Compare commits

...

145 Commits

Author SHA1 Message Date
d51f8fefaa roles/common: minor configuration of Debian 13 SSH
Tweak some of the new OpenSSH per-source penalty settings on Debian
13. For now only adjusting the source network masks and reusing the
list of IPs to exempt from fail2ban.

These being built in makes them easier to use, but I think I will
end up sticking with fail2ban for the heavy lifting because it per-
sists across restarts of the daemon, whereas OpenSSH's doesn't. I
will monitor OpenSSH on Debian 13 to see how to best use it along
side fail2ban.
2025-09-23 10:33:24 +03:00
9ff6e19135 roles/common: use 127.0.0.0/8 for fail2ban ignoreip
We can re-use our fail2ban ignoreip setting for Debian 13's OpenSSH
PerSourcePenaltyExemptList, but OpenSSH is more strict with regards
to masks not being applied to the host portion. I had never noticed
that fail2ban's default was applying the mask on the host portion!
2025-09-23 10:33:23 +03:00
4680999680 roles/common: sshd overrides for Debian 13 2025-09-23 10:33:23 +03:00
602734acce roles: update ansible.builtin.systemd builtin
Use ansible.builtin.systemd_service instead.
2025-09-23 10:33:11 +03:00
0db7911b70 roles/common: remove sudoers.d
We are not using this.
2025-09-21 23:09:40 +03:00
ee4c62e5f9 roles: remove tests for Debian
We only run on Debian now.
2025-09-21 22:20:31 +03:00
a315db8a7c roles/common: use ansible_distribution_version
In most cases it is enough to use the full version (ie 12.12) since
we use Ansible's version comparison function. We rarely need to use
the major version (ie 12) directly.
2025-09-21 22:19:00 +03:00
5f00892df3 roles/common: adjust when in tasks 2025-09-21 22:04:25 +03:00
9357265d27 roles/common: use ansible.builtin.apt module 2025-09-21 22:00:39 +03:00
dd62266340 roles/common: update comment in ntp task 2025-09-21 21:58:11 +03:00
a1bec20824 roles/common: simplify when logic in ntp task 2025-09-21 21:57:34 +03:00
8e91c44529 roles/common: fix syntax error in npt when 2025-09-21 21:56:15 +03:00
02d4135c79 roles/common: adjust ntp task
On Debian 12 we need to explicitly remove ntp because it does not
conflict with other time daemons.
2025-09-21 21:55:09 +03:00
37e148d009 Re-work ansible_managed
This is no longer a configuration setting. Now we must set it like
any other template variabled.
2025-09-21 21:15:12 +03:00
73dbbd23b6 roles/common: adjust handlers
Should start with an upper case letter.
2025-09-21 20:22:58 +03:00
b84283aa38 roles/common: remove unneeded firewall packages
We don't need curl or libnet-ip-perl anymore.
2025-09-21 20:15:11 +03:00
1695fdf8d1 roles/common: syntax in firewall play 2025-09-21 20:11:46 +03:00
9f1f7b1c69 roles/nginx: more syntax fixes to tasks 2025-09-21 20:08:51 +03:00
7d725f2084 roles/nginx: adjust task syntax
Tasks should start with an upper case letter and we should not use
free form syntax anymore.
2025-09-21 20:04:53 +03:00
4c39b0d48c roles/php_fpm: adjust task syntax
All tasks need names, and we can use name, tags, when, block order
for task keys. Suggested by ansible-lint.
2025-09-21 20:02:46 +03:00
f4023d0b20 roles/php_fpm: rename handler
Suggested by ansible-lint.
2025-09-21 19:59:23 +03:00
6aaface4a2 Rename roles/php-fpm to roles/php_fpm
Suggested by ansible-lint.
2025-09-21 19:56:20 +03:00
333e1cbeb9 roles/mariadb/handlers/main.yml: update syntax 2025-09-21 17:32:57 +03:00
0c62f4bdf0 roles/common/tasks/packages.yml: improve task key order
Suggested by ansible-lint. Makes it easier to see the tags after the
very long block.
2025-09-21 17:30:54 +03:00
26f22c0447 roles/munin: update task syntax 2025-09-21 17:29:22 +03:00
05881e2585 roles: fix unquoted octal modes 2025-09-21 17:25:22 +03:00
d4d326c2f7 roles/common: use FQCN in handler 2025-09-21 17:09:45 +03:00
1d4a6f208b roles/common: update default fail2ban ignores 2025-09-21 17:06:48 +03:00
8b22076d4a roles/common: json spacing 2025-09-21 17:06:01 +03:00
38176cb34c roles/nginx: update task syntax for plays 2025-09-21 16:59:08 +03:00
da737b71f7 roles/mariadb: update task syntax for mariadb play 2025-09-21 16:54:19 +03:00
c28189a1a5 roles/common: update task syntax for fail2ban play 2025-09-21 16:54:03 +03:00
b600141e89 roles/common: update task syntax for sshd play 2025-09-21 16:51:23 +03:00
4be98d1a33 roles/common: update task syntax for ssh-keys play 2025-09-21 16:49:32 +03:00
2bb018a40c roles/common: rename firewall and packages task files
Don't use firewall_Debian.yml or packages_Debian.yml since I am not
deploying Ubuntu anymore there is no need to distinguish.
2025-09-21 16:45:51 +03:00
89a1e11b7a roles/common: update task syntax in main play 2025-09-21 16:40:37 +03:00
0c0cad9084 Remove Ubuntu logic
For a few years now I have only been deploying Debian for personal
use.
2025-09-21 16:34:57 +03:00
9dce701a19 roles/common: update task syntax in packages play 2025-09-21 16:23:10 +03:00
3e9ee44d5b roles/common: update task syntax in ntp play 2025-09-21 16:18:32 +03:00
599b5e5e83 Pipfile.lock: run pipenv update 2025-09-21 15:57:28 +03:00
bc700ea532 Pipfile.lock: pipenv update 2025-08-17 10:28:23 +03:00
8016701b57 host_vars/web22: WordPress 6.8.2 2025-08-17 10:26:43 +03:00
00558c7dea roles/common: re-work fail2ban and nftables
Re-work the fail2ban and nftables interaction. Use systemd's PartOf
to indicate that fail2ban is part of the nftables service, which
tells systemd to propogate stop/start signals to it. Then we tell
the firehol update script to restart nftables instead of reload.
The different between restart and reload is meaningless for nftables
but we want systemd to propagate the stop/start signals to fail2ban.
2025-07-08 10:39:17 +03:00
c927186837 roles/common: adjust update-firehol-nftables.service
This service does not actually depend on nftables, at least not in
the systemd sense of dependency. Furthermore, this hard dependency
was causing the service to fail when it restarts nftables at the
end, which causes systemd to start it again and again until it hits
a restarting too quickly error.
2025-07-08 10:37:39 +03:00
690774c862 host_vars/web22: WordPress 6.8.1 2025-07-08 10:34:34 +03:00
cc021bd14a Pipfile.lock: run pipenv update 2025-07-08 10:25:09 +03:00
73fd06fe3a roles/common: remove cron-apt
Use unattended-upgrades instead. It has sane defaults on Debian at
least (I haven't checked Ubuntu).
2025-04-07 09:51:09 +03:00
88cb3a370e Remove logic for Ubuntu 20.04 and Debian 11 2025-03-29 23:09:44 +03:00
027a43ddbe roles/caddy: use default for encode 2025-03-29 22:49:30 +03:00
bb30c3be20 host_vars/web22: update vhosts 2025-03-29 22:48:19 +03:00
d8d9790d21 roles/nginx: enable nginx ssl_session_tickets
This has apparently been supported since nginx 1.23.2 and is safe
to use the default (on) now.

See: https://github.com/mozilla/server-side-tls/issues/284
2025-03-29 22:35:56 +03:00
9a500ebc0d roles/nginx: disable nginx ssl_prefer_server_ciphers
This is apparently the default and recommended by Mozilla's server-
side SSL configurator also recommends. This lets the client choose
the ciphers best for them (and the ciphers in TLS 1.2 and 1.3 are
not currently known to be dangerous).
2025-03-29 22:34:41 +03:00
4bae942585 roles/nginx: add nginx ssl_ecdh_curve
This seems to be new since I last looked at the Mozilla server-side
SSL configurator.
2025-03-29 22:34:37 +03:00
99866c0c90 roles/nginx: use one day for nginx ssl_session_timeout
This is a new default since I last looked at the Mozilla server-side
SSL configurator.
2025-03-29 22:34:32 +03:00
0afb8a4493 roles/nginx: update nginx ssl_buffer_size
The old default has not been changed in eight years and I see that
there have been some discussions over the years about this. I will
change this from the slightly extreme 1400 bytes to 4k (nginx def-
ault is still 16k so this is more "optimal" for HTML/CSS content).

See: https://github.com/igrigorik/istlsfastyet.com/issues/63
2025-03-29 22:34:27 +03:00
506695da31 roles/nginx/defaults: update version comments 2025-03-29 22:24:49 +03:00
f67ed7762c roles/nginx: fix http2 syntax 2025-03-29 22:20:49 +03:00
014f4d9502 roles/nginx: add newline 2025-03-29 22:19:41 +03:00
22c16e1ed3 roles/caddy/templates: closer to supporting WordPress
I still wouldn't want to deploy WordPress on Caddy until it's more
obvious and standard to block paths that shouldn't be accessible.
It seems that this is still left as an exercise to the site admin.

This discussion has some tips, but it is four years old and hasn't
changed since I last looked.

See: https://caddy.community/t/using-caddy-to-harden-wordpress/13575
2025-03-29 22:09:37 +03:00
5aa6a33e51 roles/php-fpm: set user and group based on webserver
We use either caddy or nginx, which are conveniently named the same
as the Unix user and group.
2025-03-29 21:01:56 +03:00
7f9b06af9c roles/nginx: smarter setting of document root 2025-03-29 19:34:53 +03:00
84db337fea roles/caddy: smarter setting of document root 2025-03-29 19:33:02 +03:00
7b23f5f94f roles/caddy: add missing tag 2025-03-29 19:16:03 +03:00
9830338be3 Use one default root prefix for nginx and caddy 2025-03-29 19:15:56 +03:00
e3eed26765 roles/caddy: update vhost template 2025-03-29 18:37:28 +03:00
8b31c7e148 host_vars/web22: WordPress 6.7.2 2025-03-29 16:10:23 +03:00
3ff8043aaf Pipfile.lock: run pipenv update 2025-03-29 15:30:08 +03:00
cb79f7ef70 roles/common: minor change to firehol update script
They include bogons like 127.0.0.1 that should not be routed on the
public Internet, but this blocks local applications we proxy to.
2025-01-28 09:14:48 +03:00
bb14f05d2a roles/common: use Ansible timezone module
No need to use a command for that. The module does it better because
it doesn't register a change unless the timezone changes.
2025-01-27 23:11:56 +03:00
5b1530fa91 roles/common: rework firewall
Use firehol instead of all the others. AbuseIPDB.com can't be upd-
ated automatically, Abuse.ch is no longer maintained, and Spamhaus
is already in firehol.
2025-01-27 23:05:45 +03:00
5312dc6bd5 roles/common: use common nftables task
Use a common nftables task on Debian and Ubuntu.
2025-01-27 23:05:38 +03:00
d6e060d3af roles/common: simplify firewall tasks
Apply firewall tag to included tasks, then we don't need to use a
block.
2025-01-27 22:30:50 +03:00
b873af004a roles/common: single firewall task include
Use one include from the main tasks file.
2025-01-27 22:28:27 +03:00
7ea3ab46f8 host_vars/web22: WordPress 6.7.1 2025-01-27 21:48:16 +03:00
0561bd5b52 Pipfile.lock: run pipenv update 2025-01-27 21:36:13 +03:00
d62572f02c Pipfile: python 3.13 2025-01-27 21:35:58 +03:00
2ffe5e87d9 host_vars/web22: WordPress 6.6.2 2024-12-30 11:03:47 +03:00
38d4f1a303 Pipfile.lock: run pipenv update 2024-12-30 11:03:35 +03:00
ed8cb88038 host_vars/web22: WordPress 6.5.5 2024-06-25 08:18:22 +03:00
c31e447861 roles/nginx: update signing key 2024-06-25 08:11:59 +03:00
545684467c host_vars/nomad03: remove 2024-06-05 20:35:29 +03:00
24ae5eaab1 host_vars/web22: WordPress 6.5.3 2024-05-13 14:51:45 +03:00
dac23f1427 Pipfile: use Python 3.12 2024-05-13 14:51:34 +03:00
41fbc73dd1 host_vars/web22: WordPress 6.4.3 2024-03-20 20:28:13 +03:00
fee794bcf0 Update Pipfile 2024-03-20 20:28:00 +03:00
8bce1d8b1b host_vars/web22: WordPress 6.4.1 2023-12-02 22:40:06 +03:00
6dc2ea36b6 roles/nginx: fix path to php 8.2 socket 2023-09-11 19:55:24 +03:00
af71a9b5f8 roles/php-fpm: remove fmt strings
Ansible confuses them for jinja2 tokens.
2023-09-11 19:52:18 +03:00
4dd57803e2 roles/php-fpm: fix user/group for php 8.2 configs 2023-09-11 19:51:59 +03:00
18d4245fc0 roles/common: fix tarsnap signing of apt repo 2023-09-11 19:37:49 +03:00
1bddf3cccd Pipfile.lock: run pipenv update 2023-09-11 18:52:25 +03:00
20dbe61fe1 roles/mariadb: use MariaDB 10.11
The server has already been updated from 10.6 to 10.11.

See: https://mariadb.com/kb/en/upgrading-from-mariadb-10-6-to-mariadb-10-11/
2023-09-10 22:53:10 +03:00
899e87321b host_vars/web22: WordPress 6.3.1 2023-09-10 22:44:23 +03:00
06416a3b64 roles: run ansible-lint --write 2023-08-23 22:22:51 +03:00
7a9a24ef5d roles/common: rework fail2ban again
Actually, we do want to run fail2ban on all hosts because the sshd
monitoring via systemd is nice. At the very least it reduces spam
from failed logins in our systemd journal.
2023-08-23 22:15:24 +03:00
067adcd9f5 roles/common: rework fail2ban tasks
We can only run fail2ban when we have logs to monitor. When a host
is running Caddy we don't have logs, so fail2ban doesn't have any-
thing to monitor out of the box. For now I will restrict the task
to hosts running nginx.
2023-08-23 21:59:28 +03:00
84d210cfab roles/common: re-format handlers
Use the newer Ansible format.
2023-08-23 21:35:28 +03:00
17736a4f14 roles/common: run ansible-lint --write 2023-08-23 21:33:22 +03:00
b9e91c4a3d roles/common: minor updates to tarsnap task
Use modern Ansible task format
2023-08-23 21:20:22 +03:00
51c95e5d4c roles/common: update tarsnap task
Update tarsnap task to use apt signed-by for package signing keys
instead of adding keys directly to apt-key.
2023-08-23 21:18:27 +03:00
8dbec29d2a roles/nginx: prepare letsencrypt task for Debian 12 2023-08-23 21:01:12 +03:00
d3bf3dab04 roles/php-fpm: add support for PHP 8.2
This is used in Debian 12.
2023-08-23 20:56:35 +03:00
8f50b7756b host_vars/web22: WordPress 6.3 2023-08-22 21:33:49 +03:00
e86ccc9979 roles/nginx: minor rework of apt key stuff 2023-08-22 21:33:19 +03:00
cea8529f49 Pipfile.lock: run pipenv update 2023-08-22 21:02:17 +03:00
d77718edae host_vars: add fail2ban_ignoreip 2023-08-14 16:37:07 +02:00
14d57fc477 roles/nginx: reformat main tasks 2023-08-10 22:44:47 +02:00
5c39f1abd8 roles/common: minor changes to Debian sshd_config files 2023-08-10 22:10:04 +02:00
6794eb0432 roles/common: default to disabling SSH passwords 2023-08-10 22:09:03 +02:00
11614e3725 host_vars: replace nomad02 with nomad03
The former is Ubuntu 20.04, the latter is Debian 12. Running Drone
CI.
2023-08-10 08:37:09 +02:00
b106f9d9e5 roles/common: ignore apt sources.list on Scaleway
While testing Debian 12 on Scaleway I noticed their apt sources.list
is in some weird format I've never seen before, so let's skip it on
those hosts.
2023-08-10 08:08:42 +02:00
3c8250e6ac Pipfile.lock: run pipenv update 2023-08-09 22:07:54 +02:00
d280859b0d roles/common: minor updates to Debian 11 sshd_config 2023-08-09 21:55:04 +02:00
bca1629d2f Minor comment updates for Debian 12 2023-08-09 21:51:53 +02:00
4fa82faf18 roles/common: adjust sshd_config for Debian 12
Adjust sshd_config based on ssh-audit profile for OpenSSH 9.2.
2023-08-09 21:27:19 +02:00
b8f0b4b1fb roles/common: add vanilla sshd_config for Debian 12 2023-08-09 21:16:50 +02:00
68e5d05bbb host_vars/web22: WordPress 6.2.2 2023-07-27 18:48:37 +03:00
446d402778 roles: minor fix to Debian version comparisons 2023-07-27 18:48:07 +03:00
67379fc2e4 host_vars/web22: WordPress 6.2 2023-05-04 07:10:40 +03:00
73546967b6 Pipfile.lock: run pipenv update 2023-05-04 06:58:25 +03:00
16b661efe1 Pipfile.lock: run pipenv update 2023-04-14 10:09:29 -07:00
fdb9a75489 roles/common: update tarsnap GPG key 2023-04-14 10:09:11 -07:00
232d7a0348 host_vars/web22: WordPress 6.1.1 2022-11-24 18:31:48 +03:00
6e4bb5bc34 host_vars/web21: use caddy 2022-11-13 18:58:57 +03:00
c840ffe018 roles/caddy: improve vhost template
Support domain aliases that redirect to the main domain and allow
sites to say they are static sites where they only need a document
root.
2022-11-13 18:54:03 +03:00
45c9d7ea0a Pipfile.lock: run pipenv update 2022-11-13 16:50:07 +03:00
a62bc446e8 host_vars/web22: WordPress 6.1 2022-11-06 23:00:41 +03:00
62a6a491db host_vars/web23: use caddy 2022-11-02 22:30:32 +03:00
4867d6da6a Add basic caddy role 2022-11-02 22:29:30 +03:00
d9f7c7a93b group_vars/web: set default webserver to nginx
While I'm still getting experience with caddy and adapting it to my
workloads.
2022-11-02 22:12:36 +03:00
bc8c030700 roles/common: update Tarsnap GPG key 2022-11-02 22:11:37 +03:00
f7598d8f1c Pipfile.lock: run pipenv update 2022-11-02 20:50:59 +03:00
c353e84a84 site.yml: use fully-qualified modules 2022-10-25 21:08:27 +03:00
99ca23f258 Pipfile.lock: run pipenv update 2022-10-17 19:56:30 +03:00
b663d27fd8 roles/common: rework firewall_Debian.yml playbook
Use newer Ansible task format, move from apt to package module, and
do package installs in one transaction using a list instead of a
loop.
2022-09-12 17:25:40 +03:00
67c99dacf6 roles/common: rework firewall_Ubuntu.yml playbook
Use newer Ansible task format, move from apt to package module, and
do package installs in one transaction using a list instead of a loop.
2022-09-12 17:18:33 +03:00
4abf2b10e4 ansible.cfg: smart fact gathering 2022-09-12 17:18:19 +03:00
f5199264f9 ansible.cfg: disable SSH host key checking 2022-09-12 17:14:39 +03:00
b259f09cbd roles/common: add SSH public key from other machine 2022-09-12 17:06:31 +03:00
f4b32e516b roles/mariadb: use newer Ansible task syntax 2022-09-12 10:16:42 +03:00
fcb12ecee0 roles/mariadb: remove sources.list template 2022-09-12 10:13:27 +03:00
5bc03ceacc roles/mariadb: install packages in single transaction
Using a list we can install these in a single apt transaction. Also
use the newer task format.
2022-09-12 10:12:07 +03:00
c317429f6d roles/mariadb: rework package signing key and repo 2022-09-12 10:09:41 +03:00
b512a7f765 roles/common: create /etc/apt/keyrings
According the the Debian docs for third-party repositories we must
create this manually on distros before Debian 12 and Ubuntu 22.04.
This is due to changes in apt-secure and the deprecation of apt-key.

