branko
MAR-218: Update the get_url invocation to use the new checksum attribute.
---

# Web server package. The tasks below assume Debian's nginx layout
# (/etc/nginx/nginx.conf, conf.d/, sites-available/, sites-enabled/).
- name: Install nginx
  ansible.builtin.apt:
    state: present
    name: nginx

# Adds www-data to ssl-cert as a supplementary group (append keeps its
# existing groups). On Debian /etc/ssl/private is typically group ssl-cert
# with traverse-only group permission, which is what the task name refers to.
# NOTE(review): the key and DH file this role puts there are root:root 0640,
# so www-data still cannot read them, and nginx's root master process is what
# loads them at startup. Confirm another consumer on the host actually needs
# this membership — otherwise it widens www-data's reach for no benefit.
- name: Allow nginx user to traverse the directory with TLS private keys
  ansible.builtin.user:
    name: www-data
    groups: ssl-cert
    append: true
  notify:
    - Restart nginx

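# Writes the private key from a variable. The copy module prints the content
# it writes in --diff and verbose runs and hands it to callback plugins, so
# task logging is suppressed here to keep key material out of logs.
# Key stays root-only readable (root:root 0640); nginx's master process runs
# as root and reads it at startup.
- name: Deploy nginx TLS private key
  ansible.builtin.copy:
    dest: "/etc/ssl/private/{{ ansible_fqdn }}_https.key"
    content: "{{ default_https_tls_key }}"
    mode: "0640"
    owner: root
    group: root
  no_log: true
  notify:
    - Restart nginx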

# The certificate is public data, so world-readable (0644) is fine; the
# companion private key above is deployed root-only.
- name: Deploy nginx TLS certificate
  ansible.builtin.copy:
    content: '{{ default_https_tls_certificate }}'
    dest: '/etc/ssl/certs/{{ ansible_fqdn }}_https.pem'
    owner: root
    group: root
    mode: '0644'
  notify:
    - Restart nginx

# 2048-bit DH parameters for the TLS config, kept next to the private key and
# root-only readable. Presumably referenced from tls.conf.j2 — confirm there.
- name: Generate the HTTPS server Diffie-Hellman parameter
  community.crypto.openssl_dhparam:
    path: '/etc/ssl/private/{{ ansible_fqdn }}_https.dh.pem'
    size: 2048
    owner: root
    group: root
    mode: '0640'
  notify:
    - Restart nginx

# Registers the deployed certificate path with the host's certificate
# expiry check; the file's whole content is just that path.
- name: Deploy configuration file for checking certificate validity via cron
  ansible.builtin.copy:
    dest: '/etc/check_certificate/{{ ansible_fqdn }}_https.conf'
    content: '/etc/ssl/certs/{{ ansible_fqdn }}_https.pem'
    mode: '0644'
    owner: root
    group: root

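# Strips any ssl_protocols line from the distribution nginx.conf so the
# role's conf.d/tls.conf (deployed next) is the only place the protocol set
# is defined — nginx rejects the directive when it is repeated in one context.
# `backrefs` only has meaning with state=present, so it is dropped here;
# `path` is the canonical name for the file argument.
- name: Remove TLS protocol configuration from the main configuration file
  ansible.builtin.lineinfile:
    path: "/etc/nginx/nginx.conf"
    regexp: "^\\s*ssl_protocols"
    state: absent
  notify:
    - Restart nginx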

# Protocol/cipher policy lives in a drop-in under conf.d (included from the
# http context). Quoting normalised to match the rest of the file.
- name: Harden TLS by allowing only TLSv1.2 and PFS ciphers
  ansible.builtin.template:
    src: tls.conf.j2
    dest: /etc/nginx/conf.d/tls.conf
    owner: root
    group: root
    mode: '0644'
  notify:
    - Restart nginx

# Helper used as the `validate` command for vhost templates below; must be
# in place before any task that references it.
- name: Deploy script for verification of nginx vhost configurations
  ansible.builtin.copy:
    dest: '/usr/local/bin/nginx_verify_site.sh'
    src: 'nginx_verify_site.sh'
    mode: '0755'
    owner: root
    group: root

# The rendered file is only installed if the validate command exits 0; %s is
# replaced by the temporary path of the rendered template.
- name: Deploy default vhost configuration
  ansible.builtin.template:
    dest: '/etc/nginx/sites-available/default'
    src: 'nginx-default.j2'
    validate: '/usr/local/bin/nginx_verify_site.sh -n default %s'
    owner: root
    group: root
    mode: '0640'
  notify:
    - Restart nginx

# Debian-style activation: symlink from sites-enabled to sites-available.
- name: Enable default website
  ansible.builtin.file:
    state: link
    dest: '/etc/nginx/sites-enabled/default'
    src: '/etc/nginx/sites-available/default'
  notify:
    - Restart nginx

# ferm fragment opening the web ports; ferm is reloaded via its handler.
- name: Deploy firewall configuration for web server
  ansible.builtin.copy:
    dest: '/etc/ferm/conf.d/30-web.conf'
    src: 'ferm_http.conf'
    mode: '0640'
    owner: root
    group: root
  notify:
    - Restart ferm

# Removes the stock docroot shipped by the Debian package. state=absent on
# the directory removes it recursively, so anything an operator placed under
# /var/www/html/ goes with it; the explicit index entry is covered by the
# directory entry as well.
- name: Remove the default Debian html files
  ansible.builtin.file:
    state: absent
    path: '{{ item }}'
  with_items:
    - /var/www/html/index.nginx-debian.html
    - /var/www/html/

# Docroot for the default site: writable by root only, readable by the
# www-data group the nginx workers run as.
- name: Create directory for storing the default website page
  ansible.builtin.file:
    state: directory
    path: '/var/www/default/'
    mode: '0750'
    owner: root
    group: www-data

# Landing page for the default vhost; same root:www-data ownership as its
# directory. dest quoted to match the rest of the file.
- name: Deploy the default index.html
  ansible.builtin.template:
    dest: '/var/www/default/index.html'
    src: 'index.html.j2'
    mode: '0640'
    owner: root
    group: www-data

# Start now and on boot. Config changes above are picked up via the
# "Restart nginx" handler, not by this task.
- name: Enable nginx service
  ansible.builtin.service:
    state: started
    enabled: true
    name: nginx

# Tooling expected by per-site Python (WSGI) deployments.
- name: Install base packages for Python web applications
  ansible.builtin.apt:
    state: present
    name:
      - python3-setuptools
      - virtualenv
      - virtualenvwrapper

# PHP-FPM package name varies by release, so it comes from a role variable.
- name: Install base packages for PHP web applications
  ansible.builtin.apt:
    state: present
    name: '{{ php_fpm_package_name }}'

# Runtime socket directories for WSGI and PHP sites. /run is tmpfs, so the
# tmpfiles.d entries in the next task recreate these with the same
# 0750 root:www-data settings on boot — keep the two in sync.
- name: Create directories for storing per-site socket files
  ansible.builtin.file:
    state: directory
    path: '/run/{{ item }}'
    mode: '0750'
    owner: root
    group: www-data
  with_items:
    - wsgi
    - php

# systemd-tmpfiles entries mirroring the previous task (mode 0750,
# root:www-data). The PHP entry is named after the service so it lines up
# with the distribution's own PHP-FPM tmpfiles snippet.
- name: Create directories for storing per-site socket files on boot
  ansible.builtin.copy:
    dest: '/etc/tmpfiles.d/{{ item.tmpfiles_d }}'
    content: 'd /run/{{ item.socket_dir }}/ 0750 root www-data - -'
    mode: '0644'
    owner: root
    group: root
  with_items:
    - tmpfiles_d: 'wsgi.conf'
      socket_dir: wsgi
    - tmpfiles_d: '{{ php_fpm_service_name }}.conf'
      socket_dir: php

# systemd drop-in directory for the PHP-FPM unit (holds umask.conf below).
- name: Create directory for storing PHP-FPM service configuration overrides
  ansible.builtin.file:
    state: directory
    path: '/etc/systemd/system/{{ php_fpm_service_name }}.service.d/'
    mode: '0755'
    owner: root
    group: root

# Unit override setting umask 0007 for PHP-FPM — presumably so files and
# sockets it creates are group-accessible but closed to "other"; confirm
# against php_fpm_umask.conf. systemd must be reloaded before the restart
# picks up the drop-in, hence both handlers.
- name: Configure PHP-FPM service to run with umask 0007
  ansible.builtin.copy:
    dest: '/etc/systemd/system/{{ php_fpm_service_name }}.service.d/umask.conf'
    src: 'php_fpm_umask.conf'
    mode: '0644'
    owner: root
    group: root
  notify:
    - Reload systemd
    - Restart PHP-FPM

# Start PHP-FPM now and on boot.
- name: Enable service used for running PHP web applications
  ansible.builtin.service:
    state: started
    enabled: true
    name: '{{ php_fpm_service_name }}'

# slurp returns the file base64-encoded in server_timezone.content; the
# consuming template (php_timezone.ini.j2) is expected to decode it —
# confirm there.
- name: Read timezone on server
  register: server_timezone
  ansible.builtin.slurp:
    src: '/etc/timezone'

# Same timezone ini dropped into both the CLI and FPM conf.d directories
# so command-line and web PHP agree.
- name: Configure timezone for PHP
  ansible.builtin.template:
    dest: '{{ item }}/30-timezone.ini'
    src: 'php_timezone.ini.j2'
    mode: '0644'
    owner: root
    group: root
  with_items:
    - '{{ php_base_config_dir }}/cli/conf.d/'
    - '{{ php_base_config_dir }}/fpm/conf.d/'
  notify:
    - Restart PHP-FPM

# Opt-in escape hatch: with -e run_handlers=true (or the "handlers" tag) the
# handler file is included as ordinary tasks, forcing every restart/reload
# regardless of whether anything changed.
- name: Explicitly run all handlers
  tags:
    - handlers
  when: "run_handlers | default(False) | bool()"
  ansible.builtin.include_tasks: ../handlers/main.yml