majic-ansible-roles Files · roles/web

Files @ 17cf34f73ca6

Branch filter:

Location: majic-ansible-roles/roles/web_server/tasks/main.yml

17cf34f73ca6 4.3 KiB text/x-yaml Show Annotation Show as Raw Download as Raw

branko

MAR-28: Implemented additional tests for mail_server role:

- Deploy a number of tools on clients in order to test SMTP, IMAP, and Sieve
services.
- Added one more user to LDAP directory for testing group restrictions.
- Deploy CA certificate on all testing machines for TLS validation purposes.
- Use different custom-configured cipher for mail server ciphers.
- Fixed invalid postmaster address for parameters-optional host.
- Deploy configuration files for use with Imap-CLI on client test machines.
- Updated testing of SMTP server to include checks for users that do not belong
to mail group.
- Extended some SMTP-related tests to cover both test servers.
- Some small fixes in SMTP-related tests for expected output from commands.
- Implemented tests covering Dovecot (IMAP + Sieve) functionality.
- Implemented tests for running/enabled services.
- Implemented tests for ClamAV.
- Implemented tests for firewall and connectivity.
- Implemented tests for Postfix TLS configuration.
- TODO: Tests for Sieve TLS configuration have not been written yet due to
limitation of available tools.

---

- name: Install nginx
  apt: name=nginx state=installed

- name: Allow nginx user to traverse the directory with TLS private keys
  user: name=www-data append=yes groups=ssl-cert
  notify:
    - Restart nginx

- name: Deploy nginx TLS private key
  copy: dest="/etc/ssl/private/{{ ansible_fqdn }}_https.key" content="{{ default_https_tls_key }}"
        mode=640 owner=root group=root
  notify:
    - Restart nginx

- name: Deploy nginx TLS certificate
  copy: dest="/etc/ssl/certs/{{ ansible_fqdn }}_https.pem" content="{{ default_https_tls_certificate }}"
        mode=644 owner=root group=root
  notify:
    - Restart nginx

- name: Deploy configuration file for checking certificate validity via cron
  copy: content="/etc/ssl/certs/{{ ansible_fqdn }}_https.pem" dest="/etc/check_certificate/{{ ansible_fqdn }}_https.conf"
        owner=root group=root mode=644

- name: Remove TLS protocol configuration from the main configuration file
  lineinfile: dest="/etc/nginx/nginx.conf" backrefs=yes regexp="^\s*ssl_protocols" state=absent
  notify:
    - Restart nginx

- name: Harden TLS by allowing only TLSv1.2 and PFS ciphers
  template: dest="/etc/nginx/conf.d/tls.conf" src="tls.conf.j2"
            owner="root" group="root" mode=644
  notify:
    - Restart nginx

- name: Deploy script for verification of nginx vhost configurations
  copy: src="nginx_verify_site.sh" dest="/usr/local/bin/nginx_verify_site.sh"
        owner=root group=root mode=755

- name: Deploy default vhost configuration
  template: src="nginx-default.j2" dest="/etc/nginx/sites-available/default"
             owner=root group=root mode=640 validate="/usr/local/bin/nginx_verify_site.sh -n default %s"
  notify:
    - Restart nginx

- name: Enable default website
  file: src="/etc/nginx/sites-available/default" dest="/etc/nginx/sites-enabled/default"
        state=link
  notify:
    - Restart nginx

- name: Deploy firewall configuration for web server
  copy: src="ferm_http.conf" dest="/etc/ferm/conf.d/30-web.conf" owner=root group=root mode=640
  notify:
    - Restart ferm

- name: Remove the default Debian html files
  file: path="{{ item }}" state=absent
  with_items:
    - /var/www/html/index.nginx-debian.html
    - /var/www/html/

- name: Create directory for storing the default website page
  file: path="/var/www/default/" state=directory
        owner=root group=www-data mode=750

- name: Deploy the default index.html
  template: src="index.html.j2" dest=/var/www/default/index.html
            owner=root group=www-data mode=640

- name: Enable nginx service
  service: name=nginx enabled=yes state=started

- name: Install base packages for Python web applications
  apt: name="{{ item }}" state=installed
  with_items:
    - virtualenv
    - virtualenvwrapper

- name: Create directories for storing per-site socket files
  file: path="{{ item }}" state="directory"
        owner="root" group="www-data" mode="750"
  with_items:
    - "/run/wsgi/"
    - "/run/php5-fpm/"

- name: Create directories for storing per-site socket files on boot
  copy: content="d /run/{{ item }}/ 0750 root www-data - -" dest="/etc/tmpfiles.d/{{ item }}.conf"
        owner="root" group="root" mode=644
  with_items:
    - wsgi
    - php5-fpm

- name: Install base packages for PHP web applications
  apt: name="{{ item }}" state=installed
  with_items:
    - php5-fpm

- name: Create directory for storing PHP FPM service configuration overrides
  file: path="/etc/systemd/system/php5-fpm.service.d/" state=directory
        owner=root group=root mode=755

- name: Configure php5-fpm service to run with umask 0007
  copy: src="php5_fpm_umask.conf" dest="/etc/systemd/system/php5-fpm.service.d/umask.conf"
        owner=root group=root mode=644
  notify:
    - Restart php5-fpm

- name: Enable service used for running PHP web applications
  service: name="php5-fpm" enabled=yes state=started

- name: Read timezone on server
  slurp: src=/etc/timezone
  register: server_timezone

- name: Configure timezone for PHP
  template: src="php_timezone.ini.j2" dest="{{ item }}/30-timezone.ini"
            owner=root group=root mode=644
  with_items:
    - /etc/php5/cli/conf.d/
    - /etc/php5/fpm/conf.d/
  notify:
    - Restart php5-fpm

- name: Explicitly run all handlers
  include: ../handlers/main.yml
  when: "handlers | default(False) | bool() == True"
  tags:
    - handlers