branko
MAR-181: Drop support for Debian 9 Stretch from the xmpp_server role:

- Switch to using IPs from VirtualBox default allowed host-only
network subnets.
- Drop Stretch-specific workarounds, code, and tests.
---

# Make sure the nginx package itself is present before anything is configured.
- name: Install nginx
  apt:
    state: present
    name: nginx

# Put www-data into the ssl-cert group; `append: true` keeps the account's
# existing group memberships intact.
- name: Allow nginx user to traverse the directory with TLS private keys
  user:
    groups: ssl-cert
    append: true
    name: www-data
  notify:
    - Restart nginx

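# Write the HTTPS private key for this host. The file is readable by root
# only (root:root, 0640); no_log keeps the key material out of task output
# and --diff output.
- name: Deploy nginx TLS private key
  copy:
    dest: "/etc/ssl/private/{{ ansible_fqdn }}_https.key"
    content: "{{ default_https_tls_key }}"
    mode: "0640"  # quoted: a bare 0640 is octal in YAML 1.1 but decimal in 1.2
    owner: root
    group: root
  no_log: true
  notify:
    - Restart nginx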

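# Write the HTTPS certificate (public material, hence world-readable 0644).
- name: Deploy nginx TLS certificate
  copy:
    dest: "/etc/ssl/certs/{{ ansible_fqdn }}_https.pem"
    content: "{{ default_https_tls_certificate }}"
    mode: "0644"  # quoted so the octal mode is parser-independent
    owner: root
    group: root
  notify:
    - Restart nginx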

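# Generate a 2048-bit DH parameter file alongside the private key, with the
# same root-only permissions (root:root, 0640).
- name: Generate the HTTPS server Diffie-Hellman parameter
  openssl_dhparam:
    owner: root
    group: root
    mode: "0640"  # quoted so the octal mode is parser-independent
    path: "/etc/ssl/private/{{ ansible_fqdn }}_https.dh.pem"
    size: 2048
  notify:
    - Restart nginx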

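# Record the path of the deployed certificate in a per-host .conf file;
# presumably consumed by the certificate-validity cron job named in the task.
- name: Deploy configuration file for checking certificate validity via cron
  copy:
    content: "/etc/ssl/certs/{{ ansible_fqdn }}_https.pem"
    dest: "/etc/check_certificate/{{ ansible_fqdn }}_https.conf"
    owner: root
    group: root
    mode: "0644"  # quoted so the octal mode is parser-independent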

# Strip any ssl_protocols directive from nginx.conf so it cannot conflict
# with the dedicated TLS settings deployed to /etc/nginx/conf.d/tls.conf.
- name: Remove TLS protocol configuration from the main configuration file
  lineinfile:
    state: absent
    regexp: "^\\s*ssl_protocols"
    backrefs: true
    dest: "/etc/nginx/nginx.conf"
  notify:
    - Restart nginx

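# Render the TLS protocol/cipher policy into conf.d; the actual directives
# live in tls.conf.j2 (not shown here).
- name: Harden TLS by allowing only TLSv1.2 and PFS ciphers
  template:
    dest: "/etc/nginx/conf.d/tls.conf"
    src: "tls.conf.j2"
    owner: "root"
    group: "root"
    mode: "0644"  # quoted so the octal mode is parser-independent
  notify:
    - Restart nginx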

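# Install the vhost verification helper; later tasks pass it as `validate`.
- name: Deploy script for verification of nginx vhost configurations
  copy:
    src: "nginx_verify_site.sh"
    dest: "/usr/local/bin/nginx_verify_site.sh"
    owner: root
    group: root
    mode: "0755"  # quoted so the octal mode is parser-independent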

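# Render the default vhost. `validate` runs the verification script against
# the rendered temp file (%s) before the live file is replaced, so a broken
# template never reaches sites-available.
- name: Deploy default vhost configuration
  template:
    src: "nginx-default.j2"
    dest: "/etc/nginx/sites-available/default"
    owner: root
    group: root
    mode: "0640"  # quoted so the octal mode is parser-independent
    validate: "/usr/local/bin/nginx_verify_site.sh -n default %s"
  notify:
    - Restart nginx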

# Activate the default vhost by symlinking it into sites-enabled.
- name: Enable default website
  file:
    state: link
    dest: "/etc/nginx/sites-enabled/default"
    src: "/etc/nginx/sites-available/default"
  notify:
    - Restart nginx

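# Drop the ferm rules for the web server into conf.d; ferm is restarted
# via handler so the rules take effect.
- name: Deploy firewall configuration for web server
  copy:
    src: "ferm_http.conf"
    dest: "/etc/ferm/conf.d/30-web.conf"
    owner: root
    group: root
    mode: "0640"  # quoted so the octal mode is parser-independent
  notify:
    - Restart ferm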

# Remove the stock Debian docroot. `state: absent` on the directory removes
# it recursively; the index file is listed first so it is gone either way.
- name: Remove the default Debian html files
  file:
    state: absent
    path: "{{ item }}"
  with_items:
    - /var/www/html/index.nginx-debian.html
    - /var/www/html/

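# Docroot for the default site: root-owned, group www-data so nginx workers
# can read it, no access for others.
- name: Create directory for storing the default website page
  file:
    path: "/var/www/default/"
    state: directory
    owner: root
    group: www-data
    mode: "0750"  # quoted so the octal mode is parser-independent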

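# Render the landing page with the same root:www-data ownership as its docroot.
- name: Deploy the default index.html
  template:
    src: "index.html.j2"
    dest: /var/www/default/index.html
    owner: root
    group: www-data
    mode: "0640"  # quoted so the octal mode is parser-independent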

# Start nginx now and enable it at boot.
- name: Enable nginx service
  service:
    state: started
    enabled: true
    name: nginx

# Tooling for Python web apps: setuptools for both interpreter generations
# plus virtualenv and virtualenvwrapper.
# NOTE(review): python-setuptools is the Python 2 package name on Debian;
# confirm it still exists on every release this role targets.
- name: Install base packages for Python web applications
  apt:
    state: present
    name:
      - python-setuptools
      - python3-setuptools
      - virtualenv
      - virtualenvwrapper

# PHP-FPM package; the name is a role variable so it can track the distro's
# PHP version.
- name: Install base packages for PHP web applications
  apt:
    state: present
    name: "{{ php_fpm_package_name }}"

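# Runtime socket directories for WSGI and PHP sites: root-owned, group
# www-data, no access for others.
- name: Create directories for storing per-site socket files
  file:
    path: "/run/{{ item }}"
    state: directory
    owner: root
    group: www-data
    mode: "0750"  # quoted so the octal mode is parser-independent
  with_items:
    - wsgi
    - php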

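# /run is volatile, so mirror the socket directories in tmpfiles.d. The
# "0750 root www-data" line matches the directory task above, keeping
# permissions identical after a reboot.
- name: Create directories for storing per-site socket files on boot
  copy:
    content: "d /run/{{ item.socket_dir }}/ 0750 root www-data - -"
    dest: "/etc/tmpfiles.d/{{ item.tmpfiles_d }}"
    owner: root
    group: root
    mode: "0644"  # quoted so the octal mode is parser-independent
  with_items:
    - socket_dir: wsgi
      tmpfiles_d: "wsgi.conf"
    - socket_dir: php
      tmpfiles_d: "{{ php_fpm_service_name }}.conf"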

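# systemd drop-in directory for the PHP-FPM unit.
- name: Create directory for storing PHP-FPM service configuration overrides
  file:
    path: "/etc/systemd/system/{{ php_fpm_service_name }}.service.d/"
    state: directory
    owner: root
    group: root
    mode: "0755"  # quoted so the octal mode is parser-independent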

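# Drop-in that sets the PHP-FPM umask (content lives in php_fpm_umask.conf,
# not shown here). systemd must be reloaded before the unit restart picks
# up the new drop-in, hence both handlers.
- name: Configure PHP-FPM service to run with umask 0007
  copy:
    src: "php_fpm_umask.conf"
    dest: "/etc/systemd/system/{{ php_fpm_service_name }}.service.d/umask.conf"
    owner: root
    group: root
    mode: "0644"  # quoted so the octal mode is parser-independent
  notify:
    - Reload systemd
    - Restart PHP-FPM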

# Start PHP-FPM now and enable it at boot.
- name: Enable service used for running PHP web applications
  service:
    state: started
    enabled: true
    name: "{{ php_fpm_service_name }}"

# Capture the system timezone as server_timezone; presumably consumed by
# php_timezone.ini.j2 in the following task.
- name: Read timezone on server
  register: server_timezone
  slurp:
    src: "/etc/timezone"

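# Render the PHP timezone override into both the CLI and FPM conf.d trees.
- name: Configure timezone for PHP
  template:
    src: "php_timezone.ini.j2"
    dest: "{{ item }}/30-timezone.ini"
    owner: root
    group: root
    mode: "0644"  # quoted so the octal mode is parser-independent
  with_items:
    - "{{ php_base_config_dir }}/cli/conf.d/"
    - "{{ php_base_config_dir }}/fpm/conf.d/"
  notify:
    - Restart PHP-FPM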

# Force every handler in this role to run when run_handlers is set (it
# defaults to false); selectable on its own via the "handlers" tag.
# NOTE(review): the bare `include` keyword is deprecated in newer Ansible;
# `include_tasks`/`import_tasks` differ in how tags propagate to the
# included file, so re-check the handlers tag when migrating.
- name: Explicitly run all handlers
  tags:
    - handlers
  when: "run_handlers | default(False) | bool()"
  include: ../handlers/main.yml