
- name: Set fact for packages to remove (Ubuntu 20.04)
set_fact:
ubuntu_annoying_packages:
- whoopsie # security (CIS 4.1)
- apport # security (CIS 4.1)
- command-not-found # annoying
- command-not-found-data # annoying
- python3-commandnotfound # annoying
- snapd # annoying (Ubuntu >= 16.04)
- lxd-agent-loader # annoying (Ubuntu 20.04)
when: ansible_distribution_version is version('20.04', '==')
- name: Remove packages
apt: name={{ ubuntu_annoying_packages }} state=absent purge=yes
- name: Disable annoying Canonical spam in MOTD
file: path={{ item }} mode=0644 state=absent
loop:
- /etc/update-motd.d/99-esm # Ubuntu 14.04
- /etc/update-motd.d/10-help-text # Ubuntu 14.04+
- /etc/update-motd.d/50-motd-news # Ubuntu 18.04+
- /etc/update-motd.d/80-esm # Ubuntu 18.04+
- /etc/update-motd.d/80-livepatch # Ubuntu 18.04+
ignore_errors: yes
- name: Disable annoying Canonical spam in MOTD
systemd: name={{ item }} state=stopped enabled=no
when: ansible_service_mgr == 'systemd'
loop:
- motd-news.service
- motd-news.timer
- name: Configure cron-apt
import_tasks: cron-apt.yml
tags: cron-apt
- name: Install tarsnap
import_tasks: tarsnap.yml
tags: packages
# vim: set sw=2 ts=2:

6
roles/common/tasks/ssh-keys.yml
View File

@@ -1,9 +1,11 @@
--- ---
- name: Zero .ssh/authorized_keys for provisioning user - name: Zero .ssh/authorized_keys for provisioning user
file: dest={{ provisioning_user.home }}/.ssh/authorized_keys state=absent ansible.builtin.file:
dest: "{{ provisioning_user.home }}/.ssh/authorized_keys"
state: absent
- name: Add public keys to authorized_keys - name: Add public keys to authorized_keys
authorized_key: { user: '{{ provisioning_user.name }}', key: "{{ lookup('file',item) }}" } ansible.posix.authorized_key: { user: "{{ provisioning_user.name }}", key: "{{ lookup('file', item) }}" }
with_fileglob: with_fileglob:
# use descriptive names for keys, like: aorth-mzito-rsa.pub # use descriptive names for keys, like: aorth-mzito-rsa.pub
- ssh-pub-keys/*.pub - ssh-pub-keys/*.pub

63
roles/common/tasks/sshd.yml
View File

@@ -1,25 +1,62 @@
--- ---
# Only override the system sshd configuration on older Debian.
# SSH configs don't change in Debian minor versions
- name: Reconfigure /etc/ssh/sshd_config - name: Reconfigure /etc/ssh/sshd_config
template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0600 when: ansible_distribution_version is version('12', '<=')
when: ansible_distribution == 'Debian' ansible.builtin.template:
notify: reload sshd src: "sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.j2"
dest: /etc/ssh/sshd_config
owner: root
group: root
mode: "0600"
notify: Reload sshd
# Ubuntu is the only distro we have where SSH version is very different from 14.04 -> 14.10, # Newer OpenSSH versions support including extra configuration. The includes
# ie with new ciphers supported etc. # happen at the beginning of the file and the first value to be read is used.
- name: Reconfigure /etc/ssh/sshd_config - name: Configure sshd_config.d overrides
template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0600 when: ansible_distribution_version is version('13', '>=')
when: ansible_distribution == 'Ubuntu' ansible.builtin.template:
notify: reload sshd src: etc/ssh/sshd_config.d/01-{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.conf.j2
dest: /etc/ssh/sshd_config.d/01-custom.conf
owner: root
group: root
mode: "0600"
notify: Reload sshd
# See: WeakDH (2015): https://weakdh.org/sysadmin.html
- name: Remove small Diffie-Hellman SSH moduli
block:
- name: Check unsafe Diffie-Hellman SSH moduli
ansible.builtin.shell:
cmd: awk '$5 < 3071' moduli
chdir: /etc/ssh
creates: moduli.safe
register: check_unsafe_moduli
- name: Extract safe Diffie-Hellman SSH moduli
when: check_unsafe_moduli.stdout | length > 0
ansible.builtin.shell:
cmd: awk '$5 >= 3071' moduli > moduli.safe
chdir: /etc/ssh
creates: moduli.safe
register: extract_safe_moduli
- name: Replace unsafe Diffie-Hellman SSH moduli
when: extract_safe_moduli is changed
ansible.builtin.command:
cmd: mv moduli.safe moduli
chdir: /etc/ssh
register: replace_small_moduli
notify: Reload sshd
- name: Remove DSA and ECDSA host keys - name: Remove DSA and ECDSA host keys
file: name=/etc/ssh/{{ item }} state=absent ansible.builtin.file:
name: "/etc/ssh/{{ item }}"
state: absent
loop: loop:
- ssh_host_dsa_key - ssh_host_dsa_key
- ssh_host_dsa_key.pub - ssh_host_dsa_key.pub
- ssh_host_ecdsa_key - ssh_host_ecdsa_key
- ssh_host_ecdsa_key.pub - ssh_host_ecdsa_key.pub
notify: reload sshd notify: Reload sshd
# vim: set sw=2 ts=2: # vim: set sw=2 ts=2:

49
roles/common/tasks/tarsnap.yml
View File

@@ -1,24 +1,45 @@
--- ---
- name: Add Tarsnap apt mirror - name: Check tarsnap apt signing key
template: src=tarsnap_sources.list.j2 dest=/etc/apt/sources.list.d/tarsnap.list owner=root group=root mode=0644 ansible.builtin.stat:
register: add_tarsnap_apt_repository path: /etc/apt/keyrings/tarsnap-deb-packaging-key.asc
when: ansible_architecture != 'armv7l' register: tarsnap_signing_key_stat
- name: Add GPG key for Tarsnap - name: Download tarsnap apt signing key
apt_key: id=0xFC72A10BF6B692AA url=https://pkg.tarsnap.com/tarsnap-deb-packaging-key.asc state=present when: not tarsnap_signing_key_stat.stat.exists
register: add_tarsnap_apt_key ansible.builtin.get_url:
url: https://pkg.tarsnap.com/tarsnap-deb-packaging-key.asc
dest: /etc/apt/keyrings/tarsnap-deb-packaging-key.asc
owner: root
group: root
mode: "0644"
register: download_tarsnap_signing_key
- name: Add tarsnap.org repo
when: ansible_architecture != 'armv7l'
ansible.builtin.template:
src: tarsnap_sources.list.j2
dest: /etc/apt/sources.list.d/tarsnap.list
owner: root
group: root
mode: "0644"
register: add_tarsnap_apt_repository
- name: Update apt cache - name: Update apt cache
apt: when: (download_tarsnap_signing_key.status_code is defined and download_tarsnap_signing_key.status_code == 200) or add_tarsnap_apt_repository is changed
update_cache: yes ansible.builtin.apt: # noqa no-handler
when: update_cache: true
add_tarsnap_apt_key is changed or
add_tarsnap_apt_repository is changed
- name: Install tarsnap - name: Install tarsnap
apt: pkg=tarsnap cache_valid_time=3600 ansible.builtin.apt:
pkg: tarsnap
cache_valid_time: 3600
- name: Copy tarsnaprc - name: Copy tarsnaprc
copy: src=tarsnaprc dest=/root/.tarsnaprc owner=root group=root mode=0600 ansible.builtin.copy:
src: tarsnaprc
dest: /root/.tarsnaprc
owner: root
group: root
mode: "0600"
# vim: set sw=2 ts=2: # vim: set sw=2 ts=2:

13
roles/common/templates/etc/fail2ban/jail.d/nginx.local.j2 Normal file
View File

@@ -0,0 +1,13 @@
[nginx]
enabled = true
# See: /etc/fail2ban/filter.d/nginx-botsearch.conf
filter = nginx-botsearch
# Integrate with nftables
banaction=nftables[type=allports]
backend = pyinotify
logpath = /var/log/nginx/*-access.log
# Try to find a non-existent wp-login.php once and get banned. Tough luck.
maxretry = 1
findtime = {{ fail2ban_findtime }}
bantime = {{ fail2ban_bantime }}
ignoreip = {{ fail2ban_ignoreip }}

4
roles/common/templates/etc/fail2ban/jail.d/sshd.local.j2
View File

@@ -2,8 +2,8 @@
enabled = true enabled = true
# See: /etc/fail2ban/filter.d/sshd.conf # See: /etc/fail2ban/filter.d/sshd.conf
filter = sshd filter = sshd
# Integrate with firewalld and ipsets # Integrate with nftables
banaction = firewallcmd-ipset banaction=nftables[type=allports]
backend = systemd backend = systemd
maxretry = {{ fail2ban_maxretry }} maxretry = {{ fail2ban_maxretry }}
findtime = {{ fail2ban_findtime }} findtime = {{ fail2ban_findtime }}

40
roles/common/templates/etc/ssh/sshd_config.d/01-Debian-13.conf.j2 Normal file
View File

@@ -0,0 +1,40 @@
{{ ansible_managed | comment }}
HostKey /etc/ssh/ssh_host_ed25519_key
# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear
# audit track of which key was using to log in.
LogLevel VERBOSE
MaxAuthTries 4
AuthorizedKeysFile .ssh/authorized_keys
# To disable tunneled clear text passwords, change to no here!
{% if ssh_password_authentication == 'disabled' %}
PasswordAuthentication no
{% else %}
PasswordAuthentication yes
{% endif %}
X11Forwarding no
# Based on the ssh-audit profile for Debian 13, but with but with all algos with
# less than 256 bits removed, as NSA's Suite B removed them years ago and the
# new (2018) CNSA suite is 256 bits and up.
#
# See: ssh-audit.py -P "Hardened Debian 13 (version 1)"
# See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms mlkem768x25519-sha256,sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com
{% if ssh_allowed_users is defined and ssh_allowed_users %}
AllowUsers {{ ssh_allowed_users|join(" ") }} {{ provisioning_user.name }}
{% endif %}
PerSourcePenaltyExemptList {{ fail2ban_ignoreip | replace(" ", ",") }}
# Mask to use for IPv4 and IPv6 respectively when applying network penalties.
# The default is 32:128.
PerSourceNetBlockSize 24:56

8
roles/common/templates/etc/systemd/system/fail2ban.service.d/override.conf.j2
View File

@@ -1,15 +1,19 @@
[Unit]
# If nftables is stopped or restarted, propagate to fail2ban as well
PartOf=nftables.service
[Service] [Service]
PrivateDevices=yes PrivateDevices=yes
PrivateTmp=yes PrivateTmp=yes
ProtectHome=read-only ProtectHome=read-only
{% if ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=') %} {% if ansible_distribution_version is version('11','>=') %}
ProtectSystem=strict ProtectSystem=strict
{% else %} {% else %}
{# Older systemd versions don't have ProtectSystem=strict #} {# Older systemd versions don't have ProtectSystem=strict #}
ProtectSystem=full ProtectSystem=full
{% endif %} {% endif %}
NoNewPrivileges=yes NoNewPrivileges=yes
{% if ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=') %} {% if ansible_distribution_version is version('11','>=') %}
ReadWritePaths=-/var/run/fail2ban ReadWritePaths=-/var/run/fail2ban
ReadWritePaths=-/var/lib/fail2ban ReadWritePaths=-/var/lib/fail2ban
ReadWritePaths=-/var/log/fail2ban.log ReadWritePaths=-/var/log/fail2ban.log

75
roles/common/templates/nftables.conf.j2 Executable file
View File

@@ -0,0 +1,75 @@
#!/usr/sbin/nft -f
#
# Initially based on: https://wiki.nftables.org/wiki-nftables/index.php/Simple_ruleset_for_a_server
#
flush ruleset
# List updated daily by update-firehol-nftables.sh
include "/etc/nftables/firehol_level1-ipv4.nft"
# Notes:
# - tables hold chains, chains hold rules
# - inet is for both ipv4 and ipv6
table inet filter {
set firehol_level1-ipv4 {
type ipv4_addr
# if the set contains prefixes we need to use the interval flag
flags interval
elements = $FIREHOL_LEVEL1_IPV4
}
chain input {
type filter hook input priority 0;
ct state {established, related} accept comment "Allow traffic from established and related packets"
ct state invalid counter drop comment "Early drop of invalid connections"
ip saddr @firehol_level1-ipv4 counter drop comment "Early drop of incoming packets matching firehol_level1-ipv4 list"
iifname lo accept comment "Allow from loopback"
ip protocol icmp limit rate 4/second accept comment "Allow ICMP"
ip6 nexthdr ipv6-icmp limit rate 4/second accept comment "Allow IPv6 ICMP"
ip protocol igmp limit rate 4/second accept comment "Allow IGMP"
{# SSH rules #}
ip saddr 0.0.0.0/0 ct state new tcp dport 22 counter accept comment "Allow SSH"
ip6 saddr ::/0 ct state new tcp dport 22 counter accept comment "Allow SSH"
{# Web rules #}
{% if 'web' in group_names %}
ip saddr 0.0.0.0/0 ct state new tcp dport 80 counter accept comment "Allow HTTP"
ip saddr 0.0.0.0/0 ct state new tcp dport 443 counter accept comment "Allow HTTPS"
ip6 saddr ::/0 ct state new tcp dport 80 counter accept comment "Allow HTTP"
ip6 saddr ::/0 ct state new tcp dport 443 counter accept comment "Allow HTTPS"
{% endif %}
ip saddr 0.0.0.0/0 ct state new udp dport 60001-60003 counter accept comment "Allow mosh"
ip6 saddr ::/0 ct state new udp dport 60001-60003 counter accept comment "Allow mosh"
{# Extra rules #}
{% if extra_iptables_rules is defined %}
{% for rule in extra_iptables_rules %}
ip saddr {{ ghetto_ipsets[rule.acl].src }} ct state new {{ rule.protocol }} dport {{ rule.port }} counter accept
{% if ghetto_ipsets[rule.acl].ipv6src is defined %}
ip6 saddr {{ ghetto_ipsets[rule.acl].ipv6src }} ct state new {{ rule.protocol }} dport {{ rule.port }} counter accept
{% endif %}
{% endfor %}
{% endif %}
# everything else
reject with icmpx type port-unreachable
}
chain forward {
type filter hook forward priority 0;
}
chain output {
type filter hook output priority 0;
ip daddr @firehol_level1-ipv4 counter drop comment "Drop outgoing packets matching firehol_level1-ipv4 list"
}
}