See: https://wiki.debian.org/DebianRepository/UseThirdParty
2022-09-12 10:05:12 +03:00
e3a87d4f79 roles/mariadb: MariaDB 10.6
See: https://mariadb.com/kb/en/mariadb-1069-release-notes/
See: https://mariadb.com/kb/en/upgrading-from-mariadb-105-to-mariadb-106/
2022-09-12 09:25:46 +03:00
84 changed files with 2343 additions and 12273 deletions

View File

@@ -10,4 +10,4 @@ ansible = "*"
ansible-lint = "*" ansible-lint = "*"
[requires] [requires]
python_version = "3.10" python_version = "3.13"

991
Pipfile.lock generated

File diff suppressed because it is too large Load Diff

View File

@@ -4,7 +4,7 @@ Ansible playbook for base and initial configuration of the web server hosting my
## Assumptions ## Assumptions
Before you can run this, a few things are assumed: Before you can run this, a few things are assumed:
- You have a clean, minimal Ubuntu 20.04 or Debian 11 host up and running - You have a clean, minimal Debian 12 host up and running
- Python 3 is installed on the remote server (requirement of Ansible) - Python 3 is installed on the remote server (requirement of Ansible)
- You have a user account with password-less SSH access to the machine - You have a user account with password-less SSH access to the machine
- You have sudo privileges on the remote host - You have sudo privileges on the remote host

View File

@@ -2,16 +2,16 @@
retry_files_enabled=False retry_files_enabled=False
force_handlers=True force_handlers=True
inventory=hosts inventory=hosts
gathering = smart
# instead of using --ask-vault-pass # instead of using --ask-vault-pass
ask_vault_pass=True ask_vault_pass=True
remote_user = provisioning remote_user = provisioning
interpreter_python=auto interpreter_python=auto
# Don't warn on unknown SSH host keys because it's super annoying for new hosts
ansible_managed = This file is managed by Ansible.%n # or if you get a new laptop and run Ansible there!
template: {file} #
date: %Y-%m-%d %H:%M:%S # See: https://docs.ansible.com/ansible/latest/user_guide/connection_details.html#managing-host-key-checking
user: {uid} host_key_checking = False
host: {host}
[privilege_escalation] [privilege_escalation]
# instead of using -K # instead of using -K

View File

@@ -3,4 +3,12 @@
tls_cipher_suite: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" tls_cipher_suite: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
ansible_managed: |-
This file is managed by Ansible.
{{ 'template: ' + template_path }}
{{ 'date: ' + (template_mtime | string) }}
{{ 'user: ' + template_uid }}
{{ 'host: ' + template_host }}
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

View File

@@ -1,8 +1,14 @@
--- ---
# file: group_vars/web # file: group_vars/web
# run nginx by default
webserver: nginx
# all hosts run fail2ban with the sshd filter, but some can use other filters # all hosts run fail2ban with the sshd filter, but some can use other filters
extra_fail2ban_filters: extra_fail2ban_filters:
- nginx - nginx
# root prefix for all web servers
web_root_prefix: /var/www
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

View File

@@ -1,163 +0,0 @@
$ANSIBLE_VAULT;1.1;AES256
36643866316634653430343333316233346137663238373035376232643132663036343736376464
3033313234383933656361343938653362623265653030360a396638643333633137376231663538
65313537316564303330663730333131633165633238643532646435386436623163346366383533
3965636630393834620a343531623964626135636337313861653361393733333463633234363435
64643934346466663934613962613230623562323666353231326363343430336637323666383634
36626136643432343332343665343734653435383336313862383863626466663633363738313563
30303666306439333836306161633432346636396333653434666531353966353430666436623531
31636562656161333830313362653764306137396231346334613336346538306432636639386561
65323737383865313264623934613365373465323065616130333837386665666333623832626239
33333230643332373238363432306466613737373132643134363563613535376365616130333433
35653262356233626331643432396237306237363135623830643536653938363461303738613130
66613036393338393037386162383831663866323233383736303532363837663039376166363639
34666237333562643665653165393730646632316237663337383937353365333532336462656362
31353934393363363765616335626565343238336262653361306164383030303835303666326532
31386332346362633433356161643536333862373030306364393935663061396538616637623230
66383163396139306430343639346264336464646233316636666239643132376164613666363538
33356365643430383732396235623038643566623131616461376261343563353236306663656634
64643035373039383031303464346264383066623762323161643561366164313461613038633531
36383161363065366164383932623231626633646166313835343264373366393236626336353039
66646338303731346337363962353135346239306562663737363038306433386230326636336162
65313132626564663738633531333662666661326463643032656136376564643938623061346464
66653239663464306430613563666336643839323537626338666435336138613763313364323637
30666566326463623438316263623233333434623366306330656564636163336636623433646631
65316562616136626330333166646332366537666664303766346239316535333031396235303466
34393664373361356231333530323865646333653237613636386632393730623330653437393164
65343266373237386364373862656138633263666633333465623836366233663537393539393638
34643963363865383434633163623832646632393234636136346137366361393638393461306337
64653436313065326637363632336565306137613131306364336537613835306332633366313130
34393732643361663731383661646631353035353064613931333330653031626435353163323633
65326135376462666435643837333131313863313630336566333835613132383365343234366133
39336131363366616136663636663334386361646465336331343836626439316532376566353565
37643361646435643133336333643837633331316432303062623062396564373137613235363762
32363838333337363035343631353261653063316138626133303937623233326531333837383033
39366536333434303864616164313137613337643730306261626138343764663662393161613730
36303736306631636266336131396336646635653131336265623364633038363339353933636632
39626134353866313439333962376663393831303261633431303035663130613265333739616135
62623138386235653935383364623230343662333138653562633266336534383963326237663132
38646335623532383565303466386261613931666438313261653434633934353739613431636132
39633133656230666231383936396264313630353434313035643565333661393736386637313264
63636337373334313937643261313564333564383566633730396364653533666236643433643436
33363061356362386535323038383637613364393639646363366630373735353234333134636565
37653064636536376638626135393332626539346365353661636439323338653137383866663734
62303139363436646464383266396464313565376132393937356665396536623332376134393366
30346435313566313237326461346362353633353261373038656130323365383765613739323239
38633934643531633037623036623839386637663762366631633033646138323936353433326430
34396466653230643766636636393735373363616637386662333535643536626261653264346332
34336337646133646261353939353166393530323730333063393365626365383366633464633236
64656535613838313461623864666362373030636366373038373863616462373939356238353362
36363535653734343533666532343166313964303236313135386134623963386535306435656330
38386430303330303837326138356364373439313836636234656331643131646363386138653065
64353837396533303463643130613339663166333933643362303565623432643064353865393635
65663362666130623933623733323933343065633432613965373764383035316338316338373934
65383061386635316331366532626437303664636436306535663365373064346136393063623335
35643062363536633332313531356637313032666262366466626462666663303161653635666331
32343130383231323239363235313031346438323330383938303733323436646336353163356132
30336136646261323866663530336335636464623035626635333961623363396239353935636531
64373231386163663962313834333538333133376433623363306239393462383930306432396562
65393761633834663431353032393032396330393338343863333939323632393438646331613463
35363530653161653266616331356531666434353663643364316564623438316132383463356437
38626365343733383735383939646331376531376563623231323535323735356630336130383835
39633335373163656431336130333664306164336536356431323438333933636365303330393233
32353437393133646632373234376431626332626333343866643463653662373861346539663131
32393333633766633738393937356134313236343633636533376665316134653632623061353866
36373761366264653737386331383235306137323965363265653937353833343362633433313462
32316466356335366630373635376561636233336165666661653632323835336563313134343064
30333033333331303164323133613536613636373333663131633162616235316636346337333462
64306336636562353733613538343462626233303661363131333665366135306332346135323136
31306535643539303936346632623930333339353439376462633462626165633437393830373739
61653230646366623830353630336661623466316136373264353762313065346632366164653261
64313830303466306135313964613537633236383535343132613332613733316161623365333163
38633930323439303030316433343764356538313632366635653437346161646439663563323832
38363731353734303932653662326138646239306261383232643537313365393061383663643632
31343736373739643164623437663239616663373335643262336664326365656137643066383463
37356666306666353339626662326135636530386462613061326631366535383034303830323237
65316135343135383230656638363564303635363333623833373163326365393430663235623231
35646632643735363730613462656562356139323863616266343566343861356238623564326430
31306366366330363036616137363163663136316565313334616164346639663465666338316439
33643732343062313536313233333039366435386235333736333937633266653761616262346566
32636337623266656464636634643632316134376334653932363134613336346539656438633137
31306439663834663431346133653532636664636463376337616539393239316465636537633630
30363461343733653465666332646236386633396530333863616236383437333931643731626364
38393337656130666237373538393430306333333033306466343866303038643234646339306233
32336364363838636563643939626665643231636633666166653539313461393238333461383262
62346634633236343433336531396361323238386262313565396265663162353765343037303862
63633034363664313733633433356332333633366530643863316364653065623161663932323831
31646530613933613735333834373532616136393662346431656363346364353031303262326134
31343332386166646530373635343039323163323366616263346431353765303430353636373539
36346461303730313630373637346266323331373733383465323037343633313739306233336339
63646137643332623834343462333263356432366631663065383962373634366639656133323964
64343035323863373139313163323562643066306139363235626532396436663137653635353035
31396334346137626461633436343539366635356537306231353961333963616334323037346637
33626161333264643261656661643933653835356236333831343563653938303266323730363865
31363562383666633636343935386535306361386234346535613363613363393065363832306363
63643238383363646137306361306265666435363739306463663637343761643831633261633531
36626562636333336434613365316232343832646163396338613839643064653834633832376230
33343265386162303266373033353332393931633663623734396133326232303465666432356363
66306338616634616631363662313963386638343266383063313166353437373433623736333361
36333163386630376262616362613530346563383637656130363365366634633135323863646363
35323430343033323734363533326334303438663065656535666432376661613435623365316139
30623835373535623662633131393831376231623663316331313661646531393338613532623063
66343665356338636438646339663761336636653332646233326264373435346263386130383861
34623265373463653165383665306334643233373066356231343666663866373739336436653933
65623134306536333538333061303066636339376636333438623666366362666137653261376539
31346435613134303866333065306237343162333138643339313461663934643234303132613961
65393037396463663034636534323566366161623365666466393634373764333437383263656535
33643461636362646135626164373335386130303766633434633062356630336463623661396639
32646565623164363631383731666161343762393639343839373234326337643766336263353166
62633964303733643035326535656561366139626565643938356264646239336166316534373261
30623765623338616537353062666338376262393966373033346233383132653839323731626663
66393938313132653538313031323538333263333361303661646633366633353534373837313935
37323635633431623365643738623834653631323564393436326562326439666462306263653331
66316134616432323939373366343564623264336632376132663462396362663134643236643832
31393366653961323763333335303135383934633538636335303435636334343737306232373561
31343139363863326536613163663862343263313630336438666132306162646130613233393935
37336330643361323032366433313939616134366134393032613862616136393339643232356139
35326534623263353766326132623330323639303230616263636536366263643339663838376238
35323731303163616236306439343632353561646339663933313937363739303864336438626638
64633139633338623431343236333534373835356365343536636261386437613538303334663739
62396532353832323262343763353365333561643633353638313534393164366539353431396336
36653563633237333730376331326432663561343463616135613738663130323936373136393538
65636634363631313364326665336164653939356133333031633632373030623666373562623564
64616365616435393231646236623333333037346363666664666233306661353337343066626136
35666164356537323735636131383266393064373538303966353531636561623032643233346566
61633465376631656636366662373865623764336135323865316336663731383335303330616231
64313836373063313061626365316538653831316562333165616531643434633964333438333665
66376634323531356538343837326636636636393639396535346264656531613733386337353966
31363730646365313834316234626532663563613234643563366566373662616335623035393536
61653334346336613539313732383438313132653738393339373661336531633565303635353665
31383939643261666538356633326666363934643738636430383537636165623264616236633863
35336134386437383539303061343261313530313366316338663539383238663966653837663331
33386464653161376335316536633532383035363066653234626363343232393165313463343930
63323435613932626435363235396236313365636166663238323534623038663034303365326566
66306635373433313730343536633931643935323062643136383434643138306138363366663834
66613964303634616139323832363633363063653237366135613964663733376161373937323462
30313833623733336366356635323261613132393734613735393062333232313236326264323366
32376535616334376137663636633333323665333939363366313432633436653864306532393966
61636337356534373164653637633162613235623364396539623961353466303036383031363162
37313364613939613939343538633665666136363135656330623332656466383139656234336133
62366262663064623137626363613066366666313733623463623562636131323435346264653564
31323431663339653966336230356339303534353139663739363263633564373364323937386434
37306462653630326366316530656462316539373263366262313930356663376334343562303361
61623161613939616666386336626537333135346136643537326635383939663863623332373033
32643730313861636163623133323061333631333332373838636163326562633936363631653062
37336661626336623462616562333264373330323363363630313739363962323735393332303562
62393161323962393039346432353066646162336332663636343739343566363833333738316437
64333337363137643931366536396333633538633830353865323765616264356335383031353534
33376363386630303332643263383738386532373434613963613764326636333133303262393832
35373930383662383064333465633736363063363434333662396331633032353733353334363162
32393361643562623362333963663262363235326536396131643435306665343438333933616466
34326634373965313638666337326633653938343561663739333464343135346437636436633034
62333039373136656664363531373430356363363736306533386135323061316339326636643739
38363763653331646638613963646138666165666439643065363335343132613731623264376536
37366533636564346661343966373964353731623861633463363638356163346165643164373535
30373564326263393436326337653631383731313139636339356433333830666265343165323330
36616538616534626237623862636536303336343331383237333333656637303266616137336439
61653631636632366563373034346365313337356266636338336663643538303063613036383831
65613635336366316263336131666238386237366264396438383966313762626639643236313532
30663235666662396231376631366139653937646132343639396430643339393165656266636235
38356135666433323434613238356537306630643861353436323037353461326534313632386232
63643261373263646437373535333036336634396331616330353233613564363361396437326435
38396462643833313362633436303637323163663166653231653866643733616432323663316362
3037356363643462356137346638313963376637643162623062

View File

@@ -1,46 +1,27 @@
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
31303064616130313334356131393461656264376237303838313334366562376338343931333036 38663333313561616264323430323162323837623430363739623561633331656664613936666665
3165636436393538633063303338636464663634643539310a323766633431376166393134303038 6364373033623163393239663035306337383066343438310a383666313434323036643037363065
34316264643034386661343566656139306234383430613032343332643363323534333238376233 30396333626130303633663930663965666662646233393439376661346265616565616236623366
6262383039383065660a313138653738643838346365633238326534646637353033623638306161 3930373433646231610a336233663132306263656465633034333030316362643939316465666534
31336565373635663661343930396463333632366665633464646264333732373431633463343462 38353961393038613961353732613434663565633466303265383231343336386330333464376363
64303538343234613532323431643765643738396233376138343561306361313864376165393064 33616330643364376332623634363766656366666239633964316439376463313063333162343963
37313964656461353466306433366538346131313034316633626265346665666332666665336635 61356634393438313063666434626338616264613639656462626639616263366531663135393466
64386261643536386536366337313938343134346532393866663065306434353766666132383666 66346635616439306364356133303664376134626636616131373138656562363363306633333164
37623138653430363964313566666165326130656239333965346234386233643537643231613163 62623135343633393834393165383231316562643062343165663235313930663039623135373263
61333336383265613930613239393663356566633464343732383133336435393036646536353834 61343336643235303962333938613230356465346436376334373438386461366231383737643137
31626235343330666233616533636636316637643665333861386263646363613237613638313835 36343832353730366131653430633465383163396336353065306638373166386438356264616139
39393736313734393539386563333331636361376137313631373833643763623338653462653066 65346635663338366463343932336231386235393836616238373864626235623935663661396663
31633061323161663139633761623662653434363362386235623061626662343535626461663934 31633565356465333737303339333435383162316530396563333335613062623138333232336162
33633966353263613466616439663631363162376466346535383963383332376130303265633935 62376363666431363931663231643561616562383230643737393261623934363633313231333137
31646533633330616136346239356366616530363539323466333765656537623862653633643930 39383238656237343661626662366465356463396336386261326334613436396364633062646532
64646261636239343866663238613834376339366666353534373666333966366264626663326430 61313136366636363861316166396134316562666435653437326331363563653035343138636163
61343530636536613032646630346136656231633730646331666633623634623235666535336536 66336139636533656334643966383962383734623565323435333665666164353732663736326364
36303735373331383332653731616136376163396337323536616431633934633830323531656633 35616264383237316330386539363065376334643432393636643464646238633034333166663665
65666565363133366166323866366137663332343633333262643433396531333833626532313663 33313166393738626133636136346637646437306335326263393634363133663736666338313838
62303265623764613231306365323362303565623232326137386135363262623366343330666134 64623139613037653461643563666539613237323934376534376461313833336338623032616661
64376435363164636332383061343066336439363433653939353235383934346331383933333130 64643062663633366436383232366137373936383430306332616634636331326361383931363961
36623437393461613137316634626638353039343465333161623632363735346438383537306236 62313236313563326438303935373837666434313435653236643135303739373763656562393537
37306531336433346461656466396566623263353632323364643963323835356666393062343137 31653265653739346433663937343439656231663963333633373066356231623762313438393763
36323065323639646330643437373965613563366663363739646237396563336633653232643466 36306336656566633034373834316363333233326130626639313130643935333437653934313636
30336534373463643733613536343762633435343636333632613936383930316532333933613961 32383034346234333561333466653561323834346166633831303566376266373933356536383031
31313535653639653331343364383662653434333833663464623164636538353763346134643762 6236303934323963336662386666653138313165366133303434
36383132326134353632336334303264376162316162646331656434663435326535636164663238
62383435343366663932346131636530386434333064323734363061633166323363383566383931
30626337656133613632313136656431623761343036613865663261653437343139303734383231
33613938643264313138626639393132663032326235383439326132363361616463366266383439
36656161386531303230396562356438356537653133666336306439303630393665623665396130
37356633356165333737303235373062663664643434346366613536343164626339633039386538
30653962373361626436616366396362343739613937633830613235373866613665306334663166
63643965303465306637663666336563633234333437643565353262623963653562623662323337
31353636353830336362643536396232333732663937616666383431616161646265313834393232
66646338303134393232363133653837346638613165323035363266333566663163336338613335
37303964326663303338643233353939633735616231356430663931646363613565653764303637
36643063306362373666653531656534646465666134353866313333316239663363663062373038
33393938663363376530303463636665663539626537373262366536363830653632663736356632
35653465306236356166653739623461636434636132653237333932333965366464633365326430
32306533303966373662353061343130306662623735363930626663393139323236613730356336
34306436333734626339616438383934353934306233323863653964623435663863333330643061
64626333623436623230613362373533343237313165313030616662633739373065376231313237
61303561303432613336366238326534616631346364616135363562303161313334303866336434
6164

