packetcat
/
ansible-playbooks
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: packetcat:nextgen
Branches Tags
packetcat:nextgen
packetcat:master
..
compare: packetcat:master
Branches Tags
packetcat:nextgen
packetcat:master

No commits in common. "nextgen" and "master" have entirely different histories.
nextgen ... master

92 changed files with 1647 additions and 1414 deletions
Show Stats Expand all files Collapse all files

3
README.md
View File

@ -1,5 +1,4 @@
ansible-playbooks
=================
Repo for my Ansible playbooks.
nextgen branch is for Ubuntu 18.04 systems only as that is what I am standardizing on.
Repo for my Ansible playbooks

2
centos/roles/icinga-client/files/restart.conf
View File

@ -1,2 +0,0 @@
[Service]
Restart=on-failure

35
centos/roles/icinga-client/tasks/main.yml
View File

@ -1,35 +0,0 @@
---
# This role installs Icinga 2 and the plugins required on a Icinga client nodes
- name: Make sure EPEL repository is enabled
yum:
name: epel-release
state: latest
- name: Add Icinga2 repository key
rpm_key:
state: present
key: https://packages.icinga.com/icinga.key
- name: Install Icinga2 repository
yum:
name: https://packages.icinga.com/epel/icinga-rpm-release-7-latest.noarch.rpm
state: latest
- name: Install Icinga2 packages
yum:
name: "{{ packages }}"
vars:
packages:
- icinga2
- nagios-plugins-all
- name: Ensure icinga2 systemd folder exists
file:
path: /etc/systemd/system/icinga2.service.d/
state: directory
- name: Copy custom icinga2 systemd service file modifications
copy:
src: restart.conf
dest: /etc/systemd/system/icinga2.service.d/restart.conf
- name: Ensure that icinga2 systemd service is enabled
systemd:
name: icinga2
enabled: yes
daemon_reload: yes

6
centos/site.yml
View File

@ -1,6 +0,0 @@
- name: install Icinga 2 for client usage
hosts: icinga-clients
user: root
roles:
- icinga-client

392
debian/roles/appservers-php/files/www.conf vendored Normal file
View File

@ -0,0 +1,392 @@
; Start a new pool named 'www'.
; the variable $pool can we used in any directive and will be replaced by the
; pool name ('www' here)
[www]
; Per pool prefix
; It only applies on the following directives:
; - 'slowlog'
; - 'listen' (unixsocket)
; - 'chroot'
; - 'chdir'
; - 'php_values'
; - 'php_admin_values'
; When not set, the global prefix (or /usr) applies instead.
; Note: This directive can also be relative to the global prefix.
; Default Value: none
;prefix = /path/to/pools/$pool
; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's group
; will be used.
user = www-data
group = www-data
; The address on which to accept FastCGI requests.
; Valid syntaxes are:
; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific address on
; a specific port;
; 'port' - to listen on a TCP socket to all addresses on a
; specific port;
; '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory.
listen = 127.0.0.1:9000
; Set listen(2) backlog. A value of '-1' means unlimited.
; Default Value: 128 (-1 on FreeBSD and OpenBSD)
;listen.backlog = -1
; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many
; BSD-derived systems allow connections regardless of permissions.
; Default Values: user and group are set as the running user
; mode is set to 0666
;listen.owner = www-data
;listen.group = www-data
;listen.mode = 0666
; List of ipv4 addresses of FastCGI clients which are allowed to connect.
; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
; must be separated by a comma. If this value is left blank, connections will be
; accepted from any ip address.
; Default Value: any
listen.allowed_clients = 127.0.0.1
; Specify the nice(2) priority to apply to the pool processes (only if set)
; The value can vary from -19 (highest priority) to 20 (lower priority)
; Note: - It will only work if the FPM master process is launched as root
; - The pool processes will inherit the master process priority
; unless it specified otherwise
; Default Value: no set
; priority = -19
; Choose how the process manager will control the number of child processes.
; Possible Values:
; static - a fixed number (pm.max_children) of child processes;
; dynamic - the number of child processes are set dynamically based on the
; following directives. With this process management, there will be
; always at least 1 children.
; pm.max_children - the maximum number of children that can
; be alive at the same time.
; pm.start_servers - the number of children created on startup.
; pm.min_spare_servers - the minimum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is less than this
; number then some children will be created.
; pm.max_spare_servers - the maximum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is greater than this
; number then some children will be killed.
; ondemand - no children are created at startup. Children will be forked when
; new requests will connect. The following parameter are used:
; pm.max_children - the maximum number of children that
; can be alive at the same time.
; pm.process_idle_timeout - The number of seconds after which
; an idle process will be killed.
; Note: This value is mandatory.
pm = dynamic
; The number of child processes to be created when pm is set to 'static' and the
; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
; This value sets the limit on the number of simultaneous requests that will be
; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
; CGI. The below defaults are based on a server without much resources. Don't
; forget to tweak pm.* to fit your needs.
; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
; Note: This value is mandatory.
pm.max_children = 5
; The number of child processes created on startup.
; Note: Used only when pm is set to 'dynamic'
; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
pm.start_servers = 2
; The desired minimum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.min_spare_servers = 1
; The desired maximum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.max_spare_servers = 3
; The number of seconds after which an idle process will be killed.
; Note: Used only when pm is set to 'ondemand'
; Default Value: 10s
;pm.process_idle_timeout = 10s;
; The number of requests each child process should execute before respawning.
; This can be useful to work around memory leaks in 3rd party libraries. For
; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
; Default Value: 0
;pm.max_requests = 500
; The URI to view the FPM status page. If this value is not set, no URI will be
; recognized as a status page. It shows the following informations:
; pool - the name of the pool;
; process manager - static, dynamic or ondemand;
; start time - the date and time FPM has started;
; start since - number of seconds since FPM has started;
; accepted conn - the number of request accepted by the pool;
; listen queue - the number of request in the queue of pending
; connections (see backlog in listen(2));
; max listen queue - the maximum number of requests in the queue
; of pending connections since FPM has started;
; listen queue len - the size of the socket queue of pending connections;
; idle processes - the number of idle processes;
; active processes - the number of active processes;
; total processes - the number of idle + active processes;
; max active processes - the maximum number of active processes since FPM
; has started;
; max children reached - number of times, the process limit has been reached,
; when pm tries to start more children (works only for
; pm 'dynamic' and 'ondemand');
; Value are updated in real time.
; Example output:
; pool: www
; process manager: static
; start time: 01/Jul/2011:17:53:49 +0200
; start since: 62636
; accepted conn: 190460
; listen queue: 0
; max listen queue: 1
; listen queue len: 42
; idle processes: 4
; active processes: 11
; total processes: 15
; max active processes: 12
; max children reached: 0
;
; By default the status page output is formatted as text/plain. Passing either
; 'html', 'xml' or 'json' in the query string will return the corresponding
; output syntax. Example:
; http://www.foo.bar/status
; http://www.foo.bar/status?json
; http://www.foo.bar/status?html
; http://www.foo.bar/status?xml
;
; By default the status page only outputs short status. Passing 'full' in the
; query string will also return status for each pool process.
; Example:
; http://www.foo.bar/status?full
; http://www.foo.bar/status?json&full
; http://www.foo.bar/status?html&full
; http://www.foo.bar/status?xml&full
; The Full status returns for each process:
; pid - the PID of the process;
; state - the state of the process (Idle, Running, ...);
; start time - the date and time the process has started;
; start since - the number of seconds since the process has started;
; requests - the number of requests the process has served;
; request duration - the duration in µs of the requests;
; request method - the request method (GET, POST, ...);
; request URI - the request URI with the query string;
; content length - the content length of the request (only with POST);
; user - the user (PHP_AUTH_USER) (or '-' if not set);
; script - the main script called (or '-' if not set);
; last request cpu - the %cpu the last request consumed
; it's always 0 if the process is not in Idle state
; because CPU calculation is done when the request
; processing has terminated;
; last request memory - the max amount of memory the last request consumed
; it's always 0 if the process is not in Idle state
; because memory calculation is done when the request
; processing has terminated;
; If the process is in Idle state, then informations are related to the
; last request the process has served. Otherwise informations are related to
; the current request being served.
; Example output:
; ************************
; pid: 31330
; state: Running
; start time: 01/Jul/2011:17:53:49 +0200
; start since: 63087
; requests: 12808
; request duration: 1250261
; request method: GET
; request URI: /test_mem.php?N=10000
; content length: 0
; user: -
; script: /home/fat/web/docs/php/test_mem.php
; last request cpu: 0.00
; last request memory: 0
;
; Note: There is a real-time FPM status monitoring sample web page available
; It's available in: ${prefix}/share/fpm/status.html
;
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
;pm.status_path = /status
; The ping URI to call the monitoring page of FPM. If this value is not set, no
; URI will be recognized as a ping page. This could be used to test from outside
; that FPM is alive and responding, or to
; - create a graph of FPM availability (rrd or such);
; - remove a server from a group if it is not responding (load balancing);
; - trigger alerts for the operating team (24/7).
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
;ping.path = /ping
; This directive may be used to customize the response of a ping request. The
; response is formatted as text/plain with a 200 response code.
; Default Value: pong
;ping.response = pong
; The access log file
; Default: not set
;access.log = /var/log/$pool.access.log
; The access log format.
; The following syntax is allowed
; %%: the '%' character
; %C: %CPU used by the request
; it can accept the following format:
; - %{user}C for user CPU only
; - %{system}C for system CPU only
; - %{total}C for user + system CPU (default)
; %d: time taken to serve the request
; it can accept the following format:
; - %{seconds}d (default)
; - %{miliseconds}d
; - %{mili}d
; - %{microseconds}d
; - %{micro}d
; %e: an environment variable (same as $_ENV or $_SERVER)
; it must be associated with embraces to specify the name of the env
; variable. Some exemples:
; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
; %f: script filename
; %l: content-length of the request (for POST request only)
; %m: request method
; %M: peak of memory allocated by PHP
; it can accept the following format:
; - %{bytes}M (default)
; - %{kilobytes}M
; - %{kilo}M
; - %{megabytes}M
; - %{mega}M
; %n: pool name
; %o: ouput header
; it must be associated with embraces to specify the name of the header:
; - %{Content-Type}o
; - %{X-Powered-By}o
; - %{Transfert-Encoding}o
; - ....
; %p: PID of the child that serviced the request
; %P: PID of the parent of the child that serviced the request
; %q: the query string
; %Q: the '?' character if query string exists
; %r: the request URI (without the query string, see %q and %Q)
; %R: remote IP address
; %s: status (response code)
; %t: server time the request was received
; it can accept a strftime(3) format:
; %d/%b/%Y:%H:%M:%S %z (default)
; %T: time the log has been written (the request has finished)
; it can accept a strftime(3) format:
; %d/%b/%Y:%H:%M:%S %z (default)
; %u: remote user
;
; Default: "%R - %u %t \"%m %r\" %s"
;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
; The log file for slow requests
; Default Value: not set
; Note: slowlog is mandatory if request_slowlog_timeout is set
slowlog = /var/log/$pool.log.slow
; The timeout for serving a single request after which a PHP backtrace will be
; dumped to the 'slowlog' file. A value of '0s' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_slowlog_timeout = 0
; The timeout for serving a single request after which the worker process will
; be killed. This option should be used when the 'max_execution_time' ini option
; does not stop script execution for some reason. A value of '0' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_terminate_timeout = 0
; Set open file descriptor rlimit.
; Default Value: system defined value
;rlimit_files = 1024
; Set max core size rlimit.
; Possible Values: 'unlimited' or an integer greater or equal to 0
; Default Value: system defined value
;rlimit_core = 0
; Chroot to this directory at the start. This value must be defined as an
; absolute path. When this value is not set, chroot is not used.
; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
; of its subdirectories. If the pool prefix is not set, the global prefix
; will be used instead.
; Note: chrooting is a great security feature and should be used whenever
; possible. However, all PHP paths will be relative to the chroot
; (error_log, sessions.save_path, ...).
; Default Value: not set
;chroot =
; Chdir to this directory at the start.
; Note: relative path can be used.
; Default Value: current directory or / when chroot
chdir = /
; Redirect worker stdout and stderr into main error log. If not set, stdout and
; stderr will be redirected to /dev/null according to FastCGI specs.
; Note: on highloaded environement, this can cause some delay in the page
; process time (several ms).
; Default Value: no
;catch_workers_output = yes
; Limits the extensions of the main script FPM will allow to parse. This can
; prevent configuration mistakes on the web server side. You should only limit
; FPM to .php extensions to prevent malicious users to use other extensions to
; exectute php code.
; Note: set an empty value to allow all extensions.
; Default Value: .php
;security.limit_extensions = .php .php3 .php4 .php5
; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
; the current environment.
; Default Value: clean env
;env[HOSTNAME] = $HOSTNAME
;env[PATH] = /usr/local/bin:/usr/bin:/bin
;env[TMP] = /tmp
;env[TMPDIR] = /tmp
;env[TEMP] = /tmp
; Additional php.ini defines, specific to this pool of workers. These settings
; overwrite the values previously defined in the php.ini. The directives are the
; same as the PHP SAPI:
; php_value/php_flag - you can set classic ini defines which can
; be overwritten from PHP call 'ini_set'.
; php_admin_value/php_admin_flag - these directives won't be overwritten by
; PHP call 'ini_set'
; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
; Defining 'extension' will load the corresponding shared extension from
; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
; overwrite previously defined php.ini values, but will append the new value
; instead.
; Note: path INI options can be relative and will be expanded with the prefix
; (pool, global or /usr)
; Default Value: nothing is defined by default except the values in php.ini and
; specified at startup with the -d argument
;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
;php_flag[display_errors] = off
;php_admin_value[error_log] = /var/log/fpm-php.www.log
;php_admin_flag[log_errors] = on
;php_admin_value[memory_limit] = 32M

