alanorth/ansible-personal
1
0
Fork 0
Code Issues 4 Pull Requests Projects Releases Wiki Activity

Compare commits

base: alanorth:e7d5cb1edbc2acdc5a274d335b4bb66cb9f4a497
Branches Tags
alanorth:master alanorth:alpine
...
compare: alanorth:master
Branches Tags
alanorth:master alanorth:alpine

264 Commits
e7d5cb1edb ... master

Author SHA1 Message Date
Alan Orth
00558c7dea roles/common: re-work fail2ban and nftables 
Re-work the fail2ban and nftables interaction. Use systemd's PartOf
to indicate that fail2ban is part of the nftables service, which
tells systemd to propogate stop/start signals to it. Then we tell
the firehol update script to restart nftables instead of reload.
The different between restart and reload is meaningless for nftables
but we want systemd to propagate the stop/start signals to fail2ban.
 2025-07-08 10:39:17 +03:00
Alan Orth
c927186837 roles/common: adjust update-firehol-nftables.service 
This service does not actually depend on nftables, at least not in
the systemd sense of dependency. Furthermore, this hard dependency
was causing the service to fail when it restarts nftables at the
end, which causes systemd to start it again and again until it hits
a restarting too quickly error.
 2025-07-08 10:37:39 +03:00
Alan Orth
690774c862 host_vars/web22: WordPress 6.8.1 2025-07-08 10:34:34 +03:00
Alan Orth
cc021bd14a Pipfile.lock: run pipenv update 2025-07-08 10:25:09 +03:00
Alan Orth
73fd06fe3a roles/common: remove cron-apt 
Use unattended-upgrades instead. It has sane defaults on Debian at
least (I haven't checked Ubuntu).
 2025-04-07 09:51:09 +03:00
Alan Orth
88cb3a370e Remove logic for Ubuntu 20.04 and Debian 11 2025-03-29 23:09:44 +03:00
Alan Orth
027a43ddbe roles/caddy: use default for encode 2025-03-29 22:49:30 +03:00
Alan Orth
bb30c3be20 host_vars/web22: update vhosts 2025-03-29 22:48:19 +03:00
Alan Orth
d8d9790d21 roles/nginx: enable nginx ssl_session_tickets 
This has apparently been supported since nginx 1.23.2 and is safe
to use the default (on) now.

See: https://github.com/mozilla/server-side-tls/issues/284
 2025-03-29 22:35:56 +03:00
Alan Orth
9a500ebc0d roles/nginx: disable nginx ssl_prefer_server_ciphers 
This is apparently the default and recommended by Mozilla's server-
side SSL configurator also recommends. This lets the client choose
the ciphers best for them (and the ciphers in TLS 1.2 and 1.3 are
not currently known to be dangerous).
 2025-03-29 22:34:41 +03:00
Alan Orth
4bae942585 roles/nginx: add nginx ssl_ecdh_curve 
This seems to be new since I last looked at the Mozilla server-side
SSL configurator.
 2025-03-29 22:34:37 +03:00
Alan Orth
99866c0c90 roles/nginx: use one day for nginx ssl_session_timeout 
This is a new default since I last looked at the Mozilla server-side
SSL configurator.
 2025-03-29 22:34:32 +03:00
Alan Orth
0afb8a4493 roles/nginx: update nginx ssl_buffer_size 
The old default has not been changed in eight years and I see that
there have been some discussions over the years about this. I will
change this from the slightly extreme 1400 bytes to 4k (nginx def-
ault is still 16k so this is more "optimal" for HTML/CSS content).

See: https://github.com/igrigorik/istlsfastyet.com/issues/63
 2025-03-29 22:34:27 +03:00
Alan Orth
506695da31 roles/nginx/defaults: update version comments 2025-03-29 22:24:49 +03:00
Alan Orth
f67ed7762c roles/nginx: fix http2 syntax 2025-03-29 22:20:49 +03:00
Alan Orth
014f4d9502 roles/nginx: add newline 2025-03-29 22:19:41 +03:00
Alan Orth
22c16e1ed3 roles/caddy/templates: closer to supporting WordPress 
I still wouldn't want to deploy WordPress on Caddy until it's more
obvious and standard to block paths that shouldn't be accessible.
It seems that this is still left as an exercise to the site admin.

This discussion has some tips, but it is four years old and hasn't
changed since I last looked.

See: https://caddy.community/t/using-caddy-to-harden-wordpress/13575
 2025-03-29 22:09:37 +03:00
Alan Orth
5aa6a33e51 roles/php-fpm: set user and group based on webserver 
We use either caddy or nginx, which are conveniently named the same
as the Unix user and group.
 2025-03-29 21:01:56 +03:00
Alan Orth
7f9b06af9c roles/nginx: smarter setting of document root 2025-03-29 19:34:53 +03:00
Alan Orth
84db337fea roles/caddy: smarter setting of document root 2025-03-29 19:33:02 +03:00
Alan Orth
7b23f5f94f roles/caddy: add missing tag 2025-03-29 19:16:03 +03:00
Alan Orth
9830338be3 Use one default root prefix for nginx and caddy 2025-03-29 19:15:56 +03:00
Alan Orth
e3eed26765 roles/caddy: update vhost template 2025-03-29 18:37:28 +03:00
Alan Orth
8b31c7e148 host_vars/web22: WordPress 6.7.2 2025-03-29 16:10:23 +03:00
Alan Orth
3ff8043aaf Pipfile.lock: run pipenv update 2025-03-29 15:30:08 +03:00
Alan Orth
cb79f7ef70 roles/common: minor change to firehol update script 
They include bogons like 127.0.0.1 that should not be routed on the
public Internet, but this blocks local applications we proxy to.
 2025-01-28 09:14:48 +03:00
Alan Orth
bb14f05d2a roles/common: use Ansible timezone module 
No need to use a command for that. The module does it better because
it doesn't register a change unless the timezone changes.
 2025-01-27 23:11:56 +03:00
Alan Orth
5b1530fa91 roles/common: rework firewall 
Use firehol instead of all the others. AbuseIPDB.com can't be upd-
ated automatically, Abuse.ch is no longer maintained, and Spamhaus
is already in firehol.
 2025-01-27 23:05:45 +03:00
Alan Orth
5312dc6bd5 roles/common: use common nftables task 
Use a common nftables task on Debian and Ubuntu.
 2025-01-27 23:05:38 +03:00
Alan Orth
d6e060d3af roles/common: simplify firewall tasks 
Apply firewall tag to included tasks, then we don't need to use a
block.
 2025-01-27 22:30:50 +03:00
Alan Orth
b873af004a roles/common: single firewall task include 
Use one include from the main tasks file.
 2025-01-27 22:28:27 +03:00
Alan Orth
7ea3ab46f8 host_vars/web22: WordPress 6.7.1 2025-01-27 21:48:16 +03:00
Alan Orth
0561bd5b52 Pipfile.lock: run pipenv update 2025-01-27 21:36:13 +03:00
Alan Orth
d62572f02c Pipfile: python 3.13 2025-01-27 21:35:58 +03:00
Alan Orth
2ffe5e87d9 host_vars/web22: WordPress 6.6.2 2024-12-30 11:03:47 +03:00
Alan Orth
38d4f1a303 Pipfile.lock: run pipenv update 2024-12-30 11:03:35 +03:00
Alan Orth
ed8cb88038 host_vars/web22: WordPress 6.5.5 2024-06-25 08:18:22 +03:00
Alan Orth
c31e447861 roles/nginx: update signing key 2024-06-25 08:11:59 +03:00
Alan Orth
545684467c host_vars/nomad03: remove 2024-06-05 20:35:29 +03:00
Alan Orth
24ae5eaab1 host_vars/web22: WordPress 6.5.3 2024-05-13 14:51:45 +03:00
Alan Orth
dac23f1427 Pipfile: use Python 3.12 2024-05-13 14:51:34 +03:00
Alan Orth
41fbc73dd1 host_vars/web22: WordPress 6.4.3 2024-03-20 20:28:13 +03:00
Alan Orth
fee794bcf0 Update Pipfile 2024-03-20 20:28:00 +03:00
Alan Orth
8bce1d8b1b host_vars/web22: WordPress 6.4.1 2023-12-02 22:40:06 +03:00
Alan Orth
6dc2ea36b6 roles/nginx: fix path to php 8.2 socket 2023-09-11 19:55:24 +03:00
Alan Orth
af71a9b5f8 roles/php-fpm: remove fmt strings 
Ansible confuses them for jinja2 tokens.
 2023-09-11 19:52:18 +03:00
Alan Orth
4dd57803e2 roles/php-fpm: fix user/group for php 8.2 configs 2023-09-11 19:51:59 +03:00
Alan Orth
18d4245fc0 roles/common: fix tarsnap signing of apt repo 2023-09-11 19:37:49 +03:00
Alan Orth
1bddf3cccd Pipfile.lock: run pipenv update 2023-09-11 18:52:25 +03:00
Alan Orth
20dbe61fe1 roles/mariadb: use MariaDB 10.11 
The server has already been updated from 10.6 to 10.11.

See: https://mariadb.com/kb/en/upgrading-from-mariadb-10-6-to-mariadb-10-11/
 2023-09-10 22:53:10 +03:00
Alan Orth
899e87321b host_vars/web22: WordPress 6.3.1 2023-09-10 22:44:23 +03:00
Alan Orth
06416a3b64 roles: run ansible-lint --write 2023-08-23 22:22:51 +03:00
Alan Orth
7a9a24ef5d roles/common: rework fail2ban again 
Actually, we do want to run fail2ban on all hosts because the sshd
monitoring via systemd is nice. At the very least it reduces spam
from failed logins in our systemd journal.
 2023-08-23 22:15:24 +03:00
Alan Orth
067adcd9f5 roles/common: rework fail2ban tasks 
We can only run fail2ban when we have logs to monitor. When a host
is running Caddy we don't have logs, so fail2ban doesn't have any-
thing to monitor out of the box. For now I will restrict the task
to hosts running nginx.
 2023-08-23 21:59:28 +03:00
Alan Orth
84d210cfab roles/common: re-format handlers 
Use the newer Ansible format.
 2023-08-23 21:35:28 +03:00
Alan Orth
17736a4f14 roles/common: run ansible-lint --write 2023-08-23 21:33:22 +03:00
Alan Orth
b9e91c4a3d roles/common: minor updates to tarsnap task 
Use modern Ansible task format
 2023-08-23 21:20:22 +03:00
Alan Orth
51c95e5d4c roles/common: update tarsnap task 
Update tarsnap task to use apt signed-by for package signing keys
instead of adding keys directly to apt-key.
 2023-08-23 21:18:27 +03:00
Alan Orth
8dbec29d2a roles/nginx: prepare letsencrypt task for Debian 12 2023-08-23 21:01:12 +03:00
Alan Orth
d3bf3dab04 roles/php-fpm: add support for PHP 8.2 
This is used in Debian 12.
 2023-08-23 20:56:35 +03:00
Alan Orth
8f50b7756b host_vars/web22: WordPress 6.3 2023-08-22 21:33:49 +03:00
Alan Orth
e86ccc9979 roles/nginx: minor rework of apt key stuff 2023-08-22 21:33:19 +03:00
Alan Orth
cea8529f49 Pipfile.lock: run pipenv update 2023-08-22 21:02:17 +03:00
Alan Orth
d77718edae host_vars: add fail2ban_ignoreip 2023-08-14 16:37:07 +02:00
Alan Orth
14d57fc477 roles/nginx: reformat main tasks 2023-08-10 22:44:47 +02:00
Alan Orth
5c39f1abd8 roles/common: minor changes to Debian sshd_config files 2023-08-10 22:10:04 +02:00
Alan Orth
6794eb0432 roles/common: default to disabling SSH passwords 2023-08-10 22:09:03 +02:00
Alan Orth
11614e3725 host_vars: replace nomad02 with nomad03 
The former is Ubuntu 20.04, the latter is Debian 12. Running Drone
CI.
 2023-08-10 08:37:09 +02:00
Alan Orth
b106f9d9e5 roles/common: ignore apt sources.list on Scaleway 
While testing Debian 12 on Scaleway I noticed their apt sources.list
is in some weird format I've never seen before, so let's skip it on
those hosts.
 2023-08-10 08:08:42 +02:00
Alan Orth
3c8250e6ac Pipfile.lock: run pipenv update 2023-08-09 22:07:54 +02:00
Alan Orth
d280859b0d roles/common: minor updates to Debian 11 sshd_config 2023-08-09 21:55:04 +02:00
Alan Orth
bca1629d2f Minor comment updates for Debian 12 2023-08-09 21:51:53 +02:00
Alan Orth
4fa82faf18 roles/common: adjust sshd_config for Debian 12 
Adjust sshd_config based on ssh-audit profile for OpenSSH 9.2.
 2023-08-09 21:27:19 +02:00
Alan Orth
b8f0b4b1fb roles/common: add vanilla sshd_config for Debian 12 2023-08-09 21:16:50 +02:00
Alan Orth
68e5d05bbb host_vars/web22: WordPress 6.2.2 2023-07-27 18:48:37 +03:00
Alan Orth
446d402778 roles: minor fix to Debian version comparisons 2023-07-27 18:48:07 +03:00
Alan Orth
67379fc2e4 host_vars/web22: WordPress 6.2 2023-05-04 07:10:40 +03:00
Alan Orth
73546967b6 Pipfile.lock: run pipenv update 2023-05-04 06:58:25 +03:00
Alan Orth
16b661efe1 Pipfile.lock: run pipenv update 2023-04-14 10:09:29 -07:00
Alan Orth
fdb9a75489 roles/common: update tarsnap GPG key 2023-04-14 10:09:11 -07:00
Alan Orth
232d7a0348 host_vars/web22: WordPress 6.1.1 2022-11-24 18:31:48 +03:00
Alan Orth
6e4bb5bc34 host_vars/web21: use caddy 2022-11-13 18:58:57 +03:00
Alan Orth
c840ffe018 roles/caddy: improve vhost template 
Support domain aliases that redirect to the main domain and allow
sites to say they are static sites where they only need a document
root.
 2022-11-13 18:54:03 +03:00
Alan Orth
45c9d7ea0a Pipfile.lock: run pipenv update 2022-11-13 16:50:07 +03:00
Alan Orth
a62bc446e8 host_vars/web22: WordPress 6.1 2022-11-06 23:00:41 +03:00
Alan Orth
62a6a491db host_vars/web23: use caddy 2022-11-02 22:30:32 +03:00
Alan Orth
4867d6da6a Add basic caddy role 2022-11-02 22:29:30 +03:00
Alan Orth
d9f7c7a93b group_vars/web: set default webserver to nginx 
While I'm still getting experience with caddy and adapting it to my
workloads.
 2022-11-02 22:12:36 +03:00
Alan Orth
bc8c030700 roles/common: update Tarsnap GPG key 2022-11-02 22:11:37 +03:00
Alan Orth
f7598d8f1c Pipfile.lock: run pipenv update 2022-11-02 20:50:59 +03:00
Alan Orth
c353e84a84 site.yml: use fully-qualified modules 2022-10-25 21:08:27 +03:00
Alan Orth
99ca23f258 Pipfile.lock: run pipenv update 2022-10-17 19:56:30 +03:00
Alan Orth
b663d27fd8 roles/common: rework firewall_Debian.yml playbook 
Use newer Ansible task format, move from apt to package module, and
do package installs in one transaction using a list instead of a
loop.
 2022-09-12 17:25:40 +03:00
Alan Orth
67c99dacf6 roles/common: rework firewall_Ubuntu.yml playbook 
Use newer Ansible task format, move from apt to package module, and
do package installs in one transaction using a list instead of a loop.
 2022-09-12 17:18:33 +03:00
Alan Orth
4abf2b10e4 ansible.cfg: smart fact gathering 2022-09-12 17:18:19 +03:00
Alan Orth
f5199264f9 ansible.cfg: disable SSH host key checking 2022-09-12 17:14:39 +03:00
Alan Orth
b259f09cbd roles/common: add SSH public key from other machine 2022-09-12 17:06:31 +03:00
Alan Orth
f4b32e516b roles/mariadb: use newer Ansible task syntax 2022-09-12 10:16:42 +03:00
Alan Orth
fcb12ecee0 roles/mariadb: remove sources.list template 2022-09-12 10:13:27 +03:00
Alan Orth
5bc03ceacc roles/mariadb: install packages in single transaction 
Using a list we can install these in a single apt transaction. Also
use the newer task format.
 2022-09-12 10:12:07 +03:00
Alan Orth
c317429f6d roles/mariadb: rework package signing key and repo 2022-09-12 10:09:41 +03:00
Alan Orth
b512a7f765 roles/common: create /etc/apt/keyrings 
According the the Debian docs for third-party repositories we must
create this manually on distros before Debian 12 and Ubuntu 22.04.
This is due to changes in apt-secure and the deprecation of apt-key.

See: https://wiki.debian.org/DebianRepository/UseThirdParty
 2022-09-12 10:05:12 +03:00
Alan Orth
e3a87d4f79 roles/mariadb: MariaDB 10.6 
See: https://mariadb.com/kb/en/mariadb-1069-release-notes/
See: https://mariadb.com/kb/en/upgrading-from-mariadb-105-to-mariadb-106/
 2022-09-12 09:25:46 +03:00
Alan Orth
dec2d50fbc host_vars/web22: WordPress 6.0.2 2022-09-12 09:00:05 +03:00
Alan Orth
34be0013b7 Remove Debian 10 support 2022-09-11 09:21:08 +03:00
Alan Orth
399585f4e7 roles: don't compare literal true and false 
I changed these yesterday when editing the truthy values, but acco-
rding to ansible-link we can just rely on them being true or false
without comparing.
 2022-09-11 08:41:25 +03:00
Alan Orth
0240897b1b Remove Ubuntu 18.04 support 2022-09-10 23:30:04 +03:00
Alan Orth
1da0da53ec roles: use longer format for when conditionals 
When the condition is an AND we can use this more succinct format.
 2022-09-10 23:12:49 +03:00
Alan Orth
677cc9f160 roles/php-fpm: fix truthy-ness in when 2022-09-10 23:12:26 +03:00
Alan Orth
ffe7a872dd roles: strict truthy values 
According to Ansible we can use yes, true, True, "or any quoted st-
ring" for a boolean true, but ansible-lint wants us to use either
true or false.

See: https://chronicler.tech/red-hat-ansible-yes-no-and/
 2022-09-10 22:33:19 +03:00
Alan Orth
95d0005978 Add ansible-lint 2022-09-10 18:36:53 +03:00
Alan Orth
498766fdc4 Pipfile.lock: run pipenv update 2022-09-10 18:36:07 +03:00
Alan Orth
fc0fcc5742 roles/common: fix unnamed blocks 2022-09-10 18:35:27 +03:00
Alan Orth
587bd6dcdd roles: use fully qualified module names 2022-09-10 18:35:27 +03:00
Alan Orth
92a4c72809 Pipfile.lock: run pipenv update 2022-08-16 21:24:34 -07:00
Alan Orth
a2d61abba2 roles/mariadb: update mirror 
I started getting 'does not have a Release file' for the old repo-
sitory. Not sure why.
 2022-08-14 22:09:47 -07:00
Alan Orth
d2a5a28809 Pipfile.lock: run pipenv update 2022-08-01 15:20:56 +03:00
Alan Orth
84c0589aee host_vars/web22: WordPress 5.9.2 2022-03-31 22:35:15 +03:00
Alan Orth
2961578a54 roles/common: Update list of abusive IP addresses 
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml

Then I formatted the nftables files manually. Meh...
 2022-02-28 18:51:35 +03:00
Alan Orth
4d74f76b3c Pipfile.lock: run pipenv update 2022-02-04 21:47:53 +03:00
Alan Orth
9e737466c5 roles/common: Update list of abusive IP addresses 
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml

Then I formatted the nftables files manually. Meh...
 2022-02-04 21:47:37 +03:00
Alan Orth
0ffb1b1a36 roles/common: use pyinotify backend for nginx fail2ban jail 
This seems to be automatically selected, but on some other servers
I notice it is not. I will set it here explicitly so fail2ban does
not fall back to the inefficient "polling" or incorrect "systemd"
backends.
 2022-01-04 15:10:02 +02:00
Alan Orth
68f0b85eb3 Pipfile.lock: run pipenv update 2021-12-22 11:49:24 +02:00
Alan Orth
ebbde530d2 roles/common: Update list of abusive IP addresses 
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml

Then I created the nftables files manually. Meh...
 2021-12-22 11:40:27 +02:00
Alan Orth
ab47df6031 Use Python 3.10 with pipenv 2021-12-13 08:38:08 +02:00
Alan Orth
de75b2ffb6 host_vars/web22: WordPress 5.8.2 2021-11-30 19:48:18 +02:00
Alan Orth
e10d83dadd Pipfile.lock: run pipenv update 2021-11-30 19:34:46 +02:00
Alan Orth
f070fd9a64 roles/common: Update list of abusive IP addresses 
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
 2021-11-07 10:12:43 +02:00
Alan Orth
6e1527b1a8 Pipfile.lock: run pipenv update 2021-11-07 10:11:46 +02:00
Alan Orth
ebd8b0632b roles/common: Disable unsafe Diffie-Hellman SSH moduli 
The WeakDH team showed (in 2015) that Diffie-Hellman key exchange
with prime number groups of 1024 bits or less were weaker than we
previously thought, and well within the reach of nation states. They
recommended (in 2015) using 2048-bit or higher prime groups.

The SSH audit project recommends that we should use 3072-bit now.

See: https://weakdh.org/
See: https://github.com/jtesta/ssh-audit/
 2021-10-10 16:57:05 +03:00
Alan Orth
df26b6c17e roles/common: notify fail2ban after updating firewall 
We should always restart fail2ban after updating the firewall. Also
note that the order of execution of handlers depends on how they are
defined in the handler config, not on the order they are listed in
the task's notify statement.

See: https://docs.ansible.com/ansible/latest/user_guide/playbooks_handlers.html
 2021-09-28 10:45:51 +03:00
Alan Orth
d92151b8a6 roles/common: Update list of abusive IP addresses 
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml

Note: there were no IPv6 addresses in the top 10,000 this time so I
used a dummy address for the nftables set so the syntax was valid.
 2021-09-28 10:28:02 +03:00
Alan Orth
b13ead0657 roles/common: use a range for mosh ports in nftables 
This is better than a loop in Jinja (though that is useful!).
 2021-09-28 07:34:25 +03:00
Alan Orth
89ced6f952 Pipfile.lock: run pipenv update 2021-09-27 17:28:41 +03:00
Alan Orth
ae5ba0607a Remove host_vars/nomad01 
Replaced by web23.
 2021-09-27 14:17:48 +03:00
Alan Orth
89fd642b78 roles/nginx: minor rework of acme.sh tasks 
After the inital acme.sh script is downloaded and bootstrapped we
can remove it. If a host already has been bootstrapped then there
is no need to download it and do it over again.
 2021-09-27 13:40:17 +03:00
Alan Orth
65e6dd34cd roles/common: Add missing section to Debian 11 sshd_config 
We need to be able to configure the list of SSH users.
 2021-09-27 12:59:27 +03:00
Alan Orth
0421807e4d Add web23 
Will replace nomad01
 2021-09-27 12:22:45 +03:00
Alan Orth
d5eed5055e roles/nginx: Add support for gitea 
gitea hosts are basically webservers, but we need to proxy pass. I
am setting up gitea itself manually for now.
 2021-09-27 12:15:47 +03:00
Alan Orth
f8752bb3e7 roles/nginx: add todo about document roots 
We assume it's always /var/www/$domain_name but it can be overriden
in the host_vars...
 2021-09-27 12:05:53 +03:00
Alan Orth
170e591701 roles/common: Install rsync and lsof 2021-09-27 11:36:40 +03:00
Alan Orth
8d6c3c57c3 roles/nginx: install acme.sh after downloading 
This is basically just bootstrapping it. I used to do this by hand
before requesting the certs.
 2021-09-27 11:28:02 +03:00
Alan Orth
79b29f0c51 roles/nginx: generate snakeoil cert manually 
The ssl-cert does this, but it includes the hostname of the server
as the subject name in the cert, which is a huge leak of privacy.
 2021-09-27 10:48:24 +03:00
Alan Orth
a4acc85704 roles/common: Remove iptables on newer Debian 2021-09-27 10:35:38 +03:00
Alan Orth
f7b9aa67f5 roles/common: Fix comment about Debian 10 firewall 2021-09-27 10:31:31 +03:00
Alan Orth
0a39c4f0ef README.md: Update debian/ubuntu note 2021-09-27 10:13:47 +03:00
Alan Orth
85323d789c Remove host_vars/web19 
Replaced by web22.
 2021-09-13 11:49:32 +03:00
Alan Orth
341a1bf11e roles/php-fpm: Install php7.4-xml 
The RSS feeds in the WordPress admin dashboard need this.
 2021-09-13 10:19:33 +03:00
Alan Orth
6ee389eda5 roles/php-fpm: Use concrete dependencies 
The php-gd, php-mysql, etc packages are meta packages that just end
up installing the concrete ones for our specific version.
 2021-09-13 10:18:40 +03:00
Alan Orth
83fea62b0f host_vars/web22: WordPress 5.8.1 2021-09-13 07:37:40 +03:00
Alan Orth
0d1a5fbb25 Add host_vars/web22 
Will replace web19 soon.
 2021-09-12 21:59:38 +03:00
Alan Orth
4d8444abf2 host_vars/web21: Fix path to cert 2021-09-12 20:39:45 +03:00
Alan Orth
e8486f6c9e host_vars/nomad02: Update Drone to version 2 2021-09-10 21:49:00 +03:00
Alan Orth
20cd6f213c roles/common: cache_valid_time explicitly sets update_cache 
See: https://docs.ansible.com/ansible/latest/collections/ansible/builtin/apt_module.html
 2021-09-08 21:59:51 +03:00
Alan Orth
eb80e797c6 Add host_vars/web21 
Replaces web20.
 2021-09-08 21:57:04 +03:00
Alan Orth
736bb8eb38 Remove host_vars/web20 
Will be replaced by web21.
 2021-09-08 21:56:43 +03:00
Alan Orth
34a30c4d13 roles/common: Don't update apt cache when removing packages 2021-09-08 17:05:48 +03:00
Alan Orth
c03e75d736 roles/common: explicitly install systemd-timesyncd 
It is a standalone package on (at least) Ubuntu 20.04 and Debian 11
and some cloud images do not have it installed by default (for exa-
mple Scaleway).
 2021-09-08 17:04:46 +03:00
Alan Orth
d08f10f9c8 roles/common: Fix comment in ntp playbook 2021-09-08 17:04:20 +03:00
Alan Orth
8467dc1300 roles/mariadb: Change socket location 
Instead of using /var/run, just use /run directly. This is the real
path and it's the default anyways.
 2021-09-08 15:50:48 +03:00
Alan Orth
635bb5234d roles/common: fix logic for copying AbuseIPDB.com nft sets 
We have to force these because they are not updated on the host like
the other lists (API limit of five requests per day!). We update the
list periodically here in git.
 2021-09-08 09:58:13 +03:00
Alan Orth
37901da5b5 roles/common: update AbuseIPDB lists for nftables 2021-09-08 09:57:58 +03:00
Alan Orth
e36ae3b11e roles/common: Update list of abusive IP addresses 
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
 2021-09-08 09:35:36 +03:00
Alan Orth
81c1231a28 roles/php-fpm: Fix logic 
First, we cannot do a global check for has_wordpress or needs_php,
as those are defined per nginx vhost. Second, I realized that this
was only working in the past because vhosts that had WordPress or
needed PHP were listed first in the nginx_vhosts dict.

This changes the logic to first check if any vhosts have WordPress
or need PHP, then sets a fact that we can use to decide whether to
run php-fpm tasks or not.
 2021-09-08 09:32:06 +03:00
Alan Orth
bb6f058025 roles/php-fpm: whitespace 2021-09-07 20:12:31 +03:00
Alan Orth
547395b26e roles/nginx: Use php7.4-fpm socket on Debian 11 as well 2021-09-07 17:51:54 +03:00
Alan Orth
15208241d3 roles/common: Add git-lfs to base packages 2021-09-07 17:51:33 +03:00
Alan Orth
0fd05d496e roles/nginx: Set mode of downloaded acme.sh 2021-09-07 17:10:35 +03:00
Alan Orth
023a0d48ba roles/nginx: Remove old comment 2021-09-07 17:07:53 +03:00
Alan Orth
c687b7a91a roles/nginx: Run Let's Encrypt on Debian 11 too 2021-09-07 17:07:33 +03:00
Alan Orth
bd4ae36bb6 roles/mariadb: use socket for all operations 
Otherwise Ansible will try to connect with host 'localhost', which
we do not use (and we have disabled name resolution anyways).
 2021-09-07 16:48:15 +03:00
Alan Orth
b60637c7d9 roles/mariadb: Update comments for Ansible module 2021-09-07 16:47:47 +03:00
Alan Orth
479127a5e4 roles/common: Fix nftables handler in Debian firewall 
We used to use reload, but now the idempotent thing to do is to use
restart instead of reload.
 2021-09-07 15:43:33 +03:00
Alan Orth
d261f81642 roles/php-fpm: Use Ubuntu 20.04 configs on Debian 11 
They both use PHP 7.4.
 2021-09-06 21:19:57 +03:00
Alan Orth
6bc044d454 host_vars: remove mosh rules 
They are in roles/common now.
 2021-09-05 16:33:45 +03:00
Alan Orth
9e07e27fbe host_vars/web19: remove extra mosh rules 
These are now in the common role for all hosts.
 2021-09-05 16:24:28 +03:00
Alan Orth
575a9fdfe6 roles/common: Add mosh ports to common 
These have been in each hosts's "extra" rules lists forever and I
use them on every single host so they might as well be in the base
rules.
 2021-09-05 16:23:42 +03:00
Alan Orth
35fa3b0d72 roles/common: Fix typo in handlers 2021-09-05 16:19:31 +03:00
Alan Orth
ba5760bf8c host_vars/web19: WordPress 5.8 2021-09-05 15:55:58 +03:00
Alan Orth
5e918da88e Pipfile.lock: run pipenv update 2021-09-05 15:38:51 +03:00
Alan Orth
f7e87ea7be roles/common: Fix fail2ban ignoreip 
According to jail.conf we actually need to separate multiple values
with spaces instead of commas. On some versions of fail2ban this is
a fatal error:

> CRITICAL Unhandled exception in Fail2Ban:
> Traceback (most recent call last):
>   File "/usr/lib/python3/dist-packages/fail2ban/server/jailthread.py", line 66, in run_with_except_hook
>     run(*args, **kwargs)
>   File "/usr/lib/python3/dist-packages/fail2ban/server/filtersystemd.py", line 246, in run
>     *self.formatJournalEntry(logentry))
>   File "/usr/lib/python3/dist-packages/fail2ban/server/filter.py", line 432, in processLineAndAdd
>     if self.inIgnoreIPList(ip, log_ignore=True):
>   File "/usr/lib/python3/dist-packages/fail2ban/server/filter.py", line 371, in inIgnoreIPList
>     "(?<=b)1+", bin(DNSUtils.addr2bin(s[1]))).group())
>   File "/usr/lib/python3/dist-packages/fail2ban/server/filter.py", line 928, in addr2bin
>     return struct.unpack("!L", socket.inet_aton(ipstring))[0]
> OSError: illegal IP address string passed to inet_aton

This affects (at least) fail2ban 0.9.3 on Ubuntu 16.04, but I never
noticed.
 2021-08-12 15:24:50 +03:00
Alan Orth
7b233eb31d Pipfile.lock: Run pipenv update 
Ansible 4.3.0
 2021-08-01 16:14:42 +03:00
Alan Orth
b5ea575d8d roles/common: Always restart nftables service 
The "reload" capability only exists on Ubuntu, and it is exactly
the same as the "restart" functionality.
 2021-08-01 14:23:00 +03:00
Alan Orth
98cc3a8c2e Add nginx filter for fail2ban 
Some hosts can use fail2ban's nginx-botsearch filter to ban anyone
making requests to non-existent files like wp-login.php. There is
no reason to request such files naively and anyone found doing so
can be banned immediately.

In theory I should report them to AbuseIPDB.com, but that will take
a little more wiring up.
 2021-08-01 09:56:43 +03:00
Alan Orth
a67d901641 roles/common: Use AbuseIPDB.com list in nftables 
For now I am still manually updating this, as we can only hit their
API five times per day, so it is not possible to have each host get
the list themselves every day with our one API key.
 2021-07-31 21:46:50 +03:00
Alan Orth
7ae100faeb roles/common: Add comments to nftables.conf 2021-07-30 09:37:30 +03:00
Alan Orth
debcb21161 roles/common: Install curl for Abuse.ch update scripts 2021-07-29 10:24:32 +03:00
Alan Orth
8dd7663b3c roles/common: Use Abuse.ch's SSL Blacklist in nftables 
This adds Abuse.sh's list of IPs using blacklisted SSL certificates
to nftables. These IPs are high confidence indicators of compromise
and we should not route them. The list is updated daily by a systemd
timer.

See: https://sslbl.abuse.ch/blacklist/
 2021-07-29 10:16:00 +03:00
Alan Orth
cba2a7a996 roles/common: Fix nftables in Debian firewall 
The previous commit meant to move the service start, not the config
copying task.
 2021-07-29 10:10:04 +03:00
Alan Orth
197bdf7666 roles/common: Start nftables service later 
We should only try to start the nftables service after we finish
copying all the config files just in case there is some unclean
state in one of them. On a first run this shouldn't matter, but
after nftables and some abuse list update scripts have run this
can happen (mostly in testing!).
 2021-07-29 10:05:15 +03:00
Alan Orth
46fc2ce3d4 roles/common: Move cleanup to a one-off play 
We only need to run this once on existing hosts that are using the
old firewalld/ipsets setup before applying the new nftables config.
 2021-07-29 10:00:30 +03:00
Alan Orth
b4d50166f4 roles/common: Fix loop in firewall cleanup 2021-07-28 23:46:53 +03:00
Alan Orth
c336b217c5 Remove extra TCP ports from firewall rules 
Now all web hosts get TCP 80 and 443 open automatically.
 2021-07-28 14:49:50 +03:00
Alan Orth
af6c3dd12a roles/common: Update cache in firewall playbook 
cron-apt updates the system against the security-only databases at
night so many packages are "missing" unless you run apt update. We
need to update the cache on all apt tasks actually because I might
be running them by their tag and they currently only get updated at
the beginning of the playbook.
 2021-07-28 14:46:58 +03:00
Alan Orth
b66c724109 roles/common: Use nftables on Ubuntu 20.04 as well 
This mostly copies the Debian 11 nftables setup and includes a play
to clean up the old firewalld settings, timers, etc.
 2021-07-28 14:18:41 +03:00
Alan Orth
8bc2b6f493 roles/common: Retab nftables.conf.j2 2021-07-27 22:03:23 +03:00
Alan Orth
a74d6dfc08 roles/common: Don't overwrite spamhaus nft sets 
The ones in this repo are only placeholders that get updated by the
update-spamhaus-nftables service, so we shouldn't overwrite them if
they exist.
 2021-07-27 22:01:57 +03:00
Alan Orth
d3922e7878 roles/common: Port configurable firewall logic to nftables 
This opens TCP port 22 on all hosts, TCP ports 80 and 443 on hosts
in the web group, and allows configuration of "extra" rules in the
host or group vars.
 2021-07-27 21:22:32 +03:00
Alan Orth
14814aa5d9 roles/common: Wire up fail2ban 
The nftables support works easily and creates the table, chains, and
sets on demand.
 2021-07-26 22:07:31 +03:00
Alan Orth
3b053167b1 roles/common: Fix sources.list for Debian 11 Bullseye 
Seems the path to the security updates repo changed.
 2021-07-26 21:12:05 +03:00
Alan Orth
9bba0d96bb roles/common: Add initial support for nftables on Debian 11 
I will try using nftables directly instead of via firewalld as of
Debian 11 as it is the replacement for the iptables/ipset stack in
recent years and is easier to work with.

This also includes a systemd service, timer, and script to update
the spamhaus DROP lists as nftables sets.

Still need to add fail2ban support.
 2021-07-26 13:09:41 +03:00
Alan Orth
38c333045b roles/common: bring Ubuntu firewall changes to Debian 11 
Note that there is currently an issue loading the spamhaus rules on
Debian 11 when using ipsets with firewalld and the nftables backend.
The bug is apparently caused by overlapping CIDR segments, and the
solution appears to be that we need to manually aggregate them with
a tool like aggregate6 (Python).

See: https://bugzilla.redhat.com/show_bug.cgi?id=1836571
See: https://wiki.fysik.dtu.dk/it/Linux_firewall_configuration#using-ipsets-in-firewalld-on-rhel-centos-8
See: https://github.com/job/aggregate6
 2021-07-24 23:09:33 +03:00
Alan Orth
d4ede33099 roles/common: Don't configure apt sources on ARM 
I was using this on Ubuntu, but might as well bring it here too so
that I can run Debian on Scaleway's ARM instances, for example.
 2021-07-24 22:32:20 +03:00
Alan Orth
0bad75788d roles/common: Add encryption settings to Debian 11 sshd_config 
Mostly based on the ssh-audit policy for OpenSSH 8.4, but with any
algorithms using less than 256 bits removed. NSA's Suite B removed
these long ago, and the new CNSA suite only uses 256 and up.

See: https://github.com/jtesta/ssh-audit/blob/master/src/ssh_audit/policy.py
See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
 2021-07-24 22:28:59 +03:00
Alan Orth
892033b880 roles/common: port common settings to Debian 11 sshd_config 
Still need to add the encryption settings.
 2021-07-22 14:16:20 +03:00
Alan Orth
7c6ab2a652 roles/common: Add sshd_config from Debian 11 RC2 2021-07-22 14:15:00 +03:00
Alan Orth
1c95c1faa8 roles/common: Update KexAlgorithms in Ubuntu 20.04 sshd_config 
Recommended by ssh-audit. Note that curve25519-sha256 is the new name
for the previously private implementation in libssh.
 2021-07-22 12:57:31 +03:00
Alan Orth
9ea14de6f5 roles/common: Remove Encrypt-and-MAC modes from Ubuntu 20.04 sshd_config 
Recommended by ssh-audit, but also generally the concensus for a few
years that Encrypt-and-MAC is hard to get right. OpenSSH has several
Encrypt-then-MAC schemes available so we can use those.

See: https://www.daemonology.net/blog/2009-06-24-encrypt-then-mac.html
 2021-07-22 12:48:12 +03:00
Alan Orth
9b7a31ebf9 roles/common: Remove 00-persistent-journal.conf 
This was to enable the persistent systemd journal, but it is no lo-
nger needed as of Ubuntu 18.04 and Debian 11. I had removed the ta-
asks long ago, but forgot to remove this file.
 2021-07-21 10:02:33 +03:00
Alan Orth
d7c34a30a3 roles/common: Add Spamhaus DROP lists to firewalld ipsets 
This configures the recommended DROP, EDROP, and DROPv6 lists from
Spamhaus as ipsets in firewalld. First we copy an empty placeholder
ipset to seed firewalld, then we use a shell script to download the
real lists and activate them. The same shell script is run daily as
a service (update-spamhaus-lists.service) by a systemd timer.