View File

@@ -1,130 +1,141 @@
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
38656665633261633138336335373266363136353736393735633130373737316562383130666636 38353762626535363837346634333565643931386536313339336365663162656533363636383931
6561646263333036333763366562326661353032316564330a383634366236376563613861353932 3737373161623364396366323338613062386466313539640a653334643937326338386262623261
63653365343662356634653231633364353062373539323165633339326364643933373464376166 65643635373532636439396235373964303537646334343633633531633435323037313433346636
6236613532633734640a626636316566373431323837656263663065303534343639356165313338 3866306363303338360a356166353265386130616163616662623764313536616666656237636563
37316361373062623233343265346334613337313765306162336430653563393631633532363661 30323036353635303438363234646234656530373365396530666539393132643831653039666562
33626138346232363635623365613632313536646236633736653931363931343062613738653162 65383962306465363862333131383263353736623264616465336139313638343462653361333239
36393565633535633939666530613765623738316263313839323139306134346530303664623861 64363562653366396664623662376433663335313231653935626237663430303734326433333739
63376230303062303262376534323332333336363832353630363262383931356139613539386133 62616265373732316530366331323664373637386661353664626464646264356465346466663539
34643961336134643262623634363839633463613365653839356364333961383737303263373632 31613435366362343564313732616639376664613630316236373333653634386130663463626231
30333063383835353961636333363564353664636132363930656136396638303431353738653937 31396631623466666364316237313363366439326231653035316437616134643035393138383364
66656335363933326162323036313930336465373763323161643437653338636635643064376635 35313738373562353632366637663232393638396330626165323535343538633264353366663738
37346461386136643332363961366638653531633239336631373933643336643066313062636132 30663135646162396331623837343661613333313437313434313365623664316135626239636230
37356134336666396265346466346465633139313239393636663931356431643936613830643033 65376137303439323166346536353831653537326662356330393362666430633831323537623830
32333036396365356362356332353265643765666466666464653265666562306534396530663530 65326164663136383339353138663936306166633662346363353063663435323266653137666630
39666465336663396436343436373434383537346262626663366337366163306133663530346461 61353263653735626236373233313436343466653238376634623366356431333439323932343938
63376237373230303063316439386630373566613134303631373362336538633531386233616238 33303432613063383135633261653837633961643737623462626439373335613430356532353031
65643662653130346165386338633965636431636237656162613634393530636138633937646639 31626666663963643736323731613735376239663530373166626365666339346435323761333637
62353433346664343332656166366161623330353934653631383961303931366231363030633262 35383464626437646665653931653932653033376464386132383038633734373138313830303466
37623235373438653037343033393365323365653561633736373930396261663638356163626630 39313532333866303565353161636435646231313461646639316566386639323561363633636139
63356639383231616339323530636338303465336462333036336636623964333834336234316163 37613661626162306431313266383964323434343039386533333535646565373933396565613565
34323866636239316634633236383635656265323133346534343435656561643034613337313336 34666136633265663035306261623531333665636336303665613635333232316331643935353461
32626234366532663033396561313838626437663961393131393962396137323531366262666362 32643735623532313363663530656630653531666335323565353063316537396334383230386462
62373332663532333061666332623261636239346137373933646335353238386232613739303634 33333565616634356537376466373332356663376363353166656139623336396130653564333739
39336331373231653635663330323539366563363135663863393632396332313464653533653138 39303733303939313838363331356437646632386631343466383332313037616430313566396335
36343364393063633437356638383935346131313932636131663965383465643561613633383962 31363038373437643266656463373662653966653832613935303462303031653761336165646162
39623830313463633437653364343339633939663831623565393039646666613062356562356237 31646631373335336435383638666562373236656231613662646161613533376237366463383630
33623463323336663664356334656130613665363739623263613032663732353435313639363130 36393532316336303531353032303937353963306164663162386137393664353962323865616532
33336263653039336139326164303565666661323737666533643837633438343762336462393534 63326462626130386234643639363762323863326134623063343731366433306431303763363233
65663932343635646435333362663237663835623332623038616465356632306663326433333463 36366334386266616261616266386439623665326339653562373836306165353137353137376337
34343830646535303638303033356630663534343435333237623462663466633062346131333163 37316363653935623736613138356333653936363866356665303737363032363564643532303234
38636539626539613431393336303935666334623638653134343637393930663561316339383664 37656432656363336564393263353430373437303337303461613763346461646565646535366638
31363532646636343439383539613738646163306336313862653465373636353136383666663163 34366337343033666134383966646563356533626665373337646231313431346239303635353261
63626139613031316665653330313565313831656561333830633735343861323134636237343562 62313939383762303235373537643531623465353062303939383666323139396630346461626136
62653834663035616665633761636631383233343037653034643064623932356239336366396266 38656632373637616532666433626564376338363239326234656561636239653536366331633234
36353462623732373831366661393266376561313563323730663165613737656136353831333232 65366139623238336234363564616430646435666562616636303064663437663731303839313365
64366461353264303434656161353639616133376465346232383437336537383463366466303839 38636438386162623862363865646233346336636439663833343136316165343564393339653565
64623730333037396162613762383962326135633934306338343635346463666135386364656665 38346166346434386338303032303430303535373635336562663030336566666435623537363137
65326161356539613362376635306231656465306262333936323234653538663963383838323062 61373161343138656365376531633830313561336632633330323035346431643837383062343537
65363330336137363163373661373464313164663630393761363366363635313139643163633834 66663961306666333535656432393134363565656635333633363732626665656365356138623164
39613334336336613434313364306134643332633332393466383265336537663231636663613464 65303936633666643034313636663262616661313739663135653335366261613133643630343362
36323436343136323538643134376430333331663738393134393032633838383966353866366337 66343033363835613031626635336538303362393561313032336136306465316231366137373736
35633838663230653930633665363664636333613538613839663937373139323738323133333938 62303335393333306132326135393562666431303631306538326433613362306131316139386361
66653432663330316537353364616664623935626666366533383539323830386530663131386130 31383665386466653066613038633335636233396335383764336462636138333034383836386365
36383831373965376666666165393266303465353738303962336563353531333364613765336432 38323739346630643532346161383336646165333336393961663930623531303434366265313861
35353232636663323231383932643532663330653337666563353735323436373436383639373363 39613231373335373338656434636134663036636234393534353033613133383034343437626434
35343465396265356336346134366437393238663861326332393135393432643335353563303362 31646339613430343265333833303231333739666266646436336161363330396264313636616461
64653033373461363865316237323264346535316163376162303839313734393865393137636530 61396332363537636162316261363030393466356263353938343236323932306366316535366533
63633733373430633332353264336566626262626565393832323164653534616636343164653339 38633165393339356339383939666161336461653438353632653530326639313238323761386461
36383536656463396239313863323835633937313963363439663535633036326634303239396233 63653765313532646166306237386435663432633934343039666637323362626338313135623034
32626433626338383434363331663864633436393663316239663362613734393132336638313466 30356438633635363738383932393861376235353962303663313963313964383530306530316363
66643965316466363362363136323336363862303661653161393234323361636135633838613739 64656638363436326562323234303961396333323931666365656433663865616439336138656232
34393662346430366666626136643434656131396463306462626538396236653466646331613735 66653964383034343837663936306632336562373637346132333063663263306237303461333732
34393035323038313932383631623961633761383734653132386562306430376365386464663238 65363661623064643663623661393563353739373535373764356163666639376236313839336438
66303036653866646633623266623736636361383339336164626439383031313162646632303963 35386265646331313663653761353864663934663261313037396135373938343265353934353361
31373864366661653033613165323061316138623462336236393933386431613736316635383938 30343564623631316366343838656135393364353836613330393536623662383637333039383133
63643332623465663432633139303231306162353035373338353162633530303934303436376535 37653733626662646631616563306638366263323634303636616331323964393962643061646361
64386535613861303064396666636363626137373336626334663631346566313732393065373532 39363562396634656637626630653533396236613334343332326439656165306537326464613436
36386436386537333561393336393363636133653737623431386531626163333961343162396139 37333632663731316165613432353339356561316431623038303365303663326666303666646363
63646631333063303033613533353963616634336230343930366566353664306430663263333835 66656630396661353765666131393737636630366666373136313837373165303437316233656261
38363937383363613932316130313236373932303763306335363136376362313931396139666334 38346463303964343132393162663762346163363739383733326635643264616166393264633934
30613639663163336363666664313737303561316164616234646630326432346134393738383834 64333137373532343032303431316633613836323631613231346133366635616435366436316239
61383734643337663138346533373339343733353332383863363234376330616531643931373161 64353633366431386664623239353735623037623364346431633733336563303430653233313637
66363938323764336161323437376463626661336234343739343632323936386265616531623863 35353138616164643834343339653739373038633531303039333632663566323565383637646561
30393830353064643138653233656135373032643065313663373039326462303866636462373835 31383965396365653364343761363161656432656665383963656463613637633938376234353532
63316365383331623063306334383861393535633536386236303130633530336130326536323461 33653837613266666661613165376665626432643439363637623333336234313836373232333736
32643761323533376637626366313133616232636161343334353362363261363262353532353336 65313232373233613763376463663161643636663162643864363962376232326462643936383131
37353232366337653030396239316631386665383866363966643139393763383035613535326334 39366164323038376633376238363663313238336166386663616261306532633331643537376631
64366164656338393831366136343465316534626661343431326333663664316331343438353236 31376663393036363566653061353636326565376636346466656263663266326332656461336437
34303165623062653934613532636163653263303837343561656136646333656261366530623766 32646162313932646632663738646532663439313630393038383530653562313439336631663535
39653239336562646234323261356266663030333139366466373931383866313139666239336161 36396265353231373435353137303164356633653938373166363663616632303764633738333439
37303462373637393139653762626430626431316362346233366466356337343831656635663431 62626533346561333565626163643235393164353861636662636531333834623965323034363735
38313465356538363066306163656236333839656437376233386361366232396536353964393630 33336138356663303462393864343434636364346432383665313931653062363138623261326438
35623331356630386164656237303262396339633939646133636636623266303765626138383365 31616533643163363261386635653732343939633965363362643536626264323537656238633539
37363962633332613062306536393431613934623530376639363331303238623866343237323232 62393935386433313366656133633532353131343237623466376632623434626362363062326531
66613437383837323466346230306330306532656632643337326264666532646330373530336437 33346165643164363365626432333631393664316266613731663162313764386336333231396632
63376330393364666635373066343132663239353038633539356537366338393861613037333336 36666536336333623063346166306164376138343566353063343866316432333266366337623866
38346230613233316435333637373234653566363537613737363534373138373036313338333161 61313039663661643863663434343732313139653037373065333463383635393061323938643162
38336561623662316537303033373061363137353262313866346262303365666535366463336366 61383064303461366162636439343438376266313931323934313563623435346634663739666565
64343336373936373034633335323533636531306463376364393962643133386337336431616535 62333035346634303139626432313262383262633437663436323763313361633235393037343665
36333937313466313339356130356232666466313934323433356539663239393335343865353636 62316564376464333133343134333230383765303834613233613232626131343631326433373062
66363565376234363933663033653763346439333331386139643661633734323833396462313763 36343466396430313534336332636233623337613134333861646334326633396434353765636163
64613735393030353965623839333134613664613264646439393934613865626133373138353962 37343638363234313030363661306337393361333332306331396164346633336130336366396430
66653733353362333539353934666135333133376338386536643238336462663432303132336438 62306539656332313162626239303066656664383639353730633738643132386662643733393761
33313532316264353635376132303237303639373132333039653063313733333266623838643963 62666339346130626163656237623730363066343838303036613038613763356263363365366238
63376138363539663963303265666330646138356163366663373237386264343263356362366664 62623435303838623630333231663137393362323234383533393763623235376164626461373736
64336432666639316664393237343532396337366239353930363330313464616162343037306336 36343761353362623433663936623433353439646463613233363732613435373564616239626564
62356361313331326139633864363861373936313163326139636464656165356635616466646662 61313066333939326435656535333963313831316231356232346534633531613963353130333432
34383830663932303239666139633766636265623364313462353730656563393763386230623530 37656163663230626632393939363532356366643764323330366630656334623261656334633865
30326630653165623965623164613235323837326466646338313936333631346437643438653939 61303066333566363061626437643132353664383061383364333338666230313034373535613063
62626661323866356136346161613661313438633165643464623764626537396632316363613534 63386237383638333263323337313336373830303865303466363965303839316162663431656538
65336337303634373766346265333332313663653831343861396238623264623134626462613065 33376332643335366537306133613761613132643232316438623939356331656263633933613935
30393932633337376338663033663365646366656134633665313936373531346366663766633032 65653465383434386561323462626362623566663330656439386361616562353430303938636436
33323431303130323133613764656164643861373035653962303565653866653362653834383561 66636531343063633561363330663436383930613438323764356562383536393933646264323135
39623035653862383836616165383963363064653036313563383561323236663931306165376532 64633764356166343965346362323466306636363633656466653934313230326435336536306230
32316666313231613565616562663736393630336336646362363039643462316432363330373339 38353432323537393131313239373861386237313530366139313338313330326632313536353837
34626133613166656166313565303436326563663239323334616533613561333263643365666135 63386161336335363834356437326630353031373435316462613634633039336132646134653236
66336265316166613039663937326164626439323038656562646237613439333535626462313162 31346664353932323339366464356161333637313761666138386164313163333531626235663338
64663332326533336436383364333735646534356631326262643736393364613137303736356365 62386333303264306363646136646463393134373939346438383465393439343337643336633039
39626463373735323062633939333865643237353435663464393262636433303861303537393031 62316464663038326439656334373331303165346534346466663538313632633561393335333931
33633864623730336136346434303762633932613938393432353230333230626539343962633564 65363964363335616639643462393463343437626539363838626439386164303464316666633663
35636335316537373138363330303962633839353537636361613237666135393632336330323331 63656639626133653266306266306531646331386366343936316136363935323662336335326338
36353235633935653333316331656465353030313765363237643865383231346439383335383665 30666130316265666631306635646565363039306138313462376662626161313134383633653834
63373462613564623261363264363936356130393831376164346464646361613132366137323038 32376163383763306165323466306264616366343332636564636162666434333732643635336163
65663030656338316166616635613934363965653165356331323165326635303431633764393365 61626162626331613438373464336465303739316130343965633532336531313661613961313164
33633966633662643536663135333666663264366265396537336637326537343736316332626166 39636165316638616338653965373833333732396363393463383433383930353361636166346232
34316331383438633133343432303837363339313561353737356535313663613361336162393636 61323935663536306533336137356566383130393564623938666231393431626136396137633066
33623231303764353533336631383232646365343035303064376662333830343738313238333636 36633133313861353338616561373838363833353531633465363731336237663561383561326635
30663435343538333135616366636162636637303930383131356663383631306431643036646361 62306338643965613635353536613335363934666362366466663461646135346436336164346536
62386531663739373066326666306235616662353835616166393739656564323737316131343134 62666631303638386137356233303235613636346661303834613335616161396238663530643165
36643063626464666337323634636536343365376233653363323565393731646536306637346630 65366364336139303766303938643038303461656335303438396565346330313665636165626432
33386633653165323762643638623739306363313433306338306162633333376463386261303466 64326666313562646239356231663834326566313331303363343064346539626636346438313266
64376531353238343435643865383061323364383362396432336539613230376235346537636362 65643364656164336166353435343730376266333633666230316464356439336463316464653137
34633637646230353463363763303239343766383935333861653137373266313534663335646230 66303865613961373732323439326535373933393537656462303831333432636261613564636330
66616339366532323766353365343433303432636134663834663834303932366663396131643337 63323361366332386331376437666234346661373233653432343733346363306130383665626437
61653733623361306336656333353664303165346238643738386536336335656165616131306131 33313330336365633464643563643465393935653132376135663163393161616462353838336664
33613139353839613764306161313764316233623361313037386163313238343031613931353332 35393833656135643733623765626639386561333336623930303465323963613164666531396632
62383839616365636435653634313736346438303565643133626161326534376636366537633037 35326365386566353966383635643132316230383363393539653335633934646239316131653536
33356533363234353263613662623334653465303561353934343230633664643536353538336437 66656161653030343462346337653434313062343663633665363838393865336536626532623132
34633631356363323836363439303131656361633162626232396636643436303032626335353534 66643636656134353363636433636538623930396262663864343332303066333566653063336464
36376437616533633934383034376464323530383965326432333834636132306438363334326262 32303030396137346636636164323133396364623532643332363638643761323938616530353836
61363532663439653937363935353831623562363737643066306537643433623262646535663166 65366331633561623331393231323534343239323565333330636136383836616230343034633036
31336661653539343236646361313930316562343630613535306231333734623265623064653031 38373530616532653166653932643665396434373465376530313663646236336238656266616261
37653633326131363433343732363264383366663965313836346561383833383138376136663164 33396463303963646633373038336662623161643135656136326533646337316562323932613833
35363835643630623037633032323162366333653963363736653537643739656665353638376132 65616434316239353531666131383335383733333830613934393465663138353662613063323537
61393639316336343731353038303033656164353839613764633635396438616336343533333065 31393337343737646537666430323666366338303731623339323063393636353132636233343436
31396337656433663736646338313062383337343466316137303032356266386562353833303636 61653862333837623666343061633531396235633565313631663937393337303764316466613130
64646637323836323930646530383339336636623934333833636565323164653862306462376365 33653732373034613639326338353438643664653461616133646235393864386564353765313932
30623031663832303265616563353164643336646131613963663530396336333637623836343137 36613165323465333937626165316632313334313364353463366239356630653530313761373261
6566 35326331313438656238646535643131656634396238363734626431633734336238616538383636
32303331666531653331306263303534613332653535643833303062653566393632333030383263
63393636643264656439373165383861323534333462353763343931363065393738323433323839
33333530323434363662633939303261636465356663326565633238663333656131376130396561
63363636613161383465323233626630613265346162386439353665393832383961616564636538
65333635336638646436623033343831356339656638333231666439643337306636313931643466
32393765303361323735646130613035346564356562656631373435653832663165313131336236
31636634663466366234386262623234626161663461386661656435656133616339383633386230
34313065396335636630333066633339646432313632373131306235333164336534363630313939
32623062393230633732323130613338363833356533306662616637326337343330303635343532
38396665633938313932656130303263396631343761616631616637633831666139343130313236
62356630346264376432

View File

@@ -1,85 +1,67 @@
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
30633037383332656130363532373262623063623730666337373430336363383964343039663832 64326662336532386161646564656439396461666266656463393335663130323930326139386562
3633313230323565376234336433383330626238373665360a393234643435376431613363313036 3639653630336132663666646161363938386334323064320a663564613066313533353433333434
32386236343262643662356563633038333434333730616332353234333363356465326133623139 30346561616465646163646534356339666639333862623637613435376361323032636439633930
3830316433303631640a613231373138336330646639376135326238383230323534316464383135 3731313063363337380a373961353530383764623830363935626231333734303364313565626633
35333631356666323161313261633134636364396232323130333666373864333165346233666232 37343037633862633632613165323136373662396438613663636433346566653064653632313338
62346362353033636464323866343334633565373265623431613866623234633133633466383735 36396333393334336434326630646164333531306432386133353664336535343363343939393464
31343439646166633237643364386638306539626562636235666535333438343664323932383865 34626335626436353239366138323863656336636536383733363931633933636331643263653566
39333533363131633930353962336238363234393161623966376365326661643431303263653164 30613931616462373336393337363430353962613665353936383533326364353365623333316664
63666436616437326137303765303730303135663434663235373363323966623166376332393661 62383439396131303831326562323264336638623461643361663763356236373464346464316237
62336336366265623035346162303730323762353961376333313662626232343366653930656338 65393232343733643338653734326562626166366562303037613862396564636662363066356664
36353134333463663034363737653133633536356166353966373563316235636132383530643339 32656363616637303039373732396533643432343961666365313963383131643464333765643737
37326661346666663139326239396466373630633363373431346635626561623665366566653731 32386165666131626365313938633530346361383734323334613464353862393931323836626563
36396138643936623632613934633965663166313364396466633263303738666164316231366662 62656531346532646530306463653364326362613162323536643836643839663933343132613435
64636362356564663330363763323139623065336162353734626539663231663734333962343665 63303234646335306632316166626266313635303566396363333464363631353834373761353837
32613563363130376665333666313733303963633161313633636337646466353064653866623265 65643461623135363139646564336430353461336433633765303138313730613630346465326666
30653762316433653631306535303463663738653731633964666466623534396663326263643437 61393133636262653836333664623333656164663361353130623863653863323131326136373238
62663366613635373832316538653066623733336631663261666564333634643161653962373932 33376333316433653337373834666136363130373261333330643439313734343036636364306532
30313065656238663063313737383432393433656439383033346634373030643166306565646230 63343662383539633235356162656366323965383331343139616361653466633865626337326562
62353930336664393733663462343062323332323030356338316133393838656536306164623435 63643761613536613334333065643533323066393764633931633066353064393966646161376361
64393634363665643862346564326138336136393235316433313538383162396563303937356335 37623939386636346161346164303832303534323038626335336665653634386132343031303861
33646334646630646233323762323335303030393331636532656132313536663465383237623536 61323765306366333936303765636436633465356539316631343562363535663932333666363035
39633364363036636434323963613633353238346134643837316232653038616138373731643033 30386233623265636464393662386464333430396337626230306438396563303437363938303061
64396563353839386334313933653664613230323430383434653964636538393838386639356361 32653939383136376365343934613339383563303935623664633639326137353437363261393637
63643565643636653434343363333966653163616236363366356539313532393133666239376530 66613331643530623862636665396536613730306537373666623135663837393466343261646461
62663930343462633864373138633364636634643361363935303263353766373936386561376638 62376162613861643633656334303132353034333834626664666237393534386439313638393933
65316138646534396435636563326165643737326533303338323665656334346264643262636437 35643663613432323432646466386434363335353234643264643463613334356462313766643030
63303530363063316461333536333433366461356533393139313435396136353439323435366266 30336364396235663230356235303264323339643761333036333537633862343862386130626533
32343566616161636466663339613434643835613831346366613866343536663530326431343139 36626536396663393031303533313238616133323239356634303830353439363133353839663266
38653165383430653064613837343738623134303766373133623131646134613663383637336264 36306539636563633734623162356230383232306138393831393336626336383966643335376564
35313966646639613262623836393933376137623535323365393837326631663930313336313737 36303730313936633361643736613736303163363536313038316432323039643362636538333037
35626139386264303162393636306136306161383565353739643166653262366164386539353266 65613663333032623035656665393565366363396134363832363163656532363537373435623233
38323266343833323063343263346365383534643835353435626335333637303237633239646330 36373961333237373264326634353363356537356538343663613034396132396366626330303365
32643235666331613364616535326230346634333363633938646633633831633364653337373235 62353461616434343938386237373365633861333733613631633234623034366364363761613636
30316161633634303562613263633962376365363038346137316164323036616664626132386461 34393532316466323264363363653335366639613731326131393335313039646538626665356333
65323764383733666634643635633834396635343835663266623839383130343563386231376537 62663435633539643237326631636563363833633130363535653336333538366137306235663730
62326338643833303538343566616461353135333863626462663830366435636564626538346361 36633934636536633865376262356239303966646638626638386536366662386432343466366161
33646661613334636239653636383436653438376235376665363235653837303037363164633931 36646436636538643366623864326630396565373462393132343834626638313437316137353564
32633733326139346261323464393734316661633239643437373235303237643932633433313564 34646138616438323065336266366434316135613938643131353034646230396632386433366365
36643739613330303362663861626637613130383965646639356532353539373437326439356362 38616436346232363563336439613939313464323861616530633962316634363462373530613665
39643137666633313262356366616561353461633033376235313965646132343233326366353264 63653636646565303664326631363535373037663734663965346430363831613431613365393832
35393561633632306265373032306636326261646235623266636662646334363233623330333734 62373030336262643430313635626261613232656236333130396537633238623265363932333966
37663266363639623036323433656166383631386633313131303030306437643761343965353063 34326135363762396564613064323135313663613565646461376162306532643433333336666532
39373435363238616566643239306136366637646437633335313431623839616264616261633339 65383661303137613335653336663666653463623565386137326662653839633536326135633764
33313364323039373531346335333963343034323637643134653566666562373137656335633932 33623437333931393737363061356235336232376437643131373531356566323336306138353561
39653862653465626432663534663965653933623430616561363430666235363666613833656463 66333863313461613930383231663162616261616639323238646439656166666261626533636161
65326430383137663034623233393339623135356535666161366564383564336132363038646663 38333362393033316266633364313739366262636530363937386137616234326638303137613433
61353465393265613337643338326436333237336339326262356362643932623163616638643835 65313962653566333364383732386165396136303666383439303064326463346563663434646364
31323739646335383532396665326535373161666661306538653365346465366434346463663438 62396130646632653039383661613638303162363538376236666338623865366639663138363636
64323766353933633736313266386564656436666534326534663531613936633830386238303861 36373766386234383465316635323931356233366262386135363238366538623135623361386436
37363231656365383531613764386662356334313330333236363734646431383166636132383338 64653533646233653463656334633566373433303365353965663732636566663332343337626337
35343138353232663135366438386366626239326632333937666530626364313463613831313162 34623861373562386264346430333133343631653631376366373735626664363965666561306262
30363933623561396137616130656535393138346339663266353764653931316639636562666164 35666235653235346233636361383566616533646662333662323139313865383264633734643263
61333938363466623031653766313139306439396435663665386665663663306134666563373238 63656431393834633935613430643839613433326431666665323136376562333737383862313261
36316261363063666335363462353066313735386139313465623338366266383434643464643162 65656431336439303563373833343965323965346439636131633366633431393032613963666539
34383836636336316232343132363464383565366162313563393864376433386236376565623631 38326539343132326334316233323362633835356265333031663066643535363639623031336362
64656164646635666139396539353763333065323266663262643233306261656532613362346432 64346230383638363763323462386261666266623134393139303264343234623132323437396630
33373631613137336366666266633331303966653138393539326335653463303033613565663638 66363738376133393731616535653230303262313937373333353932303038626166346366303163
30663465643832643637643836323462633163643534663465336664313265353966306261613339 66613831353731373165636532363165356561383137626437333563616561386666623234313438
32616139353263663033373835653632386262396164343731613836336435616131356632653830 37333435306530323235393164383138346131653235633536383636316161316238313064636261
61613461333632666366653330626537396232323733663930633966663239356130306666376137 33353963333430383236303038333939316637326130396430623964633338353863613534653663
62636333373635356461633431346636643731656338306366396430323537626233316137656465 30333839393230626261663966616230303330636335323565663938343562666663303536636332
65643339346565376166373066643339356666663735313063303130313663393966623866613337 34336665323764663163653161373166313631393534326532613538313637313136356336313433
31386663363166336337633266646363666236623837303634643337316636353531653765323637 34353036653738343433613763383137336562373332333062326134626638633938336364376131
62313330326363303932633336383337353062643865383730613435353832663364643262626162 61303435333163663636653135363162303663663266393438656430306532343438386436343735
63303439383164333037306231613538313639626537323039366561363233303735323032653432 31343231653263373532386263653263386435363633396638396164323539306233303562303862
35643432336666616665386238353034333037353630323234316266373936356439353632336365 3339306136613431636138333266633739323666633431363039
37646462666537306534623937393939326663316532623837326564303330373261323630353863
38343438316539336464376664326362353831396132393566396333613164646462636361646234
35313837666463376233623762663239613134356632333730343363346238613334383861306635
31623665666461643661383265633965386566656165663566376235343338636336336330336661
64653032656365363835616634656663623365323766396537303361336533313132316631316533
31353036663766643131386135653366313535366232636538346237613461383761393666336432
31623364653166356565376463363437386533303062373930393761646163613962636462643865
33376561323366363936386531663637343465626666623133396162306139366665616132326161
63663535636465383836333061396239313463343635633135323464646135393031386361633539
64396534396361323466326364326266386336643831643536383866313033366534636135613736
34316661313335383239316536623862316637396465616563386361636261313330313466656239
37626431613464363965343233666534323736363865373734633535343632393335346265643361
65326436393631353264613761343237386561306261353261356364386137393362306566353032
31313363613963323136303262323934333961343563626533666563636432653436393937303037
37336566663932663062633534303632646162316262323935366661313938393735666561343237
31616366363339353231643561373362613266343266623464323238356261303762316334333266
39303633316164376330343864336636313333363862323835303735383866363334643933653337
35373030353264323761

