

branko
Noticket: Added workaround to development process for outdated Molecule version:

- Unfortunately, the Molecule version used for running tests does not
generate valid Ruby 3.x code. For now just work around the way Hash
is unpacked in function calls to optional arguments (until the test
stack gets a revamp).
---

# Install the nginx package from the distribution repositories.
- name: Install nginx
  apt:
    state: present
    name: "nginx"

# On Debian /etc/ssl/private is normally root:ssl-cert 0710, so www-data needs
# the ssl-cert group just to enter the directory. Be aware that this also lets
# www-data read any key in there that is group-readable by ssl-cert (for
# instance the distro snakeoil key); the key this role deploys is root:root
# 0640 and therefore stays out of reach of the worker processes.
- name: Allow nginx user to traverse the directory with TLS private keys
  user:
    groups: ssl-cert
    # Supplementary group only; do not replace the existing group list.
    append: true
    name: "www-data"
  notify:
    - Restart nginx

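# Private key for the default HTTPS vhost. root:root 0640 means only root can
# read it; www-data is deliberately not granted access.
# NOTE(review): the key is passed in as task content, so it can appear in
# verbose or --diff output of a run; consider no_log: true on this task.
- name: Deploy nginx TLS private key
  copy:
    dest: "/etc/ssl/private/{{ ansible_fqdn }}_https.key"
    content: "{{ default_https_tls_key }}"
    # Quoted so the YAML loader does not turn the octal mode into an integer.
    mode: "0640"
    owner: root
    group: root
  notify:
    - Restart nginx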

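# Public certificate (chain) for the default HTTPS vhost; world-readable is fine.
- name: Deploy nginx TLS certificate
  copy:
    dest: "/etc/ssl/certs/{{ ansible_fqdn }}_https.pem"
    content: "{{ default_https_tls_certificate }}"
    # Quoted so the YAML loader does not turn the octal mode into an integer.
    mode: "0644"
    owner: root
    group: root
  notify:
    - Restart nginx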

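# DH parameters for (non-ECDHE) PFS cipher suites. Generation is slow on the
# first run; the module leaves an existing file of the requested size alone.
- name: Generate the HTTPS server Diffie-Hellman parameter
  openssl_dhparam:
    owner: root
    group: root
    # Quoted so the YAML loader does not turn the octal mode into an integer.
    mode: "0640"
    path: "/etc/ssl/private/{{ ansible_fqdn }}_https.dh.pem"
    size: 2048
  notify:
    - Restart nginx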

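# Points the certificate-expiry cron check at the certificate deployed above.
# The file body is just the certificate path.
- name: Deploy configuration file for checking certificate validity via cron
  copy:
    content: "/etc/ssl/certs/{{ ansible_fqdn }}_https.pem"
    dest: "/etc/check_certificate/{{ ansible_fqdn }}_https.conf"
    owner: root
    group: root
    # Quoted so the YAML loader does not turn the octal mode into an integer.
    mode: "0644"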

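# Drop any ssl_protocols directive from the main nginx.conf so that the
# protocol policy deployed under conf.d is presumably the only one in effect.
- name: Remove TLS protocol configuration from the main configuration file
  lineinfile:
    dest: "/etc/nginx/nginx.conf"
    regexp: "^\\s*ssl_protocols"
    # backrefs was dropped: lineinfile only honours it together with
    # state=present, so it had no effect here.
    state: absent
  notify:
    - Restart nginx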

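# The actual protocol/cipher policy lives in tls.conf.j2 (not shown here);
# this task only renders it into nginx's conf.d.
- name: Harden TLS by allowing only TLSv1.2 and PFS ciphers
  template:
    dest: "/etc/nginx/conf.d/tls.conf"
    src: "tls.conf.j2"
    owner: "root"
    group: "root"
    # Quoted so the YAML loader does not turn the octal mode into an integer.
    mode: "0644"
  notify:
    - Restart nginx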

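# Helper used as the `validate` command when vhost files are deployed, so a
# broken vhost never replaces a working one.
- name: Deploy script for verification of nginx vhost configurations
  copy:
    src: "nginx_verify_site.sh"
    dest: "/usr/local/bin/nginx_verify_site.sh"
    owner: root
    group: root
    # Quoted so the YAML loader does not turn the octal mode into an integer.
    mode: "0755"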

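# Default (catch-all) vhost. `validate` runs the verification script against
# the rendered temp file (%s) before it is moved into place.
- name: Deploy default vhost configuration
  template:
    src: "nginx-default.j2"
    dest: "/etc/nginx/sites-available/default"
    owner: root
    group: root
    # Quoted so the YAML loader does not turn the octal mode into an integer.
    mode: "0640"
    validate: "/usr/local/bin/nginx_verify_site.sh -n default %s"
  notify:
    - Restart nginx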

# Activate the default vhost by symlinking it into sites-enabled.
- name: Enable default website
  file:
    state: link
    dest: "/etc/nginx/sites-enabled/default"
    src: "/etc/nginx/sites-available/default"
  notify:
    - Restart nginx

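# ferm fragment opening the web ports; the rule set itself is in ferm_http.conf.
- name: Deploy firewall configuration for web server
  copy:
    src: "ferm_http.conf"
    dest: "/etc/ferm/conf.d/30-web.conf"
    owner: root
    group: root
    # Quoted so the YAML loader does not turn the octal mode into an integer.
    mode: "0640"
  notify:
    - Restart ferm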

# Get rid of the stock Debian document root. state=absent on a directory
# removes it recursively, so the explicit index file entry is harmless but
# not strictly needed.
- name: Remove the default Debian html files
  file:
    state: absent
    path: "{{ item }}"
  with_items:
    - "/var/www/html/index.nginx-debian.html"
    - "/var/www/html/"

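# Document root for the default page; group www-data so the workers can
# read it while it stays unwritable for them.
- name: Create directory for storing the default website page
  file:
    path: "/var/www/default/"
    state: directory
    owner: root
    group: www-data
    # Quoted so the YAML loader does not turn the octal mode into an integer.
    mode: "0750"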

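# Landing page served by the default vhost.
- name: Deploy the default index.html
  template:
    src: "index.html.j2"
    dest: /var/www/default/index.html
    owner: root
    group: www-data
    # Quoted so the YAML loader does not turn the octal mode into an integer.
    mode: "0640"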

# Start nginx now and on every boot.
- name: Enable nginx service
  service:
    state: started
    enabled: true
    name: "nginx"

# Tooling needed to set up per-site Python virtual environments.
- name: Install base packages for Python web applications
  apt:
    state: present
    name:
      - "python3-setuptools"
      - "virtualenv"
      - "virtualenvwrapper"

# PHP-FPM package; the exact name is distribution-specific and comes from a
# role variable.
- name: Install base packages for PHP web applications
  apt:
    state: present
    name: "{{ php_fpm_package_name }}"

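# Runtime directories for per-site WSGI and PHP sockets. Group www-data with
# 0750 lets nginx reach the sockets without making them world-accessible.
- name: Create directories for storing per-site socket files
  file:
    path: "/run/{{ item }}"
    state: directory
    owner: root
    group: www-data
    # Quoted so the YAML loader does not turn the octal mode into an integer.
    mode: "0750"
  with_items:
    - wsgi
    - php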

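# /run is volatile, so systemd-tmpfiles has to recreate the socket directories
# at boot with the same ownership and mode as the task above.
- name: Create directories for storing per-site socket files on boot
  copy:
    content: "d /run/{{ item.socket_dir }}/ 0750 root www-data - -"
    dest: "/etc/tmpfiles.d/{{ item.tmpfiles_d }}"
    owner: root
    group: root
    # Quoted so the YAML loader does not turn the octal mode into an integer.
    mode: "0644"
  with_items:
    - socket_dir: wsgi
      tmpfiles_d: "wsgi.conf"
    - socket_dir: php
      tmpfiles_d: "{{ php_fpm_service_name }}.conf"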

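# systemd drop-in directory for the PHP-FPM unit.
- name: Create directory for storing PHP-FPM service configuration overrides
  file:
    path: "/etc/systemd/system/{{ php_fpm_service_name }}.service.d/"
    state: directory
    owner: root
    group: root
    # Quoted so the YAML loader does not turn the octal mode into an integer.
    mode: "0755"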

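# Drop-in that sets umask 0007 for PHP-FPM so files it creates are not
# world-readable. A daemon-reload is needed before the restart picks it up.
- name: Configure PHP-FPM service to run with umask 0007
  copy:
    src: "php_fpm_umask.conf"
    dest: "/etc/systemd/system/{{ php_fpm_service_name }}.service.d/umask.conf"
    owner: root
    group: root
    # Quoted so the YAML loader does not turn the octal mode into an integer.
    mode: "0644"
  notify:
    - Reload systemd
    - Restart PHP-FPM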

# Start PHP-FPM now and on every boot.
- name: Enable service used for running PHP web applications
  service:
    state: started
    enabled: true
    name: "{{ php_fpm_service_name }}"

# Capture the system timezone for the PHP ini template. slurp hands back the
# file contents base64-encoded in the registered result.
- name: Read timezone on server
  register: server_timezone
  slurp:
    src: '/etc/timezone'

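# Same timezone ini fragment for both the CLI and FPM SAPIs.
- name: Configure timezone for PHP
  template:
    src: "php_timezone.ini.j2"
    dest: "{{ item }}/30-timezone.ini"
    owner: root
    group: root
    # Quoted so the YAML loader does not turn the octal mode into an integer.
    mode: "0644"
  with_items:
    - "{{ php_base_config_dir }}/cli/conf.d/"
    - "{{ php_base_config_dir }}/fpm/conf.d/"
  notify:
    - Restart PHP-FPM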

# Escape hatch: when run_handlers is set, pull the handlers file in as a plain
# task list so every restart/reload runs regardless of notifications.
# NOTE(review): the bare `include` directive has been deprecated since
# Ansible 2.4 and is removed in recent ansible-core releases; import_tasks is
# the static equivalent, but confirm `tags` and `when` still propagate the
# way this role expects before switching.
- name: Explicitly run all handlers
  tags:
    - handlers
  when: "run_handlers | default(False) | bool()"
  include: ../handlers/main.yml