I am strictly avoiding any direct ipset commands here because I want
to make sure that this works on older hosts where ipsets is used as
well as newer hosts that have moved to nftables such as Ubuntu 20.04.
So far I have tested this on Ubuntu 16.04, 18.04, and 20.04, but ev-
entually I need to abstract the tasks and run them on CentOS 7+ as
well.

See: https://www.spamhaus.org/drop/
 2021-07-21 09:34:51 +03:00
Alan Orth
ee5f4cdf74 host_vars: don't hard code python path 
We now use auto mode in ansible.cfg, so we don't need to hard code
this in every single host's vars file.

See: https://docs.ansible.com/ansible/latest/reference_appendices/interpreter_discovery.html
 2021-07-07 12:23:05 +03:00
Alan Orth
b014c09a2c ansible.cfg: Use auto discovery of Python interpreter 
Uses a built-in table of OSes and Python versions to decide which
Python interpreter to use. This is better than hard coding python3
in every single host's host_vars.

See: https://docs.ansible.com/ansible/latest/reference_appendices/interpreter_discovery.html
 2021-07-07 12:22:00 +03:00
Alan Orth
531ff99af0 roles/common: Update list of abusive IP addresses 
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
 2021-07-04 11:15:32 +03:00
Alan Orth
82d3a7ff2a roles/nginx: Add convenience tags to fact task 2021-07-01 18:17:14 +03:00
Alan Orth
6c3cf40a16 roles/nginx: Use snakeoil cert from ssl-cert 
Instead of manually creating our own self-signed certificate we can
use the one created automatically by the ssl-cert package on Debian.
This is only used by the dummy default HTTPS vhost.
 2021-07-01 18:11:34 +03:00
Alan Orth
681be5eb19 Pipfile.lock: run pipenv update 
Ansible 4.2.0 and Ansible Core 2.11.2
 2021-07-01 18:11:11 +03:00
Alan Orth
4fae56a386 host_vars/web19: WordPress 5.7.2 2021-06-13 16:14:22 +03:00
Alan Orth
1d5db7bdbe Pipfile.lock: run pipenv update 2021-06-13 16:14:05 +03:00
Alan Orth
32da3a3341 Pipfile.lock: Re-create pipenv environment for Ansible 4.0.0 
Seems we need to manually uninstall and re-install.
 2021-05-20 10:21:01 +03:00
Alan Orth
31a3f5832a roles/common: Update list of abusive IP addresses 
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
 2021-05-20 10:20:47 +03:00
Alan Orth
3e7130b519 Pipfile.lock: run pipenv update 2021-05-14 13:56:56 +03:00
Alan Orth
bd0b6a16de roles/nginx/defaults/main.yml: Update version comment 
Stable is now 1.20.0
 2021-05-10 16:00:44 +03:00
Alan Orth
7145298f90 Pipfile.lock: Run pipenv update 2021-05-10 15:59:34 +03:00
Alan Orth
1bfd2bc441 Pipfile.lock: Run pipenv update 
Ansible 3.3.0
 2021-04-28 12:49:23 +03:00
Alan Orth
884b3b8425 host_vars/web19: remove dead host 2021-04-24 20:17:17 +03:00
Alan Orth
e06a0c4093 host_vars/web19: WordPress 5.7.1 2021-04-16 19:51:55 +03:00
Alan Orth
7ba5afcec4 roles/nginx: Opt out of Google FLoC 
Google's new Federated Learning of Cohorts (FLoC) will read user's
browser history and assign them to cohorts to track them unless we
set this header.
 2021-04-16 12:41:09 +03:00
Alan Orth
d3978e5b07 Pipfile.lock: run pipenv update 2021-04-13 14:28:34 +03:00
Alan Orth
4150dac57b roles/common: Update list of abusive IP addresses 
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
 2021-04-13 12:11:11 +03:00
Alan Orth
58bc9d191f roles/common: Update list of abusive IP addresses 
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
 2021-03-24 10:02:43 +02:00
Alan Orth
96cefc7f74 roles/nginx: Parameterize HSTS header 
This parameterizes the HTTP Strict Transport Security header so we
can use it consistently across all templates. Also, it updates the
max-age to be ~1 year in seconds, which is recommended by Google.

See: https://hstspreload.org/
 2021-03-23 15:36:28 +02:00
Alan Orth
f85eb2841a roles/nginx: Add webroot to systemd renewal service 2021-03-20 00:18:17 +02:00
Alan Orth
5d506ebc65 README.md: Update copyright year 2021-03-20 00:16:16 +02:00
Alan Orth
af49f27551 roles/nginx: Update comment in defaults 2021-03-19 23:50:39 +02:00
Alan Orth
f341d2e5eb roles/nginx: Remove nginx pre/post hooks 
We are now using the well-known webroot.
 2021-03-19 23:46:22 +02:00
Alan Orth
ceba0ea417 roles/nginx: Use consistent task style 2021-03-19 23:45:41 +02:00
Alan Orth
a34cb1e666 roles/nginx: Switch to acme.sh for Let's Encrypt 
The certbot-auto client that I've been using for a long time is now
only supported if you install it using snap. I don't use snap on my
systems so I decided to switch to the acme.sh client, which is imp-
lemented in POSIX shell with no dependencies. One bonus of this is
that I can start using ECC certificates.

This also configures the .well-known directory so we can use webroot
when installing and renewing certificates. I have yet to understand
how the renewal works with regards to webroot, though. I may have to
update the systemd timers to point to /var/lib/letsencrypt/.well-known.
 2021-03-19 23:39:30 +02:00
Alan Orth
65fc52c5e5 roles/nginx: Use variable for nginx_ssl_dhparam 
I went years without realizing that I was hard coding the file dest
in this particular task.
 2021-03-19 18:13:55 +02:00
Alan Orth
7f13c8c675 host_vars/web19: WordPress 3.7 2021-03-19 13:27:34 +02:00
Alan Orth
9c36cfb8e5 Pipfile.lock: Run pipenv update 2021-03-19 13:18:19 +02:00
Alan Orth
7f72a9eda4 roles/nginx: Use RFC 7919 4096-bit dhparams 
Recommended by internet.nl, which made me aware of RFC 7919.

See: https://tools.ietf.org/html/rfc7919#page-14
 2021-03-19 13:13:56 +02:00
Alan Orth
6e96d48ea6 Pipfile.lock: Run pipenv update 
Ansible 3.0.0
 2021-03-01 15:27:58 +02:00
Alan Orth
db412066b3 roles/mariadb: Only create users on 127.0.0.1 and ::1 
A few months ago I disabled hostname lookups so only IP addresses
work now anyways.
 2021-02-13 13:11:28 +02:00
Alan Orth
63a836e2a7 roles/common: Update Tarsnap GPG key 
Apparently this changed since I last ran the tarsnap task.
 2021-02-13 12:57:17 +02:00
Alan Orth
dd04238a83 host_vars/web19: Add dev domain 2021-02-13 12:18:31 +02:00
Alan Orth
efdbeb75ea host_vars/web19: WordPress 5.6.1 2021-02-13 11:48:21 +02:00
Alan Orth
cd4411260c roles/common: Update list of abusive IP addresses 
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
 2021-02-07 15:56:33 +02:00
Alan Orth
8cb232a765 Pipfile.lock: Run pipenv update 2021-02-07 15:53:10 +02:00
Alan Orth
d4ca119265 Pipfile.lock: run pipenv update 
Minor Ansible update
 2021-01-27 11:06:12 +02:00
Alan Orth
f72f8c7a8d host_vars/web19: Remove piwik nginx host 2021-01-06 09:07:41 +02:00
Alan Orth
d7fa1697a1 host_vars/web19: Remove piwik database 2021-01-06 09:00:54 +02:00
Alan Orth
b0420d2adb roles: Remove mentions of Piwik 
I never check the damn analytics stats and the database is huge.
 2021-01-06 09:00:18 +02:00
Alan Orth
c70ebba151 Add host_vars/web20 2021-01-01 19:55:14 +02:00
Alan Orth
ac860e72f2 roles/php-fpm: Only run PHP tasks if we need them 2021-01-01 19:54:12 +02:00
Alan Orth
101c05d248 web.yml: Only run MariaDB role if it is needed 
Not all web hosts need this. Some are static sites, for example.
 2021-01-01 19:28:40 +02:00
Alan Orth
1b75679496 roles/mariadb: The service is mariadb 2020-12-29 11:25:30 +02:00
Alan Orth
ebf4a4c2ac roles/mariadb: Disable name lookups 
Add skip-name-resolve=1 to disable lookups of hostnames to IPs. We
need to make sure all accounts are using IPs like 127.0.0.1 instead
of "localhost" now.
 2020-12-29 11:19:01 +02:00
Alan Orth
57a83cef26 roles/mariadb: Tweak temp table size 
mysqltuner.pl said:

    When making adjustments, make tmp_table_size/max_heap_table_size equal
 2020-12-29 11:10:31 +02:00
Alan Orth
8ee52143fc roles/mariadb: Disable the query cache by default 
It seems that the usefulness of the query cache is diminishing in
recent years. If your cache is large then the time taken to scan
the cache can be longer than the SQL query itself.

See: https://haydenjames.io/mysql-query-cache-size-performance/
 2020-12-29 11:07:33 +02:00
Alan Orth
67a18c4f49 roles/mariadb: Reduce key buffer size 
mysqltuner.pl shows currently 6M out of 33M being used.
 2020-12-29 10:58:12 +02:00
Alan Orth
b8428e67a8 roles/mariadb: Install MariaDB 10.5 2020-12-29 10:41:27 +02:00
Alan Orth
e18529e6e1 roles/mariadb: Update service name 
As of MariaDB 10.5 the service name and binaries have changed from
mysql, mysqld, etc to mariadbd.

See: https://mariadb.com/kb/en/upgrading-from-mariadb-104-to-mariadb-105/
 2020-12-29 10:40:13 +02:00
Alan Orth
89db1449d1 roles/mariadb: Fetch signing key from mariadb.org 
I downloaded the key and checked the fingerprint with gpg:

    $ gpg --dry-run --import mariadb_release_signing_key.asc
    gpg: key F1656F24C74CD1D8: 6 signatures not checked due to missing keys
    gpg: Total number processed: 1
 2020-12-29 10:36:33 +02:00
Alan Orth
6660a0cd36 roles/mariadb: Remove innodb_buffer_pool_instances 
This was deprecated in MariaDB 10.5. The setting is now ignored and
will be removed in a future version.

See: https://mariadb.com/kb/en/changes-improvements-in-mariadb-105/#innodb-removed-or-deprecated-variables
 2020-12-29 10:18:23 +02:00
98 changed files with 2744 additions and 16340 deletions
Expand all files Collapse all files

3
Pipfile
View File

@ -7,6 +7,7 @@ verify_ssl = true
[packages] [packages]
ansible = "*" ansible = "*"
ansible-lint = "*"
[requires] [requires]
python_version = "3.9" python_version = "3.13"

