---

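# Install nginx from the distribution repositories.
- name: Install nginx
  apt:
    name: nginx
    # 'present' rather than the old 'installed' alias, which newer
    # releases of the apt module no longer accept as a valid state.
    state: present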

# Make www-data a member of ssl-cert so it can enter /etc/ssl/private.
# NOTE(review): the key deployed by this role is root:root 0640, so this
# membership does not make *that* key readable by www-data.  What it does
# grant is read access to anything in /etc/ssl/private that is group-readable
# by ssl-cert (on Debian that presumably includes the snakeoil key — confirm).
# Since the existing 0640 root:root permission already relies on nginx
# loading the key as root, confirm a www-data process (nginx worker, PHP or
# WSGI app) actually needs this before keeping it.
- name: Allow nginx user to traverse the directory with TLS private keys
  user:
    name: www-data
    groups: ssl-cert
    append: true
  notify:
    - Restart nginx

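# Write the HTTPS private key for this host.  It is deliberately root-only
# (0640 root:root): www-data has no access, so the key is presumably read by
# the nginx master process while it still runs as root.
- name: Deploy nginx TLS private key
  copy:
    dest: "/etc/ssl/private/{{ ansible_fqdn }}_https.key"
    content: "{{ default_https_tls_key }}"
    owner: root
    group: root
    mode: "0640"
  # Keep the key material out of task results, --diff output and logs;
  # without this the full key is printed whenever the content changes.
  no_log: true
  notify:
    - Restart nginx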

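# Write the HTTPS certificate (public, hence world-readable 0644).
- name: Deploy nginx TLS certificate
  copy:
    dest: "/etc/ssl/certs/{{ ansible_fqdn }}_https.pem"
    content: "{{ default_https_tls_certificate }}"
    owner: root
    group: root
    mode: "0644"
    # Refuse to install a certificate that does not parse, so a bad variable
    # value cannot take the site down on the subsequent nginx restart.
    # Assumes the openssl CLI is present (the ssl-cert group used above is
    # provided by the ssl-cert package, which depends on it — confirm).
    validate: "openssl x509 -noout -in %s"
  notify:
    - Restart nginx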

# Register the certificate with the cron-driven expiry checker: the config
# file simply holds the path of the certificate to monitor.
# NOTE(review): /etc/check_certificate/ is not created here — presumably a
# common role provides it; confirm the ordering.
- name: Deploy configuration file for checking certificate validity via cron
  copy:
    dest: "/etc/check_certificate/{{ ansible_fqdn }}_https.conf"
    content: "/etc/ssl/certs/{{ ansible_fqdn }}_https.pem"
    mode: "0644"
    owner: root
    group: root

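# Drop any ssl_protocols line from the stock nginx.conf.  The protocol set
# is managed by conf.d/tls.conf below; presumably leaving the stock line in
# place would conflict with (or silently override) that file.
- name: Remove TLS protocol configuration from the main configuration file
  lineinfile:
    dest: "/etc/nginx/nginx.conf"
    regexp: '^\s*ssl_protocols'
    # 'backrefs' only applies to state=present and was a no-op here.
    state: absent
  notify:
    - Restart nginx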

# Server-wide TLS policy (TLSv1.2 only, forward-secret ciphers per the
# template) dropped into conf.d so every vhost inherits it.
- name: Harden TLS by allowing only TLSv1.2 and PFS ciphers
  template:
    src: "tls.conf.j2"
    dest: "/etc/nginx/conf.d/tls.conf"
    mode: "0644"
    owner: root
    group: root
  notify:
    - Restart nginx

# Helper used as the 'validate' command for vhost templates below.
- name: Deploy script for verification of nginx vhost configurations
  copy:
    dest: "/usr/local/bin/nginx_verify_site.sh"
    src: "nginx_verify_site.sh"
    mode: "0755"
    owner: root
    group: root

# Default (catch-all) vhost.  The rendered file is checked with the verify
# script before it replaces the live configuration, so a broken template
# never reaches the nginx restart.
- name: Deploy default vhost configuration
  template:
    src: "nginx-default.j2"
    dest: "/etc/nginx/sites-available/default"
    validate: "/usr/local/bin/nginx_verify_site.sh -n default %s"
    mode: "0640"
    owner: root
    group: root
  notify:
    - Restart nginx

# Activate the default vhost via the usual sites-enabled symlink.
- name: Enable default website
  file:
    state: link
    src: "/etc/nginx/sites-available/default"
    dest: "/etc/nginx/sites-enabled/default"
  notify:
    - Restart nginx

# ferm fragment opening the web ports; the ferm role picks up conf.d/*.
- name: Deploy firewall configuration for web server
  copy:
    dest: "/etc/ferm/conf.d/30-web.conf"
    src: "ferm_http.conf"
    mode: "0640"
    owner: root
    group: root
  notify:
    - Restart ferm

# Get rid of the packaged placeholder site.  Removing the directory is
# recursive, so the explicit index file entry is redundant but harmless.
- name: Remove the default Debian html files
  file:
    state: absent
    path: "{{ item }}"
  with_items:
    - /var/www/html/index.nginx-debian.html
    - /var/www/html/

# Document root for the default vhost: root-owned, readable by the
# www-data group only (no world access).
- name: Create directory for storing the default website page
  file:
    state: directory
    path: "/var/www/default/"
    mode: "0750"
    owner: root
    group: www-data

# Landing page served by the default vhost; same root:www-data ownership
# as its directory.
- name: Deploy the default index.html
  template:
    src: "index.html.j2"
    dest: /var/www/default/index.html
    mode: "0640"
    owner: root
    group: www-data

# Start nginx now and on every boot.
- name: Enable nginx service
  service:
    name: nginx
    state: started
    enabled: true

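# Tooling shared by all Python (WSGI) sites deployed on this host.
- name: Install base packages for Python web applications
  apt:
    name: "{{ item }}"
    # 'present' rather than the old 'installed' alias, which newer
    # releases of the apt module no longer accept as a valid state.
    state: present
  with_items:
    - virtualenv
    - virtualenvwrapper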

# Runtime directories for per-site Unix sockets.  0750 root:www-data means
# only root can create sockets here while www-data may connect to them.
# /run is volatile, so the tmpfiles.d entries below recreate these on boot.
- name: Create directories for storing per-site socket files
  file:
    state: directory
    path: "{{ item }}"
    mode: "0750"
    owner: root
    group: www-data
  with_items:
    - "/run/wsgi/"
    - "/run/php5-fpm/"

# systemd-tmpfiles entries mirroring the socket directories above (same
# 0750 root:www-data), so they survive the volatile /run being cleared.
- name: Create directories for storing per-site socket files on boot
  copy:
    dest: "/etc/tmpfiles.d/{{ item }}.conf"
    content: "d /run/{{ item }}/ 0750 root www-data - -"
    mode: "0644"
    owner: root
    group: root
  with_items:
    - wsgi
    - php5-fpm

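# FastCGI process manager used by all PHP sites on this host.
- name: Install base packages for PHP web applications
  apt:
    name: "{{ item }}"
    # 'present' rather than the old 'installed' alias, which newer
    # releases of the apt module no longer accept as a valid state.
    state: present
  with_items:
    - php5-fpm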

# systemd drop-in directory for php5-fpm.service overrides.
- name: Create directory for storing PHP FPM service configuration overrides
  file:
    state: directory
    path: "/etc/systemd/system/php5-fpm.service.d/"
    mode: "0755"
    owner: root
    group: root

# Drop-in (content not shown here) that, per the task name, runs php5-fpm
# with umask 0007 so the sockets and files it creates get no "other"
# permission bits.
- name: Configure php5-fpm service to run with umask 0007
  copy:
    dest: "/etc/systemd/system/php5-fpm.service.d/umask.conf"
    src: "php5_fpm_umask.conf"
    mode: "0644"
    owner: root
    group: root
  notify:
    - Restart php5-fpm

# Start php5-fpm now and on every boot.
- name: Enable service used for running PHP web applications
  service:
    name: "php5-fpm"
    state: started
    enabled: true

# Capture the host's timezone so PHP can be configured to match.
# slurp returns the file base64-encoded in 'content'; the timezone
# template presumably decodes it — confirm in php_timezone.ini.j2.
- name: Read timezone on server
  register: server_timezone
  slurp:
    src: "/etc/timezone"

# Set date.timezone for both the CLI and FPM SAPIs from the value read above.
- name: Configure timezone for PHP
  template:
    src: "php_timezone.ini.j2"
    dest: "{{ item }}/30-timezone.ini"
    mode: "0644"
    owner: root
    group: root
  with_items:
    - /etc/php5/cli/conf.d/
    - /etc/php5/fpm/conf.d/
  notify:
    - Restart php5-fpm

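# Escape hatch for runs where notified handlers must fire unconditionally
# (e.g. a previous run was interrupted): pull the handler file in as plain
# tasks when 'handlers' is set to a truthy value.
- name: Explicitly run all handlers
  include: ../handlers/main.yml
  # '| bool' already yields a boolean; the former '== True' was redundant.
  when: "handlers | default(False) | bool"
  tags:
    - handlers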