bdebyl
@@ -5,7 +5,7 @@
|
||||
path: /etc/ssh/sshd_config
|
||||
regexp: "{{ item.re }}"
|
||||
line: "{{ item.li }}"
|
||||
with_items:
|
||||
loop:
|
||||
- {re: '^[# ]*PasswordAuthentication ', li: 'PasswordAuthentication no'}
|
||||
- {re: '^[# ]*PermitEmptyPasswords ', li: 'PermitEmptyPasswords no'}
|
||||
- {re: '^[# ]*PermitRootLogin ', li: 'PermitRootLogin no'}
|
||||
@@ -18,7 +18,7 @@
|
||||
src: files/fail2ban/jails/{{ item }}
|
||||
dest: /etc/fail2ban/jail.d/{{ item }}
|
||||
mode: 0644
|
||||
with_items: "{{ fail2ban_jails }}"
|
||||
loop: "{{ fail2ban_jails }}"
|
||||
notify: restart_fail2ban
|
||||
tags: security
|
||||
|
||||
|
||||
@@ -1,24 +1,24 @@
|
||||
user http;
|
||||
worker_processes 1;
|
||||
worker_processes 1;
|
||||
|
||||
load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so;
|
||||
|
||||
error_log /var/log/nginx/error.log info;
|
||||
error_log /var/log/nginx/error.log notice;
|
||||
|
||||
events {
|
||||
worker_connections 1024;
|
||||
worker_connections 1024;
|
||||
}
|
||||
|
||||
http {
|
||||
include mime.types;
|
||||
|
||||
default_type application/octet-stream;
|
||||
default_type application/octet-stream;
|
||||
|
||||
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
||||
'$status $body_bytes_sent "$http_referer" '
|
||||
'"$http_user_agent" "$http_x_forwarded_for"';
|
||||
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
||||
'$status $body_bytes_sent "$http_referer" '
|
||||
'"$http_user_agent" "$http_x_forwarded_for"';
|
||||
|
||||
access_log /var/log/nginx/access.log main;
|
||||
access_log /var/log/nginx/access.log main;
|
||||
|
||||
sendfile on;
|
||||
server_tokens off;
|
||||
|
||||
@@ -14,7 +14,7 @@
|
||||
path: "/etc/nginx/{{ item }}"
|
||||
state: directory
|
||||
mode: 0644
|
||||
with_items:
|
||||
loop:
|
||||
- sites-enabled
|
||||
- sites-available
|
||||
tags: http
|
||||
@@ -43,7 +43,7 @@
|
||||
src: "templates/nginx/sites/{{ item }}.j2"
|
||||
dest: "/etc/nginx/sites-available/{{ item }}"
|
||||
mode: 0644
|
||||
with_items:
|
||||
loop:
|
||||
- "{{ ci_server_name }}.http.conf"
|
||||
notify: restart_nginx
|
||||
tags: http
|
||||
@@ -54,7 +54,7 @@
|
||||
src: "/etc/nginx/sites-available/{{ item }}"
|
||||
dest: "/etc/nginx/sites-enabled/{{ item }}"
|
||||
state: link
|
||||
with_items:
|
||||
loop:
|
||||
- "{{ ci_server_name }}.http.conf"
|
||||
notify: restart_nginx
|
||||
tags: http
|
||||
|
||||
@@ -5,7 +5,7 @@
|
||||
src: "templates/nginx/sites/{{ item }}.j2"
|
||||
dest: "/etc/nginx/sites-available/{{ item }}"
|
||||
mode: 0644
|
||||
with_items:
|
||||
loop:
|
||||
- "{{ ci_server_name }}.https.conf"
|
||||
notify: restart_nginx
|
||||
tags: https
|
||||
@@ -16,7 +16,7 @@
|
||||
src: "/etc/nginx/sites-available/{{ item }}"
|
||||
dest: "/etc/nginx/sites-enabled/{{ item }}"
|
||||
state: link
|
||||
with_items:
|
||||
loop:
|
||||
- "{{ ci_server_name }}.https.conf"
|
||||
notify: restart_nginx
|
||||
tags: https
|
||||
|
||||
@@ -7,7 +7,7 @@
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
with_items:
|
||||
loop:
|
||||
- "{{ nginx_conf_path }}"
|
||||
- "{{ modsec_rules_path }}"
|
||||
tags: modsec
|
||||
@@ -28,7 +28,7 @@
|
||||
dest: "{{ item.dest }}"
|
||||
update: false
|
||||
version: "{{ item.ver }}"
|
||||
with_items: "{{ modsec_git_urls }}"
|
||||
loop: "{{ modsec_git_urls }}"
|
||||
notify: restart_nginx
|
||||
tags: modsec
|
||||
|
||||
@@ -40,7 +40,7 @@
|
||||
state: link
|
||||
force: true
|
||||
mode: 0644
|
||||
with_items: "{{ modsec_conf_links }}"
|
||||
loop: "{{ modsec_conf_links }}"
|
||||
notify: restart_nginx
|
||||
tags: modsec
|
||||
|
||||
@@ -52,7 +52,7 @@
|
||||
state: "{{ item.enabled | ternary('link', 'absent') }}"
|
||||
force: true
|
||||
mode: 0644
|
||||
with_items: "{{ crs_rule_links }}"
|
||||
loop: "{{ crs_rule_links }}"
|
||||
notify: restart_nginx
|
||||
tags: modsec, modsec_rules
|
||||
|
||||
@@ -64,14 +64,14 @@
|
||||
state: link
|
||||
force: true
|
||||
mode: 0644
|
||||
with_items: "{{ crs_data_links }}"
|
||||
loop: "{{ crs_data_links }}"
|
||||
notify: restart_nginx
|
||||
tags: modsec, modsec_rules
|
||||
|
||||
- name: whitelist local ip addresses
|
||||
become: true
|
||||
lineinfile:
|
||||
path: "{{ nginx_path }}/modsecurity.conf"
|
||||
path: "{{ modsec_crs_before_rule_conf }}"
|
||||
regexp: "{{ modsec_whitelist_local_re }}"
|
||||
line: "{{ modsec_whitelist_local }}"
|
||||
mode: 0644
|
||||
|
||||
@@ -4,7 +4,7 @@
|
||||
cron:
|
||||
name: certbot_renew
|
||||
special_time: weekly
|
||||
job: |
|
||||
certbot renew --pre-hook "systemctl stop nginx" \
|
||||
--post-hook "systemctl start nginx"
|
||||
job: >-
|
||||
certbot renew --pre-hook "systemctl stop nginx"
|
||||
--post-hook "systemctl start nginx"
|
||||
tags: cron
|
||||
|
||||
Reference in New Issue
Block a user