72
roles/common/templates/public.xml.j2
View File

@@ -1,72 +0,0 @@
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<interface name="{{ ansible_default_ipv4.interface }}"/>
{# ssh rules #}
<rule family="ipv4">
<source address="0.0.0.0/0"/>
<port protocol="tcp" port="22"/>
<accept/>
</rule>
{# ipv6 ssh rules #}
<rule family="ipv6">
<source address="::/0"/>
<port protocol="tcp" port="22"/>
<accept/>
</rule>
{# web rules #}
<rule family="ipv4">
<source address="0.0.0.0/0"/>
<port protocol="tcp" port="80"/>
<accept/>
</rule>
{# ipv6 web rules #}
<rule family="ipv6">
<source address="::/0"/>
<port protocol="tcp" port="80"/>
<accept/>
</rule>
{# munin rules #}
{% if munin_master_host is defined %}
<rule family="ipv4">
<source address="{{ ghetto_ipsets[munin_master_host].src }}"/>
<port protocol="tcp" port="{{ munin_node_port }}"/>
<accept/>
</rule>
{% endif %}
{# extra rules #}
{% if extra_iptables_rules is defined %}
{% for rule in extra_iptables_rules %}
<rule family="ipv4">
<source address="{{ ghetto_ipsets[rule.acl].src }}"/>
<port protocol="{{ rule.protocol }}" port="{{ rule.port }}"/>
<accept/>
</rule>
{# ipv6 extra rules #}
{% if ghetto_ipsets[rule.acl].ipv6src is defined %}
<rule family="ipv6">
<source address="{{ ghetto_ipsets[rule.acl].ipv6src }}"/>
<port protocol="{{ rule.protocol }}" port="{{ rule.port }}"/>
<accept/>
</rule>
{% endif %}
{% endfor %}
{% endif %}
<rule>
<source ipset="abusers-ipv4"/>
<drop/>
</rule>
<rule>
<source ipset="abusers-ipv6"/>
<drop/>
</rule>
</zone>

14
roles/common/templates/rc.local_Ubuntu.j2
View File

@@ -1,14 +0,0 @@
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
exit 0

5
roles/common/templates/security.sources.list.j2
View File

@@ -1,5 +0,0 @@
{% if ansible_distribution == 'Ubuntu' %}
deb http://security.ubuntu.com/ubuntu {{ ansible_distribution_release }}-security main restricted universe multiverse
{% elif ansible_distribution == 'Debian' %}
deb http://security.debian.org/debian-security {{ ansible_distribution_release }}/updates main contrib non-free
{% endif %}

12
roles/common/templates/sources.list.j2
View File

@@ -1,16 +1,6 @@
{% if ansible_distribution == 'Ubuntu' %}
{% set apt_mirror = apt_mirror | default("ubuntu.mirror.ac.ke") %}
deb http://{{ apt_mirror }}/ubuntu/ {{ ansible_distribution_release }} main restricted universe multiverse
deb http://{{ apt_mirror }}/ubuntu/ {{ ansible_distribution_release }}-updates main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu/ {{ ansible_distribution_release }}-security main restricted universe multiverse
{% else %}
{% set apt_mirror = apt_mirror | default('deb.debian.org') %} {% set apt_mirror = apt_mirror | default('deb.debian.org') %}
deb http://{{ apt_mirror }}/debian/ {{ ansible_distribution_release }} main contrib non-free deb http://{{ apt_mirror }}/debian/ {{ ansible_distribution_release }} main contrib non-free
deb http://security.debian.org/debian-security {{ ansible_distribution_release }}/updates main contrib non-free deb http://security.debian.org/debian-security {{ ansible_distribution_release }}-security main contrib non-free
deb http://{{ apt_mirror }}/debian/ {{ ansible_distribution_release }}-updates main contrib non-free deb http://{{ apt_mirror }}/debian/ {{ ansible_distribution_release }}-updates main contrib non-free
{% endif %} {# ansible_distribution #}

20
roles/common/templates/sshd_config_Ubuntu-20.04.j2 → roles/common/templates/sshd_config_Debian-11.j2
View File

@@ -56,7 +56,11 @@ AuthorizedKeysFile .ssh/authorized_keys
#IgnoreRhosts yes #IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here! # To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes {% if ssh_password_authentication == 'disabled' %}
PasswordAuthentication no
{% else %}
PasswordAuthentication yes
{% endif %}
#PermitEmptyPasswords no #PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with # Change to yes to enable challenge-response passwords (beware issues with
@@ -122,14 +126,16 @@ Subsystem sftp /usr/lib/openssh/sftp-server
# AllowTcpForwarding no # AllowTcpForwarding no
# PermitTTY no # PermitTTY no
# ForceCommand cvs server # ForceCommand cvs server
PasswordAuthentication yes
# Originally from: https://stribika.github.io/2015/01/04/secure-secure-shell.html # Based on the ssh-audit profile for OpenSSH 8.4, but with but with all algos
# ... but with ciphers and MACs with < 256 bits removed, as NSA's Suite B now # with less than 256 bits removed, as NSA's Suite B removed them years ago and
# does away with these! See: https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml # the new (2018) CNSA suite is 256 bits and up.
#
# See: https://github.com/jtesta/ssh-audit/blob/master/src/ssh_audit/policy.py
# See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256 MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
{% if ssh_allowed_users is defined and ssh_allowed_users %} {% if ssh_allowed_users is defined and ssh_allowed_users %}
# Is there a list of allowed users? # Is there a list of allowed users?

47
roles/common/templates/sshd_config_Ubuntu-18.04.j2 → roles/common/templates/sshd_config_Debian-12.j2
View File

@@ -1,21 +1,23 @@
# $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $
# This is the sshd server system-wide configuration file. See # This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information. # sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin # This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/bin:/usr/games
# The strategy used for options in the default sshd_config shipped with # The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where # OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the # possible, but leave them commented. Uncommented options override the
# default value. # default value.
Include /etc/ssh/sshd_config.d/*.conf
#Port 22 #Port 22
#AddressFamily any #AddressFamily any
#ListenAddress 0.0.0.0 #ListenAddress 0.0.0.0
#ListenAddress :: #ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying # Ciphers and keying
@@ -54,12 +56,16 @@ AuthorizedKeysFile .ssh/authorized_keys
#IgnoreRhosts yes #IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here! # To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes {% if ssh_password_authentication == 'disabled' %}
PasswordAuthentication no
{% else %}
PasswordAuthentication yes
{% endif %}
#PermitEmptyPasswords no #PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with # Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads) # some PAM modules and threads)
ChallengeResponseAuthentication no KbdInteractiveAuthentication no
# Kerberos options # Kerberos options
#KerberosAuthentication no #KerberosAuthentication no
@@ -75,13 +81,13 @@ ChallengeResponseAuthentication no
# Set this to 'yes' to enable PAM authentication, account processing, # Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will # and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and # be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication. Depending on your PAM configuration, # PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass # PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin without-password". # the setting of "PermitRootLogin prohibit-password".
# If you just want the PAM account and session checks to run without # If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication # PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'. # and KbdInteractiveAuthentication to 'no'.
UsePAM yes UsePAM yes
#AllowAgentForwarding yes #AllowAgentForwarding yes
@@ -94,13 +100,12 @@ X11Forwarding no
PrintMotd no PrintMotd no
#PrintLastLog yes #PrintLastLog yes
#TCPKeepAlive yes #TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no #PermitUserEnvironment no
#Compression delayed #Compression delayed
#ClientAliveInterval 0 #ClientAliveInterval 0
#ClientAliveCountMax 3 #ClientAliveCountMax 3
#UseDNS no #UseDNS no
#PidFile /var/run/sshd.pid #PidFile /run/sshd.pid
#MaxStartups 10:30:100 #MaxStartups 10:30:100
#PermitTunnel no #PermitTunnel no
#ChrootDirectory none #ChrootDirectory none
@@ -122,12 +127,20 @@ Subsystem sftp /usr/lib/openssh/sftp-server
# PermitTTY no # PermitTTY no
# ForceCommand cvs server # ForceCommand cvs server
# Originally from: https://stribika.github.io/2015/01/04/secure-secure-shell.html # Based on the ssh-audit profile for OpenSSH 9.2, but with but with all algos
# ... but with ciphers and MACs with < 256 bits removed, as NSA's Suite B now # with less than 256 bits removed, as NSA's Suite B removed them years ago and
# does away with these! See: https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml # the new (2018) CNSA suite is 256 bits and up.
#
# See: https://github.com/jtesta/ssh-audit/blob/master/src/ssh_audit/policy.py
# See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256 MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
# only allow shell access by provisioning user {% if ssh_allowed_users is defined and ssh_allowed_users %}
AllowUsers {{ provisioning_user.name }} # Is there a list of allowed users?
# Is it populated? (An empty list is 'None', which evaluates as False in Python)
# merge the items of a list into one string using a space as a separator
# http://jinja.pocoo.org/docs/dev/templates/#join
AllowUsers {{ ssh_allowed_users|join(" ") }} {{ provisioning_user.name }}
{% endif %}

100
roles/common/templates/sysctl_Ubuntu.j2
View File

@@ -1,100 +0,0 @@
#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additional system variables
# See sysctl.conf (5) for information.
#
#kernel.domainname = example.com
# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3
##############################################################3
# Functions previously found in netbase
#
# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1
# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1
# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1
# Uncomment the next line to enable packet forwarding for IPv6
# Enabling this option disables Stateless Address Autoconfiguration
# based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1
###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#
# CIS Benchmark Adjustments
# See: https://github.com/alanorth/securekickstarts
kernel.randomize_va_space = 2
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_syncookies = 1
# TCP stuff
# See: http://fasterdata.es.net/host-tuning/linux/
# increase TCP max buffer size settable using setsockopt()
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
# increase Linux autotuning TCP buffer limit
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
# increase the length of the processor input queue
net.core.netdev_max_backlog = 30000
# recommended for hosts with jumbo frames enabled
#net.ipv4.tcp_mtu_probing=1
# increase quadruplets (src ip, src port, dest ip, dest port)
# see: http://vincent.bernat.im/en/blog/2014-tcp-time-wait-state-linux.html
net.ipv4.ip_local_port_range = 10240 65535
# recommended for web servers, especially if running SPDY
# see: http://www.chromium.org/spdy/spdy-best-practices
net.ipv4.tcp_slow_start_after_idle = 0

2
roles/common/templates/tarsnap_sources.list.j2
View File

@@ -1 +1 @@
deb [arch=amd64] https://pkg.tarsnap.com/deb/{{ ansible_distribution_release }} ./ deb [arch=amd64 signed-by=/etc/apt/keyrings/tarsnap-deb-packaging-key.asc] https://pkg.tarsnap.com/deb/{{ ansible_distribution_release }} ./

65
roles/common/templates/update-firehol-nftables.sh.j2 Executable file
View File

@@ -0,0 +1,65 @@
#!/usr/bin/env bash
#
# update-firehol-nftables.sh v0.0.1
#
# Download FireHOL lists and load them into nftables sets.
#
# See: https://iplists.firehol.org/
#
# Copyright (C) 2025 Alan Orth
#
# SPDX-License-Identifier: GPL-3.0-only
# Exit on first error
set -o errexit
firehol_level1_ipv4_set_path=/etc/nftables/firehol_level1-ipv4.nft
function download() {
echo "Downloading $1"
wget -q -O - "https://iplists.firehol.org/files/$1" > "$1"
}
download firehol_level1.netset
if [[ -f "firehol_level1.netset" ]]; then
echo "Processing FireHOL Level 1 list"
firehol_level1_ipv4_list_temp=$(mktemp)
firehol_level1_ipv4_set_temp=$(mktemp)
# Filter blank lines, comments, and bogons we use inside the LAN, DMZ, and
# for local services like systemd-resolved and others on localhost. Ideally
# these are blocked already at the WAN side by network administrators.
cat firehol_level1.netset \
| sed \
-e '/^$/d' \
-e '/^#.*/d' \
-e '/^127\.0\.0\.0\/8/d' \
> "$firehol_level1_ipv4_list_temp"
echo "Building firehol_level1-ipv4 set"
cat << NFT_HEAD > "$firehol_level1_ipv4_set_temp"
#!/usr/sbin/nft -f
define FIREHOL_LEVEL1_IPV4 = {
NFT_HEAD
while read -r network; do
# nftables doesn't mind if the last element in the set has a trailing
# comma so we don't need to do anything special here.
echo "$network," >> "$firehol_level1_ipv4_set_temp"
done < $firehol_level1_ipv4_list_temp
echo "}" >> "$firehol_level1_ipv4_set_temp"
install -m 0600 "$firehol_level1_ipv4_set_temp" "$firehol_level1_ipv4_set_path"
rm -f "$firehol_level1_ipv4_list_temp" "$firehol_level1_ipv4_set_temp"
fi
echo "Restarting nftables"
/usr/bin/systemctl restart nftables.service
rm -v firehol_level1.netset