763
Pipfile.lock generated
View File

@ -1,11 +1,11 @@
{ {
"_meta": { "_meta": {
"hash": { "hash": {
"sha256": "65b615b857250757470e21fc3a4b1cdfe75b4b012c0d1d633a5ebf1988d9cb91" "sha256": "47970866f4ffc7775e3a95dd04ee8b75f9784c457baadd8a31fe1783584fa73f"
}, },
"pipfile-spec": 6, "pipfile-spec": 6,
"requires": { "requires": {
"python_version": "3.9" "python_version": "3.13"
}, },
"sources": [ "sources": [
{ {
@ -18,175 +18,668 @@
"default": { "default": {
"ansible": { "ansible": {
"hashes": [ "hashes": [
"sha256:98e718aea82199be62db7731373d660627aa1e938d34446588f2f49c228638ee" "sha256:caa56fc92e5bea012abf37f08aa348da27d2fcaf94bf398e24cadcb618a4dc3b",
"sha256:f9df37c71d407f65bcb9c5c06c9918e297d9ea74b5cdaf5926c4c9aa9e44db5f"
], ],
"index": "pypi", "index": "pypi",
"version": "==2.10.4" "markers": "python_version >= '3.11'",
"version": "==11.7.0"
}, },
"ansible-base": { "ansible-compat": {
"hashes": [ "hashes": [
"sha256:d4dad569864c08d8efb6ad99acf48ec46d7d118f8ced64f1185f8eac2c280ec3" "sha256:c2b4bfeca6383b2047b2e1dea473cec4f1f9f2dd59beef71d6c47f632eaf97c9",
"sha256:cced722001bd7b617d418e54017e308c8b27ef3815f377843c00e020fa07165e"
], ],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", "markers": "python_version >= '3.10'",
"version": "==2.10.4" "version": "==25.6.0"
},
"ansible-core": {
"hashes": [
"sha256:12a34749a7b20f0f1536bd3e3b2e137341867e4642e351273e96647161f595c0",
"sha256:25bb20ce1516a1b7307831b263cef684043b3720711466bd9d4164e5fd576557"
],
"markers": "python_version >= '3.11'",
"version": "==2.18.6"
},
"ansible-lint": {
"hashes": [
"sha256:69fe294a3cc30d8819b5a30625a7e25225f48558cadb83ad3d4dec597c1b8c2c",
"sha256:6a1dd2b7a9f3f202c9e92a6c80296ff33ca863348c3acf978f80fb0d4536dce4"
],
"index": "pypi",
"markers": "python_version >= '3.10'",
"version": "==25.6.1"
},
"attrs": {
"hashes": [
"sha256:427318ce031701fea540783410126f03899a97ffc6f61596ad581ac2e40e3bc3",
"sha256:75d7cefc7fb576747b2c81b4442d4d4a1ce0900973527c011d1030fd3bf4af1b"
],
"markers": "python_version >= '3.8'",
"version": "==25.3.0"
},
"black": {
"hashes": [
"sha256:030b9759066a4ee5e5aca28c3c77f9c64789cdd4de8ac1df642c40b708be6171",
"sha256:055e59b198df7ac0b7efca5ad7ff2516bca343276c466be72eb04a3bcc1f82d7",
"sha256:0e519ecf93120f34243e6b0054db49c00a35f84f195d5bce7e9f5cfc578fc2da",
"sha256:172b1dbff09f86ce6f4eb8edf9dede08b1fce58ba194c87d7a4f1a5aa2f5b3c2",
"sha256:1e2978f6df243b155ef5fa7e558a43037c3079093ed5d10fd84c43900f2d8ecc",
"sha256:33496d5cd1222ad73391352b4ae8da15253c5de89b93a80b3e2c8d9a19ec2666",
"sha256:3b48735872ec535027d979e8dcb20bf4f70b5ac75a8ea99f127c106a7d7aba9f",
"sha256:4b60580e829091e6f9238c848ea6750efed72140b91b048770b64e74fe04908b",
"sha256:759e7ec1e050a15f89b770cefbf91ebee8917aac5c20483bc2d80a6c3a04df32",
"sha256:8f0b18a02996a836cc9c9c78e5babec10930862827b1b724ddfe98ccf2f2fe4f",
"sha256:95e8176dae143ba9097f351d174fdaf0ccd29efb414b362ae3fd72bf0f710717",
"sha256:96c1c7cd856bba8e20094e36e0f948718dc688dba4a9d78c3adde52b9e6c2299",
"sha256:a1ee0a0c330f7b5130ce0caed9936a904793576ef4d2b98c40835d6a65afa6a0",
"sha256:a22f402b410566e2d1c950708c77ebf5ebd5d0d88a6a2e87c86d9fb48afa0d18",
"sha256:a39337598244de4bae26475f77dda852ea00a93bd4c728e09eacd827ec929df0",
"sha256:afebb7098bfbc70037a053b91ae8437c3857482d3a690fefc03e9ff7aa9a5fd3",
"sha256:bacabb307dca5ebaf9c118d2d2f6903da0d62c9faa82bd21a33eecc319559355",
"sha256:bce2e264d59c91e52d8000d507eb20a9aca4a778731a08cfff7e5ac4a4bb7096",
"sha256:d9e6827d563a2c820772b32ce8a42828dc6790f095f441beef18f96aa6f8294e",
"sha256:db8ea9917d6f8fc62abd90d944920d95e73c83a5ee3383493e35d271aca872e9",
"sha256:ea0213189960bda9cf99be5b8c8ce66bb054af5e9e861249cd23471bd7b0b3ba",
"sha256:f3df5f1bf91d36002b0a75389ca8663510cf0531cca8aa5c1ef695b46d98655f"
],
"markers": "python_version >= '3.9'",
"version": "==25.1.0"
},
"bracex": {
"hashes": [
"sha256:0b0049264e7340b3ec782b5cb99beb325f36c3782a32e36e876452fd49a09952",
"sha256:98f1347cd77e22ee8d967a30ad4e310b233f7754dbf31ff3fceb76145ba47dc7"
],
"markers": "python_version >= '3.9'",
"version": "==2.6"
}, },
"cffi": { "cffi": {
"hashes": [ "hashes": [
"sha256:00a1ba5e2e95684448de9b89888ccd02c98d512064b4cb987d48f4b40aa0421e", "sha256:045d61c734659cc045141be4bae381a41d89b741f795af1dd018bfb532fd0df8",
"sha256:00e28066507bfc3fe865a31f325c8391a1ac2916219340f87dfad602c3e48e5d", "sha256:0984a4925a435b1da406122d4d7968dd861c1385afe3b45ba82b750f229811e2",
"sha256:045d792900a75e8b1e1b0ab6787dd733a8190ffcf80e8c8ceb2fb10a29ff238a", "sha256:0e2b1fac190ae3ebfe37b979cc1ce69c81f4e4fe5746bb401dca63a9062cdaf1",
"sha256:0638c3ae1a0edfb77c6765d487fee624d2b1ee1bdfeffc1f0b58c64d149e7eec", "sha256:0f048dcf80db46f0098ccac01132761580d28e28bc0f78ae0d58048063317e15",
"sha256:105abaf8a6075dc96c1fe5ae7aae073f4696f2905fde6aeada4c9d2926752362", "sha256:1257bdabf294dceb59f5e70c64a3e2f462c30c7ad68092d01bbbfb1c16b1ba36",
"sha256:155136b51fd733fa94e1c2ea5211dcd4c8879869008fc811648f16541bf99668", "sha256:1c39c6016c32bc48dd54561950ebd6836e1670f2ae46128f67cf49e789c52824",
"sha256:1a465cbe98a7fd391d47dce4b8f7e5b921e6cd805ef421d04f5f66ba8f06086c", "sha256:1d599671f396c4723d016dbddb72fe8e0397082b0a77a4fab8028923bec050e8",
"sha256:1d2c4994f515e5b485fd6d3a73d05526aa0fcf248eb135996b088d25dfa1865b", "sha256:28b16024becceed8c6dfbc75629e27788d8a3f9030691a1dbf9821a128b22c36",
"sha256:2c24d61263f511551f740d1a065eb0212db1dbbbbd241db758f5244281590c06", "sha256:2bb1a08b8008b281856e5971307cc386a8e9c5b625ac297e853d36da6efe9c17",
"sha256:51a8b381b16ddd370178a65360ebe15fbc1c71cf6f584613a7ea08bfad946698", "sha256:30c5e0cb5ae493c04c8b42916e52ca38079f1b235c2f8ae5f4527b963c401caf",
"sha256:594234691ac0e9b770aee9fcdb8fa02c22e43e5c619456efd0d6c2bf276f3eb2", "sha256:31000ec67d4221a71bd3f67df918b1f88f676f1c3b535a7eb473255fdc0b83fc",
"sha256:5cf4be6c304ad0b6602f5c4e90e2f59b47653ac1ed9c662ed379fe48a8f26b0c", "sha256:386c8bf53c502fff58903061338ce4f4950cbdcb23e2902d86c0f722b786bbe3",
"sha256:64081b3f8f6f3c3de6191ec89d7dc6c86a8a43911f7ecb422c60e90c70be41c7", "sha256:3edc8d958eb099c634dace3c7e16560ae474aa3803a5df240542b305d14e14ed",
"sha256:6bc25fc545a6b3d57b5f8618e59fc13d3a3a68431e8ca5fd4c13241cd70d0009", "sha256:45398b671ac6d70e67da8e4224a065cec6a93541bb7aebe1b198a61b58c7b702",
"sha256:798caa2a2384b1cbe8a2a139d80734c9db54f9cc155c99d7cc92441a23871c03", "sha256:46bf43160c1a35f7ec506d254e5c890f3c03648a4dbac12d624e4490a7046cd1",
"sha256:7c6b1dece89874d9541fc974917b631406233ea0440d0bdfbb8e03bf39a49b3b", "sha256:4ceb10419a9adf4460ea14cfd6bc43d08701f0835e979bf821052f1805850fe8",
"sha256:840793c68105fe031f34d6a086eaea153a0cd5c491cde82a74b420edd0a2b909", "sha256:51392eae71afec0d0c8fb1a53b204dbb3bcabcb3c9b807eedf3e1e6ccf2de903",
"sha256:8d6603078baf4e11edc4168a514c5ce5b3ba6e3e9c374298cb88437957960a53", "sha256:5da5719280082ac6bd9aa7becb3938dc9f9cbd57fac7d2871717b1feb0902ab6",
"sha256:9cc46bc107224ff5b6d04369e7c595acb700c3613ad7bcf2e2012f62ece80c35", "sha256:610faea79c43e44c71e1ec53a554553fa22321b65fae24889706c0a84d4ad86d",
"sha256:9f7a31251289b2ab6d4012f6e83e58bc3b96bd151f5b5262467f4bb6b34a7c26", "sha256:636062ea65bd0195bc012fea9321aca499c0504409f413dc88af450b57ffd03b",
"sha256:9ffb888f19d54a4d4dfd4b3f29bc2c16aa4972f1c2ab9c4ab09b8ab8685b9c2b", "sha256:6883e737d7d9e4899a8a695e00ec36bd4e5e4f18fabe0aca0efe0a4b44cdb13e",
"sha256:a5ed8c05548b54b998b9498753fb9cadbfd92ee88e884641377d8a8b291bcc01", "sha256:6b8b4a92e1c65048ff98cfe1f735ef8f1ceb72e3d5f0c25fdb12087a23da22be",
"sha256:a7711edca4dcef1a75257b50a2fbfe92a65187c47dab5a0f1b9b332c5919a3fb", "sha256:6f17be4345073b0a7b8ea599688f692ac3ef23ce28e5df79c04de519dbc4912c",
"sha256:af5c59122a011049aad5dd87424b8e65a80e4a6477419c0c1015f73fb5ea0293", "sha256:706510fe141c86a69c8ddc029c7910003a17353970cff3b904ff0686a5927683",
"sha256:b18e0a9ef57d2b41f5c68beefa32317d286c3d6ac0484efd10d6e07491bb95dd", "sha256:72e72408cad3d5419375fc87d289076ee319835bdfa2caad331e377589aebba9",
"sha256:b4e248d1087abf9f4c10f3c398896c87ce82a9856494a7155823eb45a892395d", "sha256:733e99bc2df47476e3848417c5a4540522f234dfd4ef3ab7fafdf555b082ec0c",
"sha256:ba4e9e0ae13fc41c6b23299545e5ef73055213e466bd107953e4a013a5ddd7e3", "sha256:7596d6620d3fa590f677e9ee430df2958d2d6d6de2feeae5b20e82c00b76fbf8",
"sha256:c6332685306b6417a91b1ff9fae889b3ba65c2292d64bd9245c093b1b284809d", "sha256:78122be759c3f8a014ce010908ae03364d00a1f81ab5c7f4a7a5120607ea56e1",
"sha256:d5ff0621c88ce83a28a10d2ce719b2ee85635e85c515f12bac99a95306da4b2e", "sha256:805b4371bf7197c329fcb3ead37e710d1bca9da5d583f5073b799d5c5bd1eee4",
"sha256:d9efd8b7a3ef378dd61a1e77367f1924375befc2eba06168b6ebfa903a5e59ca", "sha256:85a950a4ac9c359340d5963966e3e0a94a676bd6245a4b55bc43949eee26a655",
"sha256:df5169c4396adc04f9b0a05f13c074df878b6052430e03f50e68adf3a57aa28d", "sha256:8f2cdc858323644ab277e9bb925ad72ae0e67f69e804f4898c070998d50b1a67",
"sha256:ebb253464a5d0482b191274f1c8bf00e33f7e0b9c66405fbffc61ed2c839c775", "sha256:9755e4345d1ec879e3849e62222a18c7174d65a6a92d5b346b1863912168b595",
"sha256:ec80dc47f54e6e9a78181ce05feb71a0353854cc26999db963695f950b5fb375", "sha256:98e3969bcff97cae1b2def8ba499ea3d6f31ddfdb7635374834cf89a1a08ecf0",
"sha256:f032b34669220030f905152045dfa27741ce1a6db3324a5bc0b96b6c7420c87b", "sha256:a08d7e755f8ed21095a310a693525137cfe756ce62d066e53f502a83dc550f65",
"sha256:f60567825f791c6f8a592f3c6e3bd93dd2934e3f9dac189308426bd76b00ef3b", "sha256:a1ed2dd2972641495a3ec98445e09766f077aee98a1c896dcb4ad0d303628e41",
"sha256:f803eaa94c2fcda012c047e62bc7a51b0bdabda1cad7a92a522694ea2d76e49f" "sha256:a24ed04c8ffd54b0729c07cee15a81d964e6fee0e3d4d342a27b020d22959dc6",
"sha256:a45e3c6913c5b87b3ff120dcdc03f6131fa0065027d0ed7ee6190736a74cd401",
"sha256:a9b15d491f3ad5d692e11f6b71f7857e7835eb677955c00cc0aefcd0669adaf6",
"sha256:ad9413ccdeda48c5afdae7e4fa2192157e991ff761e7ab8fdd8926f40b160cc3",
"sha256:b2ab587605f4ba0bf81dc0cb08a41bd1c0a5906bd59243d56bad7668a6fc6c16",
"sha256:b62ce867176a75d03a665bad002af8e6d54644fad99a3c70905c543130e39d93",
"sha256:c03e868a0b3bc35839ba98e74211ed2b05d2119be4e8a0f224fba9384f1fe02e",
"sha256:c59d6e989d07460165cc5ad3c61f9fd8f1b4796eacbd81cee78957842b834af4",
"sha256:c7eac2ef9b63c79431bc4b25f1cd649d7f061a28808cbc6c47b534bd789ef964",
"sha256:c9c3d058ebabb74db66e431095118094d06abf53284d9c81f27300d0e0d8bc7c",
"sha256:ca74b8dbe6e8e8263c0ffd60277de77dcee6c837a3d0881d8c1ead7268c9e576",
"sha256:caaf0640ef5f5517f49bc275eca1406b0ffa6aa184892812030f04c2abf589a0",
"sha256:cdf5ce3acdfd1661132f2a9c19cac174758dc2352bfe37d98aa7512c6b7178b3",
"sha256:d016c76bdd850f3c626af19b0542c9677ba156e4ee4fccfdd7848803533ef662",
"sha256:d01b12eeeb4427d3110de311e1774046ad344f5b1a7403101878976ecd7a10f3",
"sha256:d63afe322132c194cf832bfec0dc69a99fb9bb6bbd550f161a49e9e855cc78ff",
"sha256:da95af8214998d77a98cc14e3a3bd00aa191526343078b530ceb0bd710fb48a5",
"sha256:dd398dbc6773384a17fe0d3e7eeb8d1a21c2200473ee6806bb5e6a8e62bb73dd",
"sha256:de2ea4b5833625383e464549fec1bc395c1bdeeb5f25c4a3a82b5a8c756ec22f",
"sha256:de55b766c7aa2e2a3092c51e0483d700341182f08e67c63630d5b6f200bb28e5",
"sha256:df8b1c11f177bc2313ec4b2d46baec87a5f3e71fc8b45dab2ee7cae86d9aba14",
"sha256:e03eab0a8677fa80d646b5ddece1cbeaf556c313dcfac435ba11f107ba117b5d",
"sha256:e221cf152cff04059d011ee126477f0d9588303eb57e88923578ace7baad17f9",
"sha256:e31ae45bc2e29f6b2abd0de1cc3b9d5205aa847cafaecb8af1476a609a2f6eb7",
"sha256:edae79245293e15384b51f88b00613ba9f7198016a5948b5dddf4917d4d26382",
"sha256:f1e22e8c4419538cb197e4dd60acc919d7696e5ef98ee4da4e01d3f8cfa4cc5a",
"sha256:f3a2b4222ce6b60e2e8b337bb9596923045681d71e5a082783484d845390938e",
"sha256:f6a16c31041f09ead72d69f583767292f750d24913dadacf5756b966aacb3f1a",
"sha256:f75c7ab1f9e4aca5414ed4d8e5c0e303a34f4421f8a0d47a4d019ceff0ab6af4",
"sha256:f79fc4fc25f1c8698ff97788206bb3c2598949bfe0fef03d299eb1b5356ada99",
"sha256:f7f5baafcc48261359e14bcd6d9bff6d4b28d9103847c9e136694cb0501aef87",
"sha256:fc48c783f9c87e60831201f2cce7f3b2e4846bf4d8728eabe54d60700b318a0b"
], ],
"version": "==1.14.4" "markers": "python_version >= '3.8'",
"version": "==1.17.1"
},
"click": {
"hashes": [
"sha256:27c491cc05d968d271d5a1db13e3b5a184636d9d930f148c50b038f0d0646202",
"sha256:61a3265b914e850b85317d0b3109c7f8cd35a670f963866005d6ef1d5175a12b"
],
"markers": "python_version >= '3.10'",
"version": "==8.2.1"
}, },
"cryptography": { "cryptography": {
"hashes": [ "hashes": [
"sha256:0003a52a123602e1acee177dc90dd201f9bb1e73f24a070db7d36c588e8f5c7d", "sha256:0027d566d65a38497bc37e0dd7c2f8ceda73597d2ac9ba93810204f56f52ebc7",
"sha256:0e85aaae861d0485eb5a79d33226dd6248d2a9f133b81532c8f5aae37de10ff7", "sha256:101ee65078f6dd3e5a028d4f19c07ffa4dd22cce6a20eaa160f8b5219911e7d8",
"sha256:594a1db4511bc4d960571536abe21b4e5c3003e8750ab8365fafce71c5d86901", "sha256:12e55281d993a793b0e883066f590c1ae1e802e3acb67f8b442e721e475e6463",
"sha256:69e836c9e5ff4373ce6d3ab311c1a2eed274793083858d3cd4c7d12ce20d5f9c", "sha256:14d96584701a887763384f3c47f0ca7c1cce322aa1c31172680eb596b890ec30",
"sha256:788a3c9942df5e4371c199d10383f44a105d67d401fb4304178020142f020244", "sha256:1e1da5accc0c750056c556a93c3e9cb828970206c68867712ca5805e46dc806f",
"sha256:7e177e4bea2de937a584b13645cab32f25e3d96fc0bc4a4cf99c27dc77682be6", "sha256:206210d03c1193f4e1ff681d22885181d47efa1ab3018766a7b32a7b3d6e6afd",
"sha256:83d9d2dfec70364a74f4e7c70ad04d3ca2e6a08b703606993407bf46b97868c5", "sha256:2089cc8f70a6e454601525e5bf2779e665d7865af002a5dec8d14e561002e135",
"sha256:84ef7a0c10c24a7773163f917f1cb6b4444597efd505a8aed0a22e8c4780f27e", "sha256:3a264aae5f7fbb089dbc01e0242d3b67dffe3e6292e1f5182122bdf58e65215d",
"sha256:9e21301f7a1e7c03dbea73e8602905a4ebba641547a462b26dd03451e5769e7c", "sha256:3af26738f2db354aafe492fb3869e955b12b2ef2e16908c8b9cb928128d42c57",
"sha256:9f6b0492d111b43de5f70052e24c1f0951cb9e6022188ebcb1cc3a3d301469b0", "sha256:3fcfbefc4a7f332dece7272a88e410f611e79458fab97b5efe14e54fe476f4fd",
"sha256:a69bd3c68b98298f490e84519b954335154917eaab52cf582fa2c5c7efc6e812", "sha256:460f8c39ba66af7db0545a8c6f2eabcbc5a5528fc1cf6c3fa9a1e44cec33385e",
"sha256:b4890d5fb9b7a23e3bf8abf5a8a7da8e228f1e97dc96b30b95685df840b6914a", "sha256:57c816dfbd1659a367831baca4b775b2a5b43c003daf52e9d57e1d30bc2e1b0e",
"sha256:c366df0401d1ec4e548bebe8f91d55ebcc0ec3137900d214dd7aac8427ef3030", "sha256:5aa1e32983d4443e310f726ee4b071ab7569f58eedfdd65e9675484a4eb67bd1",
"sha256:dc42f645f8f3a489c3dd416730a514e7a91a59510ddaadc09d04224c098d3302" "sha256:6ff8728d8d890b3dda5765276d1bc6fb099252915a2cd3aff960c4c195745dd0",
"sha256:7259038202a47fdecee7e62e0fd0b0738b6daa335354396c6ddebdbe1206af2a",
"sha256:72e76caa004ab63accdf26023fccd1d087f6d90ec6048ff33ad0445abf7f605a",
"sha256:7760c1c2e1a7084153a0f68fab76e754083b126a47d0117c9ed15e69e2103492",
"sha256:8c4a6ff8a30e9e3d38ac0539e9a9e02540ab3f827a3394f8852432f6b0ea152e",
"sha256:9024beb59aca9d31d36fcdc1604dd9bbeed0a55bface9f1908df19178e2f116e",
"sha256:90cb0a7bb35959f37e23303b7eed0a32280510030daba3f7fdfbb65defde6a97",
"sha256:91098f02ca81579c85f66df8a588c78f331ca19089763d733e34ad359f474174",
"sha256:926c3ea71a6043921050eaa639137e13dbe7b4ab25800932a8498364fc1abec9",
"sha256:982518cd64c54fcada9d7e5cf28eabd3ee76bd03ab18e08a48cad7e8b6f31b18",
"sha256:9b4cf6318915dccfe218e69bbec417fdd7c7185aa7aab139a2c0beb7468c89f0",
"sha256:ad0caded895a00261a5b4aa9af828baede54638754b51955a0ac75576b831b27",
"sha256:b85980d1e345fe769cfc57c57db2b59cff5464ee0c045d52c0df087e926fbe63",
"sha256:b8fa8b0a35a9982a3c60ec79905ba5bb090fc0b9addcfd3dc2dd04267e45f25e",
"sha256:b9e38e0a83cd51e07f5a48ff9691cae95a79bea28fe4ded168a8e5c6c77e819d",
"sha256:bd4c45986472694e5121084c6ebbd112aa919a25e783b87eb95953c9573906d6",
"sha256:be97d3a19c16a9be00edf79dca949c8fa7eff621763666a145f9f9535a5d7f42",
"sha256:c648025b6840fe62e57107e0a25f604db740e728bd67da4f6f060f03017d5097",
"sha256:d05a38884db2ba215218745f0781775806bde4f32e07b135348355fe8e4991d9",
"sha256:dd420e577921c8c2d31289536c386aaa30140b473835e97f83bc71ea9d2baf2d",
"sha256:e357286c1b76403dd384d938f93c46b2b058ed4dfcdce64a770f0537ed3feb6f",
"sha256:e6c00130ed423201c5bc5544c23359141660b07999ad82e34e7bb8f882bb78e0",
"sha256:e74d30ec9c7cb2f404af331d5b4099a9b322a8a6b25c4632755c8757345baac5",
"sha256:f3562c2f23c612f2e4a6964a61d942f891d29ee320edb62ff48ffb99f3de9ae8"
], ],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4, 3.5'", "markers": "python_version >= '3.7' and python_full_version not in '3.9.0, 3.9.1'",
"version": "==3.3.1" "version": "==45.0.5"
},
"filelock": {
"hashes": [
"sha256:adbc88eabb99d2fec8c9c1b229b171f18afa655400173ddc653d5d01501fb9f2",
"sha256:c401f4f8377c4464e6db25fff06205fd89bdd83b65eb0488ed1b160f780e21de"
],
"markers": "python_version >= '3.9'",
"version": "==3.18.0"
},
"importlib-metadata": {
"hashes": [
"sha256:d13b81ad223b890aa16c5471f2ac3056cf76c5f10f82d6f9292f0b415f389000",
"sha256:e5dd1551894c77868a30651cef00984d50e1002d06942a7101d34870c5f02afd"
],
"markers": "python_version >= '3.9'",
"version": "==8.7.0"
}, },
"jinja2": { "jinja2": {
"hashes": [ "hashes": [
"sha256:89aab215427ef59c34ad58735269eb58b1a5808103067f7bb9d5836c651b3bb0", "sha256:0137fb05990d35f1275a587e9aee6d56da821fc83491a0fb838183be43f66d6d",
"sha256:f0a4641d3cf955324a89c04f3d94663aa4d638abe8f733ecd3582848e1c37035" "sha256:85ece4451f492d0c13c5dd7c13a64681a86afae63a5f347908daf103ce6d2f67"
], ],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", "markers": "python_version >= '3.7'",
"version": "==2.11.2" "version": "==3.1.6"
},
"jsonschema": {
"hashes": [
"sha256:0b4e8069eb12aedfa881333004bccaec24ecef5a8a6a4b6df142b2cc9599d196",
"sha256:a462455f19f5faf404a7902952b6f0e3ce868f3ee09a359b05eca6673bd8412d"
],
"markers": "python_version >= '3.9'",
"version": "==4.24.0"
},
"jsonschema-specifications": {
"hashes": [
"sha256:4653bffbd6584f7de83a67e0d620ef16900b390ddc7939d56684d6c81e33f1af",
"sha256:630159c9f4dbea161a6a2205c3011cc4f18ff381b189fff48bb39b9bf26ae608"
],
"markers": "python_version >= '3.9'",
"version": "==2025.4.1"
}, },
"markupsafe": { "markupsafe": {
"hashes": [ "hashes": [
"sha256:00bc623926325b26bb9605ae9eae8a215691f33cae5df11ca5424f06f2d1f473", "sha256:0bff5e0ae4ef2e1ae4fdf2dfd5b76c75e5c2fa4132d05fc1b0dabcd20c7e28c4",
"sha256:09027a7803a62ca78792ad89403b1b7a73a01c8cb65909cd876f7fcebd79b161", "sha256:0f4ca02bea9a23221c0182836703cbf8930c5e9454bacce27e767509fa286a30",
"sha256:09c4b7f37d6c648cb13f9230d847adf22f8171b1ccc4d5682398e77f40309235", "sha256:1225beacc926f536dc82e45f8a4d68502949dc67eea90eab715dea3a21c1b5f0",
"sha256:1027c282dad077d0bae18be6794e6b6b8c91d58ed8a8d89a89d59693b9131db5", "sha256:131a3c7689c85f5ad20f9f6fb1b866f402c445b220c19fe4308c0b147ccd2ad9",
"sha256:13d3144e1e340870b25e7b10b98d779608c02016d5184cfb9927a9f10c689f42", "sha256:15ab75ef81add55874e7ab7055e9c397312385bd9ced94920f2802310c930396",
"sha256:24982cc2533820871eba85ba648cd53d8623687ff11cbb805be4ff7b4c971aff", "sha256:1a9d3f5f0901fdec14d8d2f66ef7d035f2157240a433441719ac9a3fba440b13",
"sha256:29872e92839765e546828bb7754a68c418d927cd064fd4708fab9fe9c8bb116b", "sha256:1c99d261bd2d5f6b59325c92c73df481e05e57f19837bdca8413b9eac4bd8028",
"sha256:43a55c2930bbc139570ac2452adf3d70cdbb3cfe5912c71cdce1c2c6bbd9c5d1", "sha256:1e084f686b92e5b83186b07e8a17fc09e38fff551f3602b249881fec658d3eca",
"sha256:46c99d2de99945ec5cb54f23c8cd5689f6d7177305ebff350a58ce5f8de1669e", "sha256:2181e67807fc2fa785d0592dc2d6206c019b9502410671cc905d132a92866557",
"sha256:500d4957e52ddc3351cabf489e79c91c17f6e0899158447047588650b5e69183", "sha256:2cb8438c3cbb25e220c2ab33bb226559e7afb3baec11c4f218ffa7308603c832",
"sha256:535f6fc4d397c1563d08b88e485c3496cf5784e927af890fb3c3aac7f933ec66", "sha256:3169b1eefae027567d1ce6ee7cae382c57fe26e82775f460f0b2778beaad66c0",
"sha256:596510de112c685489095da617b5bcbbac7dd6384aeebeda4df6025d0256a81b", "sha256:3809ede931876f5b2ec92eef964286840ed3540dadf803dd570c3b7e13141a3b",
"sha256:62fe6c95e3ec8a7fad637b7f3d372c15ec1caa01ab47926cfdf7a75b40e0eac1", "sha256:38a9ef736c01fccdd6600705b09dc574584b89bea478200c5fbf112a6b0d5579",
"sha256:6788b695d50a51edb699cb55e35487e430fa21f1ed838122d722e0ff0ac5ba15", "sha256:3d79d162e7be8f996986c064d1c7c817f6df3a77fe3d6859f6f9e7be4b8c213a",
"sha256:6dd73240d2af64df90aa7c4e7481e23825ea70af4b4922f8ede5b9e35f78a3b1", "sha256:444dcda765c8a838eaae23112db52f1efaf750daddb2d9ca300bcae1039adc5c",
"sha256:717ba8fe3ae9cc0006d7c451f0bb265ee07739daf76355d06366154ee68d221e", "sha256:48032821bbdf20f5799ff537c7ac3d1fba0ba032cfc06194faffa8cda8b560ff",
"sha256:79855e1c5b8da654cf486b830bd42c06e8780cea587384cf6545b7d9ac013a0b", "sha256:4aa4e5faecf353ed117801a068ebab7b7e09ffb6e1d5e412dc852e0da018126c",
"sha256:7c1699dfe0cf8ff607dbdcc1e9b9af1755371f92a68f706051cc8c37d447c905", "sha256:52305740fe773d09cffb16f8ed0427942901f00adedac82ec8b67752f58a1b22",
"sha256:88e5fcfb52ee7b911e8bb6d6aa2fd21fbecc674eadd44118a9cc3863f938e735", "sha256:569511d3b58c8791ab4c2e1285575265991e6d8f8700c7be0e88f86cb0672094",
"sha256:8defac2f2ccd6805ebf65f5eeb132adcf2ab57aa11fdf4c0dd5169a004710e7d", "sha256:57cb5a3cf367aeb1d316576250f65edec5bb3be939e9247ae594b4bcbc317dfb",
"sha256:98c7086708b163d425c67c7a91bad6e466bb99d797aa64f965e9d25c12111a5e", "sha256:5b02fb34468b6aaa40dfc198d813a641e3a63b98c2b05a16b9f80b7ec314185e",
"sha256:9add70b36c5666a2ed02b43b335fe19002ee5235efd4b8a89bfcf9005bebac0d", "sha256:6381026f158fdb7c72a168278597a5e3a5222e83ea18f543112b2662a9b699c5",
"sha256:9bf40443012702a1d2070043cb6291650a0841ece432556f784f004937f0f32c", "sha256:6af100e168aa82a50e186c82875a5893c5597a0c1ccdb0d8b40240b1f28b969a",
"sha256:ade5e387d2ad0d7ebf59146cc00c8044acbd863725f887353a10df825fc8ae21", "sha256:6c89876f41da747c8d3677a2b540fb32ef5715f97b66eeb0c6b66f5e3ef6f59d",
"sha256:b00c1de48212e4cc9603895652c5c410df699856a2853135b3967591e4beebc2", "sha256:6e296a513ca3d94054c2c881cc913116e90fd030ad1c656b3869762b754f5f8a",
"sha256:b1282f8c00509d99fef04d8ba936b156d419be841854fe901d8ae224c59f0be5", "sha256:70a87b411535ccad5ef2f1df5136506a10775d267e197e4cf531ced10537bd6b",
"sha256:b2051432115498d3562c084a49bba65d97cf251f5a331c64a12ee7e04dacc51b", "sha256:7e94c425039cde14257288fd61dcfb01963e658efbc0ff54f5306b06054700f8",
"sha256:ba59edeaa2fc6114428f1637ffff42da1e311e29382d81b339c1817d37ec93c6", "sha256:846ade7b71e3536c4e56b386c2a47adf5741d2d8b94ec9dc3e92e5e1ee1e2225",
"sha256:c8716a48d94b06bb3b2524c2b77e055fb313aeb4ea620c8dd03a105574ba704f", "sha256:88416bd1e65dcea10bc7569faacb2c20ce071dd1f87539ca2ab364bf6231393c",
"sha256:cd5df75523866410809ca100dc9681e301e3c27567cf498077e8551b6d20e42f", "sha256:88b49a3b9ff31e19998750c38e030fc7bb937398b1f78cfa599aaef92d693144",
"sha256:cdb132fc825c38e1aeec2c8aa9338310d29d337bebbd7baa06889d09a60a1fa2", "sha256:8c4e8c3ce11e1f92f6536ff07154f9d49677ebaaafc32db9db4620bc11ed480f",
"sha256:e249096428b3ae81b08327a63a485ad0878de3fb939049038579ac0ef61e17e7", "sha256:8e06879fc22a25ca47312fbe7c8264eb0b662f6db27cb2d3bbbc74b1df4b9b87",
"sha256:e8313f01ba26fbbe36c7be1966a7b7424942f670f38e666995b88d012765b9be" "sha256:9025b4018f3a1314059769c7bf15441064b2207cb3f065e6ea1e7359cb46db9d",
"sha256:93335ca3812df2f366e80509ae119189886b0f3c2b81325d39efdb84a1e2ae93",
"sha256:9778bd8ab0a994ebf6f84c2b949e65736d5575320a17ae8984a77fab08db94cf",
"sha256:9e2d922824181480953426608b81967de705c3cef4d1af983af849d7bd619158",
"sha256:a123e330ef0853c6e822384873bef7507557d8e4a082961e1defa947aa59ba84",
"sha256:a904af0a6162c73e3edcb969eeeb53a63ceeb5d8cf642fade7d39e7963a22ddb",
"sha256:ad10d3ded218f1039f11a75f8091880239651b52e9bb592ca27de44eed242a48",
"sha256:b424c77b206d63d500bcb69fa55ed8d0e6a3774056bdc4839fc9298a7edca171",
"sha256:b5a6b3ada725cea8a5e634536b1b01c30bcdcd7f9c6fff4151548d5bf6b3a36c",
"sha256:ba8062ed2cf21c07a9e295d5b8a2a5ce678b913b45fdf68c32d95d6c1291e0b6",
"sha256:ba9527cdd4c926ed0760bc301f6728ef34d841f405abf9d4f959c478421e4efd",
"sha256:bbcb445fa71794da8f178f0f6d66789a28d7319071af7a496d4d507ed566270d",
"sha256:bcf3e58998965654fdaff38e58584d8937aa3096ab5354d493c77d1fdd66d7a1",
"sha256:c0ef13eaeee5b615fb07c9a7dadb38eac06a0608b41570d8ade51c56539e509d",
"sha256:cabc348d87e913db6ab4aa100f01b08f481097838bdddf7c7a84b7575b7309ca",
"sha256:cdb82a876c47801bb54a690c5ae105a46b392ac6099881cdfb9f6e95e4014c6a",
"sha256:cfad01eed2c2e0c01fd0ecd2ef42c492f7f93902e39a42fc9ee1692961443a29",
"sha256:d16a81a06776313e817c951135cf7340a3e91e8c1ff2fac444cfd75fffa04afe",
"sha256:d8213e09c917a951de9d09ecee036d5c7d36cb6cb7dbaece4c71a60d79fb9798",
"sha256:e07c3764494e3776c602c1e78e298937c3315ccc9043ead7e685b7f2b8d47b3c",
"sha256:e17c96c14e19278594aa4841ec148115f9c7615a47382ecb6b82bd8fea3ab0c8",
"sha256:e444a31f8db13eb18ada366ab3cf45fd4b31e4db1236a4448f68778c1d1a5a2f",
"sha256:e6a2a455bd412959b57a172ce6328d2dd1f01cb2135efda2e4576e8a23fa3b0f",
"sha256:eaa0a10b7f72326f1372a713e73c3f739b524b3af41feb43e4921cb529f5929a",
"sha256:eb7972a85c54febfb25b5c4b4f3af4dcc731994c7da0d8a0b4a6eb0640e1d178",
"sha256:ee55d3edf80167e48ea11a923c7386f4669df67d7994554387f84e7d8b0a2bf0",
"sha256:f3818cb119498c0678015754eba762e0d61e5b52d34c8b13d770f0719f7b1d79",
"sha256:f8b3d067f2e40fe93e1ccdd6b2e1d16c43140e76f02fb1319a05cf2b79d99430",
"sha256:fcabf5ff6eea076f859677f5f0b6b5c1a51e70a376b0579e0eadef8db48c6b50"
], ],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", "markers": "python_version >= '3.9'",
"version": "==1.1.1" "version": "==3.0.2"
},
"mypy-extensions": {
"hashes": [
"sha256:1be4cccdb0f2482337c4743e60421de3a356cd97508abadd57d47403e94f5505",
"sha256:52e68efc3284861e772bbcd66823fde5ae21fd2fdb51c62a211403730b916558"
],
"markers": "python_version >= '3.8'",
"version": "==1.1.0"
}, },
"packaging": { "packaging": {
"hashes": [ "hashes": [
"sha256:24e0da08660a87484d1602c30bb4902d74816b6985b93de36926f5bc95741858", "sha256:29572ef2b1f17581046b3a2227d5c611fb25ec70ca1ba8554b24b0e69331a484",
"sha256:78598185a7008a470d64526a8059de9aaa449238f280fc9eb6b13ba6c4109093" "sha256:d443872c98d677bf60f6a1f2f8c1cb748e8fe762d2bf9d3148b5599295b0fc4f"
], ],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", "markers": "python_version >= '3.8'",
"version": "==20.8" "version": "==25.0"
},
"pathspec": {
"hashes": [
"sha256:a0d503e138a4c123b27490a4f7beda6a01c6f288df0e4a8b79c7eb0dc7b4cc08",
"sha256:a482d51503a1ab33b1c67a6c3813a26953dbdc71c31dacaef9a838c4e29f5712"
],
"markers": "python_version >= '3.8'",
"version": "==0.12.1"
},
"platformdirs": {
"hashes": [
"sha256:3d512d96e16bcb959a814c9f348431070822a6496326a4be0911c40b5a74c2bc",
"sha256:ff7059bb7eb1179e2685604f4aaf157cfd9535242bd23742eadc3c13542139b4"
],
"markers": "python_version >= '3.9'",
"version": "==4.3.8"
}, },
"pycparser": { "pycparser": {
"hashes": [ "hashes": [
"sha256:2d475327684562c3a96cc71adf7dc8c4f0565175cf86b6d7a404ff4c771f15f0", "sha256:491c8be9c040f5390f5bf44a5b07752bd07f56edf992381b05c701439eec10f6",
"sha256:7582ad22678f0fcd81102833f60ef8d0e57288b6b5fb00323d101be910e35705" "sha256:c3702b6d3dd8c7abc1afa565d7e63d53a1d0bd86cdc24edd75470f4de499cfcc"
], ],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", "markers": "python_version >= '3.8'",
"version": "==2.20" "version": "==2.22"
},
"pyparsing": {
"hashes": [
"sha256:c203ec8783bf771a155b207279b9bccb8dea02d8f0c9e5f8ead507bc3246ecc1",
"sha256:ef9d7589ef3c200abe66653d3f1ab1033c3c419ae9b9bdb1240a85b024efc88b"
],
"markers": "python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==2.4.7"
}, },
"pyyaml": { "pyyaml": {
"hashes": [ "hashes": [
"sha256:06a0d7ba600ce0b2d2fe2e78453a470b5a6e000a985dd4a4e54e436cc36b0e97", "sha256:01179a4a8559ab5de078078f37e5c1a30d76bb88519906844fd7bdea1b7729ff",
"sha256:240097ff019d7c70a4922b6869d8a86407758333f02203e0fc6ff79c5dcede76", "sha256:0833f8694549e586547b576dcfaba4a6b55b9e96098b36cdc7ebefe667dfed48",
"sha256:4f4b913ca1a7319b33cfb1369e91e50354d6f07a135f3b901aca02aa95940bd2", "sha256:0a9a2848a5b7feac301353437eb7d5957887edbf81d56e903999a75a3d743086",
"sha256:6034f55dab5fea9e53f436aa68fa3ace2634918e8b5994d82f3621c04ff5ed2e", "sha256:0b69e4ce7a131fe56b7e4d770c67429700908fc0752af059838b1cfb41960e4e",
"sha256:69f00dca373f240f842b2931fb2c7e14ddbacd1397d57157a9b005a6a9942648", "sha256:0ffe8360bab4910ef1b9e87fb812d8bc0a308b0d0eef8c8f44e0254ab3b07133",
"sha256:73f099454b799e05e5ab51423c7bcf361c58d3206fa7b0d555426b1f4d9a3eaf", "sha256:11d8f3dd2b9c1207dcaf2ee0bbbfd5991f571186ec9cc78427ba5bd32afae4b5",
"sha256:74809a57b329d6cc0fdccee6318f44b9b8649961fa73144a98735b0aaf029f1f", "sha256:17e311b6c678207928d649faa7cb0d7b4c26a0ba73d41e99c4fff6b6c3276484",
"sha256:7739fc0fa8205b3ee8808aea45e968bc90082c10aef6ea95e855e10abf4a37b2", "sha256:1e2120ef853f59c7419231f3bf4e7021f1b936f6ebd222406c3b60212205d2ee",
"sha256:95f71d2af0ff4227885f7a6605c37fd53d3a106fcab511b8860ecca9fcf400ee", "sha256:1f71ea527786de97d1a0cc0eacd1defc0985dcf6b3f17bb77dcfc8c34bec4dc5",
"sha256:ad9c67312c84def58f3c04504727ca879cb0013b2517c85a9a253f0cb6380c0a", "sha256:23502f431948090f597378482b4812b0caae32c22213aecf3b55325e049a6c68",
"sha256:b8eac752c5e14d3eca0e6dd9199cd627518cb5ec06add0de9d32baeee6fe645d", "sha256:24471b829b3bf607e04e88d79542a9d48bb037c2267d7927a874e6c205ca7e9a",
"sha256:cc8955cfbfc7a115fa81d85284ee61147059a753344bc51098f3ccd69b0d7e0c", "sha256:29717114e51c84ddfba879543fb232a6ed60086602313ca38cce623c1d62cfbf",
"sha256:d13155f591e6fcc1ec3b30685d50bf0711574e2c0dfffd7644babf8b5102ca1a" "sha256:2e99c6826ffa974fe6e27cdb5ed0021786b03fc98e5ee3c5bfe1fd5015f42b99",
"sha256:39693e1f8320ae4f43943590b49779ffb98acb81f788220ea932a6b6c51004d8",
"sha256:3ad2a3decf9aaba3d29c8f537ac4b243e36bef957511b4766cb0057d32b0be85",
"sha256:3b1fdb9dc17f5a7677423d508ab4f243a726dea51fa5e70992e59a7411c89d19",
"sha256:41e4e3953a79407c794916fa277a82531dd93aad34e29c2a514c2c0c5fe971cc",
"sha256:43fa96a3ca0d6b1812e01ced1044a003533c47f6ee8aca31724f78e93ccc089a",
"sha256:50187695423ffe49e2deacb8cd10510bc361faac997de9efef88badc3bb9e2d1",
"sha256:5ac9328ec4831237bec75defaf839f7d4564be1e6b25ac710bd1a96321cc8317",
"sha256:5d225db5a45f21e78dd9358e58a98702a0302f2659a3c6cd320564b75b86f47c",
"sha256:6395c297d42274772abc367baaa79683958044e5d3835486c16da75d2a694631",
"sha256:688ba32a1cffef67fd2e9398a2efebaea461578b0923624778664cc1c914db5d",
"sha256:68ccc6023a3400877818152ad9a1033e3db8625d899c72eacb5a668902e4d652",
"sha256:70b189594dbe54f75ab3a1acec5f1e3faa7e8cf2f1e08d9b561cb41b845f69d5",
"sha256:797b4f722ffa07cc8d62053e4cff1486fa6dc094105d13fea7b1de7d8bf71c9e",
"sha256:7c36280e6fb8385e520936c3cb3b8042851904eba0e58d277dca80a5cfed590b",
"sha256:7e7401d0de89a9a855c839bc697c079a4af81cf878373abd7dc625847d25cbd8",
"sha256:80bab7bfc629882493af4aa31a4cfa43a4c57c83813253626916b8c7ada83476",
"sha256:82d09873e40955485746739bcb8b4586983670466c23382c19cffecbf1fd8706",
"sha256:8388ee1976c416731879ac16da0aff3f63b286ffdd57cdeb95f3f2e085687563",
"sha256:8824b5a04a04a047e72eea5cec3bc266db09e35de6bdfe34c9436ac5ee27d237",
"sha256:8b9c7197f7cb2738065c481a0461e50ad02f18c78cd75775628afb4d7137fb3b",
"sha256:9056c1ecd25795207ad294bcf39f2db3d845767be0ea6e6a34d856f006006083",
"sha256:936d68689298c36b53b29f23c6dbb74de12b4ac12ca6cfe0e047bedceea56180",
"sha256:9b22676e8097e9e22e36d6b7bda33190d0d400f345f23d4065d48f4ca7ae0425",
"sha256:a4d3091415f010369ae4ed1fc6b79def9416358877534caf6a0fdd2146c87a3e",
"sha256:a8786accb172bd8afb8be14490a16625cbc387036876ab6ba70912730faf8e1f",
"sha256:a9f8c2e67970f13b16084e04f134610fd1d374bf477b17ec1599185cf611d725",
"sha256:bc2fa7c6b47d6bc618dd7fb02ef6fdedb1090ec036abab80d4681424b84c1183",
"sha256:c70c95198c015b85feafc136515252a261a84561b7b1d51e3384e0655ddf25ab",
"sha256:cc1c1159b3d456576af7a3e4d1ba7e6924cb39de8f67111c735f6fc832082774",
"sha256:ce826d6ef20b1bc864f0a68340c8b3287705cae2f8b4b1d932177dcc76721725",
"sha256:d584d9ec91ad65861cc08d42e834324ef890a082e591037abe114850ff7bbc3e",
"sha256:d7fded462629cfa4b685c5416b949ebad6cec74af5e2d42905d41e257e0869f5",
"sha256:d84a1718ee396f54f3a086ea0a66d8e552b2ab2017ef8b420e92edbc841c352d",
"sha256:d8e03406cac8513435335dbab54c0d385e4a49e4945d2909a581c83647ca0290",
"sha256:e10ce637b18caea04431ce14fabcf5c64a1c61ec9c56b071a4b7ca131ca52d44",
"sha256:ec031d5d2feb36d1d1a24380e4db6d43695f3748343d99434e6f5f9156aaa2ed",
"sha256:ef6107725bd54b262d6dedcc2af448a266975032bc85ef0172c5f059da6325b4",
"sha256:efdca5630322a10774e8e98e1af481aad470dd62c3170801852d752aa7a783ba",
"sha256:f753120cb8181e736c57ef7636e83f31b9c0d1722c516f7e86cf15b7aa57ff12",
"sha256:ff3824dc5261f50c9b0dfb3be22b4567a6f938ccce4587b38952d85fd9e9afe4"
], ],
"version": "==5.3.1" "markers": "python_version >= '3.8'",
"version": "==6.0.2"
}, },
"six": { "referencing": {
"hashes": [ "hashes": [
"sha256:30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259", "sha256:df2e89862cd09deabbdba16944cc3f10feb6b3e6f18e902f7cc25609a34775aa",
"sha256:8b74bedcbbbaca38ff6d7491d76f2b06b3592611af620f8426e82dddb04a5ced" "sha256:e8699adbbf8b5c7de96d8ffa0eb5c158b3beafce084968e2ea8bb08c6794dcd0"
], ],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", "markers": "python_version >= '3.9'",
"version": "==1.15.0" "version": "==0.36.2"
},
"resolvelib": {
"hashes": [
"sha256:04ce76cbd63fded2078ce224785da6ecd42b9564b1390793f64ddecbe997b309",
"sha256:d2da45d1a8dfee81bdd591647783e340ef3bcb104b54c383f70d422ef5cc7dbf"
],
"version": "==1.0.1"
},
"rpds-py": {
"hashes": [
"sha256:0919f38f5542c0a87e7b4afcafab6fd2c15386632d249e9a087498571250abe3",
"sha256:093d63b4b0f52d98ebae33b8c50900d3d67e0666094b1be7a12fffd7f65de74b",
"sha256:0a0b60701f2300c81b2ac88a5fb893ccfa408e1c4a555a77f908a2596eb875a5",
"sha256:0c71c2f6bf36e61ee5c47b2b9b5d47e4d1baad6426bfed9eea3e858fc6ee8806",
"sha256:0dc23bbb3e06ec1ea72d515fb572c1fea59695aefbffb106501138762e1e915e",
"sha256:0dfa6115c6def37905344d56fb54c03afc49104e2ca473d5dedec0f6606913b4",
"sha256:12bff2ad9447188377f1b2794772f91fe68bb4bbfa5a39d7941fbebdbf8c500f",
"sha256:1533b7eb683fb5f38c1d68a3c78f5fdd8f1412fa6b9bf03b40f450785a0ab915",
"sha256:1766b5724c3f779317d5321664a343c07773c8c5fd1532e4039e6cc7d1a815be",
"sha256:181ef9b6bbf9845a264f9aa45c31836e9f3c1f13be565d0d010e964c661d1e2b",
"sha256:183f857a53bcf4b1b42ef0f57ca553ab56bdd170e49d8091e96c51c3d69ca696",
"sha256:191aa858f7d4902e975d4cf2f2d9243816c91e9605070aeb09c0a800d187e323",
"sha256:1a8b0dd8648709b62d9372fc00a57466f5fdeefed666afe3fea5a6c9539a0331",
"sha256:1c962145c7473723df9722ba4c058de12eb5ebedcb4e27e7d902920aa3831ee8",
"sha256:1cc81d14ddfa53d7f3906694d35d54d9d3f850ef8e4e99ee68bc0d1e5fed9a9c",
"sha256:1d815d48b1804ed7867b539236b6dd62997850ca1c91cad187f2ddb1b7bbef19",
"sha256:1e6c15d2080a63aaed876e228efe4f814bc7889c63b1e112ad46fdc8b368b9e1",
"sha256:20ab1ae4fa534f73647aad289003f1104092890849e0266271351922ed5574f8",
"sha256:20dae58a859b0906f0685642e591056f1e787f3a8b39c8e8749a45dc7d26bdb0",
"sha256:238e8c8610cb7c29460e37184f6799547f7e09e6a9bdbdab4e8edb90986a2318",
"sha256:24a4146ccb15be237fdef10f331c568e1b0e505f8c8c9ed5d67759dac58ac246",
"sha256:257d011919f133a4746958257f2c75238e3ff54255acd5e3e11f3ff41fd14256",
"sha256:2a343f91b17097c546b93f7999976fd6c9d5900617aa848c81d794e062ab302b",
"sha256:2abe21d8ba64cded53a2a677e149ceb76dcf44284202d737178afe7ba540c1eb",
"sha256:2c03c9b0c64afd0320ae57de4c982801271c0c211aa2d37f3003ff5feb75bb04",
"sha256:2c9c1b92b774b2e68d11193dc39620d62fd8ab33f0a3c77ecdabe19c179cdbc1",
"sha256:3021933c2cb7def39d927b9862292e0f4c75a13d7de70eb0ab06efed4c508c19",
"sha256:3100b3090269f3a7ea727b06a6080d4eb7439dca4c0e91a07c5d133bb1727ea7",
"sha256:313cfcd6af1a55a286a3c9a25f64af6d0e46cf60bc5798f1db152d97a216ff6f",
"sha256:35e9a70a0f335371275cdcd08bc5b8051ac494dd58bff3bbfb421038220dc871",
"sha256:38721d4c9edd3eb6670437d8d5e2070063f305bfa2d5aa4278c51cedcd508a84",
"sha256:390e3170babf42462739a93321e657444f0862c6d722a291accc46f9d21ed04e",
"sha256:39bfea47c375f379d8e87ab4bb9eb2c836e4f2069f0f65731d85e55d74666387",
"sha256:3ac51b65e8dc76cf4949419c54c5528adb24fc721df722fd452e5fbc236f5c40",
"sha256:3c0909c5234543ada2515c05dc08595b08d621ba919629e94427e8e03539c958",
"sha256:3da5852aad63fa0c6f836f3359647870e21ea96cf433eb393ffa45263a170d44",
"sha256:3e1157659470aa42a75448b6e943c895be8c70531c43cb78b9ba990778955582",
"sha256:4019a9d473c708cf2f16415688ef0b4639e07abaa569d72f74745bbeffafa2c7",
"sha256:43f10b007033f359bc3fa9cd5e6c1e76723f056ffa9a6b5c117cc35720a80292",
"sha256:49028aa684c144ea502a8e847d23aed5e4c2ef7cadfa7d5eaafcb40864844b7a",
"sha256:4916dc96489616a6f9667e7526af8fa693c0fdb4f3acb0e5d9f4400eb06a47ba",
"sha256:4a59e5bc386de021f56337f757301b337d7ab58baa40174fb150accd480bc953",
"sha256:4b1f66eb81eab2e0ff5775a3a312e5e2e16bf758f7b06be82fb0d04078c7ac51",
"sha256:4c5fe114a6dd480a510b6d3661d09d67d1622c4bf20660a474507aaee7eeeee9",
"sha256:4c70c70f9169692b36307a95f3d8c0a9fcd79f7b4a383aad5eaa0e9718b79b37",
"sha256:4d11382bcaf12f80b51d790dee295c56a159633a8e81e6323b16e55d81ae37e9",
"sha256:4f01a5d6444a3258b00dc07b6ea4733e26f8072b788bef750baa37b370266137",
"sha256:4f789e32fa1fb6a7bf890e0124e7b42d1e60d28ebff57fe806719abb75f0e9a3",
"sha256:4feb7511c29f8442cbbc28149a92093d32e815a28aa2c50d333826ad2a20fdf0",
"sha256:511d15193cbe013619dd05414c35a7dedf2088fcee93c6bbb7c77859765bd4e8",
"sha256:519067e29f67b5c90e64fb1a6b6e9d2ec0ba28705c51956637bac23a2f4ddae1",
"sha256:521ccf56f45bb3a791182dc6b88ae5f8fa079dd705ee42138c76deb1238e554e",
"sha256:529c8156d7506fba5740e05da8795688f87119cce330c244519cf706a4a3d618",
"sha256:582462833ba7cee52e968b0341b85e392ae53d44c0f9af6a5927c80e539a8b67",
"sha256:5963b72ccd199ade6ee493723d18a3f21ba7d5b957017607f815788cef50eaf1",
"sha256:59b2093224a18c6508d95cfdeba8db9cbfd6f3494e94793b58972933fcee4c6d",
"sha256:5afaddaa8e8c7f1f7b4c5c725c0070b6eed0228f705b90a1732a48e84350f4e9",
"sha256:5afea17ab3a126006dc2f293b14ffc7ef3c85336cf451564a0515ed7648033da",
"sha256:5e09330b21d98adc8ccb2dbb9fc6cb434e8908d4c119aeaa772cb1caab5440a0",
"sha256:6188de70e190847bb6db3dc3981cbadff87d27d6fe9b4f0e18726d55795cee9b",
"sha256:68ffcf982715f5b5b7686bdd349ff75d422e8f22551000c24b30eaa1b7f7ae84",
"sha256:696764a5be111b036256c0b18cd29783fab22154690fc698062fc1b0084b511d",
"sha256:69a607203441e07e9a8a529cff1d5b73f6a160f22db1097211e6212a68567d11",
"sha256:69b312fecc1d017b5327afa81d4da1480f51c68810963a7336d92203dbb3d4f1",
"sha256:69f0c0a3df7fd3a7eec50a00396104bb9a843ea6d45fcc31c2d5243446ffd7a7",
"sha256:6a1cb5d6ce81379401bbb7f6dbe3d56de537fb8235979843f0d53bc2e9815a79",
"sha256:6d3498ad0df07d81112aa6ec6c95a7e7b1ae00929fb73e7ebee0f3faaeabad2f",
"sha256:72a8d9564a717ee291f554eeb4bfeafe2309d5ec0aa6c475170bdab0f9ee8e88",
"sha256:777c62479d12395bfb932944e61e915741e364c843afc3196b694db3d669fcd0",
"sha256:77a7711fa562ba2da1aa757e11024ad6d93bad6ad7ede5afb9af144623e5f76a",
"sha256:79061ba1a11b6a12743a2b0f72a46aa2758613d454aa6ba4f5a265cc48850158",
"sha256:7a48af25d9b3c15684059d0d1fc0bc30e8eee5ca521030e2bffddcab5be40226",
"sha256:7ab504c4d654e4a29558eaa5bb8cea5fdc1703ea60a8099ffd9c758472cf913f",
"sha256:7bdb17009696214c3b66bb3590c6d62e14ac5935e53e929bcdbc5a495987a84f",
"sha256:7da84c2c74c0f5bc97d853d9e17bb83e2dcafcff0dc48286916001cc114379a1",
"sha256:801a71f70f9813e82d2513c9a96532551fce1e278ec0c64610992c49c04c2dad",
"sha256:824e6d3503ab990d7090768e4dfd9e840837bae057f212ff9f4f05ec6d1975e7",
"sha256:82b165b07f416bdccf5c84546a484cc8f15137ca38325403864bfdf2b5b72f6a",
"sha256:84cfbd4d4d2cdeb2be61a057a258d26b22877266dd905809e94172dff01a42ae",
"sha256:84d142d2d6cf9b31c12aa4878d82ed3b2324226270b89b676ac62ccd7df52d08",
"sha256:87a5531de9f71aceb8af041d72fc4cab4943648d91875ed56d2e629bef6d4c03",
"sha256:893b022bfbdf26d7bedb083efeea624e8550ca6eb98bf7fea30211ce95b9201a",
"sha256:894514d47e012e794f1350f076c427d2347ebf82f9b958d554d12819849a369d",
"sha256:8a7898b6ca3b7d6659e55cdac825a2e58c638cbf335cde41f4619e290dd0ad11",
"sha256:8ad7fd2258228bf288f2331f0a6148ad0186b2e3643055ed0db30990e59817a6",
"sha256:92c8db839367ef16a662478f0a2fe13e15f2227da3c1430a782ad0f6ee009ec9",
"sha256:941c1cfdf4799d623cf3aa1d326a6b4fdb7a5799ee2687f3516738216d2262fb",
"sha256:9bc596b30f86dc6f0929499c9e574601679d0341a0108c25b9b358a042f51bca",
"sha256:9c55b0a669976cf258afd718de3d9ad1b7d1fe0a91cd1ab36f38b03d4d4aeaaf",
"sha256:9da4e873860ad5bab3291438525cae80169daecbfafe5657f7f5fb4d6b3f96b9",
"sha256:9def736773fd56b305c0eef698be5192c77bfa30d55a0e5885f80126c4831a15",
"sha256:9dfbe56b299cf5875b68eb6f0ebaadc9cac520a1989cac0db0765abfb3709c19",
"sha256:9e851920caab2dbcae311fd28f4313c6953993893eb5c1bb367ec69d9a39e7ed",
"sha256:9e8cb77286025bdb21be2941d64ac6ca016130bfdcd228739e8ab137eb4406ed",
"sha256:a547e21c5610b7e9093d870be50682a6a6cf180d6da0f42c47c306073bfdbbf6",
"sha256:a90a13408a7a856b87be8a9f008fff53c5080eea4e4180f6c2e546e4a972fb5d",
"sha256:a9a63785467b2d73635957d32a4f6e73d5e4df497a16a6392fa066b753e87387",
"sha256:aa81873e2c8c5aa616ab8e017a481a96742fdf9313c40f14338ca7dbf50cb55f",
"sha256:ac64f4b2bdb4ea622175c9ab7cf09444e412e22c0e02e906978b3b488af5fde8",
"sha256:aea1f9741b603a8d8fedb0ed5502c2bc0accbc51f43e2ad1337fe7259c2b77a5",
"sha256:b0afb8cdd034150d4d9f53926226ed27ad15b7f465e93d7468caaf5eafae0d37",
"sha256:b37a04d9f52cb76b6b78f35109b513f6519efb481d8ca4c321f6a3b9580b3f45",
"sha256:b5f7a446ddaf6ca0fad9a5535b56fbfc29998bf0e0b450d174bbec0d600e1d72",
"sha256:b6d9e5a2ed9c4988c8f9b28b3bc0e3e5b1aaa10c28d210a594ff3a8c02742daf",
"sha256:b6e2c12160c72aeda9d1283e612f68804621f448145a210f1bf1d79151c47090",
"sha256:b818a592bd69bfe437ee8368603d4a2d928c34cffcdf77c2e761a759ffd17d20",
"sha256:c1851f429b822831bd2edcbe0cfd12ee9ea77868f8d3daf267b189371671c80e",
"sha256:c1fb0cda2abcc0ac62f64e2ea4b4e64c57dfd6b885e693095460c61bde7bb18e",
"sha256:c5ab0ee51f560d179b057555b4f601b7df909ed31312d301b99f8b9fc6028284",
"sha256:c70d9ec912802ecfd6cd390dadb34a9578b04f9bcb8e863d0a7598ba5e9e7ccc",
"sha256:c741107203954f6fc34d3066d213d0a0c40f7bb5aafd698fb39888af277c70d8",
"sha256:ca3f059f4ba485d90c8dc75cb5ca897e15325e4e609812ce57f896607c1c0867",
"sha256:caf51943715b12af827696ec395bfa68f090a4c1a1d2509eb4e2cb69abbbdb33",
"sha256:cb28c1f569f8d33b2b5dcd05d0e6ef7005d8639c54c2f0be824f05aedf715255",
"sha256:cdad4ea3b4513b475e027be79e5a0ceac8ee1c113a1a11e5edc3c30c29f964d8",
"sha256:cf47cfdabc2194a669dcf7a8dbba62e37a04c5041d2125fae0233b720da6f05c",
"sha256:d04cab0a54b9dba4d278fe955a1390da3cf71f57feb78ddc7cb67cbe0bd30323",
"sha256:d422b945683e409000c888e384546dbab9009bb92f7c0b456e217988cf316107",
"sha256:d80bf832ac7b1920ee29a426cdca335f96a2b5caa839811803e999b41ba9030d",
"sha256:da619979df60a940cd434084355c514c25cf8eb4cf9a508510682f6c851a4f7a",
"sha256:dafd4c44b74aa4bed4b250f1aed165b8ef5de743bcca3b88fc9619b6087093d2",
"sha256:dca83c498b4650a91efcf7b88d669b170256bf8017a5db6f3e06c2bf031f57e0",
"sha256:de2713f48c1ad57f89ac25b3cb7daed2156d8e822cf0eca9b96a6f990718cc41",
"sha256:de4ed93a8c91debfd5a047be327b7cc8b0cc6afe32a716bbbc4aedca9e2a83af",
"sha256:df52098cde6d5e02fa75c1f6244f07971773adb4a26625edd5c18fee906fa84d",
"sha256:dfbf280da5f876d0b00c81f26bedce274e72a678c28845453885a9b3c22ae632",
"sha256:e3730a48e5622e598293eee0762b09cff34dd3f271530f47b0894891281f051d",
"sha256:e5162afc9e0d1f9cae3b577d9c29ddbab3505ab39012cb794d94a005825bde21",
"sha256:e5d524d68a474a9688336045bbf76cb0def88549c1b2ad9dbfec1fb7cfbe9170",
"sha256:e99685fc95d386da368013e7fb4269dd39c30d99f812a8372d62f244f662709c",
"sha256:ea89a2458a1a75f87caabefe789c87539ea4e43b40f18cff526052e35bbb4fdf",
"sha256:ec671691e72dff75817386aa02d81e708b5a7ec0dec6669ec05213ff6b77e1bd",
"sha256:eed5ac260dd545fbc20da5f4f15e7efe36a55e0e7cf706e4ec005b491a9546a0",
"sha256:f14440b9573a6f76b4ee4770c13f0b5921f71dde3b6fcb8dabbefd13b7fe05d7",
"sha256:f405c93675d8d4c5ac87364bb38d06c988e11028a64b52a47158a355079661f3",
"sha256:f53ec51f9d24e9638a40cabb95078ade8c99251945dad8d57bf4aabe86ecee35",
"sha256:f61a9326f80ca59214d1cceb0a09bb2ece5b2563d4e0cd37bfd5515c28510674",
"sha256:f7bf2496fa563c046d05e4d232d7b7fd61346e2402052064b773e5c378bf6f73",
"sha256:fbaa70553ca116c77717f513e08815aec458e6b69a028d4028d403b3bc84ff37",
"sha256:fc3e55a7db08dc9a6ed5fb7103019d2c1a38a349ac41901f9f66d7f95750942f",
"sha256:fc921b96fa95a097add244da36a1d9e4f3039160d1d30f1b35837bf108c21136",
"sha256:fd0641abca296bc1a00183fe44f7fced8807ed49d501f188faa642d0e4975b83",
"sha256:feac1045b3327a45944e7dcbeb57530339f6b17baff154df51ef8b0da34c8c12",
"sha256:ff110acded3c22c033e637dd8896e411c7d3a11289b2edf041f86663dbc791e9"
],
"markers": "python_version >= '3.9'",
"version": "==0.26.0"
},
"ruamel.yaml": {
"hashes": [
"sha256:710ff198bb53da66718c7db27eec4fbcc9aa6ca7204e4c1df2f282b6fe5eb6b2",
"sha256:7227b76aaec364df15936730efbf7d72b30c0b79b1d578bbb8e3dcb2d81f52b7"
],
"markers": "python_version >= '3.8'",
"version": "==0.18.14"
},
"ruamel.yaml.clib": {
"hashes": [
"sha256:040ae85536960525ea62868b642bdb0c2cc6021c9f9d507810c0c604e66f5a7b",
"sha256:0467c5965282c62203273b838ae77c0d29d7638c8a4e3a1c8bdd3602c10904e4",
"sha256:0b7e75b4965e1d4690e93021adfcecccbca7d61c7bddd8e22406ef2ff20d74ef",
"sha256:11f891336688faf5156a36293a9c362bdc7c88f03a8a027c2c1d8e0bcde998e5",
"sha256:1492a6051dab8d912fc2adeef0e8c72216b24d57bd896ea607cb90bb0c4981d3",
"sha256:20b0f8dc160ba83b6dcc0e256846e1a02d044e13f7ea74a3d1d56ede4e48c632",
"sha256:22353049ba4181685023b25b5b51a574bce33e7f51c759371a7422dcae5402a6",
"sha256:2c59aa6170b990d8d2719323e628aaf36f3bfbc1c26279c0eeeb24d05d2d11c7",
"sha256:32621c177bbf782ca5a18ba4d7af0f1082a3f6e517ac2a18b3974d4edf349680",
"sha256:3bc2a80e6420ca8b7d3590791e2dfc709c88ab9152c00eeb511c9875ce5778bf",
"sha256:3eac5a91891ceb88138c113f9db04f3cebdae277f5d44eaa3651a4f573e6a5da",
"sha256:4a6679521a58256a90b0d89e03992c15144c5f3858f40d7c18886023d7943db6",
"sha256:4c8c5d82f50bb53986a5e02d1b3092b03622c02c2eb78e29bec33fd9593bae1a",
"sha256:4f6f3eac23941b32afccc23081e1f50612bdbe4e982012ef4f5797986828cd01",
"sha256:5a0e060aace4c24dcaf71023bbd7d42674e3b230f7e7b97317baf1e953e5b519",
"sha256:6442cb36270b3afb1b4951f060eccca1ce49f3d087ca1ca4563a6eb479cb3de6",
"sha256:6c8fbb13ec503f99a91901ab46e0b07ae7941cd527393187039aec586fdfd36f",
"sha256:749c16fcc4a2b09f28843cda5a193e0283e47454b63ec4b81eaa2242f50e4ccd",
"sha256:7dd5adc8b930b12c8fc5b99e2d535a09889941aa0d0bd06f4749e9a9397c71d2",
"sha256:811ea1594b8a0fb466172c384267a4e5e367298af6b228931f273b111f17ef52",
"sha256:932205970b9f9991b34f55136be327501903f7c66830e9760a8ffb15b07f05cd",
"sha256:943f32bc9dedb3abff9879edc134901df92cfce2c3d5c9348f172f62eb2d771d",
"sha256:95c3829bb364fdb8e0332c9931ecf57d9be3519241323c5274bd82f709cebc0c",
"sha256:96777d473c05ee3e5e3c3e999f5d23c6f4ec5b0c38c098b3a5229085f74236c6",
"sha256:a274fb2cb086c7a3dea4322ec27f4cb5cc4b6298adb583ab0e211a4682f241eb",
"sha256:a52d48f4e7bf9005e8f0a89209bf9a73f7190ddf0489eee5eb51377385f59f2a",
"sha256:a606ef75a60ecf3d924613892cc603b154178ee25abb3055db5062da811fd969",
"sha256:ab007f2f5a87bd08ab1499bdf96f3d5c6ad4dcfa364884cb4549aa0154b13a28",
"sha256:b82a7c94a498853aa0b272fd5bc67f29008da798d4f93a2f9f289feb8426a58d",
"sha256:bb43a269eb827806502c7c8efb7ae7e9e9d0573257a46e8e952f4d4caba4f31e",
"sha256:bc5f1e1c28e966d61d2519f2a3d451ba989f9ea0f2307de7bc45baa526de9e45",
"sha256:bd0a08f0bab19093c54e18a14a10b4322e1eacc5217056f3c063bd2f59853ce4",
"sha256:beffaed67936fbbeffd10966a4eb53c402fafd3d6833770516bf7314bc6ffa12",
"sha256:bf165fef1f223beae7333275156ab2022cffe255dcc51c27f066b4370da81e31",
"sha256:cf12567a7b565cbf65d438dec6cfbe2917d3c1bdddfce84a9930b7d35ea59642",
"sha256:d84318609196d6bd6da0edfa25cedfbabd8dbde5140a0a23af29ad4b8f91fb1e",
"sha256:d85252669dc32f98ebcd5d36768f5d4faeaeaa2d655ac0473be490ecdae3c285",
"sha256:e143ada795c341b56de9418c58d028989093ee611aa27ffb9b7f609c00d813ed",
"sha256:e188d2699864c11c36cdfdada94d781fd5d6b0071cd9c427bceb08ad3d7c70e1",
"sha256:e2f1c3765db32be59d18ab3953f43ab62a761327aafc1594a2a1fbe038b8b8a7",
"sha256:e5b8daf27af0b90da7bb903a876477a9e6d7270be6146906b276605997c7e9a3",
"sha256:e7e3736715fbf53e9be2a79eb4db68e4ed857017344d697e8b9749444ae57475",
"sha256:e8c4ebfcfd57177b572e2040777b8abc537cdef58a2120e830124946aa9b42c5",
"sha256:f66efbc1caa63c088dead1c4170d148eabc9b80d95fb75b6c92ac0aad2437d76",
"sha256:fc4b630cd3fa2cf7fce38afa91d7cfe844a9f75d7f0f36393fa98815e911d987",
"sha256:fd5415dded15c3822597455bc02bcd66e81ef8b7a48cb71a33628fc9fdde39df"
],
"markers": "python_version >= '3.9'",
"version": "==0.2.12"
},
"subprocess-tee": {
"hashes": [
"sha256:21942e976715af4a19a526918adb03a8a27a8edab959f2d075b777e3d78f532d",
"sha256:91b2b4da3aae9a7088d84acaf2ea0abee3f4fd9c0d2eae69a9b9122a71476590"
],
"markers": "python_version >= '3.8'",
"version": "==0.4.2"
},
"wcmatch": {
"hashes": [
"sha256:5848ace7dbb0476e5e55ab63c6bbd529745089343427caa5537f230cc01beb8a",
"sha256:f11f94208c8c8484a16f4f48638a85d771d9513f4ab3f37595978801cb9465af"
],
"markers": "python_version >= '3.9'",
"version": "==10.1"
},
"yamllint": {
"hashes": [
"sha256:364f0d79e81409f591e323725e6a9f4504c8699ddf2d7263d8d2b539cd66a583",
"sha256:81f7c0c5559becc8049470d86046b36e96113637bcbe4753ecef06977c00245d"
],
"markers": "python_version >= '3.9'",
"version": "==1.37.1"
},
"zipp": {
"hashes": [
"sha256:071652d6115ed432f5ce1d34c336c0adfd6a884660d1e9712a256d3d3bd4b14e",
"sha256:a07157588a12518c9d4034df3fbbee09c814741a33ff63c05fa29d26a2404166"
],
"markers": "python_version >= '3.9'",
"version": "==3.23.0"
} }
}, },
"develop": {} "develop": {}

