@@ -5,7 +5,7 @@
|
|||||||
path: /etc/ssh/sshd_config
|
path: /etc/ssh/sshd_config
|
||||||
regexp: "{{ item.re }}"
|
regexp: "{{ item.re }}"
|
||||||
line: "{{ item.li }}"
|
line: "{{ item.li }}"
|
||||||
with_items:
|
loop:
|
||||||
- {re: '^[# ]*PasswordAuthentication ', li: 'PasswordAuthentication no'}
|
- {re: '^[# ]*PasswordAuthentication ', li: 'PasswordAuthentication no'}
|
||||||
- {re: '^[# ]*PermitEmptyPasswords ', li: 'PermitEmptyPasswords no'}
|
- {re: '^[# ]*PermitEmptyPasswords ', li: 'PermitEmptyPasswords no'}
|
||||||
- {re: '^[# ]*PermitRootLogin ', li: 'PermitRootLogin no'}
|
- {re: '^[# ]*PermitRootLogin ', li: 'PermitRootLogin no'}
|
||||||
@@ -18,7 +18,7 @@
|
|||||||
src: files/fail2ban/jails/{{ item }}
|
src: files/fail2ban/jails/{{ item }}
|
||||||
dest: /etc/fail2ban/jail.d/{{ item }}
|
dest: /etc/fail2ban/jail.d/{{ item }}
|
||||||
mode: 0644
|
mode: 0644
|
||||||
with_items: "{{ fail2ban_jails }}"
|
loop: "{{ fail2ban_jails }}"
|
||||||
notify: restart_fail2ban
|
notify: restart_fail2ban
|
||||||
tags: security
|
tags: security
|
||||||
|
|
||||||
|
|||||||
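Review bot: The sshd_config loop in the `@@ -5` hunk hardens password and root login but never validates the edited file; a typo in any `li` value leaves sshd unable to restart and locks out the next session. Add `validate: '/usr/sbin/sshd -t -f %s'` to the task (the module header is above the hunk; the `regexp`/`line`/`path` keys suggest `lineinfile`, which supports it). Consider a fourth item `{re: '^[# ]*KbdInteractiveAuthentication ', li: 'KbdInteractiveAuthentication no'}` (plus `ChallengeResponseAuthentication no` on older OpenSSH), because with `UsePAM yes` keyboard-interactive can still prompt for a password after `PasswordAuthentication no`. Note also that sshd honours the first occurrence of a directive while `lineinfile` rewrites the last regexp match, so an earlier uncommented `PermitRootLogin yes` would survive this task; a `validate` step does not catch that, only a post-check of `sshd -T` does.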
@@ -1,24 +1,24 @@
|
|||||||
user http;
|
user http;
|
||||||
worker_processes 1;
|
worker_processes 1;
|
||||||
|
|
||||||
load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so;
|
load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so;
|
||||||
|
|
||||||
error_log /var/log/nginx/error.log info;
|
error_log /var/log/nginx/error.log notice;
|
||||||
|
|
||||||
events {
|
events {
|
||||||
worker_connections 1024;
|
worker_connections 1024;
|
||||||
}
|
}
|
||||||
|
|
||||||
http {
|
http {
|
||||||
include mime.types;
|
include mime.types;
|
||||||
|
|
||||||
default_type application/octet-stream;
|
default_type application/octet-stream;
|
||||||
|
|
||||||
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
||||||
'$status $body_bytes_sent "$http_referer" '
|
'$status $body_bytes_sent "$http_referer" '
|
||||||
'"$http_user_agent" "$http_x_forwarded_for"';
|
'"$http_user_agent" "$http_x_forwarded_for"';
|
||||||
|
|
||||||
access_log /var/log/nginx/access.log main;
|
access_log /var/log/nginx/access.log main;
|
||||||
|
|
||||||
sendfile on;
|
sendfile on;
|
||||||
server_tokens off;
|
server_tokens off;
|
||||||
|
|||||||
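Review bot: Raising the `error_log` level from `info` to `notice` can hide WAF events: with `ngx_http_modsecurity_module` loaded above it, some versions of the nginx connector emit rule-match messages through the nginx error log at info level, so this change would silence them in error.log. Confirm the level the installed module uses, or make sure `SecAuditEngine`/`SecAuditLog` is enabled in the ModSecurity configuration so detections are recorded independently of this setting. The hunk gives no rationale for the change; a comment on the line such as `# notice: drop per-request info noise; WAF detections are kept in the ModSecurity audit log` would record the intent.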
@@ -14,7 +14,7 @@
|
|||||||
path: "/etc/nginx/{{ item }}"
|
path: "/etc/nginx/{{ item }}"
|
||||||
state: directory
|
state: directory
|
||||||
mode: 0644
|
mode: 0644
|
||||||
with_items:
|
loop:
|
||||||
- sites-enabled
|
- sites-enabled
|
||||||
- sites-available
|
- sites-available
|
||||||
tags: http
|
tags: http
|
||||||
@@ -43,7 +43,7 @@
|
|||||||
src: "templates/nginx/sites/{{ item }}.j2"
|
src: "templates/nginx/sites/{{ item }}.j2"
|
||||||
dest: "/etc/nginx/sites-available/{{ item }}"
|
dest: "/etc/nginx/sites-available/{{ item }}"
|
||||||
mode: 0644
|
mode: 0644
|
||||||
with_items:
|
loop:
|
||||||
- "{{ ci_server_name }}.http.conf"
|
- "{{ ci_server_name }}.http.conf"
|
||||||
notify: restart_nginx
|
notify: restart_nginx
|
||||||
tags: http
|
tags: http
|
||||||
@@ -54,7 +54,7 @@
|
|||||||
src: "/etc/nginx/sites-available/{{ item }}"
|
src: "/etc/nginx/sites-available/{{ item }}"
|
||||||
dest: "/etc/nginx/sites-enabled/{{ item }}"
|
dest: "/etc/nginx/sites-enabled/{{ item }}"
|
||||||
state: link
|
state: link
|
||||||
with_items:
|
loop:
|
||||||
- "{{ ci_server_name }}.http.conf"
|
- "{{ ci_server_name }}.http.conf"
|
||||||
notify: restart_nginx
|
notify: restart_nginx
|
||||||
tags: http
|
tags: http
|
||||||
|
|||||||
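Review bot: `mode: 0644` on the `state: directory` task in the `@@ -14` hunk is wrong for a directory: without the execute bit no non-root process can traverse `/etc/nginx/sites-enabled` or `sites-available`, and only root-run readers (the nginx master) keep working by privilege. Use `mode: "0755"` there; quoting the mode also removes the YAML octal ambiguity that ansible-lint warns about and would be consistent across the other `mode:` lines in this diff. The task's name and module are above the hunk, so I cannot see whether `owner`/`group` are set as well.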
@@ -5,7 +5,7 @@
|
|||||||
src: "templates/nginx/sites/{{ item }}.j2"
|
src: "templates/nginx/sites/{{ item }}.j2"
|
||||||
dest: "/etc/nginx/sites-available/{{ item }}"
|
dest: "/etc/nginx/sites-available/{{ item }}"
|
||||||
mode: 0644
|
mode: 0644
|
||||||
with_items:
|
loop:
|
||||||
- "{{ ci_server_name }}.https.conf"
|
- "{{ ci_server_name }}.https.conf"
|
||||||
notify: restart_nginx
|
notify: restart_nginx
|
||||||
tags: https
|
tags: https
|
||||||
@@ -16,7 +16,7 @@
|
|||||||
src: "/etc/nginx/sites-available/{{ item }}"
|
src: "/etc/nginx/sites-available/{{ item }}"
|
||||||
dest: "/etc/nginx/sites-enabled/{{ item }}"
|
dest: "/etc/nginx/sites-enabled/{{ item }}"
|
||||||
state: link
|
state: link
|
||||||
with_items:
|
loop:
|
||||||
- "{{ ci_server_name }}.https.conf"
|
- "{{ ci_server_name }}.https.conf"
|
||||||
notify: restart_nginx
|
notify: restart_nginx
|
||||||
tags: https
|
tags: https
|
||||||
|
|||||||
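Review bot: Both tasks notify `restart_nginx`, so a rendered `{{ ci_server_name }}.https.conf` with a syntax error takes the TLS site down at handler time instead of failing the play. Prefer a handler that runs `nginx -t` and then `reload` (the handler is defined outside this diff, so I cannot tell whether it already validates); `reload` also keeps in-flight connections alive. Alternatively add a `command: nginx -t` task with `changed_when: false` immediately after the template task so the play fails before the handler fires.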
@@ -7,7 +7,7 @@
|
|||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: 0644
|
mode: 0644
|
||||||
with_items:
|
loop:
|
||||||
- "{{ nginx_conf_path }}"
|
- "{{ nginx_conf_path }}"
|
||||||
- "{{ modsec_rules_path }}"
|
- "{{ modsec_rules_path }}"
|
||||||
tags: modsec
|
tags: modsec
|
||||||
@@ -28,7 +28,7 @@
|
|||||||
dest: "{{ item.dest }}"
|
dest: "{{ item.dest }}"
|
||||||
update: false
|
update: false
|
||||||
version: "{{ item.ver }}"
|
version: "{{ item.ver }}"
|
||||||
with_items: "{{ modsec_git_urls }}"
|
loop: "{{ modsec_git_urls }}"
|
||||||
notify: restart_nginx
|
notify: restart_nginx
|
||||||
tags: modsec
|
tags: modsec
|
||||||
|
|
||||||
@@ -40,7 +40,7 @@
|
|||||||
state: link
|
state: link
|
||||||
force: true
|
force: true
|
||||||
mode: 0644
|
mode: 0644
|
||||||
with_items: "{{ modsec_conf_links }}"
|
loop: "{{ modsec_conf_links }}"
|
||||||
notify: restart_nginx
|
notify: restart_nginx
|
||||||
tags: modsec
|
tags: modsec
|
||||||
|
|
||||||
@@ -52,7 +52,7 @@
|
|||||||
state: "{{ item.enabled | ternary('link', 'absent') }}"
|
state: "{{ item.enabled | ternary('link', 'absent') }}"
|
||||||
force: true
|
force: true
|
||||||
mode: 0644
|
mode: 0644
|
||||||
with_items: "{{ crs_rule_links }}"
|
loop: "{{ crs_rule_links }}"
|
||||||
notify: restart_nginx
|
notify: restart_nginx
|
||||||
tags: modsec, modsec_rules
|
tags: modsec, modsec_rules
|
||||||
|
|
||||||
@@ -64,14 +64,14 @@
|
|||||||
state: link
|
state: link
|
||||||
force: true
|
force: true
|
||||||
mode: 0644
|
mode: 0644
|
||||||
with_items: "{{ crs_data_links }}"
|
loop: "{{ crs_data_links }}"
|
||||||
notify: restart_nginx
|
notify: restart_nginx
|
||||||
tags: modsec, modsec_rules
|
tags: modsec, modsec_rules
|
||||||
|
|
||||||
- name: whitelist local ip addresses
|
- name: whitelist local ip addresses
|
||||||
become: true
|
become: true
|
||||||
lineinfile:
|
lineinfile:
|
||||||
path: "{{ nginx_path }}/modsecurity.conf"
|
path: "{{ modsec_crs_before_rule_conf }}"
|
||||||
regexp: "{{ modsec_whitelist_local_re }}"
|
regexp: "{{ modsec_whitelist_local_re }}"
|
||||||
line: "{{ modsec_whitelist_local }}"
|
line: "{{ modsec_whitelist_local }}"
|
||||||
mode: 0644
|
mode: 0644
|
||||||
|
|||||||
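Review bot: In the git hunk (`@@ -28`), `update: false` leaves an existing clone untouched, so `version: "{{ item.ver }}"` is effectively applied only on the initial clone; a later bump of `item.ver` for the CRS or ModSecurity rules is silently ignored and a branch name never advances, letting the deployed ruleset drift from what the vars declare. Decide explicitly: either `update: true` with `ver` pinned to an immutable tag or commit SHA, or keep `update: false` and document in the task that changing the version requires removing the clone. For supply-chain assurance consider `verify_commit: true` so a signed tag or commit is checked before the rules are linked into nginx. The `git:` task header and the `modsec_git_urls` definition are outside the hunk.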
@@ -4,7 +4,7 @@
|
|||||||
cron:
|
cron:
|
||||||
name: certbot_renew
|
name: certbot_renew
|
||||||
special_time: weekly
|
special_time: weekly
|
||||||
job: |
|
job: >-
|
||||||
certbot renew --pre-hook "systemctl stop nginx" \
|
certbot renew --pre-hook "systemctl stop nginx"
|
||||||
--post-hook "systemctl start nginx"
|
--post-hook "systemctl start nginx"
|
||||||
tags: cron
|
tags: cron
|
||||||
|
|||||||
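Review bot: The folded `job` in the `@@ -4` hunk is now valid crontab syntax, but the hooks stop nginx for the entire renewal, so every renewal is a full outage of the ModSecurity-fronted site; if the standalone authenticator is what forces this (not visible here), switching to webroot or `--nginx` with `--deploy-hook "systemctl reload nginx"` avoids downtime and only reloads when a certificate actually changed. `special_time: weekly` is also sparser than the twice-daily cadence Let's Encrypt recommends, which leaves fewer retries inside the renewal window if renewals start failing; `special_time: daily` or an explicit `hour`/`minute` pair is cheap because `certbot renew` is a no-op until a certificate is due.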