moved ddns, partkeepr, hass to podman, selinux
@@ -1,7 +1,7 @@
|
||||
---
|
||||
- name: install http dependencies
|
||||
become: true
|
||||
pacman:
|
||||
ansible.builtin.package:
|
||||
name: "{{ deps }}"
|
||||
state: present
|
||||
tags: deps
|
||||
|
||||
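--- /dev/null
+++ b/ansible/roles/http/tasks/firewall.yml
@@ -0,0 +1,12 @@
+---
+- name: set http/https firewall rules
+  become: true
+  ansible.posix.firewalld:
+    service: "{{ item }}"
+    permanent: true
+    state: enabled
+  with_items:
+    - http
+    - https
+  notify: restart firewalld
+  tags: firewall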
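Review bot: The firewalld rule is written with `permanent: true` only, so the running firewall is unchanged until the `restart firewalld` handler fires at the end of the play; adding `immediate: true` next to `permanent: true` applies the rule to the live configuration as well and removes the dependency on a full firewalld restart. The handler name `restart firewalld` uses a space while the role's other handlers (`restart_nginx`, `restart_fail2ban`) use underscores; one convention keeps `notify` lines greppable. Likewise this file uses `with_items` where http.yml uses `loop:` for the same job; `loop` is the current form and worth using consistently.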
@@ -5,7 +5,7 @@
|
||||
src: templates/nginx/nginx.conf.j2
|
||||
dest: /etc/nginx/nginx.conf
|
||||
owner: root
|
||||
group: http
|
||||
group: nginx
|
||||
mode: 0644
|
||||
notify: restart_nginx
|
||||
tags: http
|
||||
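Review bot: The new `group: nginx` value here (and `owner: nginx` / `group: nginx` in the two following hunks, lines 122–125 and 155–158) assumes an `nginx` user and group exist on the host, which the host nginx package previously provided; with nginx now running from the `owasp/modsecurity:nginx` image, nothing in the visible diff creates them, so unless `{{ deps }}` still installs a package that does, these `file`/`template` tasks fail on the group lookup. If the account is only needed for file ownership, an explicit `ansible.builtin.group` task with `name: nginx` and `system: true` (plus a matching `ansible.builtin.user`) in deps.yml makes the dependency visible instead of implicit. Since the files are bind-mounted read-only into the container and `0644`/`0755` already make them world-readable, the uid/gid inside the container does not need to match the host one. While these tasks are being touched, quoting the adjacent `mode: 0644` / `mode: 0755` as `mode: "0644"` avoids the leading-zero integer parse that ansible-lint's risky-octal rule flags.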
@@ -26,8 +26,8 @@
|
||||
ansible.builtin.file:
|
||||
path: "{{ item }}"
|
||||
state: directory
|
||||
owner: http
|
||||
group: http
|
||||
owner: nginx
|
||||
group: nginx
|
||||
mode: 0755
|
||||
loop:
|
||||
- /srv/http
|
||||
@@ -38,8 +38,8 @@
|
||||
become: true
|
||||
ansible.builtin.file:
|
||||
path: /srv/http
|
||||
owner: http
|
||||
group: http
|
||||
owner: nginx
|
||||
group: nginx
|
||||
mode: 0755
|
||||
recurse: true
|
||||
tags: http
|
||||
@@ -84,9 +84,3 @@
|
||||
- "{{ logs_server_name }}.conf"
|
||||
notify: restart_nginx
|
||||
tags: http
|
||||
|
||||
- name: validate nginx configurations
|
||||
become: true
|
||||
ansible.builtin.command: nginx -t
|
||||
changed_when: false
|
||||
tags: http
|
||||
|
||||
@@ -1,10 +0,0 @@
|
||||
---
|
||||
- name: template nginx log rotation
|
||||
become: true
|
||||
ansible.builtin.template:
|
||||
src: logrotate/nginx.j2
|
||||
dest: /etc/logrotate.d/nginx
|
||||
mode: 0644
|
||||
tags:
|
||||
- http
|
||||
- logrotate
|
||||
@@ -1,7 +1,7 @@
|
||||
---
|
||||
- import_tasks: deps.yml
|
||||
- import_tasks: security.yml
|
||||
- import_tasks: firewall.yml
|
||||
- import_tasks: modsec.yml
|
||||
- import_tasks: http.yml
|
||||
- import_tasks: https.yml
|
||||
- import_tasks: logrotate.yml
|
||||
- import_tasks: nginx.yml
|
||||
|
||||
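Review bot: `nginx.yml`, which defines the `container_file_t` file contexts for `/etc/nginx` and `/etc/letsencrypt`, is imported last, after `http.yml` and `https.yml` have already written files into those directories; on a first run those files are created before the mapping exists and their labels are only corrected by the `restorecon nginx` handler at the end of the play, after the container task has already started nginx against them, which risks an SELinux denial on that first run. Moving the sefcontext task into its own file (e.g. `selinux.yml`) imported before `http.yml`, or flushing the handler with `- meta: flush_handlers` before the container task, makes the first run deterministic. Dropping the `logrotate.yml` import is consistent with logs now going to syslog through the container's log driver, so no objection there.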
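--- /dev/null
+++ b/ansible/roles/http/tasks/nginx.yml
@@ -0,0 +1,33 @@
+---
+- name: selinux context for nginx directories
+  become: true
+  community.general.sefcontext:
+    target: "/etc/{{ item }}"
+    setype: container_file_t
+    state: present
+  with_items:
+    - "nginx(/.*)?"
+    - "letsencrypt(/.*)?"
+  notify: restorecon nginx
+  tags: selinux
+
+- name: create nginx modsecurity container
+  community.general.docker_container:
+    name: nginx
+    image: owasp/modsecurity:nginx
+    entrypoint: ["nginx", "-g", "daemon off;"]
+    command_handling: correct
+    recreate: true
+    restart: true
+    restart_policy: on-failure
+    restart_retries: 3
+    network_mode: host
+    log_driver: syslog
+    log_options:
+      syslog-address: "udp://localhost:{{ syslog_udp_default }}"
+      syslog-facility: daemon
+      tag: "docker/{{'{{'}}.Name{{'}}'}}"
+    volumes:
+      - /etc/nginx:/etc/nginx:ro
+      - /etc/letsencrypt:/etc/letsencrypt:ro
+  tags: nginx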
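Review bot: `image: owasp/modsecurity:nginx` is a floating tag and the task sets `recreate: true`, so every play run tears down and re-creates the container (a site restart on each run, never idempotent) and silently picks up whatever the registry currently serves under that tag. Pinning to a versioned tag or a digest (`image: owasp/modsecurity:<version>@sha256:<digest>`, placeholders to be filled from the registry) and dropping `recreate: true` so the module only re-creates on a real configuration change gives reproducible, idempotent deployments. Labelling `/etc/letsencrypt(/.*)?` globally as `container_file_t` makes the TLS private keys readable by every container domain on the host rather than just this one, since no MCS categories are attached; acceptable on a single-container host, but worth recording with a comment such as `# container_file_t without categories: readable by every container on this host`. The commit title says podman, yet the task uses `community.general.docker_container` (a module that has since moved to `community.docker.docker_container` and talks to a Docker-compatible API socket); if the host actually runs podman, `containers.podman.podman_container` is the native module, otherwise the title is misleading. This is also the only task in the role without `become: true`; whether that is intentional (rootless) or an omission decides who owns the API socket and whether the container can bind ports 80/443 with `network_mode: host`, so a one-line comment stating the intent would help.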
@@ -1,14 +0,0 @@
|
||||
---
|
||||
- name: touch nginx logs, enable jail
|
||||
become: true
|
||||
ansible.builtin.file:
|
||||
path: "/var/log/nginx/{{ item }}.log"
|
||||
state: touch
|
||||
mode: 0644
|
||||
loop:
|
||||
- access
|
||||
- error
|
||||
notify: restart_fail2ban
|
||||
tags:
|
||||
- http
|
||||
- security
|
||||