View File

@@ -0,0 +1,11 @@
---
# file: roles/caddy/defaults/main.yml
# parent directory of vhost document roots
caddy_root_prefix: "{{ web_root_prefix }}"
# Email address to use for the ACME account managing the site's certificates.
# Not sure what Caddy does if this doesn't exist.
caddy_email: foo@example.com
# vim: set ts=2 sw=2:

View File

@@ -0,0 +1,10 @@
---
# file: roles/caddy/handlers/main.yml
# I'm currently not sure when we need to restart versus reload
- name: reload caddy
ansible.builtin.systemd_service:
name: caddy
state: reloaded
# vim: set sw=2 ts=2:

View File

@@ -0,0 +1,82 @@
---
# file: roles/caddy/tasks/main.yml
#
# Configure Caddy.
- name: Check Caddy package signing key
ansible.builtin.stat:
path: /etc/apt/keyrings/caddy-stable-archive-keyring.key
register: caddy_signing_key_stat
tags:
- packages
- caddy
# See: https://caddyserver.com/docs/install#debian-ubuntu-raspbian
- name: Download Caddy package signing key
ansible.builtin.get_url:
url: https://dl.cloudsmith.io/public/caddy/stable/gpg.key
dest: /etc/apt/keyrings/caddy-stable-archive-keyring.key
owner: root
group: root
mode: "0644"
register: download_caddy_signing_key
when: not caddy_signing_key_stat.stat.exists
tags:
- packages
- caddy
- name: Add Caddy stable repo
ansible.builtin.apt_repository:
repo: deb [signed-by=/etc/apt/keyrings/caddy-stable-archive-keyring.key] https://dl.cloudsmith.io/public/caddy/stable/deb/debian any-version main
filename: caddy-stable
state: present
register: add_caddy_apt_repository
tags:
- packages
- caddy
- name: Update apt cache
ansible.builtin.apt: # noqa no-handler
update_cache: true
when: (download_caddy_signing_key.status_code is defined and download_caddy_signing_key.status_code == 200) or add_caddy_apt_repository is changed
tags:
- packages
- caddy
- name: Install Caddy
ansible.builtin.apt:
name: caddy
state: present
install_recommends: false
cache_valid_time: 3600
tags:
- caddy
- packages
- name: Create Caddyfile
ansible.builtin.template:
src: etc/caddy/Caddyfile.j2
dest: /etc/caddy/Caddyfile
mode: "0755"
owner: root
group: root
notify:
- reload caddy
tags: caddy
- name: Create Caddy conf.d directory
ansible.builtin.file:
path: /etc/caddy/conf.d
state: directory
mode: "0755"
owner: root
group: root
tags: caddy
# TODO: the variable is still named nginx_vhosts
- name: Configure Caddy virtual hosts
ansible.builtin.include_tasks: vhosts.yml
when: nginx_vhosts is defined
tags: caddy
# vim: set sw=2 ts=2:

View File

@@ -0,0 +1,14 @@
---
- name: Configure vhosts
ansible.builtin.template:
src: etc/caddy/conf.d/vhost.j2
dest: /etc/caddy/conf.d/{{ item.domain_name }}
mode: "0644"
owner: root
group: root
loop: "{{ nginx_vhosts }}"
notify:
- reload caddy
tags: caddy
# vim: set ts=2 sw=2:

View File

@@ -0,0 +1,29 @@
# Global options
{
email {{ caddy_email }}
}
# Common security response headers
(security-headers) {
header {
# disable Google FLoC tracking
Permissions-Policy interest-cohort=()
# enable HSTS
Strict-Transport-Security max-age=31536000
# disable clients from sniffing the media type
X-Content-Type-Options nosniff
# clickjacking protection: refuse to allow rendering this page
# in a frame, iframe, etc.
X-Frame-Options DENY
# keep referrer data off of HTTP connections
Referrer-Policy no-referrer-when-downgrade
}
}
# Import additional caddy config files in /etc/caddy/conf.d/
# Note: these are imported in lexical sort order!
import /etc/caddy/conf.d/*

View File

@@ -0,0 +1,46 @@
{{ ansible_managed | comment }}
{# helper variables and per-site defaults that we can't set in role defaults #}
{% set domain_name = item.domain_name %}
{% set domain_aliases = item.domain_aliases | default("") %}
{# assume optional features are off unless a vhost explicitly sets them #}
{% set has_wordpress = item.has_wordpress | default(false) %}
{% set needs_php = item.needs_php | default(false) %}
{% set has_gitea = item.has_gitea | default(false) %}
{% set static_site = item.static_site | default(false) %}
{# Allow sites to override the document root #}
{% if item.document_root is defined %}
{% set document_root = item.document_root %}
{% else %}
{% set document_root = (caddy_root_prefix, domain_name) | ansible.builtin.path_join %}
{% endif %}
{% if domain_aliases %}
{# domain_aliases is a string, so we split on space #}
{% for domain in domain_aliases | split (' ') %}
{{ domain }} {
redir https://{{domain_name}}{uri}
}
{% endfor %}
{% endif %}
{{ domain_name }} {
{% if has_gitea %}
reverse_proxy :3000
{% elif static_site -%}
root * {{ document_root }}
encode
file_server
{% elif has_wordpress -%}
root * {{ document_root }}
encode
{% if ansible_distribution_major_version is version('12', '==') -%}
php_fastcgi unix//run/php/php8.2-fpm-{{ domain_name }}.sock
{% endif -%}
file_server
{% endif -%}
import security-headers
}

View File

@@ -8,6 +8,10 @@ fail2ban_maxretry: 6
fail2ban_findtime: 3600 fail2ban_findtime: 3600
# 2 weeks in seconds # 2 weeks in seconds
fail2ban_bantime: 1209600 fail2ban_bantime: 1209600
fail2ban_ignoreip: 127.0.0.1/8 172.26.0.0/16 192.168.5.0/24 fail2ban_ignoreip: 127.0.0.0/8
# Disable SSH passwords. Must use SSH keys. This is OK because we add the keys
# before re-configuring the SSH daemon to disable passwords.
ssh_password_authentication: disabled
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

File diff suppressed because it is too large Load Diff

View File

@@ -1,5 +0,0 @@
#!/usr/sbin/nft -f
define ABUSEIPDB_IPV6 = {
fd21:3523:74e0:7301::
}

View File

@@ -1,89 +0,0 @@
#!/usr/bin/perl
#
# aggregate-cidr-addresses - combine a list of CIDR address blocks
# Copyright (C) 2001,2007 Mark Suter <suter@zwitterion.org>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see L<http://www.gnu.org/licenses/>.
#
# [MJS 22 Oct 2001] Aggregate CIDR addresses
# [MJS 9 Oct 2007] Overlap idea from Anthony Ledesma at theplanet dot com.
# [MJS 16 Feb 2012] Prompted to clarify license by Alexander Talos-Zens - at at univie dot ac dot at
# [MJS 21 Feb 2012] IPv6 fixes by Alexander Talos-Zens
# [MJS 21 Feb 2012] Split ranges into prefixes (fixes a 10+ year old bug)
use strict;
use warnings;
use English qw( -no_match_vars );
use Net::IP;
## Read in all the IP addresses
my @addrs = map { Net::IP->new($_) or die "$PROGRAM_NAME: Not an IP: \"$_\"."; }
map { / \A \s* (.+?) \s* \Z /msix and $1; } <>;
## Split any ranges into prefixes
@addrs = map {
defined $_->prefixlen ? $_ : map { Net::IP->new($_) }
$_->find_prefixes
} @addrs;
## Sort the IP addresses
@addrs = sort { $a->version <=> $b->version or $a->bincomp( 'lt', $b ) ? -1 : $a->bincomp( 'gt', $b ) ? 1 : 0 } @addrs;
## Handle overlaps
my $count = 0;
my $current = $addrs[0];
foreach my $next ( @addrs[ 1 .. $#addrs ] ) {
my $r = $current->overlaps($next);
if ( $current->version != $next->version or $r == $IP_NO_OVERLAP ) {
$current = $next;
$count++;
}
elsif ( $r == $IP_A_IN_B_OVERLAP ) {
$current = $next;
splice @addrs, $count, 1;
}
elsif ( $r == $IP_B_IN_A_OVERLAP or $r == $IP_IDENTICAL ) {
splice @addrs, $count + 1, 1;
}
else {
die "$PROGRAM_NAME: internal error - overlaps() returned an unexpected value!\n";
}
}
## Keep aggregating until we don't change anything
my $change = 1;
while ($change) {
$change = 0;
my @new_addrs = ();
$current = $addrs[0];
foreach my $next ( @addrs[ 1 .. $#addrs ] ) {
if ( my $total = $current->aggregate($next) ) {
$current = $total;
$change = 1;
}
else {
push @new_addrs, $current;
$current = $next;
}
}
push @new_addrs, $current;
@addrs = @new_addrs;
}
## Print out the IP addresses
foreach (@addrs) {
print $_->prefix(), "\n";
}
# $Id: aggregate-cidr-addresses,v 1.9 2012/02/21 10:14:22 suter Exp suter $

View File

@@ -1,2 +0,0 @@
autoclean -y
upgrade -y -o APT::Get::Show-Upgraded=true

View File

@@ -1,5 +0,0 @@
# Configuration for cron-apt. For further information about the possible
# configuration settings see the README file.
MAILON="never"
OPTIONS="-o quiet=1 -o Dir::Etc::SourceList=/etc/apt/security.sources.list -o Dir::Etc::SourceParts=\"/dev/null\""

View File

@@ -1 +0,0 @@
provisioning ALL=(ALL) ALL

View File

@@ -1,5 +1,5 @@
#!/usr/sbin/nft -f #!/usr/sbin/nft -f
define SPAMHAUS_IPV4 = { define FIREHOL_LEVEL1_IPV4 = {
192.168.254.254/32 192.168.254.254/32
} }

View File

@@ -1,5 +0,0 @@
#!/usr/sbin/nft -f
define SPAMHAUS_IPV6 = {
fd21:3523:74e0:7301::/64
}

View File

@@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHmRO6E0G4Ls3TifVfJ+mQjlfWiBZNJfsSXGhwQ/HA1M aorth@balozi

View File

@@ -1,27 +0,0 @@
[Unit]
Description=Update Abuse.ch SSL Blacklist IPs
# This service will fail if nftables is not running so we use Requires to make
# sure that nftables is started.
Requires=nftables.service
# Make sure the network is up and nftables is started
After=network-online.target nftables.service
Wants=network-online.target update-abusech-nftables.timer
[Service]
# https://www.ctrl.blog/entry/systemd-service-hardening.html
# Doesn't need access to /home or /root
ProtectHome=true
# Possibly only works on Ubuntu 18.04+
ProtectKernelTunables=true
ProtectSystem=full
# Newer systemd can use ReadWritePaths to list files, but this works everywhere
ReadWriteDirectories=/etc/nftables
PrivateTmp=true
WorkingDirectory=/var/tmp
SyslogIdentifier=update-abusech-nftables
ExecStart=/usr/bin/flock -x update-abusech-nftables.lck \
/usr/local/bin/update-abusech-nftables.sh
[Install]
WantedBy=multi-user.target

View File

@@ -1,63 +0,0 @@
#!/usr/bin/env bash
#
# update-abuseipdb-nftables.sh v0.0.1
#
# Download IP addresses seen using a blacklisted SSL certificate and load them
# into nftables sets. As of 2021-07-28 these appear to only be IPv4.
#
# See: https://sslbl.abuse.ch/blacklist
#
# Copyright (C) 2021 Alan Orth
#
# SPDX-License-Identifier: GPL-3.0-only
# Exit on first error
set -o errexit
abusech_ipv4_set_path=/etc/nftables/abusech-ipv4.nft
abusech_list_temp=$(mktemp)
echo "Downloading Abuse.sh SSL Blacklist IPs"
abusech_response=$(curl -s -G -w "%{http_code}\n" https://sslbl.abuse.ch/blacklist/sslipblacklist.txt --output "$abusech_list_temp")
if [[ $abusech_response -ne 200 ]]; then
echo "Abuse.ch responded: HTTP $abusech_response"
exit 1
fi
if [[ -f "$abusech_list_temp" ]]; then
echo "Processing IPv4 list"
abusech_ipv4_list_temp=$(mktemp)
abusech_ipv4_set_temp=$(mktemp)
# Remove comments, DOS carriage returns, and IPv6 addresses (even though
# Abuse.ch seems to only have IPv4 addresses, let's not break our shit on
# that assumption some time down the line).
sed -e '/#/d' -e 's/
//' -e '/:/d' "$abusech_list_temp" > "$abusech_ipv4_list_temp"
echo "Building abusech-ipv4 set"
cat << NFT_HEAD > "$abusech_ipv4_set_temp"
#!/usr/sbin/nft -f
define ABUSECH_IPV4 = {
NFT_HEAD
while read -r network; do
# nftables doesn't mind if the last element in the set has a trailing
# comma so we don't need to do anything special here.
echo "$network," >> "$abusech_ipv4_set_temp"
done < $abusech_ipv4_list_temp
echo "}" >> "$abusech_ipv4_set_temp"
install -m 0600 "$abusech_ipv4_set_temp" "$abusech_ipv4_set_path"
rm -f "$abusech_list_temp" "$abusech_ipv4_list_temp" "$abusech_ipv4_set_temp"
fi
echo "Reloading nftables"
# The abusech nftables sets are included by nftables.conf

View File

@@ -1,12 +0,0 @@
[Unit]
Description=Update Abuse.ch SSL Blacklist IPs
[Timer]
# Once a day at midnight
OnCalendar=*-*-* 00:00:00
# Add a random delay of 03600 seconds
RandomizedDelaySec=3600
Persistent=true
[Install]
WantedBy=timers.target

View File

@@ -0,0 +1,24 @@
[Unit]
Description=Update FireHOL lists
# Make sure the network is up
After=network-online.target
Wants=network-online.target update-firehol-nftables.timer
[Service]
# https://www.ctrl.blog/entry/systemd-service-hardening.html
# Doesn't need access to /home or /root
ProtectHome=true
# Possibly only works on Ubuntu 18.04+
ProtectKernelTunables=true
ProtectSystem=full
# Newer systemd can use ReadWritePaths to list files, but this works everywhere
ReadWriteDirectories=/etc/nftables
PrivateTmp=true
WorkingDirectory=/var/tmp
SyslogIdentifier=update-firehol-nftables
ExecStart=/usr/bin/flock -x update-firehol-nftables.lck \
/usr/local/bin/update-firehol-nftables.sh
[Install]
WantedBy=multi-user.target

View File

@@ -1,5 +1,5 @@
[Unit] [Unit]
Description=Update Spamhaus lists Description=Update FireHOL lists
[Timer] [Timer]
# Once a day at midnight # Once a day at midnight

View File

@@ -1,27 +0,0 @@
[Unit]
Description=Update Spamhaus lists
# This service will fail if nftables is not running so we use Requires to make
# sure that nftables is started.
Requires=nftables.service
# Make sure the network is up and nftables is started
After=network-online.target nftables.service
Wants=network-online.target update-spamhaus-nftables.timer
[Service]
# https://www.ctrl.blog/entry/systemd-service-hardening.html
# Doesn't need access to /home or /root
ProtectHome=true
# Possibly only works on Ubuntu 18.04+
ProtectKernelTunables=true
ProtectSystem=full
# Newer systemd can use ReadWritePaths to list files, but this works everywhere
ReadWriteDirectories=/etc/nftables
PrivateTmp=true
WorkingDirectory=/var/tmp
SyslogIdentifier=update-spamhaus-nftables
ExecStart=/usr/bin/flock -x update-spamhaus-nftables.lck \
/usr/local/bin/update-spamhaus-nftables.sh
[Install]
WantedBy=multi-user.target

View File

@@ -1,91 +0,0 @@
#!/usr/bin/env bash
#
# update-spamhaus-nftables.sh v0.0.1
#
# Download Spamhaus DROP lists and load them into nftables sets.
#
# See: https://www.spamhaus.org/drop/
#
# Copyright (C) 2021 Alan Orth
#
# SPDX-License-Identifier: GPL-3.0-only
# Exit on first error
set -o errexit
spamhaus_ipv4_set_path=/etc/nftables/spamhaus-ipv4.nft
spamhaus_ipv6_set_path=/etc/nftables/spamhaus-ipv6.nft
function download() {
echo "Downloading $1"
wget -q -O - "https://www.spamhaus.org/drop/$1" > "$1"
}
download drop.txt
download edrop.txt
download dropv6.txt
if [[ -f "drop.txt" && -f "edrop.txt" ]]; then
echo "Processing IPv4 DROP lists"
spamhaus_ipv4_list_temp=$(mktemp)
spamhaus_ipv4_set_temp=$(mktemp)
# Extract all networks from drop.txt and edrop.txt, skipping blank lines and
# comments. Use aggregate-cidr-addresses.pl to merge overlapping IPv4 CIDR
# ranges to work around a firewalld bug.
#
# See: https://bugzilla.redhat.com/show_bug.cgi?id=1836571
cat drop.txt edrop.txt | sed -e '/^$/d' -e '/^;.*/d' -e 's/[[:space:]];[[:space:]].*//' | aggregate-cidr-addresses.pl > "$spamhaus_ipv4_list_temp"
echo "Building spamhaus-ipv4 set"
cat << NFT_HEAD > "$spamhaus_ipv4_set_temp"
#!/usr/sbin/nft -f
define SPAMHAUS_IPV4 = {
NFT_HEAD
while read -r network; do
# nftables doesn't mind if the last element in the set has a trailing
# comma so we don't need to do anything special here.
echo "$network," >> "$spamhaus_ipv4_set_temp"
done < $spamhaus_ipv4_list_temp
echo "}" >> "$spamhaus_ipv4_set_temp"
install -m 0600 "$spamhaus_ipv4_set_temp" "$spamhaus_ipv4_set_path"
rm -f "$spamhaus_ipv4_list_temp" "$spamhaus_ipv4_set_temp"
fi
if [[ -f "dropv6.txt" ]]; then
echo "Processing IPv6 DROP lists"
spamhaus_ipv6_list_temp=$(mktemp)
spamhaus_ipv6_set_temp=$(mktemp)
sed -e '/^$/d' -e '/^;.*/d' -e 's/[[:space:]];[[:space:]].*//' dropv6.txt > "$spamhaus_ipv6_list_temp"
echo "Building spamhaus-ipv6 set"
cat << NFT_HEAD > "$spamhaus_ipv6_set_temp"
#!/usr/sbin/nft -f
define SPAMHAUS_IPV6 = {
NFT_HEAD
while read -r network; do
echo "$network," >> "$spamhaus_ipv6_set_temp"
done < $spamhaus_ipv6_list_temp
echo "}" >> "$spamhaus_ipv6_set_temp"
install -m 0600 "$spamhaus_ipv6_set_temp" "$spamhaus_ipv6_set_path"
rm -f "$spamhaus_ipv6_list_temp" "$spamhaus_ipv6_set_temp"
fi
echo "Reloading nftables"
# The spamhaus nftables sets are included by nftables.conf
/usr/sbin/nft -f /etc/nftables.conf
rm -v drop.txt edrop.txt dropv6.txt

View File

@@ -1,20 +1,27 @@
--- ---
# ansible.builtin.file: roles/common/handlers/main.yml # ansible.builtin.file: roles/common/handlers/main.yml
- name: reload sshd - name: Reload sshd
ansible.builtin.systemd: name={{ sshd_service_name }} state=reloaded ansible.builtin.systemd_service:
name: "{{ sshd_service_name }}"
state: reloaded
- name: reload sysctl - name: Reload sysctl
command: sysctl -p /etc/sysctl.conf ansible.builtin.command: sysctl -p /etc/sysctl.conf
- name: reload systemd - name: Reload systemd
ansible.builtin.systemd: daemon_reload=true ansible.builtin.systemd_service:
daemon_reload: true
- name: restart nftables - name: Restart nftables
ansible.builtin.systemd: name=nftables state=restarted ansible.builtin.systemd_service:
name: nftables
state: restarted
# 2021-09-28: note to self to keep fail2ban at the end, as handlers are executed # 2021-09-28: note to self to keep fail2ban at the end, as handlers are executed
# in the order they are defined, not in the order they are listed in the task's # in the order they are defined, not in the order they are listed in the task's
# notify statement and we must restart fail2ban after updating the firewall. # notify statement and we must restart fail2ban after updating the firewall.
- name: restart fail2ban - name: Restart fail2ban
ansible.builtin.systemd: name=fail2ban state=restarted ansible.builtin.systemd_service:
name: fail2ban
state: restarted