19
roles/mariadb/defaults/main.yml
View File

@@ -1,12 +1,11 @@
--- ---
# file: roles/mariadb/defaults/main.yml # ansible.builtin.file: roles/mariadb/defaults/main.yml
# #
# Based on my running of mysqltuner.pl on a host with three WordPress databases # Based on my running of mysqltuner.pl on a host with three WordPress databases
# and a Piwik instance monitoring three sites.
# #
# default is 128MB but is a waste because it seems only the mysql table uses it # default is 128MB but is a waste because it seems only the mysql table uses it
key_buffer_size: 32M key_buffer_size: 8M
# default is 128MB but is a waste because it seems only information_schema uses # default is 128MB but is a waste because it seems only information_schema uses
# AriaDB, see: https://mariadb.com/kb/en/mariadb/aria-system-variables # AriaDB, see: https://mariadb.com/kb/en/mariadb/aria-system-variables
@@ -15,16 +14,20 @@ aria_pagecache_buffer_size: 8M
# default is 128M, but set to at least the size of your InnoDB data # default is 128M, but set to at least the size of your InnoDB data
innodb_buffer_pool_size: 256M innodb_buffer_pool_size: 256M
# Unless you have a pool size over 1GB, use a single instance
# See: https://mariadb.com/kb/en/mariadb/xtradbinnodb-server-system-variables
innodb_buffer_pool_instances: 1
# Ansible 2.7.x with PyMySQL seems to default to TCP connection so we should # Ansible 2.7.x with PyMySQL seems to default to TCP connection so we should
# force it to use a Unix socket. # force it to use a Unix socket.
# See: https://github.com/ansible/ansible/issues/47736 # See: https://github.com/ansible/ansible/issues/47736
mariadb_login_unix_socket: /var/run/mysqld/mysqld.sock mariadb_login_unix_socket: /run/mysqld/mysqld.sock
# default is 100 but the max I've seen used is 5, so let's reduce it # default is 100 but the max I've seen used is 5, so let's reduce it
max_connections: 33 max_connections: 33
# disable the query cache by default
query_cache_size: 0
query_cache_type: 0
# mysqltuner says we should use larger than 32M on our setup
tmp_table_size: 64M
max_heap_table_size: 64M
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

6
roles/mariadb/handlers/main.yml
View File

@@ -1,5 +1,7 @@
--- ---
- name: restart mysql - name: restart mariadb
systemd: name=mysql state=restarted ansible.builtin.systemd_service:
name: mariadb
state: restarted
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

108
roles/mariadb/tasks/main.yml
View File

@@ -1,59 +1,111 @@
--- ---
- name: Add GPG key for MariaDB repo - name: Remove MariaDB key from apt-key
apt_key: id=0x177F4010FE56CA3336300305F1656F24C74CD1D8 url=https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x177F4010FE56CA3336300305F1656F24C74CD1D8 ansible.builtin.apt_key:
register: add_mariadb_apt_key id: "013577200103762554506315430003013705453362230723150730"
tags: mariadb, packages state: absent
tags:
- packages
- mariadb
- name: Add MariaDB 10.4 repo - name: Check MariaDB package signing key
template: src=mariadb.list.j2 dest=/etc/apt/sources.list.d/mariadb.list owner=root group=root mode=0644 ansible.builtin.stat:
path: /etc/apt/keyrings/mariadb_release_signing_key.asc
register: mariadb_signing_key_stat
tags:
- packages
- mariadb
- name: Download MariaDB package signing key
when: not mariadb_signing_key_stat.stat.exists
ansible.builtin.get_url:
url: https://mariadb.org/mariadb_release_signing_key.asc
dest: /etc/apt/keyrings/mariadb_release_signing_key.asc
owner: root
group: root
mode: "0644"
register: download_mariadb_signing_key
tags:
- packages
- mariadb
- name: Add MariaDB 10.11 repo
ansible.builtin.apt_repository:
repo: deb [arch=amd64 signed-by=/etc/apt/keyrings/mariadb_release_signing_key.asc] https://dlm.mariadb.com/repo/mariadb-server/10.11/repo/debian {{ ansible_distribution_release
}} main
filename: mariadb
state: present
register: add_mariadb_apt_repository register: add_mariadb_apt_repository
tags: mariadb, packages tags:
- packages
- mariadb
- name: Update apt cache - name: Update apt cache
apt: when: (download_mariadb_signing_key.status_code is defined and download_mariadb_signing_key.status_code == 200) or add_mariadb_apt_repository is changed
update_cache: yes ansible.builtin.apt: # noqa no-handler
when: update_cache: true
add_mariadb_apt_key is changed or tags:
add_mariadb_apt_repository is changed - packages
- mariadb
- name: Install mariadb-server - name: Install mariadb-server
apt: name={{ item }} state=present cache_valid_time=3600 ansible.builtin.apt:
loop: name: [mariadb-server, python3-pymysql]
- mariadb-server state: present
- python3-pymysql # for ansible cache_valid_time: 3600
tags: mariadb, packages tags: mariadb, packages
- name: Create system my.cnf - name: Create system my.cnf
template: src=my.cnf.j2 dest=/etc/mysql/my.cnf owner=root group=root mode=0644 ansible.builtin.template:
src: my.cnf.j2
dest: /etc/mysql/my.cnf
owner: root
group: root
mode: "0644"
notify: notify:
- restart mysql - restart mariadb
tags: mariadb tags: mariadb
# 'localhost' needs to be the last item for idempotency, see # See: https://docs.ansible.com/ansible/latest/collections/community/mysql/mysql_user_module.html
# https://docs.ansible.com/ansible/latest/mysql_user_module.html
- name: Update MariaDB root password for all root accounts - name: Update MariaDB root password for all root accounts
mysql_user: name=root host={{ item }} password={{ mariadb_root_password }} login_unix_socket={{ mariadb_login_unix_socket }} community.mysql.mysql_user:
name: root
host: "{{ item }}"
password: "{{ mariadb_root_password }}"
login_unix_socket: "{{ mariadb_login_unix_socket }}"
loop: loop:
- "{{ inventory_hostname }}"
- 127.0.0.1 - 127.0.0.1
- ::1 - ::1
- localhost
tags: mariadb tags: mariadb
- name: Create .my.conf file with root credentials - name: Create .my.conf file with root credentials
template: src=.my.cnf.j2 dest=/root/.my.cnf owner=root mode=0600 ansible.builtin.template:
src: .my.cnf.j2
dest: /root/.my.cnf
owner: root
mode: "0600"
tags: mariadb tags: mariadb
# See: https://docs.ansible.com/ansible/latest/collections/community/mysql/mysql_db_module.html
- name: Create MariaDB database(s) - name: Create MariaDB database(s)
mysql_db: db={{ item.name }} state=present encoding=utf8mb4
loop: "{{ mariadb_databases }}"
when: mariadb_databases is defined when: mariadb_databases is defined
community.mysql.mysql_db:
db: "{{ item.name }}"
state: present
encoding: utf8mb4
login_unix_socket: "{{ mariadb_login_unix_socket }}"
loop: "{{ mariadb_databases }}"
tags: mariadb tags: mariadb
- name: Create MariaDB user(s) - name: Create MariaDB user(s)
mysql_user: name={{ item.user }} password={{ item.pass }} priv={{ item.name }}.*:ALL state=present
loop: "{{ mariadb_databases }}"
when: mariadb_databases is defined when: mariadb_databases is defined
community.mysql.mysql_user:
name: "{{ item.user }}"
password: "{{ item.pass }}"
priv: "{{ item.name }}.*:ALL"
host: 127.0.0.1
state: present
login_unix_socket: "{{ mariadb_login_unix_socket }}"
loop: "{{ mariadb_databases }}"
tags: mariadb tags: mariadb
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

3
roles/mariadb/templates/mariadb.list.j2
View File

@@ -1,3 +0,0 @@
{{ ansible_managed | comment }}
deb [arch=amd64] http://mirror.23media.de/mariadb/repo/10.4/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} main

23
roles/mariadb/templates/my.cnf.j2
View File

@@ -19,14 +19,14 @@
# Remember to edit /etc/mysql/debian.cnf when changing the socket location. # Remember to edit /etc/mysql/debian.cnf when changing the socket location.
[client] [client]
port = 3306 port = 3306
socket = /var/run/mysqld/mysqld.sock socket = /run/mysqld/mysqld.sock
# Here is entries for some specific programs # Here is entries for some specific programs
# The following values assume you have at least 32M ram # The following values assume you have at least 32M ram
# This was formally known as [safe_mysqld]. Both versions are currently parsed. # This was formally known as [safe_mysqld]. Both versions are currently parsed.
[mysqld_safe] [mysqld_safe]
socket = /var/run/mysqld/mysqld.sock socket = /run/mysqld/mysqld.sock
nice = 0 nice = 0
[mysqld] [mysqld]
@@ -34,8 +34,8 @@ nice = 0
# * Basic Settings # * Basic Settings
# #
user = mysql user = mysql
pid-file = /var/run/mysqld/mysqld.pid pid-file = /run/mysqld/mysqld.pid
socket = /var/run/mysqld/mysqld.sock socket = /run/mysqld/mysqld.sock
port = 3306 port = 3306
basedir = /usr basedir = /usr
datadir = /var/lib/mysql datadir = /var/lib/mysql
@@ -47,6 +47,10 @@ skip-external-locking
# Instead of skip-networking the default is now to listen only on # Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure. # localhost which is more compatible and is not less secure.
bind-address = 127.0.0.1 bind-address = 127.0.0.1
# don't resolve connection IPs to hostnames (make sure user accounts are using
# IPs instead of "localhost")
skip-name-resolve=1
# #
# * Fine Tuning # * Fine Tuning
# #
@@ -57,8 +61,8 @@ max_allowed_packet = 16M
thread_cache_size = 128 thread_cache_size = 128
sort_buffer_size = 4M sort_buffer_size = 4M
bulk_insert_buffer_size = 16M bulk_insert_buffer_size = 16M
tmp_table_size = 32M tmp_table_size = {{ tmp_table_size }}
max_heap_table_size = 32M max_heap_table_size = {{ max_heap_table_size }}
# #
# * MyISAM # * MyISAM
# #
@@ -75,11 +79,9 @@ read_rnd_buffer_size = 1M
# #
# * Query Cache Configuration # * Query Cache Configuration
# #
# Cache only tiny result sets, so we can fit more in the query cache.
query_cache_limit = 128K query_cache_limit = 128K
query_cache_size = 64M query_cache_size = {{ query_cache_size }}
# for more write intensive setups, set to DEMAND or OFF query_cache_type = {{ query_cache_type }}
#query_cache_type = DEMAND
# #
# * Logging and Replication # * Logging and Replication
# #
@@ -141,7 +143,6 @@ innodb_file_per_table = 1
innodb_open_files = 400 innodb_open_files = 400
innodb_io_capacity = 400 innodb_io_capacity = 400
innodb_flush_method = O_DIRECT innodb_flush_method = O_DIRECT
innodb_buffer_pool_instances = {{ innodb_buffer_pool_instances }}
aria_pagecache_buffer_size = {{ aria_pagecache_buffer_size }} aria_pagecache_buffer_size = {{ aria_pagecache_buffer_size }}
# #

4
roles/munin/handlers/main.yml
View File

@@ -1,4 +1,4 @@
--- ---
# file: roles/munin/handlers/main.yml # ansible.builtin.file: roles/munin/handlers/main.yml
- name: restart munin-node - name: restart munin-node
systemd: name=munin-node state=restarted ansible.builtin.systemd_service: name=munin-node state=restarted

4
roles/munin/tasks/main.yml
View File

@@ -1,8 +1,8 @@
--- ---
- name: Configure munin scraper - name: Configure munin scraper
import_tasks: munin.yml ansible.builtin.import_tasks: munin.yml
tags: munin tags: munin
- name: Configure munin listener - name: Configure munin listener
import_tasks: munin-node.yml ansible.builtin.import_tasks: munin-node.yml
tags: munin-node tags: munin-node

19
roles/munin/tasks/munin-node.yml
View File

@@ -1,25 +1,34 @@
--- ---
- name: Install munin-node - name: Install munin-node
apt: name=munin-node state=present ansible.builtin.apt:
name: munin-node
state: present
tags: packages tags: packages
# some nice things to have for munin-node on Ubuntu # some nice things to have for munin-node on Ubuntu
# libwww-perl: for munin's nginx_status check # libwww-perl: for munin's nginx_status check
- name: Install munin-node deps - name: Install munin-node deps
apt: name=libwww-perl state=present ansible.builtin.apt:
name: libwww-perl
state: present
tags: packages tags: packages
- name: Create munin-node.conf - name: Create munin-node.conf
template: src=munin-node.conf.j2 dest=/etc/munin/munin-node.conf ansible.builtin.template:
src: munin-node.conf.j2
dest: /etc/munin/munin-node.conf
notify: notify:
- restart munin-node - restart munin-node
- name: Configure munin-node - name: Configure munin-node
shell: munin-node-configure --shell --families=contrib,auto | sh -x ansible.builtin.shell: munin-node-configure --shell --families=contrib,auto | sh -x
notify: notify:
- restart munin-node - restart munin-node
- name: Start munin-node - name: Start munin-node
systemd: name=munin-node state=started enabled=true ansible.builtin.systemd_service:
name: munin-node
state: started
enabled: true
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

