			26 Commits
		
	
	
		
			d4d326c2f7
			...
			debian13
		
	
	| Author | SHA1 | Date | |
|---|---|---|---|
| d51f8fefaa | |||
| 9ff6e19135 | |||
| 4680999680 | |||
| 602734acce | |||
| 0db7911b70 | |||
| ee4c62e5f9 | |||
| a315db8a7c | |||
| 5f00892df3 | |||
| 9357265d27 | |||
| dd62266340 | |||
| a1bec20824 | |||
| 8e91c44529 | |||
| 02d4135c79 | |||
| 37e148d009 | |||
| 73dbbd23b6 | |||
| b84283aa38 | |||
| 1695fdf8d1 | |||
| 9f1f7b1c69 | |||
| 7d725f2084 | |||
| 4c39b0d48c | |||
| f4023d0b20 | |||
| 6aaface4a2 | |||
| 333e1cbeb9 | |||
| 0c62f4bdf0 | |||
| 26f22c0447 | |||
| 05881e2585 | 
| @@ -13,12 +13,6 @@ interpreter_python=auto | |||||||
| # See: https://docs.ansible.com/ansible/latest/user_guide/connection_details.html#managing-host-key-checking | # See: https://docs.ansible.com/ansible/latest/user_guide/connection_details.html#managing-host-key-checking | ||||||
| host_key_checking = False | host_key_checking = False | ||||||
|  |  | ||||||
| ansible_managed = This file is managed by Ansible.%n |  | ||||||
|   template: {file} |  | ||||||
|   date: %Y-%m-%d %H:%M:%S |  | ||||||
|   user: {uid} |  | ||||||
|   host: {host} |  | ||||||
|  |  | ||||||
| [privilege_escalation] | [privilege_escalation] | ||||||
| # instead of using -K | # instead of using -K | ||||||
| become_ask_pass=True | become_ask_pass=True | ||||||
|   | |||||||
| @@ -3,4 +3,12 @@ | |||||||
|  |  | ||||||
| tls_cipher_suite: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" | tls_cipher_suite: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" | ||||||
|  |  | ||||||
|  | ansible_managed: |- | ||||||
|  |   This file is managed by Ansible. | ||||||
|  |  | ||||||
|  |   {{ 'template: ' + template_path }} | ||||||
|  |   {{ 'date: ' + (template_mtime | string) }} | ||||||
|  |   {{ 'user: ' + template_uid }} | ||||||
|  |   {{ 'host: ' + template_host }} | ||||||
|  |  | ||||||
| # vim: set ts=2 sw=2: | # vim: set ts=2 sw=2: | ||||||
|   | |||||||
| @@ -3,7 +3,7 @@ | |||||||
|  |  | ||||||
| # I'm currently not sure when we need to restart versus reload | # I'm currently not sure when we need to restart versus reload | ||||||
| - name: reload caddy | - name: reload caddy | ||||||
|   ansible.builtin.systemd: |   ansible.builtin.systemd_service: | ||||||
|     name: caddy |     name: caddy | ||||||
|     state: reloaded |     state: reloaded | ||||||
|  |  | ||||||
|   | |||||||
| @@ -36,7 +36,7 @@ | |||||||
|     {% elif has_wordpress -%} |     {% elif has_wordpress -%} | ||||||
|     root * {{ document_root }} |     root * {{ document_root }} | ||||||
|     encode |     encode | ||||||
|     {%   if ansible_distribution == 'Debian' and ansible_distribution_major_version is version('12', '==') -%} |     {%   if ansible_distribution_major_version is version('12', '==') -%} | ||||||
|     php_fastcgi unix//run/php/php8.2-fpm-{{ domain_name }}.sock |     php_fastcgi unix//run/php/php8.2-fpm-{{ domain_name }}.sock | ||||||
|     {%   endif -%} |     {%   endif -%} | ||||||
|     file_server |     file_server | ||||||
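Review bot: The php_fastcgi directive is now emitted only when ansible_distribution_major_version is exactly 12, so a has_wordpress vhost on a Debian 13 host (the debian13 branch named in the compare header) would render with `root`, `encode` and `file_server` but no PHP handler, and file_server would then hand out the .php files as static content. If 13 is meant to be supported, the PHP-FPM socket version should follow the release rather than gate the whole directive, e.g. `php_fastcgi unix//run/php/php{{ php_fpm_version }}-fpm-{{ domain_name }}.sock` with `php_fpm_version` (a constructed name) set per major version in the role's vars. The enclosing `{% if %}`/`{% elif has_wordpress %}` chain starts outside the hunk.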
|   | |||||||
| @@ -8,7 +8,7 @@ fail2ban_maxretry: 6 | |||||||
| fail2ban_findtime: 3600 | fail2ban_findtime: 3600 | ||||||
| # 2 weeks in seconds | # 2 weeks in seconds | ||||||
| fail2ban_bantime: 1209600 | fail2ban_bantime: 1209600 | ||||||
| fail2ban_ignoreip: 127.0.0.1/8 | fail2ban_ignoreip: 127.0.0.0/8 | ||||||
|  |  | ||||||
| # Disable SSH passwords. Must use SSH keys. This is OK because we add the keys | # Disable SSH passwords. Must use SSH keys. This is OK because we add the keys | ||||||
| # before re-configuring the SSH daemon to disable passwords. | # before re-configuring the SSH daemon to disable passwords. | ||||||
|   | |||||||
| @@ -1 +0,0 @@ | |||||||
| provisioning   ALL=(ALL)  ALL |  | ||||||
| @@ -1,27 +1,27 @@ | |||||||
| --- | --- | ||||||
| # ansible.builtin.file: roles/common/handlers/main.yml | # ansible.builtin.file: roles/common/handlers/main.yml | ||||||
|  |  | ||||||
| - name: reload sshd | - name: Reload sshd | ||||||
|   ansible.builtin.systemd: |   ansible.builtin.systemd_service: | ||||||
|     name: "{{ sshd_service_name }}" |     name: "{{ sshd_service_name }}" | ||||||
|     state: reloaded |     state: reloaded | ||||||
|  |  | ||||||
| - name: reload sysctl | - name: Reload sysctl | ||||||
|   ansible.builtin.command: sysctl -p /etc/sysctl.conf |   ansible.builtin.command: sysctl -p /etc/sysctl.conf | ||||||
|  |  | ||||||
| - name: reload systemd | - name: Reload systemd | ||||||
|   ansible.builtin.systemd: |   ansible.builtin.systemd_service: | ||||||
|     daemon_reload: true |     daemon_reload: true | ||||||
|  |  | ||||||
| - name: restart nftables | - name: Restart nftables | ||||||
|   ansible.builtin.systemd: |   ansible.builtin.systemd_service: | ||||||
|     name: nftables |     name: nftables | ||||||
|     state: restarted |     state: restarted | ||||||
|  |  | ||||||
| # 2021-09-28: note to self to keep fail2ban at the end, as handlers are executed | # 2021-09-28: note to self to keep fail2ban at the end, as handlers are executed | ||||||
| # in the order they are defined, not in the order they are listed in the task's | # in the order they are defined, not in the order they are listed in the task's | ||||||
| # notify statement and we must restart fail2ban after updating the firewall. | # notify statement and we must restart fail2ban after updating the firewall. | ||||||
| - name: restart fail2ban | - name: Restart fail2ban | ||||||
|   ansible.builtin.systemd: |   ansible.builtin.systemd_service: | ||||||
|     name: fail2ban |     name: fail2ban | ||||||
|     state: restarted |     state: restarted | ||||||
|   | |||||||
| @@ -1,7 +1,7 @@ | |||||||
| --- | --- | ||||||
| - name: Install fail2ban | - name: Install fail2ban | ||||||
|   when: ansible_distribution_major_version is version('11', '>=') |   when: ansible_distribution_version is version('11', '>=') | ||||||
|   ansible.builtin.package: |   ansible.builtin.apt: | ||||||
|     name: |     name: | ||||||
|       - fail2ban |       - fail2ban | ||||||
|       - python3-systemd |       - python3-systemd | ||||||
| @@ -14,7 +14,7 @@ | |||||||
|     dest: /etc/fail2ban/jail.d/sshd.local |     dest: /etc/fail2ban/jail.d/sshd.local | ||||||
|     owner: root |     owner: root | ||||||
|     mode: "0644" |     mode: "0644" | ||||||
|   notify: restart fail2ban |   notify: Restart fail2ban | ||||||
|  |  | ||||||
| - name: Configure fail2ban nginx filter | - name: Configure fail2ban nginx filter | ||||||
|   when: |   when: | ||||||
| @@ -26,7 +26,7 @@ | |||||||
|     dest: /etc/fail2ban/jail.d/nginx.local |     dest: /etc/fail2ban/jail.d/nginx.local | ||||||
|     owner: root |     owner: root | ||||||
|     mode: "0644" |     mode: "0644" | ||||||
|   notify: restart fail2ban |   notify: Restart fail2ban | ||||||
|  |  | ||||||
| - name: Create fail2ban service override directory | - name: Create fail2ban service override directory | ||||||
|   ansible.builtin.file: |   ansible.builtin.file: | ||||||
| @@ -43,11 +43,11 @@ | |||||||
|     owner: root |     owner: root | ||||||
|     mode: "0644" |     mode: "0644" | ||||||
|   notify: |   notify: | ||||||
|     - reload systemd |     - Reload systemd | ||||||
|     - restart fail2ban |     - Restart fail2ban | ||||||
|  |  | ||||||
| - name: Start and enable fail2ban service | - name: Start and enable fail2ban service | ||||||
|   ansible.builtin.systemd: |   ansible.builtin.systemd_service: | ||||||
|     name: fail2ban |     name: fail2ban | ||||||
|     state: started |     state: started | ||||||
|     enabled: true |     enabled: true | ||||||
|   | |||||||
| @@ -2,27 +2,24 @@ | |||||||
| # Debian 11+ will use nftables directly, with no firewalld. | # Debian 11+ will use nftables directly, with no firewalld. | ||||||
|  |  | ||||||
| - name: Install Debian firewall packages | - name: Install Debian firewall packages | ||||||
|   when: ansible_distribution_major_version is version('11', '>=') |   when: ansible_distribution_version is version('11', '>=') | ||||||
|   ansible.builtin.package: |   ansible.builtin.apt: | ||||||
|     name: |     name: nftables | ||||||
|       - libnet-ip-perl # for aggregate-cidr-addresses.pl |  | ||||||
|       - nftables |  | ||||||
|       - curl # for nftables update scripts |  | ||||||
|     state: present |     state: present | ||||||
|     cache_valid_time: 3600 |     cache_valid_time: 3600 | ||||||
|  |  | ||||||
| - name: Remove iptables on newer Debian | - name: Remove iptables on newer Debian | ||||||
|   when: ansible_distribution_major_version is version('11', '>=') |   when: ansible_distribution_version is version('11', '>=') | ||||||
|   ansible.builtin.apt: |   ansible.builtin.apt: | ||||||
|     pkg: iptables |     pkg: iptables | ||||||
|     state: absent |     state: absent | ||||||
|  |  | ||||||
| - name: Configure nftables | - name: Configure nftables | ||||||
|   ansible.builtin.include_tasks: nftables.yml |  | ||||||
|   when: ansible_distribution_version is version('11', '>=') |   when: ansible_distribution_version is version('11', '>=') | ||||||
|  |   ansible.builtin.include_tasks: nftables.yml | ||||||
|  |  | ||||||
| - ansible.builtin.include_tasks: fail2ban.yml | - name: Configure fail2ban | ||||||
|   when: |   when: ansible_distribution_version is version('9', '>=') | ||||||
|     - ansible_distribution_major_version is version('9', '>=') |   ansible.builtin.include_tasks: fail2ban.yml | ||||||
|  |  | ||||||
| # vim: set sw=2 ts=2: | # vim: set sw=2 ts=2: | ||||||
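Review bot: The package task at the top of the hunk drops libnet-ip-perl and curl, whose inline comments said they are needed by aggregate-cidr-addresses.pl and the nftables update scripts, yet the nftables hunk further down this page still deploys /usr/local/bin/aggregate-cidr-addresses.pl together with the update scripts and timers. Unless those packages are now installed elsewhere (not visible here), the update timers will fail at runtime on a freshly provisioned host. Keeping the dependency list, `name: [nftables, libnet-ip-perl, curl]` or the original block list, preserves it; if the scripts were rewritten not to need them, a comment saying so on the task would save the next reader the same question.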
|   | |||||||
| @@ -27,9 +27,9 @@ | |||||||
|     dest: /etc/sysctl.conf |     dest: /etc/sysctl.conf | ||||||
|     owner: root |     owner: root | ||||||
|     group: root |     group: root | ||||||
|     mode: 0644 |     mode: "0644" | ||||||
|   notify: |   notify: | ||||||
|     - reload sysctl |     - Reload sysctl | ||||||
|   tags: sysctl |   tags: sysctl | ||||||
|  |  | ||||||
| - name: Set I/O scheduler | - name: Set I/O scheduler | ||||||
| @@ -38,7 +38,7 @@ | |||||||
|     dest: /etc/udev/rules.d/60-scheduler.rules |     dest: /etc/udev/rules.d/60-scheduler.rules | ||||||
|     owner: root |     owner: root | ||||||
|     group: root |     group: root | ||||||
|     mode: 0644 |     mode: "0644" | ||||||
|   tags: udev |   tags: udev | ||||||
|  |  | ||||||
| - name: Copy admin SSH keys | - name: Copy admin SSH keys | ||||||
|   | |||||||
| @@ -8,8 +8,8 @@ | |||||||
|     owner: root |     owner: root | ||||||
|     mode: "0644" |     mode: "0644" | ||||||
|   notify: |   notify: | ||||||
|     - restart nftables |     - Restart nftables | ||||||
|     - restart fail2ban |     - Restart fail2ban | ||||||
|  |  | ||||||
| - name: Create /etc/nftables extra config directory | - name: Create /etc/nftables extra config directory | ||||||
|   ansible.builtin.file: |   ansible.builtin.file: | ||||||
| @@ -29,8 +29,8 @@ | |||||||
|   loop: |   loop: | ||||||
|     - { src: firehol_level1-ipv4.nft, force: false } |     - { src: firehol_level1-ipv4.nft, force: false } | ||||||
|   notify: |   notify: | ||||||
|     - restart nftables |     - Restart nftables | ||||||
|     - restart fail2ban |     - Restart fail2ban | ||||||
|  |  | ||||||
| - name: Copy nftables update scripts | - name: Copy nftables update scripts | ||||||
|   ansible.builtin.template: |   ansible.builtin.template: | ||||||
| @@ -58,8 +58,8 @@ | |||||||
|     - /etc/systemd/system/update-spamhaus-nftables.timer |     - /etc/systemd/system/update-spamhaus-nftables.timer | ||||||
|     - /usr/local/bin/aggregate-cidr-addresses.pl |     - /usr/local/bin/aggregate-cidr-addresses.pl | ||||||
|   notify: |   notify: | ||||||
|     - restart nftables |     - Restart nftables | ||||||
|     - restart fail2ban |     - Restart fail2ban | ||||||
|  |  | ||||||
| - name: Copy nftables systemd units | - name: Copy nftables systemd units | ||||||
|   ansible.builtin.copy: |   ansible.builtin.copy: | ||||||
| @@ -75,12 +75,12 @@ | |||||||
|  |  | ||||||
| # need to reload to pick up service/timer/environment changes | # need to reload to pick up service/timer/environment changes | ||||||
| - name: Reload systemd daemon | - name: Reload systemd daemon | ||||||
|   ansible.builtin.systemd: # noqa no-handler |  | ||||||
|     daemon_reload: true |  | ||||||
|   when: nftables_systemd_units is changed |   when: nftables_systemd_units is changed | ||||||
|  |   ansible.builtin.systemd_service: # noqa no-handler | ||||||
|  |     daemon_reload: true | ||||||
|  |  | ||||||
| - name: Start and enable nftables update timers | - name: Start and enable nftables update timers | ||||||
|   ansible.builtin.systemd: |   ansible.builtin.systemd_service: | ||||||
|     name: "{{ item }}" |     name: "{{ item }}" | ||||||
|     state: started |     state: started | ||||||
|     enabled: true |     enabled: true | ||||||
| @@ -88,7 +88,7 @@ | |||||||
|     - update-firehol-nftables.timer |     - update-firehol-nftables.timer | ||||||
|  |  | ||||||
| - name: Start and enable nftables | - name: Start and enable nftables | ||||||
|   ansible.builtin.systemd: |   ansible.builtin.systemd_service: | ||||||
|     name: nftables |     name: nftables | ||||||
|     state: started |     state: started | ||||||
|     enabled: true |     enabled: true | ||||||
|   | |||||||
| @@ -12,11 +12,9 @@ | |||||||
|  |  | ||||||
| # Apparently some cloud images don't have this installed by default. From what | # Apparently some cloud images don't have this installed by default. From what | ||||||
| # I can see on existing servers, systemd-timesyncd is a standalone package on | # I can see on existing servers, systemd-timesyncd is a standalone package on | ||||||
| # Debian 11. | # Debian 11 and Debian 12. | ||||||
| - name: Install systemd-timesyncd | - name: Install systemd-timesyncd | ||||||
|   when: |   when: ansible_distribution_version is version('11', '>=') | ||||||
|     - ansible_distribution == 'Debian' |  | ||||||
|     - ansible_distribution_version is version('11', '>=')) |  | ||||||
|   ansible.builtin.apt: |   ansible.builtin.apt: | ||||||
|     name: systemd-timesyncd |     name: systemd-timesyncd | ||||||
|     state: present |     state: present | ||||||
| @@ -24,13 +22,17 @@ | |||||||
|  |  | ||||||
| - name: Start and enable systemd's NTP client | - name: Start and enable systemd's NTP client | ||||||
|   when: ansible_service_mgr == 'systemd' |   when: ansible_service_mgr == 'systemd' | ||||||
|   ansible.builtin.systemd: |   ansible.builtin.systemd_service: | ||||||
|     name: systemd-timesyncd |     name: systemd-timesyncd | ||||||
|     state: started |     state: started | ||||||
|     enabled: true |     enabled: true | ||||||
|  |  | ||||||
| - name: Uninstall ntp on modern Debian | # On Debian 12 ntp doesn't conflict with systemd-timesyncd so we should try to | ||||||
|   when: ansible_service_mgr == 'systemd' | # remove it to be sure. | ||||||
|  | - name: Uninstall ntp on Debian 12 | ||||||
|  |   when: | ||||||
|  |     - ansible_service_mgr == 'systemd' | ||||||
|  |     - ansible_distribution_major_version is version('12', '==') | ||||||
|   ansible.builtin.apt: |   ansible.builtin.apt: | ||||||
|     name: ntp |     name: ntp | ||||||
|     state: absent |     state: absent | ||||||
|   | |||||||
| @@ -1,5 +1,6 @@ | |||||||
| --- | --- | ||||||
| - name: Configure Debian packages | - name: Configure Debian packages | ||||||
|  |   tags: packages | ||||||
|   block: |   block: | ||||||
|     # Scaleway seems to use a weird sources.list format as of Debian 12? |     # Scaleway seems to use a weird sources.list format as of Debian 12? | ||||||
|     - name: Check for weird Debian sources |     - name: Check for weird Debian sources | ||||||
| @@ -16,7 +17,7 @@ | |||||||
|         dest: /etc/apt/sources.list |         dest: /etc/apt/sources.list | ||||||
|         owner: root |         owner: root | ||||||
|         group: root |         group: root | ||||||
|         mode: 0644 |         mode: "0644" | ||||||
|  |  | ||||||
|     - name: Set fact for base packages |     - name: Set fact for base packages | ||||||
|       ansible.builtin.set_fact: |       ansible.builtin.set_fact: | ||||||
| @@ -47,11 +48,10 @@ | |||||||
|         cache_valid_time: 3600 |         cache_valid_time: 3600 | ||||||
|  |  | ||||||
|     - name: Remove cron-apt |     - name: Remove cron-apt | ||||||
|       ansible.builtin.import_tasks: cron-apt.yml |  | ||||||
|       tags: cron-apt |       tags: cron-apt | ||||||
|  |       ansible.builtin.import_tasks: cron-apt.yml | ||||||
|  |  | ||||||
|     - name: Install tarsnap |     - name: Install tarsnap | ||||||
|       ansible.builtin.import_tasks: tarsnap.yml |       ansible.builtin.import_tasks: tarsnap.yml | ||||||
|   tags: packages |  | ||||||
|  |  | ||||||
| # vim: set sw=2 ts=2: | # vim: set sw=2 ts=2: | ||||||
|   | |||||||
| @@ -1,13 +1,26 @@ | |||||||
| --- | --- | ||||||
| # SSH configs don't change in Debian minor versions | # Only override the system sshd configuration on older Debian. | ||||||
| - name: Reconfigure /etc/ssh/sshd_config | - name: Reconfigure /etc/ssh/sshd_config | ||||||
|  |   when: ansible_distribution_version is version('12', '<=') | ||||||
|   ansible.builtin.template: |   ansible.builtin.template: | ||||||
|     src: "sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.j2" |     src: "sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.j2" | ||||||
|     dest: /etc/ssh/sshd_config |     dest: /etc/ssh/sshd_config | ||||||
|     owner: root |     owner: root | ||||||
|     group: root |     group: root | ||||||
|     mode: 0600 |     mode: "0600" | ||||||
|   notify: reload sshd |   notify: Reload sshd | ||||||
|  |  | ||||||
|  | # Newer OpenSSH versions support including extra configuration. The includes | ||||||
|  | # happen at the beginning of the file and the first value to be read is used. | ||||||
|  | - name: Configure sshd_config.d overrides | ||||||
|  |   when: ansible_distribution_version is version('13', '>=') | ||||||
|  |   ansible.builtin.template: | ||||||
|  |     src: etc/ssh/sshd_config.d/01-{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.conf.j2 | ||||||
|  |     dest: /etc/ssh/sshd_config.d/01-custom.conf | ||||||
|  |     owner: root | ||||||
|  |     group: root | ||||||
|  |     mode: "0600" | ||||||
|  |   notify: Reload sshd | ||||||
|  |  | ||||||
| # See: WeakDH (2015): https://weakdh.org/sysadmin.html | # See: WeakDH (2015): https://weakdh.org/sysadmin.html | ||||||
| - name: Remove small Diffie-Hellman SSH moduli | - name: Remove small Diffie-Hellman SSH moduli | ||||||
| @@ -33,7 +46,7 @@ | |||||||
|         cmd: mv moduli.safe moduli |         cmd: mv moduli.safe moduli | ||||||
|         chdir: /etc/ssh |         chdir: /etc/ssh | ||||||
|       register: replace_small_moduli |       register: replace_small_moduli | ||||||
|       notify: reload sshd |       notify: Reload sshd | ||||||
|  |  | ||||||
| - name: Remove DSA and ECDSA host keys | - name: Remove DSA and ECDSA host keys | ||||||
|   ansible.builtin.file: |   ansible.builtin.file: | ||||||
| @@ -44,6 +57,6 @@ | |||||||
|     - ssh_host_dsa_key.pub |     - ssh_host_dsa_key.pub | ||||||
|     - ssh_host_ecdsa_key |     - ssh_host_ecdsa_key | ||||||
|     - ssh_host_ecdsa_key.pub |     - ssh_host_ecdsa_key.pub | ||||||
|   notify: reload sshd |   notify: Reload sshd | ||||||
|  |  | ||||||
| # vim: set sw=2 ts=2: | # vim: set sw=2 ts=2: | ||||||
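Review bot: The new guard `when: ansible_distribution_version is version('12', '<=')` on the Reconfigure /etc/ssh/sshd_config task compares the full version string, which on Debian point releases carries the minor (for example 12.7), so a Debian 12 host past 12.0 would skip the template while the new sshd_config.d task only runs on 13 or newer, leaving such hosts with an unmanaged sshd_config. Comparing against the next major, `when: ansible_distribution_version is version('13', '<')`, makes the two tasks exact complements regardless of point release (the src line already keys on ansible_distribution_major_version, which would work here too). The comment `# Only override the system sshd configuration on older Debian.` could also state that 13+ is handled by the sshd_config.d task below so the split is visible at a glance.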
|   | |||||||
| @@ -5,6 +5,7 @@ | |||||||
|   register: tarsnap_signing_key_stat |   register: tarsnap_signing_key_stat | ||||||
|  |  | ||||||
| - name: Download tarsnap apt signing key | - name: Download tarsnap apt signing key | ||||||
|  |   when: not tarsnap_signing_key_stat.stat.exists | ||||||
|   ansible.builtin.get_url: |   ansible.builtin.get_url: | ||||||
|     url: https://pkg.tarsnap.com/tarsnap-deb-packaging-key.asc |     url: https://pkg.tarsnap.com/tarsnap-deb-packaging-key.asc | ||||||
|     dest: /etc/apt/keyrings/tarsnap-deb-packaging-key.asc |     dest: /etc/apt/keyrings/tarsnap-deb-packaging-key.asc | ||||||
| @@ -12,9 +13,9 @@ | |||||||
|     group: root |     group: root | ||||||
|     mode: "0644" |     mode: "0644" | ||||||
|   register: download_tarsnap_signing_key |   register: download_tarsnap_signing_key | ||||||
|   when: not tarsnap_signing_key_stat.stat.exists |  | ||||||
|  |  | ||||||
| - name: Add tarsnap.org repo | - name: Add tarsnap.org repo | ||||||
|  |   when: ansible_architecture != 'armv7l' | ||||||
|   ansible.builtin.template: |   ansible.builtin.template: | ||||||
|     src: tarsnap_sources.list.j2 |     src: tarsnap_sources.list.j2 | ||||||
|     dest: /etc/apt/sources.list.d/tarsnap.list |     dest: /etc/apt/sources.list.d/tarsnap.list | ||||||
| @@ -22,12 +23,11 @@ | |||||||
|     group: root |     group: root | ||||||
|     mode: "0644" |     mode: "0644" | ||||||
|   register: add_tarsnap_apt_repository |   register: add_tarsnap_apt_repository | ||||||
|   when: ansible_architecture != 'armv7l' |  | ||||||
|  |  | ||||||
| - name: Update apt cache | - name: Update apt cache | ||||||
|  |   when: (download_tarsnap_signing_key.status_code is defined and download_tarsnap_signing_key.status_code == 200) or add_tarsnap_apt_repository is changed | ||||||
|   ansible.builtin.apt: # noqa no-handler |   ansible.builtin.apt: # noqa no-handler | ||||||
|     update_cache: true |     update_cache: true | ||||||
|   when: (download_tarsnap_signing_key.status_code is defined and download_tarsnap_signing_key.status_code == 200) or add_tarsnap_apt_repository is changed |  | ||||||
|  |  | ||||||
| - name: Install tarsnap | - name: Install tarsnap | ||||||
|   ansible.builtin.apt: |   ansible.builtin.apt: | ||||||
|   | |||||||
| @@ -0,0 +1,40 @@ | |||||||
|  | {{ ansible_managed | comment }} | ||||||
|  |  | ||||||
|  | HostKey /etc/ssh/ssh_host_ed25519_key | ||||||
|  |  | ||||||
|  | # LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear | ||||||
|  | # audit track of which key was using to log in. | ||||||
|  | LogLevel VERBOSE | ||||||
|  |  | ||||||
|  | MaxAuthTries 4 | ||||||
|  |  | ||||||
|  | AuthorizedKeysFile	.ssh/authorized_keys | ||||||
|  |  | ||||||
|  | # To disable tunneled clear text passwords, change to no here! | ||||||
|  | {% if ssh_password_authentication == 'disabled' %} | ||||||
|  | PasswordAuthentication no | ||||||
|  | {% else %} | ||||||
|  | PasswordAuthentication yes | ||||||
|  | {% endif %} | ||||||
|  |  | ||||||
|  | X11Forwarding no | ||||||
|  |  | ||||||
|  | # Based on the ssh-audit profile for Debian 13, but with but with all algos with | ||||||
|  | # less than 256 bits removed, as NSA's Suite B removed them years ago and the | ||||||
|  | # new (2018) CNSA suite is 256 bits and up. | ||||||
|  | # | ||||||
|  | # See: ssh-audit.py -P "Hardened Debian 13 (version 1)" | ||||||
|  | # See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite | ||||||
|  | Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr | ||||||
|  | MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com | ||||||
|  | KexAlgorithms mlkem768x25519-sha256,sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com | ||||||
|  |  | ||||||
|  | {% if ssh_allowed_users is defined and ssh_allowed_users %} | ||||||
|  | AllowUsers {{ ssh_allowed_users|join(" ") }} {{ provisioning_user.name }} | ||||||
|  | {% endif %} | ||||||
|  |  | ||||||
|  | PerSourcePenaltyExemptList {{ fail2ban_ignoreip | replace(" ", ",") }} | ||||||
|  |  | ||||||
|  | # Mask to use for IPv4 and IPv6 respectively when applying network penalties. | ||||||
|  | # The default is 32:128. | ||||||
|  | PerSourceNetBlockSize 24:56 | ||||||
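Review bot: Two comments in the new template read oddly: `# audit track of which key was using to log in.` should be `# audit track of which key was used to log in.`, and `# Based on the ssh-audit profile for Debian 13, but with but with all algos with` duplicates "but with". The filter spacing also alternates between `ssh_allowed_users|join(" ")` and `fail2ban_ignoreip | replace(" ", ",")`; picking one form keeps the template consistent. Note as well that `replace(" ", ",")` assumes fail2ban_ignoreip is a single-space-separated string (which the defaults on this page currently satisfy); a run of spaces would produce empty list entries, so `fail2ban_ignoreip | split | join(",")` would be the more robust form if that variable is ever edited by hand.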
| @@ -6,14 +6,14 @@ PartOf=nftables.service | |||||||
| PrivateDevices=yes | PrivateDevices=yes | ||||||
| PrivateTmp=yes | PrivateTmp=yes | ||||||
| ProtectHome=read-only | ProtectHome=read-only | ||||||
| {% if ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11','>=') %} | {% if ansible_distribution_version is version('11','>=') %} | ||||||
| ProtectSystem=strict | ProtectSystem=strict | ||||||
| {% else %} | {% else %} | ||||||
| {# Older systemd versions don't have ProtectSystem=strict #} | {# Older systemd versions don't have ProtectSystem=strict #} | ||||||
| ProtectSystem=full | ProtectSystem=full | ||||||
| {% endif %} | {% endif %} | ||||||
| NoNewPrivileges=yes | NoNewPrivileges=yes | ||||||
| {% if ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11','>=') %} | {% if ansible_distribution_version is version('11','>=') %} | ||||||
| ReadWritePaths=-/var/run/fail2ban | ReadWritePaths=-/var/run/fail2ban | ||||||
| ReadWritePaths=-/var/lib/fail2ban | ReadWritePaths=-/var/lib/fail2ban | ||||||
| ReadWritePaths=-/var/log/fail2ban.log | ReadWritePaths=-/var/log/fail2ban.log | ||||||
|   | |||||||
| @@ -1,5 +1,7 @@ | |||||||
| --- | --- | ||||||
| - name: restart mariadb | - name: restart mariadb | ||||||
|   ansible.builtin.systemd: name=mariadb state=restarted |   ansible.builtin.systemd_service: | ||||||
|  |     name: mariadb | ||||||
|  |     state: restarted | ||||||
|  |  | ||||||
| # vim: set ts=2 sw=2: | # vim: set ts=2 sw=2: | ||||||
|   | |||||||
| @@ -1,4 +1,4 @@ | |||||||
| --- | --- | ||||||
| # ansible.builtin.file: roles/munin/handlers/main.yml | # ansible.builtin.file: roles/munin/handlers/main.yml | ||||||
| - name: restart munin-node | - name: restart munin-node | ||||||
|   ansible.builtin.systemd: name=munin-node state=restarted |   ansible.builtin.systemd_service: name=munin-node state=restarted | ||||||
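Review bot: `ansible.builtin.systemd_service: name=munin-node state=restarted` keeps the key=value free-form argument string while every other handler in this compare (mariadb, nginx, caddy, common) was converted to block YAML, and ansible-lint's no-free-form rule flags it. The same block form works here: `ansible.builtin.systemd_service:` with `name: munin-node` and `state: restarted` on the following lines. The handler name also stays lowercase while the common and nginx handlers were capitalized; that is harmless because the munin tasks notify the lowercase name, but aligning it avoids a second naming convention.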
|   | |||||||
| @@ -1,16 +1,22 @@ | |||||||
| --- | --- | ||||||
| - name: Install munin-node | - name: Install munin-node | ||||||
|   ansible.builtin.apt: name=munin-node state=present |   ansible.builtin.apt: | ||||||
|  |     name: munin-node | ||||||
|  |     state: present | ||||||
|   tags: packages |   tags: packages | ||||||
|  |  | ||||||
| # some nice things to have for munin-node on Ubuntu | # some nice things to have for munin-node on Ubuntu | ||||||
| # libwww-perl: for munin's nginx_status check | # libwww-perl: for munin's nginx_status check | ||||||
| - name: Install munin-node deps | - name: Install munin-node deps | ||||||
|   ansible.builtin.apt: name=libwww-perl state=present |   ansible.builtin.apt: | ||||||
|  |     name: libwww-perl | ||||||
|  |     state: present | ||||||
|   tags: packages |   tags: packages | ||||||
|  |  | ||||||
| - name: Create munin-node.conf | - name: Create munin-node.conf | ||||||
|   ansible.builtin.template: src=munin-node.conf.j2 dest=/etc/munin/munin-node.conf |   ansible.builtin.template: | ||||||
|  |     src: munin-node.conf.j2 | ||||||
|  |     dest: /etc/munin/munin-node.conf | ||||||
|   notify: |   notify: | ||||||
|     - restart munin-node |     - restart munin-node | ||||||
|  |  | ||||||
| @@ -20,6 +26,9 @@ | |||||||
|     - restart munin-node |     - restart munin-node | ||||||
|  |  | ||||||
| - name: Start munin-node | - name: Start munin-node | ||||||
|   ansible.builtin.systemd: name=munin-node state=started enabled=true |   ansible.builtin.systemd_service: | ||||||
|  |     name: munin-node | ||||||
|  |     state: started | ||||||
|  |     enabled: true | ||||||
|  |  | ||||||
| # vim: set ts=2 sw=2: | # vim: set ts=2 sw=2: | ||||||
|   | |||||||
| @@ -1,9 +1,16 @@ | |||||||
| --- | --- | ||||||
| - name: Install munin package | - name: Install munin package | ||||||
|   ansible.builtin.apt: name=munin state=present |   ansible.builtin.apt: | ||||||
|  |     name: munin | ||||||
|  |     state: present | ||||||
|   tags: packages |   tags: packages | ||||||
|  |  | ||||||
| - name: Create munin configuration file | - name: Create munin configuration file | ||||||
|   ansible.builtin.template: src=munin.conf.j2 dest=/etc/munin/munin.conf owner=root group=root mode=0644 |   ansible.builtin.template: | ||||||
|  |     src: munin.conf.j2 | ||||||
|  |     dest: /etc/munin/munin.conf | ||||||
|  |     owner: root | ||||||
|  |     group: root | ||||||
|  |     mode: "0644" | ||||||
|  |  | ||||||
| # vim: set ts=2 sw=2: | # vim: set ts=2 sw=2: | ||||||
|   | |||||||
| @@ -1,5 +1,7 @@ | |||||||
| --- | --- | ||||||
| - name: reload nginx | - name: Reload nginx | ||||||
|   ansible.builtin.systemd: name=nginx state=reloaded |   ansible.builtin.systemd_service: | ||||||
|  |     name: nginx | ||||||
|  |     state: reloaded | ||||||
|  |  | ||||||
| # vim: set ts=2 sw=2: | # vim: set ts=2 sw=2: | ||||||
|   | |||||||
| @@ -1,7 +1,12 @@ | |||||||
| --- | --- | ||||||
| # Use acme.sh instead of certbot because they only support installation via | # Use acme.sh instead of certbot because they only support installation via | ||||||
| # snap now. | # snap now. | ||||||
| - block: | - name: Install and configure Let's Encrypt | ||||||
|  |   tags: letsencrypt | ||||||
|  |   when: | ||||||
|  |     - ansible_distribution == 'Debian' | ||||||
|  |     - ansible_distribution_version is version('11', '>=')) | ||||||
|  |   block: | ||||||
|     - name: Remove certbot |     - name: Remove certbot | ||||||
|       ansible.builtin.apt: |       ansible.builtin.apt: | ||||||
|         name: certbot |         name: certbot | ||||||
| @@ -77,15 +82,10 @@ | |||||||
|  |  | ||||||
|     # always issues daemon-reload just in case the service/timer changed |     # always issues daemon-reload just in case the service/timer changed | ||||||
|     - name: Start and enable systemd timer to renew Let's Encrypt certs |     - name: Start and enable systemd timer to renew Let's Encrypt certs | ||||||
|       ansible.builtin.systemd: |       ansible.builtin.systemd_service: | ||||||
|         name: renew-letsencrypt.timer |         name: renew-letsencrypt.timer | ||||||
|         state: started |         state: started | ||||||
|         enabled: true |         enabled: true | ||||||
|         daemon_reload: true |         daemon_reload: true | ||||||
|  |  | ||||||
|   when: |  | ||||||
|     - ansible_distribution == 'Debian' |  | ||||||
|     - ansible_distribution_version is version('11', '>=')) |  | ||||||
|   tags: letsencrypt |  | ||||||
|  |  | ||||||
| # vim: set ts=2 sw=2: | # vim: set ts=2 sw=2: | ||||||
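Review bot: The condition `- ansible_distribution_version is version('11', '>='))` moved to the top of the block carries an unbalanced closing parenthesis, which Jinja should reject as a template syntax error when the `when` is evaluated; the identical typo was corrected in the timesyncd hunk on this page but not here. Dropping the stray paren, `- ansible_distribution_version is version('11', '>=')`, fixes it. Because this `when` now guards the whole letsencrypt block, leaving it in would presumably fail the play for every host that reaches these tasks rather than just skipping one task.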
|   | |||||||
| @@ -54,7 +54,7 @@ | |||||||
|     owner: root |     owner: root | ||||||
|     group: root |     group: root | ||||||
|   notify: |   notify: | ||||||
|     - reload nginx |     - Reload nginx | ||||||
|   tags: nginx |   tags: nginx | ||||||
|  |  | ||||||
| - name: Copy extra nginx configs | - name: Copy extra nginx configs | ||||||
| @@ -68,7 +68,7 @@ | |||||||
|     - extra-security.conf |     - extra-security.conf | ||||||
|     - fastcgi_cache |     - fastcgi_cache | ||||||
|   notify: |   notify: | ||||||
|     - reload nginx |     - Reload nginx | ||||||
|   tags: nginx |   tags: nginx | ||||||
|  |  | ||||||
| - name: Remove default nginx vhost | - name: Remove default nginx vhost | ||||||
| @@ -104,7 +104,7 @@ | |||||||
|     owner: root |     owner: root | ||||||
|     group: root |     group: root | ||||||
|   notify: |   notify: | ||||||
|     - reload nginx |     - Reload nginx | ||||||
|   tags: nginx |   tags: nginx | ||||||
|  |  | ||||||
| - name: Configure munin vhost | - name: Configure munin vhost | ||||||
| @@ -115,11 +115,11 @@ | |||||||
|     owner: root |     owner: root | ||||||
|     group: root |     group: root | ||||||
|   notify: |   notify: | ||||||
|     - reload nginx |     - Reload nginx | ||||||
|   tags: nginx |   tags: nginx | ||||||
|  |  | ||||||
| - name: Start and enable nginx service | - name: Start and enable nginx service | ||||||
|   ansible.builtin.systemd: |   ansible.builtin.systemd_service: | ||||||
|     name: nginx |     name: nginx | ||||||
|     state: started |     state: started | ||||||
|     enabled: true |     enabled: true | ||||||
| @@ -1,21 +1,23 @@ | |||||||
| --- | --- | ||||||
| - block: | - name: Configure https vhosts | ||||||
|  |   tags: nginx | ||||||
|  |   block: | ||||||
|     - name: Configure https vhosts |     - name: Configure https vhosts | ||||||
|       ansible.builtin.template: |       ansible.builtin.template: | ||||||
|         src: vhost.conf.j2 |         src: vhost.conf.j2 | ||||||
|         dest: "{{ nginx_confd_path }}/{{ item.domain_name }}.conf" |         dest: "{{ nginx_confd_path }}/{{ item.domain_name }}.conf" | ||||||
|         mode: 0644 |         mode: "0644" | ||||||
|         owner: root |         owner: root | ||||||
|         group: root |         group: root | ||||||
|       loop: "{{ nginx_vhosts }}" |       loop: "{{ nginx_vhosts }}" | ||||||
|       notify: |       notify: | ||||||
|         - reload nginx |         - Reload nginx | ||||||
|  |  | ||||||
|     - name: Generate self-signed TLS cert |     - name: Generate self-signed TLS cert | ||||||
|       ansible.builtin.command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key |       ansible.builtin.command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key | ||||||
|         -out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt |         -out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt | ||||||
|       notify: |       notify: | ||||||
|         - reload nginx |         - Reload nginx | ||||||
|  |  | ||||||
|     - name: Download 4096-bit RFC 7919 dhparams |     - name: Download 4096-bit RFC 7919 dhparams | ||||||
|       ansible.builtin.get_url: |       ansible.builtin.get_url: | ||||||
| @@ -23,17 +25,16 @@ | |||||||
|         checksum: sha256:64852d6890ff9e62eecd1ee89c72af9af244dfef5b853bcedea3dfd7aade22b3 |         checksum: sha256:64852d6890ff9e62eecd1ee89c72af9af244dfef5b853bcedea3dfd7aade22b3 | ||||||
|         dest: "{{ nginx_ssl_dhparam }}" |         dest: "{{ nginx_ssl_dhparam }}" | ||||||
|       notify: |       notify: | ||||||
|         - reload nginx |         - Reload nginx | ||||||
|  |  | ||||||
|     # TODO: this could break because we can override the document root in host vars |     # TODO: this could break because we can override the document root in host vars | ||||||
|     - name: Create vhost document roots |     - name: Create vhost document roots | ||||||
|       ansible.builtin.file: |       ansible.builtin.file: | ||||||
|         path: "{{ nginx_root_prefix }}/{{ item.domain_name }}" |         path: "{{ nginx_root_prefix }}/{{ item.domain_name }}" | ||||||
|         state: directory |         state: directory | ||||||
|         mode: 0755 |         mode: "0755" | ||||||
|         owner: nginx |         owner: nginx | ||||||
|         group: nginx |         group: nginx | ||||||
|       loop: "{{ nginx_vhosts }}" |       loop: "{{ nginx_vhosts }}" | ||||||
|   tags: nginx |  | ||||||
|  |  | ||||||
| # vim: set ts=2 sw=2: | # vim: set ts=2 sw=2: | ||||||
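Review bot: The self-signed cert task (the `ansible.builtin.command` line in the first hunk, left untouched by this commit) still mixes the free-form command with an inline `creates=` argument, while every other task in the block now uses native YAML for its module arguments; moving it to `cmd:` plus `creates: /etc/ssl/certs/nginx-snakeoil.crt` under `ansible.builtin.command:` keeps the block consistent and lets ansible-lint see the guard. The key written to `/etc/ssl/private/nginx-snakeoil.key` ends up with whatever mode openssl and the remote umask produce; since the block now sets an explicit `mode:` on its templates and directories, a follow-up `ansible.builtin.file` task with `mode: "0600"` on that key would make its permissions explicit too. A one-line comment above the task stating why a snakeoil cert is generated at all (presumably so nginx can start before real certificates exist — confirm) would help the next reader.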
| @@ -1,5 +1,7 @@ | |||||||
| --- | --- | ||||||
| - block: | - name: Install and configure WordPress | ||||||
|  |   tags: wordpress | ||||||
|  |   block: | ||||||
|     - name: Install WordPress |     - name: Install WordPress | ||||||
|       when: |       when: | ||||||
|         - item.has_wordpress is defined |         - item.has_wordpress is defined | ||||||
| @@ -23,6 +25,5 @@ | |||||||
|         group: nginx |         group: nginx | ||||||
|         recurse: true |         recurse: true | ||||||
|       loop: "{{ nginx_vhosts }}" |       loop: "{{ nginx_vhosts }}" | ||||||
|   tags: wordpress |  | ||||||
|  |  | ||||||
| # vim: set ts=2 sw=2: | # vim: set ts=2 sw=2: | ||||||
| @@ -77,7 +77,7 @@ server { | |||||||
|         # See: https://httpoxy.org/ |         # See: https://httpoxy.org/ | ||||||
|         fastcgi_param HTTP_PROXY ""; |         fastcgi_param HTTP_PROXY ""; | ||||||
|  |  | ||||||
|         {% if ansible_distribution == 'Debian' and ansible_distribution_major_version is version('12', '==') %} |         {% if ansible_distribution_major_version is version('12', '==') %} | ||||||
|         fastcgi_pass unix:/run/php/php8.2-fpm-{{ domain_name }}.sock; |         fastcgi_pass unix:/run/php/php8.2-fpm-{{ domain_name }}.sock; | ||||||
|         {% endif %} |         {% endif %} | ||||||
|         fastcgi_index index.php; |         fastcgi_index index.php; | ||||||
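Review bot: With the distribution check dropped, the `{% if %}` around `fastcgi_pass` still matches only a major version of 12, so on the Debian 13 hosts this branch targets the template emits no `fastcgi_pass` at all and the PHP location has no upstream — nginx would then handle `.php` requests itself, which at best fails and may hand the script source to the static file handler. Add a branch for the new release, e.g. `{% elif ansible_distribution_major_version is version('13', '==') %}` followed by `fastcgi_pass unix:/run/php/php<PHP_VERSION>-fpm-{{ domain_name }}.sock;` (placeholder — fill in the php-fpm version the playbook installs), or better derive the socket from a single variable so the handler `Reload php8.2-fpm` and the pool path `/etc/php/8.2/fpm/pool.d/www.conf` in the php-fpm role stop hard-coding 8.2 as well. The enclosing `location` block starts and ends outside the hunk.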
| @@ -1,7 +1,7 @@ | |||||||
| --- | --- | ||||||
| # For Debian 12 | # For Debian 12 | ||||||
| - name: reload php8.2-fpm | - name: Reload php8.2-fpm | ||||||
|   ansible.builtin.systemd: |   ansible.builtin.systemd_service: | ||||||
|     name: php8.2-fpm |     name: php8.2-fpm | ||||||
|     state: reloaded |     state: reloaded | ||||||
| 
 | 
 | ||||||
| @@ -1,5 +1,8 @@ | |||||||
| --- | --- | ||||||
| - block: | - name: Install and configure php-fpm | ||||||
|  |   tags: php-fpm | ||||||
|  |   when: install_php | ||||||
|  |   block: | ||||||
|     - name: Set php-fpm packages |     - name: Set php-fpm packages | ||||||
|       ansible.builtin.set_fact: |       ansible.builtin.set_fact: | ||||||
|         php_fpm_packages: |         php_fpm_packages: | ||||||
| @@ -26,13 +29,13 @@ | |||||||
|         mode: "0644" |         mode: "0644" | ||||||
|       loop: "{{ nginx_vhosts }}" |       loop: "{{ nginx_vhosts }}" | ||||||
|       when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php) |       when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php) | ||||||
|       notify: reload php8.2-fpm |       notify: Reload php8.2-fpm | ||||||
| 
 | 
 | ||||||
|     - name: Remove default www pool |     - name: Remove default www pool | ||||||
|       ansible.builtin.file: |       ansible.builtin.file: | ||||||
|         path: /etc/php/8.2/fpm/pool.d/www.conf |         path: /etc/php/8.2/fpm/pool.d/www.conf | ||||||
|         state: absent |         state: absent | ||||||
|       notify: reload php8.2-fpm |       notify: Reload php8.2-fpm | ||||||
| 
 | 
 | ||||||
|     # re-configure php.ini |     # re-configure php.ini | ||||||
|     - name: Update php.ini |     - name: Update php.ini | ||||||
| @@ -42,9 +45,6 @@ | |||||||
|         owner: root |         owner: root | ||||||
|         group: root |         group: root | ||||||
|         mode: "0644" |         mode: "0644" | ||||||
|       notify: reload php8.2-fpm |       notify: Reload php8.2-fpm | ||||||
| 
 |  | ||||||
|   tags: php-fpm |  | ||||||
|   when: install_php |  | ||||||
| 
 | 
 | ||||||
| # vim: set ts=2 sw=2: | # vim: set ts=2 sw=2: | ||||||
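Review bot: The `when:` on the pool-template task in the second hunk, `(item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)`, spells the defined-check out twice; `when: item.has_wordpress | default(false) or item.needs_php | default(false)` is equivalent, since `default` only substitutes when the key is missing, and reads the same as the other `when:` lists in these roles. The block-level `when: install_php` added at the top errors on hosts where the variable is not defined at all; if the role can be included without it being set, `when: install_php | default(false)` is the safer form.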
										2
								web.yml
							| @@ -9,7 +9,7 @@ | |||||||
|     - { role: mariadb, when: mariadb_databases is defined} |     - { role: mariadb, when: mariadb_databases is defined} | ||||||
|     - { role: nginx, when: webserver is defined and webserver == 'nginx' } |     - { role: nginx, when: webserver is defined and webserver == 'nginx' } | ||||||
|     - { role: caddy, when: webserver is defined and webserver == 'caddy' } |     - { role: caddy, when: webserver is defined and webserver == 'caddy' } | ||||||
|     - php-fpm |     - php_fpm | ||||||
|     - munin |     - munin | ||||||
|   vars_files: |   vars_files: | ||||||
|     - vars/ipsets.yml |     - vars/ipsets.yml | ||||||