4
README.md
View File

@ -4,7 +4,7 @@ Ansible playbook for base and initial configuration of the web server hosting my
## Assumptions ## Assumptions
Before you can run this, a few things are assumed: Before you can run this, a few things are assumed:
- You have a clean, minimal Ubuntu 18.04, Debian 10, or Ubuntu 20.04 host up and running - You have a clean, minimal Debian 12 host up and running
- Python 3 is installed on the remote server (requirement of Ansible) - Python 3 is installed on the remote server (requirement of Ansible)
- You have a user account with password-less SSH access to the machine - You have a user account with password-less SSH access to the machine
- You have sudo privileges on the remote host - You have sudo privileges on the remote host
@ -25,7 +25,7 @@ Once you've satisfied the the above assumptions, you can execute:
- Switch from `cron-apt` to [`unattended-upgrades`](https://wiki.debian.org/UnattendedUpgrades) - Switch from `cron-apt` to [`unattended-upgrades`](https://wiki.debian.org/UnattendedUpgrades)
## License ## License
Copyright (C) 20142020 Alan Orth Copyright (C) 20142021 Alan Orth
The contents of this repository are free software: you can redistribute The contents of this repository are free software: you can redistribute
it and/or modify it under the terms of the GNU General Public License it and/or modify it under the terms of the GNU General Public License

7
ansible.cfg
View File

@ -2,9 +2,16 @@
retry_files_enabled=False retry_files_enabled=False
force_handlers=True force_handlers=True
inventory=hosts inventory=hosts
gathering = smart
# instead of using --ask-vault-pass # instead of using --ask-vault-pass
ask_vault_pass=True ask_vault_pass=True
remote_user = provisioning remote_user = provisioning
interpreter_python=auto
# Don't warn on unknown SSH host keys because it's super annoying for new hosts
# or if you get a new laptop and run Ansible there!
#
# See: https://docs.ansible.com/ansible/latest/user_guide/connection_details.html#managing-host-key-checking
host_key_checking = False
ansible_managed = This file is managed by Ansible.%n ansible_managed = This file is managed by Ansible.%n
template: {file} template: {file}

14
group_vars/web Normal file
View File

@ -0,0 +1,14 @@
---
# file: group_vars/web
# run nginx by default
webserver: nginx
# all hosts run fail2ban with the sshd filter, but some can use other filters
extra_fail2ban_filters:
- nginx
# root prefix for all web servers
web_root_prefix: /var/www
# vim: set ts=2 sw=2:

87
host_vars/nomad01
View File

@ -1,87 +0,0 @@
$ANSIBLE_VAULT;1.1;AES256
37356463383831623061363666396235346361663734326234323239633332383431656534636337
3238613566336363636235393535373330363562333135630a626531343430396666323139633833
37656533353537393335393966323637326335666134613633643330313334383237383736623637
6533343338396536640a376466633436643162393533646464343930346665616165613835373630
66353037653339633038353033316463393234313630646138636633643066653636343739383730
65343161306339343931323737336531646131363034343163366137616231363638313330343365
31663932343436313364326331373733373830646637313733323335306161626135616438656363
32623333646637633636316139613234613232393462306364633966666639623231643735663266
35396266313936326532383139346361626532323263633662373139363638303961616638636535
65343862623865386436643930353834323566356164386432373434336536363262356638313333
64626633353565303538353634626438363131633164636263643938386538323932346337343730
31336266343532306531626234323962353930343333656436356436343666336335633233386462
34623332393734633761303762306336656232326533313131316331326639376338393437363834
32663766633037316266373064376638643237343434356166613862383963633231353531646432
36393438653234326330316438333862396163383231623034383963336435393533393263653739
38373764373034313231373536653233666230333437626431383161346636376434383135393434
30353361343136663135356536316630643163613930306363343830323932393635343936396535
38366638353737336637356237646332353438303632396238356364343464323064373031656331
31346134323965646336666336303835326463656339356131613633336539613234653332353539
35613362653335663863626532363433663634393036373462663833636333646661643865353533
39376535313635373434633466643135323762613539366135376536653761303134303964343534
65333934396638373239646339343732623139303037336133363533653330383261383437393061
37336334363237333437633664313637366566396232336337303235366337616530333261356662
39666531653762326364353534623431333530653935316161383535663762636136316239336233
35373962623934633663656337306439616431316165666563336532373135323566386431303733
36313264323066653164346338653433393337623666646162383666303930613939396662373965
38653863623935336632666366373764383136376163663137313234663761343066336235626232
35303532376537643663653431323830623364623362346437396664386363396632646364666130
62663265363334383663626661363632646432393463373564396633393235353434636437623261
30323866636332356136396662363930613961613961343963313733343033616539316131323262
65666665663731636633623464353430623135373430313065626438396363366335363466316132
64353730383761386563353133396262366265343637643931643565386461303138613565303239
37646339316366316431663237653230346464643433376639356462643133643234386131613965
66333831663832326131343134633231636633373735333634663861393531633738366136356130
38653534666662303539353534636537343665366231346565376437313037646162663365666630
33366631653530326234326333623333346535343362666263376561333334633533356264393637
64633864616430653663366133343962376233656562643335633336326335626664653861323334
65653864323062616234343636633435396332636635653266353032623637356133383538383034
36383936666238333366386637313434656332626266346439346566666537623039323936303936
62353130663632636636623466326663623639313433353766346230383138323461643962666562
65646234346631613139393265666663663537323236383832373532393662643566636164653364
39636133613937393433636231626238386463376434666166643662313661663635356436636165
38333830313638643863373162636530346433613366613437643932383035643464363732663633
38633065366638656635356462393935383665386532633936366437333233316563366231393935
32393736343365383164346634326336373436386630386630616436373139646531353038333562
39646132643332373563613664303931633735656135376561646166343934396130343834653461
62343662386239313731336538393430316263333966306530616161633763306331633834323633
35633237333136366439376666636461356131663830323832646462653035643561396337633362
64323532663637323966663262353266316361353931333738323762656532343165626266653035
36353462306361383233303464353766323466393862313037386139326231656230343630616139
34626533323065646636643736323535356461623063663262656562333466666634376239356633
38373362363030346434316261643236363337663237323032623339393936303130393662666434
33386134386633623930376334333466666137356432636131373562306533333836353332316136
63653533336232336632353465373263363037313933663131633763343366663034353364373661
63333166306332663837313334623231653561363964306337353564326266353366343538366433
63383335336566366564333735383337353765613035383135616135653662346133333338303730
36303334623335613836333938646366376634353664633731666235346638346662656634393631
35396262323939393562306530323763353939363264666331373266363937653063366138636364
36623835383961336331303439613731633734343135323938306263363637616235336461333732
65303636623766313038356266363666316665343832623662643263623233356232333062333933
65373763376430366565363161333330376138313130363534623364653434616438363732643333
61336631653762613231373236613164623566663730396163383136366430353439346637623965
39356138633037313165333034633234353666646132656532386332393962626239383633383833
64396430343535346438623233326632663839336233316336383261346330353739633331396362
65643161396430646436376636613061656566623038633665623938656232633665633365613837
36386633313032306238373063346662333539313931366232323931613165343639666437386630
63343766633336346632393231303566323562373236656135366135376262613163646235646635
31356264393231353335363331663666623832643638653064366438373063623462333631663631
32356664663332356538636462383364633036303733393161366565393361363530626431623532
34303538653032313138373339663833613637356364376561316535643238356633356130376665
37643231333037626164663634383666323333316235353832333335393262366235613461623166
30343933643637656262613337313962666432656632323631353066353838373864383734646361
35393966646331633466316636326162343831393639383034396133383537313138646339646163
37363736613135326634363031626132326664343732646161623362373036323337623063653064
37373839396261653764626338393438643634666463336263346566653366336536376464643934
31366261353734383064346433363730623762636463613432373338356337656665376338353965
34353866343734633661633466313132663463323962653431316536643565666364386438336236
35376163313462383130366337653239623866663837666238346262636238623932333435623634
65333132373436353533333834653131656638336362623535613366346266653863326431666137
32613563316138333837333131663637346634663962616230623534383239616132623130646137
62613863626632323838343736633765393666336664313563316535346130333462353063656166
62376237663566396665366238323937343434363964653133393163343932353761353038373234
33303462613837653730646462643765396631656536353335353532663033663433613032623833
36656534646163353266316531343137626131316536396338666262336136653734613838333133
62663937346566626131323033313432333562633337326634623866656363393165363235386265
6332653639336330336135333865633662363738613565303766

127
host_vars/nomad02
View File

@ -1,127 +0,0 @@
$ANSIBLE_VAULT;1.1;AES256
35356461313263333464373365643730653766393437316133336138313761343130646131363861
3834623038366139376261326439633334393565346666650a323963393665366134386535316530
61316264343737383331663361353838656333623335393635393762303533313036373161393462
6664616164633039360a613766323932323266613166646635376333626333356364316233633931
37646436383339343938356164646262363032663063393038616535346139633435623265343762
33663036393761643861386538336665366537626464373931386535666237636439383133393636
31383938376331313531366237336463323563323134313037393435333239613663663234376239
62346163663061316666636138353962383336623133333030396534323033626632343561386466
30356266313566316565626562376364643238386561323165633730383262343638326337636264
35636264386262363264633833653265393962373435653639363733636562343238363931663031
63666135613437366166643130623034616636616632633838653464666130383365326434666234
32643164353766323131343137373438613663646635326338303934613065653466613036323961
38353034636434663061353138393130316432366539643937623935643834633964653630326564
31636563336138623433366536663632313863313435333531353865623066656631343032383937
65313535303563653762646261396366333737306331643037366433323030303265613638616164
36336338333837393235326539303964323261393039393533643538623634613432643532333863
66376166336662306564323433356330336662333433633061313266323638396165656665663965
38376465383662626633396366326466333436333338373361363039306539396337333061643264
37356562623130373765366331643332376337353065366561656261353131666533636466386432
31643438633464356464333065316139626166326164616666363666393562356239343637333030
39366231316462663265346464613333306336316163643131303235616432613565613733333466
33343036326435643736336465303861643739663536343965346433363231323065643733336634
63646133633037613964393935373161666161383862616333376638616336616537616363643661
36326665316332303537663935633431626533323838393638653661343665306332396130393866
66303231666533393132396538393963626132643366373539656437386663653261323465613366
39633964366362353866326562313834313266656265363161316261386638623737393034663665
66303966623830366431316432323863386332383362396534396166343238616534346335323761
31366164623465643331323330323736336337653230623362626230623365636364633261653765
38613566626537386134373133376139623062383736356634393739353665326164343131323833
31313038363663316636356431613032636131303964373564633462303735323364636131373033
30623336306663346639326638303930383466323938356163633964623565313261363139303238
31326666363164376261393062616339643039316163346362633865356433346636323664656262
65323565346137333338363864346437373261383936626531316330316539653339303464623462
32616635373631323465646632323732323432316332353033656339366639663732313939303733
37306130656662383237613361326161313039326561396538396333373362633365353130343963
35613833616635353266636265313766323635303764346236306664346432366632376132333034
65303235366137356634666138343232366533613966363030376537386162396638656637663932
66663939393737313634383430323339663634333533653265656163326637636635386163313333
38666236626131333139633834373534316638303364666135396361616130303061313431643936
64666134623666363937356334356134306463386466613365363136663136393833616430623836
65373663363664333766373136336636393663376535623532626632396665366436623661636665
62333961383034353664323333353766343939666636616539653236646634313333373639643765
32353161633665306463386633616131333130303139306134646134663865306463353838323565
39313538393034323065333031386634396261336131333763393466633335666238373663623564
38316633663536383730376532633830623939633662346636356632653031633335313732666663
33613133653666313564626261353730373637396137323964363866653964373838613130643337
32376165356236663332366566626639313038363138343061306438313435613862626564613830
61306262613262366539663338643962313066613665353063306537643561666462333763623866
30643230313334646535336662616137326437323438336361376562663361376230316362323235
65363630666464323638323761343033313763633866623361376636653631396263626239613764
64656163343435643838353033316364306134663833616231343831613338653330643466643630
62323039396231366136353432373732613465336163326132353731313765356163323866633736
35326665613165373339353165613036646665313065343432663563306664323163306535613338
31663138333639666133323139326339313733663334336637373866636661636538666630346233
31393364313433626565616661313265336165613534666232333835383963646433316632303533
62626134623830363533393833633439313034633965346163393932636464326664653335643833
35386332663736343766656232313031306534653434363164623530613232306531336561373534
37333763626135373538313561303737623035653832333533663534313035313530373037616634
30613937626664373333643735633164663930316235336663376132353338356333623431343535
37623138363937646665626535303463643330333233363136313134383939343535646539346363
61633966396234393961663735646634373266373264626635306162386632376262646336316266
36363166393332626533613736353038656266323263333036303964656662663436616532396665
64366638386164313466313630663138333066653061666362336661336539653339616234646538
30316334346162363065313438663865346434313564363863613532313637313430653439333962
34643039383030623564666230623264303338343564643961653531366463623166333661653630
38613062626464663963626233663837653533626532653239343065383036663162646261386535
36356231383263396365653639613664346361643666336463623136616330336161373336643535
36613530396266633861643530633732333436373966613437343736653537333531663466383438
64323064356262646133363463316639353630653766663731653030616461393139396265343033
31336662366465633264643065386432376435346236323565326562663161396435373762613839
36316365633937636330643837646335613262363734396261313633373731363466356632636532
37653036336665393733343832363739323739383730306635306666333566366663396230623433
64663338626239313265623838383933653539666666383633623939343461393036303230663562
35363232636635613739356536386439326537363965626261363962383231386532623565343662
61633931613131303836356366653030656333623235663266636535666632353666386666386630
36303134613262663335623330356639383432353133333137363665633565363037333136653933
64396230613837396435333835343265633638346232303738663764663032343061346539393135
63303064366130333030663739326331633762386332333162393631346234306363313737663261
31303437376339353634393438316139663862333530653339393030633932343765326435303530
30326566336361646563313433663063396338663661353832666561393437306131336465343332
63316533623362613062626337306530633833323132616662613366653566396136643936653435
33323938333666333439653037383335353763386132643362643361386232383964366237326538
32343061643462343265383234366465366232666434623634383132303138643333343663613039
65663339663030326364663561383833333432633437313232356265396532303735316234353565
39313532306437333238373064643238666632383166313832326662663762316165323936623239
62366239393530366666343866376566623863373333666266316334346138396566613263333539
38373438653663353537323961373434363735303838306262323330616538636333306366373663
62666462336331623761363036353331356632643664373665656332663530613931376666353261
64346531363265316439393633346334383439623338653334343739353464316436626635653139
39633232626463303463646162633131626538353232646663356335363663613234376338623539
30303765636635633331326337373334626664343063623130393438633863306531653631323763
63323661356362346536646430623864306135663766313833366165653066343439663064336331
33353135383830373831623463646461616665326139623565666464363961306461343361343665
30633331666533383161623130613963376266613533366334393262313730313630323836623162
33613637363431306632366230336537373732613337613830666635353632383834383465303261
39633334616561386163353661306564333632653731363434666562353561363462376563626563
63353666653637336666376138333966643237633434396561386164623435333836653238383261
30643331373138313062616532366265313831613938373865336435383564636266663462636461
63663230626532613130623566376437356337653564303033393737663735316130633234643163
30373264363331366435383837303762363531333335613738613463336139643333626239346232
31393631663861623330353536313731353332313135363436643161353435653865313666373639
37313734306461633338363033623535653066633135666463303261383366333266613830623138
37303963666139306632666537633137326434366231333435323335623130356332313165353733
37656238613138396635303765376666303631633034306133393639363662313066653062373638
63313961343932393964643538663863313664616164363264663438393639306161373539653265
34346535373939316563353437663066656439353161623337343935396463363231636262656565
61653766616238393030333837616631373736323837363136623337623539336661633533653663
37376530303630313861376261323231303464653666323237373466353037313230333861373366
61323964636235373030343462326166323533343266353236653138326639363664633066346239
66636439373262646536333134306363313531333437316536656337633764356339633933336131
64366565323438343864666462356232616263623530613631303265313861383135333562343263
39633938313435313266386538346132336638303938373964616535313035653063636435643538
31636134393930363635613733343538326637366661623833396531623832616238323637633866
35666266656465323830356432653839633763643430363431326632393664656464363238363364
64356132326561376330316434393765663661356466346463366538323439393531343632316134
65313436623664613230616562323138343831623033643338363839343837303334346361356433
63356163626432343733336531366333636466613863613438373662643266636134633934326432
31386634363161653965303230306336373434613232613237343836353061613533616237666462
35393935383431323764646465636563363633336463353064346631363531383061333135386161
64363366303262336464646232316231613332333732373932643562626534666634316565343164
39336436366163326137396236393034363162366634616233376465303063663330386137343733
65393231343634316365326663666532646162623633373530393563313861653638353932396137
38666161336432303666316263396538663665353334376637343762613262303062313932363831
65346637366163333233633562393535306263666330666636613363383939393035643132326162
35656130366237363136643938633931363731623662343536623136313436616265333138646239
3765356139356136346264386137316437303865646335643530

112
host_vars/web19
View File

@ -1,112 +0,0 @@
$ANSIBLE_VAULT;1.1;AES256
34636661633964333963313436313765666332666339336233356538653664643432383732356635
6137633362376666343931393930636336616335666161310a626439616637643531363739646536
34393135666639636161633566313264336363646666323963366331616362383436396462376631
6666356161386237370a633463353738626131353263353337376638353465383330393062336464
36633930623933616135653439626466653930336366666265313566653839346237333966353036
61376564656539326535393830373634343237663865326635363364663230356434376437356665
35633762663036623831373465363836646366616330633962383538393965333832366433363866
63333337356132323630656538666635333234343838306330646361623833353336326132643238
61383337373666313364656333326264633763633062636265396637656630373033363133663834
63656333313161666566333131333534306133653365636164656139313531623439373639363234
38636265613337323733323364373832656465653266363334306133613035393937333539643736
35363231663662366633373264663636333735643064316262646436616139643364616534316462
64383734326132663734383435653034663061393561313438363934313661613463346338616466
64616565623136316261366563356538313532336439373031646561336631633830323437303632
61333761663538333762333736323865376365333963346331313432633862363436366366643235
34653832666362643162643136656132336465643966336438316563643161636136343536653932
39626335376338313334663564363863646563336435343162623562653431663432306537616161
35623865343833343863336664383163636430396637346639653738613739333961613938633032
34396462313033323061353639643465386433613734313664663336613833323764653635336233
63646362323362643936313330636131346562323233393036323036656465656662353163386665
66333036396161356539346330306165613438386438623732636634353365303836373565396364
34393336626166613465353833613031656537383730623761653333313332356164356534313031
36376139383065313563303962313664636361376631383335343131336139303233326162306633
39393432303839613133363231336665353636366165333564313330663763303233343462646664
38653936383566623461386536333836353833303764393663393066363234336537613331623363
31353338323164666265613464643532663938363064626431383938393136396361653464643730
31663838343030313930396632306136646335306562326561353237636266326464663464633166
65306661346438626332343864646534336435653239623135346639303330313330333362353039
63613266636563616265333534346164333134316537356138323632666138336362356664613734
62356266376135353636343362336135623662376361343766663034363765376130613730386236
39343638303732613635376530633231376534643266333031653233656361353439303334313238
31353431323133666439663835346230333665326561383339616532373036346366653332663539
33343034653633303432343731376538646263336436323438303961663730666438333435343362
33616230643863313465363562393263323633666232653839356636313264353365633765613865
65643862366464383233346239653431383439303439353838333864653433353165383533393437
37616436376633313633383866363830303536326435656366613638653064376433393730396466
31613137366538643636303964373339383466373734636235393030333461366466373963373962
61663661663936366233613762353462656664326566333734383466316336623636383733616130
33653662626134356232373438653937646234356630393732393533653430386464313134393037
31633330663531343833313265666237616164383561363063643866633930656630663866313630
38383932393132366231333932663765623662396266363362376135383064303265653733363763
61346230386231393165663062643464313436313635343933363133663463636366363135323430
66643461396237656336643062643166313335663261633964663935333034613034393864656635
34363936393538316364323836623939633330393130323631376265346439353438396433333231
64623635343439646466333234643835613365663633373365656439333563663337623537393830
63386436613963323938643030633435623563636265326463313534353664613930336437643939
37383835343636316230323765303539383933623637396461666666663462316338663835646564
39613362353764663939626631363862373235303462376532303131626431646165363730323035
36343734383536653166616564336431346236623266306661346536623263316332666661333837
38373765393435363030303362383362396532626130353036376237633030313336666663636562
33313262613332386365383861393261386333396530386565623537643330363135323039616563
65376163333963326234653535316235363339656236396465373435343138323765643566393432
39366231376364633836356230353538343030303533356130653864346336633238303264306130
35306130616464396439656432313930653161393262356333323066343065343264356163613761
32656631636237303031313366653065323463343039303132396639653866376563393132636437
62396236363835383533306265646162666339623966656465396630633931396262333432653730
37643864643066623662616331653734343765323362326366623238333732316235643435303961
36636565636539663163336166633363376438303364633034306330393630653835613465353663
65393961356539653164343231663836366363663637643834633066663562366465316562356537
33383039343764343933383937363361386235643163363934396666353864323865666434653935
62633134643536653138316230346431643636623966643833646131633336346263653665343533
65626235646337623832663764363832303232333936363034616535636530303231653530643564
35363963393030333432326562636338343664353132343731323137303965613239613663323631
32316534636238373037303830313530323130363964616161333832343963646262373065663138
39343363663131386564626263353233353230386266343232303361316630333835636137306332
30343836623636633966666434326539356233643234356333376633303230306235623564326166
33386361336163626430376139656335656230636337306133326339663532313131633931383934
66316531643266383436386537663239623533636362323031366135656539613734316339383964
61383837643663373162623763353335326636366164616261623231353538653862366565326463
35633639363238653261303834303835346361623766636631616538353036356230316161626261
66663736373838303265336339383230343563336664383737623865653133343034373862373865
33626232663637313539663564623837336539366138393562383532636164633433353565666239
38636637633665303032646437663862346365333231373161353464633438313032636331303263
65623438666439333239646261613631363664356537396163353532393532343561383966353438
35376336613133633261656364623436643939323166373362346230316336343166663762636336
31396465366263633435616463396530343830393361323738616330393766656237373862323066
66663337366137363362383934373763373634363763633538363461316134616530386131316261
64643862373831343234356532376265633362633961313163333738353730643237316539333234
61343738656138353264376465636332376562303631643665636539323439373764393239353837
63613264653064333537363436383861656430383430366462323764636564643264633962336162
63643532626333656132393362376131396535623762646132356637343738633130303936663038
64643337373232356238616233343564316134343939326135653164613536646336353965323762
39346463353130376335346165346235366538356137646366383336313630653366336165613530
36653962326265643962653464623061376432636632343732616637393963663937383932313138
35353837373261646161663838633862663333656237353733303033663364373237623765393661
36333662373237646466333062306133303637363862333839653663346530353162356562343134
30326461343432653332396464333062666536623964363465663639643464393437646638326537
33323830633235313030616139363663373565343836616530623732316133613035626430363839
30613733656563323034383061303837323338393866363364393832306139396337323636613032
30383966663765303564356263363038383864613965306163326432323663396134326431353732
39663130346337323464396634623831626466616361343834656238326138666266363861306339
61393334646432373038373235363735623733346635653934303135346534343133653762613362
39643632663337326232316162396463663638303863616635633737326166313933396337376433
38383731373536316361303430313730656364633032396135356665366538623032656234343436
38653935636565313237326631383135366261363064613937306135643336343636386165626137
34346161366564323131343538316338633162333434646666666334316439653434623237393737
65613231316165666330373734366234646366313131633030373839353733323936336461366665
39643161373963646130656636326130613131316263333632356338303863343739313232626530
36343165396239616662386263363238393130333431303230303831653130343031353263623039
37393766616232363465356437366639396264313062643935363437373636623566343463303736
39393166323638663032633064646638306230313061626366306439353236623862393837366666
37303366333861643664383662303433353263303831313636653933366137623033656139373338
39646564373762303238346665373732633534333137376231666262623862333361636236386263
62383538343361363132616231663233323562323964383964346531343530643965366439393163
65383534356234383162656138313763613636323439386234386463336139653233323862633739
30613837363135666564393834383233353937346163303764393131663863396631373232616237
38373865383832356536343633373764313839626233666130323364303632323066636661353764
65636138646335313831313032653163633831373736653036326136353239613463376262333530
39383434643538316163643934396265353962616537633161663233633966656265646563373333
63626533333030353434316364653833333161366663343030326636313530316430356363396434
346338653161323532663932626435323866

27
host_vars/web21 Normal file
View File

@ -0,0 +1,27 @@
$ANSIBLE_VAULT;1.1;AES256
38663333313561616264323430323162323837623430363739623561633331656664613936666665
6364373033623163393239663035306337383066343438310a383666313434323036643037363065
30396333626130303633663930663965666662646233393439376661346265616565616236623366
3930373433646231610a336233663132306263656465633034333030316362643939316465666534
38353961393038613961353732613434663565633466303265383231343336386330333464376363
33616330643364376332623634363766656366666239633964316439376463313063333162343963
61356634393438313063666434626338616264613639656462626639616263366531663135393466
66346635616439306364356133303664376134626636616131373138656562363363306633333164
62623135343633393834393165383231316562643062343165663235313930663039623135373263
61343336643235303962333938613230356465346436376334373438386461366231383737643137
36343832353730366131653430633465383163396336353065306638373166386438356264616139
65346635663338366463343932336231386235393836616238373864626235623935663661396663
31633565356465333737303339333435383162316530396563333335613062623138333232336162
62376363666431363931663231643561616562383230643737393261623934363633313231333137
39383238656237343661626662366465356463396336386261326334613436396364633062646532
61313136366636363861316166396134316562666435653437326331363563653035343138636163
66336139636533656334643966383962383734623565323435333665666164353732663736326364
35616264383237316330386539363065376334643432393636643464646238633034333166663665
33313166393738626133636136346637646437306335326263393634363133663736666338313838
64623139613037653461643563666539613237323934376534376461313833336338623032616661
64643062663633366436383232366137373936383430306332616634636331326361383931363961
62313236313563326438303935373837666434313435653236643135303739373763656562393537
31653265653739346433663937343439656231663963333633373066356231623762313438393763
36306336656566633034373834316363333233326130626639313130643935333437653934313636
32383034346234333561333466653561323834346166633831303566376266373933356536383031
6236303934323963336662386666653138313165366133303434

141
host_vars/web22 Normal file
View File

@ -0,0 +1,141 @@
$ANSIBLE_VAULT;1.1;AES256
61623539626162633765633037643066613863623631336534396535353439376238646263306463
3762323765316137356636623430333662386564626536350a333334393630653733353864636162
64623562623462373337363339343832336439363832653666316335313633343663396438346365
6531343731363736340a373839663837396138366237303636326363663366656564306663663934
34333862643232383566306335363462653035313039353764643261663165613861623333663136
31333131303630356239636334346466643433356661383234383132653865326634643138613666
35386430646239643535373264386535316135623633303863646564313538323532333739653636
37393833363564323533333963376334326536666535626530383165613938353232356539633732
30633761336638636265353764643063316538353065376431616165343936323834303733326433
62626233643630643835323834343461333365333232373236376234376532636431396232633034
34303538313331383332643731653634313736383261393563393232643466386339363836623466
33383633353239623930363765326638643066373332653264633437323536366233383030346135
61353636353239376564396336353538616135663237613137366263353730366263643961373461
36646132646563646133373563653034646330653931396562643832666634383439313764646535
35643161356263316638363662626662346232633230363731633263333566376262396236363161
38636138306366666163663861346639323630663039353863346161613336363730633738386635
31356638623938353964346436353565363431636238326266373863316464396563336461336162
37323962343637626634386539643062343565313431386265323166623437346639363630343739
63613738656465346261653538643932666235356635346564356234613265353761393263373965
37326438346432306165616538363334653732643138643864633731363936626433303961373465
38383535396665643037363665623739346230666539643835343862646464303436303561313035
31356462656230326137616531363461316365333432326230373632356632313765333464313164
65393537656364656464343237646137396331643165343639643330353264333066633432363066
31336132373162393033363636386632313938333039393533313038623633613362646134363162
36346532306166346335643636353439323732663763396432613537316234376366616262626638
38613936626237343464373937383464356439383934353264643632386239353666396133656635
37666534383461663433653139383732383062643939653066656231646532666262386239616433
34386335363663313933663465623534633163316635353439616532386565613234373039653364
62376565613863656232643631343634636366643034386466323963643837653831653635333865
37383834626362613235623264613234653236323236383632356666643465313561626137343330
61643963306363366638306335653364616264613766346539316337623466666537616535333363
35306665383339643834616463396362663538303031386639343932346537363866663536373634
32623738363234326361336436626330363962316163653733663663316139393134666632633438
32303463343363383663636165643730653138356538326137613730383863373635646533373066
38323361373665376435313266373439636533646634326533626135313462303739313430383730
32333636633737376566623663323234376235623039313865663232323761616532666466306264
39623434333638323065623830656535353331326435643464333035326338366136666136663337
34336366333539333232653263396231633234313935396366646639383465326333653236383362
36656563653465346439653230333534656530373766653733373765623234336466663631323765
38636262373831393633343262356538393736666134633264353037383033343436346333306565
38663637333062653565666163616330393637616434666634633839373966373666323831353338
33666235646162343234343336356563663430643035306333623136323461636135386238396137
63323830316634653666333735663533336262303931653666356531343464656132326134313831
30666466373833313331316330353539646534333135373364343066643536636335633264306334
63396133626234323734666162343835613436393763303836383839323338323339313261383033
33616430376436663966626230343436643032353636363765303032333637396531623265393064
62336330396533346462313638613262363435306330366561303336316239313731623562316366
36373864373763383236663163363335373435636431613562373334396432323633373063346564
38616637316162396638356234323436383765663036366363323964613264373638656161393661
38623234356137383936303738306263376632393533613739613636613561333262333537616336
35393739636533373865343533633961316137626337363336316333616162643538343362613634
34376334393134643963383634646432643763316232656135663031373361346332636662653266
38663931663239666462626664373064666366613834623033346133306335333462623931646535
65343966313966386632333133363965623436313237343331366565323133343833623232326337
38363234336137633035333362383164656238326434366330336662653435343639663438613062
30346336353964346362393832653835303730383934316563333538376333353830376661313065
31353837333563363561663931386264346263323665616231383538353937393330303163306433
64376662393464643836636162373564376664306161656539626132313232343861396537386462
32376636333564323137623862396135313863306337346131323834396633333261633438646561
31613734343839373735356464643865663061363338346663353932313635393138613538303463
33373333373230383336336462636333353137303563366234363737343437323336386335633739
61363266633065383738336537346331376663313133393761633530633932643739636238633565
33343236633834383933336466636663383566633932643464353665643733613137633538346437
33366361663537343931653537333737633463336135623836373261663538303532633763646432
39343361383335636433666431616363373161646265393231353265393436633238303066613963
39633765663339643864386334613337666138333538333762353866333464386232396530306335
64306461363730313061633831343839613065313061326132613563666563656131383236623032
33346234333966653732643263313138333262343461623736386334356662383536633062653832
37626132376336643563396561626636346237393138343133656565643631646530326166613061
31353863623430656433356636616636303961336262613063616464313832343030333937356662
61353136633539306265386335393035313864366464303131663337383636363431636537646461
37646431643862646262623038336635653764383165376433666639363337623035616562663561
36613165393931336639306662656136663231316530663266666135353461613538653734316661
36363065663261323439653733336266613539363732323230346433353363333637616635666234
36373439343762336161313965396537363332316561303235666264653038353132633561393038
30373366303136656661353664396261393136623436323930666430636435623362396636646161
63613734663964656139393531316465623130666663376266616137316137616233373630396663
32326166663731643837623262393835656532393139396535393732626164316136626239663230
35326166346162626134626566313963333661643531353437666139396333343335306633643531
63386437646536633430643539623164306139316364646136306366373732373065376561303431
65363237353163656162393264316263303366633630303532623130343066636132613865363662
63323233323064633238356236616665373933626465393032326134363434613262653165343166
38313263376637383163336565376538326532353766626264346536353563663464623737653430
66373866343865326331333833353261386132393234303536353864343934353039323038363630
37373632356461633137336230353762316562353430323761623861343639393030653038313632
66636133643566306432333038623866333531613334396432306666316439366435383661336531
36373333623266353461383431333462343037306563616231663563353833653839313538613631
30646130383932343865363062313836323365616639346537663461343164363934653737613466
38326234356261343764323063613366313633313766613736663033666664613433363438646366
64366333373164333838363934636366336430343032316562653137323634303833616363393063
35343330663434356530333535663664336463396533393564663138623162666563323736366135
63653662306265326238363266393864393630333064303861376432333432386262306363336135
32333762333339383662303931376631326638666635353433636461386264633166313336636663
36313336663730363937316539623132313937633032396462616634346630383937353034343332
32346164363362346264353965633761306163343131323661313836636438646337396238653962
66306666366663343731333338666463313139373033306137643631313930353932616339636337
39363337376232616139663863303430353530643964633333376561326339373334663862383230
37613861373836643762386339666434623931376266643361383761373235393035303137613838
39383230393831373836396435323734316332663465376136333365393433633065666565393033
62356661346433643532633366313132313137623134626431343532373461396462653738613030
39323566326239383434616663626330646136386463646331616431386235633435333838363732
33633063363065343032383736643634313034663632373237663132373561656530396661326366
31313738633662616663646163386461336537313236313930336466346161306535373965366137
32383934626563663033356466653162333732633639363563663464353466383233373830633361
37326531636262313337333665626233303263633461356331343261353838396661656138323130
39316634666432656638623733333531303662613062323430333933626264376138393665363964
62633765313262653165393332336539363263636362383262303766373331353363363564333037
39373164633563303461313830383632623438666333333938613066313562623233353665653631
62313634373537356365633065333763333533313730353235363963643131316364323031643235
64313731343735346533646430346565393365363334626563353030313663363930363966313339
34346130626633333239663935376663393962363761663935303639346333326230363730363366
39313230353130373733396264616530303534383466633231303661663635623266346235363163
61383761623039666462383266666565643930303664616432393434666566636437616536626365
33336366333139633138386366333938343630373965613865663830366333363363303565633238
32313762303739356433383534653966376231316366396333616435343539376432633837666635
31396137373263386365616237396232376664653266663562356533613263323131356266666264
36636266623338323861303237623361666130373938306539343438316662326536376438306465
62656463356364363837353738663539316163346565333431343363303564376436666631383435
65333066383335633462613034383139336262393865383534323032323730343865303339343239
62343962363566643566356433623133333363343535376534333938623033656334613432326533
63666339373135353331326363303064666137383439663738373236623137383562346439356432
62383365373063376637313437346333643637376234376434613666353734333039353463313335
32326564343139383035313261646635313939366531323530393434303735306138633435333037
65666533366634666665393838616533656338353938333437363939616435636538313937303631
32663439396165333633653531353835366436323062326535366432313936323031613639633164
66323234613139626433326130396232366231623135366462393366616365653337346261663836
61386435636361336334333235663865343262633333633162376433383062336663396162303133
32666437336634323132396664373930316365626131646636366632616138626366613737616131
64386439386265373631373232626538323936383162333535383134643438336336636435613033
31336139376434316432343139363464616136626463396534646239646633363164646330373161
31663233393234393837356133316462346563303435663262363532333963333535373031656434
64303262633166346534396166643365326262636431353065613236666463336238633838633636
35356265653935663963343737616563373663376239613436663138386566393438323735393362
32616238623538366639373762336363353638306539336263316338323666303866633935386433
62313865303732613266393066386533313263313432356434363734626365643338646438646633
31346463313236643862303034363737343731343934666632623130613932323137376134653265
35326164303031623235303265613765663263663333353066333633663636323635383832373865
35626135333634346637346537373962646236376431393266306436333634646263646266326234
37383037363364306230646334333532613464353931376338366532326134393437303535393033
34316232326462343662