11
roles/munin/tasks/munin.yml
View File

@@ -1,9 +1,16 @@
--- ---
- name: Install munin package - name: Install munin package
apt: name=munin state=present ansible.builtin.apt:
name: munin
state: present
tags: packages tags: packages
- name: Create munin configuration file - name: Create munin configuration file
template: src=munin.conf.j2 dest=/etc/munin/munin.conf owner=root group=root mode=0644 ansible.builtin.template:
src: munin.conf.j2
dest: /etc/munin/munin.conf
owner: root
group: root
mode: "0644"
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

39
roles/nginx/defaults/main.yml
View File

@@ -1,37 +1,44 @@
--- ---
# file: roles/nginx/defaults/main.yml # ansible.builtin.file: roles/nginx/defaults/main.yml
# path config # path config
nginx_confd_path: /etc/nginx/conf.d nginx_confd_path: /etc/nginx/conf.d
# parent directory of vhost roots # parent directory of vhost roots
nginx_root_prefix: /var/www nginx_root_prefix: "{{ web_root_prefix }}"
# 1 hour timeout # 1 day timeout
nginx_ssl_session_timeout: 1h nginx_ssl_session_timeout: 1d
# 10MB -> 40,000 sessions # 10MB -> 40,000 sessions
nginx_ssl_session_cache: shared:SSL:10m nginx_ssl_session_cache: shared:SSL:10m
# 1400 bytes to fit in one MTU (default is 16k!) nginx_ssl_buffer_size: 4k
nginx_ssl_buffer_size: 1400
nginx_ssl_dhparam: /etc/ssl/certs/dhparam.pem nginx_ssl_dhparam: /etc/ssl/certs/dhparam.pem
nginx_ssl_protocols: 'TLSv1.2 TLSv1.3' nginx_ssl_protocols: TLSv1.2 TLSv1.3
nginx_ssl_ecdh_curve: X25519:prime256v1:secp384r1
# DNS resolvers for OCSP stapling (default to Cloudflare public DNS) # DNS resolvers for OCSP stapling (default to Cloudflare public DNS)
# See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling # See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
nginx_ssl_stapling_resolver: '1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]' nginx_ssl_stapling_resolver: 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]
# install certbot + dependencies? # HTTP Strict-Transport-Security header, recommended by Google to be ~1 year
# True unless you're in development and using "localhost" + snakeoil certs # in seconds, see: https://hstspreload.org/
use_letsencrypt: True nginx_hsts_max_age: 31536000
# install acme.sh?
# true unless you're in development and using "localhost" + snakeoil certs
use_letsencrypt: true
# Directory root for Let's Encrypt certs # Directory root for Let's Encrypt certs
letsencrypt_root: /etc/letsencrypt/live letsencrypt_root: /etc/ssl
# Location of Let's Encrypt's certbot script # Location where to save initial acme.sh script. After installation the script
letsencrypt_certbot_dest: /opt/certbot-auto # will automatically create its home in the /root/.acme.sh directory (including
# a copy of the script itself). The initial script is not needed after.
letsencrypt_acme_script_temp: /root/acme.sh
letsencrypt_acme_home: /root/.acme.sh
# stable is 1.18.x # stable is 1.26.x
# mainline is 1.19.x # mainline is 1.27.x
nginx_version: mainline nginx_version: mainline
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

3
roles/nginx/files/extra-security.conf
View File

@@ -15,3 +15,6 @@ add_header X-XSS-Protection "1; mode=block" always;
# CSP can be quite difficult to configure, and cause real issues if you get it wrong # CSP can be quite difficult to configure, and cause real issues if you get it wrong
# There is website that helps you generate a policy here http://cspisawesome.com/ # There is website that helps you generate a policy here http://cspisawesome.com/
# add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' https://www.google-analytics.com;" always; # add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' https://www.google-analytics.com;" always;
# Opt this site out of Google Chrome's Federated Learning of Cohorts (FLoC)
add_header Permissions-Policy interest-cohort=() always;

3
roles/nginx/files/start-nginx.sh
View File

@@ -1,3 +0,0 @@
#!/usr/bin/env bash
/bin/systemctl start nginx

3
roles/nginx/files/stop-nginx.sh
View File

@@ -1,3 +0,0 @@
#!/usr/bin/env bash
/bin/systemctl stop nginx

6
roles/nginx/handlers/main.yml
View File

@@ -1,5 +1,7 @@
--- ---
- name: reload nginx - name: Reload nginx
systemd: name=nginx state=reloaded ansible.builtin.systemd_service:
name: nginx
state: reloaded
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

210
roles/nginx/tasks/letsencrypt.yml
View File

@@ -1,137 +1,91 @@
--- ---
# Use acme.sh instead of certbot because they only support installation via
# snap now.
- name: Install and configure Let's Encrypt
tags: letsencrypt
when:
- ansible_distribution == 'Debian'
- ansible_distribution_version is version('11', '>='))
block:
- name: Remove certbot
ansible.builtin.apt:
name: certbot
state: absent
- name: Remove old certbot post and pre hooks for nginx
ansible.builtin.file:
dest: "{{ item }}"
state: absent
with_items:
- /etc/letsencrypt/renewal-hooks/pre/stop-nginx.sh
- /etc/letsencrypt/renewal-hooks/post/start-nginx.sh
- name: Check if acme.sh is installed
ansible.builtin.stat:
path: "{{ letsencrypt_acme_home }}"
register: acme_home
- name: Download acme.sh
when: not acme_home.stat.exists
ansible.builtin.get_url:
url: https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh
dest: "{{ letsencrypt_acme_script_temp }}"
mode: "0700"
register: acme_download
# Run the "install" for acme.sh so it creates the .acme.sh dir (currently I
# have to chdir to the /root directory where the script exists or else it
# fails. Ansible runs it, but the script can't find itself...).
- name: Install acme.sh
when: acme_download is changed
ansible.builtin.command:
cmd: "{{ letsencrypt_acme_script_temp }} --install --no-profile --no-cron"
creates: "{{ letsencrypt_acme_home }}/acme.sh"
chdir: /root
register: acme_install
- name: Remove temporary acme.sh script
when:
- acme_install.rc is defined
- acme_install.rc == 0
ansible.builtin.file:
dest: "{{ letsencrypt_acme_script_temp }}"
state: absent
- name: Set default certificate authority for acme.sh
ansible.builtin.command:
cmd: "{{ letsencrypt_acme_home }}/acme.sh --set-default-ca --server letsencrypt"
- name: Prepare Let's Encrypt well-known directory
ansible.builtin.file:
state: directory
path: /var/lib/letsencrypt/.well-known
owner: root
group: nginx
mode: g+s
- block:
- name: Copy systemd service to renew Let's Encrypt certs - name: Copy systemd service to renew Let's Encrypt certs
template: src=renew-letsencrypt.service.j2 dest=/etc/systemd/system/renew-letsencrypt.service mode=0644 owner=root group=root ansible.builtin.template:
src: renew-letsencrypt.service.j2
dest: /etc/systemd/system/renew-letsencrypt.service
mode: "0644"
owner: root
group: root
- name: Copy systemd timer to renew Let's Encrypt certs - name: Copy systemd timer to renew Let's Encrypt certs
copy: src=renew-letsencrypt.timer dest=/etc/systemd/system/renew-letsencrypt.timer mode=0644 owner=root group=root ansible.builtin.copy:
src: renew-letsencrypt.timer
dest: /etc/systemd/system/renew-letsencrypt.timer
mode: "0644"
owner: root
group: root
# always issues daemon-reload just in case the server/timer changed # always issues daemon-reload just in case the service/timer changed
- name: Start and enable systemd timer to renew Let's Encrypt certs - name: Start and enable systemd timer to renew Let's Encrypt certs
systemd: name=renew-letsencrypt.timer state=started enabled=yes daemon_reload=yes ansible.builtin.systemd_service:
name: renew-letsencrypt.timer
- name: Download certbot state: started
get_url: dest={{ letsencrypt_certbot_dest }} url=https://dl.eff.org/certbot-auto mode=700 enabled: true
daemon_reload: true
# Dependencies certbot checks for on its first run. I set them in a fact so that
# I can pass the list directly to the apt module to install in one transaction.
- name: Set certbot dependencies (Debian 10)
when: ansible_distribution == 'Debian' and ansible_distribution_major_version is version('10', '==')
set_fact:
certbot_dependencies:
- augeas-lenses
- binutils
- binutils-common
- binutils-x86-64-linux-gnu
- cpp
- cpp-8
- gcc
- gcc-8
- libasan5
- libatomic1
- libaugeas0
- libbinutils
- libc-dev-bin
- libc6-dev
- libcc1-0
- libexpat1-dev
- libffi-dev
- libgcc-8-dev
- libgomp1
- libisl19
- libitm1
- liblsan0
- libmpc3
- libmpfr6
- libmpx2
- libpython-dev
- libpython2-dev
- libpython2.7
- libpython2.7-dev
- libquadmath0
- libssl-dev
- libtsan0
- libubsan1
- linux-libc-dev
- python-dev
- python-pip-whl
- python-pkg-resources
- python-virtualenv
- python2-dev
- python2.7-dev
- python3-distutils
- python3-lib2to3
- python3-virtualenv
- virtualenv
# Dependencies certbot checks for on its first run. I set them in a fact so that
# I can pass the list directly to the apt module to install in one transaction.
- name: Set certbot dependencies (Ubuntu 18.04)
when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('18.04', '==')
set_fact:
certbot_dependencies:
- augeas-lenses
- binutils
- binutils-common
- binutils-x86-64-linux-gnu
- cpp
- cpp-7
- gcc
- gcc-7
- gcc-7-base
- libasan4
- libatomic1
- libaugeas0
- libbinutils
- libc-dev-bin
- libc6-dev
- libcc1-0
- libcilkrts5
- libexpat1-dev
- libffi-dev
- libgcc-7-dev
- libgomp1
- libisl19
- libitm1
- liblsan0
- libmpc3
- libmpx2
- libpython-dev
- libpython2.7
- libpython2.7-dev
- libquadmath0
- libssl-dev
- libtsan0
- libubsan0
- linux-libc-dev
- python-dev
- python-pip-whl
- python-pkg-resources
- python-virtualenv
- python2.7-dev
- python3-virtualenv
- virtualenv
- name: Install certbot dependencies
apt: name={{ certbot_dependencies }} state=present update_cache=yes
when: ansible_distribution != 'Ubuntu' and ansible_distribution_major_version is version('20.04', '!=')
tags: letsencrypt
# On Ubuntu 20.04 it is no longer recommended/supported to use the standalone
# certbot-auto so I guess we need to use the one from the repositories.
- block:
- name: Install certbot (Ubuntu 20.04)
apt: name=certbot state=present update_cache=yes
- name: Copy certbot post and pre hooks for nginx
copy: src={{ item.src }} dest={{ item.dest }} owner=root group=root mode=0755
with_items:
- { src: 'stop-nginx.sh', dest: '/etc/letsencrypt/renewal-hooks/post/stop-nginx.sh' }
- { src: 'start-nginx.sh', dest: '/etc/letsencrypt/renewal-hooks/post/start-nginx.sh' }
when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')
tags: letsencrypt
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

