added https parts site, video site, fixed modsecurity

2022-04-12 01:15:51 -04:00
parent 232b28a647
commit 9fbe473e3c
22 changed files with 193 additions and 246 deletions
--- a/ansible/roles/http/tasks/http.yml
+++ b/ansible/roles/http/tasks/http.yml
@@ -19,6 +19,18 @@
    - sites-available
  tags: http

+- name: ensure http/s directories exist
+  become: true
+  file:
+    path: "{{ item }}"
+    state: directory
+    owner: http
+    group: http
+  loop:
+    - /srv/http
+    - /srv/http/letsencrypt
+  tags: http
+
 - name: chown http user home
  become: true
  file:
@@ -39,6 +51,7 @@
    - "{{ pi_server_name }}.conf"
    - "{{ home_server_name }}.conf"
    - "{{ assistant_server_name }}.conf"
+    - "{{ video_server_name }}.conf"
    - "{{ parts_server_name }}.conf"
  notify: restart_nginx
  tags: http
@@ -62,5 +75,11 @@
    - "{{ parts_server_name }}.conf"
    - "{{ home_server_name }}.conf"
    - "{{ assistant_server_name }}.conf"
+    - "{{ video_server_name }}.conf"
  notify: restart_nginx
  tags: http
+
+- name: validate nginx configurations
+  become: true
+  shell: nginx -t
+  tags: http
--- a/ansible/roles/http/tasks/https.yml
+++ b/ansible/roles/http/tasks/https.yml
@@ -7,6 +7,7 @@
    mode: 0644
  loop:
    - "{{ ci_server_name }}.https.conf"
+    - "{{ parts_server_name }}.https.conf"
  notify: restart_nginx
  tags: https

@@ -18,5 +19,6 @@
    state: link
  loop:
    - "{{ ci_server_name }}.https.conf"
+    - "{{ parts_server_name }}.https.conf"
  notify: restart_nginx
  tags: https
--- a/ansible/roles/http/tasks/modsec.yml
+++ b/ansible/roles/http/tasks/modsec.yml
@@ -35,36 +35,37 @@

 - name: setup modsec and coreruleset configs
  become: true
-  file:
+  copy:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
-    state: link
    force: true
    mode: 0644
+    remote_src: true
  loop: "{{ modsec_conf_links }}"
  notify: restart_nginx
  tags: modsec

 - name: setup coreruleset rules
  become: true
-  file:
+  copy:
    src: "{{ crs_rules_path }}/{{ item.name }}.conf"
    dest: "{{ modsec_rules_path }}/{{ item.name }}.conf"
-    state: "{{ item.enabled | ternary('link', 'absent') }}"
    force: true
    mode: 0644
+    remote_src: true
+  when: item.enabled
  loop: "{{ crs_rule_links }}"
  notify: restart_nginx
  tags: modsec, modsec_rules

 - name: setup coreruleset data
  become: true
-  file:
+  copy:
    src: "{{ crs_rules_path }}/{{ item }}.data"
    dest: "{{ modsec_rules_path }}/{{ item }}.data"
-    state: link
    force: true
    mode: 0644
+    remote_src: true
  loop: "{{ crs_data_links }}"
  notify: restart_nginx
  tags: modsec, modsec_rules
--- a/ansible/roles/http/tasks/security.yml
+++ b/ansible/roles/http/tasks/security.yml
@@ -9,4 +9,6 @@
    - access
    - error
  notify: restart_fail2ban
-  tags: http, security
+  tags:
+    - http
+    - security