67
host_vars/web23 Normal file
View File

@ -0,0 +1,67 @@
$ANSIBLE_VAULT;1.1;AES256
64326662336532386161646564656439396461666266656463393335663130323930326139386562
3639653630336132663666646161363938386334323064320a663564613066313533353433333434
30346561616465646163646534356339666639333862623637613435376361323032636439633930
3731313063363337380a373961353530383764623830363935626231333734303364313565626633
37343037633862633632613165323136373662396438613663636433346566653064653632313338
36396333393334336434326630646164333531306432386133353664336535343363343939393464
34626335626436353239366138323863656336636536383733363931633933636331643263653566
30613931616462373336393337363430353962613665353936383533326364353365623333316664
62383439396131303831326562323264336638623461643361663763356236373464346464316237
65393232343733643338653734326562626166366562303037613862396564636662363066356664
32656363616637303039373732396533643432343961666365313963383131643464333765643737
32386165666131626365313938633530346361383734323334613464353862393931323836626563
62656531346532646530306463653364326362613162323536643836643839663933343132613435
63303234646335306632316166626266313635303566396363333464363631353834373761353837
65643461623135363139646564336430353461336433633765303138313730613630346465326666
61393133636262653836333664623333656164663361353130623863653863323131326136373238
33376333316433653337373834666136363130373261333330643439313734343036636364306532
63343662383539633235356162656366323965383331343139616361653466633865626337326562
63643761613536613334333065643533323066393764633931633066353064393966646161376361
37623939386636346161346164303832303534323038626335336665653634386132343031303861
61323765306366333936303765636436633465356539316631343562363535663932333666363035
30386233623265636464393662386464333430396337626230306438396563303437363938303061
32653939383136376365343934613339383563303935623664633639326137353437363261393637
66613331643530623862636665396536613730306537373666623135663837393466343261646461
62376162613861643633656334303132353034333834626664666237393534386439313638393933
35643663613432323432646466386434363335353234643264643463613334356462313766643030
30336364396235663230356235303264323339643761333036333537633862343862386130626533
36626536396663393031303533313238616133323239356634303830353439363133353839663266
36306539636563633734623162356230383232306138393831393336626336383966643335376564
36303730313936633361643736613736303163363536313038316432323039643362636538333037
65613663333032623035656665393565366363396134363832363163656532363537373435623233
36373961333237373264326634353363356537356538343663613034396132396366626330303365
62353461616434343938386237373365633861333733613631633234623034366364363761613636
34393532316466323264363363653335366639613731326131393335313039646538626665356333
62663435633539643237326631636563363833633130363535653336333538366137306235663730
36633934636536633865376262356239303966646638626638386536366662386432343466366161
36646436636538643366623864326630396565373462393132343834626638313437316137353564
34646138616438323065336266366434316135613938643131353034646230396632386433366365
38616436346232363563336439613939313464323861616530633962316634363462373530613665
63653636646565303664326631363535373037663734663965346430363831613431613365393832
62373030336262643430313635626261613232656236333130396537633238623265363932333966
34326135363762396564613064323135313663613565646461376162306532643433333336666532
65383661303137613335653336663666653463623565386137326662653839633536326135633764
33623437333931393737363061356235336232376437643131373531356566323336306138353561
66333863313461613930383231663162616261616639323238646439656166666261626533636161
38333362393033316266633364313739366262636530363937386137616234326638303137613433
65313962653566333364383732386165396136303666383439303064326463346563663434646364
62396130646632653039383661613638303162363538376236666338623865366639663138363636
36373766386234383465316635323931356233366262386135363238366538623135623361386436
64653533646233653463656334633566373433303365353965663732636566663332343337626337
34623861373562386264346430333133343631653631376366373735626664363965666561306262
35666235653235346233636361383566616533646662333662323139313865383264633734643263
63656431393834633935613430643839613433326431666665323136376562333737383862313261
65656431336439303563373833343965323965346439636131633366633431393032613963666539
38326539343132326334316233323362633835356265333031663066643535363639623031336362
64346230383638363763323462386261666266623134393139303264343234623132323437396630
66363738376133393731616535653230303262313937373333353932303038626166346366303163
66613831353731373165636532363165356561383137626437333563616561386666623234313438
37333435306530323235393164383138346131653235633536383636316161316238313064636261
33353963333430383236303038333939316637326130396430623964633338353863613534653663
30333839393230626261663966616230303330636335323565663938343562666663303536636332
34336665323764663163653161373166313631393534326532613538313637313136356336313433
34353036653738343433613763383137336562373332333062326134626638633938336364376131
61303435333163663636653135363162303663663266393438656430306532343438386436343735
31343231653263373532386263653263386435363633396638396164323539306233303562303862
3339306136613431636138333266633739323666633431363039

4
misc-plays/change_password.yml
View File

@ -13,13 +13,13 @@
- hosts: all - hosts: all
user: provisioning user: provisioning
become: yes become: true
vars_files: vars_files:
- "../vars/{{ ansible_distribution }}.yml" - "../vars/{{ ansible_distribution }}.yml"
tasks: tasks:
- name: Set password, shell, homedir for provisioning user - name: Set password, shell, homedir for provisioning user
when: provisioning_user is defined when: provisioning_user is defined
user: name={{ provisioning_user.name }} password={{ provisioning_user.password }} shell={{ provisioning_user.shell }} state={{ provisioning_user.state }} createhome=no user: name={{ provisioning_user.name }} password={{ provisioning_user.password }} shell={{ provisioning_user.shell }} state={{ provisioning_user.state }} createhome=false
# vim: set sw=2 ts=2: # vim: set sw=2 ts=2:

2
nomads.yml
View File

@ -2,7 +2,7 @@
# file: nomads.yml # file: nomads.yml
- hosts: nomads - hosts: nomads
become: yes become: true
roles: roles:
- common - common
- munin - munin

11
roles/caddy/defaults/main.yml Normal file
View File

@ -0,0 +1,11 @@
---
# file: roles/caddy/defaults/main.yml
# parent directory of vhost document roots
caddy_root_prefix: "{{ web_root_prefix }}"
# Email address to use for the ACME account managing the site's certificates.
# Not sure what Caddy does if this doesn't exist.
caddy_email: foo@example.com
# vim: set ts=2 sw=2:

10
roles/caddy/handlers/main.yml Normal file
View File

@ -0,0 +1,10 @@
---
# file: roles/caddy/handlers/main.yml
# I'm currently not sure when we need to restart versus reload
- name: reload caddy
ansible.builtin.systemd:
name: caddy
state: reloaded
# vim: set sw=2 ts=2:

82
roles/caddy/tasks/main.yml Normal file
View File

@ -0,0 +1,82 @@
---
# file: roles/caddy/tasks/main.yml
#
# Configure Caddy.
- name: Check Caddy package signing key
ansible.builtin.stat:
path: /etc/apt/keyrings/caddy-stable-archive-keyring.key
register: caddy_signing_key_stat
tags:
- packages
- caddy
# See: https://caddyserver.com/docs/install#debian-ubuntu-raspbian
- name: Download Caddy package signing key
ansible.builtin.get_url:
url: https://dl.cloudsmith.io/public/caddy/stable/gpg.key
dest: /etc/apt/keyrings/caddy-stable-archive-keyring.key
owner: root
group: root
mode: "0644"
register: download_caddy_signing_key
when: not caddy_signing_key_stat.stat.exists
tags:
- packages
- caddy
- name: Add Caddy stable repo
ansible.builtin.apt_repository:
repo: deb [signed-by=/etc/apt/keyrings/caddy-stable-archive-keyring.key] https://dl.cloudsmith.io/public/caddy/stable/deb/debian any-version main
filename: caddy-stable
state: present
register: add_caddy_apt_repository
tags:
- packages
- caddy
- name: Update apt cache
ansible.builtin.apt: # noqa no-handler
update_cache: true
when: (download_caddy_signing_key.status_code is defined and download_caddy_signing_key.status_code == 200) or add_caddy_apt_repository is changed
tags:
- packages
- caddy
- name: Install Caddy
ansible.builtin.apt:
name: caddy
state: present
install_recommends: false
cache_valid_time: 3600
tags:
- caddy
- packages
- name: Create Caddyfile
ansible.builtin.template:
src: etc/caddy/Caddyfile.j2
dest: /etc/caddy/Caddyfile
mode: "0755"
owner: root
group: root
notify:
- reload caddy
tags: caddy
- name: Create Caddy conf.d directory
ansible.builtin.file:
path: /etc/caddy/conf.d
state: directory
mode: "0755"
owner: root
group: root
tags: caddy
# TODO: the variable is still named nginx_vhosts
- name: Configure Caddy virtual hosts
ansible.builtin.include_tasks: vhosts.yml
when: nginx_vhosts is defined
tags: caddy
# vim: set sw=2 ts=2:

14
roles/caddy/tasks/vhosts.yml Normal file
View File

@ -0,0 +1,14 @@
---
- name: Configure vhosts
ansible.builtin.template:
src: etc/caddy/conf.d/vhost.j2
dest: /etc/caddy/conf.d/{{ item.domain_name }}
mode: "0644"
owner: root
group: root
loop: "{{ nginx_vhosts }}"
notify:
- reload caddy
tags: caddy
# vim: set ts=2 sw=2:

29
roles/caddy/templates/etc/caddy/Caddyfile.j2 Normal file
View File

@ -0,0 +1,29 @@
# Global options
{
email {{ caddy_email }}
}
# Common security response headers
(security-headers) {
header {
# disable Google FLoC tracking
Permissions-Policy interest-cohort=()
# enable HSTS
Strict-Transport-Security max-age=31536000
# disable clients from sniffing the media type
X-Content-Type-Options nosniff
# clickjacking protection: refuse to allow rendering this page
# in a frame, iframe, etc.
X-Frame-Options DENY
# keep referrer data off of HTTP connections
Referrer-Policy no-referrer-when-downgrade
}
}
# Import additional caddy config files in /etc/caddy/conf.d/
# Note: these are imported in lexical sort order!
import /etc/caddy/conf.d/*

46
roles/caddy/templates/etc/caddy/conf.d/vhost.j2 Normal file
View File

@ -0,0 +1,46 @@
{{ ansible_managed | comment }}
{# helper variables and per-site defaults that we can't set in role defaults #}
{% set domain_name = item.domain_name %}
{% set domain_aliases = item.domain_aliases | default("") %}
{# assume optional features are off unless a vhost explicitly sets them #}
{% set has_wordpress = item.has_wordpress | default(false) %}
{% set needs_php = item.needs_php | default(false) %}
{% set has_gitea = item.has_gitea | default(false) %}
{% set static_site = item.static_site | default(false) %}
{# Allow sites to override the document root #}
{% if item.document_root is defined %}
{% set document_root = item.document_root %}
{% else %}
{% set document_root = (caddy_root_prefix, domain_name) | ansible.builtin.path_join %}
{% endif %}
{% if domain_aliases %}
{# domain_aliases is a string, so we split on space #}
{% for domain in domain_aliases | split (' ') %}
{{ domain }} {
redir https://{{domain_name}}{uri}
}
{% endfor %}
{% endif %}
{{ domain_name }} {
{% if has_gitea %}
reverse_proxy :3000
{% elif static_site -%}
root * {{ document_root }}
encode
file_server
{% elif has_wordpress -%}
root * {{ document_root }}
encode
{% if ansible_distribution == 'Debian' and ansible_distribution_major_version is version('12', '==') -%}
php_fastcgi unix//run/php/php8.2-fpm-{{ domain_name }}.sock
{% endif -%}
file_server
{% endif -%}
import security-headers
}

8
roles/common/defaults/main.yml
View File

@ -1,11 +1,17 @@
--- ---
#file - roles/common/defaults/main.yml #file - roles/common/defaults/main.yml
# add a dummy API key for AbuseIPDB.com (override with real one in host_vars)
abuseipdb_api_key: dummy
fail2ban_maxretry: 6 fail2ban_maxretry: 6
# 1 hour in seconds # 1 hour in seconds
fail2ban_findtime: 3600 fail2ban_findtime: 3600
# 2 weeks in seconds # 2 weeks in seconds
fail2ban_bantime: 1209600 fail2ban_bantime: 1209600
fail2ban_ignoreip: 127.0.0.1/8,172.26.0.0/16,192.168.5.0/24 fail2ban_ignoreip: 127.0.0.1/8 172.26.0.0/16 192.168.5.0/24
# Disable SSH passwords. Must use SSH keys. This is OK because we add the keys
# before re-configuring the SSH daemon to disable passwords.
ssh_password_authentication: disabled
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

2
roles/common/files/00-persistent-journal.conf
View File

@ -1,2 +0,0 @@
[Journal]
Storage=persistent

5
roles/common/files/abusech-ipv4.nft Normal file
View File

@ -0,0 +1,5 @@
#!/usr/sbin/nft -f
define ABUSECH_IPV4 = {
192.168.254.254
}

10001
roles/common/files/abusers-ipv4.xml
View File

File diff suppressed because it is too large Load Diff

11
roles/common/files/abusers-ipv6.xml
View File

@ -1,11 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:ip">
<option name="family" value="inet6" />
<short>abusers-ipv6</short>
<description>A list of abusive IPv6 addresses.</description>
<entry>2001:41d0:a:3307::</entry>
<entry>2402:1f00:8001:8bd::</entry>
<entry>2604:a880:800:10::5bf:2001</entry>
<entry>2607:5300:120:878::</entry>
<entry>2a03:b0c0:3:d0::d4d:b001</entry>
</ipset>

2
roles/common/files/etc/cron-apt/3-download
View File

@ -1,2 +0,0 @@
autoclean -y
upgrade -y -o APT::Get::Show-Upgraded=true

5
roles/common/files/etc/cron-apt/config
View File

@ -1,5 +0,0 @@
# Configuration for cron-apt. For further information about the possible
# configuration settings see the README file.
MAILON="never"
OPTIONS="-o quiet=1 -o Dir::Etc::SourceList=/etc/apt/security.sources.list -o Dir::Etc::SourceParts=\"/dev/null\""

5
roles/common/files/firehol_level1-ipv4.nft Normal file
View File

@ -0,0 +1,5 @@
#!/usr/sbin/nft -f
define FIREHOL_LEVEL1_IPV4 = {
192.168.254.254/32
}

1
roles/common/files/ssh-pub-keys/aorth-thinkpad2-ed25519.pub Normal file
View File

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHmRO6E0G4Ls3TifVfJ+mQjlfWiBZNJfsSXGhwQ/HA1M aorth@balozi

24
roles/common/files/update-firehol-nftables.service Normal file
View File

@ -0,0 +1,24 @@
[Unit]
Description=Update FireHOL lists
# Make sure the network is up
After=network-online.target
Wants=network-online.target update-firehol-nftables.timer
[Service]
# https://www.ctrl.blog/entry/systemd-service-hardening.html
# Doesn't need access to /home or /root
ProtectHome=true
# Possibly only works on Ubuntu 18.04+
ProtectKernelTunables=true
ProtectSystem=full
# Newer systemd can use ReadWritePaths to list files, but this works everywhere
ReadWriteDirectories=/etc/nftables
PrivateTmp=true
WorkingDirectory=/var/tmp
SyslogIdentifier=update-firehol-nftables
ExecStart=/usr/bin/flock -x update-firehol-nftables.lck \
/usr/local/bin/update-firehol-nftables.sh
[Install]
WantedBy=multi-user.target

12
roles/common/files/update-firehol-nftables.timer Normal file
View File

@ -0,0 +1,12 @@
[Unit]
Description=Update FireHOL lists
[Timer]
# Once a day at midnight
OnCalendar=*-*-* 00:00:00
# Add a random delay of 03600 seconds
RandomizedDelaySec=3600
Persistent=true
[Install]
WantedBy=timers.target

28
roles/common/handlers/main.yml
View File

@ -1,17 +1,27 @@
--- ---
# file: roles/common/handlers/main.yml # ansible.builtin.file: roles/common/handlers/main.yml
- name: reload sshd - name: reload sshd
systemd: name={{ sshd_service_name }} state=reloaded ansible.builtin.systemd:
name: "{{ sshd_service_name }}"
state: reloaded
- name: reload sysctl - name: reload sysctl
command: sysctl -p /etc/sysctl.conf command: sysctl -p /etc/sysctl.conf
- name: restart firewalld
systemd: name=firewalld state=restarted
- name: restart fail2ban
systemd: name=fail2ban state=restarted
- name: reload systemd - name: reload systemd
systemd: daemon_reload=yes ansible.builtin.systemd:
daemon_reload: true
- name: restart nftables
ansible.builtin.systemd:
name: nftables
state: restarted
# 2021-09-28: note to self to keep fail2ban at the end, as handlers are executed
# in the order they are defined, not in the order they are listed in the task's
# notify statement and we must restart fail2ban after updating the firewall.
- name: restart fail2ban
ansible.builtin.systemd:
name: fail2ban
state: restarted

19
roles/common/tasks/cron-apt.yml
View File

@ -1,12 +1,17 @@
--- ---
- name: Remove cron-apt
ansible.builtin.apt:
name: cron-apt
state: absent
cache_valid_time: 3600
- name: Configure cron-apt (config) - name: Remove cron-apt configs
copy: src={{ item.src }} dest={{ item.dest }} mode={{ item.mode }} owner={{ item.owner }} group={{ item.group }} ansible.builtin.file:
path: "{{ item }}"
state: absent
loop: loop:
- { src: 'etc/cron-apt/config', dest: '/etc/cron-apt/config', mode: '0644', owner: 'root', group: 'root' } - /etc/cron-apt/config
- { src: 'etc/cron-apt/3-download', dest: '/etc/cron-apt/action.d/3-download', mode: '0644', owner: 'root', group: 'root' } - /etc/cron-apt/action.d/3-download
- /etc/apt/security.sources.list
- name: Configure cron-apt (security)
template: src=security.sources.list.j2 dest=/etc/apt/security.sources.list mode=0644 owner=root group=root
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

44
roles/common/tasks/fail2ban.yml
View File

@ -1,20 +1,56 @@
--- ---
- name: Install fail2ban
when:
- ansible_distribution_major_version is version('11', '>=')
ansible.builtin.package:
name:
- fail2ban
- python3-systemd
state: present
cache_valid_time: 3600
- name: Configure fail2ban sshd filter - name: Configure fail2ban sshd filter
template: src=etc/fail2ban/jail.d/sshd.local.j2 dest=/etc/fail2ban/jail.d/sshd.local owner=root mode=0644 ansible.builtin.template:
src: etc/fail2ban/jail.d/sshd.local.j2
dest: /etc/fail2ban/jail.d/sshd.local
owner: root
mode: "0644"
notify: restart fail2ban
- name: Configure fail2ban nginx filter
when:
- webserver is defined and webserver == 'nginx'
- extra_fail2ban_filters is defined
- "'nginx' in extra_fail2ban_filters"
ansible.builtin.template:
src: etc/fail2ban/jail.d/nginx.local.j2
dest: /etc/fail2ban/jail.d/nginx.local
owner: root
mode: "0644"
notify: restart fail2ban notify: restart fail2ban
- name: Create fail2ban service override directory - name: Create fail2ban service override directory
file: path=/etc/systemd/system/fail2ban.service.d state=directory owner=root mode=0755 ansible.builtin.file:
path: /etc/systemd/system/fail2ban.service.d
state: directory
owner: root
mode: "0755"
# See Arch Linux's example: https://wiki.archlinux.org/index.php/Fail2ban # See Arch Linux's example: https://wiki.archlinux.org/index.php/Fail2ban
- name: Configure fail2ban service override - name: Configure fail2ban service override
template: src=etc/systemd/system/fail2ban.service.d/override.conf.j2 dest=/etc/systemd/system/fail2ban.service.d/override.conf owner=root mode=0644 ansible.builtin.template:
src: etc/systemd/system/fail2ban.service.d/override.conf.j2
dest: /etc/systemd/system/fail2ban.service.d/override.conf
owner: root
mode: "0644"
notify: notify:
- reload systemd - reload systemd
- restart fail2ban - restart fail2ban
- name: Start and enable fail2ban service - name: Start and enable fail2ban service
systemd: name=fail2ban state=started enabled=yes ansible.builtin.systemd:
name: fail2ban
state: started
enabled: true
# vim: set sw=2 ts=2: # vim: set sw=2 ts=2:

20
roles/common/tasks/firewall.yml Normal file
View File

@ -0,0 +1,20 @@
---
- name: Configure firewall (Debian)
when: ansible_distribution == 'Debian'
ansible.builtin.include_tasks:
file: firewall_Debian.yml
apply:
tags:
- firewall
tags: firewall
- name: Configure firewall (Ubuntu)
when: ansible_distribution == 'Ubuntu'
ansible.builtin.include_tasks:
file: firewall_Ubuntu.yml
apply:
tags:
- firewall
tags: firewall

74
roles/common/tasks/firewall_Debian.yml
View File

@ -1,60 +1,28 @@
--- ---
# Debian 11+ will use nftables directly, with no firewalld.
- block: - name: Install Debian firewall packages
- name: Set Debian firewall packages when: ansible_distribution_major_version is version('11', '>=')
set_fact: ansible.builtin.package:
debian_firewall_packages: name:
- firewalld - libnet-ip-perl # for aggregate-cidr-addresses.pl
- tidy - nftables
- fail2ban - curl # for nftables update scripts
- python3-systemd # for fail2ban systemd backend state: present
cache_valid_time: 3600
- name: Install firewalld and deps - name: Remove iptables on newer Debian
when: ansible_distribution_major_version is version('9', '>=') when: ansible_distribution_major_version is version('11', '>=')
apt: pkg={{ debian_firewall_packages }} state=present ansible.builtin.apt:
pkg: iptables
state: absent
- name: Use iptables backend in firewalld - name: Configure nftables
when: ansible_distribution_major_version is version('10', '>=') ansible.builtin.include_tasks: nftables.yml
lineinfile: when: ansible_distribution_version is version('11', '>=')
dest: /etc/firewalld/firewalld.conf
regexp: '^FirewallBackend=nftables$'
line: 'FirewallBackend=iptables'
notify:
- restart firewalld
# firewalld seems to have an issue with iptables 1.8.2 when using the nftables - ansible.builtin.include_tasks: fail2ban.yml
# backend. Using individual calls seems to work around it. when:
# See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931722 - ansible_distribution_major_version is version('9', '>=')
- name: Use individual iptables calls
when: ansible_distribution_major_version is version('10', '>=')
lineinfile:
dest: /etc/firewalld/firewalld.conf
regexp: '^IndividualCalls=no$'
line: 'IndividualCalls=yes'
notify:
- restart firewalld
- name: Copy firewalld public zone file
when: ansible_distribution_major_version is version('9', '>=')
template: src=public.xml.j2 dest=/etc/firewalld/zones/public.xml owner=root mode=0600
- name: Format public.xml firewalld zone file
when: ansible_distribution_major_version is version('9', '>=')
command: tidy -xml -iq -m -w 0 /etc/firewalld/zones/public.xml
notify:
- restart firewalld
- name: Copy ipsets of abusive IPs
when: ansible_distribution_major_version is version('9', '>=')
copy: src={{ item }} dest=/etc/firewalld/ipsets/{{ item }} owner=root group=root mode=0600
loop:
- abusers-ipv4.xml
- abusers-ipv6.xml
notify:
- restart firewalld
- include_tasks: fail2ban.yml
when: ansible_distribution_major_version is version('9', '>=')
tags: firewall
# vim: set sw=2 ts=2: # vim: set sw=2 ts=2:

77
roles/common/tasks/firewall_Ubuntu.yml
View File

@ -1,64 +1,27 @@
--- ---
# Ubuntu 20.04 will use nftables directly, with no firewalld.
- block: - name: Install Ubuntu firewall packages
- name: Set Ubuntu firewall packages when: ansible_distribution_version is version('20.04', '>=')
set_fact: ansible.builtin.package:
ubuntu_firewall_packages: name:
- firewalld - libnet-ip-perl # for aggregate-cidr-addresses.pl
- tidy - nftables
- fail2ban - curl # for nftables update scripts
- python3-systemd # for fail2ban systemd backend state: present
cache_valid_time: 3600
- name: Install firewalld and deps - name: Remove ufw
when: ansible_distribution_version is version('16.04', '>=') ansible.builtin.package:
apt: pkg={{ ubuntu_firewall_packages }} state=present name: ufw
state: absent
- name: Remove ufw - name: Configure nftables
when: ansible_distribution_version is version('16.04', '>=') ansible.builtin.include_tasks: nftables.yml
apt: pkg=ufw state=absent when: ansible_distribution_version is version('20.04', '>=')
# I'm not sure why, but you can use firewalld with the nftables backend even - ansible.builtin.include_tasks: fail2ban.yml
# if nftables itself is not installed. In that case the only way to see the when:
# currently active rules is with firewall-cmd. I prefer installing nftables - ansible_distribution_version is version('16.04', '>=')
# so that we can have somewhat of a parallel with iptables:
#
# nft list ruleset
#
# See: https://firewalld.org/2018/07/nftables-backend
- name: Install nftables
when: ansible_distribution_version is version('20.04', '==')
apt: pkg=nftables state=present
- name: Use nftables backend in firewalld
when: ansible_distribution_version is version('20.04', '==')
lineinfile:
dest: /etc/firewalld/firewalld.conf
regexp: '^FirewallBackend=iptables$'
line: 'FirewallBackend=nftables'
notify:
- restart firewalld
- name: Copy firewalld public zone file
when: ansible_distribution_version is version('16.04', '>=')
template: src=public.xml.j2 dest=/etc/firewalld/zones/public.xml owner=root mode=0600
- name: Format public.xml firewalld zone file
when: ansible_distribution_version is version('16.04', '>=')
command: tidy -xml -iq -m -w 0 /etc/firewalld/zones/public.xml
notify:
- restart firewalld
- name: Copy ipsets of abusive IPs
when: ansible_distribution_version is version('16.04', '>=')
copy: src={{ item }} dest=/etc/firewalld/ipsets/{{ item }} owner=root group=root mode=0600
loop:
- abusers-ipv4.xml
- abusers-ipv6.xml
notify:
- restart firewalld
- include_tasks: fail2ban.yml
when: ansible_distribution_version is version('16.04', '>=')
tags: firewall
# vim: set sw=2 ts=2: # vim: set sw=2 ts=2:

28
roles/common/tasks/main.yml
View File

@ -1,54 +1,44 @@
--- ---
- name: Import OS-specific variables - name: Import OS-specific variables
include_vars: "vars/{{ ansible_distribution }}.yml" ansible.builtin.include_vars: vars/{{ ansible_distribution }}.yml
tags: always tags: always
- name: Configure network time - name: Configure network time
import_tasks: ntp.yml ansible.builtin.import_tasks: ntp.yml
tags: ntp tags: ntp
- name: Install common packages - name: Install common packages
include_tasks: packages_Debian.yml ansible.builtin.include_tasks: packages_Debian.yml
when: ansible_distribution == 'Debian' when: ansible_distribution == 'Debian'
tags: packages tags: packages
- name: Install common packages - name: Install common packages
include_tasks: packages_Ubuntu.yml ansible.builtin.include_tasks: packages_Ubuntu.yml
when: ansible_distribution == 'Ubuntu' when: ansible_distribution == 'Ubuntu'
tags: packages tags: packages
- name: Configure firewall - name: Configure firewall
include_tasks: firewall_Debian.yml ansible.builtin.import_tasks: firewall.yml
when: ansible_distribution == 'Debian'
tags: firewall
- name: Configure firewall
include_tasks: firewall_Ubuntu.yml
when: ansible_distribution == 'Ubuntu'
tags: firewall tags: firewall
- name: Configure secure shell daemon - name: Configure secure shell daemon
import_tasks: sshd.yml ansible.builtin.import_tasks: sshd.yml
tags: sshd tags: sshd
# containers identify as virtualization hosts, which makes this tricky, because we have actual Debian VM hosts! # containers identify as virtualization hosts, which makes this tricky, because we have actual Debian VM hosts!
- name: Reconfigure /etc/sysctl.conf - name: Reconfigure /etc/sysctl.conf
when: ansible_virtualization_role != 'host' when: ansible_virtualization_role != 'host'
template: src=sysctl_{{ ansible_distribution }}.j2 dest=/etc/sysctl.conf owner=root group=root mode=0644 ansible.builtin.template: src=sysctl_{{ ansible_distribution }}.j2 dest=/etc/sysctl.conf owner=root group=root mode=0644
notify: notify:
- reload sysctl - reload sysctl
tags: sysctl tags: sysctl
- name: Reconfigure /etc/rc.local
when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('19.04', '<=')
template: src=rc.local_Ubuntu.j2 dest=/etc/rc.local owner=root group=root mode=0755
- name: Set I/O scheduler - name: Set I/O scheduler
template: src=etc/udev/rules.d/60-scheduler.rules.j2 dest=/etc/udev/rules.d/60-scheduler.rules owner=root group=root mode=0644 ansible.builtin.template: src=etc/udev/rules.d/60-scheduler.rules.j2 dest=/etc/udev/rules.d/60-scheduler.rules owner=root group=root mode=0644
tags: udev tags: udev
- name: Copy admin SSH keys - name: Copy admin SSH keys
import_tasks: ssh-keys.yml ansible.builtin.import_tasks: ssh-keys.yml
tags: ssh-keys tags: ssh-keys
# vim: set sw=2 ts=2: # vim: set sw=2 ts=2:

97
roles/common/tasks/nftables.yml Normal file
View File

@ -0,0 +1,97 @@
---
# Common nftables tasks for Ubuntu 20.04, Ubuntu 22.04, Ubuntu 24.04, Debian 11,
# and Debian 12.
- name: Copy nftables.conf
ansible.builtin.template:
src: nftables.conf.j2
dest: /etc/nftables.conf
owner: root
mode: "0644"
notify:
- restart nftables
- restart fail2ban
- name: Create /etc/nftables extra config directory
ansible.builtin.file:
path: /etc/nftables
state: directory
owner: root
mode: "0755"
- name: Copy extra nftables configuration files
ansible.builtin.copy:
src: "{{ item.src }}"
dest: /etc/nftables/{{ item.src }}
owner: root
group: root
mode: "0644"
force: "{{ item.force }}"
loop:
- { src: firehol_level1-ipv4.nft, force: false }
notify:
- restart nftables
- restart fail2ban
- name: Copy nftables update scripts
ansible.builtin.template:
src: update-firehol-nftables.sh.j2
dest: /usr/local/bin/update-firehol-nftables.sh
mode: "0755"
owner: root
group: root
- name: Remove deprecated data and scripts
ansible.builtin.file:
path: "{{ item }}"
state: absent
loop:
- /etc/nftables/spamhaus-ipv4.nft
- /etc/nftables/spamhaus-ipv6.nft
- /etc/nftables/abuseipdb-ipv4.nft
- /etc/nftables/abuseipdb-ipv6.nft
- /etc/nftables/abusech-ipv4.nft
- /usr/local/bin/update-abusech-nftables.sh
- /usr/local/bin/update-spamhaus-nftables.sh
- /etc/systemd/system/update-abusech-nftables.service
- /etc/systemd/system/update-abusech-nftables.timer
- /etc/systemd/system/update-spamhaus-nftables.service
- /etc/systemd/system/update-spamhaus-nftables.timer
- /usr/local/bin/aggregate-cidr-addresses.pl
notify:
- restart nftables
- restart fail2ban
- name: Copy nftables systemd units
ansible.builtin.copy:
src: "{{ item }}"
dest: /etc/systemd/system/{{ item }}
mode: "0644"
owner: root
group: root
loop:
- update-firehol-nftables.service
- update-firehol-nftables.timer
register: nftables_systemd_units
# need to reload to pick up service/timer/environment changes
- name: Reload systemd daemon
ansible.builtin.systemd: # noqa no-handler
daemon_reload: true
when: nftables_systemd_units is changed
- name: Start and enable nftables update timers
ansible.builtin.systemd:
name: "{{ item }}"
state: started
enabled: true
loop:
- update-firehol-nftables.timer
- name: Start and enable nftables
ansible.builtin.systemd:
name: nftables
state: started
enabled: true
# vim: set sw=2 ts=2:

22
roles/common/tasks/ntp.yml
View File

@ -1,18 +1,30 @@
--- ---
# Hosts running Ubuntu 16.04+ and Debian 9+ use systemd init system and should # Hosts running Ubuntu 16.04+ and Debian 9+ use systemd init system and should
# use timedatectl as a network time client instead of the standalone ntp client. # use systemd-timesyncd as a network time client instead of the standalone ntp
# client.
- name: Set timezone - name: Set timezone
when: timezone is defined and ansible_service_mgr == 'systemd' when:
command: /usr/bin/timedatectl set-timezone {{ timezone }} - timezone is defined
- ansible_service_mgr == 'systemd'
community.general.timezone:
name: "{{ timezone }}"
tags: timezone tags: timezone
# Apparently some cloud images don't have this installed by default. From what
# I can see on existing servers, systemd-timesyncd is a standalone package on
# Ubuntu 20.04 and Debian 11.
- name: Install systemd-timesyncd
when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_version
is version('11', '>='))
ansible.builtin.apt: name=systemd-timesyncd state=present cache_valid_time=3600
- name: Start and enable systemd's NTP client - name: Start and enable systemd's NTP client
when: ansible_service_mgr == 'systemd' when: ansible_service_mgr == 'systemd'
systemd: name=systemd-timesyncd state=started enabled=yes ansible.builtin.systemd: name=systemd-timesyncd state=started enabled=true
- name: Uninstall ntp on modern Ubuntu/Debian - name: Uninstall ntp on modern Ubuntu/Debian
apt: name=ntp state=absent update_cache=yes ansible.builtin.apt: name=ntp state=absent
when: ansible_service_mgr == 'systemd' when: ansible_service_mgr == 'systemd'
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

68
roles/common/tasks/packages_Debian.yml
View File

@ -1,37 +1,49 @@
--- ---
- name: Configure Debian packages
block:
# Scaleway seems to use a weird sources.list format as of Debian 12?
- name: Check for weird Debian sources
ansible.builtin.stat:
path: /etc/apt/sources.list.d/debian.sources
register: weird_debian_sources_stat
- block: - name: Configure apt mirror
- name: Configure apt mirror ansible.builtin.template: src=sources.list.j2 dest=/etc/apt/sources.list owner=root group=root mode=0644
template: src=sources.list.j2 dest=/etc/apt/sources.list owner=root group=root mode=0644 when:
- ansible_architecture != 'armv7l'
- not weird_debian_sources_stat
- name: Set fact for base packages - name: Set fact for base packages
set_fact: ansible.builtin.set_fact:
base_packages: base_packages:
- git - git
- tmux - git-lfs
- iotop - tmux
- htop - iotop
- strace - htop
- cron-apt - strace
- safe-rm - safe-rm
- debian-goodies - debian-goodies
- mosh - mosh
- python3-pycurl # for ansible's apt_repository - python3-pycurl # for ansible's apt_repository
- vim - vim
- unzip - unzip
- apt-transport-https # for https support in apt - apt-transport-https # for https support in apt
- gnupg2 - gnupg2
- zstd - zstd
- rsync
- lsof
- unattended-upgrades
- name: Install base packages - name: Install base packages
apt: name={{ base_packages }} state=present update_cache=yes cache_valid_time=3600 ansible.builtin.apt: name={{ base_packages }} state=present cache_valid_time=3600
- name: Configure cron-apt - name: Remove cron-apt
import_tasks: cron-apt.yml ansible.builtin.import_tasks: cron-apt.yml
tags: cron-apt tags: cron-apt
- name: Install tarsnap - name: Install tarsnap
import_tasks: tarsnap.yml ansible.builtin.import_tasks: tarsnap.yml
tags: packages tags: packages
# vim: set sw=2 ts=2: # vim: set sw=2 ts=2:

143
roles/common/tasks/packages_Ubuntu.yml
View File

@ -1,105 +1,60 @@
--- ---
- name: Configure Ubuntu packages
block:
- name: Configure apt mirror
ansible.builtin.template: src=sources.list.j2 dest=/etc/apt/sources.list owner=root group=root mode=0644
when: ansible_architecture != 'armv7l'
- block: - name: Upgrade base OS
- name: Configure apt mirror ansible.builtin.apt: upgrade=dist cache_valid_time=3600
template: src=sources.list.j2 dest=/etc/apt/sources.list owner=root group=root mode=0644
when: ansible_architecture != 'armv7l'
- name: Upgrade base OS - name: Set Ubuntu base packages
apt: upgrade=dist update_cache=yes cache_valid_time=3600 ansible.builtin.set_fact:
ubuntu_base_packages:
- git
- git-lfs
- tmux
- iotop
- htop
- strace
- cron-apt
- safe-rm
- debian-goodies
- mosh
- python-pycurl # for ansible's apt_repository
- vim
- unzip
- apt-transport-https # for https support in apt
- zstd
- rsync
- lsof
- name: Set Ubuntu base packages - name: Install base packages
set_fact: ansible.builtin.apt: pkg={{ ubuntu_base_packages }} state=present cache_valid_time=3600
ubuntu_base_packages:
- git
- tmux
- iotop
- htop
- strace
- cron-apt
- safe-rm
- debian-goodies
- mosh
- python-pycurl # for ansible's apt_repository
- vim
- unzip
- apt-transport-https # for https support in apt
- zstd
- name: Install base packages - name: Disable annoying Canonical spam in MOTD
apt: pkg={{ ubuntu_base_packages }} state=present update_cache=yes cache_valid_time=3600 ansible.builtin.file: path={{ item }} mode=0644 state=absent
loop:
- /etc/update-motd.d/99-esm # Ubuntu 14.04
- /etc/update-motd.d/10-help-text # Ubuntu 14.04+
- /etc/update-motd.d/50-motd-news # Ubuntu 18.04+
- /etc/update-motd.d/80-esm # Ubuntu 18.04+
- /etc/update-motd.d/80-livepatch # Ubuntu 18.04+
ignore_errors: true
# We have to remove snaps one by one in a specific order because some depend - name: Disable annoying Canonical spam in MOTD
# on others. Only after that can we remove the corresponding system packages. ansible.builtin.systemd: name={{ item }} state=stopped enabled=no
- name: Remove lxd snap when: ansible_service_mgr == 'systemd'
snap: name=lxd state=absent loop:
when: ansible_distribution_version is version('20.04', '==') - motd-news.service
ignore_errors: yes - motd-news.timer
- name: Remove core18 snap - name: Configure cron-apt
snap: name=core18 state=absent ansible.builtin.import_tasks: cron-apt.yml
when: ansible_distribution_version is version('20.04', '==') tags: cron-apt
ignore_errors: yes
- name: Remove snapd snap - name: Install tarsnap
snap: name=snapd state=absent ansible.builtin.import_tasks: tarsnap.yml
when: ansible_distribution_version is version('20.04', '==')
ignore_errors: yes
- name: Set fact for packages to remove (Ubuntu <= 18.04)
set_fact:
ubuntu_annoying_packages:
- whoopsie # security (CIS 4.1)
- apport # security (CIS 4.1)
- command-not-found # annoying
- command-not-found-data # annoying
- python3-commandnotfound # annoying
- snapd # annoying (Ubuntu >= 16.04)
- lxd # annoying (Ubuntu >= 16.04)
- lxd-client # annoying (Ubuntu >= 16.04)
- liblxc1 # annoying (Ubuntu >= 16.04)
- lxc-common # annoying (Ubuntu >= 16.04)
- lxcfs #annoying (Ubuntu >= 16.04)
when: ansible_distribution_version is version('18.04', '<=')
- name: Set fact for packages to remove (Ubuntu 20.04)
set_fact:
ubuntu_annoying_packages:
- whoopsie # security (CIS 4.1)
- apport # security (CIS 4.1)
- command-not-found # annoying
- command-not-found-data # annoying
- python3-commandnotfound # annoying
- snapd # annoying (Ubuntu >= 16.04)
- lxd-agent-loader # annoying (Ubuntu 20.04)
when: ansible_distribution_version is version('20.04', '==')
- name: Remove packages
apt: name={{ ubuntu_annoying_packages }} state=absent purge=yes
- name: Disable annoying Canonical spam in MOTD
file: path={{ item }} mode=0644 state=absent
loop:
- /etc/update-motd.d/99-esm # Ubuntu 14.04
- /etc/update-motd.d/10-help-text # Ubuntu 14.04+
- /etc/update-motd.d/50-motd-news # Ubuntu 18.04+
- /etc/update-motd.d/80-esm # Ubuntu 18.04+
- /etc/update-motd.d/80-livepatch # Ubuntu 18.04+
ignore_errors: yes
- name: Disable annoying Canonical spam in MOTD
systemd: name={{ item }} state=stopped enabled=no
when: ansible_service_mgr == 'systemd'
loop:
- motd-news.service
- motd-news.timer
- name: Configure cron-apt
import_tasks: cron-apt.yml
tags: cron-apt
- name: Install tarsnap
import_tasks: tarsnap.yml
tags: packages tags: packages
# vim: set sw=2 ts=2: # vim: set sw=2 ts=2:

4
roles/common/tasks/ssh-keys.yml
View File

@ -1,9 +1,9 @@
--- ---
- name: Zero .ssh/authorized_keys for provisioning user - name: Zero .ssh/authorized_keys for provisioning user
file: dest={{ provisioning_user.home }}/.ssh/authorized_keys state=absent ansible.builtin.file: dest={{ provisioning_user.home }}/.ssh/authorized_keys state=absent
- name: Add public keys to authorized_keys - name: Add public keys to authorized_keys
authorized_key: { user: '{{ provisioning_user.name }}', key: "{{ lookup('file',item) }}" } ansible.posix.authorized_key: { user: "{{ provisioning_user.name }}", key: "{{ lookup('file',item) }}" }
with_fileglob: with_fileglob:
# use descriptive names for keys, like: aorth-mzito-rsa.pub # use descriptive names for keys, like: aorth-mzito-rsa.pub
- ssh-pub-keys/*.pub - ssh-pub-keys/*.pub

34
roles/common/tasks/sshd.yml
View File

@ -1,20 +1,46 @@
--- ---
# SSH configs don't change in Debian minor versions # SSH configs don't change in Debian minor versions
- name: Reconfigure /etc/ssh/sshd_config - name: Reconfigure /etc/ssh/sshd_config
template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0600 ansible.builtin.template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root
mode=0600
when: ansible_distribution == 'Debian' when: ansible_distribution == 'Debian'
notify: reload sshd notify: reload sshd
# Ubuntu is the only distro we have where SSH version is very different from 14.04 -> 14.10, # Ubuntu is the only distro we have where SSH version is very different from 14.04 -> 14.10,
# ie with new ciphers supported etc. # ie with new ciphers supported etc.
- name: Reconfigure /etc/ssh/sshd_config - name: Reconfigure /etc/ssh/sshd_config
template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0600 ansible.builtin.template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0600
when: ansible_distribution == 'Ubuntu' when: ansible_distribution == 'Ubuntu'
notify: reload sshd notify: reload sshd
# See: WeakDH (2015): https://weakdh.org/sysadmin.html
- name: Remove small Diffie-Hellman SSH moduli
block:
- name: Check unsafe Diffie-Hellman SSH moduli
ansible.builtin.shell:
cmd: awk '$5 < 3071' moduli
chdir: /etc/ssh
creates: moduli.safe
register: check_unsafe_moduli
- name: Extract safe Diffie-Hellman SSH moduli
ansible.builtin.shell:
cmd: awk '$5 >= 3071' moduli > moduli.safe
chdir: /etc/ssh
creates: moduli.safe
when: check_unsafe_moduli.stdout | length > 0
register: extract_safe_moduli
- name: Replace unsafe Diffie-Hellman SSH moduli
ansible.builtin.command:
cmd: mv moduli.safe moduli
chdir: /etc/ssh
register: replace_small_moduli
when: extract_safe_moduli is changed
notify: reload sshd
- name: Remove DSA and ECDSA host keys - name: Remove DSA and ECDSA host keys
file: name=/etc/ssh/{{ item }} state=absent ansible.builtin.file: name=/etc/ssh/{{ item }} state=absent
loop: loop:
- ssh_host_dsa_key - ssh_host_dsa_key
- ssh_host_dsa_key.pub - ssh_host_dsa_key.pub

47
roles/common/tasks/tarsnap.yml
View File

@ -1,24 +1,45 @@
--- ---
- name: Add Tarsnap apt mirror - name: Check tarsnap apt signing key
template: src=tarsnap_sources.list.j2 dest=/etc/apt/sources.list.d/tarsnap.list owner=root group=root mode=0644 ansible.builtin.stat:
path: /etc/apt/keyrings/tarsnap-deb-packaging-key.asc
register: tarsnap_signing_key_stat
- name: Download tarsnap apt signing key
ansible.builtin.get_url:
url: https://pkg.tarsnap.com/tarsnap-deb-packaging-key.asc
dest: /etc/apt/keyrings/tarsnap-deb-packaging-key.asc
owner: root
group: root
mode: "0644"
register: download_tarsnap_signing_key
when: not tarsnap_signing_key_stat.stat.exists
- name: Add tarsnap.org repo
ansible.builtin.template:
src: tarsnap_sources.list.j2
dest: /etc/apt/sources.list.d/tarsnap.list
owner: root
group: root
mode: "0644"
register: add_tarsnap_apt_repository register: add_tarsnap_apt_repository
when: ansible_architecture != 'armv7l' when: ansible_architecture != 'armv7l'
- name: Add GPG key for Tarsnap
apt_key: id=0xFC72A10BF6B692AA url=https://pkg.tarsnap.com/tarsnap-deb-packaging-key.asc state=present
register: add_tarsnap_apt_key
- name: Update apt cache - name: Update apt cache
apt: ansible.builtin.apt: # noqa no-handler
update_cache: yes update_cache: true
when: when: (download_tarsnap_signing_key.status_code is defined and download_tarsnap_signing_key.status_code == 200) or add_tarsnap_apt_repository is changed
add_tarsnap_apt_key is changed or
add_tarsnap_apt_repository is changed
- name: Install tarsnap - name: Install tarsnap
apt: pkg=tarsnap cache_valid_time=3600 ansible.builtin.apt:
pkg: tarsnap
cache_valid_time: 3600
- name: Copy tarsnaprc - name: Copy tarsnaprc
copy: src=tarsnaprc dest=/root/.tarsnaprc owner=root group=root mode=0600 ansible.builtin.copy:
src: tarsnaprc
dest: /root/.tarsnaprc
owner: root
group: root
mode: "0600"
# vim: set sw=2 ts=2: # vim: set sw=2 ts=2:

13
roles/common/templates/etc/fail2ban/jail.d/nginx.local.j2 Normal file
View File

@ -0,0 +1,13 @@
[nginx]
enabled = true
# See: /etc/fail2ban/filter.d/nginx-botsearch.conf
filter = nginx-botsearch
# Integrate with nftables
banaction=nftables[type=allports]
backend = pyinotify
logpath = /var/log/nginx/*-access.log
# Try to find a non-existent wp-login.php once and get banned. Tough luck.
maxretry = 1
findtime = {{ fail2ban_findtime }}
bantime = {{ fail2ban_bantime }}
ignoreip = {{ fail2ban_ignoreip }}

4
roles/common/templates/etc/fail2ban/jail.d/sshd.local.j2
View File

@ -2,8 +2,8 @@
enabled = true enabled = true
# See: /etc/fail2ban/filter.d/sshd.conf # See: /etc/fail2ban/filter.d/sshd.conf
filter = sshd filter = sshd
# Integrate with firewalld and ipsets # Integrate with nftables
banaction = firewallcmd-ipset banaction=nftables[type=allports]
backend = systemd backend = systemd
maxretry = {{ fail2ban_maxretry }} maxretry = {{ fail2ban_maxretry }}
findtime = {{ fail2ban_findtime }} findtime = {{ fail2ban_findtime }}

8
roles/common/templates/etc/systemd/system/fail2ban.service.d/override.conf.j2
View File

@ -1,15 +1,19 @@
[Unit]
# If nftables is stopped or restarted, propagate to fail2ban as well
PartOf=nftables.service
[Service] [Service]
PrivateDevices=yes PrivateDevices=yes
PrivateTmp=yes PrivateTmp=yes
ProtectHome=read-only ProtectHome=read-only
{% if ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=') %} {% if (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11','>=')) %}
ProtectSystem=strict ProtectSystem=strict
{% else %} {% else %}
{# Older systemd versions don't have ProtectSystem=strict #} {# Older systemd versions don't have ProtectSystem=strict #}
ProtectSystem=full ProtectSystem=full
{% endif %} {% endif %}
NoNewPrivileges=yes NoNewPrivileges=yes
{% if ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=') %} {% if (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11','>=')) %}
ReadWritePaths=-/var/run/fail2ban ReadWritePaths=-/var/run/fail2ban
ReadWritePaths=-/var/lib/fail2ban ReadWritePaths=-/var/lib/fail2ban
ReadWritePaths=-/var/log/fail2ban.log ReadWritePaths=-/var/log/fail2ban.log

75
roles/common/templates/nftables.conf.j2 Executable file
View File

@ -0,0 +1,75 @@
#!/usr/sbin/nft -f
#
# Initially based on: https://wiki.nftables.org/wiki-nftables/index.php/Simple_ruleset_for_a_server
#
flush ruleset
# List updated daily by update-firehol-nftables.sh
include "/etc/nftables/firehol_level1-ipv4.nft"
# Notes:
# - tables hold chains, chains hold rules
# - inet is for both ipv4 and ipv6
table inet filter {
set firehol_level1-ipv4 {
type ipv4_addr
# if the set contains prefixes we need to use the interval flag
flags interval
elements = $FIREHOL_LEVEL1_IPV4
}
chain input {
type filter hook input priority 0;
ct state {established, related} accept comment "Allow traffic from established and related packets"
ct state invalid counter drop comment "Early drop of invalid connections"
ip saddr @firehol_level1-ipv4 counter drop comment "Early drop of incoming packets matching firehol_level1-ipv4 list"
iifname lo accept comment "Allow from loopback"
ip protocol icmp limit rate 4/second accept comment "Allow ICMP"
ip6 nexthdr ipv6-icmp limit rate 4/second accept comment "Allow IPv6 ICMP"
ip protocol igmp limit rate 4/second accept comment "Allow IGMP"
{# SSH rules #}
ip saddr 0.0.0.0/0 ct state new tcp dport 22 counter accept comment "Allow SSH"
ip6 saddr ::/0 ct state new tcp dport 22 counter accept comment "Allow SSH"
{# Web rules #}
{% if 'web' in group_names %}
ip saddr 0.0.0.0/0 ct state new tcp dport 80 counter accept comment "Allow HTTP"
ip saddr 0.0.0.0/0 ct state new tcp dport 443 counter accept comment "Allow HTTPS"
ip6 saddr ::/0 ct state new tcp dport 80 counter accept comment "Allow HTTP"
ip6 saddr ::/0 ct state new tcp dport 443 counter accept comment "Allow HTTPS"
{% endif %}
ip saddr 0.0.0.0/0 ct state new udp dport 60001-60003 counter accept comment "Allow mosh"
ip6 saddr ::/0 ct state new udp dport 60001-60003 counter accept comment "Allow mosh"
{# Extra rules #}
{% if extra_iptables_rules is defined %}
{% for rule in extra_iptables_rules %}
ip saddr {{ ghetto_ipsets[rule.acl].src }} ct state new {{ rule.protocol }} dport {{ rule.port }} counter accept
{% if ghetto_ipsets[rule.acl].ipv6src is defined %}
ip6 saddr {{ ghetto_ipsets[rule.acl].ipv6src }} ct state new {{ rule.protocol }} dport {{ rule.port }} counter accept
{% endif %}
{% endfor %}
{% endif %}
# everything else
reject with icmpx type port-unreachable
}
chain forward {
type filter hook forward priority 0;
}
chain output {
type filter hook output priority 0;
ip daddr @firehol_level1-ipv4 counter drop comment "Drop outgoing packets matching firehol_level1-ipv4 list"
}
}

72
roles/common/templates/public.xml.j2
View File

@ -1,72 +0,0 @@
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<interface name="{{ ansible_default_ipv4.interface }}"/>
{# ssh rules #}
<rule family="ipv4">
<source address="0.0.0.0/0"/>
<port protocol="tcp" port="22"/>
<accept/>
</rule>
{# ipv6 ssh rules #}
<rule family="ipv6">
<source address="::/0"/>
<port protocol="tcp" port="22"/>
<accept/>
</rule>
{# web rules #}
<rule family="ipv4">
<source address="0.0.0.0/0"/>
<port protocol="tcp" port="80"/>
<accept/>
</rule>
{# ipv6 web rules #}
<rule family="ipv6">
<source address="::/0"/>
<port protocol="tcp" port="80"/>
<accept/>
</rule>
{# munin rules #}
{% if munin_master_host is defined %}
<rule family="ipv4">
<source address="{{ ghetto_ipsets[munin_master_host].src }}"/>
<port protocol="tcp" port="{{ munin_node_port }}"/>
<accept/>
</rule>
{% endif %}
{# extra rules #}
{% if extra_iptables_rules is defined %}
{% for rule in extra_iptables_rules %}
<rule family="ipv4">
<source address="{{ ghetto_ipsets[rule.acl].src }}"/>
<port protocol="{{ rule.protocol }}" port="{{ rule.port }}"/>
<accept/>
</rule>
{# ipv6 extra rules #}
{% if ghetto_ipsets[rule.acl].ipv6src is defined %}
<rule family="ipv6">
<source address="{{ ghetto_ipsets[rule.acl].ipv6src }}"/>
<port protocol="{{ rule.protocol }}" port="{{ rule.port }}"/>
<accept/>
</rule>
{% endif %}
{% endfor %}
{% endif %}
<rule>
<source ipset="abusers-ipv4"/>
<drop/>
</rule>
<rule>
<source ipset="abusers-ipv6"/>
<drop/>
</rule>
</zone>

14
roles/common/templates/rc.local_Ubuntu.j2
View File

@ -1,14 +0,0 @@
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
exit 0

5
roles/common/templates/security.sources.list.j2
View File

@ -1,5 +0,0 @@
{% if ansible_distribution == 'Ubuntu' %}
deb http://security.ubuntu.com/ubuntu {{ ansible_distribution_release }}-security main restricted universe multiverse
{% elif ansible_distribution == 'Debian' %}
deb http://security.debian.org/debian-security {{ ansible_distribution_release }}/updates main contrib non-free
{% endif %}

2
roles/common/templates/sources.list.j2
View File

@ -9,7 +9,7 @@ deb http://security.ubuntu.com/ubuntu/ {{ ansible_distribution_release }}-securi
{% set apt_mirror = apt_mirror | default('deb.debian.org') %} {% set apt_mirror = apt_mirror | default('deb.debian.org') %}
deb http://{{ apt_mirror }}/debian/ {{ ansible_distribution_release }} main contrib non-free deb http://{{ apt_mirror }}/debian/ {{ ansible_distribution_release }} main contrib non-free
deb http://security.debian.org/debian-security {{ ansible_distribution_release }}/updates main contrib non-free deb http://security.debian.org/debian-security {{ ansible_distribution_release }}-security main contrib non-free
deb http://{{ apt_mirror }}/debian/ {{ ansible_distribution_release }}-updates main contrib non-free deb http://{{ apt_mirror }}/debian/ {{ ansible_distribution_release }}-updates main contrib non-free

33
roles/common/templates/sshd_config_Ubuntu-18.04.j2 → roles/common/templates/sshd_config_Debian-11.j2
View File

@ -1,4 +1,4 @@
# $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $ # $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See # This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information. # sshd_config(5) for more information.
@ -10,6 +10,8 @@
# possible, but leave them commented. Uncommented options override the # possible, but leave them commented. Uncommented options override the
# default value. # default value.
Include /etc/ssh/sshd_config.d/*.conf
#Port 22 #Port 22
#AddressFamily any #AddressFamily any
#ListenAddress 0.0.0.0 #ListenAddress 0.0.0.0
@ -54,7 +56,11 @@ AuthorizedKeysFile .ssh/authorized_keys
#IgnoreRhosts yes #IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here! # To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes {% if ssh_password_authentication == 'disabled' %}
PasswordAuthentication no
{% else %}
PasswordAuthentication yes
{% endif %}
#PermitEmptyPasswords no #PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with # Change to yes to enable challenge-response passwords (beware issues with
@ -94,7 +100,6 @@ X11Forwarding no
PrintMotd no PrintMotd no
#PrintLastLog yes #PrintLastLog yes
#TCPKeepAlive yes #TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no #PermitUserEnvironment no
#Compression delayed #Compression delayed
#ClientAliveInterval 0 #ClientAliveInterval 0
@ -122,12 +127,20 @@ Subsystem sftp /usr/lib/openssh/sftp-server
# PermitTTY no # PermitTTY no
# ForceCommand cvs server # ForceCommand cvs server
# Originally from: https://stribika.github.io/2015/01/04/secure-secure-shell.html # Based on the ssh-audit profile for OpenSSH 8.4, but with but with all algos
# ... but with ciphers and MACs with < 256 bits removed, as NSA's Suite B now # with less than 256 bits removed, as NSA's Suite B removed them years ago and
# does away with these! See: https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml # the new (2018) CNSA suite is 256 bits and up.
#
# See: https://github.com/jtesta/ssh-audit/blob/master/src/ssh_audit/policy.py
# See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256 MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
# only allow shell access by provisioning user {% if ssh_allowed_users is defined and ssh_allowed_users %}
AllowUsers {{ provisioning_user.name }} # Is there a list of allowed users?
# Is it populated? (An empty list is 'None', which evaluates as False in Python)
# merge the items of a list into one string using a space as a separator
# http://jinja.pocoo.org/docs/dev/templates/#join
AllowUsers {{ ssh_allowed_users|join(" ") }} {{ provisioning_user.name }}
{% endif %}

146
roles/common/templates/sshd_config_Debian-12.j2 Normal file
View File

@ -0,0 +1,146 @@
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/bin:/usr/games
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
LogLevel VERBOSE
# Authentication:
#LoginGraceTime 2m
PermitRootLogin prohibit-password
#StrictModes yes
MaxAuthTries 4
#MaxSessions 10
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
{% if ssh_password_authentication == 'disabled' %}
PasswordAuthentication no
{% else %}
PasswordAuthentication yes
{% endif %}
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
KbdInteractiveAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin prohibit-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
# Based on the ssh-audit profile for OpenSSH 9.2, but with but with all algos
# with less than 256 bits removed, as NSA's Suite B removed them years ago and
# the new (2018) CNSA suite is 256 bits and up.
#
# See: https://github.com/jtesta/ssh-audit/blob/master/src/ssh_audit/policy.py
# See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
{% if ssh_allowed_users is defined and ssh_allowed_users %}
# Is there a list of allowed users?
# Is it populated? (An empty list is 'None', which evaluates as False in Python)
# merge the items of a list into one string using a space as a separator
# http://jinja.pocoo.org/docs/dev/templates/#join
AllowUsers {{ ssh_allowed_users|join(" ") }} {{ provisioning_user.name }}
{% endif %}

11
roles/common/templates/sshd_config_Ubuntu-20.04.j2
View File

@ -56,7 +56,11 @@ AuthorizedKeysFile .ssh/authorized_keys
#IgnoreRhosts yes #IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here! # To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes {% if ssh_password_authentication == 'disabled' %}
PasswordAuthentication no
{% else %}
PasswordAuthentication yes
{% endif %}
#PermitEmptyPasswords no #PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with # Change to yes to enable challenge-response passwords (beware issues with
@ -122,14 +126,13 @@ Subsystem sftp /usr/lib/openssh/sftp-server
# AllowTcpForwarding no # AllowTcpForwarding no
# PermitTTY no # PermitTTY no
# ForceCommand cvs server # ForceCommand cvs server
PasswordAuthentication yes
# Originally from: https://stribika.github.io/2015/01/04/secure-secure-shell.html # Originally from: https://stribika.github.io/2015/01/04/secure-secure-shell.html
# ... but with ciphers and MACs with < 256 bits removed, as NSA's Suite B now # ... but with ciphers and MACs with < 256 bits removed, as NSA's Suite B now
# does away with these! See: https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml # does away with these! See: https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256 MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
{% if ssh_allowed_users is defined and ssh_allowed_users %} {% if ssh_allowed_users is defined and ssh_allowed_users %}
# Is there a list of allowed users? # Is there a list of allowed users?

2
roles/common/templates/tarsnap_sources.list.j2
View File

@ -1 +1 @@
deb [arch=amd64] https://pkg.tarsnap.com/deb/{{ ansible_distribution_release }} ./ deb [arch=amd64 signed-by=/etc/apt/keyrings/tarsnap-deb-packaging-key.asc] https://pkg.tarsnap.com/deb/{{ ansible_distribution_release }} ./

65
roles/common/templates/update-firehol-nftables.sh.j2 Executable file
View File

@ -0,0 +1,65 @@
#!/usr/bin/env bash
#
# update-firehol-nftables.sh v0.0.1
#
# Download FireHOL lists and load them into nftables sets.
#
# See: https://iplists.firehol.org/
#
# Copyright (C) 2025 Alan Orth
#
# SPDX-License-Identifier: GPL-3.0-only
# Exit on first error
set -o errexit
firehol_level1_ipv4_set_path=/etc/nftables/firehol_level1-ipv4.nft
function download() {
echo "Downloading $1"
wget -q -O - "https://iplists.firehol.org/files/$1" > "$1"
}
download firehol_level1.netset
if [[ -f "firehol_level1.netset" ]]; then
echo "Processing FireHOL Level 1 list"
firehol_level1_ipv4_list_temp=$(mktemp)
firehol_level1_ipv4_set_temp=$(mktemp)
# Filter blank lines, comments, and bogons we use inside the LAN, DMZ, and
# for local services like systemd-resolved and others on localhost. Ideally
# these are blocked already at the WAN side by network administrators.
cat firehol_level1.netset \
| sed \
-e '/^$/d' \
-e '/^#.*/d' \
-e '/^127\.0\.0\.0\/8/d' \
> "$firehol_level1_ipv4_list_temp"
echo "Building firehol_level1-ipv4 set"
cat << NFT_HEAD > "$firehol_level1_ipv4_set_temp"
#!/usr/sbin/nft -f
define FIREHOL_LEVEL1_IPV4 = {
NFT_HEAD
while read -r network; do
# nftables doesn't mind if the last element in the set has a trailing
# comma so we don't need to do anything special here.
echo "$network," >> "$firehol_level1_ipv4_set_temp"
done < $firehol_level1_ipv4_list_temp
echo "}" >> "$firehol_level1_ipv4_set_temp"
install -m 0600 "$firehol_level1_ipv4_set_temp" "$firehol_level1_ipv4_set_path"
rm -f "$firehol_level1_ipv4_list_temp" "$firehol_level1_ipv4_set_temp"
fi
echo "Restarting nftables"
/usr/bin/systemctl restart nftables.service
rm -v firehol_level1.netset

19
roles/mariadb/defaults/main.yml
View File

@ -1,12 +1,11 @@
--- ---
# file: roles/mariadb/defaults/main.yml # ansible.builtin.file: roles/mariadb/defaults/main.yml
# #
# Based on my running of mysqltuner.pl on a host with three WordPress databases # Based on my running of mysqltuner.pl on a host with three WordPress databases
# and a Piwik instance monitoring three sites.
# #
# default is 128MB but is a waste because it seems only the mysql table uses it # default is 128MB but is a waste because it seems only the mysql table uses it
key_buffer_size: 32M key_buffer_size: 8M
# default is 128MB but is a waste because it seems only information_schema uses # default is 128MB but is a waste because it seems only information_schema uses
# AriaDB, see: https://mariadb.com/kb/en/mariadb/aria-system-variables # AriaDB, see: https://mariadb.com/kb/en/mariadb/aria-system-variables
@ -15,16 +14,20 @@ aria_pagecache_buffer_size: 8M
# default is 128M, but set to at least the size of your InnoDB data # default is 128M, but set to at least the size of your InnoDB data
innodb_buffer_pool_size: 256M innodb_buffer_pool_size: 256M
# Unless you have a pool size over 1GB, use a single instance
# See: https://mariadb.com/kb/en/mariadb/xtradbinnodb-server-system-variables
innodb_buffer_pool_instances: 1
# Ansible 2.7.x with PyMySQL seems to default to TCP connection so we should # Ansible 2.7.x with PyMySQL seems to default to TCP connection so we should
# force it to use a Unix socket. # force it to use a Unix socket.
# See: https://github.com/ansible/ansible/issues/47736 # See: https://github.com/ansible/ansible/issues/47736
mariadb_login_unix_socket: /var/run/mysqld/mysqld.sock mariadb_login_unix_socket: /run/mysqld/mysqld.sock
# default is 100 but the max I've seen used is 5, so let's reduce it # default is 100 but the max I've seen used is 5, so let's reduce it
max_connections: 33 max_connections: 33
# disable the query cache by default
query_cache_size: 0
query_cache_type: 0
# mysqltuner says we should use larger than 32M on our setup
tmp_table_size: 64M
max_heap_table_size: 64M
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

4
roles/mariadb/handlers/main.yml
View File

@ -1,5 +1,5 @@
--- ---
- name: restart mysql - name: restart mariadb
systemd: name=mysql state=restarted ansible.builtin.systemd: name=mariadb state=restarted
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

104
roles/mariadb/tasks/main.yml
View File

@ -1,57 +1,109 @@
--- ---
- name: Add GPG key for MariaDB repo - name: Remove MariaDB key from apt-key
apt_key: id=0x177F4010FE56CA3336300305F1656F24C74CD1D8 url=https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x177F4010FE56CA3336300305F1656F24C74CD1D8 ansible.builtin.apt_key:
register: add_mariadb_apt_key id: "013577200103762554506315430003013705453362230723150730"
tags: mariadb, packages state: absent
tags:
- packages
- mariadb
- name: Add MariaDB 10.4 repo - name: Check MariaDB package signing key
template: src=mariadb.list.j2 dest=/etc/apt/sources.list.d/mariadb.list owner=root group=root mode=0644 ansible.builtin.stat:
path: /etc/apt/keyrings/mariadb_release_signing_key.asc
register: mariadb_signing_key_stat
tags:
- packages
- mariadb
- name: Download MariaDB package signing key
ansible.builtin.get_url:
url: https://mariadb.org/mariadb_release_signing_key.asc
dest: /etc/apt/keyrings/mariadb_release_signing_key.asc
owner: root
group: root
mode: "0644"
register: download_mariadb_signing_key
when: not mariadb_signing_key_stat.stat.exists
tags:
- packages
- mariadb
- name: Add MariaDB 10.11 repo
ansible.builtin.apt_repository:
repo: deb [arch=amd64 signed-by=/etc/apt/keyrings/mariadb_release_signing_key.asc] https://dlm.mariadb.com/repo/mariadb-server/10.11/repo/debian {{ ansible_distribution_release
}} main
filename: mariadb
state: present
register: add_mariadb_apt_repository register: add_mariadb_apt_repository
tags: mariadb, packages tags:
- packages
- mariadb
- name: Update apt cache - name: Update apt cache
apt: ansible.builtin.apt: # noqa no-handler
update_cache: yes update_cache: true
when: when: (download_mariadb_signing_key.status_code is defined and download_mariadb_signing_key.status_code == 200) or add_mariadb_apt_repository is changed
add_mariadb_apt_key is changed or tags:
add_mariadb_apt_repository is changed - packages
- mariadb
- name: Install mariadb-server - name: Install mariadb-server
apt: name={{ item }} state=present cache_valid_time=3600 ansible.builtin.apt:
loop: name: [mariadb-server, python3-pymysql]
- mariadb-server state: present
- python3-pymysql # for ansible cache_valid_time: 3600
tags: mariadb, packages tags: mariadb, packages
- name: Create system my.cnf - name: Create system my.cnf
template: src=my.cnf.j2 dest=/etc/mysql/my.cnf owner=root group=root mode=0644 ansible.builtin.template:
src: my.cnf.j2
dest: /etc/mysql/my.cnf
owner: root
group: root
mode: "0644"
notify: notify:
- restart mysql - restart mariadb
tags: mariadb tags: mariadb
# 'localhost' needs to be the last item for idempotency, see # See: https://docs.ansible.com/ansible/latest/collections/community/mysql/mysql_user_module.html
# https://docs.ansible.com/ansible/latest/mysql_user_module.html
- name: Update MariaDB root password for all root accounts - name: Update MariaDB root password for all root accounts
mysql_user: name=root host={{ item }} password={{ mariadb_root_password }} login_unix_socket={{ mariadb_login_unix_socket }} community.mysql.mysql_user:
name: root
host: "{{ item }}"
password: "{{ mariadb_root_password }}"
login_unix_socket: "{{ mariadb_login_unix_socket }}"
loop: loop:
- "{{ inventory_hostname }}"
- 127.0.0.1 - 127.0.0.1
- ::1 - ::1
- localhost
tags: mariadb tags: mariadb
- name: Create .my.conf file with root credentials - name: Create .my.conf file with root credentials
template: src=.my.cnf.j2 dest=/root/.my.cnf owner=root mode=0600 ansible.builtin.template:
src: .my.cnf.j2
dest: /root/.my.cnf
owner: root
mode: "0600"
tags: mariadb tags: mariadb
# See: https://docs.ansible.com/ansible/latest/collections/community/mysql/mysql_db_module.html
- name: Create MariaDB database(s) - name: Create MariaDB database(s)
mysql_db: db={{ item.name }} state=present encoding=utf8mb4 community.mysql.mysql_db:
db: "{{ item.name }}"
state: present
encoding: utf8mb4
login_unix_socket: "{{ mariadb_login_unix_socket }}"
loop: "{{ mariadb_databases }}" loop: "{{ mariadb_databases }}"
when: mariadb_databases is defined when: mariadb_databases is defined
tags: mariadb tags: mariadb
- name: Create MariaDB user(s) - name: Create MariaDB user(s)
mysql_user: name={{ item.user }} password={{ item.pass }} priv={{ item.name }}.*:ALL state=present community.mysql.mysql_user:
name: "{{ item.user }}"
password: "{{ item.pass }}"
priv: "{{ item.name }}.*:ALL"
host: 127.0.0.1
state: present
login_unix_socket: "{{ mariadb_login_unix_socket }}"
loop: "{{ mariadb_databases }}" loop: "{{ mariadb_databases }}"
when: mariadb_databases is defined when: mariadb_databases is defined
tags: mariadb tags: mariadb

3
roles/mariadb/templates/mariadb.list.j2
View File

@ -1,3 +0,0 @@
{{ ansible_managed | comment }}
deb [arch=amd64] http://mirror.23media.de/mariadb/repo/10.4/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} main

23
roles/mariadb/templates/my.cnf.j2
View File

@ -19,14 +19,14 @@
# Remember to edit /etc/mysql/debian.cnf when changing the socket location. # Remember to edit /etc/mysql/debian.cnf when changing the socket location.
[client] [client]
port = 3306 port = 3306
socket = /var/run/mysqld/mysqld.sock socket = /run/mysqld/mysqld.sock
# Here is entries for some specific programs # Here is entries for some specific programs
# The following values assume you have at least 32M ram # The following values assume you have at least 32M ram
# This was formally known as [safe_mysqld]. Both versions are currently parsed. # This was formally known as [safe_mysqld]. Both versions are currently parsed.
[mysqld_safe] [mysqld_safe]
socket = /var/run/mysqld/mysqld.sock socket = /run/mysqld/mysqld.sock
nice = 0 nice = 0
[mysqld] [mysqld]
@ -34,8 +34,8 @@ nice = 0
# * Basic Settings # * Basic Settings
# #
user = mysql user = mysql
pid-file = /var/run/mysqld/mysqld.pid pid-file = /run/mysqld/mysqld.pid
socket = /var/run/mysqld/mysqld.sock socket = /run/mysqld/mysqld.sock
port = 3306 port = 3306
basedir = /usr basedir = /usr
datadir = /var/lib/mysql datadir = /var/lib/mysql
@ -47,6 +47,10 @@ skip-external-locking
# Instead of skip-networking the default is now to listen only on # Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure. # localhost which is more compatible and is not less secure.
bind-address = 127.0.0.1 bind-address = 127.0.0.1
# don't resolve connection IPs to hostnames (make sure user accounts are using
# IPs instead of "localhost")
skip-name-resolve=1
# #
# * Fine Tuning # * Fine Tuning
# #
@ -57,8 +61,8 @@ max_allowed_packet = 16M
thread_cache_size = 128 thread_cache_size = 128
sort_buffer_size = 4M sort_buffer_size = 4M
bulk_insert_buffer_size = 16M bulk_insert_buffer_size = 16M
tmp_table_size = 32M tmp_table_size = {{ tmp_table_size }}
max_heap_table_size = 32M max_heap_table_size = {{ max_heap_table_size }}
# #
# * MyISAM # * MyISAM
# #
@ -75,11 +79,9 @@ read_rnd_buffer_size = 1M
# #
# * Query Cache Configuration # * Query Cache Configuration
# #
# Cache only tiny result sets, so we can fit more in the query cache.
query_cache_limit = 128K query_cache_limit = 128K
query_cache_size = 64M query_cache_size = {{ query_cache_size }}
# for more write intensive setups, set to DEMAND or OFF query_cache_type = {{ query_cache_type }}
#query_cache_type = DEMAND
# #
# * Logging and Replication # * Logging and Replication
# #
@ -141,7 +143,6 @@ innodb_file_per_table = 1
innodb_open_files = 400 innodb_open_files = 400
innodb_io_capacity = 400 innodb_io_capacity = 400
innodb_flush_method = O_DIRECT innodb_flush_method = O_DIRECT
innodb_buffer_pool_instances = {{ innodb_buffer_pool_instances }}
aria_pagecache_buffer_size = {{ aria_pagecache_buffer_size }} aria_pagecache_buffer_size = {{ aria_pagecache_buffer_size }}
# #

4
roles/munin/handlers/main.yml
View File

@ -1,4 +1,4 @@
--- ---
# file: roles/munin/handlers/main.yml # ansible.builtin.file: roles/munin/handlers/main.yml
- name: restart munin-node - name: restart munin-node
systemd: name=munin-node state=restarted ansible.builtin.systemd: name=munin-node state=restarted

4
roles/munin/tasks/main.yml
View File

@ -1,8 +1,8 @@
--- ---
- name: Configure munin scraper - name: Configure munin scraper
import_tasks: munin.yml ansible.builtin.import_tasks: munin.yml
tags: munin tags: munin
- name: Configure munin listener - name: Configure munin listener
import_tasks: munin-node.yml ansible.builtin.import_tasks: munin-node.yml
tags: munin-node tags: munin-node

