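---
# Tasks for a Debian web server running nginx: TLS key and certificate
# deployment, TLS hardening, the default vhost, firewall rules, and the
# runtime directories and services for per-site Python (WSGI) and PHP
# applications. Handlers named in `notify` (Restart nginx, Restart ferm,
# Restart php5-fpm) are defined in ../handlers/main.yml.
#
# Module arguments use native YAML rather than key=value strings, and file
# modes are quoted octal strings ("0640"): an unquoted `mode: 640` would be
# parsed as the decimal integer 640 and set the wrong permission bits.

- name: Install nginx
  apt:
    name: nginx
    state: present

- name: Allow nginx user to traverse the directory with TLS private keys
  user:
    name: www-data
    append: true
    groups: ssl-cert
  notify:
    - Restart nginx

# no_log keeps the private key material out of Ansible's console output and
# log files (the task would otherwise print the rendered `content`).
# The key file itself is readable only by root.
- name: Deploy nginx TLS private key
  copy:
    dest: "/etc/ssl/private/{{ ansible_fqdn }}_https.key"
    content: "{{ default_https_tls_key }}"
    mode: "0640"
    owner: root
    group: root
  no_log: true
  notify:
    - Restart nginx

- name: Deploy nginx TLS certificate
  copy:
    dest: "/etc/ssl/certs/{{ ansible_fqdn }}_https.pem"
    content: "{{ default_https_tls_certificate }}"
    mode: "0644"
    owner: root
    group: root
  notify:
    - Restart nginx

# The protocol list lives in conf.d/tls.conf (next task); drop any
# `ssl_protocols` line from nginx.conf so it cannot override it.
- name: Remove TLS protocol configuration from the main configuration file
  lineinfile:
    dest: /etc/nginx/nginx.conf
    regexp: '^ssl_protocols'
    state: absent
  notify:
    - Restart nginx

- name: Harden TLS by allowing only TLSv1.2 and PFS ciphers
  copy:
    src: tls.conf
    dest: /etc/nginx/conf.d/tls.conf
    owner: root
    group: root
    mode: "0644"
  notify:
    - Restart nginx

# Used by the `validate` argument of the vhost template task below.
- name: Deploy script for verification of nginx vhost configurations
  copy:
    src: nginx_verify_site.sh
    dest: /usr/local/bin/nginx_verify_site.sh
    owner: root
    group: root
    mode: "0755"

# `validate` runs the checker against the rendered temporary file (%s) and
# refuses to install the vhost if the check fails.
- name: Deploy default vhost configuration
  template:
    src: nginx-default.j2
    dest: /etc/nginx/sites-available/default
    owner: root
    group: root
    mode: "0640"
    validate: "/usr/local/bin/nginx_verify_site.sh -n default %s"
  notify:
    - Restart nginx

- name: Enable default website
  file:
    src: /etc/nginx/sites-available/default
    dest: /etc/nginx/sites-enabled/default
    state: link
  notify:
    - Restart nginx

- name: Deploy firewall configuration for web server
  copy:
    src: ferm_http.conf
    dest: /etc/ferm/conf.d/30-web.conf
    owner: root
    group: root
    mode: "0640"
  notify:
    - Restart ferm

# Removing the directory is recursive; the explicit file entry is kept
# so the task reports the file removal separately.
- name: Remove the default Debian html files
  file:
    path: "{{ item }}"
    state: absent
  with_items:
    - /var/www/html/index.nginx-debian.html
    - /var/www/html/

- name: Create directory for storing the default website page
  file:
    path: /var/www/default/
    state: directory
    owner: root
    group: www-data
    mode: "0750"

- name: Deploy the default index.html
  template:
    src: index.html.j2
    dest: /var/www/default/index.html
    owner: root
    group: www-data
    mode: "0640"

- name: Enable nginx service
  service:
    name: nginx
    enabled: true
    state: started

- name: Install base packages for Python web applications
  apt:
    name: "{{ item }}"
    state: present
  with_items:
    - virtualenv
    - virtualenvwrapper

- name: Create directories for storing per-site socket files
  file:
    path: "{{ item }}"
    state: directory
    owner: root
    group: www-data
    mode: "0750"
  with_items:
    - /run/wsgi/
    - /run/php5-fpm/

# /run is volatile; a tmpfiles.d entry recreates each socket directory at
# boot with the same ownership and mode as the task above.
- name: Create directories for storing per-site socket files on boot
  copy:
    content: "d /run/{{ item }}/ 0750 root www-data - -"
    dest: "/etc/tmpfiles.d/{{ item }}.conf"
    owner: root
    group: root
    mode: "0644"
  with_items:
    - wsgi
    - php5-fpm

- name: Install base packages for PHP web applications
  apt:
    name: "{{ item }}"
    state: present
  with_items:
    - php5-fpm

- name: Create directory for storing PHP FPM service configuration overrides
  file:
    path: /etc/systemd/system/php5-fpm.service.d/
    state: directory
    owner: root
    group: root
    mode: "0755"

# Systemd drop-in so files created by PHP-FPM are not world-accessible.
- name: Configure php5-fpm service to run with umask 0007
  copy:
    src: php5_fpm_umask.conf
    dest: /etc/systemd/system/php5-fpm.service.d/umask.conf
    owner: root
    group: root
    mode: "0644"
  notify:
    - Restart php5-fpm

- name: Enable service used for running PHP web applications
  service:
    name: php5-fpm
    enabled: true
    state: started

# Registered as server_timezone for the php_timezone.ini.j2 template.
- name: Read timezone on server
  slurp:
    src: /etc/timezone
  register: server_timezone

- name: Configure timezone for PHP
  template:
    src: php_timezone.ini.j2
    dest: "{{ item }}/30-timezone.ini"
    owner: root
    group: root
    mode: "0644"
  with_items:
    - /etc/php5/cli/conf.d/
    - /etc/php5/fpm/conf.d/
  notify:
    - Restart php5-fpm

# Opt-in (-e handlers=true or --tags handlers) for forcing every handler to
# run even when no task reported a change.
- name: Explicitly run all handlers
  include: ../handlers/main.yml
  when: handlers | default(false) | bool
  tags:
    - handlers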