111
roles/nginx/tasks/main.yml
View File

@@ -1,77 +1,132 @@
--- ---
- name: Add nginx.org apt signing key - name: Remove nginx apt signing key from apt-key
apt_key: id=0x573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 url=https://nginx.org/keys/nginx_signing.key state=present ansible.builtin.apt_key:
register: add_nginx_apt_key id: "053473772654754373614404074646527257655730117366337542"
tags: nginx, packages state: absent
tags:
- packages
- nginx
- name: Download nginx apt signing key
ansible.builtin.get_url:
url: https://nginx.org/keys/nginx_signing.key
dest: /usr/share/keyrings/nginx_signing.key
owner: root
group: root
mode: "0644"
checksum: sha256:55385da31d198fa6a5012d40ae98ecb272a6c4e8fffffba94719ffd3e87de37a
register: download_nginx_signing_key
tags:
- packages
- nginx
- name: Add nginx.org repo - name: Add nginx.org repo
template: src=nginx_org_sources.list.j2 dest=/etc/apt/sources.list.d/nginx_org_sources.list owner=root group=root mode=0644 ansible.builtin.template:
src: nginx_org_sources.list.j2
dest: /etc/apt/sources.list.d/nginx_org_sources.list
owner: root
group: root
mode: "0644"
register: add_nginx_apt_repository register: add_nginx_apt_repository
tags: nginx, packages tags:
- nginx
- packages
- name: Update apt cache - name: Update apt cache
apt: when: (download_nginx_signing_key.status_code is defined and download_nginx_signing_key.status_code == 200) or add_nginx_apt_repository is changed
update_cache: yes ansible.builtin.apt: # noqa no-handler
when: update_cache: true
add_nginx_apt_key is changed or
add_nginx_apt_repository is changed
- name: Install nginx - name: Install nginx
apt: pkg=nginx cache_valid_time=3600 state=present ansible.builtin.apt:
tags: nginx, packages pkg: nginx
cache_valid_time: 3600
state: present
tags:
- nginx
- packages
- name: Copy nginx.conf - name: Copy nginx.conf
template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf mode=0644 owner=root group=root ansible.builtin.template:
src: nginx.conf.j2
dest: /etc/nginx/nginx.conf
mode: "0644"
owner: root
group: root
notify: notify:
- reload nginx - Reload nginx
tags: nginx tags: nginx
- name: Copy extra nginx configs - name: Copy extra nginx configs
copy: src={{ item }} dest=/etc/nginx/{{ item }} mode=0644 owner=root group=root ansible.builtin.copy:
src: "{{ item }}"
dest: /etc/nginx/{{ item }}
mode: "0644"
owner: root
group: root
loop: loop:
- extra-security.conf - extra-security.conf
- fastcgi_cache - fastcgi_cache
notify: notify:
- reload nginx - Reload nginx
tags: nginx tags: nginx
- name: Remove default nginx vhost - name: Remove default nginx vhost
file: path=/etc/nginx/conf.d/default.conf state=absent ansible.builtin.file:
path: /etc/nginx/conf.d/default.conf
state: absent
tags: nginx tags: nginx
- name: Create fastcgi cache dir - name: Create fastcgi cache dir
file: path=/var/cache/nginx/cached/fastcgi state=directory owner=nginx group=nginx mode=0755 ansible.builtin.file:
path: /var/cache/nginx/cached/fastcgi
state: directory
owner: nginx
group: nginx
mode: "0755"
tags: nginx tags: nginx
- name: Configure nginx virtual hosts - name: Configure nginx virtual hosts
include_tasks: vhosts.yml
when: nginx_vhosts is defined when: nginx_vhosts is defined
ansible.builtin.include_tasks: vhosts.yml
tags: nginx tags: nginx
- name: Configure WordPress - name: Configure WordPress
include_tasks: wordpress.yml
when: nginx_vhosts is defined when: nginx_vhosts is defined
ansible.builtin.include_tasks: wordpress.yml
tags: wordpress tags: wordpress
- name: Configure blank nginx vhost - name: Configure blank nginx vhost
template: src=blank-vhost.conf.j2 dest={{ nginx_confd_path }}/blank-vhost.conf mode=0644 owner=root group=root ansible.builtin.template:
src: blank-vhost.conf.j2
dest: "{{ nginx_confd_path }}/blank-vhost.conf"
mode: "0644"
owner: root
group: root
notify: notify:
- reload nginx - Reload nginx
tags: nginx tags: nginx
- name: Configure munin vhost - name: Configure munin vhost
copy: src=munin.conf dest=/etc/nginx/conf.d/munin.conf mode=0644 owner=root group=root ansible.builtin.copy:
src: munin.conf
dest: /etc/nginx/conf.d/munin.conf
mode: "0644"
owner: root
group: root
notify: notify:
- reload nginx - Reload nginx
tags: nginx tags: nginx
- name: Start and enable nginx service - name: Start and enable nginx service
systemd: name=nginx state=started enabled=yes ansible.builtin.systemd_service:
name: nginx
state: started
enabled: true
tags: nginx tags: nginx
- name: Configure Let's Encrypt - name: Configure Let's Encrypt
include_tasks: letsencrypt.yml ansible.builtin.include_tasks: letsencrypt.yml
when: use_letsencrypt is defined and use_letsencrypt
tags: letsencrypt tags: letsencrypt
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

37
roles/nginx/tasks/vhosts.yml
View File

@@ -1,25 +1,40 @@
--- ---
- name: Configure https vhosts
- block: tags: nginx
block:
- name: Configure https vhosts - name: Configure https vhosts
template: src=vhost.conf.j2 dest={{ nginx_confd_path }}/{{ item.domain_name }}.conf mode=0644 owner=root group=root ansible.builtin.template:
src: vhost.conf.j2
dest: "{{ nginx_confd_path }}/{{ item.domain_name }}.conf"
mode: "0644"
owner: root
group: root
loop: "{{ nginx_vhosts }}" loop: "{{ nginx_vhosts }}"
notify: notify:
- reload nginx - Reload nginx
- name: Generate self-signed TLS cert - name: Generate self-signed TLS cert
command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key -out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt ansible.builtin.command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key
-out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt
notify: notify:
- reload nginx - Reload nginx
- name: Generate 2048-bit dhparam - name: Download 4096-bit RFC 7919 dhparams
command: openssl dhparam -out dhparam.pem 2048 chdir=/etc/ssl/certs creates=dhparam.pem ansible.builtin.get_url:
url: https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem
checksum: sha256:64852d6890ff9e62eecd1ee89c72af9af244dfef5b853bcedea3dfd7aade22b3
dest: "{{ nginx_ssl_dhparam }}"
notify: notify:
- reload nginx - Reload nginx
# TODO: this could break because we can override the document root in host vars
- name: Create vhost document roots - name: Create vhost document roots
file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory mode=0755 owner=nginx group=nginx ansible.builtin.file:
path: "{{ nginx_root_prefix }}/{{ item.domain_name }}"
state: directory
mode: "0755"
owner: nginx
group: nginx
loop: "{{ nginx_vhosts }}" loop: "{{ nginx_vhosts }}"
tags: nginx
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

28
roles/nginx/tasks/wordpress.yml
View File

@@ -1,15 +1,29 @@
--- ---
- name: Install and configure WordPress
- block: tags: wordpress
block:
- name: Install WordPress - name: Install WordPress
git: repo=https://github.com/WordPress/WordPress.git dest={{ nginx_root_prefix }}/{{ item.domain_name }}/wordpress version={{ item.wordpress_version }} depth=1 force=yes when:
when: item.has_wordpress is defined and item.has_wordpress - item.has_wordpress is defined
- item.has_wordpress
ansible.builtin.git:
repo: https://github.com/WordPress/WordPress.git
dest: "{{ nginx_root_prefix }}/{{ item.domain_name }}/wordpress"
version: "{{ item.wordpress_version }}"
depth: 1
force: true
loop: "{{ nginx_vhosts }}" loop: "{{ nginx_vhosts }}"
- name: Fix WordPress directory permissions - name: Fix WordPress directory permissions
file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory owner=nginx group=nginx recurse=yes when:
when: item.has_wordpress is defined and item.has_wordpress - item.has_wordpress is defined
- item.has_wordpress
ansible.builtin.file:
path: "{{ nginx_root_prefix }}/{{ item.domain_name }}"
state: directory
owner: nginx
group: nginx
recurse: true
loop: "{{ nginx_vhosts }}" loop: "{{ nginx_vhosts }}"
tags: wordpress
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

8
roles/nginx/templates/blank-vhost.conf.j2
View File

@@ -11,12 +11,14 @@ server {
return 444; return 444;
} }
server { server {
listen 443 ssl http2 default_server; listen 443 ssl default_server;
listen [::]:443 ssl http2 default_server; listen [::]:443 ssl default_server;
http2 on;
server_name _; server_name _;
# "snakeoil" certificate (self signed!) # self-signed "snakeoil" certificate
ssl_certificate /etc/ssl/certs/nginx-snakeoil.crt; ssl_certificate /etc/ssl/certs/nginx-snakeoil.crt;
ssl_certificate_key /etc/ssl/private/nginx-snakeoil.key; ssl_certificate_key /etc/ssl/private/nginx-snakeoil.key;

5
roles/nginx/templates/gitea.j2 Normal file
View File

@@ -0,0 +1,5 @@
location / {
proxy_pass http://localhost:3000;
}

26
roles/nginx/templates/https.j2
View File

@@ -1,7 +1,7 @@
{# helper variables and per-site defaults that we can't set in role defaults #} {# helper variables and per-site defaults that we can't set in role defaults #}
{% set domain_name = item.domain_name %} {% set domain_name = item.domain_name %}
{# assume HSTS is off unless a vhost explicitly sets it to True #} {# assume HSTS is off unless a vhost explicitly sets it to true #}
{% set enable_hsts = item.enable_hsts | default(False) %} {% set enable_hsts = item.enable_hsts | default(false) %}
{# first, check if the current vhost has a custom cert (perhaps self-signed) #} {# first, check if the current vhost has a custom cert (perhaps self-signed) #}
{% if item.tls_certificate_path is defined and item.tls_key_path is defined %} {% if item.tls_certificate_path is defined and item.tls_key_path is defined %}
@@ -16,8 +16,8 @@
# concatenated key + cert # concatenated key + cert
# See: http://nginx.org/en/docs/http/configuring_https_servers.html # See: http://nginx.org/en/docs/http/configuring_https_servers.html
ssl_certificate {{ letsencrypt_root }}/{{ domain_name }}/fullchain.pem; ssl_certificate {{ letsencrypt_root }}/certs/{{ domain_name }}.fullchain.pem;
ssl_certificate_key {{ letsencrypt_root }}/{{ domain_name }}/privkey.pem; ssl_certificate_key {{ letsencrypt_root }}/private/{{ domain_name }}.key.pem;
{% endif %} {% endif %}
@@ -27,29 +27,21 @@
ssl_dhparam {{ nginx_ssl_dhparam }}; ssl_dhparam {{ nginx_ssl_dhparam }};
ssl_protocols {{ nginx_ssl_protocols }}; ssl_protocols {{ nginx_ssl_protocols }};
ssl_ecdh_curve {{ nginx_ssl_ecdh_curve }};
ssl_ciphers "{{ tls_cipher_suite }}"; ssl_ciphers "{{ tls_cipher_suite }}";
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers off;
{# OSCP stapling only works with real certs #} {# OSCP stapling only works with real certs #}
{% if use_letsencrypt == True or item.tls_certificate_path %} {% if use_letsencrypt == true or item.tls_certificate_path %}
# OCSP stapling... # OCSP stapling...
ssl_stapling on; ssl_stapling on;
ssl_stapling_verify on; ssl_stapling_verify on;
resolver {{ nginx_ssl_stapling_resolver }}; resolver {{ nginx_ssl_stapling_resolver }};
{% endif %} {# end: use_letsencrypt #} {% endif %} {# end: use_letsencrypt #}
# nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and {% if enable_hsts == true %}
# when a restart is performed the previous key is lost, which resets all previous
# sessions. The fix for this is to setup a manual rotation mechanism:
# http://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx
#
# Note that you'll have to define and rotate the keys securely by yourself. In absence
# of such infrastructure, consider turning off session tickets:
ssl_session_tickets off;
{% if enable_hsts == True %}
# Enable this if you want HSTS (recommended, but be careful) # Enable this if you want HSTS (recommended, but be careful)
# Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
# See: https://hstspreload.appspot.com/ # See: https://hstspreload.appspot.com/
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always; add_header Strict-Transport-Security "max-age={{ nginx_hsts_max_age }}; includeSubDomains; preload" always;
{% endif %} {% endif %}

16
roles/nginx/templates/nginx_org_sources.list.j2
View File

@@ -1,19 +1,7 @@
{{ ansible_managed | comment }} {{ ansible_managed | comment }}
{% if ansible_distribution == 'Ubuntu' %}
{% if nginx_version == "stable" %} {% if nginx_version == "stable" %}
deb [arch=amd64] https://nginx.org/packages/ubuntu/ {{ ansible_distribution_release }} nginx deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx
{% elif nginx_version == "mainline" %} {% elif nginx_version == "mainline" %}
deb [arch=amd64] https://nginx.org/packages/mainline/ubuntu/ {{ ansible_distribution_release }} nginx deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/mainline/debian/ {{ ansible_distribution_release }} nginx
{% endif %}
{% elif ansible_distribution == 'Debian' %}
{% if nginx_version == "stable" %}
deb [arch=amd64] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx
{% elif nginx_version == "mainline" %}
deb [arch=amd64] https://nginx.org/packages/mainline/debian/ {{ ansible_distribution_release }} nginx
{% endif %}
{% endif %} {% endif %}

6
roles/nginx/templates/renew-letsencrypt.service.j2
View File

@@ -1,7 +1,9 @@
[Unit] [Unit]
Description=Renew Let's Encrypt certificates Description=Renew Let's Encrypt certificates
ConditionFileIsExecutable={{ letsencrypt_certbot_dest }} ConditionFileIsExecutable={{ letsencrypt_acme_home }}/acme.sh
[Service] [Service]
Type=oneshot Type=oneshot
ExecStart={{ letsencrypt_certbot_dest }} renew --standalone --pre-hook "/bin/systemctl stop nginx" --post-hook "/bin/systemctl start nginx" ExecStart={{ letsencrypt_acme_home }}/acme.sh --cron --home {{ letsencrypt_acme_home }} --reloadcmd "/bin/systemctl reload nginx" -w /var/lib/letsencrypt
SuccessExitStatus=0 2