3
debian/roles/appservers-php/handlers/main.yml vendored Normal file
View File

@ -0,0 +1,3 @@
---
- name: start php5-fpm
service: name=php5-fpm state=started

9
debian/roles/appservers-php/tasks/main.yml vendored Normal file
View File

@ -0,0 +1,9 @@
---
- name: Install php5-fpm
apt: pkg=php5-fpm state=latest
- name: Stop the php5-fpm daemon for now and ensure it starts on boot
service: name=php5-fpm state=stopped enabled=yes
- name: Copy over the php5-fpm www pool config
copy: src=www.conf dest=/etc/php5/fpm/pool.d/www.conf backup=yes
notify:
- start php5-fpm

72
debian/roles/appservers-uwsgi/files/uwsgi.init vendored Normal file
View File

@ -0,0 +1,72 @@
#!/bin/sh
### BEGIN INIT INFO
# Provides: uwsgi
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: starts the uwsgi app server
# Description: starts uwsgi app server using start-stop-daemon
### END INIT INFO
PATH=/opt/uwsgi:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/local/bin/uwsgi
OWNER=uwsgi
NAME=uwsgi
DESC=uwsgi
test -x $DAEMON || exit 0
# Include uwsgi defaults if available
if [ -f /etc/default/uwsgi ] ; then
. /etc/default/uwsgi
fi
set -e
#DAEMON_OPTS="-s 127.0.0.1:9001 -M 4 -t 30 -A 4 -p 4 -d /var/log/uwsgi.log --pythonpath $PYTHONPATH --module $MODULE"
DAEMON_OPTS="--emperor /etc/uwsgi/apps -d /var/log/uwsgi.log"
case "$1" in
start)
echo -n "Starting $DESC: "
start-stop-daemon --start --chuid $OWNER:$OWNER --user $OWNER \
--exec $DAEMON -- $DAEMON_OPTS
echo "$NAME."
;;
stop)
echo -n "Stopping $DESC: "
start-stop-daemon --signal 3 --user $OWNER --quiet --retry 2 --stop \
--exec $DAEMON
echo "$NAME."
;;
reload)
killall -1 $DAEMON
;;
force-reload)
killall -15 $DAEMON
;;
restart)
echo -n "Restarting $DESC: "
start-stop-daemon --signal 3 --user $OWNER --quiet --retry 2 --stop \
--exec $DAEMON
sleep 1
start-stop-daemon --user $OWNER --start --quiet --chuid $OWNER:$OWNER \
--exec $DAEMON -- $DAEMON_OPTS
echo "$NAME."
;;
status)
killall -10 $DAEMON
;;
*)
N=/etc/init.d/$NAME
echo "Usage: $N {start|stop|restart|reload|force-reload|status}" >&2
exit 1
;;
esac
exit 0

9
debian/roles/appservers-uwsgi/files/uwsgi.logrotate vendored Normal file
View File

@ -0,0 +1,9 @@
"/var/log/uwsgi/*.log" "/var/log/uwsgi/*/*.log" {
copytruncate
daily
rotate 5
compress
delaycompress
missingok
notifempty
}

3
debian/roles/appservers-uwsgi/handlers/main.yml vendored Normal file
View File

@ -0,0 +1,3 @@
---
- name: start uwsgi
service: name=uwsgi state=started

24
debian/roles/appservers-uwsgi/tasks/main.yml vendored Normal file
View File

@ -0,0 +1,24 @@
---
- name: Install virtualenv
apt: name=python-virtualenv state=latest
- name: Install uwsgi from PyPI
pip: name=uWSGI
- name: Add uwsgi group
group: name=uwsgi state=present
- name: Add uwsgi user
user: name=uwsgi shell=/sbin/nologin createhome=no group=uwsgi password=$6$Qu5GfWUlAPXh$Ie8Fd9Vzl.PpaFciUbRCI4sIryI6i0rDE29Vf86/WYHgPSWG7x9IIkVU.tG1Mtfq2OM9IeH2IuvOKCcnErMgC1
- name: Copy over the uwsgi init script and logrotate config
copy: src={{ item.name }} dest={{ item.dir }} backup=yes
with_items:
- { name: 'uwsgi.init', dir: '/etc/init.d/uwsgi' }
- { name: 'uwsgi.logrotate', dir: '/etc/logrotate.d/uwsgi' }
- name: Make sure the init script is executable
file: path=/etc/init.d/uwsgi owner=root group=root mode=0755
- name: Make configuration directory
file: path=/etc/uwsgi/apps state=directory
- name: Make log file with correct permissions
file: path=/var/log/uwsgi.log owner=uwsgi group=uwsgi mode=0750 state=touch
- name: Make sure uwsgi starts on boot
service: name=uwsgi enabled=yes
notify:
- start uwsgi

2
debian/roles/common/files/resolv.conf vendored Normal file
View File

@ -0,0 +1,2 @@
nameserver ::1
nameserver 8.8.8.8

6
debian/roles/common/handlers/main.yml vendored Normal file
View File

@ -0,0 +1,6 @@
---
- name: restart rsyslog
service: name=rsyslog state=restarted
- name: restart cron
service: name=cron state=restarted

59
debian/roles/common/tasks/main.yml vendored Normal file
View File

@ -0,0 +1,59 @@
---
# This playbook contains common plays that will be run all nodes.
- name: Install python-apt, aptitude, and debconf-utils
shell: apt-get update && apt-get -y install python-apt aptitude debconf-utils
- name: Do any package upgrades
apt: upgrade=dist
- name: Set default locale to en_US.UTF-8
debconf: name=locales question='locales/default_environment_locale' value=en_US.UTF-8 vtype='select'
- name: Generate locales
debconf: name=locales question='locales/locales_to_be_generated' value='en_US.UTF-8 UTF-8' vtype='multiselect'
- name: Set timezone area
debconf: name=tzdata question='tzdata/Areas' value='Etc' vtype='select'
- name: Set timezone
debconf: name=tzdata question='tzdata/Zones/Etc' value='UTC' vtype='select'
notify:
- restart rsyslog
- restart cron
- name: Install required packages
apt: pkg={{ item }} state=latest
with_items:
- most
- zsh
- vim
- vim-scripts
- git
- subversion
- tmux
- multitail
- mtr-tiny
- curl
- dnsutils
- sudo
- gnupg
- traceroute
- htop
- haveged
- python-pip
- unbound
- duplicity
- python-boto
- build-essential
- vnstat
- python-dev
- ntp
- name: Remove exim4 and consolekit
apt: pkg={{ item }} state=absent
with_items:
- exim4-daemon-light
- consolekit
- name: Ensure haveged, unbound, ntp, and vnstat are started on boot
service: name={{ item }} enabled=yes
with_items:
- haveged
- unbound
- vnstat
- ntp
- name: use local unbound instance for DNS and Google Public DNS as backup
copy: src=resolv.conf dest=/etc/resolv.conf

12
debian/roles/webservers-nginx/files/0-catch-all vendored Normal file
View File

@ -0,0 +1,12 @@
# This file is a nginx catch-all vhost, probably put here in an automated
# fashion.
server {
listen 80;
listen [::]:80 ipv6only=on;
server_name _; # This is just an invalid value which will never trigger on a real hostname.
access_log /var/log/nginx/default.access.log;
index index.html;
server_name_in_redirect off;
root /srv/www/catch-all;
}

11
debian/roles/webservers-nginx/files/cloudflare.conf vendored Normal file
View File

@ -0,0 +1,11 @@
# Cloudflare
set_real_ip_from 204.93.240.0/24;
set_real_ip_from 204.93.177.0/24;
set_real_ip_from 199.27.128.0/21;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;
real_ip_header CF-Connecting-IP;

63
debian/roles/webservers-nginx/files/nginx.conf vendored Normal file
View File

@ -0,0 +1,63 @@
user www-data;
worker_processes auto;
pid /var/run/nginx.pid;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 70;
types_hash_max_size 2048;
server_tokens off;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
# Upstream to abstract backend connection(s) for PHP.
upstream php {
# server unix:/tmp/php-fpm.sock;
server 127.0.0.1:9000;
}
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}

14
debian/roles/webservers-nginx/files/php-generic.conf vendored Normal file
View File

@ -0,0 +1,14 @@
index index.php index.html index.htm;
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass php;
fastcgi_index index.php;
}

23
debian/roles/webservers-nginx/files/security-generic.conf vendored Normal file
View File

@ -0,0 +1,23 @@
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Directives to send expires headers and turn off 404 error logging.
location ~* \.(js|css|png|jpg|jpeg|gif|ico|html)$ {
expires 24h;
}
# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}

39
debian/roles/webservers-nginx/files/wordpress-generic.conf vendored Normal file
View File

@ -0,0 +1,39 @@
# WordPress single blog rules.
# Designed to be included in any server {} block.
# This order might seem weird - this is attempted to match last if rules below fail.
# http://wiki.nginx.org/HttpCoreModule
location / {
try_files $uri $uri/ /index.php?$args;
}
# Add trailing slash to */wp-admin requests.
rewrite /wp-admin$ $scheme://$host$uri/ permanent;
# Directives to send expires headers and turn off 404 error logging.
location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
expires 24h;
}
# Uncomment one of the lines below for the appropriate caching plugin (if used).
#include global/wordpress-supercache.conf;
#include global/wordpress-w3cache.conf;
# Pass all .php files onto a php-fpm/php-fcgi server.
location ~ \.php$ {
# Zero-day exploit defense.
# http://forum.nginx.org/read.php?2,88845,page=3
# Won't work properly (404 error) if the file is not stored on this server, which is entirely possible with php-fpm/php-fcgi.
# Comment the 'try_files' line out if you set up php-fpm/php-fcgi on another machine. And then cross your fingers that you won't get hacked.
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
#NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
include fastcgi_params;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
# fastcgi_intercept_errors on;
fastcgi_pass php;
}

34
debian/roles/webservers-nginx/files/wordpress-security.conf vendored Normal file
View File