10
roles/munin/tasks/munin-node.yml
View File

@ -1,25 +1,25 @@
--- ---
- name: Install munin-node - name: Install munin-node
apt: name=munin-node state=present ansible.builtin.apt: name=munin-node state=present
tags: packages tags: packages
# some nice things to have for munin-node on Ubuntu # some nice things to have for munin-node on Ubuntu
# libwww-perl: for munin's nginx_status check # libwww-perl: for munin's nginx_status check
- name: Install munin-node deps - name: Install munin-node deps
apt: name=libwww-perl state=present ansible.builtin.apt: name=libwww-perl state=present
tags: packages tags: packages
- name: Create munin-node.conf - name: Create munin-node.conf
template: src=munin-node.conf.j2 dest=/etc/munin/munin-node.conf ansible.builtin.template: src=munin-node.conf.j2 dest=/etc/munin/munin-node.conf
notify: notify:
- restart munin-node - restart munin-node
- name: Configure munin-node - name: Configure munin-node
shell: munin-node-configure --shell --families=contrib,auto | sh -x ansible.builtin.shell: munin-node-configure --shell --families=contrib,auto | sh -x
notify: notify:
- restart munin-node - restart munin-node
- name: Start munin-node - name: Start munin-node
systemd: name=munin-node state=started enabled=true ansible.builtin.systemd: name=munin-node state=started enabled=true
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

4
roles/munin/tasks/munin.yml
View File

@ -1,9 +1,9 @@
--- ---
- name: Install munin package - name: Install munin package
apt: name=munin state=present ansible.builtin.apt: name=munin state=present
tags: packages tags: packages
- name: Create munin configuration file - name: Create munin configuration file
template: src=munin.conf.j2 dest=/etc/munin/munin.conf owner=root group=root mode=0644 ansible.builtin.template: src=munin.conf.j2 dest=/etc/munin/munin.conf owner=root group=root mode=0644
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

39
roles/nginx/defaults/main.yml
View File

@ -1,37 +1,44 @@
--- ---
# file: roles/nginx/defaults/main.yml # ansible.builtin.file: roles/nginx/defaults/main.yml
# path config # path config
nginx_confd_path: /etc/nginx/conf.d nginx_confd_path: /etc/nginx/conf.d
# parent directory of vhost roots # parent directory of vhost roots
nginx_root_prefix: /var/www nginx_root_prefix: "{{ web_root_prefix }}"
# 1 hour timeout # 1 day timeout
nginx_ssl_session_timeout: 1h nginx_ssl_session_timeout: 1d
# 10MB -> 40,000 sessions # 10MB -> 40,000 sessions
nginx_ssl_session_cache: shared:SSL:10m nginx_ssl_session_cache: shared:SSL:10m
# 1400 bytes to fit in one MTU (default is 16k!) nginx_ssl_buffer_size: 4k
nginx_ssl_buffer_size: 1400
nginx_ssl_dhparam: /etc/ssl/certs/dhparam.pem nginx_ssl_dhparam: /etc/ssl/certs/dhparam.pem
nginx_ssl_protocols: 'TLSv1.2 TLSv1.3' nginx_ssl_protocols: TLSv1.2 TLSv1.3
nginx_ssl_ecdh_curve: X25519:prime256v1:secp384r1
# DNS resolvers for OCSP stapling (default to Cloudflare public DNS) # DNS resolvers for OCSP stapling (default to Cloudflare public DNS)
# See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling # See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
nginx_ssl_stapling_resolver: '1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]' nginx_ssl_stapling_resolver: 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]
# install certbot + dependencies? # HTTP Strict-Transport-Security header, recommended by Google to be ~1 year
# True unless you're in development and using "localhost" + snakeoil certs # in seconds, see: https://hstspreload.org/
use_letsencrypt: True nginx_hsts_max_age: 31536000
# install acme.sh?
# true unless you're in development and using "localhost" + snakeoil certs
use_letsencrypt: true
# Directory root for Let's Encrypt certs # Directory root for Let's Encrypt certs
letsencrypt_root: /etc/letsencrypt/live letsencrypt_root: /etc/ssl
# Location of Let's Encrypt's certbot script # Location where to save initial acme.sh script. After installation the script
letsencrypt_certbot_dest: /opt/certbot-auto # will automatically create its home in the /root/.acme.sh directory (including
# a copy of the script itself). The initial script is not needed after.
letsencrypt_acme_script_temp: /root/acme.sh
letsencrypt_acme_home: /root/.acme.sh
# stable is 1.18.x # stable is 1.26.x
# mainline is 1.19.x # mainline is 1.27.x
nginx_version: mainline nginx_version: mainline
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

3
roles/nginx/files/extra-security.conf
View File

@ -15,3 +15,6 @@ add_header X-XSS-Protection "1; mode=block" always;
# CSP can be quite difficult to configure, and cause real issues if you get it wrong # CSP can be quite difficult to configure, and cause real issues if you get it wrong
# There is website that helps you generate a policy here http://cspisawesome.com/ # There is website that helps you generate a policy here http://cspisawesome.com/
# add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' https://www.google-analytics.com;" always; # add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' https://www.google-analytics.com;" always;
# Opt this site out of Google Chrome's Federated Learning of Cohorts (FLoC)
add_header Permissions-Policy interest-cohort=() always;

3
roles/nginx/files/start-nginx.sh
View File

@ -1,3 +0,0 @@
#!/usr/bin/env bash
/bin/systemctl start nginx

3
roles/nginx/files/stop-nginx.sh
View File

@ -1,3 +0,0 @@
#!/usr/bin/env bash
/bin/systemctl stop nginx

2
roles/nginx/handlers/main.yml
View File

@ -1,5 +1,5 @@
--- ---
- name: reload nginx - name: reload nginx
systemd: name=nginx state=reloaded ansible.builtin.systemd: name=nginx state=reloaded
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

197
roles/nginx/tasks/letsencrypt.yml
View File

@ -1,137 +1,90 @@
--- ---
# Use acme.sh instead of certbot because they only support installation via
# snap now.
- block: - block:
- name: Copy systemd service to renew Let's Encrypt certs - name: Remove certbot
template: src=renew-letsencrypt.service.j2 dest=/etc/systemd/system/renew-letsencrypt.service mode=0644 owner=root group=root ansible.builtin.apt:
name: certbot
state: absent
- name: Copy systemd timer to renew Let's Encrypt certs - name: Remove old certbot post and pre hooks for nginx
copy: src=renew-letsencrypt.timer dest=/etc/systemd/system/renew-letsencrypt.timer mode=0644 owner=root group=root ansible.builtin.file:
dest: "{{ item }}"
state: absent
with_items:
- /etc/letsencrypt/renewal-hooks/pre/stop-nginx.sh
- /etc/letsencrypt/renewal-hooks/post/start-nginx.sh
# always issues daemon-reload just in case the server/timer changed - name: Check if acme.sh is installed
- name: Start and enable systemd timer to renew Let's Encrypt certs ansible.builtin.stat:
systemd: name=renew-letsencrypt.timer state=started enabled=yes daemon_reload=yes path: "{{ letsencrypt_acme_home }}"
register: acme_home
- name: Download certbot - name: Download acme.sh
get_url: dest={{ letsencrypt_certbot_dest }} url=https://dl.eff.org/certbot-auto mode=700 ansible.builtin.get_url:
url: https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh
dest: "{{ letsencrypt_acme_script_temp }}"
mode: "0700"
register: acme_download
when: not acme_home.stat.exists
# Dependencies certbot checks for on its first run. I set them in a fact so that # Run the "install" for acme.sh so it creates the .acme.sh dir (currently I
# I can pass the list directly to the apt module to install in one transaction. # have to chdir to the /root directory where the script exists or else it
- name: Set certbot dependencies (Debian 10) # fails. Ansible runs it, but the script can't find itself...).
when: ansible_distribution == 'Debian' and ansible_distribution_major_version is version('10', '==') - name: Install acme.sh
set_fact: ansible.builtin.command:
certbot_dependencies: cmd: "{{ letsencrypt_acme_script_temp }} --install --no-profile --no-cron"
- augeas-lenses creates: "{{ letsencrypt_acme_home }}/acme.sh"
- binutils chdir: /root
- binutils-common register: acme_install
- binutils-x86-64-linux-gnu when: acme_download is changed
- cpp
- cpp-8
- gcc
- gcc-8
- libasan5
- libatomic1
- libaugeas0
- libbinutils
- libc-dev-bin
- libc6-dev
- libcc1-0
- libexpat1-dev
- libffi-dev
- libgcc-8-dev
- libgomp1
- libisl19
- libitm1
- liblsan0
- libmpc3
- libmpfr6
- libmpx2
- libpython-dev
- libpython2-dev
- libpython2.7
- libpython2.7-dev
- libquadmath0
- libssl-dev
- libtsan0
- libubsan1
- linux-libc-dev
- python-dev
- python-pip-whl
- python-pkg-resources
- python-virtualenv
- python2-dev
- python2.7-dev
- python3-distutils
- python3-lib2to3
- python3-virtualenv
- virtualenv
# Dependencies certbot checks for on its first run. I set them in a fact so that - name: Remove temporary acme.sh script
# I can pass the list directly to the apt module to install in one transaction. ansible.builtin.file:
- name: Set certbot dependencies (Ubuntu 18.04) dest: "{{ letsencrypt_acme_script_temp }}"
when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('18.04', '==') state: absent
set_fact: when:
certbot_dependencies: - acme_install.rc is defined
- augeas-lenses - acme_install.rc == 0
- binutils
- binutils-common
- binutils-x86-64-linux-gnu
- cpp
- cpp-7
- gcc
- gcc-7
- gcc-7-base
- libasan4
- libatomic1
- libaugeas0
- libbinutils
- libc-dev-bin
- libc6-dev
- libcc1-0
- libcilkrts5
- libexpat1-dev
- libffi-dev
- libgcc-7-dev
- libgomp1
- libisl19
- libitm1
- liblsan0
- libmpc3
- libmpx2
- libpython-dev
- libpython2.7
- libpython2.7-dev
- libquadmath0
- libssl-dev
- libtsan0
- libubsan0
- linux-libc-dev
- python-dev
- python-pip-whl
- python-pkg-resources
- python-virtualenv
- python2.7-dev
- python3-virtualenv
- virtualenv
- name: Install certbot dependencies - name: Set default certificate authority for acme.sh
apt: name={{ certbot_dependencies }} state=present update_cache=yes ansible.builtin.command:
cmd: "{{ letsencrypt_acme_home }}/acme.sh --set-default-ca --server letsencrypt"
when: ansible_distribution != 'Ubuntu' and ansible_distribution_major_version is version('20.04', '!=') - name: Prepare Let's Encrypt well-known directory
tags: letsencrypt ansible.builtin.file:
state: directory
path: /var/lib/letsencrypt/.well-known
owner: root
group: nginx
mode: g+s
# On Ubuntu 20.04 it is no longer recommended/supported to use the standalone - name: Copy systemd service to renew Let's Encrypt certs
# certbot-auto so I guess we need to use the one from the repositories. ansible.builtin.template:
- block: src: renew-letsencrypt.service.j2
- name: Install certbot (Ubuntu 20.04) dest: /etc/systemd/system/renew-letsencrypt.service
apt: name=certbot state=present update_cache=yes mode: "0644"
owner: root
group: root
- name: Copy certbot post and pre hooks for nginx - name: Copy systemd timer to renew Let's Encrypt certs
copy: src={{ item.src }} dest={{ item.dest }} owner=root group=root mode=0755 ansible.builtin.copy:
with_items: src: renew-letsencrypt.timer
- { src: 'stop-nginx.sh', dest: '/etc/letsencrypt/renewal-hooks/pre/stop-nginx.sh' } dest: /etc/systemd/system/renew-letsencrypt.timer
- { src: 'start-nginx.sh', dest: '/etc/letsencrypt/renewal-hooks/post/start-nginx.sh' } mode: "0644"
owner: root
group: root
when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==') # always issues daemon-reload just in case the service/timer changed
- name: Start and enable systemd timer to renew Let's Encrypt certs
ansible.builtin.systemd:
name: renew-letsencrypt.timer
state: started
enabled: true
daemon_reload: true
when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_version
is version('11', '>='))
tags: letsencrypt tags: letsencrypt
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

103
roles/nginx/tasks/main.yml
View File

@ -1,33 +1,69 @@
--- ---
- name: Add nginx.org apt signing key - name: Remove nginx apt signing key from apt-key
apt_key: id=0x573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 url=https://nginx.org/keys/nginx_signing.key state=present ansible.builtin.apt_key:
register: add_nginx_apt_key id: "053473772654754373614404074646527257655730117366337542"
tags: nginx, packages state: absent
tags:
- packages
- nginx
- name: Download nginx apt signing key
ansible.builtin.get_url:
url: https://nginx.org/keys/nginx_signing.key
dest: /usr/share/keyrings/nginx_signing.key
owner: root
group: root
mode: "0644"
checksum: sha256:55385da31d198fa6a5012d40ae98ecb272a6c4e8fffffba94719ffd3e87de37a
register: download_nginx_signing_key
tags:
- packages
- nginx
- name: Add nginx.org repo - name: Add nginx.org repo
template: src=nginx_org_sources.list.j2 dest=/etc/apt/sources.list.d/nginx_org_sources.list owner=root group=root mode=0644 ansible.builtin.template:
src: nginx_org_sources.list.j2
dest: /etc/apt/sources.list.d/nginx_org_sources.list
owner: root
group: root
mode: "0644"
register: add_nginx_apt_repository register: add_nginx_apt_repository
tags: nginx, packages tags:
- nginx
- packages
- name: Update apt cache - name: Update apt cache
apt: ansible.builtin.apt: # noqa no-handler
update_cache: yes update_cache: true
when: when: (download_nginx_signing_key.status_code is defined and download_nginx_signing_key.status_code == 200) or add_nginx_apt_repository is changed
add_nginx_apt_key is changed or
add_nginx_apt_repository is changed
- name: Install nginx - name: Install nginx
apt: pkg=nginx cache_valid_time=3600 state=present ansible.builtin.apt:
tags: nginx, packages pkg: nginx
cache_valid_time: 3600
state: present
tags:
- nginx
- packages
- name: Copy nginx.conf - name: Copy nginx.conf
template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf mode=0644 owner=root group=root ansible.builtin.template:
src: nginx.conf.j2
dest: /etc/nginx/nginx.conf
mode: "0644"
owner: root
group: root
notify: notify:
- reload nginx - reload nginx
tags: nginx tags: nginx
- name: Copy extra nginx configs - name: Copy extra nginx configs
copy: src={{ item }} dest=/etc/nginx/{{ item }} mode=0644 owner=root group=root ansible.builtin.copy:
src: "{{ item }}"
dest: /etc/nginx/{{ item }}
mode: "0644"
owner: root
group: root
loop: loop:
- extra-security.conf - extra-security.conf
- fastcgi_cache - fastcgi_cache
@ -36,42 +72,61 @@
tags: nginx tags: nginx
- name: Remove default nginx vhost - name: Remove default nginx vhost
file: path=/etc/nginx/conf.d/default.conf state=absent ansible.builtin.file:
path: /etc/nginx/conf.d/default.conf
state: absent
tags: nginx tags: nginx
- name: Create fastcgi cache dir - name: Create fastcgi cache dir
file: path=/var/cache/nginx/cached/fastcgi state=directory owner=nginx group=nginx mode=0755 ansible.builtin.file:
path: /var/cache/nginx/cached/fastcgi
state: directory
owner: nginx
group: nginx
mode: "0755"
tags: nginx tags: nginx
- name: Configure nginx virtual hosts - name: Configure nginx virtual hosts
include_tasks: vhosts.yml ansible.builtin.include_tasks: vhosts.yml
when: nginx_vhosts is defined when: nginx_vhosts is defined
tags: nginx tags: nginx
- name: Configure WordPress - name: Configure WordPress
include_tasks: wordpress.yml ansible.builtin.include_tasks: wordpress.yml
when: nginx_vhosts is defined when: nginx_vhosts is defined
tags: wordpress tags: wordpress
- name: Configure blank nginx vhost - name: Configure blank nginx vhost
template: src=blank-vhost.conf.j2 dest={{ nginx_confd_path }}/blank-vhost.conf mode=0644 owner=root group=root ansible.builtin.template:
src: blank-vhost.conf.j2
dest: "{{ nginx_confd_path }}/blank-vhost.conf"
mode: "0644"
owner: root
group: root
notify: notify:
- reload nginx - reload nginx
tags: nginx tags: nginx
- name: Configure munin vhost - name: Configure munin vhost
copy: src=munin.conf dest=/etc/nginx/conf.d/munin.conf mode=0644 owner=root group=root ansible.builtin.copy:
src: munin.conf
dest: /etc/nginx/conf.d/munin.conf
mode: "0644"
owner: root
group: root
notify: notify:
- reload nginx - reload nginx
tags: nginx tags: nginx
- name: Start and enable nginx service - name: Start and enable nginx service
systemd: name=nginx state=started enabled=yes ansible.builtin.systemd:
name: nginx
state: started
enabled: true
tags: nginx tags: nginx
- name: Configure Let's Encrypt - name: Configure Let's Encrypt
include_tasks: letsencrypt.yml ansible.builtin.include_tasks: letsencrypt.yml
when: use_letsencrypt is defined and use_letsencrypt
tags: letsencrypt tags: letsencrypt
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

38
roles/nginx/tasks/vhosts.yml
View File

@ -1,25 +1,29 @@
--- ---
- block: - block:
- name: Configure https vhosts - name: Configure https vhosts
template: src=vhost.conf.j2 dest={{ nginx_confd_path }}/{{ item.domain_name }}.conf mode=0644 owner=root group=root ansible.builtin.template: src=vhost.conf.j2 dest={{ nginx_confd_path }}/{{ item.domain_name }}.conf mode=0644 owner=root group=root
loop: "{{ nginx_vhosts }}" loop: "{{ nginx_vhosts }}"
notify: notify:
- reload nginx - reload nginx
- name: Generate self-signed TLS cert - name: Generate self-signed TLS cert
command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key -out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt ansible.builtin.command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key
notify: -out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt
- reload nginx notify:
- reload nginx
- name: Generate 2048-bit dhparam - name: Download 4096-bit RFC 7919 dhparams
command: openssl dhparam -out dhparam.pem 2048 chdir=/etc/ssl/certs creates=dhparam.pem ansible.builtin.get_url:
notify: url: https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem
- reload nginx checksum: sha256:64852d6890ff9e62eecd1ee89c72af9af244dfef5b853bcedea3dfd7aade22b3
dest: "{{ nginx_ssl_dhparam }}"
notify:
- reload nginx
- name: Create vhost document roots # TODO: this could break because we can override the document root in host vars
file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory mode=0755 owner=nginx group=nginx - name: Create vhost document roots
loop: "{{ nginx_vhosts }}" ansible.builtin.file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory mode=0755 owner=nginx group=nginx
loop: "{{ nginx_vhosts }}"
tags: nginx tags: nginx
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

22
roles/nginx/tasks/wordpress.yml
View File

@ -1,15 +1,19 @@
--- ---
- block: - block:
- name: Install WordPress - name: Install WordPress
git: repo=https://github.com/WordPress/WordPress.git dest={{ nginx_root_prefix }}/{{ item.domain_name }}/wordpress version={{ item.wordpress_version }} depth=1 force=yes ansible.builtin.git: repo=https://github.com/WordPress/WordPress.git dest={{ nginx_root_prefix }}/{{ item.domain_name }}/wordpress version={{ item.wordpress_version
when: item.has_wordpress is defined and item.has_wordpress }} depth=1 force=true
loop: "{{ nginx_vhosts }}" when:
- item.has_wordpress is defined
- item.has_wordpress
loop: "{{ nginx_vhosts }}"
- name: Fix WordPress directory permissions - name: Fix WordPress directory permissions
file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory owner=nginx group=nginx recurse=yes ansible.builtin.file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory owner=nginx group=nginx recurse=true
when: item.has_wordpress is defined and item.has_wordpress when:
loop: "{{ nginx_vhosts }}" - item.has_wordpress is defined
- item.has_wordpress
loop: "{{ nginx_vhosts }}"
tags: wordpress tags: wordpress
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

8
roles/nginx/templates/blank-vhost.conf.j2
View File

@ -11,12 +11,14 @@ server {
return 444; return 444;
} }
server { server {
listen 443 ssl http2 default_server; listen 443 ssl default_server;
listen [::]:443 ssl http2 default_server; listen [::]:443 ssl default_server;
http2 on;
server_name _; server_name _;
# "snakeoil" certificate (self signed!) # self-signed "snakeoil" certificate
ssl_certificate /etc/ssl/certs/nginx-snakeoil.crt; ssl_certificate /etc/ssl/certs/nginx-snakeoil.crt;
ssl_certificate_key /etc/ssl/private/nginx-snakeoil.key; ssl_certificate_key /etc/ssl/private/nginx-snakeoil.key;

5
roles/nginx/templates/gitea.j2 Normal file
View File

@ -0,0 +1,5 @@
location / {
proxy_pass http://localhost:3000;
}

26
roles/nginx/templates/https.j2
View File

@ -1,7 +1,7 @@
{# helper variables and per-site defaults that we can't set in role defaults #} {# helper variables and per-site defaults that we can't set in role defaults #}
{% set domain_name = item.domain_name %} {% set domain_name = item.domain_name %}
{# assume HSTS is off unless a vhost explicitly sets it to True #} {# assume HSTS is off unless a vhost explicitly sets it to true #}
{% set enable_hsts = item.enable_hsts | default(False) %} {% set enable_hsts = item.enable_hsts | default(false) %}
{# first, check if the current vhost has a custom cert (perhaps self-signed) #} {# first, check if the current vhost has a custom cert (perhaps self-signed) #}
{% if item.tls_certificate_path is defined and item.tls_key_path is defined %} {% if item.tls_certificate_path is defined and item.tls_key_path is defined %}
@ -16,8 +16,8 @@
# concatenated key + cert # concatenated key + cert
# See: http://nginx.org/en/docs/http/configuring_https_servers.html # See: http://nginx.org/en/docs/http/configuring_https_servers.html
ssl_certificate {{ letsencrypt_root }}/{{ domain_name }}/fullchain.pem; ssl_certificate {{ letsencrypt_root }}/certs/{{ domain_name }}.fullchain.pem;
ssl_certificate_key {{ letsencrypt_root }}/{{ domain_name }}/privkey.pem; ssl_certificate_key {{ letsencrypt_root }}/private/{{ domain_name }}.key.pem;
{% endif %} {% endif %}
@ -27,29 +27,21 @@
ssl_dhparam {{ nginx_ssl_dhparam }}; ssl_dhparam {{ nginx_ssl_dhparam }};
ssl_protocols {{ nginx_ssl_protocols }}; ssl_protocols {{ nginx_ssl_protocols }};
ssl_ecdh_curve {{ nginx_ssl_ecdh_curve }};
ssl_ciphers "{{ tls_cipher_suite }}"; ssl_ciphers "{{ tls_cipher_suite }}";
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers off;
{# OSCP stapling only works with real certs #} {# OSCP stapling only works with real certs #}
{% if use_letsencrypt == True or item.tls_certificate_path %} {% if use_letsencrypt == true or item.tls_certificate_path %}
# OCSP stapling... # OCSP stapling...
ssl_stapling on; ssl_stapling on;
ssl_stapling_verify on; ssl_stapling_verify on;
resolver {{ nginx_ssl_stapling_resolver }}; resolver {{ nginx_ssl_stapling_resolver }};
{% endif %} {# end: use_letsencrypt #} {% endif %} {# end: use_letsencrypt #}
# nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and {% if enable_hsts == true %}
# when a restart is performed the previous key is lost, which resets all previous
# sessions. The fix for this is to setup a manual rotation mechanism:
# http://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx
#
# Note that you'll have to define and rotate the keys securely by yourself. In absence
# of such infrastructure, consider turning off session tickets:
ssl_session_tickets off;
{% if enable_hsts == True %}
# Enable this if you want HSTS (recommended, but be careful) # Enable this if you want HSTS (recommended, but be careful)
# Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
# See: https://hstspreload.appspot.com/ # See: https://hstspreload.appspot.com/
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always; add_header Strict-Transport-Security "max-age={{ nginx_hsts_max_age }}; includeSubDomains; preload" always;
{% endif %} {% endif %}

8
roles/nginx/templates/nginx_org_sources.list.j2
View File

@ -3,17 +3,17 @@
{% if ansible_distribution == 'Ubuntu' %} {% if ansible_distribution == 'Ubuntu' %}
{% if nginx_version == "stable" %} {% if nginx_version == "stable" %}
deb [arch=amd64] https://nginx.org/packages/ubuntu/ {{ ansible_distribution_release }} nginx deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/ubuntu/ {{ ansible_distribution_release }} nginx
{% elif nginx_version == "mainline" %} {% elif nginx_version == "mainline" %}
deb [arch=amd64] https://nginx.org/packages/mainline/ubuntu/ {{ ansible_distribution_release }} nginx deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/mainline/ubuntu/ {{ ansible_distribution_release }} nginx
{% endif %} {% endif %}
{% elif ansible_distribution == 'Debian' %} {% elif ansible_distribution == 'Debian' %}
{% if nginx_version == "stable" %} {% if nginx_version == "stable" %}
deb [arch=amd64] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx
{% elif nginx_version == "mainline" %} {% elif nginx_version == "mainline" %}
deb [arch=amd64] https://nginx.org/packages/mainline/debian/ {{ ansible_distribution_release }} nginx deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/mainline/debian/ {{ ansible_distribution_release }} nginx
{% endif %} {% endif %}
{% endif %} {% endif %}

6
roles/nginx/templates/renew-letsencrypt.service.j2
View File

@ -1,7 +1,9 @@
[Unit] [Unit]
Description=Renew Let's Encrypt certificates Description=Renew Let's Encrypt certificates
ConditionFileIsExecutable={{ letsencrypt_certbot_dest }} ConditionFileIsExecutable={{ letsencrypt_acme_home }}/acme.sh
[Service] [Service]
Type=oneshot Type=oneshot
ExecStart={{ letsencrypt_certbot_dest }} renew --standalone --pre-hook "/bin/systemctl stop nginx" --post-hook "/bin/systemctl start nginx" ExecStart={{ letsencrypt_acme_home }}/acme.sh --cron --home {{ letsencrypt_acme_home }} --reloadcmd "/bin/systemctl reload nginx" -w /var/lib/letsencrypt
SuccessExitStatus=0 2

56
roles/nginx/templates/vhost.conf.j2
View File

@ -4,9 +4,16 @@
{% set domain_name = item.domain_name %} {% set domain_name = item.domain_name %}
{% set domain_aliases = item.domain_aliases | default("") %} {% set domain_aliases = item.domain_aliases | default("") %}
{# assume optional features are off unless a vhost explicitly sets them #} {# assume optional features are off unless a vhost explicitly sets them #}
{% set enable_hsts = item.enable_hsts | default(False) %} {% set enable_hsts = item.enable_hsts | default(false) %}
{% set has_wordpress = item.has_wordpress | default(False) %} {% set has_wordpress = item.has_wordpress | default(false) %}
{% set needs_php = item.needs_php | default(False) %} {% set needs_php = item.needs_php | default(false) %}
{% set has_gitea = item.has_gitea | default(false) %}
{# Allow sites to override the document root #}
{% if item.document_root is defined %}
{% set document_root = item.document_root %}
{% else %}
{% set document_root = (nginx_root_prefix, domain_name) | ansible.builtin.path_join %}
{% endif %}
# http -> https vhost # http -> https vhost
server { server {
@ -14,6 +21,8 @@ server {
listen [::]:80; listen [::]:80;
server_name {{ domain_name }} {{ domain_aliases }}; server_name {{ domain_name }} {{ domain_aliases }};
{% include 'well-known.j2' %}
# redirect http -> https # redirect http -> https
location / { location / {
# ? in rewrite makes sure nginx doesn't append query string again # ? in rewrite makes sure nginx doesn't append query string again
@ -23,36 +32,36 @@ server {
} }
server { server {
listen 443 ssl http2; listen 443 ssl;
listen [::]:443 ssl http2; listen [::]:443 ssl;
http2 on;
{# Allow sites to override the nginx document root #} root {{ document_root }};
{% if item.document_root is defined %}
root {{ item.document_root }};
{% else %}
root {{ nginx_root_prefix }}/{{ domain_name }};
{% endif %}
{# will only work if the TLS cert covers the domain + aliases, like example.com and www.example.com #} {# will only work if the TLS cert covers the domain + aliases, like example.com and www.example.com #}
server_name {{ domain_name }} {{ domain_aliases }}; server_name {{ domain_name }} {{ domain_aliases }};
index {% if has_wordpress == True or needs_php == True %}index.php{% else %}index.html{% endif %}; index {% if has_wordpress == true or needs_php == true %}index.php{% else %}index.html{% endif %};
access_log /var/log/nginx/{{ domain_name }}-access.log; access_log /var/log/nginx/{{ domain_name }}-access.log;
error_log /var/log/nginx/{{ domain_name }}-error.log; error_log /var/log/nginx/{{ domain_name }}-error.log;
{% include 'https.j2' %} {% include 'https.j2' %}
{% if has_wordpress == True %} {% if has_wordpress == true %}
{% include 'wordpress.j2' %} {% include 'wordpress.j2' %}
{% endif %} {% endif %}
{% if has_gitea == true %}
{% include 'gitea.j2' %}
{% endif %}
error_page 500 502 503 504 /50x.html; error_page 500 502 503 504 /50x.html;
location = /50x.html { location = /50x.html {
root /usr/share/nginx/html; root /usr/share/nginx/html;
} }
{% if has_wordpress == True or needs_php == True %} {% if has_wordpress == true or needs_php == true %}
location ~ [^/]\.php(/|$) { location ~ [^/]\.php(/|$) {
# Zero-day exploit defense. # Zero-day exploit defense.
# http://forum.nginx.org/read.php?2,88845,page=3 # http://forum.nginx.org/read.php?2,88845,page=3
@ -68,17 +77,8 @@ server {
# See: https://httpoxy.org/ # See: https://httpoxy.org/
fastcgi_param HTTP_PROXY ""; fastcgi_param HTTP_PROXY "";
{# As of Ubuntu 16.04 and Debian 9, the PHP-FPM configs are the same #} {% if ansible_distribution == 'Debian' and ansible_distribution_major_version is version('12', '==') %}
{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('16.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('9', '==')) %} fastcgi_pass unix:/run/php/php8.2-fpm-{{ domain_name }}.sock;
fastcgi_pass unix:/run/php/php7.0-fpm-{{ domain_name }}.sock;
{% elif ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('18.04', '==') %}
fastcgi_pass unix:/run/php/php7.2-fpm-{{ domain_name }}.sock;
{% elif ansible_distribution == 'Debian' and ansible_distribution_version is version('10', '==') %}
fastcgi_pass unix:/run/php/php7.3-fpm-{{ domain_name }}.sock;
{% elif ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==') %}
fastcgi_pass unix:/run/php/php7.4-fpm-{{ domain_name }}.sock;
{% else %}
fastcgi_pass unix:/var/run/php5-fpm-{{ domain_name }}.sock;
{% endif %} {% endif %}
fastcgi_index index.php; fastcgi_index index.php;
# set script path relative to document root in server block # set script path relative to document root in server block
@ -92,11 +92,11 @@ server {
fastcgi_cache_bypass $http_pragma $wordpress_logged_in; fastcgi_cache_bypass $http_pragma $wordpress_logged_in;
fastcgi_no_cache $http_pragma $wordpress_logged_in; fastcgi_no_cache $http_pragma $wordpress_logged_in;
{% if enable_hsts == True %} {% if enable_hsts == true %}
# Enable this if you want HSTS (recommended, but be careful) # Enable this if you want HSTS (recommended, but be careful)
# Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
# See: https://hstspreload.appspot.com/ # See: https://hstspreload.appspot.com/
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always; add_header Strict-Transport-Security "max-age={{ nginx_hsts_max_age }}; includeSubDomains; preload" always;
{% endif %} {% endif %}
include extra-security.conf; include extra-security.conf;
@ -106,7 +106,7 @@ server {
include extra-security.conf; include extra-security.conf;
} }
{% if has_wordpress == True %} {% if has_wordpress == true %}
# Check if a user is logged in # Check if a user is logged in
# if so, set $wordpress_logged_in = 1 # if so, set $wordpress_logged_in = 1
# otherwise, set $wordpress_logged_in = 0 # otherwise, set $wordpress_logged_in = 0

6
roles/nginx/templates/well-known.j2 Normal file
View File

@ -0,0 +1,6 @@
location ^~ /.well-known/acme-challenge/ {
allow all;
root /var/lib/letsencrypt/;
default_type "text/plain";
try_files $uri =404;
}

8
roles/nginx/templates/wordpress.j2
View File

@ -5,22 +5,22 @@
location / { location / {
try_files $uri $uri/ /index.php?$args; try_files $uri $uri/ /index.php?$args;
{% if enable_hsts == True %} {% if enable_hsts == true %}
# Enable this if you want HSTS (recommended, but be careful) # Enable this if you want HSTS (recommended, but be careful)
# Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
# See: https://hstspreload.appspot.com/ # See: https://hstspreload.appspot.com/
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always; add_header Strict-Transport-Security "max-age={{ nginx_hsts_max_age }}; includeSubDomains; preload" always;
{% endif %} {% endif %}
} }
location ~* \.(?:ico|css|js|gif|jpe?g|png|svg)$ { location ~* \.(?:ico|css|js|gif|jpe?g|png|svg)$ {
add_header Cache-Control "max-age=604800"; add_header Cache-Control "max-age=604800";
{% if enable_hsts == True %} {% if enable_hsts == true %}
# Enable this if you want HSTS (recommended, but be careful) # Enable this if you want HSTS (recommended, but be careful)
# Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
# See: https://hstspreload.appspot.com/ # See: https://hstspreload.appspot.com/
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always; add_header Strict-Transport-Security "max-age={{ nginx_hsts_max_age }}; includeSubDomains; preload" always;
{% endif %} {% endif %}
} }

2
roles/php-fpm/defaults/main.yml
View File

@ -1,5 +1,5 @@
--- ---
# file: roles/php-fpm/defaults/main.yml # ansible.builtin.file: roles/php-fpm/defaults/main.yml
# default is on, but turn it off because of protection in nginx vhosts # default is on, but turn it off because of protection in nginx vhosts
cgi_fix_pathinfo: 0 cgi_fix_pathinfo: 0

16
roles/php-fpm/handlers/main.yml
View File

@ -1,14 +1,8 @@
--- ---
# For Ubuntu 18.04 # For Debian 12
- name: reload php7.2-fpm - name: reload php8.2-fpm
systemd: name=php7.2-fpm state=reloaded ansible.builtin.systemd:
name: php8.2-fpm
# For Debian 10 state: reloaded
- name: reload php7.3-fpm
systemd: name=php7.3-fpm state=reloaded
# For Ubuntu 20.04
- name: reload php7.4-fpm
systemd: name=php7.4-fpm state=reloaded
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

36
roles/php-fpm/tasks/Debian_10.yml
View File

@ -1,36 +0,0 @@
---
- block:
- name: Set php-fpm packages
set_fact:
php_fpm_packages:
- php-fpm
# for WordPress
- php-mysql
- php-gd
- php-curl
# for Piwik
- php-mbstring
- php-xml
- name: Install php-fpm and deps
apt: name={{ php_fpm_packages }} state=present update_cache=yes
# only copy php-fpm config for vhosts that need WordPress or PHP
- name: Copy php-fpm pool config
template: src=php7.3-pool.conf.j2 dest=/etc/php/7.3/fpm/pool.d/{{ item.domain_name }}.conf owner=root group=root mode=0644
loop: "{{ nginx_vhosts }}"
when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
notify: reload php7.3-fpm
- name: Remove default www pool
file: path=/etc/php/7.3/fpm/pool.d/www.conf state=absent
notify: reload php7.3-fpm
# re-configure php.ini
- name: Update php.ini
template: src=php7.3-php.ini.j2 dest=/etc/php/7.3/fpm/php.ini owner=root group=root mode=0644
notify: reload php7.3-fpm
tags: php-fpm
# vim: set ts=2 sw=2:

50
roles/php-fpm/tasks/Debian_12.yml Normal file
View File

@ -0,0 +1,50 @@
---
- block:
- name: Set php-fpm packages
ansible.builtin.set_fact:
php_fpm_packages:
- php8.2-fpm
# for WordPress
- php8.2-mysql
- php8.2-gd
- php8.2-curl
- php8.2-xml
- name: Install php-fpm and deps
ansible.builtin.apt:
name: "{{ php_fpm_packages }}"
state: present
update_cache: true
# only copy php-fpm config for vhosts that need WordPress or PHP
- name: Copy php-fpm pool config
ansible.builtin.template:
src: php8.2-pool.conf.j2
dest: /etc/php/8.2/fpm/pool.d/{{ item.domain_name }}.conf
owner: root
group: root
mode: "0644"
loop: "{{ nginx_vhosts }}"
when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
notify: reload php8.2-fpm
- name: Remove default www pool
ansible.builtin.file:
path: /etc/php/8.2/fpm/pool.d/www.conf
state: absent
notify: reload php8.2-fpm
# re-configure php.ini
- name: Update php.ini
ansible.builtin.template:
src: php8.2-php.ini.j2
dest: /etc/php/8.2/fpm/php.ini
owner: root
group: root
mode: "0644"
notify: reload php8.2-fpm
tags: php-fpm
when: install_php
# vim: set ts=2 sw=2:

36
roles/php-fpm/tasks/Ubuntu_18.04.yml
View File

@ -1,36 +0,0 @@
---
- block:
- name: Set php-fpm packages
set_fact:
php_fpm_packages:
- php-fpm
# for WordPress
- php-mysql
- php-gd
- php-curl
# for Piwik
- php-mbstring
- php-xml
- name: Install php-fpm and deps
apt: name={{ php_fpm_packages }} state=present update_cache=yes
# only copy php-fpm config for vhosts that need WordPress or PHP
- name: Copy php-fpm pool config
template: src=php7.2-pool.conf.j2 dest=/etc/php/7.2/fpm/pool.d/{{ item.domain_name }}.conf owner=root group=root mode=0644
loop: "{{ nginx_vhosts }}"
when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
notify: reload php7.2-fpm
- name: Remove default www pool
file: path=/etc/php/7.2/fpm/pool.d/www.conf state=absent
notify: reload php7.2-fpm
# re-configure php.ini
- name: Update php.ini
template: src=php7.2-php.ini.j2 dest=/etc/php/7.2/fpm/php.ini owner=root group=root mode=0644
notify: reload php7.2-fpm
tags: php-fpm
# vim: set ts=2 sw=2:

