Ansible playbook for base and initial configuration of web server hosting my personal websites.
Go to file
Alan Orth c2a92269e4
roles/common: Add ipsets of abusive IPs to firewalld
This uses the ipsets feature of the Linux kernel to create lists of
IPs (though could be MACs, IP:port, etc) that we can block via the
existing firewalld zone we are already using. In my testing it works
on CentOS 7, Ubuntu 16.04, and Ubuntu 18.04.

The list of abusive IPs currently comes from HPC's systemd journal,
where I filtered for hosts that had attempted and failed to log in
over 100 times. The list is formatted with tidy, for example:

    $ tidy -xml -iq -m -w 0 roles/common/files/abusers-ipv4.xml

See: https://firewalld.org/2015/12/ipset-support
2019-10-05 12:28:30 +03:00
group_vars Update nginx cipher suite and TLS protocols 2019-07-23 17:53:22 +03:00
host_vars Remove web17 2019-09-26 18:11:20 +03:00
misc-plays misc-plays/change_password.yml: Use become 2017-10-14 14:20:34 +03:00
roles roles/common: Add ipsets of abusive IPs to firewalld 2019-10-05 12:28:30 +03:00
vars Import OS-specific vars from task in common role 2018-04-25 18:04:29 +03:00
.gitignore .gitignore: Ignore Vagrant directory 2015-05-24 23:00:48 +03:00
ansible.cfg ansible.cfg: Adjust ansible_managed template 2019-01-10 12:50:33 +02:00
LICENSE Add copy of GPLv3 license 2015-05-08 15:59:15 +03:00
Pipfile pipenv update 2019-01-10 08:07:09 +02:00
Pipfile.lock Pipfile.lock: Run pipenv update 2019-09-13 22:17:38 +03:00
README.md README.md: Update notes for Debian 10 2019-09-16 15:02:11 +03:00
site.yml Remove tor-relay stuff 2018-05-16 09:58:08 +03:00
web.yml Import OS-specific vars from task in common role 2018-04-25 18:04:29 +03:00

Ansible Playbook

Ansible playbook for base and initial configuration of the web server hosting my personal websites. After successful execution of this playbook, however, there is still some manual work to import databases, copy site content, etc.

Assumptions

Before you can run this, a few things are assumed:

  • You have a clean, minimal Debian 9, Ubuntu 16.04, Ubuntu 18.04, or Debian 10 host up and running
  • Python 2 or 3 is installed on the remote server (requirement of Ansible)
  • You have a user account with password-less SSH access to the machine
  • You have sudo privileges on the remote host
  • You have created a hosts file with something like:
[web]
web01

Use

Once you've satisfied the the above assumptions, you can execute:

$ ansible-playbook web.yml

Todo

License

Copyright (C) 2014 - 2019 Alan Orth

The contents of this repository are free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/.