@ -0,0 +1,34 @@
# Global restrictions configuration file.
# Designed to be included in any server {} block.</p>
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}
# Deny access to any files with a .php extension in the uploads directory
location ~* ^/wp-content/uploads/.*.php$ {
deny all;
access_log off;
log_not_found off;
}
# Deny access to any files with a .php extension in the uploads directory for multisite
location ~* /files/(.*).php$ {
deny all;
access_log off;
log_not_found off;
}

3
debian/roles/webservers-nginx/handlers/main.yml vendored Normal file
View File

@ -0,0 +1,3 @@
---
- name: start nginx
service: name=nginx state=started

35
debian/roles/webservers-nginx/tasks/main.yml vendored Normal file
View File

@ -0,0 +1,35 @@
---
- name: Add nginx upstream repo key
apt_key: url=http://nginx.org/keys/nginx_signing.key state=present
- name: Add nginx upstream repository
apt_repository: repo='deb http://nginx.org/packages/debian/ wheezy nginx' state=present update_cache=yes
- name: Install nginx package
apt: pkg=nginx state=latest
- name: Stop nginx for now and also make it start on boot
service: name=nginx state=stopped enabled=yes
- name: Make nginx related dirs
file: path={{ item }} state=directory
with_items:
- /etc/nginx/global
- /etc/nginx/sites-available
- /etc/nginx/sites-enabled
- /srv/www/catch-all
- name: Clean out default vhost file in enabled and available dirs
file: path={{ item }} state=absent
with_items:
- /etc/nginx/sites-enabled/default
- /etc/nginx/sites-available/default
- name: Copy over all nginx configuration files
copy: src={{ item.name }} dest={{ item.dir }}
with_items:
- { name: 'nginx.conf', dir: '/etc/nginx/nginx.conf' }
- { name: '0-catch-all', dir: '/etc/nginx/sites-available/0-catch-all' }
- { name: 'cloudflare.conf', dir: '/etc/nginx/global/cloudflare.conf' }
- { name: 'php-generic.conf', dir: '/etc/nginx/global/php-generic.conf' }
- { name: 'security-generic.conf', dir: '/etc/nginx/global/security-generic.conf' }
- { name: 'wordpress-generic.conf', dir: '/etc/nginx/global/wordpress-generic.conf' }
- { name: 'wordpress-security.conf', dir: '/etc/nginx/global/wordpress-security.conf' }
- name: Symlink the default catch-all vhost
file: src=/etc/nginx/sites-available/0-catch-all dest=/etc/nginx/sites-enabled/0-catch-all state=link
notify:
- start nginx

29
debian/site.yml vendored Normal file
View File

@ -0,0 +1,29 @@
---
- name: apply common configuration to all nodes
hosts: all
user: root
roles:
- common
- name: apply configuration to web servers (nginx)
hosts: webservers-nginx
user: root
roles:
- webservers-nginx
- name: apply configuration to PHP app servers
hosts: appservers-php
user: root
roles:
- appservers-php
- name: apply configuration to uwsgi app servers
hosts: appservers-uwsgi
user: root
roles:
- appservers-uwsgi

7
ubuntu/disable-rpcbind.yml
View File

@ -1,7 +0,0 @@
---
- name: Disable rpcbind service
hosts: cloud
user: root
roles:
- disable-rpcbind

120
ubuntu/dresden.silvestris.systems.yml
View File

@ -1,120 +0,0 @@
---
- hosts: dresden.silvestris.systems
roles:
- role: jdauphant.nginx
nginx_user: "www-data"
nginx_events_params:
- worker_connections 1024
nginx_http_params:
- sendfile "on"
- server_names_hash_bucket_size 512
nginx_sites:
donate.tenforward.social.http:
- listen *:80
- listen [::]:80
- server_name donate.tenforward.social
- root "/srv/www/donate.tenforward.social/"
- location /.well-known/acme-challenge/ {
allow all;
}
- return 301 "https://$host$request_uri"
donate.tenforward.social.https:
- listen *:443 ssl http2
- listen [::]:443 ssl http2
- server_name donate.tenforward.social
- root "/srv/www/donate.tenforward.social"
- index index.html
- access_log "/var/log/nginx/donate.tenforward.social.access.log"
- error_log "/var/log/nginx/donate.tenforward.social.error.log"
- ssl_certificate "/etc/ssl/letsencrypt/donate.tenforward.social.crt"
- ssl_certificate_key "/etc/ssl/letsencrypt/donate.tenforward.social.pem"
- include snippets/sslstapling_hsts.conf
wiki.tenforward.social.http:
- listen *:80
- listen [::]:80
- server_name wiki.tenforward.social
- return 301 "https://$host$request_uri"
wiki.tenforward.social.https:
- listen *:443 ssl http2
- listen [::]:443 ssl http2
- server_name wiki.tenforward.social
- root "/srv/www/wiki.tenforward.social"
- index index.php
- access_log "/var/log/nginx/wiki.tenforward.social.access.log"
- error_log "/var/log/nginx/wiki.tenforward.social.error.log"
- ssl_certificate "/etc/ssl/letsencrypt/wiki.tenforward.social.crt"
- ssl_certificate_key "/etc/ssl/letsencrypt/wiki.tenforward.social.pem"
- include snippets/sslstapling_hsts.conf
- location ~ /(data|conf|bin|inc)/ {
deny all;
}
- location / {
try_files $uri $uri/ /index.php?$args;
}
- location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass php;
fastcgi_index index.php;
}
nginx_snippets:
sslstapling_hsts:
- ssl_stapling on
- resolver [::1] valid=300s
- add_header Strict-Transport-Security max-age=31536000
php_standard:
- location / {
try_files $uri $uri/ /index.php?$args;
}
- location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass php;
fastcgi_index index.php;
}
wp_with_supercache:
- set $cache_uri $request_uri
- if ( $request_method = POST ) { set $cache_uri 'null cache'; }
- if ( $query_string != "" ) { set $cache_uri 'null cache'; }
- if ( $request_uri ~* "/wp-admin/|/xmlrpc.php|/wp-(app|cron|login|register|mail).php|wp-.*.php|/feed/|index.php|wp-comments-popup.php|wp-links-opml.php|wp-locations.php|sitemap(_index)?.xml|[a-z0-9_-]+-sitemap([0-9]+)?.xml" ) { set $cache_uri 'null cache'; }
- if ( $http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_logged_in" ) { set $cache_uri 'null cache'; }
- location / {
try_files /wp-content/cache/supercache/$http_host/$cache_uri/index.html $uri $uri/ /index.php?$args;
}
- location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|woff2)$ {
expires max;
}
- location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include fastcgi_params;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass php;
}
nginx_configs:
gzip:
- gzip on
- gzip_disable msie6
- gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript
upstream:
- upstream php { server unix:/run/php/php8.1-fpm.sock; }
ssl:
- ssl_protocols TLSv1.2 TLSv1.3
- ssl_prefer_server_ciphers on
- ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'
- ssl_dhparam "/etc/nginx/dhparams.pem"
- ssl_session_timeout 1d
- ssl_session_cache shared:SSL:50m
- ssl_session_tickets off
fcgicache:
- fastcgi_cache_path /var/run/nginx-cache levels=1:2 keys_zone=WORDPRESS:100m inactive=60m
- fastcgi_cache_key "$scheme$request_method$host$request_uri"
- fastcgi_cache_use_stale error timeout invalid_header http_500
- fastcgi_ignore_headers Cache-Control Expires Set-Cookie
- add_header rt-Fastcgi-Cache $upstream_cache_status

269
ubuntu/erlking.silvestris.systems.yml
View File

@ -1,269 +0,0 @@
---
- hosts: erlking.silvestris.systems
roles:
- role: jdauphant.nginx
nginx_user: "www-data"
nginx_events_params:
- worker_connections 1024
nginx_http_params:
- sendfile "on"
- server_names_hash_bucket_size 512
nginx_sites:
nullrouted.space.http:
- listen *:80
- listen [::]:80
- server_name nullrouted.space
- return 301 "https://$host$request_uri"
nullrouted.space.https:
- listen *:443 ssl http2
- listen [::]:443 ssl http2
- server_name nullrouted.space
- root "/srv/www/nullrouted.space"
- index index.php index.html
- access_log "/var/log/nginx/nullrouted.space.access.log"
- error_log "/var/log/nginx/nullrouted.space.error.log"
- client_max_body_size 10M
- ssl_certificate "/etc/ssl/letsencrypt/nullrouted.space.crt"
- ssl_certificate_key "/etc/ssl/letsencrypt/nullrouted.space.pem"
- include snippets/sslstapling_hsts.conf
- include snippets/wp_with_supercache.conf
- include snippets/blockbots.conf
entropynet.net.http:
- listen *:80
- listen [::]:80
- server_name entropynet.net
- return 301 "https://$host$request_uri"
entropynet.net.https:
- listen *:443 ssl http2
- listen [::]:443 ssl http2
- server_name entropynet.net
- root "/srv/www/entropynet.net"
- error_page 404 /404.html
- index index.html
- access_log "/var/log/nginx/entropynet.net.access.log"
- error_log "/var/log/nginx/entropynet.net.error.log"
- ssl_certificate "/etc/ssl/letsencrypt/entropynet.net.crt"
- ssl_certificate_key "/etc/ssl/letsencrypt/entropynet.net.pem"
- include snippets/sslstapling_hsts.conf
- include snippets/blockbots.conf
twoshadesofbrown.com.http:
- listen *:80
- listen [::]:80
- server_name twoshadesofbrown.com
- return 301 "https://$host$request_uri"
twoshadesofbrown.com.https:
- listen *:443 ssl http2
- listen [::]:443 ssl http2
- server_name twoshadesofbrown.com
- root "/srv/www/twoshadesofbrown.com"
- index index.php index.html
- access_log "/var/log/nginx/twoshadesofbrown.com.access.log"
- error_log "/var/log/nginx/twoshadesofbrown.com.error.log"
- client_max_body_size 10M
- ssl_certificate "/etc/ssl/letsencrypt/twoshadesofbrown.com.crt"
- ssl_certificate_key "/etc/ssl/letsencrypt/twoshadesofbrown.com.pem"
- include snippets/sslstapling_hsts.conf
- include snippets/wp_with_supercache.conf
- include snippets/blockbots.conf
wiki.packetcat.ca.http:
- listen *:80
- listen [::]:80
- server_name wiki.packetcat.ca
- return 301 "https://$host$request_uri"
wiki.packetcat.ca.https:
- listen *:443 ssl http2
- listen [::]:443 ssl http2
- server_name wiki.packetcat.ca
- root "/srv/www/wiki.packetcat.ca"
- index index.php
- access_log "/var/log/nginx/wiki.packetcat.ca.access.log"
- error_log "/var/log/nginx/wiki.packetcat.ca.error.log"
- ssl_certificate "/etc/ssl/letsencrypt/wiki.packetcat.ca.crt"
- ssl_certificate_key "/etc/ssl/letsencrypt/wiki.packetcat.ca.pem"
- include snippets/sslstapling_hsts.conf
- include snippets/blockbots.conf
- location ~ /(data|conf|bin|inc)/ {
deny all;
}
- location / {
try_files $uri $uri/ /index.php?$args;
}
- location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass php;
fastcgi_index index.php;
}
sadiqsaif.com.http:
- listen *:80
- listen [::]:80
- server_name sadiqsaif.com
- return 301 "https://$host$request_uri"
sadiqsaif.com.https:
- listen *:443 ssl http2
- listen [::]:443 ssl http2
- server_name sadiqsaif.com
- root "/srv/www/sadiqsaif.com/public"
- index index.html
- error_page 404 /404.html
- access_log "/var/log/nginx/sadiqsaif.com.access.log"
- error_log "/var/log/nginx/sadiqsaif.com.error.log"
- ssl_certificate "/etc/ssl/letsencrypt/sadiqsaif.com.crt"
- ssl_certificate_key "/etc/ssl/letsencrypt/sadiqsaif.com.pem"
- include snippets/sslstapling_hsts.conf
- include snippets/blockbots.conf
sadiqsaif.ca.http:
- listen *:80
- listen [::]:80
- server_name sadiqsaif.ca
- return 301 "https://sadiqsaif.com$request_uri"
sadiqsaif.ca.https:
- listen *:443 ssl http2
- listen [::]:443 ssl http2
- server_name sadiqsaif.ca
- access_log "/var/log/nginx/sadiqsaif.ca.access.log"
- error_log "/var/log/nginx/sadiqsaif.ca.error.log"
- ssl_certificate "/etc/ssl/letsencrypt/sadiqsaif.ca.crt"
- ssl_certificate_key "/etc/ssl/letsencrypt/sadiqsaif.ca.pem"
- return 301 "https://sadiqsaif.com$request_uri"
wallabag.packetcat.ca.http:
- listen *:80
- listen [::]:80
- server_name wallabag.packetcat.ca
- return 301 "https://$host$request_uri"
wallabag.packetcat.ca.https:
- listen *:443 ssl http2
- listen [::]:443 ssl http2
- server_name wallabag.packetcat.ca
- root "/srv/www/wallabag.packetcat.ca/web"
- index app.php
- access_log "/var/log/nginx/wallabag.packetcat.ca.access.log"
- error_log "/var/log/nginx/wallabag.packetcat.ca.error.log"
- ssl_certificate "/etc/ssl/letsencrypt/wallabag.packetcat.ca.crt"
- ssl_certificate_key "/etc/ssl/letsencrypt/wallabag.packetcat.ca.pem"
- include snippets/sslstapling_hsts.conf
- include snippets/blockbots.conf
- location / {
try_files $uri /app.php$is_args$args;
}
- location ~ ^/app\.php(/|$) {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass php;
fastcgi_index index.php;
internal;
}
- location ~ \.php$ {
return 404;
}
bastetrix.com.http:
- listen *:80
- listen [::]:80
- server_name bastetrix.com
- root "/srv/www/bastetrix.com/public"
- location /.well-known/acme-challenge/ {
allow all;
}
- return 301 "https://$host$request_uri"
bastetrix.com.https:
- listen *:443 ssl http2
- listen [::]:443 ssl http2
- server_name bastetrix.com
- root "/srv/www/bastetrix.com/public"
- index index.html
- access_log "/var/log/nginx/bastetrix.com.access.log"
- error_log "/var/log/nginx/bastetrix.com.error.log"
- ssl_certificate "/etc/ssl/letsencrypt/bastetrix.com.crt"
- ssl_certificate_key "/etc/ssl/letsencrypt/bastetrix.com.pem"
- include snippets/sslstapling_hsts.conf
wiki.bastetrix.org.http:
- listen *:80
- listen [::]:80
- server_name wiki.bastetrix.org
- root "/srv/www/wiki.bastetrix.org"
- location /.well-known/acme-challenge/ {
allow all;
}
- return 301 "https://$host$request_uri"
wiki.bastetrix.org.https:
- listen *:443 ssl http2
- listen [::]:443 ssl http2
- server_name wiki.bastetrix.org
- root "/srv/www/wiki.bastetrix.org"
- index index.php
- access_log "/var/log/nginx/wiki.bastetrix.org.access.log"
- error_log "/var/log/nginx/wiki.bastetrix.org.error.log"
- ssl_certificate "/etc/ssl/letsencrypt/wiki.bastetrix.org.crt"
- ssl_certificate_key "/etc/ssl/letsencrypt/wiki.bastetrix.org.pem"
- include snippets/sslstapling_hsts.conf
- location ~ /(data|conf|bin|inc)/ {
deny all;
}
- include snippets/php_standard.conf
nginx_snippets:
sslstapling_hsts:
- ssl_stapling on
- resolver [::1] valid=300s
- add_header Strict-Transport-Security max-age=31536000
php_standard:
- location / {
try_files $uri $uri/ /index.php?$args;
}
- location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass php;
fastcgi_index index.php;
}
wp_with_supercache:
- set $cache_uri $request_uri
- if ( $request_method = POST ) { set $cache_uri 'null cache'; }
- if ( $query_string != "" ) { set $cache_uri 'null cache'; }
- if ( $request_uri ~* "/wp-admin/|/xmlrpc.php|/wp-(app|cron|login|register|mail).php|wp-.*.php|/feed/|index.php|wp-comments-popup.php|wp-links-opml.php|wp-locations.php|sitemap(_index)?.xml|[a-z0-9_-]+-sitemap([0-9]+)?.xml" ) { set $cache_uri 'null cache'; }
- if ( $http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_logged_in" ) { set $cache_uri 'null cache'; }
- location / {
try_files /wp-content/cache/supercache/$http_host/$cache_uri/index.html $uri $uri/ /index.php?$args;
}
- location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|woff2)$ {
expires max;
}
- location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include fastcgi_params;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass php;
}
blockbots:
- if ($http_user_agent ~* (thesis-research-bot|fidget-spinner-bot|ClaudeBot) ) {
return 403;
}
nginx_configs:
gzip:
- gzip on
- gzip_disable msie6
- gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript
upstream:
- upstream php { server unix:/run/php/php8.1-fpm.sock; }
ssl:
- ssl_protocols TLSv1.2 TLSv1.3
- ssl_prefer_server_ciphers on
- ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'
- ssl_dhparam "/etc/nginx/dhparams.pem"
- ssl_session_timeout 1d
- ssl_session_cache shared:SSL:50m
- ssl_session_tickets off
fcgicache:
- fastcgi_cache_path /var/run/nginx-cache levels=1:2 keys_zone=WORDPRESS:100m inactive=60m
- fastcgi_cache_key "$scheme$request_method$host$request_uri"
- fastcgi_cache_use_stale error timeout invalid_header http_500
- fastcgi_ignore_headers Cache-Control Expires Set-Cookie
- add_header rt-Fastcgi-Cache $upstream_cache_status

7
ubuntu/firewall.yml
View File

@ -1,7 +0,0 @@
---
- name: Deploy firewall rules
hosts: firewalled
user: root
roles:
- firewall-ruleset-deploy

7
ubuntu/icinga-client-install.yml
View File

@ -1,7 +0,0 @@
---
- name: install Icinga 2 for client usage
hosts: icingaclients
user: root
roles:
- icinga-client

7
ubuntu/ipset.yml
View File

@ -1,7 +0,0 @@
---
- name: Deploy ipset rulesets
hosts: ipset
user: root
roles:
- ipset-deploy

110
ubuntu/molly.silvestris.systems.yml
View File

@ -1,110 +0,0 @@
---
- hosts: molly.silvestris.systems
roles:
- role: jdauphant.nginx
nginx_user: "www-data"
nginx_events_params:
- worker_connections 1024
nginx_http_params:
- sendfile "on"
- server_names_hash_bucket_size 512
nginx_sites:
tenforward.social.http:
- listen *:80
- listen [::]:80
- server_name tenforward.social
- location /.well-known/acme-challenge/ {
allow all;
}
- return 301 "https://$host$request_uri"
tenforward.social.https:
- listen *:443 ssl http2
- listen [::]:443 ssl http2
- server_name tenforward.social
- root "/home/mastodon/live/public"
- access_log "/var/log/nginx/tenforward.social.access.log"
- error_log "/var/log/nginx/tenforward.social.error.log"
- ssl_certificate "/etc/ssl/letsencrypt/tenforward.social.crt"
- ssl_certificate_key "/etc/ssl/letsencrypt/tenforward.social.pem"
- add_header Referrer-Policy "no-referrer, strict-origin-when-cross-origin"
- add_header Strict-Transport-Security max-age=31536000
- add_header Access-Control-Allow-Origin *
- include snippets/blockbots.conf
- client_max_body_size 0
- location / {
try_files $uri @proxy;
}
- location ~ ^/(emoji|packs|system/media_attachments/files|system/accounts/avatars) {
add_header Cache-Control "public, max-age=31536000, immutable";
}
- location ^~ /api/v1/streaming {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Proxy "";
proxy_pass http://streaming;
proxy_buffering off;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
tcp_nodelay on;
}
- location @proxy {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Proxy "";
proxy_pass_header Server;
proxy_pass http://backend;
proxy_buffering on;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_cache CACHE;
proxy_cache_valid 200 7d;
proxy_cache_valid 410 24h;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
add_header X-Cached $upstream_cache_status;
tcp_nodelay on;
}
- error_page 404 500 501 502 503 504 /500.html
nginx_configs:
gzip:
- gzip on
- gzip_disable msie6
- gzip_vary on
- gzip_proxied any
- gzip_comp_level 6
- gzip_buffers 16 8k
- gzip_http_version 1.1
- gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript
connectionupgrade:
- map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
proxycache:
- proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=1g
ssl:
- ssl_protocols TLSv1.2 TLSv1.3
- ssl_session_timeout 1d
- ssl_session_cache shared:SSL:50m
- ssl_session_tickets off
upstreams:
- upstream backend {
server 127.0.0.1:3000 fail_timeout=0;
}
- upstream streaming {
server 127.0.0.1:4000 fail_timeout=0;
}
nginx_snippets:
blockbots:
- if ($http_user_agent ~* (LanaiBotmarch|lanaibot|TinyTestBot|TinyBotTestUA|Content-Nation) ) {
return 403;
}

14
ubuntu/package-update.yml
View File

@ -1,14 +0,0 @@
---
- name: Update packages on cloud nodes
hosts: cloud
user: root
roles:
- package-update
- name: Update packages on home nodes
hosts: home
user: root
roles:
- package-update

7
ubuntu/pgbackrest-install.yml
View File

@ -1,7 +0,0 @@
---
- name: Install pgbackrest
hosts: pgbackrest
user: root
roles:
- pgbackrest-install

4
ubuntu/rclone-install.yml
View File

@ -1,4 +0,0 @@
---
- hosts: rclone-hosts
roles:
- stefangweichinger.ansible_rclone

392
ubuntu/roles/appservers-php/files/www.conf Normal file
View File

@ -0,0 +1,392 @@
; Start a new pool named 'www'.
; the variable $pool can we used in any directive and will be replaced by the
; pool name ('www' here)
[www]
; Per pool prefix
; It only applies on the following directives:
; - 'slowlog'
; - 'listen' (unixsocket)
; - 'chroot'
; - 'chdir'
; - 'php_values'
; - 'php_admin_values'
; When not set, the global prefix (or /usr) applies instead.
; Note: This directive can also be relative to the global prefix.
; Default Value: none
;prefix = /path/to/pools/$pool
; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's group
; will be used.
user = www-data
group = www-data
; The address on which to accept FastCGI requests.
; Valid syntaxes are:
; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific address on
; a specific port;
; 'port' - to listen on a TCP socket to all addresses on a
; specific port;
; '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory.
listen = 127.0.0.1:9000
; Set listen(2) backlog. A value of '-1' means unlimited.
; Default Value: 128 (-1 on FreeBSD and OpenBSD)
;listen.backlog = -1
; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many
; BSD-derived systems allow connections regardless of permissions.
; Default Values: user and group are set as the running user
; mode is set to 0666
;listen.owner = www-data
;listen.group = www-data
;listen.mode = 0666
; List of ipv4 addresses of FastCGI clients which are allowed to connect.
; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
; must be separated by a comma. If this value is left blank, connections will be
; accepted from any ip address.
; Default Value: any
listen.allowed_clients = 127.0.0.1
; Specify the nice(2) priority to apply to the pool processes (only if set)
; The value can vary from -19 (highest priority) to 20 (lower priority)
; Note: - It will only work if the FPM master process is launched as root
; - The pool processes will inherit the master process priority
; unless it specified otherwise
; Default Value: no set
; priority = -19
; Choose how the process manager will control the number of child processes.
; Possible Values:
; static - a fixed number (pm.max_children) of child processes;
; dynamic - the number of child processes are set dynamically based on the
; following directives. With this process management, there will be
; always at least 1 children.
; pm.max_children - the maximum number of children that can
; be alive at the same time.
; pm.start_servers - the number of children created on startup.
; pm.min_spare_servers - the minimum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is less than this
; number then some children will be created.
; pm.max_spare_servers - the maximum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is greater than this
; number then some children will be killed.
; ondemand - no children are created at startup. Children will be forked when
; new requests will connect. The following parameter are used:
; pm.max_children - the maximum number of children that
; can be alive at the same time.
; pm.process_idle_timeout - The number of seconds after which
; an idle process will be killed.
; Note: This value is mandatory.
pm = dynamic
; The number of child processes to be created when pm is set to 'static' and the
; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
; This value sets the limit on the number of simultaneous requests that will be
; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
; CGI. The below defaults are based on a server without much resources. Don't
; forget to tweak pm.* to fit your needs.
; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
; Note: This value is mandatory.
pm.max_children = 5
; The number of child processes created on startup.
; Note: Used only when pm is set to 'dynamic'
; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
pm.start_servers = 2
; The desired minimum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.min_spare_servers = 1
; The desired maximum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.max_spare_servers = 3
; The number of seconds after which an idle process will be killed.
; Note: Used only when pm is set to 'ondemand'
; Default Value: 10s
;pm.process_idle_timeout = 10s;
; The number of requests each child process should execute before respawning.
; This can be useful to work around memory leaks in 3rd party libraries. For
; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
; Default Value: 0
;pm.max_requests = 500
; The URI to view the FPM status page. If this value is not set, no URI will be
; recognized as a status page. It shows the following informations:
; pool - the name of the pool;
; process manager - static, dynamic or ondemand;
; start time - the date and time FPM has started;
; start since - number of seconds since FPM has started;
; accepted conn - the number of request accepted by the pool;
; listen queue - the number of request in the queue of pending
; connections (see backlog in listen(2));
; max listen queue - the maximum number of requests in the queue
; of pending connections since FPM has started;
; listen queue len - the size of the socket queue of pending connections;
; idle processes - the number of idle processes;
; active processes - the number of active processes;
; total processes - the number of idle + active processes;
; max active processes - the maximum number of active processes since FPM
; has started;
; max children reached - number of times, the process limit has been reached,
; when pm tries to start more children (works only for
; pm 'dynamic' and 'ondemand');
; Value are updated in real time.
; Example output:
; pool: www
; process manager: static
; start time: 01/Jul/2011:17:53:49 +0200
; start since: 62636
; accepted conn: 190460
; listen queue: 0
; max listen queue: 1
; listen queue len: 42
; idle processes: 4
; active processes: 11
; total processes: 15
; max active processes: 12
; max children reached: 0
;
; By default the status page output is formatted as text/plain. Passing either
; 'html', 'xml' or 'json' in the query string will return the corresponding
; output syntax. Example:
; http://www.foo.bar/status
; http://www.foo.bar/status?json
; http://www.foo.bar/status?html
; http://www.foo.bar/status?xml
;
; By default the status page only outputs short status. Passing 'full' in the
; query string will also return status for each pool process.
; Example:
; http://www.foo.bar/status?full
; http://www.foo.bar/status?json&full
; http://www.foo.bar/status?html&full
; http://www.foo.bar/status?xml&full
; The Full status returns for each process:
; pid - the PID of the process;
; state - the state of the process (Idle, Running, ...);
; start time - the date and time the process has started;
; start since - the number of seconds since the process has started;
; requests - the number of requests the process has served;
; request duration - the duration in µs of the requests;
; request method - the request method (GET, POST, ...);
; request URI - the request URI with the query string;
; content length - the content length of the request (only with POST);
; user - the user (PHP_AUTH_USER) (or '-' if not set);
; script - the main script called (or '-' if not set);
; last request cpu - the %cpu the last request consumed
; it's always 0 if the process is not in Idle state
; because CPU calculation is done when the request
; processing has terminated;
; last request memory - the max amount of memory the last request consumed
; it's always 0 if the process is not in Idle state
; because memory calculation is done when the request
; processing has terminated;
; If the process is in Idle state, then informations are related to the
; last request the process has served. Otherwise informations are related to
; the current request being served.
; Example output:
; ************************
; pid: 31330
; state: Running
; start time: 01/Jul/2011:17:53:49 +0200
; start since: 63087
; requests: 12808
; request duration: 1250261
; request method: GET
; request URI: /test_mem.php?N=10000
; content length: 0
; user: -
; script: /home/fat/web/docs/php/test_mem.php
; last request cpu: 0.00
; last request memory: 0
;
; Note: There is a real-time FPM status monitoring sample web page available
; It's available in: ${prefix}/share/fpm/status.html
;
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
;pm.status_path = /status
; The ping URI to call the monitoring page of FPM. If this value is not set, no
; URI will be recognized as a ping page. This could be used to test from outside
; that FPM is alive and responding, or to
; - create a graph of FPM availability (rrd or such);
; - remove a server from a group if it is not responding (load balancing);
; - trigger alerts for the operating team (24/7).
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
;ping.path = /ping
; This directive may be used to customize the response of a ping request. The
; response is formatted as text/plain with a 200 response code.
; Default Value: pong
;ping.response = pong
; The access log file
; Default: not set
;access.log = /var/log/$pool.access.log
; The access log format.
; The following syntax is allowed
; %%: the '%' character
; %C: %CPU used by the request
; it can accept the following format:
; - %{user}C for user CPU only
; - %{system}C for system CPU only
; - %{total}C for user + system CPU (default)
; %d: time taken to serve the request
; it can accept the following format:
; - %{seconds}d (default)
; - %{miliseconds}d
; - %{mili}d
; - %{microseconds}d
; - %{micro}d
; %e: an environment variable (same as $_ENV or $_SERVER)
; it must be associated with embraces to specify the name of the env
; variable. Some exemples:
; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
; %f: script filename
; %l: content-length of the request (for POST request only)
; %m: request method
; %M: peak of memory allocated by PHP
; it can accept the following format:
; - %{bytes}M (default)
; - %{kilobytes}M
; - %{kilo}M
; - %{megabytes}M
; - %{mega}M
; %n: pool name
; %o: ouput header
; it must be associated with embraces to specify the name of the header:
; - %{Content-Type}o
; - %{X-Powered-By}o
; - %{Transfert-Encoding}o
; - ....
; %p: PID of the child that serviced the request
; %P: PID of the parent of the child that serviced the request
; %q: the query string
; %Q: the '?' character if query string exists
; %r: the request URI (without the query string, see %q and %Q)
; %R: remote IP address
; %s: status (response code)
; %t: server time the request was received
; it can accept a strftime(3) format:
; %d/%b/%Y:%H:%M:%S %z (default)
; %T: time the log has been written (the request has finished)
; it can accept a strftime(3) format:
; %d/%b/%Y:%H:%M:%S %z (default)
; %u: remote user
;
; Default: "%R - %u %t \"%m %r\" %s"
;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
; The log file for slow requests
; Default Value: not set
; Note: slowlog is mandatory if request_slowlog_timeout is set
slowlog = /var/log/$pool.log.slow
; The timeout for serving a single request after which a PHP backtrace will be
; dumped to the 'slowlog' file. A value of '0s' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_slowlog_timeout = 0
; The timeout for serving a single request after which the worker process will
; be killed. This option should be used when the 'max_execution_time' ini option
; does not stop script execution for some reason. A value of '0' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_terminate_timeout = 0
; Set open file descriptor rlimit.
; Default Value: system defined value
;rlimit_files = 1024
; Set max core size rlimit.
; Possible Values: 'unlimited' or an integer greater or equal to 0
; Default Value: system defined value
;rlimit_core = 0
; Chroot to this directory at the start. This value must be defined as an
; absolute path. When this value is not set, chroot is not used.
; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
; of its subdirectories. If the pool prefix is not set, the global prefix
; will be used instead.
; Note: chrooting is a great security feature and should be used whenever
; possible. However, all PHP paths will be relative to the chroot
; (error_log, sessions.save_path, ...).
; Default Value: not set
;chroot =
; Chdir to this directory at the start.
; Note: relative path can be used.
; Default Value: current directory or / when chroot
chdir = /
; Redirect worker stdout and stderr into main error log. If not set, stdout and
; stderr will be redirected to /dev/null according to FastCGI specs.
; Note: on highloaded environement, this can cause some delay in the page
; process time (several ms).
; Default Value: no
;catch_workers_output = yes
; Limits the extensions of the main script FPM will allow to parse. This can
; prevent configuration mistakes on the web server side. You should only limit
; FPM to .php extensions to prevent malicious users to use other extensions to
; exectute php code.
; Note: set an empty value to allow all extensions.
; Default Value: .php
;security.limit_extensions = .php .php3 .php4 .php5
; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
; the current environment.
; Default Value: clean env
;env[HOSTNAME] = $HOSTNAME
;env[PATH] = /usr/local/bin:/usr/bin:/bin
;env[TMP] = /tmp
;env[TMPDIR] = /tmp
;env[TEMP] = /tmp
; Additional php.ini defines, specific to this pool of workers. These settings
; overwrite the values previously defined in the php.ini. The directives are the
; same as the PHP SAPI:
; php_value/php_flag - you can set classic ini defines which can
; be overwritten from PHP call 'ini_set'.
; php_admin_value/php_admin_flag - these directives won't be overwritten by
; PHP call 'ini_set'
; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
; Defining 'extension' will load the corresponding shared extension from
; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
; overwrite previously defined php.ini values, but will append the new value
; instead.
; Note: path INI options can be relative and will be expanded with the prefix
; (pool, global or /usr)
; Default Value: nothing is defined by default except the values in php.ini and
; specified at startup with the -d argument
;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
;php_flag[display_errors] = off
;php_admin_value[error_log] = /var/log/fpm-php.www.log
;php_admin_flag[log_errors] = on
;php_admin_value[memory_limit] = 32M

3
ubuntu/roles/appservers-php/handlers/main.yml Normal file
View File

@ -0,0 +1,3 @@
---
- name: start php5-fpm
service: name=php5-fpm state=started

9
ubuntu/roles/appservers-php/tasks/main.yml Normal file
View File

@ -0,0 +1,9 @@
---
- name: Install php5-fpm
apt: pkg=php5-fpm state=latest
- name: Stop the php5-fpm daemon for now and ensure it starts on boot
service: name=php5-fpm state=stopped enabled=yes
- name: Copy over the php5-fpm www pool config
copy: src=www.conf dest=/etc/php5/fpm/pool.d/www.conf backup=yes
notify:
- start php5-fpm

72
ubuntu/roles/appservers-uwsgi/files/uwsgi.init Normal file
View File

@ -0,0 +1,72 @@
#!/bin/sh
### BEGIN INIT INFO
# Provides: uwsgi
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: starts the uwsgi app server
# Description: starts uwsgi app server using start-stop-daemon
### END INIT INFO
PATH=/opt/uwsgi:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/local/bin/uwsgi
OWNER=uwsgi
NAME=uwsgi
DESC=uwsgi
test -x $DAEMON || exit 0
# Include uwsgi defaults if available
if [ -f /etc/default/uwsgi ] ; then
. /etc/default/uwsgi
fi
set -e
#DAEMON_OPTS="-s 127.0.0.1:9001 -M 4 -t 30 -A 4 -p 4 -d /var/log/uwsgi.log --pythonpath $PYTHONPATH --module $MODULE"
DAEMON_OPTS="--emperor /etc/uwsgi/apps -d /var/log/uwsgi.log"
case "$1" in
start)
echo -n "Starting $DESC: "
start-stop-daemon --start --chuid $OWNER:$OWNER --user $OWNER \
--exec $DAEMON -- $DAEMON_OPTS
echo "$NAME."
;;
stop)
echo -n "Stopping $DESC: "
start-stop-daemon --signal 3 --user $OWNER --quiet --retry 2 --stop \
--exec $DAEMON
echo "$NAME."
;;
reload)
killall -1 $DAEMON
;;
force-reload)
killall -15 $DAEMON
;;
restart)
echo -n "Restarting $DESC: "
start-stop-daemon --signal 3 --user $OWNER --quiet --retry 2 --stop \
--exec $DAEMON
sleep 1
start-stop-daemon --user $OWNER --start --quiet --chuid $OWNER:$OWNER \
--exec $DAEMON -- $DAEMON_OPTS
echo "$NAME."
;;
status)
killall -10 $DAEMON
;;
*)
N=/etc/init.d/$NAME
echo "Usage: $N {start|stop|restart|reload|force-reload|status}" >&2
exit 1
;;
esac
exit 0

9
ubuntu/roles/appservers-uwsgi/files/uwsgi.logrotate Normal file
View File

@ -0,0 +1,9 @@
"/var/log/uwsgi/*.log" "/var/log/uwsgi/*/*.log" {
copytruncate
daily
rotate 5
compress
delaycompress
missingok
notifempty
}

3
ubuntu/roles/appservers-uwsgi/handlers/main.yml Normal file
View File

@ -0,0 +1,3 @@
---
- name: start uwsgi
service: name=uwsgi state=started

24
ubuntu/roles/appservers-uwsgi/tasks/main.yml Normal file
View File

@ -0,0 +1,24 @@
---
- name: Install virtualenv
apt: name=python-virtualenv state=latest
- name: Install uwsgi from PyPI
pip: name=uWSGI
- name: Add uwsgi group
group: name=uwsgi state=present
- name: Add uwsgi user
user: name=uwsgi shell=/sbin/nologin createhome=no group=uwsgi password=$6$Qu5GfWUlAPXh$Ie8Fd9Vzl.PpaFciUbRCI4sIryI6i0rDE29Vf86/WYHgPSWG7x9IIkVU.tG1Mtfq2OM9IeH2IuvOKCcnErMgC1
- name: Copy over the uwsgi init script and logrotate config
copy: src={{ item.name }} dest={{ item.dir }} backup=yes
with_items:
- { name: 'uwsgi.init', dir: '/etc/init.d/uwsgi' }
- { name: 'uwsgi.logrotate', dir: '/etc/logrotate.d/uwsgi' }
- name: Make sure the init script is executable
file: path=/etc/init.d/uwsgi owner=root group=root mode=0755
- name: Make configuration directory
file: path=/etc/uwsgi/apps state=directory
- name: Make log file with correct permissions
file: path=/var/log/uwsgi.log owner=uwsgi group=uwsgi mode=0750 state=touch
- name: Make sure uwsgi starts on boot
service: name=uwsgi enabled=yes
notify:
- start uwsgi

91
ubuntu/roles/apt-maintenance/files/50unattended-upgrades
View File

@ -1,91 +0,0 @@
// Automatically upgrade packages from these (origin:archive) pairs
//
// Note that in Ubuntu security updates may pull in new dependencies
// from non-security sources (e.g. chromium). By allowing the release
// pocket these get automatically pulled in.
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}";
"${distro_id}:${distro_codename}-security";
// Extended Security Maintenance; doesn't necessarily exist for
// every release and this system may not have it installed, but if
// available, the policy for updates is such that unattended-upgrades
// should also install from here by default.
"${distro_id}ESM:${distro_codename}";
// "${distro_id}:${distro_codename}-updates";
// "${distro_id}:${distro_codename}-proposed";
// "${distro_id}:${distro_codename}-backports";
};
// List of packages to not update (regexp are supported)
Unattended-Upgrade::Package-Blacklist {
// "vim";
// "libc6";
// "libc6-dev";
// "libc6-i686";
};
// This option will controls whether the development release of Ubuntu will be
// upgraded automatically.
Unattended-Upgrade::DevRelease "false";
// This option allows you to control if on a unclean dpkg exit
// unattended-upgrades will automatically run
// dpkg --force-confold --configure -a
// The default is true, to ensure updates keep getting installed
//Unattended-Upgrade::AutoFixInterruptedDpkg "false";
// Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGTERM. This makes the upgrade
// a bit slower but it has the benefit that shutdown while a upgrade
// is running is possible (with a small delay)
//Unattended-Upgrade::MinimalSteps "false";
// Install all unattended-upgrades when the machine is shutting down
// instead of doing it in the background while the machine is running
// This will (obviously) make shutdown slower
//Unattended-Upgrade::InstallOnShutdown "true";
// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed. E.g. "user@example.com"
Unattended-Upgrade::Mail "s+cron@sadiqs.com";
// Set this value to "true" to get emails only on errors. Default
// is to always send a mail if Unattended-Upgrade::Mail is set
//Unattended-Upgrade::MailOnlyOnError "true";
// Remove unused automatically installed kernel-related packages
// (kernel images, kernel headers and kernel version locked tools).
//Unattended-Upgrade::Remove-Unused-Kernel-Packages "false";
// Do automatic removal of new unused dependencies after the upgrade
// (equivalent to apt-get autoremove)
Unattended-Upgrade::Remove-Unused-Dependencies "true";
// Automatically reboot *WITHOUT CONFIRMATION*
// if the file /var/run/reboot-required is found after the upgrade
//Unattended-Upgrade::Automatic-Reboot "false";
// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
// Default: "now"
//Unattended-Upgrade::Automatic-Reboot-Time "02:00";
// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";
// Enable logging to syslog. Default is False
// Unattended-Upgrade::SyslogEnable "false";
// Specify syslog facility. Default is daemon
// Unattended-Upgrade::SyslogFacility "daemon";
// Download and install upgrades only on AC power
// (i.e. skip or gracefully stop updates on battery)
// Unattended-Upgrade::OnlyOnACPower "true";
// Download and install upgrades only on non-metered connection
// (i.e. skip or gracefully stop updates on a metered connection)
// Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true";

21
ubuntu/roles/apt-maintenance/tasks/main.yml
View File

@ -1,21 +0,0 @@
---
# This task sets up unattended-upgrade's config
- name: Install unattended-upgrade and apt-listchanges
apt: name={{ packages }} state=latest update_cache=yes
vars:
packages:
- unattended-upgrades
- apt-listchanges
- name: Copy our 50unattended-upgrades
copy:
src: 50unattended-upgrades
dest: /etc/apt/apt.conf.d/50unattended-upgrades
- name: Ensure 20auto-upgrades has the correct values using debconf
debconf:
name: unattended-upgrades
question: unattended-upgrades/enable_auto_updates
vtype: boolean
value: true

4
ubuntu/roles/common/files/10periodic
View File

@ -1,4 +0,0 @@
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "0";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "7";

3
ubuntu/roles/common/files/aliases
View File

@ -1,3 +0,0 @@
# See man 5 aliases for format
postmaster: root
root: s+cron@sadiqs.com

2
ubuntu/roles/common/files/resolv.conf Normal file
View File

@ -0,0 +1,2 @@
nameserver ::1
nameserver 8.8.8.8

3
ubuntu/roles/common/handlers/main.yml
View File

@ -3,5 +3,4 @@
service: name=rsyslog state=restarted
- name: restart cron
service: name=cron state=restarted
- name: newaliases
shell: newaliases

93
ubuntu/roles/common/tasks/main.yml
View File

@ -1,12 +1,8 @@
---
# This playbook contains common plays that will be run all nodes.
- name: Install python-apt, aptitude, and debconf-utils (20.04)
- name: Install python-apt, aptitude, and debconf-utils
shell: apt-get update && apt-get -y install python-apt aptitude debconf-utils
when: ansible_distribution_release == 'focal'
- name: Install python-apt, aptitude, and debconf-utils (22.04)
shell: apt-get update && apt-get -y install python3-apt aptitude debconf-utils
when: ansible_distribution_release == 'jammy'
- name: Do any package upgrades
apt: upgrade=dist
- name: Set default locale to en_US.UTF-8
@ -20,59 +16,44 @@
notify:
- restart rsyslog
- restart cron
- name: Set hostname
hostname:
name: "{{ inventory_hostname }}"
use: systemd
- name: Remove packages we do not need
apt:
name: "{{ packages }}"
state: absent
vars:
packages:
- exim4-daemon-light
- consolekit
- snapd
- lxcfs
- rpcbind
- ufw
- name: Install required packages
apt:
name: "{{ packages }}"
state: latest
vars:
packages:
- most
- vim
- vim-scripts
- git
- tmux
- multitail
- mtr-tiny
- curl
- dnsutils
- sudo
- gnupg
- traceroute
- htop
- haveged
- build-essential
- vnstat
- chrony
- unattended-upgrades
- mailutils
- postfix
- python-is-python3
- net-tools
- name: Ensure haveged, ntp, and vnstat are started on boot
apt: pkg={{ item }} state=latest
with_items:
- most
- zsh
- vim
- vim-scripts
- git
- subversion
- tmux
- multitail
- mtr-tiny
- curl
- dnsutils
- sudo
- gnupg
- traceroute
- htop
- haveged
- python-pip
- unbound
- duplicity
- python-boto
- build-essential
- vnstat
- python-dev
- ntp
- name: Remove exim4 and consolekit
apt: pkg={{ item }} state=absent
with_items:
- exim4-daemon-light
- consolekit
- name: Ensure haveged, unbound, ntp, and vnstat are started on boot
service: name={{ item }} enabled=yes
with_items:
- haveged
- unbound
- vnstat
- chrony
- name: Ensure that the periodic APT cron task clears out old kernels and does unattended security upgrades
copy: src=10periodic dest=/etc/apt/apt.conf.d/10periodic backup=yes owner=root group=root mode=0644
- name: Copy over our aliases file
copy: src=aliases dest=/etc/aliases
notify:
- newaliases
- ntp
- name: use local unbound instance for DNS and Google Public DNS as backup
copy: src=resolv.conf dest=/etc/resolv.conf

23
ubuntu/roles/disable-rpcbind/tasks/main.yml
View File

@ -1,23 +0,0 @@
---
# This role disables the rpcbind service on hosts
- name: Disable and mask the rpcbind service
systemd:
name: rpcbind.service
enabled: false
state: stopped
masked: true
- name: Disable and mask the rpcbind socket
systemd:
name: rpcbind.socket
enabled: false
state: stopped
masked: true
- name: Disable and mask the rpcbind target
systemd:
name: rpcbind.target
enabled: false
state: stopped
masked: true

28
ubuntu/roles/firewall-ruleset-deploy/files/demonreach.silvestris.systems.rules.v4
View File

@ -1,28 +0,0 @@
*filter
:INPUT DROP
:FORWARD ACCEPT
:OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type ping -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 5665 -j ACCEPT
-A INPUT -p tcp --dport 9001 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5269,5222 -j ACCEPT
-A INPUT -p udp --dport 1194 -j ACCEPT
-A INPUT -p udp --dport 53 -s 10.8.0.1/24 -j ACCEPT
-A INPUT -p tcp --dport 53 -s 10.8.0.1/24 -j ACCEPT
-A INPUT -p udp --dport 53 -s 10.66.66.0/24 -j ACCEPT
-A INPUT -p tcp --dport 53 -s 10.66.66.0/24 -j ACCEPT
-A INPUT -p udp --dport 53 -s 100.64.0.0/10 -j ACCEPT
-A INPUT -p tcp --dport 53 -s 100.64.0.0/10 -j ACCEPT
-A INPUT -p udp --dport 51802 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT
:INPUT ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.66.66.0/24 -o eth0 -j MASQUERADE
COMMIT

32
ubuntu/roles/firewall-ruleset-deploy/files/demonreach.silvestris.systems.rules.v6
View File

@ -1,32 +0,0 @@
*filter
:INPUT DROP
:FORWARD ACCEPT
:OUTPUT ACCEPT
:icmp_in -
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 5665 -j ACCEPT
-A INPUT -p tcp --dport 9001 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5269,5222 -j ACCEPT
-A INPUT -p udp -s 2620:98:4002::/48 --dport 53 -j ACCEPT
-A INPUT -p tcp -s 2620:98:4002::/48 --dport 53 -j ACCEPT
-A INPUT -p udp -s fd7a:115c:a1e0:ab12:4843:cd96:6241:b43c/128 --dport 53 -j ACCEPT
-A INPUT -p tcp -s fd7a:115c:a1e0:ab12:4843:cd96:6241:b43c/128 --dport 53 -j ACCEPT
-A INPUT -p ipv6-icmp -j icmp_in
-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT
:INPUT ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
-A POSTROUTING -s fd42:42:42::/64 -o eth0 -j MASQUERADE
COMMIT

12
ubuntu/roles/firewall-ruleset-deploy/files/erlking.silvestris.systems.rules.v4
View File

@ -1,12 +0,0 @@
*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
-A INPUT -m set --match-set nasties src -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type ping -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp --dport 5665 -j ACCEPT
COMMIT

20
ubuntu/roles/firewall-ruleset-deploy/files/erlking.silvestris.systems.rules.v6
View File

@ -1,20 +0,0 @@
*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
:icmp_in -
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dport 80,443 -j ACCEPT
-A INPUT -p tcp --dport 5665 -j ACCEPT
-A INPUT -p ipv6-icmp -j icmp_in
-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
COMMIT

10
ubuntu/roles/firewall-ruleset-deploy/files/gard.silvestris.systems.rules.v4
View File

@ -1,10 +0,0 @@
*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type ping -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 5665 -j ACCEPT
COMMIT

19
ubuntu/roles/firewall-ruleset-deploy/files/gard.silvestris.systems.rules.v6
View File

@ -1,19 +0,0 @@
*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
:icmp_in -
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 5665 -j ACCEPT
-A INPUT -p ipv6-icmp -j icmp_in
-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
COMMIT

24
ubuntu/roles/firewall-ruleset-deploy/files/molly.silvestris.systems.rules.v4
View File

@ -1,24 +0,0 @@
*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT DROP
-A INPUT -m set --match-set nasties src -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5665 -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 5665 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p udp -m multiport --dports 67,68 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
COMMIT

31
ubuntu/roles/firewall-ruleset-deploy/files/molly.silvestris.systems.rules.v6
View File

@ -1,31 +0,0 @@
*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT DROP
:icmp_in -
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5665 -j ACCEPT
-A INPUT -p ipv6-icmp -j icmp_in
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A OUTPUT -p ipv6-icmp -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 5665 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
COMMIT

4
ubuntu/roles/firewall-ruleset-deploy/files/netfilter-persistent
View File

@ -1,4 +0,0 @@
# Configuration for netfilter-persistent
# Plugins may extend this file or have their own
FLUSH_ON_STOP=0

12
ubuntu/roles/firewall-ruleset-deploy/files/uriel.silvestris.systems.rules.v4
View File

@ -1,12 +0,0 @@
*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type ping -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 5665 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT

21
ubuntu/roles/firewall-ruleset-deploy/files/uriel.silvestris.systems.rules.v6
View File

@ -1,21 +0,0 @@
*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
:icmp_in -
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 5665 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p ipv6-icmp -j icmp_in
-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A icmp_in -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
COMMIT

13
ubuntu/roles/firewall-ruleset-deploy/handlers/main.yml
View File

@ -1,13 +0,0 @@
---
- name: restart netfilter-persistent-v4
service:
name: netfilter-persistent
state: restarted
enabled: yes
- name: restart netfilter-persistent-v6
service:
name: netfilter-persistent
state: restarted
enabled: yes

31
ubuntu/roles/firewall-ruleset-deploy/tasks/main.yml
View File

@ -1,31 +0,0 @@
---
# This role deploys firewall rulesets to Ubuntu hosts
- name: Make sure iptables and netfilter-persistent are installed
apt:
name: "{{ packages }}"
state: latest
vars:
packages:
- iptables-persistent
- netfilter-persistent
- ipset
- name: Copy defaults file with our mods
copy:
src: netfilter-persistent
dest: /etc/default/netfilter-persistent
- name: Copy IPv4 ruleset
copy:
src: "{{ ansible_fqdn }}.rules.v4"
dest: /etc/iptables/rules.v4
notify:
- restart netfilter-persistent-v4
- name: Copy IPv6 ruleset
copy:
src: "{{ ansible_fqdn }}.rules.v6"
dest: /etc/iptables/rules.v6
notify:
- restart netfilter-persistent-v6

2
ubuntu/roles/icinga-client/files/restart.conf
View File

@ -1,2 +0,0 @@
[Service]
Restart=on-failure

26
ubuntu/roles/icinga-client/tasks/main.yml
View File

@ -1,26 +0,0 @@
---
# This role installs Icinga 2 and the plugins required on a Icinga client nodes
- name: Add Icinga package repository key
apt_key: url="https://packages.icinga.com/icinga.key" state=present
- name: Add Icinga apt repository
apt_repository: repo="deb https://packages.icinga.com/ubuntu icinga-{{ ansible_distribution_release }} main" state=present
- name: Update apt cache and install Icinga packages
apt: name={{ packages }} state=latest update_cache=yes
vars:
packages:
- icinga2
- monitoring-plugins
- name: Ensure icinga2 systemd folder exists
file:
path: /etc/systemd/system/icinga2.service.d/
state: directory
- name: Copy custom icinga2 systemd service file modifications
copy:
src: restart.conf
dest: /etc/systemd/system/icinga2.service.d/restart.conf
- name: Ensure that icinga2 systemd service is enabled
systemd:
name: icinga2
enabled: yes
daemon_reload: yes

31
ubuntu/roles/ipset-deploy/files/erlking.silvestris.systems.ipset
View File

@ -1,31 +0,0 @@
create nasties hash:net family inet hashsize 1024 maxelem 65536
# domaincrawler.com aggressive crawler/bot
add nasties 185.6.8.3/32
add nasties 185.6.8.7/32
# Seekport Crawler, aggressive
add nasties 95.216.172.167/32
# SearchAtlas.com SEO Crawler, doesn't respect robots.txt
add nasties 147.75.106.146/32
# moz.com SEO crawler
add nasties 216.244.66.229/32
# Aspiegel (Huawei) bot range
add nasties 114.119.160.0/21
add nasties 114.119.128.0/19
# Centurybot
add nasties 64.62.202.73/32
# Adsbot
add nasties 216.18.204.0/24
add nasties 173.231.59.0/24
# Unknown crawler, no user agent, doesn't actually respect robots.txt
add nasties 217.160.142.105/32
# MegaIndex.ru Crawler
add nasties 176.9.41.28/32
# AS206728 Media Land LLC, seems to be botnet IPs
add nasties 45.141.84.0/24
add nasties 45.141.85.0/24
add nasties 45.141.86.0/24
add nasties 45.141.87.0/24
add nasties 91.220.163.0/24
add nasties 193.242.153.0/24
add nasties 194.26.29.0/24
add nasties 194.113.209.0/24

15
ubuntu/roles/ipset-deploy/files/ipset.service
View File

@ -1,15 +0,0 @@
[Unit]
Description=Loading IP Sets
Before=network.target
Before=netfilter-persistent.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/sbin/ipset -! -f /etc/ipset.conf restore
ExecReload=/sbin/ipset -! -f /etc/ipset.conf restore
ExecStop=/sbin/ipset flush
[Install]
WantedBy=multi-user.target
RequiredBy=netfilter-persistent.service

49
ubuntu/roles/ipset-deploy/files/molly.silvestris.systems.ipset
View File

@ -1,49 +0,0 @@
create nasties hash:net family inet hashsize 1024 maxelem 65536
# Scrapy bot from University of Milan
add nasties 159.149.133.66/32
# domaincrawler.com aggressive crawler/bot
add nasties 185.6.8.3/32
add nasties 185.6.8.7/32
# infegy data collection
add nasties 173.244.135.0/25
# 1776 Solutions, kiwifarms
add nasties 103.114.191.0/24
# Bytespider crawler, aggressive
add nasties 110.240.0.0/12
add nasties 111.224.0.0/14
add nasties 220.243.128.0/20
# Seekport Crawler, aggressive
add nasties 95.216.172.167/32
# SearchAtlas.com SEO Crawler, doesn't respect robots.txt
add nasties 147.75.106.146/32
# AlkonavtNetwork, Russian spam account creation source
add nasties 5.188.210.0/24
# moz.com SEO crawler
add nasties 216.244.66.229/32
# Aspiegel (Huawei) bot range
add nasties 114.119.160.0/21
add nasties 114.119.128.0/19
# Centurybot
add nasties 64.62.202.73/32
# search.noc.social
add nasties 149.248.4.242/32
# Adsbot
add nasties 216.18.204.0/24
add nasties 173.231.59.0/24
# Unknown crawler, no user agent, doesn't actually respect robots.txt
add nasties 217.160.142.105/32
# MegaIndex.ru Crawler
add nasties 176.9.41.28/32
# Unknown crawler, ignores robots.txt
add nasties 101.200.169.64/32
# AS206728 Media Land LLC, seems to be botnet IPs
add nasties 45.141.84.0/24
add nasties 45.141.85.0/24
add nasties 45.141.86.0/24
add nasties 45.141.87.0/24
add nasties 91.220.163.0/24
add nasties 193.242.153.0/24
add nasties 194.26.29.0/24
add nasties 194.113.209.0/24
# webmeup crawler, doesn't respect robots.txt
add nasties 157.90.177.214/32

3
ubuntu/roles/ipset-deploy/handlers/main.yml
View File

@ -1,3 +0,0 @@
- name: reload systemd
systemd:
daemon_reload: yes

23
ubuntu/roles/ipset-deploy/tasks/main.yml
View File

@ -1,23 +0,0 @@
---
# This role deploys ipset rulesets to Ubuntu hosts
- name: Copy ipset.service
copy:
src: ipset.service
dest: /etc/systemd/system/ipset.service
- name: Enable ipset.service
systemd:
name: ipset
enabled: yes
daemon_reload: yes
- name: Copy ipset rulesets
copy:
src: "{{ ansible_fqdn }}.ipset"
dest: /etc/ipset.conf
- name: Restart ipset service
systemd:
name: ipset
state: restarted

5
ubuntu/roles/mysql/tasks/main.yml
View File

@ -1,5 +0,0 @@
---
- name: Install MySQL server
apt: pkg=mysql-server state=latest
- name: Start MySQL daemon and ensure it starts on boot
service: name=mysql state=started enabled=yes

5
ubuntu/roles/package-update/tasks/main.yml
View File

@ -1,5 +0,0 @@
---
# This role updates packages and performs autoremove
- name: Update apt cache and then packages with autoremove
apt: update_cache=yes upgrade=safe autoremove=yes

9
ubuntu/roles/pgbackrest-install/files/pgbackrest
View File

@ -1,9 +0,0 @@
/var/log/pgbackrest/*.log {
daily
missingok
rotate 7
compress
delaycompress
notifempty
create 640 postgres postgres
}

39
ubuntu/roles/pgbackrest-install/tasks/main.yml
View File

@ -1,39 +0,0 @@
---
# This task installs pgbackrest on a host
- name: Copy pgbackrest binary to host
copy:
src: /builds/pgbackrest-release-2.44/src/pgbackrest
dest: /usr/bin/pgbackrest
mode: '0755'
- name: Make sure Perl is installed
apt:
name: perl
state: latest
- name: Make pgbackrest log directory with the correct permissions
file:
path: /var/log/pgbackrest
state: directory
owner: postgres
group: postgres
mode: '0770'
- name: Make pgbackrest config directory
file:
path: /etc/pgbackrest/conf.d
state: directory
- name: Touch pgbackrest.conf
file:
path: /etc/pgbackrest/pgbackrest.conf
state: touch
owner: postgres
group: postgres
mode: '0640'
- name: Copy pgbackrest logrotate configuration
copy:
src: pgbackrest
dest: /etc/logrotate.d/pgbackrest

16
ubuntu/roles/php/tasks/main.yml
View File

@ -1,16 +0,0 @@
---
- name: Install PHP libraries
apt: pkg={{ item }} state=latest
with_items:
- php-mysql
- php-xml
- php-gd
- name: Install php-fpm
apt: pkg=php-fpm state=latest
- name: Start PHP-FPM daemon, and make sure it is started on boot
when: ansible_distribution_release == 'xenial'
service: name=php7.0-fpm state=started enabled=yes
- name: Start PHP-FPM daemon, and make sure it is started on boot
when: ansible_distribution_release == 'bionic'
service: name=php7.2-fpm state=started enabled=yes

1
ubuntu/roles/ssh-enforcement/files/authorized_keys
View File

@ -1 +0,0 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC2DmG7640FmD9QDLDrydiU5kmhJM/ScKOhhHPYndWEdFGMmfnJpqyoPOq5a6cDwLAFyl6ALTjVr6+y4U2hqHmqIs/ds9SeiNzOnPsMUp1DkuVoNyH4WekaA9oXgsb9ZCjHSXB+W3rOgvGYTAuC8GyLYGppInrd6+OKoyZtgx01JYAatfSWGncerNw+x8LiQaF+o62cCDq+3OpyZBbGpLg/wNMtg/Wsaton7fwo2hi8lOkQjzJZPUvPaOcpezK9SLXExyUl+oIcMmGqmExHpXwhA8+TuwbeM5XXT5RJCOw4c2WlMTb93FmdCjtXtInUYc/M80SftdLPokmbzc7uWDV+PX5XVoQCp7JiYS92gkAdlv8aeNMzpbGvd9uUjGKm08dh1aT76I9b9O4sA+vL2PwW2lKdsesksiseF92446kqvOEumB/wh+7yd1N9yOS3Vggasl2iEYgbNiDoCqyXnH6GSHkdxr9CwAyuWy5vmqR5zdV1UsQnRzECrQIFbJpFU98rLfuRM1L9qN4kqxuciv+DAPRm17WAhrjhoZL5xh5+t8TfaO+7qMmjvNO1oRbeTkM0JqdlvcvTUFB7sxDIPuCySIMfi2KTTUpk0i9HHRfJrOr1K02VvwKC302GkFnVEDYKPlXivoI6i1bLaubSZHqDIgUuZeGLTXhG47ner6dMKw== Network Management

26
ubuntu/roles/ssh-enforcement/files/sshd_config
View File

@ -1,26 +0,0 @@
# Supported HostKey algorithms by order of preference.
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
# Password based logins are disabled - only public key based logins are allowed.
AuthenticationMethods publickey
# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
LogLevel VERBOSE
# Log sftp level file access (read/write/etc.) that would not be easily logged otherwise.
Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
# Some of the Debian specific options sans X11 Forwarding
# X11 Forwarding is turned off because we don't run X11 on servers
ChallengeResponseAuthentication no
PrintMotd no
AcceptEnv LANG LC_*
UsePAM yes

5
ubuntu/roles/ssh-enforcement/handlers/main.yml
View File

@ -1,5 +0,0 @@
- name: restart sshd
service:
name: ssh
state: restarted
enabled: yes

15
ubuntu/roles/ssh-enforcement/tasks/main.yml
View File

@ -1,15 +0,0 @@
---
# This task enforces our OpenSSH server config and authorized_keys for
# cloud servers
- name: Copy our authorized_keys
copy:
src: authorized_keys
dest: /root/.ssh/authorized_keys
- name: Copy our sshd_config
copy:
src: sshd_config
dest: /etc/ssh/sshd_config
notify:
- restart sshd

19
ubuntu/roles/turn-off-motd-news/files/motd-news
View File

@ -1,19 +0,0 @@
# Enable/disable the dynamic MOTD news service
# This is a useful way to provide dynamic, informative
# information pertinent to the users and administrators
# of the local system
ENABLED=0
# Configure the source of dynamic MOTD news
# White space separated list of 0 to many news services
# For security reasons, these must be https
# and have a valid certificate
# Canonical runs a service at motd.ubuntu.com, and you
# can easily run one too
URLS="https://motd.ubuntu.com"
# Specify the time in seconds, you're willing to wait for
# dynamic MOTD news
# Note that news messages are fetched in the background by
# a systemd timer, so this should never block boot or login
WAIT=5

12
ubuntu/roles/turn-off-motd-news/tasks/main.yml
View File

@ -1,12 +0,0 @@
---
# This role turns off the MOTD news in Ubuntu 18.04
- name: Copy motd-news file
when: ansible_distribution_release == 'bionic' or ansible_distribution_release == 'focal'
copy:
src: motd-news
dest: /etc/default/motd-news
owner: root
group: root
mode: 0644
backup: yes

12
ubuntu/roles/webservers-nginx/files/0-catch-all Normal file
View File

@ -0,0 +1,12 @@
# This file is a nginx catch-all vhost, probably put here in an automated
# fashion.
server {
listen 80;
listen [::]:80 ipv6only=on;
server_name _; # This is just an invalid value which will never trigger on a real hostname.
access_log /var/log/nginx/default.access.log;
index index.html;
server_name_in_redirect off;
root /srv/www/catch-all;
}

11
ubuntu/roles/webservers-nginx/files/cloudflare.conf Normal file
View File

@ -0,0 +1,11 @@
# Cloudflare
set_real_ip_from 204.93.240.0/24;
set_real_ip_from 204.93.177.0/24;
set_real_ip_from 199.27.128.0/21;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;
real_ip_header CF-Connecting-IP;

63
ubuntu/roles/webservers-nginx/files/nginx.conf Normal file
View File

@ -0,0 +1,63 @@
user www-data;
worker_processes auto;
pid /var/run/nginx.pid;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 70;
types_hash_max_size 2048;
server_tokens off;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
# Upstream to abstract backend connection(s) for PHP.
upstream php {
# server unix:/tmp/php-fpm.sock;
server 127.0.0.1:9000;
}
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}

14
ubuntu/roles/webservers-nginx/files/php-generic.conf Normal file
View File

@ -0,0 +1,14 @@
index index.php index.html index.htm;
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass php;
fastcgi_index index.php;
}

23
ubuntu/roles/webservers-nginx/files/security-generic.conf Normal file
View File

@ -0,0 +1,23 @@
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Directives to send expires headers and turn off 404 error logging.
location ~* \.(js|css|png|jpg|jpeg|gif|ico|html)$ {
expires 24h;
}
# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}

39
ubuntu/roles/webservers-nginx/files/wordpress-generic.conf Normal file
View File

@ -0,0 +1,39 @@
# WordPress single blog rules.
# Designed to be included in any server {} block.
# This order might seem weird - this is attempted to match last if rules below fail.
# http://wiki.nginx.org/HttpCoreModule
location / {
try_files $uri $uri/ /index.php?$args;
}
# Add trailing slash to */wp-admin requests.
rewrite /wp-admin$ $scheme://$host$uri/ permanent;
# Directives to send expires headers and turn off 404 error logging.
location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
expires 24h;
}
# Uncomment one of the lines below for the appropriate caching plugin (if used).
#include global/wordpress-supercache.conf;
#include global/wordpress-w3cache.conf;
# Pass all .php files onto a php-fpm/php-fcgi server.
location ~ \.php$ {
# Zero-day exploit defense.
# http://forum.nginx.org/read.php?2,88845,page=3
# Won't work properly (404 error) if the file is not stored on this server, which is entirely possible with php-fpm/php-fcgi.
# Comment the 'try_files' line out if you set up php-fpm/php-fcgi on another machine. And then cross your fingers that you won't get hacked.
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
#NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
include fastcgi_params;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
# fastcgi_intercept_errors on;
fastcgi_pass php;
}

34
ubuntu/roles/webservers-nginx/files/wordpress-security.conf Normal file
View File

@ -0,0 +1,34 @@
# Global restrictions configuration file.
# Designed to be included in any server {} block.</p>
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}
# Deny access to any files with a .php extension in the uploads directory
location ~* ^/wp-content/uploads/.*.php$ {
deny all;
access_log off;
log_not_found off;
}
# Deny access to any files with a .php extension in the uploads directory for multisite
location ~* /files/(.*).php$ {
deny all;
access_log off;
log_not_found off;
}

3
ubuntu/roles/webservers-nginx/handlers/main.yml Normal file
View File

@ -0,0 +1,3 @@
---
- name: start nginx
service: name=nginx state=started

31
ubuntu/roles/webservers-nginx/tasks/main.yml Normal file
View File

@ -0,0 +1,31 @@
---
- name: Install nginx package
apt: pkg=nginx state=latest
- name: Stop nginx for now and also make it start on boot
service: name=nginx state=stopped enabled=yes
- name: Make nginx related dirs
file: path={{ item }} state=directory
with_items:
- /etc/nginx/global
- /etc/nginx/sites-available
- /etc/nginx/sites-enabled
- /srv/www/catch-all
- name: Clean out default vhost file in enabled and available dirs
file: path={{ item }} state=absent
with_items:
- /etc/nginx/sites-enabled/default
- /etc/nginx/sites-available/default
- name: Copy over all nginx configuration files
copy: src={{ item.name }} dest={{ item.dir }}
with_items:
- { name: 'nginx.conf', dir: '/etc/nginx/nginx.conf' }
- { name: '0-catch-all', dir: '/etc/nginx/sites-available/0-catch-all' }
- { name: 'cloudflare.conf', dir: '/etc/nginx/global/cloudflare.conf' }
- { name: 'php-generic.conf', dir: '/etc/nginx/global/php-generic.conf' }
- { name: 'security-generic.conf', dir: '/etc/nginx/global/security-generic.conf' }
- { name: 'wordpress-generic.conf', dir: '/etc/nginx/global/wordpress-generic.conf' }
- { name: 'wordpress-security.conf', dir: '/etc/nginx/global/wordpress-security.conf' }
- name: Symlink the default catch-all vhost
file: src=/etc/nginx/sites-available/0-catch-all dest=/etc/nginx/sites-enabled/0-catch-all state=link
notify:
- start nginx

47
ubuntu/sanya.silvestris.systems.yml
View File

@ -1,47 +0,0 @@
---
- hosts: sanya.silvestris.systems
roles:
- role: jdauphant.nginx
nginx_user: "www-data"
nginx_events_params:
- worker_connections 1024
nginx_http_params:
- sendfile "on"
- server_names_hash_bucket_size 512
nginx_sites:
git.packetcat.ca.http:
- listen *:80
- listen [::]:80
- server_name git.packetcat.ca
- return 301 "https://$host$request_uri"
git.packetcat.ca.https:
- listen *:443 ssl http2
- listen [::]:443 ssl http2
- server_name git.packetcat.ca
- access_log "/var/log/nginx/git.packetcat.ca.access.log"
- error_log "/var/log/nginx/git.packetcat.ca.error.log"
- ssl_certificate "/etc/ssl/letsencrypt/git.packetcat.ca.crt"
- ssl_certificate_key "/etc/ssl/letsencrypt/git.packetcat.ca.pem"
- ssl_stapling on
- resolver [::1] valid=300s
- add_header Strict-Transport-Security max-age=31536000
- location / {
proxy_pass http://127.0.0.1:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
nginx_configs:
gzip:
- gzip on
- gzip_disable msie6
- gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript
ssl:
- ssl_protocols TLSv1.2 TLSv1.3
- ssl_prefer_server_ciphers on
- ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'
- ssl_session_timeout 1d
- ssl_session_cache shared:SSL:50m
- ssl_session_tickets off

27
ubuntu/site.yml
View File

@ -1,12 +1,29 @@
---
- name: apply common configuration to all nodes
hosts: unsetup
hosts: all
user: root
roles:
- common
- turn-off-motd-news
- apt-maintenance
- ssh-enforcement
- disable-rpcbind
- name: apply configuration to web servers (nginx)
hosts: webservers-nginx
user: root
roles:
- webservers-nginx
- name: apply configuration to PHP app servers
hosts: appservers-php
user: root
roles:
- appservers-php
- name: apply configuration to uwsgi app servers
hosts: appservers-uwsgi
user: root
roles:
- appservers-uwsgi

7
ubuntu/ssh-enforcement.yml
View File

@ -1,7 +0,0 @@
---
- name: SSH Enforcement
hosts: cloud
user: root
roles:
- ssh-enforcement