View File

@@ -1,12 +1,17 @@
--- ---
- name: Remove cron-apt
ansible.builtin.apt:
name: cron-apt
state: absent
cache_valid_time: 3600
- name: Configure cron-apt (config) - name: Remove cron-apt configs
ansible.builtin.copy: src={{ item.src }} dest={{ item.dest }} mode={{ item.mode }} owner={{ item.owner }} group={{ item.group }} ansible.builtin.file:
path: "{{ item }}"
state: absent
loop: loop:
- { src: 'etc/cron-apt/config', dest: '/etc/cron-apt/config', mode: '0644', owner: 'root', group: 'root' } - /etc/cron-apt/config
- { src: 'etc/cron-apt/3-download', dest: '/etc/cron-apt/action.d/3-download', mode: '0644', owner: 'root', group: 'root' } - /etc/cron-apt/action.d/3-download
- /etc/apt/security.sources.list
- name: Configure cron-apt (security)
ansible.builtin.template: src=security.sources.list.j2 dest=/etc/apt/security.sources.list mode=0644 owner=root group=root
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

View File

@@ -1,29 +1,39 @@
--- ---
- name: Install fail2ban
when: ansible_distribution_version is version('11', '>=')
ansible.builtin.apt:
name:
- fail2ban
- python3-systemd
state: present
cache_valid_time: 3600
- name: Configure fail2ban sshd filter - name: Configure fail2ban sshd filter
ansible.builtin.template: ansible.builtin.template:
src: etc/fail2ban/jail.d/sshd.local.j2 src: etc/fail2ban/jail.d/sshd.local.j2
dest: /etc/fail2ban/jail.d/sshd.local dest: /etc/fail2ban/jail.d/sshd.local
owner: root owner: root
mode: 0644 mode: "0644"
notify: restart fail2ban notify: Restart fail2ban
- name: Configure fail2ban nginx filter - name: Configure fail2ban nginx filter
when: when:
- webserver is defined and webserver == 'nginx'
- extra_fail2ban_filters is defined - extra_fail2ban_filters is defined
- "'nginx' in extra_fail2ban_filters" - "'nginx' in extra_fail2ban_filters"
ansible.builtin.template: ansible.builtin.template:
src: etc/fail2ban/jail.d/nginx.local.j2 src: etc/fail2ban/jail.d/nginx.local.j2
dest: /etc/fail2ban/jail.d/nginx.local dest: /etc/fail2ban/jail.d/nginx.local
owner: root owner: root
mode: 0644 mode: "0644"
notify: restart fail2ban notify: Restart fail2ban
- name: Create fail2ban service override directory - name: Create fail2ban service override directory
ansible.builtin.file: ansible.builtin.file:
path: /etc/systemd/system/fail2ban.service.d path: /etc/systemd/system/fail2ban.service.d
state: directory state: directory
owner: root owner: root
mode: 0755 mode: "0755"
# See Arch Linux's example: https://wiki.archlinux.org/index.php/Fail2ban # See Arch Linux's example: https://wiki.archlinux.org/index.php/Fail2ban
- name: Configure fail2ban service override - name: Configure fail2ban service override
@@ -31,13 +41,13 @@
src: etc/systemd/system/fail2ban.service.d/override.conf.j2 src: etc/systemd/system/fail2ban.service.d/override.conf.j2
dest: /etc/systemd/system/fail2ban.service.d/override.conf dest: /etc/systemd/system/fail2ban.service.d/override.conf
owner: root owner: root
mode: 0644 mode: "0644"
notify: notify:
- reload systemd - Reload systemd
- restart fail2ban - Restart fail2ban
- name: Start and enable fail2ban service - name: Start and enable fail2ban service
ansible.builtin.systemd: ansible.builtin.systemd_service:
name: fail2ban name: fail2ban
state: started state: started
enabled: true enabled: true

View File

@@ -0,0 +1,25 @@
---
# Debian 11+ will use nftables directly, with no firewalld.
- name: Install Debian firewall packages
when: ansible_distribution_version is version('11', '>=')
ansible.builtin.apt:
name: nftables
state: present
cache_valid_time: 3600
- name: Remove iptables on newer Debian
when: ansible_distribution_version is version('11', '>=')
ansible.builtin.apt:
pkg: iptables
state: absent
- name: Configure nftables
when: ansible_distribution_version is version('11', '>=')
ansible.builtin.include_tasks: nftables.yml
- name: Configure fail2ban
when: ansible_distribution_version is version('9', '>=')
ansible.builtin.include_tasks: fail2ban.yml
# vim: set sw=2 ts=2:

View File

@@ -1,84 +0,0 @@
---
# Debian 11 will use nftables directly, with no firewalld.
- block:
- name: Set Debian firewall packages
when: ansible_distribution_major_version is version('11', '>=')
ansible.builtin.set_fact:
debian_firewall_packages:
- fail2ban
- libnet-ip-perl # for aggregate-cidr-addresses.pl
- nftables
- python3-systemd
- curl # for nftables update scripts
- name: Install firewall packages
ansible.builtin.apt: pkg={{ debian_firewall_packages }} state=present cache_valid_time=3600
- name: Remove iptables on newer Debian
when: ansible_distribution_major_version is version('11', '>=')
ansible.builtin.apt: pkg=iptables state=absent
- name: Copy nftables.conf
when: ansible_distribution_major_version is version('11', '>=')
ansible.builtin.template: src=nftables.conf.j2 dest=/etc/nftables.conf owner=root mode=0644
notify:
- restart nftables
- restart fail2ban
- name: Create /etc/nftables extra config directory
when: ansible_distribution_major_version is version('11', '>=')
ansible.builtin.file: path=/etc/nftables state=directory owner=root mode=0755
- name: Copy extra nftables configuration files
when: ansible_distribution_major_version is version('11', '>=')
ansible.builtin.copy: src={{ item.src }} dest=/etc/nftables/{{ item.src }} owner=root group=root mode=0644 force={{ item.force }}
loop:
- { src: "spamhaus-ipv4.nft", force: "no" }
- { src: "spamhaus-ipv6.nft", force: "no" }
- { src: "abusech-ipv4.nft", force: "no" }
- { src: "abuseipdb-ipv4.nft", force: "yes" }
- { src: "abuseipdb-ipv6.nft", force: "yes" }
notify:
- restart nftables
- restart fail2ban
- name: Copy Spamhaus nftables update scripts
when: ansible_distribution_version is version('11', '>=')
ansible.builtin.copy: src={{ item }} dest=/usr/local/bin/{{ item }} mode=0755 owner=root group=root
loop:
- update-spamhaus-nftables.sh
- aggregate-cidr-addresses.pl
- update-abusech-nftables.sh
- name: Copy nftables systemd units
when: ansible_distribution_version is version('11', '>=')
ansible.builtin.copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root
loop:
- update-spamhaus-nftables.service
- update-spamhaus-nftables.timer
- update-abusech-nftables.service
- update-abusech-nftables.timer
register: nftables_systemd_units
# need to reload to pick up service/timer/environment changes
- name: Reload systemd daemon
ansible.builtin.systemd: daemon_reload=true
when: nftables_systemd_units is changed
- name: Start and enable nftables update timers
when: ansible_distribution_version is version('11', '>=')
ansible.builtin.systemd: name={{ item }} state=started enabled=true
loop:
- update-spamhaus-nftables.timer
- update-abusech-nftables.timer
- name: Start and enable nftables
when: ansible_distribution_major_version is version('11', '>=')
ansible.builtin.systemd: name=nftables state=started enabled=true
- ansible.builtin.include_tasks: fail2ban.yml
when: ansible_distribution_major_version is version('9', '>=')
tags: firewall
# vim: set sw=2 ts=2:

View File

@@ -1,84 +0,0 @@
---
# Ubuntu 20.04 will use nftables directly, with no firewalld.
- block:
- name: Set Ubuntu firewall packages
when: ansible_distribution_version is version('20.04', '>=')
ansible.builtin.set_fact:
ubuntu_firewall_packages:
- fail2ban
- libnet-ip-perl # for aggregate-cidr-addresses.pl
- nftables
- python3-systemd
- curl # for nftables update scripts
- name: Install firewall packages
ansible.builtin.apt: pkg={{ ubuntu_firewall_packages }} state=present cache_valid_time=3600
- name: Remove ufw
when: ansible_distribution_version is version('16.04', '>=')
ansible.builtin.apt: pkg=ufw state=absent
- name: Copy nftables.conf
when: ansible_distribution_version is version('20.04', '>=')
ansible.builtin.template: src=nftables.conf.j2 dest=/etc/nftables.conf owner=root mode=0644
notify:
- restart nftables
- restart fail2ban
- name: Create /etc/nftables extra config directory
when: ansible_distribution_version is version('20.04', '>=')
ansible.builtin.file: path=/etc/nftables state=directory owner=root mode=0755
- name: Copy extra nftables configuration files
when: ansible_distribution_version is version('20.04', '>=')
ansible.builtin.copy: src={{ item.src }} dest=/etc/nftables/{{ item.src }} owner=root group=root mode=0644 force={{ item.force }}
loop:
- { src: "spamhaus-ipv4.nft", force: "no" }
- { src: "spamhaus-ipv6.nft", force: "no" }
- { src: "abusech-ipv4.nft", force: "no" }
- { src: "abuseipdb-ipv4.nft", force: "yes" }
- { src: "abuseipdb-ipv6.nft", force: "yes" }
notify:
- restart nftables
- restart fail2ban
- name: Copy nftables update scripts
when: ansible_distribution_version is version('20.04', '>=')
ansible.builtin.copy: src={{ item }} dest=/usr/local/bin/{{ item }} mode=0755 owner=root group=root
loop:
- update-spamhaus-nftables.sh
- aggregate-cidr-addresses.pl
- update-abusech-nftables.sh
- name: Copy nftables systemd units
when: ansible_distribution_version is version('20.04', '>=')
ansible.builtin.copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root
loop:
- update-spamhaus-nftables.service
- update-spamhaus-nftables.timer
- update-abusech-nftables.service
- update-abusech-nftables.timer
register: nftables_systemd_units
# need to reload to pick up service/timer/environment changes
- name: Reload systemd daemon
ansible.builtin.systemd: daemon_reload=true
when: nftables_systemd_units is changed
- name: Start and enable nftables update timers
when: ansible_distribution_version is version('20.04', '>=')
ansible.builtin.systemd: name={{ item }} state=started enabled=true
loop:
- update-spamhaus-nftables.timer
- update-abusech-nftables.timer
- name: Start and enable nftables
when: ansible_distribution_version is version('20.04', '>=')
ansible.builtin.systemd: name=nftables state=started enabled=true
- ansible.builtin.include_tasks: fail2ban.yml
when: ansible_distribution_version is version('16.04', '>=')
tags: firewall
# vim: set sw=2 ts=2:

View File

@@ -1,6 +1,6 @@
--- ---
- name: Import OS-specific variables - name: Import OS-specific variables
ansible.builtin.include_vars: "vars/{{ ansible_distribution }}.yml" ansible.builtin.include_vars: vars/{{ ansible_distribution }}.yml
tags: always tags: always
- name: Configure network time - name: Configure network time
@@ -8,23 +8,11 @@
tags: ntp tags: ntp
- name: Install common packages - name: Install common packages
ansible.builtin.include_tasks: packages_Debian.yml ansible.builtin.include_tasks: packages.yml
when: ansible_distribution == 'Debian'
tags: packages
- name: Install common packages
ansible.builtin.include_tasks: packages_Ubuntu.yml
when: ansible_distribution == 'Ubuntu'
tags: packages tags: packages
- name: Configure firewall - name: Configure firewall
ansible.builtin.include_tasks: firewall_Debian.yml ansible.builtin.import_tasks: firewall.yml
when: ansible_distribution == 'Debian'
tags: firewall
- name: Configure firewall
ansible.builtin.include_tasks: firewall_Ubuntu.yml
when: ansible_distribution == 'Ubuntu'
tags: firewall tags: firewall
- name: Configure secure shell daemon - name: Configure secure shell daemon
@@ -34,13 +22,23 @@
# containers identify as virtualization hosts, which makes this tricky, because we have actual Debian VM hosts! # containers identify as virtualization hosts, which makes this tricky, because we have actual Debian VM hosts!
- name: Reconfigure /etc/sysctl.conf - name: Reconfigure /etc/sysctl.conf
when: ansible_virtualization_role != 'host' when: ansible_virtualization_role != 'host'
ansible.builtin.template: src=sysctl_{{ ansible_distribution }}.j2 dest=/etc/sysctl.conf owner=root group=root mode=0644 ansible.builtin.template:
src: "sysctl_{{ ansible_distribution }}.j2"
dest: /etc/sysctl.conf
owner: root
group: root
mode: "0644"
notify: notify:
- reload sysctl - Reload sysctl
tags: sysctl tags: sysctl
- name: Set I/O scheduler - name: Set I/O scheduler
ansible.builtin.template: src=etc/udev/rules.d/60-scheduler.rules.j2 dest=/etc/udev/rules.d/60-scheduler.rules owner=root group=root mode=0644 ansible.builtin.template:
src: etc/udev/rules.d/60-scheduler.rules.j2
dest: /etc/udev/rules.d/60-scheduler.rules
owner: root
group: root
mode: "0644"
tags: udev tags: udev
- name: Copy admin SSH keys - name: Copy admin SSH keys

View File

@@ -0,0 +1,96 @@
---
# Common nftables tasks for Debian 11 and Debian 12.
- name: Copy nftables.conf
ansible.builtin.template:
src: nftables.conf.j2
dest: /etc/nftables.conf
owner: root
mode: "0644"
notify:
- Restart nftables
- Restart fail2ban
- name: Create /etc/nftables extra config directory
ansible.builtin.file:
path: /etc/nftables
state: directory
owner: root
mode: "0755"
- name: Copy extra nftables configuration files
ansible.builtin.copy:
src: "{{ item.src }}"
dest: /etc/nftables/{{ item.src }}
owner: root
group: root
mode: "0644"
force: "{{ item.force }}"
loop:
- { src: firehol_level1-ipv4.nft, force: false }
notify:
- Restart nftables
- Restart fail2ban
- name: Copy nftables update scripts
ansible.builtin.template:
src: update-firehol-nftables.sh.j2
dest: /usr/local/bin/update-firehol-nftables.sh
mode: "0755"
owner: root
group: root
- name: Remove deprecated data and scripts
ansible.builtin.file:
path: "{{ item }}"
state: absent
loop:
- /etc/nftables/spamhaus-ipv4.nft
- /etc/nftables/spamhaus-ipv6.nft
- /etc/nftables/abuseipdb-ipv4.nft
- /etc/nftables/abuseipdb-ipv6.nft
- /etc/nftables/abusech-ipv4.nft
- /usr/local/bin/update-abusech-nftables.sh
- /usr/local/bin/update-spamhaus-nftables.sh
- /etc/systemd/system/update-abusech-nftables.service
- /etc/systemd/system/update-abusech-nftables.timer
- /etc/systemd/system/update-spamhaus-nftables.service
- /etc/systemd/system/update-spamhaus-nftables.timer
- /usr/local/bin/aggregate-cidr-addresses.pl
notify:
- Restart nftables
- Restart fail2ban
- name: Copy nftables systemd units
ansible.builtin.copy:
src: "{{ item }}"
dest: /etc/systemd/system/{{ item }}
mode: "0644"
owner: root
group: root
loop:
- update-firehol-nftables.service
- update-firehol-nftables.timer
register: nftables_systemd_units
# need to reload to pick up service/timer/environment changes
- name: Reload systemd daemon
when: nftables_systemd_units is changed
ansible.builtin.systemd_service: # noqa no-handler
daemon_reload: true
- name: Start and enable nftables update timers
ansible.builtin.systemd_service:
name: "{{ item }}"
state: started
enabled: true
loop:
- update-firehol-nftables.timer
- name: Start and enable nftables
ansible.builtin.systemd_service:
name: nftables
state: started
enabled: true
# vim: set sw=2 ts=2:

View File

@@ -1,27 +1,40 @@
--- ---
# Hosts running Ubuntu 16.04+ and Debian 9+ use systemd init system and should # Hosts running Debian 9+ use systemd init system and can use systemd-timesyncd
# use systemd-timesyncd as a network time client instead of the standalone ntp # as a network time client instead of the standalone ntp client.
# client.
- name: Set timezone - name: Set timezone
when: timezone is defined and ansible_service_mgr == 'systemd' when:
command: /usr/bin/timedatectl set-timezone {{ timezone }} - timezone is defined
- ansible_service_mgr == 'systemd'
community.general.timezone:
name: "{{ timezone }}"
tags: timezone tags: timezone
# Apparently some cloud images don't have this installed by default. From what # Apparently some cloud images don't have this installed by default. From what
# I can see on existing servers, systemd-timesyncd is a standalone package on # I can see on existing servers, systemd-timesyncd is a standalone package on
# Ubuntu 20.04 and Debian 11. # Debian 11 and Debian 12.
- name: Install systemd-timesyncd - name: Install systemd-timesyncd
when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or when: ansible_distribution_version is version('11', '>=')
(ansible_distribution == 'Debian' and ansible_distribution_version is version('11', '==')) ansible.builtin.apt:
ansible.builtin.apt: name=systemd-timesyncd state=present cache_valid_time=3600 name: systemd-timesyncd
state: present
cache_valid_time: 3600
- name: Start and enable systemd's NTP client - name: Start and enable systemd's NTP client
when: ansible_service_mgr == 'systemd' when: ansible_service_mgr == 'systemd'
ansible.builtin.systemd: name=systemd-timesyncd state=started enabled=true ansible.builtin.systemd_service:
name: systemd-timesyncd
state: started
enabled: true
- name: Uninstall ntp on modern Ubuntu/Debian # On Debian 12 ntp doesn't conflict with systemd-timesyncd so we should try to
ansible.builtin.apt: name=ntp state=absent # remove it to be sure.
when: ansible_service_mgr == 'systemd' - name: Uninstall ntp on Debian 12
when:
- ansible_service_mgr == 'systemd'
- ansible_distribution_major_version is version('12', '==')
ansible.builtin.apt:
name: ntp
state: absent
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

View File

@@ -1,10 +1,23 @@
--- ---
- name: Configure Debian packages - name: Configure Debian packages
tags: packages
block: block:
# Scaleway seems to use a weird sources.list format as of Debian 12?
- name: Check for weird Debian sources
ansible.builtin.stat:
path: /etc/apt/sources.list.d/debian.sources
register: weird_debian_sources_stat
- name: Configure apt mirror - name: Configure apt mirror
ansible.builtin.template: src=sources.list.j2 dest=/etc/apt/sources.list owner=root group=root mode=0644 when:
when: ansible_architecture != 'armv7l' - ansible_architecture != 'armv7l'
- not weird_debian_sources_stat
ansible.builtin.template:
src: sources.list.j2
dest: /etc/apt/sources.list
owner: root
group: root
mode: "0644"
- name: Set fact for base packages - name: Set fact for base packages
ansible.builtin.set_fact: ansible.builtin.set_fact:
@@ -15,7 +28,6 @@
- iotop - iotop
- htop - htop
- strace - strace
- cron-apt
- safe-rm - safe-rm
- debian-goodies - debian-goodies
- mosh - mosh
@@ -27,16 +39,19 @@
- zstd - zstd
- rsync - rsync
- lsof - lsof
- unattended-upgrades
- name: Install base packages - name: Install base packages
ansible.builtin.apt: name={{ base_packages }} state=present cache_valid_time=3600 ansible.builtin.apt:
name: "{{ base_packages }}"
state: present
cache_valid_time: 3600
- name: Configure cron-apt - name: Remove cron-apt
ansible.builtin.import_tasks: cron-apt.yml
tags: cron-apt tags: cron-apt
ansible.builtin.import_tasks: cron-apt.yml
- name: Install tarsnap - name: Install tarsnap
ansible.builtin.import_tasks: tarsnap.yml ansible.builtin.import_tasks: tarsnap.yml
tags: packages
# vim: set sw=2 ts=2: # vim: set sw=2 ts=2:

View File

@@ -1,93 +0,0 @@
---
- name: Configure Ubuntu packages
block:
- name: Configure apt mirror
ansible.builtin.template: src=sources.list.j2 dest=/etc/apt/sources.list owner=root group=root mode=0644
when: ansible_architecture != 'armv7l'
- name: Upgrade base OS
ansible.builtin.apt: upgrade=dist cache_valid_time=3600
- name: Set Ubuntu base packages
ansible.builtin.set_fact:
ubuntu_base_packages:
- git
- git-lfs
- tmux
- iotop
- htop
- strace
- cron-apt
- safe-rm
- debian-goodies
- mosh
- python-pycurl # for ansible's apt_repository
- vim
- unzip
- apt-transport-https # for https support in apt
- zstd
- rsync
- lsof
- name: Install base packages
ansible.builtin.apt: pkg={{ ubuntu_base_packages }} state=present cache_valid_time=3600
# We have to remove snaps one by one in a specific order because some depend
# on others. Only after that can we remove the corresponding system packages.
- name: Remove lxd snap
community.general.snap: name=lxd state=absent
when: ansible_distribution_version is version('20.04', '==')
ignore_errors: true
- name: Remove core18 snap
community.general.snap: name=core18 state=absent
when: ansible_distribution_version is version('20.04', '==')
ignore_errors: true
- name: Remove snapd snap
community.general.snap: name=snapd state=absent
when: ansible_distribution_version is version('20.04', '==')
ignore_errors: true
- name: Set fact for packages to remove (Ubuntu 20.04)
ansible.builtin.set_fact:
ubuntu_annoying_packages:
- whoopsie # security (CIS 4.1)
- apport # security (CIS 4.1)
- command-not-found # annoying
- command-not-found-data # annoying
- python3-commandnotfound # annoying
- snapd # annoying (Ubuntu >= 16.04)
- lxd-agent-loader # annoying (Ubuntu 20.04)
when: ansible_distribution_version is version('20.04', '==')
- name: Remove packages
ansible.builtin.apt: name={{ ubuntu_annoying_packages }} state=absent purge=true
- name: Disable annoying Canonical spam in MOTD
ansible.builtin.file: path={{ item }} mode=0644 state=absent
loop:
- /etc/update-motd.d/99-esm # Ubuntu 14.04
- /etc/update-motd.d/10-help-text # Ubuntu 14.04+
- /etc/update-motd.d/50-motd-news # Ubuntu 18.04+
- /etc/update-motd.d/80-esm # Ubuntu 18.04+
- /etc/update-motd.d/80-livepatch # Ubuntu 18.04+
ignore_errors: true
- name: Disable annoying Canonical spam in MOTD
ansible.builtin.systemd: name={{ item }} state=stopped enabled=no
when: ansible_service_mgr == 'systemd'
loop:
- motd-news.service
- motd-news.timer
- name: Configure cron-apt
ansible.builtin.import_tasks: cron-apt.yml
tags: cron-apt
- name: Install tarsnap
ansible.builtin.import_tasks: tarsnap.yml
tags: packages
# vim: set sw=2 ts=2:

