branko
MAR-129: Updated backup_server tests to use the group_vars directory.
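---
# Tasks for the web_server role: install nginx, deploy the TLS key pair and a
# hardened TLS configuration, enable a default vhost and firewall rule, and
# prepare the host for Python (WSGI) and PHP (php5-fpm) web applications.
#
# Conventions: booleans are written as true/false and file modes as quoted
# strings so that the YAML loader cannot retype them (an unquoted 0640 is
# read as the integer 416).

- name: Install nginx
  apt:
    name: nginx
    # "installed" is a deprecated alias of "present".
    state: present

# The ssl-cert group owns /etc/ssl/private; membership lets www-data traverse it.
- name: Allow nginx user to traverse the directory with TLS private keys
  user:
    name: www-data
    append: true
    groups: ssl-cert
  notify:
    - Restart nginx

# no_log keeps the key material out of the task result, --diff output and any
# log callback. Failure details of this task are masked as well; if it fails,
# inspect the target host rather than the play output.
- name: Deploy nginx TLS private key
  copy:
    dest: "/etc/ssl/private/{{ ansible_fqdn }}_https.key"
    content: "{{ default_https_tls_key }}"
    mode: "0640"
    owner: root
    group: root
  no_log: true
  notify:
    - Restart nginx

- name: Deploy nginx TLS certificate
  copy:
    dest: "/etc/ssl/certs/{{ ansible_fqdn }}_https.pem"
    content: "{{ default_https_tls_certificate }}"
    mode: "0644"
    owner: root
    group: root
  notify:
    - Restart nginx

# The config file holds nothing but the path of the certificate to check.
- name: Deploy configuration file for checking certificate validity via cron
  copy:
    content: "/etc/ssl/certs/{{ ansible_fqdn }}_https.pem"
    dest: "/etc/check_certificate/{{ ansible_fqdn }}_https.conf"
    owner: root
    group: root
    mode: "0644"

# Any ssl_protocols line in nginx.conf would shadow the settings deployed in
# conf.d/tls.conf below, so it is removed first.
- name: Remove TLS protocol configuration from the main configuration file
  lineinfile:
    dest: "/etc/nginx/nginx.conf"
    backrefs: true
    regexp: "^\\s*ssl_protocols"
    state: absent
  notify:
    - Restart nginx

- name: Harden TLS by allowing only TLSv1.2 and PFS ciphers
  template:
    dest: "/etc/nginx/conf.d/tls.conf"
    src: "tls.conf.j2"
    owner: "root"
    group: "root"
    mode: "0644"
  notify:
    - Restart nginx

# Used as the "validate" command of the vhost templates below, so it has to be
# in place before any vhost is deployed.
- name: Deploy script for verification of nginx vhost configurations
  copy:
    src: "nginx_verify_site.sh"
    dest: "/usr/local/bin/nginx_verify_site.sh"
    owner: root
    group: root
    mode: "0755"

- name: Deploy default vhost configuration
  template:
    src: "nginx-default.j2"
    dest: "/etc/nginx/sites-available/default"
    owner: root
    group: root
    mode: "0640"
    # %s is replaced by the temporary file; a failing check aborts the deploy.
    validate: "/usr/local/bin/nginx_verify_site.sh -n default %s"
  notify:
    - Restart nginx

- name: Enable default website
  file:
    src: "/etc/nginx/sites-available/default"
    dest: "/etc/nginx/sites-enabled/default"
    state: link
  notify:
    - Restart nginx

- name: Deploy firewall configuration for web server
  copy:
    src: "ferm_http.conf"
    dest: "/etc/ferm/conf.d/30-web.conf"
    owner: root
    group: root
    mode: "0640"
  notify:
    - Restart ferm

# The file is listed before its directory so that both are removed.
- name: Remove the default Debian html files
  file:
    path: "{{ item }}"
    state: absent
  with_items:
    - /var/www/html/index.nginx-debian.html
    - /var/www/html/

- name: Create directory for storing the default website page
  file:
    path: "/var/www/default/"
    state: directory
    owner: root
    group: www-data
    mode: "0750"

- name: Deploy the default index.html
  template:
    src: "index.html.j2"
    dest: /var/www/default/index.html
    owner: root
    group: www-data
    mode: "0640"

- name: Enable nginx service
  service:
    name: nginx
    enabled: true
    state: started

- name: Install base packages for Python web applications
  apt:
    name: "{{ item }}"
    state: present
  with_items:
    - virtualenv
    - virtualenvwrapper

# Socket directories for the current boot; the tmpfiles.d entries below
# recreate them on subsequent boots.
- name: Create directories for storing per-site socket files
  file:
    path: "{{ item }}"
    state: directory
    owner: root
    group: www-data
    mode: "0750"
  with_items:
    - "/run/wsgi/"
    - "/run/php5-fpm/"

- name: Create directories for storing per-site socket files on boot
  copy:
    # systemd-tmpfiles line: type path mode user group age argument.
    content: "d /run/{{ item }}/ 0750 root www-data - -"
    dest: "/etc/tmpfiles.d/{{ item }}.conf"
    owner: root
    group: root
    mode: "0644"
  with_items:
    - wsgi
    - php5-fpm

- name: Install base packages for PHP web applications
  apt:
    name: "{{ item }}"
    state: present
  with_items:
    - php5-fpm

- name: Create directory for storing PHP FPM service configuration overrides
  file:
    path: "/etc/systemd/system/php5-fpm.service.d/"
    state: directory
    owner: root
    group: root
    mode: "0755"

# Drop-in unit override; the umask value itself lives in php5_fpm_umask.conf.
- name: Configure php5-fpm service to run with umask 0007
  copy:
    src: "php5_fpm_umask.conf"
    dest: "/etc/systemd/system/php5-fpm.service.d/umask.conf"
    owner: root
    group: root
    mode: "0644"
  notify:
    - Restart php5-fpm

- name: Enable service used for running PHP web applications
  service:
    name: "php5-fpm"
    enabled: true
    state: started

# Registered for the PHP timezone template below (presumably read by
# php_timezone.ini.j2; the template is not part of this file).
- name: Read timezone on server
  slurp:
    src: "/etc/timezone"
  register: server_timezone

- name: Configure timezone for PHP
  template:
    src: "php_timezone.ini.j2"
    dest: "{{ item }}/30-timezone.ini"
    owner: root
    group: root
    mode: "0644"
  with_items:
    - /etc/php5/cli/conf.d/
    - /etc/php5/fpm/conf.d/
  notify:
    - Restart php5-fpm

# Runs the handler tasks as ordinary tasks when the play sets the "handlers"
# variable to a truthy value (e.g. -e handlers=true); otherwise it is skipped.
- name: Explicitly run all handlers
  include: ../handlers/main.yml
  when: "handlers | default(False) | bool"
  tags:
    - handlers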