add ansible role for the webserver
This commit is contained in:
parent
48599f17f4
commit
a220f143ef
|
@ -0,0 +1,346 @@
|
|||
# config file for ansible -- http://ansible.com/
|
||||
# ==============================================
|
||||
|
||||
# nearly all parameters can be overridden in ansible-playbook
|
||||
# or with command line flags. ansible will read ANSIBLE_CONFIG,
|
||||
# ansible.cfg in the current working directory, .ansible.cfg in
|
||||
# the home directory or /etc/ansible/ansible.cfg, whichever it
|
||||
# finds first
|
||||
|
||||
[defaults]
|
||||
|
||||
# some basic default values...
|
||||
|
||||
inventory = inventories/hosts
|
||||
library = my_modules/
|
||||
#remote_tmp = $HOME/.ansible/tmp
|
||||
#local_tmp = $HOME/.ansible/tmp
|
||||
#forks = 5
|
||||
#poll_interval = 15
|
||||
#sudo_user = root
|
||||
#ask_sudo_pass = True
|
||||
#ask_pass = True
|
||||
#transport = smart
|
||||
#remote_port = 22
|
||||
#module_lang = C
|
||||
#module_set_locale = True
|
||||
|
||||
# plays will gather facts by default, which contain information about
|
||||
# the remote system.
|
||||
#
|
||||
# smart - gather by default, but don't regather if already gathered
|
||||
# implicit - gather by default, turn off with gather_facts: False
|
||||
# explicit - do not gather by default, must say gather_facts: True
|
||||
#gathering = implicit
|
||||
|
||||
# by default retrieve all facts subsets
|
||||
# all - gather all subsets
|
||||
# network - gather min and network facts
|
||||
# hardware - gather hardware facts (longest facts to retrieve)
|
||||
# virtual - gather min and virtual facts
|
||||
# facter - import facts from facter
|
||||
# ohai - import facts from ohai
|
||||
# You can combine them using comma (ex: network,virtual)
|
||||
# You can negate them using ! (ex: !hardware,!facter,!ohai)
|
||||
# A minimal set of facts is always gathered.
|
||||
#gather_subset = all
|
||||
|
||||
# additional paths to search for roles in, colon separated
|
||||
roles_path = roles
|
||||
|
||||
# uncomment this to disable SSH key host checking
|
||||
host_key_checking = False
|
||||
|
||||
# change the default callback
|
||||
#stdout_callback = skippy
|
||||
# enable additional callbacks
|
||||
#callback_whitelist = timer, mail
|
||||
|
||||
# Determine whether includes in tasks and handlers are "static" by
|
||||
# default. As of 2.0, includes are dynamic by default. Setting these
|
||||
# values to True will make includes behave more like they did in the
|
||||
# 1.x versions.
|
||||
#task_includes_static = True
|
||||
#handler_includes_static = True
|
||||
|
||||
# change this for alternative sudo implementations
|
||||
#sudo_exe = sudo
|
||||
|
||||
# What flags to pass to sudo
|
||||
# WARNING: leaving out the defaults might create unexpected behaviours
|
||||
#sudo_flags = -H -S -n
|
||||
|
||||
# SSH timeout
|
||||
#timeout = 10
|
||||
|
||||
# default user to use for playbooks if user is not specified
|
||||
# (/usr/bin/ansible will use current user as default)
|
||||
remote_user = ansible
|
||||
|
||||
# logging is off by default unless this path is defined
|
||||
# if so defined, consider logrotate
|
||||
#log_path = /home/andreas/ansible.log
|
||||
|
||||
# default module name for /usr/bin/ansible
|
||||
#module_name = command
|
||||
|
||||
# use this shell for commands executed under sudo
|
||||
# you may need to change this to bin/bash in rare instances
|
||||
# if sudo is constrained
|
||||
#executable = /bin/sh
|
||||
|
||||
# if inventory variables overlap, does the higher precedence one win
|
||||
# or are hash values merged together? The default is 'replace' but
|
||||
# this can also be set to 'merge'.
|
||||
#hash_behaviour = replace
|
||||
|
||||
# by default, variables from roles will be visible in the global variable
|
||||
# scope. To prevent this, the following option can be enabled, and only
|
||||
# tasks and handlers within the role will see the variables there
|
||||
#private_role_vars = yes
|
||||
|
||||
# list any Jinja2 extensions to enable here:
|
||||
#jinja2_extensions = jinja2.ext.do,jinja2.ext.i18n
|
||||
|
||||
# if set, always use this private key file for authentication, same as
|
||||
# if passing --private-key to ansible or ansible-playbook
|
||||
private_key_file = keys/ansible.key
|
||||
|
||||
# If set, configures the path to the Vault password file as an alternative to
|
||||
# specifying --vault-password-file on the command line.
|
||||
#vault_password_file = /path/to/vault_password_file
|
||||
|
||||
# format of string {{ ansible_managed }} available within Jinja2
|
||||
# templates indicates to users editing templates files will be replaced.
|
||||
# replacing {file}, {host} and {uid} and strftime codes with proper values.
|
||||
#ansible_managed = Ansible managed: {file} modified on %Y-%m-%d %H:%M:%S by {uid} on {host}
|
||||
# This short version is better used in templates as it won't flag the file as changed every run.
|
||||
#ansible_managed = Ansible managed: {file} on {host}
|
||||
|
||||
# by default, ansible-playbook will display "Skipping [host]" if it determines a task
|
||||
# should not be run on a host. Set this to "False" if you don't want to see these "Skipping"
|
||||
# messages. NOTE: the task header will still be shown regardless of whether or not the
|
||||
# task is skipped.
|
||||
#display_skipped_hosts = True
|
||||
|
||||
# by default, if a task in a playbook does not include a name: field then
|
||||
# ansible-playbook will construct a header that includes the task's action but
|
||||
# not the task's args. This is a security feature because ansible cannot know
|
||||
# if the *module* considers an argument to be no_log at the time that the
|
||||
# header is printed. If your environment doesn't have a problem securing
|
||||
# stdout from ansible-playbook (or you have manually specified no_log in your
|
||||
# playbook on all of the tasks where you have secret information) then you can
|
||||
# safely set this to True to get more informative messages.
|
||||
#display_args_to_stdout = False
|
||||
|
||||
# by default (as of 1.3), Ansible will raise errors when attempting to dereference
|
||||
# Jinja2 variables that are not set in templates or action lines. Uncomment this line
|
||||
# to revert the behavior to pre-1.3.
|
||||
#error_on_undefined_vars = False
|
||||
|
||||
# by default (as of 1.6), Ansible may display warnings based on the configuration of the
|
||||
# system running ansible itself. This may include warnings about 3rd party packages or
|
||||
# other conditions that should be resolved if possible.
|
||||
# to disable these warnings, set the following value to False:
|
||||
#system_warnings = True
|
||||
|
||||
# by default (as of 1.4), Ansible may display deprecation warnings for language
|
||||
# features that should no longer be used and will be removed in future versions.
|
||||
# to disable these warnings, set the following value to False:
|
||||
#deprecation_warnings = True
|
||||
|
||||
# (as of 1.8), Ansible can optionally warn when usage of the shell and
|
||||
# command module appear to be simplified by using a default Ansible module
|
||||
# instead. These warnings can be silenced by adjusting the following
|
||||
# setting or adding warn=yes or warn=no to the end of the command line
|
||||
# parameter string. This will for example suggest using the git module
|
||||
# instead of shelling out to the git command.
|
||||
# command_warnings = False
|
||||
|
||||
|
||||
# set plugin path directories here, separate with colons
|
||||
#action_plugins = /usr/share/ansible/plugins/action
|
||||
#callback_plugins = /usr/share/ansible/plugins/callback
|
||||
#connection_plugins = /usr/share/ansible/plugins/connection
|
||||
#lookup_plugins = /usr/share/ansible/plugins/lookup
|
||||
#vars_plugins = /usr/share/ansible/plugins/vars
|
||||
#filter_plugins = /usr/share/ansible/plugins/filter
|
||||
#test_plugins = /usr/share/ansible/plugins/test
|
||||
#strategy_plugins = /usr/share/ansible/plugins/strategy
|
||||
|
||||
# by default callbacks are not loaded for /bin/ansible, enable this if you
|
||||
# want, for example, a notification or logging callback to also apply to
|
||||
# /bin/ansible runs
|
||||
#bin_ansible_callbacks = False
|
||||
|
||||
|
||||
# don't like cows? that's unfortunate.
|
||||
# set to 1 if you don't want cowsay support or export ANSIBLE_NOCOWS=1
|
||||
#nocows = 1
|
||||
|
||||
# set which cowsay stencil you'd like to use by default. When set to 'random',
|
||||
# a random stencil will be selected for each task. The selection will be filtered
|
||||
# against the `cow_whitelist` option below.
|
||||
#cow_selection = default
|
||||
#cow_selection = random
|
||||
|
||||
# when using the 'random' option for cowsay, stencils will be restricted to this list.
|
||||
# it should be formatted as a comma-separated list with no spaces between names.
|
||||
# NOTE: line continuations here are for formatting purposes only, as the INI parser
|
||||
# in python does not support them.
|
||||
#cow_whitelist=bud-frogs,bunny,cheese,daemon,default,dragon,elephant-in-snake,elephant,eyes,\
|
||||
# hellokitty,kitty,luke-koala,meow,milk,moofasa,moose,ren,sheep,small,stegosaurus,\
|
||||
# stimpy,supermilker,three-eyes,turkey,turtle,tux,udder,vader-koala,vader,www
|
||||
|
||||
# don't like colors either?
|
||||
# set to 1 if you don't want colors, or export ANSIBLE_NOCOLOR=1
|
||||
#nocolor = 1
|
||||
|
||||
# if set to a persistent type (not 'memory', for example 'redis') fact values
|
||||
# from previous runs in Ansible will be stored. This may be useful when
|
||||
# wanting to use, for example, IP information from one group of servers
|
||||
# without having to talk to them in the same playbook run to get their
|
||||
# current IP information.
|
||||
#fact_caching = memory
|
||||
|
||||
|
||||
# retry files
|
||||
# When a playbook fails by default a .retry file will be created in ~/
|
||||
# You can disable this feature by setting retry_files_enabled to False
|
||||
# and you can change the location of the files by setting retry_files_save_path
|
||||
|
||||
retry_files_enabled = False
|
||||
#retry_files_save_path = ~/.ansible-retry
|
||||
|
||||
# squash actions
|
||||
# Ansible can optimise actions that call modules with list parameters
|
||||
# when looping. Instead of calling the module once per with_ item, the
|
||||
# module is called once with all items at once. Currently this only works
|
||||
# under limited circumstances, and only with parameters named 'name'.
|
||||
#squash_actions = apk,apt,dnf,package,pacman,pkgng,yum,zypper
|
||||
|
||||
# prevents logging of task data, off by default
|
||||
#no_log = False
|
||||
|
||||
# prevents logging of tasks, but only on the targets, data is still logged on the master/controller
|
||||
#no_target_syslog = False
|
||||
|
||||
# controls whether Ansible will raise an error or warning if a task has no
|
||||
# choice but to create world readable temporary files to execute a module on
|
||||
# the remote machine. This option is False by default for security. Users may
|
||||
# turn this on to have behaviour more like Ansible prior to 2.1.x. See
|
||||
# https://docs.ansible.com/ansible/become.html#becoming-an-unprivileged-user
|
||||
# for more secure ways to fix this than enabling this option.
|
||||
#allow_world_readable_tmpfiles = False
|
||||
|
||||
# controls the compression level of variables sent to
|
||||
# worker processes. At the default of 0, no compression
|
||||
# is used. This value must be an integer from 0 to 9.
|
||||
#var_compression_level = 9
|
||||
|
||||
# controls what compression method is used for new-style ansible modules when
|
||||
# they are sent to the remote system. The compression types depend on having
|
||||
# support compiled into both the controller's python and the client's python.
|
||||
# The names should match with the python Zipfile compression types:
|
||||
# * ZIP_STORED (no compression. available everywhere)
|
||||
# * ZIP_DEFLATED (uses zlib, the default)
|
||||
# These values may be set per host via the ansible_module_compression inventory
|
||||
# variable
|
||||
#module_compression = 'ZIP_DEFLATED'
|
||||
|
||||
# This controls the cutoff point (in bytes) on --diff for files
|
||||
# set to 0 for unlimited (RAM may suffer!).
|
||||
#max_diff_size = 1048576
|
||||
|
||||
[privilege_escalation]
|
||||
#become=True
|
||||
#become_method=sudo
|
||||
#become_user=root
|
||||
#become_ask_pass=False
|
||||
|
||||
[paramiko_connection]
|
||||
|
||||
# uncomment this line to cause the paramiko connection plugin to not record new host
|
||||
# keys encountered. Increases performance on new host additions. Setting works independently of the
|
||||
# host key checking setting above.
|
||||
#record_host_keys=False
|
||||
|
||||
# by default, Ansible requests a pseudo-terminal for commands executed under sudo. Uncomment this
|
||||
# line to disable this behaviour.
|
||||
#pty=False
|
||||
|
||||
[ssh_connection]
|
||||
|
||||
# ssh arguments to use
|
||||
# Leaving off ControlPersist will result in poor performance, so use
|
||||
# paramiko on older platforms rather than removing it
|
||||
#ssh_args = -o ControlMaster=auto -o ControlPersist=60s
|
||||
|
||||
# The path to use for the ControlPath sockets. This defaults to
|
||||
# "%(directory)s/ansible-ssh-%%h-%%p-%%r", however on some systems with
|
||||
# very long hostnames or very long path names (caused by long user names or
|
||||
# deeply nested home directories) this can exceed the character limit on
|
||||
# file socket names (108 characters for most platforms). In that case, you
|
||||
# may wish to shorten the string below.
|
||||
#
|
||||
# Example:
|
||||
# control_path = %(directory)s/%%h-%%r
|
||||
#control_path = %(directory)s/ansible-ssh-%%h-%%p-%%r
|
||||
|
||||
# Enabling pipelining reduces the number of SSH operations required to
|
||||
# execute a module on the remote server. This can result in a significant
|
||||
# performance improvement when enabled, however when using "sudo:" you must
|
||||
# first disable 'requiretty' in /etc/sudoers
|
||||
#
|
||||
# By default, this option is disabled to preserve compatibility with
|
||||
# sudoers configurations that have requiretty (the default on many distros).
|
||||
#
|
||||
#pipelining = False
|
||||
|
||||
# if True, make ansible use scp if the connection type is ssh
|
||||
# (default is sftp)
|
||||
#scp_if_ssh = True
|
||||
|
||||
# if False, sftp will not use batch mode to transfer files. This may cause some
|
||||
# types of file transfer failures impossible to catch however, and should
|
||||
# only be disabled if your sftp version has problems with batch mode
|
||||
#sftp_batch_mode = False
|
||||
|
||||
[accelerate]
|
||||
#accelerate_port = 5099
|
||||
#accelerate_timeout = 30
|
||||
#accelerate_connect_timeout = 5.0
|
||||
|
||||
# The daemon timeout is measured in minutes. This time is measured
|
||||
# from the last activity to the accelerate daemon.
|
||||
#accelerate_daemon_timeout = 30
|
||||
|
||||
# If set to yes, accelerate_multi_key will allow multiple
|
||||
# private keys to be uploaded to it, though each user must
|
||||
# have access to the system via SSH to add a new key. The default
|
||||
# is "no".
|
||||
#accelerate_multi_key = yes
|
||||
|
||||
[selinux]
|
||||
# file systems that require special treatment when dealing with security context
|
||||
# the default behaviour that copies the existing context or uses the user default
|
||||
# needs to be changed to use the file system dependent context.
|
||||
#special_context_filesystems=nfs,vboxsf,fuse,ramfs
|
||||
|
||||
# Set this to yes to allow libvirt_lxc connections to work without SELinux.
|
||||
#libvirt_lxc_noseclabel = yes
|
||||
|
||||
[colors]
|
||||
#highlight = white
|
||||
#verbose = blue
|
||||
#warn = bright purple
|
||||
#error = red
|
||||
#debug = dark gray
|
||||
#deprecate = purple
|
||||
#skip = cyan
|
||||
#unreachable = red
|
||||
#ok = green
|
||||
#changed = yellow
|
||||
#diff_add = green
|
||||
#diff_remove = red
|
||||
#diff_lines = cyan
|
|
@ -0,0 +1,5 @@
|
|||
[webserver]
|
||||
webtech.2li.local
|
||||
|
||||
[rebootable:children]
|
||||
webserver
|
|
@ -0,0 +1,13 @@
|
|||
---
|
||||
- name: reconfigure tzdata
|
||||
command: dpkg-reconfigure -f noninteractive tzdata
|
||||
remote_user: ansible
|
||||
notify: Restart NTP service
|
||||
|
||||
- name: Restart NTP service
|
||||
remote_user: ansible
|
||||
service: name=ntp state=restarted
|
||||
|
||||
- name: rebuild locales
|
||||
remote_user: ansible
|
||||
command: /usr/sbin/locale-gen
|
|
@ -0,0 +1,52 @@
|
|||
# System Upgrade and package installation
|
||||
- include: tasks/apt_update_cache.yml
|
||||
- include: tasks/apt_distupgrade.yml
|
||||
- include: tasks/apt_install.yml
|
||||
|
||||
# User configuration
|
||||
- name: Lock root user
|
||||
command: passwd -l root
|
||||
|
||||
- name: Add deploy user
|
||||
user: name={{ deploy_user_name }} shell=/bin/bash password=123456789
|
||||
|
||||
- name: Add deploy user to sudoers
|
||||
lineinfile: "dest=/etc/sudoers
|
||||
regexp='{{ deploy_user_name }} ALL'
|
||||
line='{{ deploy_user_name }} ALL=(ALL) NOPASSWD: ALL'
|
||||
state=present"
|
||||
|
||||
- include: tasks/ufw_tcp.yml
|
||||
|
||||
- name: Copy over the sshd_config file
|
||||
template: src=sshd_config.j2 dest=/etc/ssh/sshd_config owner=root group=root
|
||||
|
||||
- name: Copy over the timezone file
|
||||
template: src=timezone.j2 dest=/etc/timezone owner=root group=root
|
||||
notify: reconfigure tzdata
|
||||
|
||||
- name: Copy over the 20auto-upgrades file
|
||||
template: src=20auto-upgrades.j2
|
||||
dest=/etc/apt/apt.conf.d/20auto-upgrades
|
||||
owner=root
|
||||
group=root
|
||||
|
||||
- name: Copy over the 50unattended-upgrades file
|
||||
template: src=50unattended-upgrades.j2
|
||||
dest=/etc/apt/apt.conf.d/50unattended-upgrades
|
||||
owner=root
|
||||
group=root
|
||||
|
||||
- name: update locales
|
||||
lineinfile:
|
||||
dest: /etc/locale.gen
|
||||
regexp: "{{ item.regexp }}"
|
||||
line: "{{ item.line }}"
|
||||
state: "{{ item.state }}"
|
||||
with_items:
|
||||
- { regexp: '^#? ?en_GB.UTF-8 UTF-8', line: 'en_GB.UTF-8 UTF-8', state: present }
|
||||
notify:
|
||||
- rebuild locales
|
||||
|
||||
- name: restart ssh
|
||||
service: name=ssh state=restarted
|
|
@ -0,0 +1,3 @@
|
|||
APT::Periodic::Update-Package-Lists "1";
|
||||
APT::Periodic::Unattended-Upgrade "1";
|
||||
APT::Periodic::Verbose "2";
|
|
@ -0,0 +1,92 @@
|
|||
// Unattended-Upgrade::Origins-Pattern controls which packages are
|
||||
// upgraded.
|
||||
//
|
||||
// Lines below have the format format is "keyword=value,...". A
|
||||
// package will be upgraded only if the values in its metadata match
|
||||
// all the supplied keywords in a line. (In other words, omitted
|
||||
// keywords are wild cards.) The keywords originate from the Release
|
||||
// file, but several aliases are accepted. The accepted keywords are:
|
||||
// a,archive,suite (eg, "stable")
|
||||
// c,component (eg, "main", "crontrib", "non-free")
|
||||
// l,label (eg, "Debian", "Debian-Security")
|
||||
// o,origin (eg, "Debian", "Unofficial Multimedia Packages")
|
||||
// n,codename (eg, "jessie", "jessie-updates")
|
||||
// site (eg, "http.debian.net")
|
||||
// The available values on the system are printed by the command
|
||||
// "apt-cache policy", and can be debugged by running
|
||||
// "unattended-upgrades -d" and looking at the log file.
|
||||
//
|
||||
// Within lines unattended-upgrades allows 2 macros whose values are
|
||||
// derived from /etc/debian_version:
|
||||
// ${distro_id} Installed origin.
|
||||
// ${distro_codename} Installed codename (eg, "jessie")
|
||||
Unattended-Upgrade::Origins-Pattern {
|
||||
// Codename based matching:
|
||||
// This will follow the migration of a release through different
|
||||
// archives (e.g. from testing to stable and later oldstable).
|
||||
// "o=Debian,n=jessie";
|
||||
// "o=Debian,n=jessie-updates";
|
||||
// "o=Debian,n=jessie-proposed-updates";
|
||||
// "o=Debian,n=jessie,l=Debian-Security";
|
||||
|
||||
// Archive or Suite based matching:
|
||||
// Note that this will silently match a different release after
|
||||
// migration to the specified archive (e.g. testing becomes the
|
||||
// new stable).
|
||||
// "o=Debian,a=stable";
|
||||
// "o=Debian,a=stable-updates";
|
||||
// "o=Debian,a=proposed-updates";
|
||||
"origin=Debian,codename=${distro_codename},label=Debian-Security";
|
||||
};
|
||||
|
||||
// List of packages to not update (regexp are supported)
|
||||
Unattended-Upgrade::Package-Blacklist {
|
||||
// "vim";
|
||||
// "libc6";
|
||||
// "libc6-dev";
|
||||
// "libc6-i686";
|
||||
};
|
||||
|
||||
// This option allows you to control if on a unclean dpkg exit
|
||||
// unattended-upgrades will automatically run
|
||||
// dpkg --force-confold --configure -a
|
||||
// The default is true, to ensure updates keep getting installed
|
||||
//Unattended-Upgrade::AutoFixInterruptedDpkg "false";
|
||||
|
||||
// Split the upgrade into the smallest possible chunks so that
|
||||
// they can be interrupted with SIGUSR1. This makes the upgrade
|
||||
// a bit slower but it has the benefit that shutdown while a upgrade
|
||||
// is running is possible (with a small delay)
|
||||
//Unattended-Upgrade::MinimalSteps "true";
|
||||
|
||||
// Install all unattended-upgrades when the machine is shuting down
|
||||
// instead of doing it in the background while the machine is running
|
||||
// This will (obviously) make shutdown slower
|
||||
//Unattended-Upgrade::InstallOnShutdown "true";
|
||||
|
||||
// Send email to this address for problems or packages upgrades
|
||||
// If empty or unset then no email is sent, make sure that you
|
||||
// have a working mail setup on your system. A package that provides
|
||||
// 'mailx' must be installed. E.g. "user@example.com"
|
||||
Unattended-Upgrade::Mail "root";
|
||||
|
||||
// Set this value to "true" to get emails only on errors. Default
|
||||
// is to always send a mail if Unattended-Upgrade::Mail is set
|
||||
//Unattended-Upgrade::MailOnlyOnError "true";
|
||||
|
||||
// Do automatic removal of new unused dependencies after the upgrade
|
||||
// (equivalent to apt-get autoremove)
|
||||
//Unattended-Upgrade::Remove-Unused-Dependencies "false";
|
||||
|
||||
// Automatically reboot *WITHOUT CONFIRMATION* if
|
||||
// the file /var/run/reboot-required is found after the upgrade
|
||||
//Unattended-Upgrade::Automatic-Reboot "false";
|
||||
|
||||
// If automatic reboot is enabled and needed, reboot at the specific
|
||||
// time instead of immediately
|
||||
// Default: "now"
|
||||
//Unattended-Upgrade::Automatic-Reboot-Time "02:00";
|
||||
|
||||
// Use apt bandwidth limit feature, this example limits the download
|
||||
// speed to 70kb/sec
|
||||
//Acquire::http::Dl-Limit "70";
|
|
@ -0,0 +1,6 @@
|
|||
[apt]
|
||||
frontend=pager
|
||||
email_address=root
|
||||
confirm=0
|
||||
save_seen=/var/lib/apt/listchanges.db
|
||||
which=news
|
|
@ -0,0 +1,93 @@
|
|||
# Package generated configuration file
|
||||
# See the sshd_config(5) manpage for details
|
||||
|
||||
# What ports, IPs and protocols we listen for
|
||||
Port 22
|
||||
# Use these options to restrict which interfaces/protocols sshd will bind to
|
||||
#ListenAddress ::
|
||||
#ListenAddress 0.0.0.0
|
||||
Protocol 2
|
||||
# HostKeys for protocol version 2
|
||||
#HostKey /etc/ssh/ssh_host_rsa_key
|
||||
#HostKey /etc/ssh/ssh_host_dsa_key
|
||||
#HostKey /etc/ssh/ssh_host_ecdsa_key
|
||||
HostKey /etc/ssh/ssh_host_ed25519_key
|
||||
|
||||
KexAlgorithms curve25519-sha256@libssh.org
|
||||
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
||||
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
|
||||
|
||||
#Privilege Separation is turned on for security
|
||||
UsePrivilegeSeparation yes
|
||||
|
||||
# Lifetime and size of ephemeral version 1 server key
|
||||
KeyRegenerationInterval 3600
|
||||
ServerKeyBits 1024
|
||||
|
||||
# Logging
|
||||
SyslogFacility AUTH
|
||||
LogLevel INFO
|
||||
|
||||
# Authentication:
|
||||
LoginGraceTime 120
|
||||
PermitRootLogin no
|
||||
StrictModes yes
|
||||
|
||||
RSAAuthentication yes
|
||||
PubkeyAuthentication yes
|
||||
#AuthorizedKeysFile %h/.ssh/authorized_keys
|
||||
|
||||
# Don't read the user's ~/.rhosts and ~/.shosts files
|
||||
IgnoreRhosts yes
|
||||
# For this to work you will also need host keys in /etc/ssh_known_hosts
|
||||
RhostsRSAAuthentication no
|
||||
# similar for protocol version 2
|
||||
HostbasedAuthentication no
|
||||
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
|
||||
#IgnoreUserKnownHosts yes
|
||||
|
||||
# To enable empty passwords, change to yes (NOT RECOMMENDED)
|
||||
PermitEmptyPasswords no
|
||||
|
||||
# Change to yes to enable challenge-response passwords (beware issues with
|
||||
# some PAM modules and threads)
|
||||
ChallengeResponseAuthentication no
|
||||
|
||||
# Change to no to disable tunnelled clear text passwords
|
||||
PasswordAuthentication yes
|
||||
|
||||
# Kerberos options
|
||||
#KerberosAuthentication no
|
||||
#KerberosGetAFSToken no
|
||||
#KerberosOrLocalPasswd yes
|
||||
#KerberosTicketCleanup yes
|
||||
|
||||
# GSSAPI options
|
||||
#GSSAPIAuthentication no
|
||||
#GSSAPICleanupCredentials yes
|
||||
|
||||
X11Forwarding yes
|
||||
X11DisplayOffset 10
|
||||
PrintMotd no
|
||||
PrintLastLog yes
|
||||
TCPKeepAlive yes
|
||||
#UseLogin no
|
||||
|
||||
#MaxStartups 10:30:60
|
||||
#Banner /etc/issue.net
|
||||
|
||||
# Allow client to pass locale environment variables
|
||||
AcceptEnv LANG LC_*
|
||||
|
||||
Subsystem sftp /usr/lib/openssh/sftp-server
|
||||
|
||||
# Set this to 'yes' to enable PAM authentication, account processing,
|
||||
# and session processing. If this is enabled, PAM authentication will
|
||||
# be allowed through the ChallengeResponseAuthentication and
|
||||
# PasswordAuthentication. Depending on your PAM configuration,
|
||||
# PAM authentication via ChallengeResponseAuthentication may bypass
|
||||
# the setting of "PermitRootLogin without-password".
|
||||
# If you just want the PAM account and session checks to run without
|
||||
# PAM authentication, then enable this but set PasswordAuthentication
|
||||
# and ChallengeResponseAuthentication to 'no'.
|
||||
UsePAM yes
|
|
@ -0,0 +1 @@
|
|||
{{ timezone }}
|
|
@ -0,0 +1,19 @@
|
|||
---
|
||||
deploy_user_name: ansible
|
||||
|
||||
apt_packages:
|
||||
- apt-transport-https
|
||||
- ntp
|
||||
- sudo
|
||||
- ufw
|
||||
- unzip
|
||||
- vim
|
||||
- htop
|
||||
- ca-certificates
|
||||
- unattended-upgrades
|
||||
- apt-listchanges
|
||||
|
||||
open_tcp_ports:
|
||||
- 22
|
||||
|
||||
timezone: Europe/Zurich
|
|
@ -0,0 +1,12 @@
|
|||
---
|
||||
- include: tasks/apt_install.yml
|
||||
- include: tasks/ufw_tcp.yml
|
||||
|
||||
- name: Configure Apache AllowOverride All
|
||||
replace:
|
||||
dest=/etc/apache2/apache2.conf
|
||||
regexp='(<[dD]irectory /var/www/>[^<]*)AllowOverride None'
|
||||
replace='\1AllowOverride All'
|
||||
|
||||
- name: Restart apache service
|
||||
service: name=apache2 state=restarted
|
|
@ -0,0 +1,9 @@
|
|||
---
|
||||
apt_packages:
|
||||
- apache2
|
||||
- python3-django
|
||||
- mariadb-server
|
||||
- libapache2-mod-wsgi-py3
|
||||
|
||||
open_tcp_ports:
|
||||
- 80
|
|
@ -0,0 +1,3 @@
|
|||
---
|
||||
- name: Upgrade APT to the latest packages
|
||||
apt: upgrade=dist autoremove=yes
|
|
@ -0,0 +1,4 @@
|
|||
---
|
||||
- name: Install packages
|
||||
apt: state=installed pkg={{ item }}
|
||||
with_items: "{{ apt_packages }}"
|
|
@ -0,0 +1,4 @@
|
|||
---
|
||||
- name: Install backports packages
|
||||
apt: state=installed pkg={{ item }} default_release=jessie-backports
|
||||
with_items: "{{ apt_backport_packages }}"
|
|
@ -0,0 +1,4 @@
|
|||
---
|
||||
- name: Install packages without depencies
|
||||
apt: state=installed pkg={{ item }} install_recommends=no
|
||||
with_items: "{{ apt_no_recommends_packages }}"
|
|
@ -0,0 +1,4 @@
|
|||
---
|
||||
- name: Update APT package cache
|
||||
apt:
|
||||
update_cache: yes
|
|
@ -0,0 +1,21 @@
|
|||
---
|
||||
- name: make sure that the .virtualenvs folder is present
|
||||
file: path="{{ item }}" state=directory owner=andreas group=andreas
|
||||
with_items:
|
||||
- "/home/{{ user_name }}/.virtualenvs"
|
||||
- "/home/{{ user_name }}/.virtualenvs/bin"
|
||||
become_user: "{{ user_name }}"
|
||||
|
||||
- name: Install pip3 packages
|
||||
pip: name={{ item }}
|
||||
virtualenv="/home/{{ user_name }}/.virtualenvs/{{ item }}"
|
||||
virtualenv_python=python3
|
||||
with_items: "{{ pip3_packages }}"
|
||||
become_user: "{{ user_name }}"
|
||||
|
||||
- name: Symlink packages binaries to ~/.virtualenvs/bin
|
||||
file: src="/home/{{ user_name }}/.virtualenvs/{{ item }}/bin/{{ item }}"
|
||||
dest="/home/{{ user_name }}/.virtualenvs/bin/{{ item }}"
|
||||
state=link
|
||||
with_items: "{{ pip3_packages }}"
|
||||
become_user: "{{ user_name }}"
|
|
@ -0,0 +1,7 @@
|
|||
---
|
||||
- name: Setup ufw
|
||||
ufw: state=enabled policy=deny
|
||||
|
||||
- name: Allow tcp traffic on defined ports
|
||||
ufw: rule=allow port={{ item }} proto=tcp
|
||||
with_items: "{{ open_tcp_ports }}"
|
|
@ -0,0 +1,7 @@
|
|||
---
|
||||
- name: Setup ufw
|
||||
ufw: state=enabled policy=deny
|
||||
|
||||
- name: Allow udp traffic on defined ports
|
||||
ufw: rule=allow port={{ item }} proto=udp
|
||||
with_items: "{{ open_udp_ports }}"
|
|
@ -0,0 +1,6 @@
|
|||
---
|
||||
- hosts: webtech.2li.local
|
||||
become: true
|
||||
roles:
|
||||
- common
|
||||
- web_AI-5
|
Loading…
Reference in New Issue