View File

@@ -1,9 +1,11 @@
--- ---
- name: Zero .ssh/authorized_keys for provisioning user - name: Zero .ssh/authorized_keys for provisioning user
ansible.builtin.file: dest={{ provisioning_user.home }}/.ssh/authorized_keys state=absent ansible.builtin.file:
dest: "{{ provisioning_user.home }}/.ssh/authorized_keys"
state: absent
- name: Add public keys to authorized_keys - name: Add public keys to authorized_keys
ansible.posix.authorized_key: { user: '{{ provisioning_user.name }}', key: "{{ lookup('file',item) }}" } ansible.posix.authorized_key: { user: "{{ provisioning_user.name }}", key: "{{ lookup('file', item) }}" }
with_fileglob: with_fileglob:
# use descriptive names for keys, like: aorth-mzito-rsa.pub # use descriptive names for keys, like: aorth-mzito-rsa.pub
- ssh-pub-keys/*.pub - ssh-pub-keys/*.pub

View File

@@ -1,17 +1,26 @@
--- ---
# Only override the system sshd configuration on older Debian.
# SSH configs don't change in Debian minor versions
- name: Reconfigure /etc/ssh/sshd_config - name: Reconfigure /etc/ssh/sshd_config
ansible.builtin.template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0600 when: ansible_distribution_version is version('12', '<=')
when: ansible_distribution == 'Debian' ansible.builtin.template:
notify: reload sshd src: "sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.j2"
dest: /etc/ssh/sshd_config
owner: root
group: root
mode: "0600"
notify: Reload sshd
# Ubuntu is the only distro we have where SSH version is very different from 14.04 -> 14.10, # Newer OpenSSH versions support including extra configuration. The includes
# ie with new ciphers supported etc. # happen at the beginning of the file and the first value to be read is used.
- name: Reconfigure /etc/ssh/sshd_config - name: Configure sshd_config.d overrides
ansible.builtin.template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0600 when: ansible_distribution_version is version('13', '>=')
when: ansible_distribution == 'Ubuntu' ansible.builtin.template:
notify: reload sshd src: etc/ssh/sshd_config.d/01-{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.conf.j2
dest: /etc/ssh/sshd_config.d/01-custom.conf
owner: root
group: root
mode: "0600"
notify: Reload sshd
# See: WeakDH (2015): https://weakdh.org/sysadmin.html # See: WeakDH (2015): https://weakdh.org/sysadmin.html
- name: Remove small Diffie-Hellman SSH moduli - name: Remove small Diffie-Hellman SSH moduli
@@ -24,28 +33,30 @@
register: check_unsafe_moduli register: check_unsafe_moduli
- name: Extract safe Diffie-Hellman SSH moduli - name: Extract safe Diffie-Hellman SSH moduli
when: check_unsafe_moduli.stdout | length > 0
ansible.builtin.shell: ansible.builtin.shell:
cmd: awk '$5 >= 3071' moduli > moduli.safe cmd: awk '$5 >= 3071' moduli > moduli.safe
chdir: /etc/ssh chdir: /etc/ssh
creates: moduli.safe creates: moduli.safe
when: check_unsafe_moduli.stdout | length > 0
register: extract_safe_moduli register: extract_safe_moduli
- name: Replace unsafe Diffie-Hellman SSH moduli - name: Replace unsafe Diffie-Hellman SSH moduli
when: extract_safe_moduli is changed
ansible.builtin.command: ansible.builtin.command:
cmd: mv moduli.safe moduli cmd: mv moduli.safe moduli
chdir: /etc/ssh chdir: /etc/ssh
register: replace_small_moduli register: replace_small_moduli
when: extract_safe_moduli is changed notify: Reload sshd
notify: reload sshd
- name: Remove DSA and ECDSA host keys - name: Remove DSA and ECDSA host keys
ansible.builtin.file: name=/etc/ssh/{{ item }} state=absent ansible.builtin.file:
name: "/etc/ssh/{{ item }}"
state: absent
loop: loop:
- ssh_host_dsa_key - ssh_host_dsa_key
- ssh_host_dsa_key.pub - ssh_host_dsa_key.pub
- ssh_host_ecdsa_key - ssh_host_ecdsa_key
- ssh_host_ecdsa_key.pub - ssh_host_ecdsa_key.pub
notify: reload sshd notify: Reload sshd
# vim: set sw=2 ts=2: # vim: set sw=2 ts=2:

View File

@@ -1,24 +1,45 @@
--- ---
- name: Add Tarsnap apt mirror - name: Check tarsnap apt signing key
ansible.builtin.template: src=tarsnap_sources.list.j2 dest=/etc/apt/sources.list.d/tarsnap.list owner=root group=root mode=0644 ansible.builtin.stat:
register: add_tarsnap_apt_repository path: /etc/apt/keyrings/tarsnap-deb-packaging-key.asc
when: ansible_architecture != 'armv7l' register: tarsnap_signing_key_stat
- name: Add GPG key for Tarsnap - name: Download tarsnap apt signing key
ansible.builtin.apt_key: id=0xBF75EEAB040E447C url=https://pkg.tarsnap.com/tarsnap-deb-packaging-key.asc state=present when: not tarsnap_signing_key_stat.stat.exists
register: add_tarsnap_apt_key ansible.builtin.get_url:
url: https://pkg.tarsnap.com/tarsnap-deb-packaging-key.asc
dest: /etc/apt/keyrings/tarsnap-deb-packaging-key.asc
owner: root
group: root
mode: "0644"
register: download_tarsnap_signing_key
- name: Add tarsnap.org repo
when: ansible_architecture != 'armv7l'
ansible.builtin.template:
src: tarsnap_sources.list.j2
dest: /etc/apt/sources.list.d/tarsnap.list
owner: root
group: root
mode: "0644"
register: add_tarsnap_apt_repository
- name: Update apt cache - name: Update apt cache
ansible.builtin.apt: when: (download_tarsnap_signing_key.status_code is defined and download_tarsnap_signing_key.status_code == 200) or add_tarsnap_apt_repository is changed
ansible.builtin.apt: # noqa no-handler
update_cache: true update_cache: true
when:
add_tarsnap_apt_key is changed or
add_tarsnap_apt_repository is changed
- name: Install tarsnap - name: Install tarsnap
ansible.builtin.apt: pkg=tarsnap cache_valid_time=3600 ansible.builtin.apt:
pkg: tarsnap
cache_valid_time: 3600
- name: Copy tarsnaprc - name: Copy tarsnaprc
ansible.builtin.copy: src=tarsnaprc dest=/root/.tarsnaprc owner=root group=root mode=0600 ansible.builtin.copy:
src: tarsnaprc
dest: /root/.tarsnaprc
owner: root
group: root
mode: "0600"
# vim: set sw=2 ts=2: # vim: set sw=2 ts=2:

View File

@@ -0,0 +1,40 @@
{{ ansible_managed | comment }}
HostKey /etc/ssh/ssh_host_ed25519_key
# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear
# audit track of which key was using to log in.
LogLevel VERBOSE
MaxAuthTries 4
AuthorizedKeysFile .ssh/authorized_keys
# To disable tunneled clear text passwords, change to no here!
{% if ssh_password_authentication == 'disabled' %}
PasswordAuthentication no
{% else %}
PasswordAuthentication yes
{% endif %}
X11Forwarding no
# Based on the ssh-audit profile for Debian 13, but with but with all algos with
# less than 256 bits removed, as NSA's Suite B removed them years ago and the
# new (2018) CNSA suite is 256 bits and up.
#
# See: ssh-audit.py -P "Hardened Debian 13 (version 1)"
# See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms mlkem768x25519-sha256,sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com
{% if ssh_allowed_users is defined and ssh_allowed_users %}
AllowUsers {{ ssh_allowed_users|join(" ") }} {{ provisioning_user.name }}
{% endif %}
PerSourcePenaltyExemptList {{ fail2ban_ignoreip | replace(" ", ",") }}
# Mask to use for IPv4 and IPv6 respectively when applying network penalties.
# The default is 32:128.
PerSourceNetBlockSize 24:56

View File

@@ -1,15 +1,19 @@
[Unit]
# If nftables is stopped or restarted, propagate to fail2ban as well
PartOf=nftables.service
[Service] [Service]
PrivateDevices=yes PrivateDevices=yes
PrivateTmp=yes PrivateTmp=yes
ProtectHome=read-only ProtectHome=read-only
{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11','>=')) %} {% if ansible_distribution_version is version('11','>=') %}
ProtectSystem=strict ProtectSystem=strict
{% else %} {% else %}
{# Older systemd versions don't have ProtectSystem=strict #} {# Older systemd versions don't have ProtectSystem=strict #}
ProtectSystem=full ProtectSystem=full
{% endif %} {% endif %}
NoNewPrivileges=yes NoNewPrivileges=yes
{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11','>=')) %} {% if ansible_distribution_version is version('11','>=') %}
ReadWritePaths=-/var/run/fail2ban ReadWritePaths=-/var/run/fail2ban
ReadWritePaths=-/var/lib/fail2ban ReadWritePaths=-/var/lib/fail2ban
ReadWritePaths=-/var/log/fail2ban.log ReadWritePaths=-/var/log/fail2ban.log

View File

@@ -5,47 +5,18 @@
flush ruleset flush ruleset
# Lists updated daily by update-spamhaus-nftables.sh # List updated daily by update-firehol-nftables.sh
include "/etc/nftables/spamhaus-ipv4.nft" include "/etc/nftables/firehol_level1-ipv4.nft"
include "/etc/nftables/spamhaus-ipv6.nft"
# Lists updated monthly (manually)
include "/etc/nftables/abuseipdb-ipv4.nft"
include "/etc/nftables/abuseipdb-ipv6.nft"
# Lists updated daily by update-abusech-nftables.sh
include "/etc/nftables/abusech-ipv4.nft"
# Notes: # Notes:
# - tables hold chains, chains hold rules # - tables hold chains, chains hold rules
# - inet is for both ipv4 and ipv6 # - inet is for both ipv4 and ipv6
table inet filter { table inet filter {
set spamhaus-ipv4 { set firehol_level1-ipv4 {
type ipv4_addr type ipv4_addr
# if the set contains prefixes we need to use the interval flag # if the set contains prefixes we need to use the interval flag
flags interval flags interval
elements = $SPAMHAUS_IPV4 elements = $FIREHOL_LEVEL1_IPV4
}
set spamhaus-ipv6 {
type ipv6_addr
flags interval
elements = $SPAMHAUS_IPV6
}
set abusech-ipv4 {
type ipv4_addr
elements = $ABUSECH_IPV4
}
set abuseipdb-ipv4 {
type ipv4_addr
elements = $ABUSEIPDB_IPV4
}
set abuseipdb-ipv6 {
type ipv6_addr
elements = $ABUSEIPDB_IPV6
} }
chain input { chain input {
@@ -55,13 +26,7 @@ table inet filter {
ct state invalid counter drop comment "Early drop of invalid connections" ct state invalid counter drop comment "Early drop of invalid connections"
ip saddr @spamhaus-ipv4 counter drop comment "Early drop of incoming packets matching spamhaus-ipv4 list" ip saddr @firehol_level1-ipv4 counter drop comment "Early drop of incoming packets matching firehol_level1-ipv4 list"
ip6 saddr @spamhaus-ipv6 counter drop comment "Early drop of incoming packets matching spamhaus-ipv6 list"
ip saddr @abusech-ipv4 counter drop comment "Early drop of packets matching abusech-ipv4 list"
ip saddr @abuseipdb-ipv4 counter drop comment "Early drop of incoming packets matching abuseipdb-ipv4 list"
ip6 saddr @abuseipdb-ipv6 counter drop comment "Early drop of incoming packets matching abuseipdb-ipv6 list"
iifname lo accept comment "Allow from loopback" iifname lo accept comment "Allow from loopback"
@@ -105,12 +70,6 @@ table inet filter {
chain output { chain output {
type filter hook output priority 0; type filter hook output priority 0;
ip daddr @spamhaus-ipv4 counter drop comment "Drop outgoing packets matching spamhaus-ipv4 list" ip daddr @firehol_level1-ipv4 counter drop comment "Drop outgoing packets matching firehol_level1-ipv4 list"
ip6 daddr @spamhaus-ipv6 counter drop comment "Drop outgoing packets matching spamhaus-ipv6 list"
ip daddr @abusech-ipv4 counter drop comment "Drop outgoing packets matching abusech-ipv4 list"
ip daddr @abuseipdb-ipv4 counter drop comment "Drop outgoing packets matching abuseipdb-ipv4 list"
ip6 daddr @abuseipdb-ipv6 counter drop comment "Drop outgoing packets matching abuseipdb-ipv6 list"
} }
} }

View File

@@ -1,5 +0,0 @@
{% if ansible_distribution == 'Ubuntu' %}
deb http://security.ubuntu.com/ubuntu {{ ansible_distribution_release }}-security main restricted universe multiverse
{% elif ansible_distribution == 'Debian' %}
deb http://security.debian.org/debian-security {{ ansible_distribution_release }}/updates main contrib non-free
{% endif %}

View File

@@ -1,16 +1,6 @@
{% if ansible_distribution == 'Ubuntu' %}
{% set apt_mirror = apt_mirror | default("ubuntu.mirror.ac.ke") %}
deb http://{{ apt_mirror }}/ubuntu/ {{ ansible_distribution_release }} main restricted universe multiverse
deb http://{{ apt_mirror }}/ubuntu/ {{ ansible_distribution_release }}-updates main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu/ {{ ansible_distribution_release }}-security main restricted universe multiverse
{% else %}
{% set apt_mirror = apt_mirror | default('deb.debian.org') %} {% set apt_mirror = apt_mirror | default('deb.debian.org') %}
deb http://{{ apt_mirror }}/debian/ {{ ansible_distribution_release }} main contrib non-free deb http://{{ apt_mirror }}/debian/ {{ ansible_distribution_release }} main contrib non-free
deb http://security.debian.org/debian-security {{ ansible_distribution_release }}-security main contrib non-free deb http://security.debian.org/debian-security {{ ansible_distribution_release }}-security main contrib non-free
deb http://{{ apt_mirror }}/debian/ {{ ansible_distribution_release }}-updates main contrib non-free deb http://{{ apt_mirror }}/debian/ {{ ansible_distribution_release }}-updates main contrib non-free
{% endif %} {# ansible_distribution #}

View File

@@ -56,7 +56,11 @@ AuthorizedKeysFile .ssh/authorized_keys
#IgnoreRhosts yes #IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here! # To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes {% if ssh_password_authentication == 'disabled' %}
PasswordAuthentication no
{% else %}
PasswordAuthentication yes
{% endif %}
#PermitEmptyPasswords no #PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with # Change to yes to enable challenge-response passwords (beware issues with
@@ -131,8 +135,7 @@ Subsystem sftp /usr/lib/openssh/sftp-server
# See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite # See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
{% if ssh_allowed_users is defined and ssh_allowed_users %} {% if ssh_allowed_users is defined and ssh_allowed_users %}
# Is there a list of allowed users? # Is there a list of allowed users?

View File

@@ -1,9 +1,8 @@
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See # This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information. # sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin # This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/bin:/usr/games
# The strategy used for options in the default sshd_config shipped with # The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where # OpenSSH is to specify options with their default value where
@@ -18,6 +17,7 @@ Include /etc/ssh/sshd_config.d/*.conf
#ListenAddress :: #ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying # Ciphers and keying
@@ -56,12 +56,16 @@ AuthorizedKeysFile .ssh/authorized_keys
#IgnoreRhosts yes #IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here! # To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes {% if ssh_password_authentication == 'disabled' %}
PasswordAuthentication no
{% else %}
PasswordAuthentication yes
{% endif %}
#PermitEmptyPasswords no #PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with # Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads) # some PAM modules and threads)
ChallengeResponseAuthentication no KbdInteractiveAuthentication no
# Kerberos options # Kerberos options
#KerberosAuthentication no #KerberosAuthentication no
@@ -77,13 +81,13 @@ ChallengeResponseAuthentication no
# Set this to 'yes' to enable PAM authentication, account processing, # Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will # and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and # be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication. Depending on your PAM configuration, # PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass # PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin without-password". # the setting of "PermitRootLogin prohibit-password".
# If you just want the PAM account and session checks to run without # If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication # PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'. # and KbdInteractiveAuthentication to 'no'.
UsePAM yes UsePAM yes
#AllowAgentForwarding yes #AllowAgentForwarding yes
@@ -101,7 +105,7 @@ PrintMotd no
#ClientAliveInterval 0 #ClientAliveInterval 0
#ClientAliveCountMax 3 #ClientAliveCountMax 3
#UseDNS no #UseDNS no
#PidFile /var/run/sshd.pid #PidFile /run/sshd.pid
#MaxStartups 10:30:100 #MaxStartups 10:30:100
#PermitTunnel no #PermitTunnel no
#ChrootDirectory none #ChrootDirectory none
@@ -122,14 +126,16 @@ Subsystem sftp /usr/lib/openssh/sftp-server
# AllowTcpForwarding no # AllowTcpForwarding no
# PermitTTY no # PermitTTY no
# ForceCommand cvs server # ForceCommand cvs server
PasswordAuthentication yes
# Originally from: https://stribika.github.io/2015/01/04/secure-secure-shell.html # Based on the ssh-audit profile for OpenSSH 9.2, but with but with all algos
# ... but with ciphers and MACs with < 256 bits removed, as NSA's Suite B now # with less than 256 bits removed, as NSA's Suite B removed them years ago and
# does away with these! See: https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml # the new (2018) CNSA suite is 256 bits and up.
#
# See: https://github.com/jtesta/ssh-audit/blob/master/src/ssh_audit/policy.py
# See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
{% if ssh_allowed_users is defined and ssh_allowed_users %} {% if ssh_allowed_users is defined and ssh_allowed_users %}
# Is there a list of allowed users? # Is there a list of allowed users?

View File

@@ -1,100 +0,0 @@
#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additional system variables
# See sysctl.conf (5) for information.
#
#kernel.domainname = example.com
# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3
##############################################################3
# Functions previously found in netbase
#
# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1
# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1
# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1
# Uncomment the next line to enable packet forwarding for IPv6
# Enabling this option disables Stateless Address Autoconfiguration
# based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1
###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#
# CIS Benchmark Adjustments
# See: https://github.com/alanorth/securekickstarts
kernel.randomize_va_space = 2
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_syncookies = 1
# TCP stuff
# See: http://fasterdata.es.net/host-tuning/linux/
# increase TCP max buffer size settable using setsockopt()
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
# increase Linux autotuning TCP buffer limit
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
# increase the length of the processor input queue
net.core.netdev_max_backlog = 30000
# recommended for hosts with jumbo frames enabled
#net.ipv4.tcp_mtu_probing=1
# increase quadruplets (src ip, src port, dest ip, dest port)
# see: http://vincent.bernat.im/en/blog/2014-tcp-time-wait-state-linux.html
net.ipv4.ip_local_port_range = 10240 65535
# recommended for web servers, especially if running SPDY
# see: http://www.chromium.org/spdy/spdy-best-practices
net.ipv4.tcp_slow_start_after_idle = 0

View File

@@ -1 +1 @@
deb [arch=amd64] https://pkg.tarsnap.com/deb/{{ ansible_distribution_release }} ./ deb [arch=amd64 signed-by=/etc/apt/keyrings/tarsnap-deb-packaging-key.asc] https://pkg.tarsnap.com/deb/{{ ansible_distribution_release }} ./

View File

@@ -0,0 +1,65 @@
#!/usr/bin/env bash
#
# update-firehol-nftables.sh v0.0.1
#
# Download FireHOL lists and load them into nftables sets.
#
# See: https://iplists.firehol.org/
#
# Copyright (C) 2025 Alan Orth
#
# SPDX-License-Identifier: GPL-3.0-only
# Exit on first error
set -o errexit
firehol_level1_ipv4_set_path=/etc/nftables/firehol_level1-ipv4.nft
function download() {
echo "Downloading $1"
wget -q -O - "https://iplists.firehol.org/files/$1" > "$1"
}
download firehol_level1.netset
if [[ -f "firehol_level1.netset" ]]; then
echo "Processing FireHOL Level 1 list"
firehol_level1_ipv4_list_temp=$(mktemp)
firehol_level1_ipv4_set_temp=$(mktemp)
# Filter blank lines, comments, and bogons we use inside the LAN, DMZ, and
# for local services like systemd-resolved and others on localhost. Ideally
# these are blocked already at the WAN side by network administrators.
cat firehol_level1.netset \
| sed \
-e '/^$/d' \
-e '/^#.*/d' \
-e '/^127\.0\.0\.0\/8/d' \
> "$firehol_level1_ipv4_list_temp"
echo "Building firehol_level1-ipv4 set"
cat << NFT_HEAD > "$firehol_level1_ipv4_set_temp"
#!/usr/sbin/nft -f
define FIREHOL_LEVEL1_IPV4 = {
NFT_HEAD
while read -r network; do
# nftables doesn't mind if the last element in the set has a trailing
# comma so we don't need to do anything special here.
echo "$network," >> "$firehol_level1_ipv4_set_temp"
done < $firehol_level1_ipv4_list_temp
echo "}" >> "$firehol_level1_ipv4_set_temp"
install -m 0600 "$firehol_level1_ipv4_set_temp" "$firehol_level1_ipv4_set_path"
rm -f "$firehol_level1_ipv4_list_temp" "$firehol_level1_ipv4_set_temp"
fi
echo "Restarting nftables"
/usr/bin/systemctl restart nftables.service
rm -v firehol_level1.netset

