moved ddns, partkeepr, hass to podman, selinux

2022-04-30 03:44:55 -04:00
parent b228012d5a
commit cb2001357f
61 changed files with 481 additions and 307 deletions
--- a/ansible/roles/http/defaults/main.yml
+++ b/ansible/roles/http/defaults/main.yml
@@ -1,6 +1,4 @@
 ---
-deps: [certbot, nginx, nginx-mod-modsecurity]
-
 ci_server_name: ci.bdebyl.net
 pi_server_name: pi.bdebyl.net
 assistant_server_name: assistant.bdebyl.net
--- a/ansible/roles/http/handlers/main.yml
+++ b/ansible/roles/http/handlers/main.yml
@@ -1,6 +1,17 @@
 ---
 - name: restart_nginx
+  become: true
+  ansible.builtin.command: docker restart nginx
+
+- name: restart firewalld
  become: true
  ansible.builtin.service:
-    name: nginx
+    name: firewalld
    state: restarted
+
+- name: restorecon nginx
+  become: true
+  ansible.builtin.command: restorecon -irv /etc/{{ item }}
+  with_items:
+    - nginx
+    - letsencrypt
--- a/ansible/roles/http/tasks/deps.yml
+++ b/ansible/roles/http/tasks/deps.yml
@@ -1,7 +1,7 @@
 ---
 - name: install http dependencies
  become: true
-  pacman:
+  ansible.builtin.package:
    name: "{{ deps }}"
    state: present
  tags: deps
--- a/ansible/roles/http/tasks/firewall.yml
+++ b/ansible/roles/http/tasks/firewall.yml
@@ -0,0 +1,12 @@
+---
+- name: set http/https firewall rules
+  become: true
+  ansible.posix.firewalld:
+    service: "{{ item }}"
+    permanent: true
+    state: enabled
+  with_items:
+    - http
+    - https
+  notify: restart firewalld
+  tags: firewall
--- a/ansible/roles/http/tasks/http.yml
+++ b/ansible/roles/http/tasks/http.yml
@@ -5,7 +5,7 @@
    src: templates/nginx/nginx.conf.j2
    dest: /etc/nginx/nginx.conf
    owner: root
-    group: http
+    group: nginx
    mode: 0644
  notify: restart_nginx
  tags: http
@@ -26,8 +26,8 @@
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
-    owner: http
-    group: http
+    owner: nginx
+    group: nginx
    mode: 0755
  loop:
    - /srv/http
@@ -38,8 +38,8 @@
  become: true
  ansible.builtin.file:
    path: /srv/http
-    owner: http
-    group: http
+    owner: nginx
+    group: nginx
    mode: 0755
    recurse: true
  tags: http
@@ -84,9 +84,3 @@
    - "{{ logs_server_name }}.conf"
  notify: restart_nginx
  tags: http
-
- name: validate nginx configurations
-  become: true
-  ansible.builtin.command: nginx -t
-  changed_when: false
-  tags: http
--- a/ansible/roles/http/tasks/logrotate.yml
+++ b/ansible/roles/http/tasks/logrotate.yml
@@ -1,10 +0,0 @@
---
- name: template nginx log rotation
-  become: true
-  ansible.builtin.template:
-    src: logrotate/nginx.j2
-    dest: /etc/logrotate.d/nginx
-    mode: 0644
-  tags:
-    - http
-    - logrotate
--- a/ansible/roles/http/tasks/main.yml
+++ b/ansible/roles/http/tasks/main.yml
@@ -1,7 +1,7 @@
 ---
 - import_tasks: deps.yml
- import_tasks: security.yml
+- import_tasks: firewall.yml
 - import_tasks: modsec.yml
 - import_tasks: http.yml
 - import_tasks: https.yml
- import_tasks: logrotate.yml
+- import_tasks: nginx.yml
--- a/ansible/roles/http/tasks/nginx.yml
+++ b/ansible/roles/http/tasks/nginx.yml
@@ -0,0 +1,33 @@
+---
+- name: selinux context for nginx directories
+  become: true
+  community.general.sefcontext:
+    target: "/etc/{{ item }}"
+    setype: container_file_t
+    state: present
+  with_items:
+    - "nginx(/.*)?"
+    - "letsencrypt(/.*)?"
+  notify: restorecon nginx
+  tags: selinux
+
+- name: create nginx modsecurity container
+  community.general.docker_container:
+    name: nginx
+    image: owasp/modsecurity:nginx
+    entrypoint: ["nginx", "-g", "daemon off;"]
+    command_handling: correct
+    recreate: true
+    restart: true
+    restart_policy: on-failure
+    restart_retries: 3
+    network_mode: host
+    log_driver: syslog
+    log_options:
+      syslog-address: "udp://localhost:{{ syslog_udp_default }}"
+      syslog-facility: daemon
+      tag: "docker/{{'{{'}}.Name{{'}}'}}"
+    volumes:
+      - /etc/nginx:/etc/nginx:ro
+      - /etc/letsencrypt:/etc/letsencrypt:ro
+  tags: nginx
--- a/ansible/roles/http/tasks/security.yml
+++ b/ansible/roles/http/tasks/security.yml
@@ -1,14 +0,0 @@
---
- name: touch nginx logs, enable jail
-  become: true
-  ansible.builtin.file:
-    path: "/var/log/nginx/{{ item }}.log"
-    state: touch
-    mode: 0644
-  loop:
-    - access
-    - error
-  notify: restart_fail2ban
-  tags:
-    - http
-    - security
--- a/ansible/roles/http/templates/nginx/nginx.conf.j2
+++ b/ansible/roles/http/templates/nginx/nginx.conf.j2
@@ -1,4 +1,4 @@
-user http;
+user nginx;
 worker_processes 1;