36
roles/php-fpm/tasks/Ubuntu_20.04.yml
View File

@ -1,36 +0,0 @@
---
- block:
- name: Set php-fpm packages
set_fact:
php_fpm_packages:
- php-fpm
# for WordPress
- php-mysql
- php-gd
- php-curl
# for Piwik
- php-mbstring
- php-xml
- name: Install php-fpm and deps
apt: name={{ php_fpm_packages }} state=present update_cache=yes
# only copy php-fpm config for vhosts that need WordPress or PHP
- name: Copy php-fpm pool config
template: src=php7.4-pool.conf.j2 dest=/etc/php/7.4/fpm/pool.d/{{ item.domain_name }}.conf owner=root group=root mode=0644
loop: "{{ nginx_vhosts }}"
when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
notify: reload php7.4-fpm
- name: Remove default www pool
file: path=/etc/php/7.4/fpm/pool.d/www.conf state=absent
notify: reload php7.4-fpm
# re-configure php.ini
- name: Update php.ini
template: src=php7.4-php.ini.j2 dest=/etc/php/7.4/fpm/php.ini owner=root group=root mode=0644
notify: reload php7.4-fpm
tags: php-fpm
# vim: set ts=2 sw=2:

42
roles/php-fpm/tasks/main.yml
View File

@ -1,21 +1,35 @@
--- ---
# Ubuntu 18.04 uses php-fpm 7.2 # Debian 12 uses PHP 8.2
# Debian 10 uses php-fpm 7.3
# Ubuntu 20.04 uses PHP 7.4
- name: Configure php-fpm on Ubuntu 18.04 # If any of the vhosts on this host need WordPress then we need to install PHP.
include_tasks: Ubuntu_18.04.yml # This uses selectattr to filter the list of dicts in nginx_vhosts, selecting
when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('18.04', '==') # any that have has_wordpress defined, and has_wordpress set to true.
tags: php-fpm #
# See: https://stackoverflow.com/a/31896249
- name: Check if any vhost needs WordPress
ansible.builtin.set_fact:
install_php: true
when: nginx_vhosts | selectattr('has_wordpress', 'defined') | selectattr('has_wordpress', 'equalto', true) | list | length > 0
- name: Configure php-fpm on Debian 10 # Legacy, was only for Piwik, but leaving for now.
include_tasks: Debian_10.yml - name: Check if any vhost needs PHP
when: ansible_distribution == 'Debian' and ansible_distribution_version is version('10', '==') ansible.builtin.set_fact:
tags: php-fpm install_php: true
when: nginx_vhosts | selectattr('needs_php', 'defined') | selectattr('needs_php', 'equalto', true) | list | length > 0
- name: Configure php-fpm on Ubuntu 20.04 # If install_php has not been set, then we assume no vhosts need PHP. This is
include_tasks: Ubuntu_20.04.yml # a bit hacky, but it's the closest we come to an if/then/else.
when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==') - name: Set install_php to false
ansible.builtin.set_fact:
install_php: false
when: install_php is not defined
- name: Configure php-fpm on Debian 12
ansible.builtin.include_tasks: Debian_12.yml
when:
- ansible_distribution == 'Debian'
- ansible_distribution_major_version is version('12', '==')
- install_php
tags: php-fpm tags: php-fpm
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

1915
roles/php-fpm/templates/php7.2-php.ini.j2
View File

File diff suppressed because it is too large Load Diff

415
roles/php-fpm/templates/php7.2-pool.conf.j2
View File

@ -1,415 +0,0 @@
{% set domain_name = item.domain_name %}
; Start a new pool named '{{ domain_name }}'.
; the variable $pool can we used in any directive and will be replaced by the
; pool name ('{{ domain_name }}' here)
[{{ domain_name }}]
; Per pool prefix
; It only applies on the following directives:
; - 'access.log'
; - 'slowlog'
; - 'listen' (unixsocket)
; - 'chroot'
; - 'chdir'
; - 'php_values'
; - 'php_admin_values'
; When not set, the global prefix (or /usr) applies instead.
; Note: This directive can also be relative to the global prefix.
; Default Value: none
;prefix = /path/to/pools/$pool
; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's group
; will be used.
user = nginx
group = nginx
; The address on which to accept FastCGI requests.
; Valid syntaxes are:
; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
; a specific port;
; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
; a specific port;
; 'port' - to listen on a TCP socket to all addresses
; (IPv6 and IPv4-mapped) on a specific port;
; '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory.
listen = /run/php/php7.2-fpm-{{ domain_name }}.sock
; Set listen(2) backlog.
; Default Value: 511 (-1 on FreeBSD and OpenBSD)
;listen.backlog = 511
; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many
; BSD-derived systems allow connections regardless of permissions.
; Default Values: user and group are set as the running user
; mode is set to 0660
listen.owner = nginx
listen.group = nginx
;listen.mode = 0660
; When POSIX Access Control Lists are supported you can set them using
; these options, value is a comma separated list of user/group names.
; When set, listen.owner and listen.group are ignored
;listen.acl_users =
;listen.acl_groups =
; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
; must be separated by a comma. If this value is left blank, connections will be
; accepted from any ip address.
; Default Value: any
;listen.allowed_clients = 127.0.0.1
; Specify the nice(2) priority to apply to the pool processes (only if set)
; The value can vary from -19 (highest priority) to 20 (lower priority)
; Note: - It will only work if the FPM master process is launched as root
; - The pool processes will inherit the master process priority
; unless it specified otherwise
; Default Value: no set
; process.priority = -19
; Choose how the process manager will control the number of child processes.
; Possible Values:
; static - a fixed number (pm.max_children) of child processes;
; dynamic - the number of child processes are set dynamically based on the
; following directives. With this process management, there will be
; always at least 1 children.
; pm.max_children - the maximum number of children that can
; be alive at the same time.
; pm.start_servers - the number of children created on startup.
; pm.min_spare_servers - the minimum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is less than this
; number then some children will be created.
; pm.max_spare_servers - the maximum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is greater than this
; number then some children will be killed.
; ondemand - no children are created at startup. Children will be forked when
; new requests will connect. The following parameter are used:
; pm.max_children - the maximum number of children that
; can be alive at the same time.
; pm.process_idle_timeout - The number of seconds after which
; an idle process will be killed.
; Note: This value is mandatory.
pm = dynamic
; The number of child processes to be created when pm is set to 'static' and the
; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
; This value sets the limit on the number of simultaneous requests that will be
; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
; CGI. The below defaults are based on a server without much resources. Don't
; forget to tweak pm.* to fit your needs.
; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
; Note: This value is mandatory.
pm.max_children = 5
; The number of child processes created on startup.
; Note: Used only when pm is set to 'dynamic'
; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
pm.start_servers = 2
; The desired minimum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.min_spare_servers = 1
; The desired maximum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.max_spare_servers = 3
; The number of seconds after which an idle process will be killed.
; Note: Used only when pm is set to 'ondemand'
; Default Value: 10s
;pm.process_idle_timeout = 10s;
; The number of requests each child process should execute before respawning.
; This can be useful to work around memory leaks in 3rd party libraries. For
; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
; Default Value: 0
;pm.max_requests = 500
; The URI to view the FPM status page. If this value is not set, no URI will be
; recognized as a status page. It shows the following informations:
; pool - the name of the pool;
; process manager - static, dynamic or ondemand;
; start time - the date and time FPM has started;
; start since - number of seconds since FPM has started;
; accepted conn - the number of request accepted by the pool;
; listen queue - the number of request in the queue of pending
; connections (see backlog in listen(2));
; max listen queue - the maximum number of requests in the queue
; of pending connections since FPM has started;
; listen queue len - the size of the socket queue of pending connections;
; idle processes - the number of idle processes;
; active processes - the number of active processes;
; total processes - the number of idle + active processes;
; max active processes - the maximum number of active processes since FPM
; has started;
; max children reached - number of times, the process limit has been reached,
; when pm tries to start more children (works only for
; pm 'dynamic' and 'ondemand');
; Value are updated in real time.
; Example output:
; pool: www
; process manager: static
; start time: 01/Jul/2011:17:53:49 +0200
; start since: 62636
; accepted conn: 190460
; listen queue: 0
; max listen queue: 1
; listen queue len: 42
; idle processes: 4
; active processes: 11
; total processes: 15
; max active processes: 12
; max children reached: 0
;
; By default the status page output is formatted as text/plain. Passing either
; 'html', 'xml' or 'json' in the query string will return the corresponding
; output syntax. Example:
; http://www.foo.bar/status
; http://www.foo.bar/status?json
; http://www.foo.bar/status?html
; http://www.foo.bar/status?xml
;
; By default the status page only outputs short status. Passing 'full' in the
; query string will also return status for each pool process.
; Example:
; http://www.foo.bar/status?full
; http://www.foo.bar/status?json&full
; http://www.foo.bar/status?html&full
; http://www.foo.bar/status?xml&full
; The Full status returns for each process:
; pid - the PID of the process;
; state - the state of the process (Idle, Running, ...);
; start time - the date and time the process has started;
; start since - the number of seconds since the process has started;
; requests - the number of requests the process has served;
; request duration - the duration in µs of the requests;
; request method - the request method (GET, POST, ...);
; request URI - the request URI with the query string;
; content length - the content length of the request (only with POST);
; user - the user (PHP_AUTH_USER) (or '-' if not set);
; script - the main script called (or '-' if not set);
; last request cpu - the %cpu the last request consumed
; it's always 0 if the process is not in Idle state
; because CPU calculation is done when the request
; processing has terminated;
; last request memory - the max amount of memory the last request consumed
; it's always 0 if the process is not in Idle state
; because memory calculation is done when the request
; processing has terminated;
; If the process is in Idle state, then informations are related to the
; last request the process has served. Otherwise informations are related to
; the current request being served.
; Example output:
; ************************
; pid: 31330
; state: Running
; start time: 01/Jul/2011:17:53:49 +0200
; start since: 63087
; requests: 12808
; request duration: 1250261
; request method: GET
; request URI: /test_mem.php?N=10000
; content length: 0
; user: -
; script: /home/fat/web/docs/php/test_mem.php
; last request cpu: 0.00
; last request memory: 0
;
; Note: There is a real-time FPM status monitoring sample web page available
; It's available in: /usr/share/php/7.2/fpm/status.html
;
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
;pm.status_path = /status
; The ping URI to call the monitoring page of FPM. If this value is not set, no
; URI will be recognized as a ping page. This could be used to test from outside
; that FPM is alive and responding, or to
; - create a graph of FPM availability (rrd or such);
; - remove a server from a group if it is not responding (load balancing);
; - trigger alerts for the operating team (24/7).
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
;ping.path = /ping
; This directive may be used to customize the response of a ping request. The
; response is formatted as text/plain with a 200 response code.
; Default Value: pong
;ping.response = pong
; The access log file
; Default: not set
;access.log = log/$pool.access.log
; The access log format.
; The following syntax is allowed
; %%: the '%' character
; %C: %CPU used by the request
; it can accept the following format:
; - %{user}C for user CPU only
; - %{system}C for system CPU only
; - %{total}C for user + system CPU (default)
; %d: time taken to serve the request
; it can accept the following format:
; - %{seconds}d (default)
; - %{miliseconds}d
; - %{mili}d
; - %{microseconds}d
; - %{micro}d
; %e: an environment variable (same as $_ENV or $_SERVER)
; it must be associated with embraces to specify the name of the env
; variable. Some exemples:
; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
; %f: script filename
; %l: content-length of the request (for POST request only)
; %m: request method
; %M: peak of memory allocated by PHP
; it can accept the following format:
; - %{bytes}M (default)
; - %{kilobytes}M
; - %{kilo}M
; - %{megabytes}M
; - %{mega}M
; %n: pool name
; %o: output header
; it must be associated with embraces to specify the name of the header:
; - %{Content-Type}o
; - %{X-Powered-By}o
; - %{Transfert-Encoding}o
; - ....
; %p: PID of the child that serviced the request
; %P: PID of the parent of the child that serviced the request
; %q: the query string
; %Q: the '?' character if query string exists
; %r: the request URI (without the query string, see %q and %Q)
; %R: remote IP address
; %s: status (response code)
; %t: server time the request was received
; it can accept a strftime(3) format:
; %d/%b/%Y:%H:%M:%S %z (default)
; %T: time the log has been written (the request has finished)
; it can accept a strftime(3) format:
; %d/%b/%Y:%H:%M:%S %z (default)
; %u: remote user
;
; Default: "%R - %u %t \"%m %r\" %s"
;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
; The log file for slow requests
; Default Value: not set
; Note: slowlog is mandatory if request_slowlog_timeout is set
;slowlog = log/$pool.log.slow
; The timeout for serving a single request after which a PHP backtrace will be
; dumped to the 'slowlog' file. A value of '0s' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_slowlog_timeout = 0
; Depth of slow log stack trace.
; Default Value: 20
;request_slowlog_trace_depth = 20
; The timeout for serving a single request after which the worker process will
; be killed. This option should be used when the 'max_execution_time' ini option
; does not stop script execution for some reason. A value of '0' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_terminate_timeout = 0
; Set open file descriptor rlimit.
; Default Value: system defined value
;rlimit_files = 1024
; Set max core size rlimit.
; Possible Values: 'unlimited' or an integer greater or equal to 0
; Default Value: system defined value
;rlimit_core = 0
; Chroot to this directory at the start. This value must be defined as an
; absolute path. When this value is not set, chroot is not used.
; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
; of its subdirectories. If the pool prefix is not set, the global prefix
; will be used instead.
; Note: chrooting is a great security feature and should be used whenever
; possible. However, all PHP paths will be relative to the chroot
; (error_log, sessions.save_path, ...).
; Default Value: not set
;chroot =
; Chdir to this directory at the start.
; Note: relative path can be used.
; Default Value: current directory or / when chroot
;chdir = /var/www
; Redirect worker stdout and stderr into main error log. If not set, stdout and
; stderr will be redirected to /dev/null according to FastCGI specs.
; Note: on highloaded environement, this can cause some delay in the page
; process time (several ms).
; Default Value: no
catch_workers_output = yes
; Clear environment in FPM workers
; Prevents arbitrary environment variables from reaching FPM worker processes
; by clearing the environment in workers before env vars specified in this
; pool configuration are added.
; Setting to "no" will make all environment variables available to PHP code
; via getenv(), $_ENV and $_SERVER.
; Default Value: yes
;clear_env = no
; Limits the extensions of the main script FPM will allow to parse. This can
; prevent configuration mistakes on the web server side. You should only limit
; FPM to .php extensions to prevent malicious users to use other extensions to
; execute php code.
; Note: set an empty value to allow all extensions.
; Default Value: .php
;security.limit_extensions = .php .php3 .php4 .php5 .php7
; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
; the current environment.
; Default Value: clean env
;env[HOSTNAME] = $HOSTNAME
;env[PATH] = /usr/local/bin:/usr/bin:/bin
;env[TMP] = /tmp
;env[TMPDIR] = /tmp
;env[TEMP] = /tmp
; Additional php.ini defines, specific to this pool of workers. These settings
; overwrite the values previously defined in the php.ini. The directives are the
; same as the PHP SAPI:
; php_value/php_flag - you can set classic ini defines which can
; be overwritten from PHP call 'ini_set'.
; php_admin_value/php_admin_flag - these directives won't be overwritten by
; PHP call 'ini_set'
; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
; Defining 'extension' will load the corresponding shared extension from
; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
; overwrite previously defined php.ini values, but will append the new value
; instead.
; Note: path INI options can be relative and will be expanded with the prefix
; (pool, global or /usr)
; Default Value: nothing is defined by default except the values in php.ini and
; specified at startup with the -d argument
;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
;php_flag[display_errors] = off
;php_admin_value[error_log] = /var/log/fpm-php.www.log
;php_admin_flag[log_errors] = on
;php_admin_value[memory_limit] = 32M

1946
roles/php-fpm/templates/php7.3-php.ini.j2
View File

File diff suppressed because it is too large Load Diff

428
roles/php-fpm/templates/php7.3-pool.conf.j2
View File

@ -1,428 +0,0 @@
{% set domain_name = item.domain_name %}
; Start a new pool named '{{ domain_name }}'.
; the variable $pool can be used in any directive and will be replaced by the
; pool name ('{{ domain_name }}' here)
[{{ domain_name }}]
; Per pool prefix
; It only applies on the following directives:
; - 'access.log'
; - 'slowlog'
; - 'listen' (unixsocket)
; - 'chroot'
; - 'chdir'
; - 'php_values'
; - 'php_admin_values'
; When not set, the global prefix (or /usr) applies instead.
; Note: This directive can also be relative to the global prefix.
; Default Value: none
;prefix = /path/to/pools/$pool
; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's group
; will be used.
user = nginx
group = nginx
; The address on which to accept FastCGI requests.
; Valid syntaxes are:
; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
; a specific port;
; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
; a specific port;
; 'port' - to listen on a TCP socket to all addresses
; (IPv6 and IPv4-mapped) on a specific port;
; '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory.
listen = /run/php/php7.3-fpm-{{ domain_name }}.sock
; Set listen(2) backlog.
; Default Value: 511 (-1 on FreeBSD and OpenBSD)
;listen.backlog = 511
; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many
; BSD-derived systems allow connections regardless of permissions.
; Default Values: user and group are set as the running user
; mode is set to 0660
listen.owner = nginx
listen.group = nginx
;listen.mode = 0660
; When POSIX Access Control Lists are supported you can set them using
; these options, value is a comma separated list of user/group names.
; When set, listen.owner and listen.group are ignored
;listen.acl_users =
;listen.acl_groups =
; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
; must be separated by a comma. If this value is left blank, connections will be
; accepted from any ip address.
; Default Value: any
;listen.allowed_clients = 127.0.0.1
; Specify the nice(2) priority to apply to the pool processes (only if set)
; The value can vary from -19 (highest priority) to 20 (lower priority)
; Note: - It will only work if the FPM master process is launched as root
; - The pool processes will inherit the master process priority
; unless it specified otherwise
; Default Value: no set
; process.priority = -19
; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user
; or group is differrent than the master process user. It allows to create process
; core dump and ptrace the process for the pool user.
; Default Value: no
; process.dumpable = yes
; Choose how the process manager will control the number of child processes.
; Possible Values:
; static - a fixed number (pm.max_children) of child processes;
; dynamic - the number of child processes are set dynamically based on the
; following directives. With this process management, there will be
; always at least 1 children.
; pm.max_children - the maximum number of children that can
; be alive at the same time.
; pm.start_servers - the number of children created on startup.
; pm.min_spare_servers - the minimum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is less than this
; number then some children will be created.
; pm.max_spare_servers - the maximum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is greater than this
; number then some children will be killed.
; ondemand - no children are created at startup. Children will be forked when
; new requests will connect. The following parameter are used:
; pm.max_children - the maximum number of children that
; can be alive at the same time.
; pm.process_idle_timeout - The number of seconds after which
; an idle process will be killed.
; Note: This value is mandatory.
pm = dynamic
; The number of child processes to be created when pm is set to 'static' and the
; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
; This value sets the limit on the number of simultaneous requests that will be
; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
; CGI. The below defaults are based on a server without much resources. Don't
; forget to tweak pm.* to fit your needs.
; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
; Note: This value is mandatory.
pm.max_children = 5
; The number of child processes created on startup.
; Note: Used only when pm is set to 'dynamic'
; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
pm.start_servers = 2
; The desired minimum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.min_spare_servers = 1
; The desired maximum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.max_spare_servers = 3
; The number of seconds after which an idle process will be killed.
; Note: Used only when pm is set to 'ondemand'
; Default Value: 10s
;pm.process_idle_timeout = 10s;
; The number of requests each child process should execute before respawning.
; This can be useful to work around memory leaks in 3rd party libraries. For
; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
; Default Value: 0
;pm.max_requests = 500
; The URI to view the FPM status page. If this value is not set, no URI will be
; recognized as a status page. It shows the following informations:
; pool - the name of the pool;
; process manager - static, dynamic or ondemand;
; start time - the date and time FPM has started;
; start since - number of seconds since FPM has started;
; accepted conn - the number of request accepted by the pool;
; listen queue - the number of request in the queue of pending
; connections (see backlog in listen(2));
; max listen queue - the maximum number of requests in the queue
; of pending connections since FPM has started;
; listen queue len - the size of the socket queue of pending connections;
; idle processes - the number of idle processes;
; active processes - the number of active processes;
; total processes - the number of idle + active processes;
; max active processes - the maximum number of active processes since FPM
; has started;
; max children reached - number of times, the process limit has been reached,
; when pm tries to start more children (works only for
; pm 'dynamic' and 'ondemand');
; Value are updated in real time.
; Example output:
; pool: www
; process manager: static
; start time: 01/Jul/2011:17:53:49 +0200
; start since: 62636
; accepted conn: 190460
; listen queue: 0
; max listen queue: 1
; listen queue len: 42
; idle processes: 4
; active processes: 11
; total processes: 15
; max active processes: 12
; max children reached: 0
;
; By default the status page output is formatted as text/plain. Passing either
; 'html', 'xml' or 'json' in the query string will return the corresponding
; output syntax. Example:
; http://www.foo.bar/status
; http://www.foo.bar/status?json
; http://www.foo.bar/status?html
; http://www.foo.bar/status?xml
;
; By default the status page only outputs short status. Passing 'full' in the
; query string will also return status for each pool process.
; Example:
; http://www.foo.bar/status?full
; http://www.foo.bar/status?json&full
; http://www.foo.bar/status?html&full
; http://www.foo.bar/status?xml&full
; The Full status returns for each process:
; pid - the PID of the process;
; state - the state of the process (Idle, Running, ...);
; start time - the date and time the process has started;
; start since - the number of seconds since the process has started;
; requests - the number of requests the process has served;
; request duration - the duration in µs of the requests;
; request method - the request method (GET, POST, ...);
; request URI - the request URI with the query string;
; content length - the content length of the request (only with POST);
; user - the user (PHP_AUTH_USER) (or '-' if not set);
; script - the main script called (or '-' if not set);
; last request cpu - the %cpu the last request consumed
; it's always 0 if the process is not in Idle state
; because CPU calculation is done when the request
; processing has terminated;
; last request memory - the max amount of memory the last request consumed
; it's always 0 if the process is not in Idle state
; because memory calculation is done when the request
; processing has terminated;
; If the process is in Idle state, then informations are related to the
; last request the process has served. Otherwise informations are related to
; the current request being served.
; Example output:
; ************************
; pid: 31330
; state: Running
; start time: 01/Jul/2011:17:53:49 +0200
; start since: 63087
; requests: 12808
; request duration: 1250261
; request method: GET
; request URI: /test_mem.php?N=10000
; content length: 0
; user: -
; script: /home/fat/web/docs/php/test_mem.php
; last request cpu: 0.00
; last request memory: 0
;
; Note: There is a real-time FPM status monitoring sample web page available
; It's available in: /usr/share/php/7.3/fpm/status.html
;
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
;pm.status_path = /status
; The ping URI to call the monitoring page of FPM. If this value is not set, no
; URI will be recognized as a ping page. This could be used to test from outside
; that FPM is alive and responding, or to
; - create a graph of FPM availability (rrd or such);
; - remove a server from a group if it is not responding (load balancing);
; - trigger alerts for the operating team (24/7).
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
;ping.path = /ping
; This directive may be used to customize the response of a ping request. The
; response is formatted as text/plain with a 200 response code.
; Default Value: pong
;ping.response = pong
; The access log file
; Default: not set
;access.log = log/$pool.access.log
; The access log format.
; The following syntax is allowed
; %%: the '%' character
; %C: %CPU used by the request
; it can accept the following format:
; - %{user}C for user CPU only
; - %{system}C for system CPU only
; - %{total}C for user + system CPU (default)
; %d: time taken to serve the request
; it can accept the following format:
; - %{seconds}d (default)
; - %{miliseconds}d
; - %{mili}d
; - %{microseconds}d
; - %{micro}d
; %e: an environment variable (same as $_ENV or $_SERVER)
; it must be associated with embraces to specify the name of the env
; variable. Some exemples:
; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
; %f: script filename
; %l: content-length of the request (for POST request only)
; %m: request method
; %M: peak of memory allocated by PHP
; it can accept the following format:
; - %{bytes}M (default)
; - %{kilobytes}M
; - %{kilo}M
; - %{megabytes}M
; - %{mega}M
; %n: pool name
; %o: output header
; it must be associated with embraces to specify the name of the header:
; - %{Content-Type}o
; - %{X-Powered-By}o
; - %{Transfert-Encoding}o
; - ....
; %p: PID of the child that serviced the request
; %P: PID of the parent of the child that serviced the request
; %q: the query string
; %Q: the '?' character if query string exists
; %r: the request URI (without the query string, see %q and %Q)
; %R: remote IP address
; %s: status (response code)
; %t: server time the request was received
; it can accept a strftime(3) format:
; The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
; %T: time the log has been written (the request has finished)
; it can accept a strftime(3) format:
; The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
; %u: remote user
;
; Default: "%R - %u %t \"%m %r\" %s"
;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
; The log file for slow requests
; Default Value: not set
; Note: slowlog is mandatory if request_slowlog_timeout is set
;slowlog = log/$pool.log.slow
; The timeout for serving a single request after which a PHP backtrace will be
; dumped to the 'slowlog' file. A value of '0s' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_slowlog_timeout = 0
; Depth of slow log stack trace.
; Default Value: 20
;request_slowlog_trace_depth = 20
; The timeout for serving a single request after which the worker process will
; be killed. This option should be used when the 'max_execution_time' ini option
; does not stop script execution for some reason. A value of '0' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_terminate_timeout = 0
; Set open file descriptor rlimit.
; Default Value: system defined value
;rlimit_files = 1024
; Set max core size rlimit.
; Possible Values: 'unlimited' or an integer greater or equal to 0
; Default Value: system defined value
;rlimit_core = 0
; Chroot to this directory at the start. This value must be defined as an
; absolute path. When this value is not set, chroot is not used.
; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
; of its subdirectories. If the pool prefix is not set, the global prefix
; will be used instead.
; Note: chrooting is a great security feature and should be used whenever
; possible. However, all PHP paths will be relative to the chroot
; (error_log, sessions.save_path, ...).
; Default Value: not set
;chroot =
; Chdir to this directory at the start.
; Note: relative path can be used.
; Default Value: current directory or / when chroot
;chdir = /var/www
; Redirect worker stdout and stderr into main error log. If not set, stdout and
; stderr will be redirected to /dev/null according to FastCGI specs.
; Note: on highloaded environement, this can cause some delay in the page
; process time (several ms).
; Default Value: no
;catch_workers_output = yes
; Decorate worker output with prefix and suffix containing information about
; the child that writes to the log and if stdout or stderr is used as well as
; log level and time. This options is used only if catch_workers_output is yes.
; Settings to "no" will output data as written to the stdout or stderr.
; Default value: yes
;decorate_workers_output = no
; Clear environment in FPM workers
; Prevents arbitrary environment variables from reaching FPM worker processes
; by clearing the environment in workers before env vars specified in this
; pool configuration are added.
; Setting to "no" will make all environment variables available to PHP code
; via getenv(), $_ENV and $_SERVER.
; Default Value: yes
;clear_env = no
; Limits the extensions of the main script FPM will allow to parse. This can
; prevent configuration mistakes on the web server side. You should only limit
; FPM to .php extensions to prevent malicious users to use other extensions to
; execute php code.
; Note: set an empty value to allow all extensions.
; Default Value: .php
;security.limit_extensions = .php .php3 .php4 .php5 .php7
; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
; the current environment.
; Default Value: clean env
;env[HOSTNAME] = $HOSTNAME
;env[PATH] = /usr/local/bin:/usr/bin:/bin
;env[TMP] = /tmp
;env[TMPDIR] = /tmp
;env[TEMP] = /tmp
; Additional php.ini defines, specific to this pool of workers. These settings
; overwrite the values previously defined in the php.ini. The directives are the
; same as the PHP SAPI:
; php_value/php_flag - you can set classic ini defines which can
; be overwritten from PHP call 'ini_set'.
; php_admin_value/php_admin_flag - these directives won't be overwritten by
; PHP call 'ini_set'
; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
; Defining 'extension' will load the corresponding shared extension from
; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
; overwrite previously defined php.ini values, but will append the new value
; instead.
; Note: path INI options can be relative and will be expanded with the prefix
; (pool, global or /usr)
; Default Value: nothing is defined by default except the values in php.ini and
; specified at startup with the -d argument
;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
;php_flag[display_errors] = off
;php_admin_value[error_log] = /var/log/fpm-php.www.log
;php_admin_flag[log_errors] = on
;php_admin_value[memory_limit] = 32M

561
roles/php-fpm/templates/php7.4-php.ini.j2 → roles/php-fpm/templates/php8.2-php.ini.j2
View File

File diff suppressed because it is too large Load Diff

98
roles/php-fpm/templates/php7.4-pool.conf.j2 → roles/php-fpm/templates/php8.2-pool.conf.j2
View File

@ -19,11 +19,16 @@
; Default Value: none ; Default Value: none
;prefix = /path/to/pools/$pool ;prefix = /path/to/pools/$pool
; Unix user/group of processes ; Unix user/group of the child processes. This can be used only if the master
; Note: The user is mandatory. If the group is not set, the default user's group ; process running user is root. It is set after the child process is created.
; will be used. ; The user and group can be specified either by their name or by their numeric
user = nginx ; IDs.
group = nginx ; Note: If the user is root, the executable needs to be started with
; --allow-to-run-as-root option to work.
; Default Values: The user is set to master process running user by default.
; If the group is not set, the user's group is used.
user = {{ webserver }}
group = {{ webserver }}
; The address on which to accept FastCGI requests. ; The address on which to accept FastCGI requests.
; Valid syntaxes are: ; Valid syntaxes are:
@ -35,20 +40,22 @@ group = nginx
; (IPv6 and IPv4-mapped) on a specific port; ; (IPv6 and IPv4-mapped) on a specific port;
; '/path/to/unix/socket' - to listen on a unix socket. ; '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory. ; Note: This value is mandatory.
listen = /run/php/php7.4-fpm-{{ domain_name }}.sock listen = /run/php/php8.2-fpm-{{ domain_name }}.sock
; Set listen(2) backlog. ; Set listen(2) backlog.
; Default Value: 511 (-1 on FreeBSD and OpenBSD) ; Default Value: 511 (-1 on Linux, FreeBSD and OpenBSD)
;listen.backlog = 511 ;listen.backlog = 511
; Set permissions for unix socket, if one is used. In Linux, read/write ; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many ; permissions must be set in order to allow connections from a web server. Many
; BSD-derived systems allow connections regardless of permissions. ; BSD-derived systems allow connections regardless of permissions. The owner
; Default Values: user and group are set as the running user ; and group can be specified either by name or by their numeric IDs.
; mode is set to 0660 ; Default Values: Owner is set to the master process running user. If the group
listen.owner = nginx ; is not set, the owner's group is used. Mode is set to 0660.
listen.group = nginx listen.owner = {{ webserver }}
listen.group = {{ webserver }}
;listen.mode = 0660 ;listen.mode = 0660
; When POSIX Access Control Lists are supported you can set them using ; When POSIX Access Control Lists are supported you can set them using
; these options, value is a comma separated list of user/group names. ; these options, value is a comma separated list of user/group names.
; When set, listen.owner and listen.group are ignored ; When set, listen.owner and listen.group are ignored
@ -63,6 +70,10 @@ listen.group = nginx
; Default Value: any ; Default Value: any
;listen.allowed_clients = 127.0.0.1 ;listen.allowed_clients = 127.0.0.1
; Set the associated the route table (FIB). FreeBSD only
; Default Value: -1
;listen.setfib = 1
; Specify the nice(2) priority to apply to the pool processes (only if set) ; Specify the nice(2) priority to apply to the pool processes (only if set)
; The value can vary from -19 (highest priority) to 20 (lower priority) ; The value can vary from -19 (highest priority) to 20 (lower priority)
; Note: - It will only work if the FPM master process is launched as root ; Note: - It will only work if the FPM master process is launched as root
@ -71,8 +82,9 @@ listen.group = nginx
; Default Value: no set ; Default Value: no set
; process.priority = -19 ; process.priority = -19
; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user ; Set the process dumpable flag (PR_SET_DUMPABLE prctl for Linux or
; or group is differrent than the master process user. It allows to create process ; PROC_TRACE_CTL procctl for FreeBSD) even if the process user
; or group is different than the master process user. It allows to create process
; core dump and ptrace the process for the pool user. ; core dump and ptrace the process for the pool user.
; Default Value: no ; Default Value: no
; process.dumpable = yes ; process.dumpable = yes
@ -94,6 +106,8 @@ listen.group = nginx
; state (waiting to process). If the number ; state (waiting to process). If the number
; of 'idle' processes is greater than this ; of 'idle' processes is greater than this
; number then some children will be killed. ; number then some children will be killed.
; pm.max_spawn_rate - the maximum number of rate to spawn child
; processes at once.
; ondemand - no children are created at startup. Children will be forked when ; ondemand - no children are created at startup. Children will be forked when
; new requests will connect. The following parameter are used: ; new requests will connect. The following parameter are used:
; pm.max_children - the maximum number of children that ; pm.max_children - the maximum number of children that
@ -129,6 +143,12 @@ pm.min_spare_servers = 1
; Note: Mandatory when pm is set to 'dynamic' ; Note: Mandatory when pm is set to 'dynamic'
pm.max_spare_servers = 3 pm.max_spare_servers = 3
; The number of rate to spawn child processes at once.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
; Default Value: 32
;pm.max_spawn_rate = 32
; The number of seconds after which an idle process will be killed. ; The number of seconds after which an idle process will be killed.
; Note: Used only when pm is set to 'ondemand' ; Note: Used only when pm is set to 'ondemand'
; Default Value: 10s ; Default Value: 10s
@ -141,7 +161,7 @@ pm.max_spare_servers = 3
;pm.max_requests = 500 ;pm.max_requests = 500
; The URI to view the FPM status page. If this value is not set, no URI will be ; The URI to view the FPM status page. If this value is not set, no URI will be
; recognized as a status page. It shows the following informations: ; recognized as a status page. It shows the following information:
; pool - the name of the pool; ; pool - the name of the pool;
; process manager - static, dynamic or ondemand; ; process manager - static, dynamic or ondemand;
; start time - the date and time FPM has started; ; start time - the date and time FPM has started;
@ -231,7 +251,7 @@ pm.max_spare_servers = 3
; last request memory: 0 ; last request memory: 0
; ;
; Note: There is a real-time FPM status monitoring sample web page available ; Note: There is a real-time FPM status monitoring sample web page available
; It's available in: /usr/share/php/7.4/fpm/status.html ; It's available in: /usr/share/php/8.2/fpm/status.html
; ;
; Note: The value must start with a leading slash (/). The value can be ; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it ; anything, but it may not be a good idea to use the .php extension or it
@ -239,6 +259,22 @@ pm.max_spare_servers = 3
; Default Value: not set ; Default Value: not set
;pm.status_path = /status ;pm.status_path = /status
; The address on which to accept FastCGI status request. This creates a new
; invisible pool that can handle requests independently. This is useful
; if the main pool is busy with long running requests because it is still possible
; to get the status before finishing the long running requests.
;
; Valid syntaxes are:
; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
; a specific port;
; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
; a specific port;
; 'port' - to listen on a TCP socket to all addresses
; (IPv6 and IPv4-mapped) on a specific port;
; '/path/to/unix/socket' - to listen on a unix socket.
; Default Value: value of the listen option
;pm.status_listen = 127.0.0.1:9001
; The ping URI to call the monitoring page of FPM. If this value is not set, no ; The ping URI to call the monitoring page of FPM. If this value is not set, no
; URI will be recognized as a ping page. This could be used to test from outside ; URI will be recognized as a ping page. This could be used to test from outside
; that FPM is alive and responding, or to ; that FPM is alive and responding, or to
@ -271,13 +307,13 @@ pm.max_spare_servers = 3
; %d: time taken to serve the request ; %d: time taken to serve the request
; it can accept the following format: ; it can accept the following format:
; - %{seconds}d (default) ; - %{seconds}d (default)
; - %{miliseconds}d ; - %{milliseconds}d
; - %{mili}d ; - %{milli}d
; - %{microseconds}d ; - %{microseconds}d
; - %{micro}d ; - %{micro}d
; %e: an environment variable (same as $_ENV or $_SERVER) ; %e: an environment variable (same as $_ENV or $_SERVER)
; it must be associated with embraces to specify the name of the env ; it must be associated with embraces to specify the name of the env
; variable. Some exemples: ; variable. Some examples:
; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e ; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e ; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
; %f: script filename ; %f: script filename
@ -306,14 +342,30 @@ pm.max_spare_servers = 3
; %s: status (response code) ; %s: status (response code)
; %t: server time the request was received ; %t: server time the request was received
; it can accept a strftime(3) format: ; it can accept a strftime(3) format:
; The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag ; The strftime(3) format must be encapsulated in a %{<strftime_format>}t tag
; %T: time the log has been written (the request has finished) ; %T: time the log has been written (the request has finished)
; it can accept a strftime(3) format: ; it can accept a strftime(3) format:
; The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag ; The strftime(3) format must be encapsulated in a %{<strftime_format>}t tag
; %u: remote user ; %u: remote user
; ;
; Default: "%R - %u %t \"%m %r\" %s" ; Default: "%R - %u %t \"%m %r\" %s"
;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%" ;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{milli}d %{kilo}M %C%%"
; A list of request_uri values which should be filtered from the access log.
;
; As a security precuation, this setting will be ignored if:
; - the request method is not GET or HEAD; or
; - there is a request body; or
; - there are query parameters; or
; - the response code is outwith the successful range of 200 to 299
;
; Note: The paths are matched against the output of the access.format tag "%r".
; On common configurations, this may look more like SCRIPT_NAME than the
; expected pre-rewrite URI.
;
; Default Value: not set
;access.suppress_path[] = /ping
;access.suppress_path[] = /health_check.php
; The log file for slow requests ; The log file for slow requests
; Default Value: not set ; Default Value: not set
@ -372,7 +424,7 @@ pm.max_spare_servers = 3
; Redirect worker stdout and stderr into main error log. If not set, stdout and ; Redirect worker stdout and stderr into main error log. If not set, stdout and
; stderr will be redirected to /dev/null according to FastCGI specs. ; stderr will be redirected to /dev/null according to FastCGI specs.
; Note: on highloaded environement, this can cause some delay in the page ; Note: on highloaded environment, this can cause some delay in the page
; process time (several ms). ; process time (several ms).
; Default Value: no ; Default Value: no
;catch_workers_output = yes ;catch_workers_output = yes

7
site.yml
View File

@ -1,7 +1,10 @@
--- ---
# file: site.yml # file: site.yml
- import_playbook: nomads.yml - name: Import nomads playbook
- import_playbook: web.yml ansible.builtin.import_playbook: nomads.yml
- name: Import web playbook
ansible.builtin.import_playbook: web.yml
# vim: set sw=2 ts=2: # vim: set sw=2 ts=2:

7
web.yml
View File

@ -3,11 +3,12 @@
- name: Configure web servers - name: Configure web servers
hosts: web hosts: web
become: yes become: true
roles: roles:
- common - common
- mariadb - { role: mariadb, when: mariadb_databases is defined}
- nginx - { role: nginx, when: webserver is defined and webserver == 'nginx' }
- { role: caddy, when: webserver is defined and webserver == 'caddy' }
- php-fpm - php-fpm
- munin - munin
vars_files: vars_files: