noticket Changes from redeploy to new server

ansible/roles/common/defaults/main.yml

@@ -1,12 +1,21 @@
 ---
 deps: [
+  cronie,
   docker,
-  git,
   fail2ban,
-  python-docker
+  git,
+  python-docker,
+  tmux,
+  weechat
 ]
 
 fail2ban_jails: [
   sshd.local,
   nginx.local
 ]
+
+services:
+  - docker
+  - fail2ban
+  - iptables
+  - nginx

ansible/roles/common/tasks/main.yml

@@ -1,3 +1,4 @@
 ---
 - import_tasks: deps.yml
 - import_tasks: security.yml
+- import_tasks: service.yml

ansible/roles/common/tasks/service.yml

@@ -0,0 +1,9 @@
+---
+- name: ensure desired services are started and enabled
+  become: true
+  service:
+    name: "{{ item }}"
+    state: started
+    enabled: true
+  loop: "{{ services }}"
+  tags: security, service

ansible/roles/http/tasks/http.yml

@@ -28,15 +28,6 @@
     recurse: true
   tags: http
 
-- name: touch nginx logs, enable jail
-  become: true
-  file:
-    path: "/var/log/nginx/error.log"
-    state: file
-    mode: 0644
-  notify: restart_fail2ban
-  tags: http, security
-
 - name: template nginx http sites-available
   become: true
   template:

ansible/roles/http/tasks/main.yml

@@ -1,5 +1,6 @@
 ---
 - import_tasks: deps.yml
+- import_tasks: security.yml
 - import_tasks: modsec.yml
 - import_tasks: http.yml
 - import_tasks: https.yml

ansible/roles/http/tasks/security.yml

@@ -0,0 +1,12 @@
+---
+- name: touch nginx logs, enable jail
+  become: true
+  file:
+    path: "/var/log/nginx/{{ item }}.log"
+    state: touch
+    mode: 0644
+  loop:
+    - access
+    - error
+  notify: restart_fail2ban
+  tags: http, security

ansible/roles/ssl/tasks/certbot.yml

@@ -2,7 +2,7 @@
 - name: generate openssl dhparam for nginx
   become: true
   command: |
-    openssl dhparam -dsaparam -out /etc/ssl/certs/dhparam.pem 2048
+    openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
   args:
     creates: /etc/ssl/certs/dhparam.pem
   tags: ssl