51
roles/nginx/templates/vhost.conf.j2
View File

@@ -4,9 +4,16 @@
{% set domain_name = item.domain_name %} {% set domain_name = item.domain_name %}
{% set domain_aliases = item.domain_aliases | default("") %} {% set domain_aliases = item.domain_aliases | default("") %}
{# assume optional features are off unless a vhost explicitly sets them #} {# assume optional features are off unless a vhost explicitly sets them #}
{% set enable_hsts = item.enable_hsts | default(False) %} {% set enable_hsts = item.enable_hsts | default(false) %}
{% set has_wordpress = item.has_wordpress | default(False) %} {% set has_wordpress = item.has_wordpress | default(false) %}
{% set needs_php = item.needs_php | default(False) %} {% set needs_php = item.needs_php | default(false) %}
{% set has_gitea = item.has_gitea | default(false) %}
{# Allow sites to override the document root #}
{% if item.document_root is defined %}
{% set document_root = item.document_root %}
{% else %}
{% set document_root = (nginx_root_prefix, domain_name) | ansible.builtin.path_join %}
{% endif %}
# http -> https vhost # http -> https vhost
server { server {
@@ -14,6 +21,8 @@ server {
listen [::]:80; listen [::]:80;
server_name {{ domain_name }} {{ domain_aliases }}; server_name {{ domain_name }} {{ domain_aliases }};
{% include 'well-known.j2' %}
# redirect http -> https # redirect http -> https
location / { location / {
# ? in rewrite makes sure nginx doesn't append query string again # ? in rewrite makes sure nginx doesn't append query string again
@@ -23,31 +32,36 @@ server {
} }
server { server {
listen 443 ssl http2; listen 443 ssl;
listen [::]:443 ssl http2; listen [::]:443 ssl;
http2 on;
root {{ nginx_root_prefix }}/{{ domain_name }}; root {{ document_root }};
{# will only work if the TLS cert covers the domain + aliases, like example.com and www.example.com #} {# will only work if the TLS cert covers the domain + aliases, like example.com and www.example.com #}
server_name {{ domain_name }} {{ domain_aliases }}; server_name {{ domain_name }} {{ domain_aliases }};
index {% if has_wordpress == True or needs_php == True %}index.php{% else %}index.html{% endif %}; index {% if has_wordpress == true or needs_php == true %}index.php{% else %}index.html{% endif %};
access_log /var/log/nginx/{{ domain_name }}-access.log; access_log /var/log/nginx/{{ domain_name }}-access.log;
error_log /var/log/nginx/{{ domain_name }}-error.log; error_log /var/log/nginx/{{ domain_name }}-error.log;
{% include 'https.j2' %} {% include 'https.j2' %}
{% if has_wordpress == True %} {% if has_wordpress == true %}
{% include 'wordpress.j2' %} {% include 'wordpress.j2' %}
{% endif %} {% endif %}
{% if has_gitea == true %}
{% include 'gitea.j2' %}
{% endif %}
error_page 500 502 503 504 /50x.html; error_page 500 502 503 504 /50x.html;
location = /50x.html { location = /50x.html {
root /usr/share/nginx/html; root /usr/share/nginx/html;
} }
{% if has_wordpress == True or needs_php == True %} {% if has_wordpress == true or needs_php == true %}
location ~ [^/]\.php(/|$) { location ~ [^/]\.php(/|$) {
# Zero-day exploit defense. # Zero-day exploit defense.
# http://forum.nginx.org/read.php?2,88845,page=3 # http://forum.nginx.org/read.php?2,88845,page=3
@@ -63,17 +77,8 @@ server {
# See: https://httpoxy.org/ # See: https://httpoxy.org/
fastcgi_param HTTP_PROXY ""; fastcgi_param HTTP_PROXY "";
{# As of Ubuntu 16.04 and Debian 9, the PHP-FPM configs are the same #} {% if ansible_distribution_major_version is version('12', '==') %}
{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('16.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('9', '==')) %} fastcgi_pass unix:/run/php/php8.2-fpm-{{ domain_name }}.sock;
fastcgi_pass unix:/run/php/php7.0-fpm-{{ domain_name }}.sock;
{% elif ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('18.04', '==') %}
fastcgi_pass unix:/run/php/php7.2-fpm-{{ domain_name }}.sock;
{% elif ansible_distribution == 'Debian' and ansible_distribution_version is version('10', '==') %}
fastcgi_pass unix:/run/php/php7.3-fpm-{{ domain_name }}.sock;
{% elif ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==') %}
fastcgi_pass unix:/run/php/php7.4-fpm-{{ domain_name }}.sock;
{% else %}
fastcgi_pass unix:/var/run/php5-fpm-{{ domain_name }}.sock;
{% endif %} {% endif %}
fastcgi_index index.php; fastcgi_index index.php;
# set script path relative to document root in server block # set script path relative to document root in server block
@@ -87,11 +92,11 @@ server {
fastcgi_cache_bypass $http_pragma $wordpress_logged_in; fastcgi_cache_bypass $http_pragma $wordpress_logged_in;
fastcgi_no_cache $http_pragma $wordpress_logged_in; fastcgi_no_cache $http_pragma $wordpress_logged_in;
{% if enable_hsts == True %} {% if enable_hsts == true %}
# Enable this if you want HSTS (recommended, but be careful) # Enable this if you want HSTS (recommended, but be careful)
# Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
# See: https://hstspreload.appspot.com/ # See: https://hstspreload.appspot.com/
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always; add_header Strict-Transport-Security "max-age={{ nginx_hsts_max_age }}; includeSubDomains; preload" always;
{% endif %} {% endif %}
include extra-security.conf; include extra-security.conf;
@@ -101,7 +106,7 @@ server {
include extra-security.conf; include extra-security.conf;
} }
{% if has_wordpress == True %} {% if has_wordpress == true %}
# Check if a user is logged in # Check if a user is logged in
# if so, set $wordpress_logged_in = 1 # if so, set $wordpress_logged_in = 1
# otherwise, set $wordpress_logged_in = 0 # otherwise, set $wordpress_logged_in = 0

6
roles/nginx/templates/well-known.j2 Normal file
View File

@@ -0,0 +1,6 @@
location ^~ /.well-known/acme-challenge/ {
allow all;
root /var/lib/letsencrypt/;
default_type "text/plain";
try_files $uri =404;
}

8
roles/nginx/templates/wordpress.j2
View File

@@ -5,22 +5,22 @@
location / { location / {
try_files $uri $uri/ /index.php?$args; try_files $uri $uri/ /index.php?$args;
{% if enable_hsts == True %} {% if enable_hsts == true %}
# Enable this if you want HSTS (recommended, but be careful) # Enable this if you want HSTS (recommended, but be careful)
# Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
# See: https://hstspreload.appspot.com/ # See: https://hstspreload.appspot.com/
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always; add_header Strict-Transport-Security "max-age={{ nginx_hsts_max_age }}; includeSubDomains; preload" always;
{% endif %} {% endif %}
} }
location ~* \.(?:ico|css|js|gif|jpe?g|png|svg)$ { location ~* \.(?:ico|css|js|gif|jpe?g|png|svg)$ {
add_header Cache-Control "max-age=604800"; add_header Cache-Control "max-age=604800";
{% if enable_hsts == True %} {% if enable_hsts == true %}
# Enable this if you want HSTS (recommended, but be careful) # Enable this if you want HSTS (recommended, but be careful)
# Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
# See: https://hstspreload.appspot.com/ # See: https://hstspreload.appspot.com/
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always; add_header Strict-Transport-Security "max-age={{ nginx_hsts_max_age }}; includeSubDomains; preload" always;
{% endif %} {% endif %}
} }

14
roles/php-fpm/handlers/main.yml
View File

@@ -1,14 +0,0 @@
---
# For Ubuntu 18.04
- name: reload php7.2-fpm
systemd: name=php7.2-fpm state=reloaded
# For Debian 10
- name: reload php7.3-fpm
systemd: name=php7.3-fpm state=reloaded
# For Ubuntu 20.04
- name: reload php7.4-fpm
systemd: name=php7.4-fpm state=reloaded
# vim: set ts=2 sw=2:

36
roles/php-fpm/tasks/Debian_10.yml
View File

@@ -1,36 +0,0 @@
---
- block:
- name: Set php-fpm packages
set_fact:
php_fpm_packages:
- php-fpm
# for WordPress
- php-mysql
- php-gd
- php-curl
# for Piwik
- php-mbstring
- php-xml
- name: Install php-fpm and deps
apt: name={{ php_fpm_packages }} state=present update_cache=yes
# only copy php-fpm config for vhosts that need WordPress or PHP
- name: Copy php-fpm pool config
template: src=php7.3-pool.conf.j2 dest=/etc/php/7.3/fpm/pool.d/{{ item.domain_name }}.conf owner=root group=root mode=0644
loop: "{{ nginx_vhosts }}"
when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
notify: reload php7.3-fpm
- name: Remove default www pool
file: path=/etc/php/7.3/fpm/pool.d/www.conf state=absent
notify: reload php7.3-fpm
# re-configure php.ini
- name: Update php.ini
template: src=php7.3-php.ini.j2 dest=/etc/php/7.3/fpm/php.ini owner=root group=root mode=0644
notify: reload php7.3-fpm
tags: php-fpm
# vim: set ts=2 sw=2:

36
roles/php-fpm/tasks/Ubuntu_18.04.yml
View File

@@ -1,36 +0,0 @@
---
- block:
- name: Set php-fpm packages
set_fact:
php_fpm_packages:
- php-fpm
# for WordPress
- php-mysql
- php-gd
- php-curl
# for Piwik
- php-mbstring
- php-xml
- name: Install php-fpm and deps
apt: name={{ php_fpm_packages }} state=present update_cache=yes
# only copy php-fpm config for vhosts that need WordPress or PHP
- name: Copy php-fpm pool config
template: src=php7.2-pool.conf.j2 dest=/etc/php/7.2/fpm/pool.d/{{ item.domain_name }}.conf owner=root group=root mode=0644
loop: "{{ nginx_vhosts }}"
when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
notify: reload php7.2-fpm
- name: Remove default www pool
file: path=/etc/php/7.2/fpm/pool.d/www.conf state=absent
notify: reload php7.2-fpm
# re-configure php.ini
- name: Update php.ini
template: src=php7.2-php.ini.j2 dest=/etc/php/7.2/fpm/php.ini owner=root group=root mode=0644
notify: reload php7.2-fpm
tags: php-fpm
# vim: set ts=2 sw=2:

36
roles/php-fpm/tasks/Ubuntu_20.04.yml
View File

@@ -1,36 +0,0 @@
---
- block:
- name: Set php-fpm packages
set_fact:
php_fpm_packages:
- php-fpm
# for WordPress
- php-mysql
- php-gd
- php-curl
# for Piwik
- php-mbstring
- php-xml
- name: Install php-fpm and deps
apt: name={{ php_fpm_packages }} state=present update_cache=yes
# only copy php-fpm config for vhosts that need WordPress or PHP
- name: Copy php-fpm pool config
template: src=php7.4-pool.conf.j2 dest=/etc/php/7.4/fpm/pool.d/{{ item.domain_name }}.conf owner=root group=root mode=0644
loop: "{{ nginx_vhosts }}"
when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
notify: reload php7.4-fpm
- name: Remove default www pool
file: path=/etc/php/7.4/fpm/pool.d/www.conf state=absent
notify: reload php7.4-fpm
# re-configure php.ini
- name: Update php.ini
template: src=php7.4-php.ini.j2 dest=/etc/php/7.4/fpm/php.ini owner=root group=root mode=0644
notify: reload php7.4-fpm
tags: php-fpm
# vim: set ts=2 sw=2:

21
roles/php-fpm/tasks/main.yml
View File

@@ -1,21 +0,0 @@
---
# Ubuntu 18.04 uses php-fpm 7.2
# Debian 10 uses php-fpm 7.3
# Ubuntu 20.04 uses PHP 7.4
- name: Configure php-fpm on Ubuntu 18.04
include_tasks: Ubuntu_18.04.yml
when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('18.04', '==')
tags: php-fpm
- name: Configure php-fpm on Debian 10
include_tasks: Debian_10.yml
when: ansible_distribution == 'Debian' and ansible_distribution_version is version('10', '==')
tags: php-fpm
- name: Configure php-fpm on Ubuntu 20.04
include_tasks: Ubuntu_20.04.yml
when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')
tags: php-fpm
# vim: set ts=2 sw=2:

