
Location: majic-ansible-roles/roles/web_server/tasks/main.yml

branko
MAR-148: Fixing linting errors:

- Do not compare against booleans when the value is already a boolean in
"when" conditions.
- Use pipefail in conjunction with setting the shell to Bash when
extracting the backup encryption key IDs.
- Do not compare variables to empty strings in "when" conditions. This
change currently works only for complex variables (simple variables can
break badly under the current default Ansible configuration).
- Fix missing space in one of the Jinja2 templates.
---

# Web server package; everything below configures this nginx instance.
- name: Install nginx
  apt:
    state: present
    name: nginx

# www-data is the nginx user. Supplementary group membership only applies to
# newly started processes, hence the restart notification.
- name: Allow nginx user to traverse the directory with TLS private keys
  user:
    groups: ssl-cert
    append: true
    name: www-data
  notify:
    - Restart nginx

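# Key material is taken from a variable and written directly. no_log keeps the
# key out of task output (including --diff output) and the Ansible log; the
# mode is quoted so it is passed as an octal string instead of relying on
# YAML 1.1 integer parsing of the leading-zero literal.
- name: Deploy nginx TLS private key
  copy:
    dest: "/etc/ssl/private/{{ ansible_fqdn }}_https.key"
    content: "{{ default_https_tls_key }}"
    mode: "0640"
    owner: root
    group: root
  no_log: true
  notify:
    - Restart nginx

# The certificate is public, so it stays world-readable and may be logged.
- name: Deploy nginx TLS certificate
  copy:
    dest: "/etc/ssl/certs/{{ ansible_fqdn }}_https.pem"
    content: "{{ default_https_tls_certificate }}"
    mode: "0644"
    owner: root
    group: root
  notify:
    - Restart nginx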

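# The file content is just the path of the certificate deployed above; the
# cron-driven check reads this file to know which certificate to examine.
# Mode quoted to avoid YAML octal/integer ambiguity.
- name: Deploy configuration file for checking certificate validity via cron
  copy:
    content: "/etc/ssl/certs/{{ ansible_fqdn }}_https.pem"
    dest: "/etc/check_certificate/{{ ansible_fqdn }}_https.conf"
    owner: root
    group: root
    mode: "0644"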

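# The distribution nginx.conf ships its own ssl_protocols line; it is removed
# so the role-managed conf.d/tls.conf (next task) is the single source of the
# TLS settings. backrefs is dropped because it only has an effect with
# state: present. Single quotes keep the regex backslash literal.
- name: Remove TLS protocol configuration from the main configuration file
  lineinfile:
    dest: "/etc/nginx/nginx.conf"
    regexp: '^\s*ssl_protocols'
    state: absent
  notify:
    - Restart nginx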

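# Role-managed TLS settings for nginx. owner/group written unquoted to match
# the other tasks in this file; mode quoted so it is an octal string.
- name: Harden TLS by allowing only TLSv1.2 and PFS ciphers
  template:
    dest: "/etc/nginx/conf.d/tls.conf"
    src: "tls.conf.j2"
    owner: root
    group: root
    mode: "0644"
  notify:
    - Restart nginx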

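# Used as the validate command when vhost configurations are templated (see
# the default vhost task below), so it must be in place before them.
- name: Deploy script for verification of nginx vhost configurations
  copy:
    src: "nginx_verify_site.sh"
    dest: "/usr/local/bin/nginx_verify_site.sh"
    owner: root
    group: root
    mode: "0755"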

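# validate runs the verification script against the rendered temp file (%s)
# before it is moved into place, so a broken template never replaces the
# live vhost configuration. Mode quoted to avoid octal/integer ambiguity.
- name: Deploy default vhost configuration
  template:
    src: "nginx-default.j2"
    dest: "/etc/nginx/sites-available/default"
    owner: root
    group: root
    mode: "0640"
    validate: "/usr/local/bin/nginx_verify_site.sh -n default %s"
  notify:
    - Restart nginx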

# sites-enabled entry is a symlink to the sites-available file deployed above.
- name: Enable default website
  file:
    state: link
    src: "/etc/nginx/sites-available/default"
    dest: "/etc/nginx/sites-enabled/default"
  notify:
    - Restart nginx

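# ferm rule fragment for the web server ports; ferm is restarted rather than
# nginx. Mode quoted so it is an octal string.
- name: Deploy firewall configuration for web server
  copy:
    src: "ferm_http.conf"
    dest: "/etc/ferm/conf.d/30-web.conf"
    owner: root
    group: root
    mode: "0640"
  notify:
    - Restart ferm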

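# state: absent on a directory removes it recursively, so the distribution
# index.nginx-debian.html inside it does not need its own entry.
- name: Remove the default Debian html files
  file:
    path: /var/www/html/
    state: absent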

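# Document root for the default site. Group www-data with 0750/0640 lets the
# nginx user read the content without granting anything to other users.
# Modes quoted so they are octal strings.
- name: Create directory for storing the default website page
  file:
    path: "/var/www/default/"
    state: directory
    owner: root
    group: www-data
    mode: "0750"

- name: Deploy the default index.html
  template:
    src: "index.html.j2"
    dest: /var/www/default/index.html
    owner: root
    group: www-data
    mode: "0640"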

# Start nginx now and make sure it comes up on boot.
- name: Enable nginx service
  service:
    state: started
    enabled: true
    name: nginx

# Both the Python 2 (python-) and Python 3 (python3-) setuptools packages are
# installed, together with virtualenv tooling for per-application environments.
- name: Install base packages for Python web applications
  apt:
    state: present
    name:
      - python-setuptools
      - python3-setuptools
      - virtualenv
      - virtualenvwrapper

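# Socket directories for WSGI and PHP-FPM sites. Group www-data with 0750 so
# the nginx user can reach the sockets. Modes quoted so they are octal strings.
- name: Create directories for storing per-site socket files
  file:
    path: "{{ item }}"
    state: directory
    owner: root
    group: www-data
    mode: "0750"
  with_items:
    - "/run/wsgi/"
    - "/run/{{ php_fpm_service_name }}/"

# /run does not persist across reboots, so tmpfiles.d recreates the
# directories at boot with the same ownership and mode as the task above.
- name: Create directories for storing per-site socket files on boot
  copy:
    content: "d /run/{{ item }}/ 0750 root www-data - -"
    dest: "/etc/tmpfiles.d/{{ item }}.conf"
    owner: root
    group: root
    mode: "0644"
  with_items:
    - wsgi
    - "{{ php_fpm_service_name }}"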

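# Package and service names are variables because they differ between
# distribution releases.
- name: Install base packages for PHP web applications
  apt:
    name: "{{ php_fpm_package_name }}"
    state: present

# Drop-in directory for systemd unit overrides. Modes quoted so they are
# octal strings.
- name: Create directory for storing PHP-FPM service configuration overrides
  file:
    path: "/etc/systemd/system/{{ php_fpm_service_name }}.service.d/"
    state: directory
    owner: root
    group: root
    mode: "0755"

# Unit drop-in setting the service umask.
# NOTE(review): a systemd drop-in is only picked up after a daemon-reload;
# confirm the Restart PHP-FPM handler performs one.
- name: Configure PHP-FPM service to run with umask 0007
  copy:
    src: "php_fpm_umask.conf"
    dest: "/etc/systemd/system/{{ php_fpm_service_name }}.service.d/umask.conf"
    owner: root
    group: root
    mode: "0644"
  notify:
    - Restart PHP-FPM

- name: Enable service used for running PHP web applications
  service:
    name: "{{ php_fpm_service_name }}"
    enabled: true
    state: started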

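# The system timezone is read into server_timezone (base64-encoded, as slurp
# returns it); presumably consumed by php_timezone.ini.j2 — confirm there.
- name: Read timezone on server
  slurp:
    src: "/etc/timezone"
  register: server_timezone

# Same timezone override for both the CLI and FPM SAPIs. Mode quoted so it
# is an octal string.
- name: Configure timezone for PHP
  template:
    src: "php_timezone.ini.j2"
    dest: "{{ item }}/30-timezone.ini"
    owner: root
    group: root
    mode: "0644"
  with_items:
    - "{{ php_base_config_dir }}/cli/conf.d/"
    - "{{ php_base_config_dir }}/fpm/conf.d/"
  notify:
    - Restart PHP-FPM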

# Opt-in forced handler run (run_handlers defaults to false), reachable on its
# own through the "handlers" tag.
- name: Explicitly run all handlers
  include: ../handlers/main.yml
  when: run_handlers | default(false) | bool
  tags:
    - handlers