 load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so;
--- a/ansible/roles/http/templates/nginx/sites/ci.bdebyl.net.http.conf.j2
+++ b/ansible/roles/http/templates/nginx/sites/ci.bdebyl.net.http.conf.j2
@@ -1,6 +1,5 @@
 server {
 	listen 80;
-	listen [::]:80;
 	server_name {{ ci_server_name }};

 	location /.well-known {
--- a/ansible/roles/http/templates/nginx/sites/ci.bdebyl.net.https.conf.j2
+++ b/ansible/roles/http/templates/nginx/sites/ci.bdebyl.net.https.conf.j2
@@ -12,13 +12,12 @@ server {
  modsecurity_rules_file {{ nginx_path }}/modsec_includes.conf;

  listen 443 ssl http2;
-  listen [::]:443 ssl http2;
  server_name {{ ci_server_name }};

  ssl_certificate         /etc/letsencrypt/live/{{ ci_server_name }}/fullchain.pem;
  ssl_certificate_key     /etc/letsencrypt/live/{{ ci_server_name }}/privkey.pem;
  ssl_trusted_certificate /etc/letsencrypt/live/{{ ci_server_name }}/fullchain.pem;
-  ssl_dhparam             /etc/ssl/certs/dhparam.pem;
+  ssl_dhparam             ssl/dhparam.pem;

  ssl_ciphers               ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
  ssl_prefer_server_ciphers off;
--- a/ansible/roles/http/templates/nginx/sites/home.bdebyl.net.conf.j2
+++ b/ansible/roles/http/templates/nginx/sites/home.bdebyl.net.conf.j2
@@ -10,7 +10,7 @@ server {
  listen 80 default_server;
  server_name {{ home_server_name }};
  if ($whitelisted = 1) {
-    return 302 http://pi.bdebyl.net;
+    return 302 http://192.168.1.12;
  }

  if ($whitelisted = 0) {
--- a/ansible/roles/http/templates/nginx/sites/logs.bdebyl.net.conf.j2
+++ b/ansible/roles/http/templates/nginx/sites/logs.bdebyl.net.conf.j2
@@ -12,6 +12,7 @@ server {
  modsecurity_rules_file {{ nginx_path }}/modsec_includes.conf;

  listen 80;
+  listen [::]:80;
  server_name {{ logs_server_name }};

  location / {
--- a/ansible/roles/http/templates/nginx/sites/parts.bdebyl.net.conf.j2
+++ b/ansible/roles/http/templates/nginx/sites/parts.bdebyl.net.conf.j2
@@ -8,7 +8,6 @@ server {
  modsecurity_rules_file {{ nginx_path }}/modsec_includes.conf;

  listen 80;
-  listen [::]:80;
  server_name {{ parts_server_name }};

 	location /.well-known {
--- a/ansible/roles/http/templates/nginx/sites/parts.bdebyl.net.https.conf.j2
+++ b/ansible/roles/http/templates/nginx/sites/parts.bdebyl.net.https.conf.j2
@@ -14,13 +14,12 @@ server {
  resolver 127.0.0.1 127.0.0.53 9.9.9.9 valid=60s;

  listen 443 ssl http2;
-  listen [::]:443 ssl http2;
  server_name {{ parts_server_name }};

  ssl_certificate         /etc/letsencrypt/live/{{ parts_server_name }}/fullchain.pem;
  ssl_certificate_key     /etc/letsencrypt/live/{{ parts_server_name }}/privkey.pem;
  ssl_trusted_certificate /etc/letsencrypt/live/{{ parts_server_name }}/fullchain.pem;
-  ssl_dhparam             /etc/ssl/certs/dhparam.pem;
+  ssl_dhparam             ssl/dhparam.pem;

  ssl_ciphers               ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
  ssl_prefer_server_ciphers off;
--- a/ansible/roles/http/templates/nginx/sites/pi.bdebyl.net.conf.j2
+++ b/ansible/roles/http/templates/nginx/sites/pi.bdebyl.net.conf.j2
@@ -9,7 +9,6 @@ server {
  modsecurity_rules_file {{ nginx_path }}/modsec_includes.conf;

 	listen 80;
-	listen [::]:80;

 	root /srv/http/pihole;
 	server_name {{ pi_server_name }};