1915
roles/php-fpm/templates/php7.2-php.ini.j2
View File

File diff suppressed because it is too large Load Diff

415
roles/php-fpm/templates/php7.2-pool.conf.j2
View File

@@ -1,415 +0,0 @@
{% set domain_name = item.domain_name %}
; Start a new pool named '{{ domain_name }}'.
; the variable $pool can we used in any directive and will be replaced by the
; pool name ('{{ domain_name }}' here)
[{{ domain_name }}]
; Per pool prefix
; It only applies on the following directives:
; - 'access.log'
; - 'slowlog'
; - 'listen' (unixsocket)
; - 'chroot'
; - 'chdir'
; - 'php_values'
; - 'php_admin_values'
; When not set, the global prefix (or /usr) applies instead.
; Note: This directive can also be relative to the global prefix.
; Default Value: none
;prefix = /path/to/pools/$pool
; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's group
; will be used.
user = nginx
group = nginx
; The address on which to accept FastCGI requests.
; Valid syntaxes are:
; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
; a specific port;
; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
; a specific port;
; 'port' - to listen on a TCP socket to all addresses
; (IPv6 and IPv4-mapped) on a specific port;
; '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory.
listen = /run/php/php7.2-fpm-{{ domain_name }}.sock
; Set listen(2) backlog.
; Default Value: 511 (-1 on FreeBSD and OpenBSD)
;listen.backlog = 511
; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many
; BSD-derived systems allow connections regardless of permissions.
; Default Values: user and group are set as the running user
; mode is set to 0660
listen.owner = nginx
listen.group = nginx
;listen.mode = 0660
; When POSIX Access Control Lists are supported you can set them using
; these options, value is a comma separated list of user/group names.
; When set, listen.owner and listen.group are ignored
;listen.acl_users =
;listen.acl_groups =
; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
; must be separated by a comma. If this value is left blank, connections will be
; accepted from any ip address.
; Default Value: any
;listen.allowed_clients = 127.0.0.1
; Specify the nice(2) priority to apply to the pool processes (only if set)
; The value can vary from -19 (highest priority) to 20 (lower priority)
; Note: - It will only work if the FPM master process is launched as root
; - The pool processes will inherit the master process priority
; unless it specified otherwise
; Default Value: no set
; process.priority = -19
; Choose how the process manager will control the number of child processes.
; Possible Values:
; static - a fixed number (pm.max_children) of child processes;
; dynamic - the number of child processes are set dynamically based on the
; following directives. With this process management, there will be
; always at least 1 children.
; pm.max_children - the maximum number of children that can
; be alive at the same time.
; pm.start_servers - the number of children created on startup.
; pm.min_spare_servers - the minimum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is less than this
; number then some children will be created.
; pm.max_spare_servers - the maximum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is greater than this
; number then some children will be killed.
; ondemand - no children are created at startup. Children will be forked when
; new requests will connect. The following parameter are used:
; pm.max_children - the maximum number of children that
; can be alive at the same time.
; pm.process_idle_timeout - The number of seconds after which
; an idle process will be killed.
; Note: This value is mandatory.
pm = dynamic
; The number of child processes to be created when pm is set to 'static' and the
; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
; This value sets the limit on the number of simultaneous requests that will be
; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
; CGI. The below defaults are based on a server without much resources. Don't
; forget to tweak pm.* to fit your needs.
; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
; Note: This value is mandatory.
pm.max_children = 5
; The number of child processes created on startup.
; Note: Used only when pm is set to 'dynamic'
; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
pm.start_servers = 2
; The desired minimum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.min_spare_servers = 1
; The desired maximum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.max_spare_servers = 3
; The number of seconds after which an idle process will be killed.
; Note: Used only when pm is set to 'ondemand'
; Default Value: 10s
;pm.process_idle_timeout = 10s;
; The number of requests each child process should execute before respawning.
; This can be useful to work around memory leaks in 3rd party libraries. For
; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
; Default Value: 0
;pm.max_requests = 500
; The URI to view the FPM status page. If this value is not set, no URI will be
; recognized as a status page. It shows the following informations:
; pool - the name of the pool;
; process manager - static, dynamic or ondemand;
; start time - the date and time FPM has started;
; start since - number of seconds since FPM has started;
; accepted conn - the number of request accepted by the pool;
; listen queue - the number of request in the queue of pending
; connections (see backlog in listen(2));
; max listen queue - the maximum number of requests in the queue
; of pending connections since FPM has started;
; listen queue len - the size of the socket queue of pending connections;
; idle processes - the number of idle processes;
; active processes - the number of active processes;
; total processes - the number of idle + active processes;
; max active processes - the maximum number of active processes since FPM
; has started;
; max children reached - number of times, the process limit has been reached,
; when pm tries to start more children (works only for
; pm 'dynamic' and 'ondemand');
; Value are updated in real time.
; Example output:
; pool: www
; process manager: static
; start time: 01/Jul/2011:17:53:49 +0200
; start since: 62636
; accepted conn: 190460
; listen queue: 0
; max listen queue: 1
; listen queue len: 42
; idle processes: 4
; active processes: 11
; total processes: 15
; max active processes: 12
; max children reached: 0
;
; By default the status page output is formatted as text/plain. Passing either
; 'html', 'xml' or 'json' in the query string will return the corresponding
; output syntax. Example:
; http://www.foo.bar/status
; http://www.foo.bar/status?json
; http://www.foo.bar/status?html
; http://www.foo.bar/status?xml
;
; By default the status page only outputs short status. Passing 'full' in the
; query string will also return status for each pool process.
; Example:
; http://www.foo.bar/status?full
; http://www.foo.bar/status?json&full
; http://www.foo.bar/status?html&full
; http://www.foo.bar/status?xml&full
; The Full status returns for each process:
; pid - the PID of the process;
; state - the state of the process (Idle, Running, ...);
; start time - the date and time the process has started;
; start since - the number of seconds since the process has started;
; requests - the number of requests the process has served;
; request duration - the duration in µs of the requests;
; request method - the request method (GET, POST, ...);
; request URI - the request URI with the query string;
; content length - the content length of the request (only with POST);
; user - the user (PHP_AUTH_USER) (or '-' if not set);
; script - the main script called (or '-' if not set);
; last request cpu - the %cpu the last request consumed
; it's always 0 if the process is not in Idle state
; because CPU calculation is done when the request
; processing has terminated;
; last request memory - the max amount of memory the last request consumed
; it's always 0 if the process is not in Idle state
; because memory calculation is done when the request
; processing has terminated;
; If the process is in Idle state, then informations are related to the
; last request the process has served. Otherwise informations are related to
; the current request being served.
; Example output:
; ************************
; pid: 31330
; state: Running
; start time: 01/Jul/2011:17:53:49 +0200
; start since: 63087
; requests: 12808
; request duration: 1250261
; request method: GET
; request URI: /test_mem.php?N=10000
; content length: 0
; user: -
; script: /home/fat/web/docs/php/test_mem.php
; last request cpu: 0.00
; last request memory: 0
;
; Note: There is a real-time FPM status monitoring sample web page available
; It's available in: /usr/share/php/7.2/fpm/status.html
;
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
;pm.status_path = /status
; The ping URI to call the monitoring page of FPM. If this value is not set, no
; URI will be recognized as a ping page. This could be used to test from outside
; that FPM is alive and responding, or to
; - create a graph of FPM availability (rrd or such);
; - remove a server from a group if it is not responding (load balancing);
; - trigger alerts for the operating team (24/7).
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
;ping.path = /ping
; This directive may be used to customize the response of a ping request. The
; response is formatted as text/plain with a 200 response code.
; Default Value: pong
;ping.response = pong
; The access log file
; Default: not set
;access.log = log/$pool.access.log
; The access log format.
; The following syntax is allowed
; %%: the '%' character
; %C: %CPU used by the request
; it can accept the following format:
; - %{user}C for user CPU only
; - %{system}C for system CPU only
; - %{total}C for user + system CPU (default)
; %d: time taken to serve the request
; it can accept the following format:
; - %{seconds}d (default)
; - %{miliseconds}d
; - %{mili}d
; - %{microseconds}d
; - %{micro}d
; %e: an environment variable (same as $_ENV or $_SERVER)
; it must be associated with embraces to specify the name of the env
; variable. Some exemples:
; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
; %f: script filename
; %l: content-length of the request (for POST request only)
; %m: request method
; %M: peak of memory allocated by PHP
; it can accept the following format:
; - %{bytes}M (default)
; - %{kilobytes}M
; - %{kilo}M
; - %{megabytes}M
; - %{mega}M
; %n: pool name
; %o: output header
; it must be associated with embraces to specify the name of the header:
; - %{Content-Type}o
; - %{X-Powered-By}o
; - %{Transfert-Encoding}o
; - ....
; %p: PID of the child that serviced the request
; %P: PID of the parent of the child that serviced the request
; %q: the query string
; %Q: the '?' character if query string exists
; %r: the request URI (without the query string, see %q and %Q)
; %R: remote IP address
; %s: status (response code)
; %t: server time the request was received
; it can accept a strftime(3) format:
; %d/%b/%Y:%H:%M:%S %z (default)
; %T: time the log has been written (the request has finished)
; it can accept a strftime(3) format:
; %d/%b/%Y:%H:%M:%S %z (default)
; %u: remote user
;
; Default: "%R - %u %t \"%m %r\" %s"
;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
; The log file for slow requests
; Default Value: not set
; Note: slowlog is mandatory if request_slowlog_timeout is set
;slowlog = log/$pool.log.slow
; The timeout for serving a single request after which a PHP backtrace will be
; dumped to the 'slowlog' file. A value of '0s' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_slowlog_timeout = 0
; Depth of slow log stack trace.
; Default Value: 20
;request_slowlog_trace_depth = 20
; The timeout for serving a single request after which the worker process will
; be killed. This option should be used when the 'max_execution_time' ini option
; does not stop script execution for some reason. A value of '0' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_terminate_timeout = 0
; Set open file descriptor rlimit.
; Default Value: system defined value
;rlimit_files = 1024
; Set max core size rlimit.
; Possible Values: 'unlimited' or an integer greater or equal to 0
; Default Value: system defined value
;rlimit_core = 0
; Chroot to this directory at the start. This value must be defined as an
; absolute path. When this value is not set, chroot is not used.
; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
; of its subdirectories. If the pool prefix is not set, the global prefix
; will be used instead.
; Note: chrooting is a great security feature and should be used whenever
; possible. However, all PHP paths will be relative to the chroot
; (error_log, sessions.save_path, ...).
; Default Value: not set
;chroot =
; Chdir to this directory at the start.
; Note: relative path can be used.
; Default Value: current directory or / when chroot
;chdir = /var/www
; Redirect worker stdout and stderr into main error log. If not set, stdout and
; stderr will be redirected to /dev/null according to FastCGI specs.
; Note: on highloaded environement, this can cause some delay in the page
; process time (several ms).
; Default Value: no
catch_workers_output = yes
; Clear environment in FPM workers
; Prevents arbitrary environment variables from reaching FPM worker processes
; by clearing the environment in workers before env vars specified in this
; pool configuration are added.
; Setting to "no" will make all environment variables available to PHP code
; via getenv(), $_ENV and $_SERVER.
; Default Value: yes
;clear_env = no
; Limits the extensions of the main script FPM will allow to parse. This can
; prevent configuration mistakes on the web server side. You should only limit
; FPM to .php extensions to prevent malicious users to use other extensions to
; execute php code.
; Note: set an empty value to allow all extensions.
; Default Value: .php
;security.limit_extensions = .php .php3 .php4 .php5 .php7
; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
; the current environment.
; Default Value: clean env
;env[HOSTNAME] = $HOSTNAME
;env[PATH] = /usr/local/bin:/usr/bin:/bin
;env[TMP] = /tmp
;env[TMPDIR] = /tmp
;env[TEMP] = /tmp
; Additional php.ini defines, specific to this pool of workers. These settings
; overwrite the values previously defined in the php.ini. The directives are the
; same as the PHP SAPI:
; php_value/php_flag - you can set classic ini defines which can
; be overwritten from PHP call 'ini_set'.
; php_admin_value/php_admin_flag - these directives won't be overwritten by
; PHP call 'ini_set'
; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
; Defining 'extension' will load the corresponding shared extension from
; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
; overwrite previously defined php.ini values, but will append the new value
; instead.
; Note: path INI options can be relative and will be expanded with the prefix
; (pool, global or /usr)
; Default Value: nothing is defined by default except the values in php.ini and
; specified at startup with the -d argument
;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
;php_flag[display_errors] = off
;php_admin_value[error_log] = /var/log/fpm-php.www.log
;php_admin_flag[log_errors] = on
;php_admin_value[memory_limit] = 32M