View File

@@ -1,5 +1,7 @@
--- ---
- name: restart mariadb - name: restart mariadb
ansible.builtin.systemd: name=mariadb state=restarted ansible.builtin.systemd_service:
name: mariadb
state: restarted
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

View File

@@ -1,57 +1,111 @@
--- ---
- name: Add GPG key for MariaDB repo - name: Remove MariaDB key from apt-key
ansible.builtin.apt_key: id=0x177F4010FE56CA3336300305F1656F24C74CD1D8 url=https://mariadb.org/mariadb_release_signing_key.asc ansible.builtin.apt_key:
register: add_mariadb_apt_key id: "013577200103762554506315430003013705453362230723150730"
tags: mariadb, packages state: absent
tags:
- packages
- mariadb
- name: Add MariaDB 10.5 repo - name: Check MariaDB package signing key
ansible.builtin.template: src=mariadb.list.j2 dest=/etc/apt/sources.list.d/mariadb.list owner=root group=root mode=0644 ansible.builtin.stat:
path: /etc/apt/keyrings/mariadb_release_signing_key.asc
register: mariadb_signing_key_stat
tags:
- packages
- mariadb
- name: Download MariaDB package signing key
when: not mariadb_signing_key_stat.stat.exists
ansible.builtin.get_url:
url: https://mariadb.org/mariadb_release_signing_key.asc
dest: /etc/apt/keyrings/mariadb_release_signing_key.asc
owner: root
group: root
mode: "0644"
register: download_mariadb_signing_key
tags:
- packages
- mariadb
- name: Add MariaDB 10.11 repo
ansible.builtin.apt_repository:
repo: deb [arch=amd64 signed-by=/etc/apt/keyrings/mariadb_release_signing_key.asc] https://dlm.mariadb.com/repo/mariadb-server/10.11/repo/debian {{ ansible_distribution_release
}} main
filename: mariadb
state: present
register: add_mariadb_apt_repository register: add_mariadb_apt_repository
tags: mariadb, packages tags:
- packages
- mariadb
- name: Update apt cache - name: Update apt cache
ansible.builtin.apt: when: (download_mariadb_signing_key.status_code is defined and download_mariadb_signing_key.status_code == 200) or add_mariadb_apt_repository is changed
ansible.builtin.apt: # noqa no-handler
update_cache: true update_cache: true
when: tags:
add_mariadb_apt_key is changed or - packages
add_mariadb_apt_repository is changed - mariadb
- name: Install mariadb-server - name: Install mariadb-server
ansible.builtin.apt: name={{ item }} state=present cache_valid_time=3600 ansible.builtin.apt:
loop: name: [mariadb-server, python3-pymysql]
- mariadb-server state: present
- python3-pymysql # for ansible cache_valid_time: 3600
tags: mariadb, packages tags: mariadb, packages
- name: Create system my.cnf - name: Create system my.cnf
ansible.builtin.template: src=my.cnf.j2 dest=/etc/mysql/my.cnf owner=root group=root mode=0644 ansible.builtin.template:
src: my.cnf.j2
dest: /etc/mysql/my.cnf
owner: root
group: root
mode: "0644"
notify: notify:
- restart mariadb - restart mariadb
tags: mariadb tags: mariadb
# See: https://docs.ansible.com/ansible/latest/collections/community/mysql/mysql_user_module.html # See: https://docs.ansible.com/ansible/latest/collections/community/mysql/mysql_user_module.html
- name: Update MariaDB root password for all root accounts - name: Update MariaDB root password for all root accounts
community.mysql.mysql_user: name=root host={{ item }} password={{ mariadb_root_password }} login_unix_socket={{ mariadb_login_unix_socket }} community.mysql.mysql_user:
name: root
host: "{{ item }}"
password: "{{ mariadb_root_password }}"
login_unix_socket: "{{ mariadb_login_unix_socket }}"
loop: loop:
- 127.0.0.1 - 127.0.0.1
- ::1 - ::1
tags: mariadb tags: mariadb
- name: Create .my.conf file with root credentials - name: Create .my.conf file with root credentials
ansible.builtin.template: src=.my.cnf.j2 dest=/root/.my.cnf owner=root mode=0600 ansible.builtin.template:
src: .my.cnf.j2
dest: /root/.my.cnf
owner: root
mode: "0600"
tags: mariadb tags: mariadb
# See: https://docs.ansible.com/ansible/latest/collections/community/mysql/mysql_db_module.html # See: https://docs.ansible.com/ansible/latest/collections/community/mysql/mysql_db_module.html
- name: Create MariaDB database(s) - name: Create MariaDB database(s)
community.mysql.mysql_db: db={{ item.name }} state=present encoding=utf8mb4 login_unix_socket={{ mariadb_login_unix_socket }}
loop: "{{ mariadb_databases }}"
when: mariadb_databases is defined when: mariadb_databases is defined
community.mysql.mysql_db:
db: "{{ item.name }}"
state: present
encoding: utf8mb4
login_unix_socket: "{{ mariadb_login_unix_socket }}"
loop: "{{ mariadb_databases }}"
tags: mariadb tags: mariadb
- name: Create MariaDB user(s) - name: Create MariaDB user(s)
community.mysql.mysql_user: name={{ item.user }} password={{ item.pass }} priv={{ item.name }}.*:ALL host=127.0.0.1 state=present login_unix_socket={{ mariadb_login_unix_socket }}
loop: "{{ mariadb_databases }}"
when: mariadb_databases is defined when: mariadb_databases is defined
community.mysql.mysql_user:
name: "{{ item.user }}"
password: "{{ item.pass }}"
priv: "{{ item.name }}.*:ALL"
host: 127.0.0.1
state: present
login_unix_socket: "{{ mariadb_login_unix_socket }}"
loop: "{{ mariadb_databases }}"
tags: mariadb tags: mariadb
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

View File

@@ -1,3 +0,0 @@
{{ ansible_managed | comment }}
deb [arch=amd64] https://dlm.mariadb.com/repo/mariadb-server/10.5/repo/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} main

View File

@@ -1,4 +1,4 @@
--- ---
# ansible.builtin.file: roles/munin/handlers/main.yml # ansible.builtin.file: roles/munin/handlers/main.yml
- name: restart munin-node - name: restart munin-node
ansible.builtin.systemd: name=munin-node state=restarted ansible.builtin.systemd_service: name=munin-node state=restarted

View File

@@ -1,16 +1,22 @@
--- ---
- name: Install munin-node - name: Install munin-node
ansible.builtin.apt: name=munin-node state=present ansible.builtin.apt:
name: munin-node
state: present
tags: packages tags: packages
# some nice things to have for munin-node on Ubuntu # some nice things to have for munin-node on Ubuntu
# libwww-perl: for munin's nginx_status check # libwww-perl: for munin's nginx_status check
- name: Install munin-node deps - name: Install munin-node deps
ansible.builtin.apt: name=libwww-perl state=present ansible.builtin.apt:
name: libwww-perl
state: present
tags: packages tags: packages
- name: Create munin-node.conf - name: Create munin-node.conf
ansible.builtin.template: src=munin-node.conf.j2 dest=/etc/munin/munin-node.conf ansible.builtin.template:
src: munin-node.conf.j2
dest: /etc/munin/munin-node.conf
notify: notify:
- restart munin-node - restart munin-node
@@ -20,6 +26,9 @@
- restart munin-node - restart munin-node
- name: Start munin-node - name: Start munin-node
ansible.builtin.systemd: name=munin-node state=started enabled=true ansible.builtin.systemd_service:
name: munin-node
state: started
enabled: true
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

View File

@@ -1,9 +1,16 @@
--- ---
- name: Install munin package - name: Install munin package
ansible.builtin.apt: name=munin state=present ansible.builtin.apt:
name: munin
state: present
tags: packages tags: packages
- name: Create munin configuration file - name: Create munin configuration file
ansible.builtin.template: src=munin.conf.j2 dest=/etc/munin/munin.conf owner=root group=root mode=0644 ansible.builtin.template:
src: munin.conf.j2
dest: /etc/munin/munin.conf
owner: root
group: root
mode: "0644"
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

View File

@@ -5,20 +5,20 @@
nginx_confd_path: /etc/nginx/conf.d nginx_confd_path: /etc/nginx/conf.d
# parent directory of vhost roots # parent directory of vhost roots
nginx_root_prefix: /var/www nginx_root_prefix: "{{ web_root_prefix }}"
# 1 hour timeout # 1 day timeout
nginx_ssl_session_timeout: 1h nginx_ssl_session_timeout: 1d
# 10MB -> 40,000 sessions # 10MB -> 40,000 sessions
nginx_ssl_session_cache: shared:SSL:10m nginx_ssl_session_cache: shared:SSL:10m
# 1400 bytes to fit in one MTU (default is 16k!) nginx_ssl_buffer_size: 4k
nginx_ssl_buffer_size: 1400
nginx_ssl_dhparam: /etc/ssl/certs/dhparam.pem nginx_ssl_dhparam: /etc/ssl/certs/dhparam.pem
nginx_ssl_protocols: 'TLSv1.2 TLSv1.3' nginx_ssl_protocols: TLSv1.2 TLSv1.3
nginx_ssl_ecdh_curve: X25519:prime256v1:secp384r1
# DNS resolvers for OCSP stapling (default to Cloudflare public DNS) # DNS resolvers for OCSP stapling (default to Cloudflare public DNS)
# See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling # See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
nginx_ssl_stapling_resolver: '1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]' nginx_ssl_stapling_resolver: 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]
# HTTP Strict-Transport-Security header, recommended by Google to be ~1 year # HTTP Strict-Transport-Security header, recommended by Google to be ~1 year
# in seconds, see: https://hstspreload.org/ # in seconds, see: https://hstspreload.org/
@@ -37,8 +37,8 @@ letsencrypt_root: /etc/ssl
letsencrypt_acme_script_temp: /root/acme.sh letsencrypt_acme_script_temp: /root/acme.sh
letsencrypt_acme_home: /root/.acme.sh letsencrypt_acme_home: /root/.acme.sh
# stable is 1.20.x # stable is 1.26.x
# mainline is 1.21.x # mainline is 1.27.x
nginx_version: mainline nginx_version: mainline
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

View File

@@ -1,5 +1,7 @@
--- ---
- name: reload nginx - name: Reload nginx
ansible.builtin.systemd: name=nginx state=reloaded ansible.builtin.systemd_service:
name: nginx
state: reloaded
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

View File

@@ -1,8 +1,12 @@
--- ---
# Use acme.sh instead of certbot because they only support installation via # Use acme.sh instead of certbot because they only support installation via
# snap now. # snap now.
- block: - name: Install and configure Let's Encrypt
tags: letsencrypt
when:
- ansible_distribution == 'Debian'
- ansible_distribution_version is version('11', '>='))
block:
- name: Remove certbot - name: Remove certbot
ansible.builtin.apt: ansible.builtin.apt:
name: certbot name: certbot
@@ -22,31 +26,31 @@
register: acme_home register: acme_home
- name: Download acme.sh - name: Download acme.sh
when: not acme_home.stat.exists
ansible.builtin.get_url: ansible.builtin.get_url:
url: https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh url: https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh
dest: "{{ letsencrypt_acme_script_temp }}" dest: "{{ letsencrypt_acme_script_temp }}"
mode: 0700 mode: "0700"
register: acme_download register: acme_download
when: not acme_home.stat.exists
# Run the "install" for acme.sh so it creates the .acme.sh dir (currently I # Run the "install" for acme.sh so it creates the .acme.sh dir (currently I
# have to chdir to the /root directory where the script exists or else it # have to chdir to the /root directory where the script exists or else it
# fails. Ansible runs it, but the script can't find itself...). # fails. Ansible runs it, but the script can't find itself...).
- name: Install acme.sh - name: Install acme.sh
when: acme_download is changed
ansible.builtin.command: ansible.builtin.command:
cmd: "{{ letsencrypt_acme_script_temp }} --install --no-profile --no-cron" cmd: "{{ letsencrypt_acme_script_temp }} --install --no-profile --no-cron"
creates: "{{ letsencrypt_acme_home }}/acme.sh" creates: "{{ letsencrypt_acme_home }}/acme.sh"
chdir: /root chdir: /root
register: acme_install register: acme_install
when: acme_download is changed
- name: Remove temporary acme.sh script - name: Remove temporary acme.sh script
ansible.builtin.file:
dest: "{{ letsencrypt_acme_script_temp }}"
state: absent
when: when:
- acme_install.rc is defined - acme_install.rc is defined
- acme_install.rc == 0 - acme_install.rc == 0
ansible.builtin.file:
dest: "{{ letsencrypt_acme_script_temp }}"
state: absent
- name: Set default certificate authority for acme.sh - name: Set default certificate authority for acme.sh
ansible.builtin.command: ansible.builtin.command:
@@ -64,7 +68,7 @@
ansible.builtin.template: ansible.builtin.template:
src: renew-letsencrypt.service.j2 src: renew-letsencrypt.service.j2
dest: /etc/systemd/system/renew-letsencrypt.service dest: /etc/systemd/system/renew-letsencrypt.service
mode: 0644 mode: "0644"
owner: root owner: root
group: root group: root
@@ -72,20 +76,16 @@
ansible.builtin.copy: ansible.builtin.copy:
src: renew-letsencrypt.timer src: renew-letsencrypt.timer
dest: /etc/systemd/system/renew-letsencrypt.timer dest: /etc/systemd/system/renew-letsencrypt.timer
mode: 0644 mode: "0644"
owner: root owner: root
group: root group: root
# always issues daemon-reload just in case the service/timer changed # always issues daemon-reload just in case the service/timer changed
- name: Start and enable systemd timer to renew Let's Encrypt certs - name: Start and enable systemd timer to renew Let's Encrypt certs
ansible.builtin.systemd: ansible.builtin.systemd_service:
name: renew-letsencrypt.timer name: renew-letsencrypt.timer
state: started state: started
enabled: true enabled: true
daemon_reload: true daemon_reload: true
when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '=='))
or (ansible_distribution == 'Debian' and ansible_distribution_version is version('11', '=='))
tags: letsencrypt
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

View File

@@ -1,72 +1,128 @@
--- ---
- name: Add nginx.org apt signing key - name: Remove nginx apt signing key from apt-key
ansible.builtin.apt_key: id=0x573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 url=https://nginx.org/keys/nginx_signing.key state=present ansible.builtin.apt_key:
register: add_nginx_apt_key id: "053473772654754373614404074646527257655730117366337542"
tags: nginx, packages state: absent
tags:
- packages
- nginx
- name: Download nginx apt signing key
ansible.builtin.get_url:
url: https://nginx.org/keys/nginx_signing.key
dest: /usr/share/keyrings/nginx_signing.key
owner: root
group: root
mode: "0644"
checksum: sha256:55385da31d198fa6a5012d40ae98ecb272a6c4e8fffffba94719ffd3e87de37a
register: download_nginx_signing_key
tags:
- packages
- nginx
- name: Add nginx.org repo - name: Add nginx.org repo
ansible.builtin.template: src=nginx_org_sources.list.j2 dest=/etc/apt/sources.list.d/nginx_org_sources.list owner=root group=root mode=0644 ansible.builtin.template:
src: nginx_org_sources.list.j2
dest: /etc/apt/sources.list.d/nginx_org_sources.list
owner: root
group: root
mode: "0644"
register: add_nginx_apt_repository register: add_nginx_apt_repository
tags: nginx, packages tags:
- nginx
- packages
- name: Update apt cache - name: Update apt cache
ansible.builtin.apt: when: (download_nginx_signing_key.status_code is defined and download_nginx_signing_key.status_code == 200) or add_nginx_apt_repository is changed
ansible.builtin.apt: # noqa no-handler
update_cache: true update_cache: true
when:
add_nginx_apt_key is changed or
add_nginx_apt_repository is changed
- name: Install nginx - name: Install nginx
ansible.builtin.apt: pkg=nginx cache_valid_time=3600 state=present ansible.builtin.apt:
tags: nginx, packages pkg: nginx
cache_valid_time: 3600
state: present
tags:
- nginx
- packages
- name: Copy nginx.conf - name: Copy nginx.conf
ansible.builtin.template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf mode=0644 owner=root group=root ansible.builtin.template:
src: nginx.conf.j2
dest: /etc/nginx/nginx.conf
mode: "0644"
owner: root
group: root
notify: notify:
- reload nginx - Reload nginx
tags: nginx tags: nginx
- name: Copy extra nginx configs - name: Copy extra nginx configs
ansible.builtin.copy: src={{ item }} dest=/etc/nginx/{{ item }} mode=0644 owner=root group=root ansible.builtin.copy:
src: "{{ item }}"
dest: /etc/nginx/{{ item }}
mode: "0644"
owner: root
group: root
loop: loop:
- extra-security.conf - extra-security.conf
- fastcgi_cache - fastcgi_cache
notify: notify:
- reload nginx - Reload nginx
tags: nginx tags: nginx
- name: Remove default nginx vhost - name: Remove default nginx vhost
ansible.builtin.file: path=/etc/nginx/conf.d/default.conf state=absent ansible.builtin.file:
path: /etc/nginx/conf.d/default.conf
state: absent
tags: nginx tags: nginx
- name: Create fastcgi cache dir - name: Create fastcgi cache dir
ansible.builtin.file: path=/var/cache/nginx/cached/fastcgi state=directory owner=nginx group=nginx mode=0755 ansible.builtin.file:
path: /var/cache/nginx/cached/fastcgi
state: directory
owner: nginx
group: nginx
mode: "0755"
tags: nginx tags: nginx
- name: Configure nginx virtual hosts - name: Configure nginx virtual hosts
ansible.builtin.include_tasks: vhosts.yml
when: nginx_vhosts is defined when: nginx_vhosts is defined
ansible.builtin.include_tasks: vhosts.yml
tags: nginx tags: nginx
- name: Configure WordPress - name: Configure WordPress
ansible.builtin.include_tasks: wordpress.yml
when: nginx_vhosts is defined when: nginx_vhosts is defined
ansible.builtin.include_tasks: wordpress.yml
tags: wordpress tags: wordpress
- name: Configure blank nginx vhost - name: Configure blank nginx vhost
ansible.builtin.template: src=blank-vhost.conf.j2 dest={{ nginx_confd_path }}/blank-vhost.conf mode=0644 owner=root group=root ansible.builtin.template:
src: blank-vhost.conf.j2
dest: "{{ nginx_confd_path }}/blank-vhost.conf"
mode: "0644"
owner: root
group: root
notify: notify:
- reload nginx - Reload nginx
tags: nginx tags: nginx
- name: Configure munin vhost - name: Configure munin vhost
ansible.builtin.copy: src=munin.conf dest=/etc/nginx/conf.d/munin.conf mode=0644 owner=root group=root ansible.builtin.copy:
src: munin.conf
dest: /etc/nginx/conf.d/munin.conf
mode: "0644"
owner: root
group: root
notify: notify:
- reload nginx - Reload nginx
tags: nginx tags: nginx
- name: Start and enable nginx service - name: Start and enable nginx service
ansible.builtin.systemd: name=nginx state=started enabled=true ansible.builtin.systemd_service:
name: nginx
state: started
enabled: true
tags: nginx tags: nginx
- name: Configure Let's Encrypt - name: Configure Let's Encrypt

View File

@@ -1,16 +1,23 @@
--- ---
- name: Configure https vhosts
- block: tags: nginx
block:
- name: Configure https vhosts - name: Configure https vhosts
ansible.builtin.template: src=vhost.conf.j2 dest={{ nginx_confd_path }}/{{ item.domain_name }}.conf mode=0644 owner=root group=root ansible.builtin.template:
src: vhost.conf.j2
dest: "{{ nginx_confd_path }}/{{ item.domain_name }}.conf"
mode: "0644"
owner: root
group: root
loop: "{{ nginx_vhosts }}" loop: "{{ nginx_vhosts }}"
notify: notify:
- reload nginx - Reload nginx
- name: Generate self-signed TLS cert - name: Generate self-signed TLS cert
ansible.builtin.command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key -out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt ansible.builtin.command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key
-out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt
notify: notify:
- reload nginx - Reload nginx
- name: Download 4096-bit RFC 7919 dhparams - name: Download 4096-bit RFC 7919 dhparams
ansible.builtin.get_url: ansible.builtin.get_url:
@@ -18,12 +25,16 @@
checksum: sha256:64852d6890ff9e62eecd1ee89c72af9af244dfef5b853bcedea3dfd7aade22b3 checksum: sha256:64852d6890ff9e62eecd1ee89c72af9af244dfef5b853bcedea3dfd7aade22b3
dest: "{{ nginx_ssl_dhparam }}" dest: "{{ nginx_ssl_dhparam }}"
notify: notify:
- reload nginx - Reload nginx
# TODO: this could break because we can override the document root in host vars # TODO: this could break because we can override the document root in host vars
- name: Create vhost document roots - name: Create vhost document roots
ansible.builtin.file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory mode=0755 owner=nginx group=nginx ansible.builtin.file:
path: "{{ nginx_root_prefix }}/{{ item.domain_name }}"
state: directory
mode: "0755"
owner: nginx
group: nginx
loop: "{{ nginx_vhosts }}" loop: "{{ nginx_vhosts }}"
tags: nginx
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

View File

@@ -1,19 +1,29 @@
--- ---
- name: Install and configure WordPress
- block: tags: wordpress
block:
- name: Install WordPress - name: Install WordPress
ansible.builtin.git: repo=https://github.com/WordPress/WordPress.git dest={{ nginx_root_prefix }}/{{ item.domain_name }}/wordpress version={{ item.wordpress_version }} depth=1 force=true
when: when:
- item.has_wordpress is defined - item.has_wordpress is defined
- item.has_wordpress - item.has_wordpress
ansible.builtin.git:
repo: https://github.com/WordPress/WordPress.git
dest: "{{ nginx_root_prefix }}/{{ item.domain_name }}/wordpress"
version: "{{ item.wordpress_version }}"
depth: 1
force: true
loop: "{{ nginx_vhosts }}" loop: "{{ nginx_vhosts }}"
- name: Fix WordPress directory permissions - name: Fix WordPress directory permissions
ansible.builtin.file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory owner=nginx group=nginx recurse=true
when: when:
- item.has_wordpress is defined - item.has_wordpress is defined
- item.has_wordpress - item.has_wordpress
ansible.builtin.file:
path: "{{ nginx_root_prefix }}/{{ item.domain_name }}"
state: directory
owner: nginx
group: nginx
recurse: true
loop: "{{ nginx_vhosts }}" loop: "{{ nginx_vhosts }}"
tags: wordpress
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