1946
roles/php-fpm/templates/php7.3-php.ini.j2
View File

File diff suppressed because it is too large Load Diff

428
roles/php-fpm/templates/php7.3-pool.conf.j2
View File

@@ -1,428 +0,0 @@
{% set domain_name = item.domain_name %}
; Start a new pool named '{{ domain_name }}'.
; the variable $pool can be used in any directive and will be replaced by the
; pool name ('{{ domain_name }}' here)
[{{ domain_name }}]
; Per pool prefix
; It only applies on the following directives:
; - 'access.log'
; - 'slowlog'
; - 'listen' (unixsocket)
; - 'chroot'
; - 'chdir'
; - 'php_values'
; - 'php_admin_values'
; When not set, the global prefix (or /usr) applies instead.
; Note: This directive can also be relative to the global prefix.
; Default Value: none
;prefix = /path/to/pools/$pool
; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's group
; will be used.
user = nginx
group = nginx
; The address on which to accept FastCGI requests.
; Valid syntaxes are:
; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
; a specific port;
; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
; a specific port;
; 'port' - to listen on a TCP socket to all addresses
; (IPv6 and IPv4-mapped) on a specific port;
; '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory.
listen = /run/php/php7.3-fpm-{{ domain_name }}.sock
; Set listen(2) backlog.
; Default Value: 511 (-1 on FreeBSD and OpenBSD)
;listen.backlog = 511
; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many
; BSD-derived systems allow connections regardless of permissions.
; Default Values: user and group are set as the running user
; mode is set to 0660
listen.owner = nginx
listen.group = nginx
;listen.mode = 0660
; When POSIX Access Control Lists are supported you can set them using
; these options, value is a comma separated list of user/group names.
; When set, listen.owner and listen.group are ignored
;listen.acl_users =
;listen.acl_groups =
; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
; must be separated by a comma. If this value is left blank, connections will be
; accepted from any ip address.
; Default Value: any
;listen.allowed_clients = 127.0.0.1
; Specify the nice(2) priority to apply to the pool processes (only if set)
; The value can vary from -19 (highest priority) to 20 (lower priority)
; Note: - It will only work if the FPM master process is launched as root
; - The pool processes will inherit the master process priority
; unless it specified otherwise
; Default Value: no set
; process.priority = -19
; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user
; or group is differrent than the master process user. It allows to create process
; core dump and ptrace the process for the pool user.
; Default Value: no
; process.dumpable = yes
; Choose how the process manager will control the number of child processes.
; Possible Values:
; static - a fixed number (pm.max_children) of child processes;
; dynamic - the number of child processes are set dynamically based on the
; following directives. With this process management, there will be
; always at least 1 children.
; pm.max_children - the maximum number of children that can
; be alive at the same time.
; pm.start_servers - the number of children created on startup.
; pm.min_spare_servers - the minimum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is less than this
; number then some children will be created.
; pm.max_spare_servers - the maximum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is greater than this
; number then some children will be killed.
; ondemand - no children are created at startup. Children will be forked when
; new requests will connect. The following parameter are used:
; pm.max_children - the maximum number of children that
; can be alive at the same time.
; pm.process_idle_timeout - The number of seconds after which
; an idle process will be killed.
; Note: This value is mandatory.
pm = dynamic
; The number of child processes to be created when pm is set to 'static' and the
; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
; This value sets the limit on the number of simultaneous requests that will be
; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
; CGI. The below defaults are based on a server without much resources. Don't
; forget to tweak pm.* to fit your needs.
; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
; Note: This value is mandatory.
pm.max_children = 5
; The number of child processes created on startup.
; Note: Used only when pm is set to 'dynamic'
; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
pm.start_servers = 2
; The desired minimum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.min_spare_servers = 1
; The desired maximum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.max_spare_servers = 3
; The number of seconds after which an idle process will be killed.
; Note: Used only when pm is set to 'ondemand'
; Default Value: 10s
;pm.process_idle_timeout = 10s;
; The number of requests each child process should execute before respawning.
; This can be useful to work around memory leaks in 3rd party libraries. For
; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
; Default Value: 0
;pm.max_requests = 500
; The URI to view the FPM status page. If this value is not set, no URI will be
; recognized as a status page. It shows the following informations:
; pool - the name of the pool;
; process manager - static, dynamic or ondemand;
; start time - the date and time FPM has started;
; start since - number of seconds since FPM has started;
; accepted conn - the number of request accepted by the pool;
; listen queue - the number of request in the queue of pending
; connections (see backlog in listen(2));
; max listen queue - the maximum number of requests in the queue
; of pending connections since FPM has started;
; listen queue len - the size of the socket queue of pending connections;
; idle processes - the number of idle processes;
; active processes - the number of active processes;
; total processes - the number of idle + active processes;
; max active processes - the maximum number of active processes since FPM
; has started;
; max children reached - number of times, the process limit has been reached,
; when pm tries to start more children (works only for
; pm 'dynamic' and 'ondemand');
; Value are updated in real time.
; Example output:
; pool: www
; process manager: static
; start time: 01/Jul/2011:17:53:49 +0200
; start since: 62636
; accepted conn: 190460
; listen queue: 0
; max listen queue: 1
; listen queue len: 42
; idle processes: 4
; active processes: 11
; total processes: 15
; max active processes: 12
; max children reached: 0
;
; By default the status page output is formatted as text/plain. Passing either
; 'html', 'xml' or 'json' in the query string will return the corresponding
; output syntax. Example:
; http://www.foo.bar/status
; http://www.foo.bar/status?json
; http://www.foo.bar/status?html
; http://www.foo.bar/status?xml
;
; By default the status page only outputs short status. Passing 'full' in the
; query string will also return status for each pool process.
; Example:
; http://www.foo.bar/status?full
; http://www.foo.bar/status?json&full
; http://www.foo.bar/status?html&full
; http://www.foo.bar/status?xml&full
; The Full status returns for each process:
; pid - the PID of the process;
; state - the state of the process (Idle, Running, ...);
; start time - the date and time the process has started;
; start since - the number of seconds since the process has started;
; requests - the number of requests the process has served;
; request duration - the duration in µs of the requests;
; request method - the request method (GET, POST, ...);
; request URI - the request URI with the query string;
; content length - the content length of the request (only with POST);
; user - the user (PHP_AUTH_USER) (or '-' if not set);
; script - the main script called (or '-' if not set);
; last request cpu - the %cpu the last request consumed
; it's always 0 if the process is not in Idle state
; because CPU calculation is done when the request
; processing has terminated;
; last request memory - the max amount of memory the last request consumed
; it's always 0 if the process is not in Idle state
; because memory calculation is done when the request
; processing has terminated;
; If the process is in Idle state, then informations are related to the
; last request the process has served. Otherwise informations are related to
; the current request being served.
; Example output:
; ************************
; pid: 31330
; state: Running
; start time: 01/Jul/2011:17:53:49 +0200
; start since: 63087
; requests: 12808
; request duration: 1250261
; request method: GET
; request URI: /test_mem.php?N=10000
; content length: 0
; user: -
; script: /home/fat/web/docs/php/test_mem.php
; last request cpu: 0.00
; last request memory: 0
;
; Note: There is a real-time FPM status monitoring sample web page available
; It's available in: /usr/share/php/7.3/fpm/status.html
;
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
;pm.status_path = /status
; The ping URI to call the monitoring page of FPM. If this value is not set, no
; URI will be recognized as a ping page. This could be used to test from outside
; that FPM is alive and responding, or to
; - create a graph of FPM availability (rrd or such);
; - remove a server from a group if it is not responding (load balancing);
; - trigger alerts for the operating team (24/7).
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
;ping.path = /ping
; This directive may be used to customize the response of a ping request. The
; response is formatted as text/plain with a 200 response code.
; Default Value: pong
;ping.response = pong
; The access log file
; Default: not set
;access.log = log/$pool.access.log
; The access log format.
; The following syntax is allowed
; %%: the '%' character
; %C: %CPU used by the request
; it can accept the following format:
; - %{user}C for user CPU only
; - %{system}C for system CPU only
; - %{total}C for user + system CPU (default)
; %d: time taken to serve the request
; it can accept the following format:
; - %{seconds}d (default)
; - %{miliseconds}d
; - %{mili}d
; - %{microseconds}d
; - %{micro}d
; %e: an environment variable (same as $_ENV or $_SERVER)
; it must be associated with embraces to specify the name of the env
; variable. Some exemples:
; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
; %f: script filename
; %l: content-length of the request (for POST request only)
; %m: request method
; %M: peak of memory allocated by PHP
; it can accept the following format:
; - %{bytes}M (default)
; - %{kilobytes}M
; - %{kilo}M
; - %{megabytes}M
; - %{mega}M
; %n: pool name
; %o: output header
; it must be associated with embraces to specify the name of the header:
; - %{Content-Type}o
; - %{X-Powered-By}o
; - %{Transfert-Encoding}o
; - ....
; %p: PID of the child that serviced the request
; %P: PID of the parent of the child that serviced the request
; %q: the query string
; %Q: the '?' character if query string exists
; %r: the request URI (without the query string, see %q and %Q)
; %R: remote IP address
; %s: status (response code)
; %t: server time the request was received
; it can accept a strftime(3) format:
; The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
; %T: time the log has been written (the request has finished)
; it can accept a strftime(3) format:
; The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
; %u: remote user
;
; Default: "%R - %u %t \"%m %r\" %s"
;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
; The log file for slow requests
; Default Value: not set
; Note: slowlog is mandatory if request_slowlog_timeout is set
;slowlog = log/$pool.log.slow
; The timeout for serving a single request after which a PHP backtrace will be
; dumped to the 'slowlog' file. A value of '0s' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_slowlog_timeout = 0
; Depth of slow log stack trace.
; Default Value: 20
;request_slowlog_trace_depth = 20
; The timeout for serving a single request after which the worker process will
; be killed. This option should be used when the 'max_execution_time' ini option
; does not stop script execution for some reason. A value of '0' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_terminate_timeout = 0
; Set open file descriptor rlimit.
; Default Value: system defined value
;rlimit_files = 1024
; Set max core size rlimit.
; Possible Values: 'unlimited' or an integer greater or equal to 0
; Default Value: system defined value
;rlimit_core = 0
; Chroot to this directory at the start. This value must be defined as an
; absolute path. When this value is not set, chroot is not used.
; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
; of its subdirectories. If the pool prefix is not set, the global prefix
; will be used instead.
; Note: chrooting is a great security feature and should be used whenever
; possible. However, all PHP paths will be relative to the chroot
; (error_log, sessions.save_path, ...).
; Default Value: not set
;chroot =
; Chdir to this directory at the start.
; Note: relative path can be used.
; Default Value: current directory or / when chroot
;chdir = /var/www
; Redirect worker stdout and stderr into main error log. If not set, stdout and
; stderr will be redirected to /dev/null according to FastCGI specs.
; Note: on highloaded environement, this can cause some delay in the page
; process time (several ms).
; Default Value: no
;catch_workers_output = yes
; Decorate worker output with prefix and suffix containing information about
; the child that writes to the log and if stdout or stderr is used as well as
; log level and time. This options is used only if catch_workers_output is yes.
; Settings to "no" will output data as written to the stdout or stderr.
; Default value: yes
;decorate_workers_output = no
; Clear environment in FPM workers
; Prevents arbitrary environment variables from reaching FPM worker processes
; by clearing the environment in workers before env vars specified in this
; pool configuration are added.
; Setting to "no" will make all environment variables available to PHP code
; via getenv(), $_ENV and $_SERVER.
; Default Value: yes
;clear_env = no
; Limits the extensions of the main script FPM will allow to parse. This can
; prevent configuration mistakes on the web server side. You should only limit
; FPM to .php extensions to prevent malicious users to use other extensions to
; execute php code.
; Note: set an empty value to allow all extensions.
; Default Value: .php
;security.limit_extensions = .php .php3 .php4 .php5 .php7
; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
; the current environment.
; Default Value: clean env
;env[HOSTNAME] = $HOSTNAME
;env[PATH] = /usr/local/bin:/usr/bin:/bin
;env[TMP] = /tmp
;env[TMPDIR] = /tmp
;env[TEMP] = /tmp
; Additional php.ini defines, specific to this pool of workers. These settings
; overwrite the values previously defined in the php.ini. The directives are the
; same as the PHP SAPI:
; php_value/php_flag - you can set classic ini defines which can
; be overwritten from PHP call 'ini_set'.
; php_admin_value/php_admin_flag - these directives won't be overwritten by
; PHP call 'ini_set'
; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
; Defining 'extension' will load the corresponding shared extension from
; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
; overwrite previously defined php.ini values, but will append the new value
; instead.
; Note: path INI options can be relative and will be expanded with the prefix
; (pool, global or /usr)
; Default Value: nothing is defined by default except the values in php.ini and
; specified at startup with the -d argument
;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
;php_flag[display_errors] = off
;php_admin_value[error_log] = /var/log/fpm-php.www.log
;php_admin_flag[log_errors] = on
;php_admin_value[memory_limit] = 32M

2
roles/php-fpm/defaults/main.yml → roles/php_fpm/defaults/main.yml
View File

@@ -1,5 +1,5 @@
--- ---
# file: roles/php-fpm/defaults/main.yml # ansible.builtin.file: roles/php-fpm/defaults/main.yml
# default is on, but turn it off because of protection in nginx vhosts # default is on, but turn it off because of protection in nginx vhosts
cgi_fix_pathinfo: 0 cgi_fix_pathinfo: 0

8
roles/php_fpm/handlers/main.yml Normal file
View File

@@ -0,0 +1,8 @@
---
# For Debian 12
- name: Reload php8.2-fpm
ansible.builtin.systemd_service:
name: php8.2-fpm
state: reloaded
# vim: set ts=2 sw=2:

50
roles/php_fpm/tasks/Debian_12.yml Normal file
View File

@@ -0,0 +1,50 @@
---
- name: Install and configure php-fpm
tags: php-fpm
when: install_php
block:
- name: Set php-fpm packages
ansible.builtin.set_fact:
php_fpm_packages:
- php8.2-fpm
# for WordPress
- php8.2-mysql
- php8.2-gd
- php8.2-curl
- php8.2-xml
- name: Install php-fpm and deps
ansible.builtin.apt:
name: "{{ php_fpm_packages }}"
state: present
update_cache: true
# only copy php-fpm config for vhosts that need WordPress or PHP
- name: Copy php-fpm pool config
ansible.builtin.template:
src: php8.2-pool.conf.j2
dest: /etc/php/8.2/fpm/pool.d/{{ item.domain_name }}.conf
owner: root
group: root
mode: "0644"
loop: "{{ nginx_vhosts }}"
when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
notify: Reload php8.2-fpm
- name: Remove default www pool
ansible.builtin.file:
path: /etc/php/8.2/fpm/pool.d/www.conf
state: absent
notify: Reload php8.2-fpm
# re-configure php.ini
- name: Update php.ini
ansible.builtin.template:
src: php8.2-php.ini.j2
dest: /etc/php/8.2/fpm/php.ini
owner: root
group: root
mode: "0644"
notify: Reload php8.2-fpm
# vim: set ts=2 sw=2:

35
roles/php_fpm/tasks/main.yml Normal file
View File

@@ -0,0 +1,35 @@
---
# Debian 12 uses PHP 8.2
# If any of the vhosts on this host need WordPress then we need to install PHP.
# This uses selectattr to filter the list of dicts in nginx_vhosts, selecting
# any that have has_wordpress defined, and has_wordpress set to true.
#
# See: https://stackoverflow.com/a/31896249
- name: Check if any vhost needs WordPress
ansible.builtin.set_fact:
install_php: true
when: nginx_vhosts | selectattr('has_wordpress', 'defined') | selectattr('has_wordpress', 'equalto', true) | list | length > 0
# Legacy, was only for Piwik, but leaving for now.
- name: Check if any vhost needs PHP
ansible.builtin.set_fact:
install_php: true
when: nginx_vhosts | selectattr('needs_php', 'defined') | selectattr('needs_php', 'equalto', true) | list | length > 0
# If install_php has not been set, then we assume no vhosts need PHP. This is
# a bit hacky, but it's the closest we come to an if/then/else.
- name: Set install_php to false
ansible.builtin.set_fact:
install_php: false
when: install_php is not defined
- name: Configure php-fpm on Debian 12
ansible.builtin.include_tasks: Debian_12.yml
when:
- ansible_distribution == 'Debian'
- ansible_distribution_major_version is version('12', '==')
- install_php
tags: php-fpm
# vim: set ts=2 sw=2:

559
roles/php-fpm/templates/php7.4-php.ini.j2 → roles/php_fpm/templates/php8.2-php.ini.j2
View File

File diff suppressed because it is too large Load Diff

Some files were not shown because too many files have changed in this diff Show More