View File

@@ -11,9 +11,11 @@ server {
return 444; return 444;
} }
server { server {
listen 443 ssl http2 default_server; listen 443 ssl default_server;
listen [::]:443 ssl http2 default_server; listen [::]:443 ssl default_server;
http2 on;
server_name _; server_name _;
# self-signed "snakeoil" certificate # self-signed "snakeoil" certificate

View File

@@ -27,8 +27,9 @@
ssl_dhparam {{ nginx_ssl_dhparam }}; ssl_dhparam {{ nginx_ssl_dhparam }};
ssl_protocols {{ nginx_ssl_protocols }}; ssl_protocols {{ nginx_ssl_protocols }};
ssl_ecdh_curve {{ nginx_ssl_ecdh_curve }};
ssl_ciphers "{{ tls_cipher_suite }}"; ssl_ciphers "{{ tls_cipher_suite }}";
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers off;
{# OSCP stapling only works with real certs #} {# OSCP stapling only works with real certs #}
{% if use_letsencrypt == true or item.tls_certificate_path %} {% if use_letsencrypt == true or item.tls_certificate_path %}
@@ -38,15 +39,6 @@
resolver {{ nginx_ssl_stapling_resolver }}; resolver {{ nginx_ssl_stapling_resolver }};
{% endif %} {# end: use_letsencrypt #} {% endif %} {# end: use_letsencrypt #}
# nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and
# when a restart is performed the previous key is lost, which resets all previous
# sessions. The fix for this is to setup a manual rotation mechanism:
# http://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx
#
# Note that you'll have to define and rotate the keys securely by yourself. In absence
# of such infrastructure, consider turning off session tickets:
ssl_session_tickets off;
{% if enable_hsts == true %} {% if enable_hsts == true %}
# Enable this if you want HSTS (recommended, but be careful) # Enable this if you want HSTS (recommended, but be careful)
# Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store

View File

@@ -1,19 +1,7 @@
{{ ansible_managed | comment }} {{ ansible_managed | comment }}
{% if ansible_distribution == 'Ubuntu' %}
{% if nginx_version == "stable" %} {% if nginx_version == "stable" %}
deb [arch=amd64] https://nginx.org/packages/ubuntu/ {{ ansible_distribution_release }} nginx deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx
{% elif nginx_version == "mainline" %} {% elif nginx_version == "mainline" %}
deb [arch=amd64] https://nginx.org/packages/mainline/ubuntu/ {{ ansible_distribution_release }} nginx deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/mainline/debian/ {{ ansible_distribution_release }} nginx
{% endif %}
{% elif ansible_distribution == 'Debian' %}
{% if nginx_version == "stable" %}
deb [arch=amd64] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx
{% elif nginx_version == "mainline" %}
deb [arch=amd64] https://nginx.org/packages/mainline/debian/ {{ ansible_distribution_release }} nginx
{% endif %}
{% endif %} {% endif %}

View File

@@ -8,6 +8,12 @@
{% set has_wordpress = item.has_wordpress | default(false) %} {% set has_wordpress = item.has_wordpress | default(false) %}
{% set needs_php = item.needs_php | default(false) %} {% set needs_php = item.needs_php | default(false) %}
{% set has_gitea = item.has_gitea | default(false) %} {% set has_gitea = item.has_gitea | default(false) %}
{# Allow sites to override the document root #}
{% if item.document_root is defined %}
{% set document_root = item.document_root %}
{% else %}
{% set document_root = (nginx_root_prefix, domain_name) | ansible.builtin.path_join %}
{% endif %}
# http -> https vhost # http -> https vhost
server { server {
@@ -26,15 +32,11 @@ server {
} }
server { server {
listen 443 ssl http2; listen 443 ssl;
listen [::]:443 ssl http2; listen [::]:443 ssl;
http2 on;
{# Allow sites to override the nginx document root #} root {{ document_root }};
{% if item.document_root is defined %}
root {{ item.document_root }};
{% else %}
root {{ nginx_root_prefix }}/{{ domain_name }};
{% endif %}
{# will only work if the TLS cert covers the domain + aliases, like example.com and www.example.com #} {# will only work if the TLS cert covers the domain + aliases, like example.com and www.example.com #}
server_name {{ domain_name }} {{ domain_aliases }}; server_name {{ domain_name }} {{ domain_aliases }};
@@ -75,10 +77,8 @@ server {
# See: https://httpoxy.org/ # See: https://httpoxy.org/
fastcgi_param HTTP_PROXY ""; fastcgi_param HTTP_PROXY "";
{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_version is version('11', '==')) %} {% if ansible_distribution_major_version is version('12', '==') %}
fastcgi_pass unix:/run/php/php7.4-fpm-{{ domain_name }}.sock; fastcgi_pass unix:/run/php/php8.2-fpm-{{ domain_name }}.sock;
{% else %}
fastcgi_pass unix:/var/run/php5-fpm-{{ domain_name }}.sock;
{% endif %} {% endif %}
fastcgi_index index.php; fastcgi_index index.php;
# set script path relative to document root in server block # set script path relative to document root in server block

View File

@@ -1,6 +0,0 @@
---
# For Ubuntu 20.04 and Debian 11
- name: reload php7.4-fpm
ansible.builtin.systemd: name=php7.4-fpm state=reloaded
# vim: set ts=2 sw=2:

View File

@@ -1,36 +0,0 @@
---
- block:
- name: Set php-fpm packages
ansible.builtin.set_fact:
php_fpm_packages:
- php7.4-fpm
# for WordPress
- php7.4-mysql
- php7.4-gd
- php7.4-curl
- php7.4-xml
- name: Install php-fpm and deps
ansible.builtin.apt: name={{ php_fpm_packages }} state=present update_cache=true
# only copy php-fpm config for vhosts that need WordPress or PHP
- name: Copy php-fpm pool config
ansible.builtin.template: src=php7.4-pool.conf.j2 dest=/etc/php/7.4/fpm/pool.d/{{ item.domain_name }}.conf owner=root group=root mode=0644
loop: "{{ nginx_vhosts }}"
when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
notify: reload php7.4-fpm
- name: Remove default www pool
ansible.builtin.file: path=/etc/php/7.4/fpm/pool.d/www.conf state=absent
notify: reload php7.4-fpm
# re-configure php.ini
- name: Update php.ini
ansible.builtin.template: src=php7.4-php.ini.j2 dest=/etc/php/7.4/fpm/php.ini owner=root group=root mode=0644
notify: reload php7.4-fpm
tags: php-fpm
when: install_php
# vim: set ts=2 sw=2:

View File

@@ -0,0 +1,8 @@
---
# For Debian 12
- name: Reload php8.2-fpm
ansible.builtin.systemd_service:
name: php8.2-fpm
state: reloaded
# vim: set ts=2 sw=2:

View File

@@ -0,0 +1,50 @@
---
- name: Install and configure php-fpm
tags: php-fpm
when: install_php
block:
- name: Set php-fpm packages
ansible.builtin.set_fact:
php_fpm_packages:
- php8.2-fpm
# for WordPress
- php8.2-mysql
- php8.2-gd
- php8.2-curl
- php8.2-xml
- name: Install php-fpm and deps
ansible.builtin.apt:
name: "{{ php_fpm_packages }}"
state: present
update_cache: true
# only copy php-fpm config for vhosts that need WordPress or PHP
- name: Copy php-fpm pool config
ansible.builtin.template:
src: php8.2-pool.conf.j2
dest: /etc/php/8.2/fpm/pool.d/{{ item.domain_name }}.conf
owner: root
group: root
mode: "0644"
loop: "{{ nginx_vhosts }}"
when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
notify: Reload php8.2-fpm
- name: Remove default www pool
ansible.builtin.file:
path: /etc/php/8.2/fpm/pool.d/www.conf
state: absent
notify: Reload php8.2-fpm
# re-configure php.ini
- name: Update php.ini
ansible.builtin.template:
src: php8.2-php.ini.j2
dest: /etc/php/8.2/fpm/php.ini
owner: root
group: root
mode: "0644"
notify: Reload php8.2-fpm
# vim: set ts=2 sw=2:

View File

@@ -1,6 +1,5 @@
--- ---
# Ubuntu 20.04 uses PHP 7.4 # Debian 12 uses PHP 8.2
# Debian 11 uses PHP 7.4
# If any of the vhosts on this host need WordPress then we need to install PHP. # If any of the vhosts on this host need WordPress then we need to install PHP.
# This uses selectattr to filter the list of dicts in nginx_vhosts, selecting # This uses selectattr to filter the list of dicts in nginx_vhosts, selecting
@@ -10,13 +9,13 @@
- name: Check if any vhost needs WordPress - name: Check if any vhost needs WordPress
ansible.builtin.set_fact: ansible.builtin.set_fact:
install_php: true install_php: true
when: "nginx_vhosts | selectattr('has_wordpress', 'defined') | selectattr('has_wordpress', 'equalto', true) | list | length > 0" when: nginx_vhosts | selectattr('has_wordpress', 'defined') | selectattr('has_wordpress', 'equalto', true) | list | length > 0
# Legacy, was only for Piwik, but leaving for now. # Legacy, was only for Piwik, but leaving for now.
- name: Check if any vhost needs PHP - name: Check if any vhost needs PHP
ansible.builtin.set_fact: ansible.builtin.set_fact:
install_php: true install_php: true
when: "nginx_vhosts | selectattr('needs_php', 'defined') | selectattr('needs_php', 'equalto', true) | list | length > 0" when: nginx_vhosts | selectattr('needs_php', 'defined') | selectattr('needs_php', 'equalto', true) | list | length > 0
# If install_php has not been set, then we assume no vhosts need PHP. This is # If install_php has not been set, then we assume no vhosts need PHP. This is
# a bit hacky, but it's the closest we come to an if/then/else. # a bit hacky, but it's the closest we come to an if/then/else.
@@ -25,20 +24,12 @@
install_php: false install_php: false
when: install_php is not defined when: install_php is not defined
- name: Configure php-fpm on Ubuntu 20.04 - name: Configure php-fpm on Debian 12
ansible.builtin.include_tasks: Ubuntu_20.04.yml ansible.builtin.include_tasks: Debian_12.yml
when:
- ansible_distribution == 'Ubuntu'
- ansible_distribution_version is version('20.04', '==')
- install_php == true
tags: php-fpm
- name: Configure php-fpm on Debian 11
ansible.builtin.include_tasks: Ubuntu_20.04.yml
when: when:
- ansible_distribution == 'Debian' - ansible_distribution == 'Debian'
- ansible_distribution_version is version('11', '==') - ansible_distribution_major_version is version('12', '==')
- install_php == true - install_php
tags: php-fpm tags: php-fpm
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

View File

@@ -19,11 +19,16 @@
; Default Value: none ; Default Value: none
;prefix = /path/to/pools/$pool ;prefix = /path/to/pools/$pool
; Unix user/group of processes ; Unix user/group of the child processes. This can be used only if the master
; Note: The user is mandatory. If the group is not set, the default user's group ; process running user is root. It is set after the child process is created.
; will be used. ; The user and group can be specified either by their name or by their numeric
user = nginx ; IDs.
group = nginx ; Note: If the user is root, the executable needs to be started with
; --allow-to-run-as-root option to work.
; Default Values: The user is set to master process running user by default.
; If the group is not set, the user's group is used.
user = {{ webserver }}
group = {{ webserver }}
; The address on which to accept FastCGI requests. ; The address on which to accept FastCGI requests.
; Valid syntaxes are: ; Valid syntaxes are:
@@ -35,20 +40,22 @@ group = nginx
; (IPv6 and IPv4-mapped) on a specific port; ; (IPv6 and IPv4-mapped) on a specific port;
; '/path/to/unix/socket' - to listen on a unix socket. ; '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory. ; Note: This value is mandatory.
listen = /run/php/php7.4-fpm-{{ domain_name }}.sock listen = /run/php/php8.2-fpm-{{ domain_name }}.sock
; Set listen(2) backlog. ; Set listen(2) backlog.
; Default Value: 511 (-1 on FreeBSD and OpenBSD) ; Default Value: 511 (-1 on Linux, FreeBSD and OpenBSD)
;listen.backlog = 511 ;listen.backlog = 511
; Set permissions for unix socket, if one is used. In Linux, read/write ; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many ; permissions must be set in order to allow connections from a web server. Many
; BSD-derived systems allow connections regardless of permissions. ; BSD-derived systems allow connections regardless of permissions. The owner
; Default Values: user and group are set as the running user ; and group can be specified either by name or by their numeric IDs.
; mode is set to 0660 ; Default Values: Owner is set to the master process running user. If the group
listen.owner = nginx ; is not set, the owner's group is used. Mode is set to 0660.
listen.group = nginx listen.owner = {{ webserver }}
listen.group = {{ webserver }}
;listen.mode = 0660 ;listen.mode = 0660
; When POSIX Access Control Lists are supported you can set them using ; When POSIX Access Control Lists are supported you can set them using
; these options, value is a comma separated list of user/group names. ; these options, value is a comma separated list of user/group names.
; When set, listen.owner and listen.group are ignored ; When set, listen.owner and listen.group are ignored
@@ -63,6 +70,10 @@ listen.group = nginx
; Default Value: any ; Default Value: any
;listen.allowed_clients = 127.0.0.1 ;listen.allowed_clients = 127.0.0.1
; Set the associated the route table (FIB). FreeBSD only
; Default Value: -1
;listen.setfib = 1
; Specify the nice(2) priority to apply to the pool processes (only if set) ; Specify the nice(2) priority to apply to the pool processes (only if set)
; The value can vary from -19 (highest priority) to 20 (lower priority) ; The value can vary from -19 (highest priority) to 20 (lower priority)
; Note: - It will only work if the FPM master process is launched as root ; Note: - It will only work if the FPM master process is launched as root
@@ -71,8 +82,9 @@ listen.group = nginx
; Default Value: no set ; Default Value: no set
; process.priority = -19 ; process.priority = -19
; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user ; Set the process dumpable flag (PR_SET_DUMPABLE prctl for Linux or
; or group is differrent than the master process user. It allows to create process ; PROC_TRACE_CTL procctl for FreeBSD) even if the process user
; or group is different than the master process user. It allows to create process
; core dump and ptrace the process for the pool user. ; core dump and ptrace the process for the pool user.
; Default Value: no ; Default Value: no
; process.dumpable = yes ; process.dumpable = yes
@@ -94,6 +106,8 @@ listen.group = nginx
; state (waiting to process). If the number ; state (waiting to process). If the number
; of 'idle' processes is greater than this ; of 'idle' processes is greater than this
; number then some children will be killed. ; number then some children will be killed.
; pm.max_spawn_rate - the maximum number of rate to spawn child
; processes at once.
; ondemand - no children are created at startup. Children will be forked when ; ondemand - no children are created at startup. Children will be forked when
; new requests will connect. The following parameter are used: ; new requests will connect. The following parameter are used:
; pm.max_children - the maximum number of children that ; pm.max_children - the maximum number of children that
@@ -129,6 +143,12 @@ pm.min_spare_servers = 1
; Note: Mandatory when pm is set to 'dynamic' ; Note: Mandatory when pm is set to 'dynamic'
pm.max_spare_servers = 3 pm.max_spare_servers = 3
; The number of rate to spawn child processes at once.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
; Default Value: 32
;pm.max_spawn_rate = 32
; The number of seconds after which an idle process will be killed. ; The number of seconds after which an idle process will be killed.
; Note: Used only when pm is set to 'ondemand' ; Note: Used only when pm is set to 'ondemand'
; Default Value: 10s ; Default Value: 10s
@@ -141,7 +161,7 @@ pm.max_spare_servers = 3
;pm.max_requests = 500 ;pm.max_requests = 500
; The URI to view the FPM status page. If this value is not set, no URI will be ; The URI to view the FPM status page. If this value is not set, no URI will be
; recognized as a status page. It shows the following informations: ; recognized as a status page. It shows the following information:
; pool - the name of the pool; ; pool - the name of the pool;
; process manager - static, dynamic or ondemand; ; process manager - static, dynamic or ondemand;
; start time - the date and time FPM has started; ; start time - the date and time FPM has started;
@@ -231,7 +251,7 @@ pm.max_spare_servers = 3
; last request memory: 0 ; last request memory: 0
; ;
; Note: There is a real-time FPM status monitoring sample web page available ; Note: There is a real-time FPM status monitoring sample web page available
; It's available in: /usr/share/php/7.4/fpm/status.html ; It's available in: /usr/share/php/8.2/fpm/status.html
; ;
; Note: The value must start with a leading slash (/). The value can be ; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it ; anything, but it may not be a good idea to use the .php extension or it
@@ -239,6 +259,22 @@ pm.max_spare_servers = 3
; Default Value: not set ; Default Value: not set
;pm.status_path = /status ;pm.status_path = /status
; The address on which to accept FastCGI status request. This creates a new
; invisible pool that can handle requests independently. This is useful
; if the main pool is busy with long running requests because it is still possible
; to get the status before finishing the long running requests.
;
; Valid syntaxes are:
; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
; a specific port;
; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
; a specific port;
; 'port' - to listen on a TCP socket to all addresses
; (IPv6 and IPv4-mapped) on a specific port;
; '/path/to/unix/socket' - to listen on a unix socket.
; Default Value: value of the listen option
;pm.status_listen = 127.0.0.1:9001
; The ping URI to call the monitoring page of FPM. If this value is not set, no ; The ping URI to call the monitoring page of FPM. If this value is not set, no
; URI will be recognized as a ping page. This could be used to test from outside ; URI will be recognized as a ping page. This could be used to test from outside
; that FPM is alive and responding, or to ; that FPM is alive and responding, or to
@@ -271,13 +307,13 @@ pm.max_spare_servers = 3
; %d: time taken to serve the request ; %d: time taken to serve the request
; it can accept the following format: ; it can accept the following format:
; - %{seconds}d (default) ; - %{seconds}d (default)
; - %{miliseconds}d ; - %{milliseconds}d
; - %{mili}d ; - %{milli}d
; - %{microseconds}d ; - %{microseconds}d
; - %{micro}d ; - %{micro}d
; %e: an environment variable (same as $_ENV or $_SERVER) ; %e: an environment variable (same as $_ENV or $_SERVER)
; it must be associated with embraces to specify the name of the env ; it must be associated with embraces to specify the name of the env
; variable. Some exemples: ; variable. Some examples:
; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e ; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e ; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
; %f: script filename ; %f: script filename
@@ -306,14 +342,30 @@ pm.max_spare_servers = 3
; %s: status (response code) ; %s: status (response code)
; %t: server time the request was received ; %t: server time the request was received
; it can accept a strftime(3) format: ; it can accept a strftime(3) format:
; The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag ; The strftime(3) format must be encapsulated in a %{<strftime_format>}t tag
; %T: time the log has been written (the request has finished) ; %T: time the log has been written (the request has finished)
; it can accept a strftime(3) format: ; it can accept a strftime(3) format:
; The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag ; The strftime(3) format must be encapsulated in a %{<strftime_format>}t tag
; %u: remote user ; %u: remote user
; ;
; Default: "%R - %u %t \"%m %r\" %s" ; Default: "%R - %u %t \"%m %r\" %s"
;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%" ;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{milli}d %{kilo}M %C%%"
; A list of request_uri values which should be filtered from the access log.
;
; As a security precuation, this setting will be ignored if:
; - the request method is not GET or HEAD; or
; - there is a request body; or
; - there are query parameters; or
; - the response code is outwith the successful range of 200 to 299
;
; Note: The paths are matched against the output of the access.format tag "%r".
; On common configurations, this may look more like SCRIPT_NAME than the
; expected pre-rewrite URI.
;
; Default Value: not set
;access.suppress_path[] = /ping
;access.suppress_path[] = /health_check.php
; The log file for slow requests ; The log file for slow requests
; Default Value: not set ; Default Value: not set
@@ -372,7 +424,7 @@ pm.max_spare_servers = 3
; Redirect worker stdout and stderr into main error log. If not set, stdout and ; Redirect worker stdout and stderr into main error log. If not set, stdout and
; stderr will be redirected to /dev/null according to FastCGI specs. ; stderr will be redirected to /dev/null according to FastCGI specs.
; Note: on highloaded environement, this can cause some delay in the page ; Note: on highloaded environment, this can cause some delay in the page
; process time (several ms). ; process time (several ms).
; Default Value: no ; Default Value: no
;catch_workers_output = yes ;catch_workers_output = yes

View File

@@ -1,7 +1,10 @@
--- ---
# file: site.yml # file: site.yml
- import_playbook: nomads.yml - name: Import nomads playbook
- import_playbook: web.yml ansible.builtin.import_playbook: nomads.yml
- name: Import web playbook
ansible.builtin.import_playbook: web.yml
# vim: set sw=2 ts=2: # vim: set sw=2 ts=2:

View File

@@ -1,10 +0,0 @@
---
# sshd service name is `ssh` on Debian/Ubuntu, but it's
# `sshd` on CentOS
sshd_service_name: ssh
# provisioning user vars
provisioning_user: { name: 'provisioning', home: '/home/provisioning' }
# vim: set ts=2 sw=2:

View File

@@ -7,8 +7,9 @@
roles: roles:
- common - common
- { role: mariadb, when: mariadb_databases is defined} - { role: mariadb, when: mariadb_databases is defined}
- nginx - { role: nginx, when: webserver is defined and webserver == 'nginx' }
- php-fpm - { role: caddy, when: webserver is defined and webserver == 'caddy' }
- php_fpm
- munin - munin
vars_files: vars_files:
- vars/ipsets.yml - vars/ipsets.yml