34 files changed, 462 insertions, 143 deletions
diff --git a/adze_extras/README.md b/adze_extras/README.md index 84d4eda..e1f8d0a 100644 --- a/adze_extras/README.md +++ b/adze_extras/README.md @@ -14,4 +14,41 @@ These are things i've manually configured on adze, not using ansible => copied all directory contents => easy! - installed docker (via apt) and docker-compose (via binary) -- miniflux (rss reader; used docker-compose) + => but as of 2022-09-13 this is broken +- miniflux (rss reader; golang) + => was previously in docker, now isn't + +--- + +trying to use podman, instead of docker, on debian bullseye/stable + +follow: https://thesynack.com/posts/docker-compose-podman/ + +didn't un-install docker, instead just installed 'podman' package (3.0+, in +debian bullseye/stable), then: + + sudo apt install podman runc + + sudo systemctl disable --now docker.service docker.socket + sudo systemctl enable --now podman.service podman.socket + +check that podman is working: + + sudo curl -v --unix-socket /run/podman/podman.sock http://localhost/_ping + +try a docker-compose thing: + + sudo DOCKER_HOST=unix:///run/podman/podman.sock docker-compose up -d + + +follow these + +for some reason, `dnsmasq-base` was required but not installed? + +couldn't figure out docker-compose + podman DNS stuff. gave up and hardcoded IP addresses; this will probably break. + +need to use `sudo` with podman (for now, at least) + +--- + +podman pull quay.io/hedgedoc/hedgedoc diff --git a/letsencrypt/archive3k.org b/letsencrypt/archive3k.org new file mode 100644 index 0000000..35e9787 --- /dev/null +++ b/letsencrypt/archive3k.org @@ -0,0 +1,11 @@ + + + # Add --dry-run to test... + sudo letsencrypt certonly \ + --non-interactive \ + --agree-tos \ + --expand \ + --email webmaster@robocracy.org \ + --webroot -w /var/www/letsencrypt \ + -d archive3k.org \ + -d www.archive3k.org diff --git a/letsencrypt/bnewbold.net b/letsencrypt/bnewbold.net new file mode 100644 index 0000000..41b42c1 --- /dev/null +++ b/letsencrypt/bnewbold.net 
@@ -0,0 +1,15 @@ + + + # Add --dry-run to test... + sudo letsencrypt certonly \ + --non-interactive \ + --agree-tos \ + --expand \ + --email webmaster@bnewbold.net \ + --webroot -w /var/www/letsencrypt \ + -d bnewbold.net -d www.bnewbold.net \ + -d goblin.bnewbold.net \ + -d know.bnewbold.net \ + -d static.bnewbold.net \ + -d feeds.bnewbold.net \ + -d git.bnewbold.net diff --git a/letsencrypt/bnewbold.the-nsa.org b/letsencrypt/bnewbold.the-nsa.org new file mode 100644 index 0000000..2e54c1c --- /dev/null +++ b/letsencrypt/bnewbold.the-nsa.org @@ -0,0 +1,11 @@ + +sudo letsencrypt certonly \ + --non-interactive \ + --agree-tos \ + --email bnewbold@the-nsa.org \ + --webroot -w /var/www/letsencrypt \ + -d bnewbold.the-nsa.org \ + -d files.bnewbold.the-nsa.org \ + -d modelthing.the-nsa.org \ + -d obscurity.bnewbold.the-nsa.org \ + -d repro.bnewbold.the-nsa.org diff --git a/letsencrypt/mail.the-nsa.org b/letsencrypt/mail.the-nsa.org new file mode 100644 index 0000000..6aee9f0 --- /dev/null +++ b/letsencrypt/mail.the-nsa.org @@ -0,0 +1,7 @@ + + # Add --dry-run to test... + sudo letsencrypt certonly \ + --non-interactive \ + --agree-tos \ + --email root@the-nsa.org \ + --standalone -d mail.the-nsa.org diff --git a/letsencrypt/rambutan b/letsencrypt/rambutan new file mode 100644 index 0000000..7530a89 --- /dev/null +++ b/letsencrypt/rambutan @@ -0,0 +1,11 @@ + + # Add --dry-run to test... + sudo letsencrypt certonly \ + --non-interactive \ + --agree-tos \ + --email root@rambutan.cc \ + --webroot -w /var/www/letsencrypt \ + -d rambutan.cc -d www.rambutan.cc \ + -d forums.rambutan.cc \ + -d staging.rambutan.cc \ + -d builds.rambutan.cc diff --git a/letsencrypt/robocracy b/letsencrypt/robocracy new file mode 100644 index 0000000..8abe91c --- /dev/null +++ b/letsencrypt/robocracy 
@@ -0,0 +1,18 @@ + + # Add --dry-run to test... + sudo letsencrypt certonly \ + --non-interactive \ + --agree-tos \ + --expand \ + --email root@robocracy.org \ + --webroot -w /var/www/letsencrypt \ + -d robocracy.org -d www.robocracy.org \ + -d adze.robocracy.org -d dav.robocracy.org + + # Add --dry-run to test... + sudo letsencrypt certonly \ + --non-interactive \ + --agree-tos \ + --email root@robocracy.org \ + --webroot -w /var/www/letsencrypt \ + -d mail.robocracy.org diff --git a/playbooks/init_adze.yml b/playbooks/init_adze.yml index 8ca3bfe..9df9fcd 100644 --- a/playbooks/init_adze.yml +++ b/playbooks/init_adze.yml @@ -11,19 +11,15 @@ - admin_email: "root@robocracy.org" - main_user_name: bnewbold - hostname_fqdn: adze.robocracy.org - - mediagoblin_hostname: goblin.bnewbold.net - cgit_hostname: git.bnewbold.net - gitolite_hostname: git.bnewbold.net - - mediagoblin_email_sender: goblin@bnewbold.net - - mediagoblin_basedir: /srv/http/goblin.bnewbold.net roles: - - debian_stretch + - debian_bullseye - hostname - common - nginx - git - - mediagoblin - znc - mailserver @@ -41,10 +37,11 @@ with_file: - pubkeys/bnewbold.pub - name: Extra packages for this host - apt: name={{item}} state=installed - with_items: - - socat - - rsyslog + apt: + state: present + name: + - socat + - rsyslog post_tasks: - name: Sanity check that we have IPv4 connectivity diff --git a/playbooks/init_bnewbold_nsa.yml b/playbooks/init_bnewbold_nsa.yml index be66cc1..9529448 100644 --- a/playbooks/init_bnewbold_nsa.yml +++ b/playbooks/init_bnewbold_nsa.yml @@ -15,7 +15,7 @@ - hostname_fqdn: bnewbold.the-nsa.org roles: - - debian_jessie + - debian_stretch - hostname - common - nullmailer @@ -35,10 +35,11 @@ with_file: - pubkeys/bnewbold.pub - name: Extra packages for this host - apt: name={{item}} state=installed - with_items: - - socat - - rsyslog + apt: + state: present + name: + - socat + - rsyslog post_tasks: - name: Sanity check that we have IPv4 connectivity 
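Review bot: The `- debian_stretch` role now selected for bnewbold.the-nsa.org pins that host to a release whose security support, including LTS, ended on 2022-06-30; the README hunk in this same commit is dated 2022-09-13, so if the commit is from that period the host will stop receiving security fixes from security.debian.org while unattended-upgrades still reports success. Moving it to the `debian_bullseye` role added in this commit, as init_adze.yml does in the hunk above, keeps the automatic security updates meaningful; if stretch is an intentional intermediate step, a comment next to the role saying so would help. The `roles:` list continues outside the hunk.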
diff --git a/roles/common/tasks/extrapkg.yml b/roles/common/tasks/extrapkg.yml index 0836912..79e08cb 100644 --- a/roles/common/tasks/extrapkg.yml +++ b/roles/common/tasks/extrapkg.yml @@ -1,17 +1,17 @@ --- - name: Install extras that Everybody wants - apt: pkg={{ item }} state=installed - with_items: - - ack-grep - - alpine - - build-essential - - cowsay - - ctorrent - - figlet - - ipython - - ipython3 - - lynx - - manpages-dev + apt: + state: present + name: + - ack-grep + - alpine + - build-essential + - cowsay + - ctorrent + - figlet + - ipython3 + - lynx + - manpages-dev tags: - dependencies diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index a4818b0..ec5ad7b 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml 
@@ -11,58 +11,71 @@ - dependencies - name: Install necessities and nice-to-haves - apt: pkg={{ item }} state=installed - with_items: - - apt-transport-https - - apticron - - aptitude - - bzip2 - - ca-certificates - - curl - - debian-goodies - - dialog - - dnsutils - - etckeeper - # fail2ban in security - - file - - git - - htop - - iftop - - ifupdown - - iotop - - iproute - - iputils-ping - - isc-dhcp-client - - less - - libui-dialog-perl - - locales - - locales-all - - lsof - - lvm2 - - man-db - - manpages-dev - - molly-guard - - mosh - - mtr-tiny - - netbase - - netcat - - net-tools - - ngrep - - openssh-server - - openssl - - pv - - python - - python-software-properties - # rkhunter in security - - screen - - sudo - - tcpdump - - tree - - unzip - - unattended-upgrades - - util-linux - - vim-nox - - wget + apt: + state: present + name: + # fail2ban in security + # rkhunter in security + - apt-transport-https + - apticron + - aptitude + - bash-completion + - bzip2 + - ca-certificates + - curl + - debian-goodies + - dialog + - dnsutils + - dstat + - etckeeper + - fd-find + - file + - git + - htop + - httpie + - iftop + - ifupdown + - iotop + - iproute + - iputils-ping + - isc-dhcp-client + - jq + - less + - libui-dialog-perl + - lnav + - locales + - locales-all + - lsof + - lvm2 + - man-db + - manpages-dev + - molly-guard + - moreutils + - mosh + - mtr-tiny + - net-tools + - netbase + - netcat + - ngrep + - openssh-server + - openssl + - parallel + - pigz + - pv + - python3 + - python3-software-properties + - ripgrep + - screen + - sqlite3 + - sudo + - tcpdump + - tree + - unattended-upgrades + - unzip + - util-linux + - vim-nox + - wget + - zip tags: - dependencies diff --git a/roles/common/tasks/ntp.yml b/roles/common/tasks/ntp.yml index c1489fd..219cdb5 100644 --- a/roles/common/tasks/ntp.yml +++ b/roles/common/tasks/ntp.yml 
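Review bot: The package list under `name:` still contains `iproute`, which I believe is no longer built on bullseye (only `iproute2` is); if so, the single `apt` call fails and the rest of the `common` role, including security.yml's fail2ban/rkhunter install, never runs on a freshly upgraded host. Replacing it with `- iproute2` (and verifying the other carried-over names such as `netcat` with `apt-cache policy` on a bullseye box) avoids that. `manpages-dev` is also listed here and in extrapkg.yml; harmless, but one of the two could go. The task's `tags:` continue outside the hunk.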
@@ -2,7 +2,7 @@ # Defines tasks applicable for NTP (Network Time Protocol) - name: Install ntp - apt: pkg=ntp state=installed + apt: name=ntp state=present tags: - dependencies diff --git a/roles/common/tasks/security.yml b/roles/common/tasks/security.yml index c00b941..df2f065 100644 --- a/roles/common/tasks/security.yml +++ b/roles/common/tasks/security.yml @@ -1,12 +1,13 @@ --- - name: Install security-related packages - apt: pkg={{ item }} state=installed - with_items: - - fail2ban - - whois - - lynis - - rkhunter - - debsums + apt: + state: present + name: + - fail2ban + - whois + - lynis + - rkhunter + - debsums tags: - dependencies diff --git a/roles/common/templates/etc_fail2ban_jail.local.j2 b/roles/common/templates/etc_fail2ban_jail.local.j2 index 35c161c..57e4dc2 100644 --- a/roles/common/templates/etc_fail2ban_jail.local.j2 +++ b/roles/common/templates/etc_fail2ban_jail.local.j2 @@ -8,7 +8,7 @@ banaction = iptables-multiport action = %(action_)s # JAILS -[ssh] +[sshd] enabled = true maxretry = 8 @@ -16,7 +16,7 @@ maxretry = 8 enabled = true banaction = iptables-allports -[ssh-ddos] +[sshd-ddos] enabled = true [postfix] diff --git a/roles/common/templates/root_gitconfig.j2 b/roles/common/templates/root_gitconfig.j2 index 90c7151..eeb8a44 100644 --- a/roles/common/templates/root_gitconfig.j2 +++ b/roles/common/templates/root_gitconfig.j2 @@ -1,5 +1,3 @@ - git config --global user.name "Your Name" - git config --global user.email you@example.com [user] name = root email = root@{{ hostname_fqdn }} diff --git a/roles/debian_bullseye/debian_bullseye_upgrade.txt b/roles/debian_bullseye/debian_bullseye_upgrade.txt new file mode 100644 index 0000000..ccdd8d0 --- /dev/null +++ b/roles/debian_bullseye/debian_bullseye_upgrade.txt @@ -0,0 +1,7 @@ + +config files that should probably be reviewed: +- sshd (openssh-server) +- dovecot SSL settings +- nginx SSL settings + +znc dropped the 'partyline' plugin 
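Review bot: The `[sshd-ddos]` jail renamed in the second fail2ban hunk does not exist in fail2ban 0.10 and later (bullseye ships the 0.11 series), where the ddos filter was folded into the `sshd` filter's `mode` setting; as far as I can tell an enabled jail whose filter cannot be found makes fail2ban refuse to start, which would disable the `[sshd]` protection the first hunk just repaired. I'd drop the `[sshd-ddos]` section and put `mode = aggressive` under `[sshd]` instead, then confirm with `fail2ban-client status sshd`. The jail sections this touches continue outside both hunks, so check which jail the `banaction = iptables-allports` context line belongs to before moving it.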
diff --git a/roles/debian_bullseye/defaults/main.yml b/roles/debian_bullseye/defaults/main.yml new file mode 100644 index 0000000..3703452 --- /dev/null +++ b/roles/debian_bullseye/defaults/main.yml @@ -0,0 +1,2 @@ + +admin_email: "root" diff --git a/roles/debian_bullseye/tasks/main.yml b/roles/debian_bullseye/tasks/main.yml new file mode 100644 index 0000000..6ca1691 --- /dev/null +++ b/roles/debian_bullseye/tasks/main.yml @@ -0,0 +1,10 @@ + +- name: Configure sources.list for bullseye + template: src=etc_apt_sources_list.j2 dest=/etc/apt/sources.list + +- name: Enable automatic upgrades + template: src=etc_apt_apt_confd_20auto_upgrades.j2 dest=/etc/apt/apt.conf.d/20auto-upgrades + +- name: Configure unattended upgrades for bullseye + template: src=etc_apt_apt_confd_50unattended_upgrades.j2 dest=/etc/apt/apt.conf.d/50unattended-upgrades + diff --git a/roles/debian_bullseye/templates/etc_apt_apt_confd_20auto_upgrades.j2 b/roles/debian_bullseye/templates/etc_apt_apt_confd_20auto_upgrades.j2 new file mode 100644 index 0000000..c75a5d7 --- /dev/null +++ b/roles/debian_bullseye/templates/etc_apt_apt_confd_20auto_upgrades.j2 @@ -0,0 +1,4 @@ +# {{ ansible_managed }} + +APT::Periodic::Update-Package-Lists "1"; +APT::Periodic::Unattended-Upgrade "1"; diff --git a/roles/debian_bullseye/templates/etc_apt_apt_confd_50unattended_upgrades.j2 b/roles/debian_bullseye/templates/etc_apt_apt_confd_50unattended_upgrades.j2 new file mode 100644 index 0000000..967abb1 --- /dev/null +++ b/roles/debian_bullseye/templates/etc_apt_apt_confd_50unattended_upgrades.j2 
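Review bot: The sources.list template task has no `notify` handler and no cache refresh, so roles that run after `debian_bullseye` install from whatever package lists the host last fetched — on a host just switched from stretch, those are the old stretch indexes — until something else runs `apt-get update`. A closing task such as `- name: Refresh apt cache after sources change` with `apt: update_cache=yes` in this file would make the role self-contained and ensure the `bullseye-security` suite it just configured is actually consulted. The three `template:` tasks also rely on default ownership and mode for files under /etc/apt; stating `mode=0644` documents the intent.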
@@ -0,0 +1,94 @@
+// Unattended-Upgrade::Origins-Pattern controls which packages are
+// upgraded.
+//
+// {{ ansible_managed }}
+//
+// Lines below have the format format is "keyword=value,...". A
+// package will be upgraded only if the values in its metadata match
+// all the supplied keywords in a line. (In other words, omitted
+// keywords are wild cards.) The keywords originate from the Release
+// file, but several aliases are accepted. The accepted keywords are:
+// a,archive,suite (eg, "stable")
+// c,component (eg, "main", "crontrib", "non-free")
+// l,label (eg, "Debian", "Debian-Security")
+// o,origin (eg, "Debian", "Unofficial Multimedia Packages")
+// n,codename (eg, "bullseye", "bullseye-updates")
+// site (eg, "http.debian.net")
+// The available values on the system are printed by the command
+// "apt-cache policy", and can be debugged by running
+// "unattended-upgrades -d" and looking at the log file.
+//
+// Within lines unattended-upgrades allows 2 macros whose values are
+// derived from /etc/debian_version:
+// ${distro_id} Installed origin.
+// ${distro_codename} Installed codename (eg, "bullseye")
+Unattended-Upgrade::Origins-Pattern {
+ // Codename based matching:
+ // This will follow the migration of a release through different
+ // archives (e.g. from testing to stable and later oldstable).
+ "o=Debian,n=bullseye";
+ "o=Debian,n=bullseye-updates";
+// "o=Debian,n=bullseye-proposed-updates";
+ "o=Debian,n=bullseye,l=Debian-Security";
+
+ // Archive or Suite based matching:
+ // Note that this will silently match a different release after
+ // migration to the specified archive (e.g. testing becomes the
+ // new stable).
+// "o=Debian,a=stable";
+// "o=Debian,a=stable-updates";
+// "o=Debian,a=proposed-updates";
+ "origin=Debian,codename=${distro_codename},label=Debian-Security";
+};
+
+// List of packages to not update (regexp are supported)
+Unattended-Upgrade::Package-Blacklist {
+ "vim";
+ "libc6";
+ "libc6-dev";
+ "libc6-i686";
+};
+
+// This option allows you to control if on a unclean dpkg exit
+// unattended-upgrades will automatically run
+// dpkg --force-confold --configure -a
+// The default is true, to ensure updates keep getting installed
+//Unattended-Upgrade::AutoFixInterruptedDpkg "false";
+
+// Split the upgrade into the smallest possible chunks so that
+// they can be interrupted with SIGUSR1. This makes the upgrade
+// a bit slower but it has the benefit that shutdown while a upgrade
+// is running is possible (with a small delay)
+Unattended-Upgrade::MinimalSteps "true";
+
+// Install all unattended-upgrades when the machine is shuting down
+// instead of doing it in the background while the machine is running
+// This will (obviously) make shutdown slower
+//Unattended-Upgrade::InstallOnShutdown "true";
+
+// Send email to this address for problems or packages upgrades
+// If empty or unset then no email is sent, make sure that you
+// have a working mail setup on your system. A package that provides
+// 'mailx' must be installed. E.g. "user@example.com"
+Unattended-Upgrade::Mail "{{ admin_email }}";
+
+// Set this value to "true" to get emails only on errors.
Default
+// is to always send a mail if Unattended-Upgrade::Mail is set
+Unattended-Upgrade::MailOnlyOnError "true";
+
+// Do automatic removal of new unused dependencies after the upgrade
+// (equivalent to apt-get autoremove)
+//Unattended-Upgrade::Remove-Unused-Dependencies "false";
+
+// Automatically reboot *WITHOUT CONFIRMATION* if
+// the file /var/run/reboot-required is found after the upgrade
+Unattended-Upgrade::Automatic-Reboot "false";
+
+// If automatic reboot is enabled and needed, reboot at the specific
+// time instead of immediately
+// Default: "now"
+//Unattended-Upgrade::Automatic-Reboot-Time "02:00";
+
+// Use apt bandwidth limit feature, this example limits the download
+// speed to 70kb/sec
+//Acquire::http::Dl-Limit "70";
diff --git a/roles/debian_bullseye/templates/etc_apt_sources_list.j2 b/roles/debian_bullseye/templates/etc_apt_sources_list.j2
new file mode 100644
index 0000000..b0644bb
--- /dev/null
+++ b/roles/debian_bullseye/templates/etc_apt_sources_list.j2
@@ -0,0 +1,15 @@
+# {{ ansible_managed }}
+
+deb http://http.debian.net/debian/ bullseye main
+deb-src http://http.debian.net/debian/ bullseye main
+
+deb http://security.debian.org/debian-security bullseye-security main
+deb-src http://security.debian.org/debian-security bullseye-security main
+
+# bullseye-updates, previously known as 'volatile'
+deb http://http.debian.net/debian/ bullseye-updates main
+deb-src http://http.debian.net/debian/ bullseye-updates main
+
+# bullseye-backports, previously on backports.debian.org
+deb http://http.debian.net/debian/ bullseye-backports main
+deb-src http://http.debian.net/debian/ bullseye-backports main
diff --git a/roles/git/tasks/cgit.yml b/roles/git/tasks/cgit.yml
index 9d3f2db..40c5af7 100644
--- a/roles/git/tasks/cgit.yml
+++ b/roles/git/tasks/cgit.yml
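Review bot: The two security patterns in `Unattended-Upgrade::Origins-Pattern` look like they will not match on bullseye: the security archive this commit's sources.list points at (`bullseye-security`) publishes a Release file with codename `bullseye-security`, so `"o=Debian,n=bullseye,l=Debian-Security"` and `"origin=Debian,codename=${distro_codename},label=Debian-Security"` select nothing and only the plain `bullseye` and `bullseye-updates` suites get applied automatically — the opposite of what a security-first unattended-upgrades setup wants. Debian's own bullseye template uses `"origin=Debian,codename=${distro_codename}-security,label=Debian-Security";`, which I'd put in place of those two lines and confirm with `unattended-upgrades --dry-run -d` (it prints which origins are allowed). Separately, `Package-Blacklist` excludes `libc6` and `libc6-dev`, so glibc security fixes wait for a manual run; if that is deliberate, a comment above the list explaining why would help the next reader.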
@@ -1,10 +1,11 @@ - name: Install cgit package and deps (fcgi stuff) - apt: pkg={{ item }} state=installed - with_items: - - cgit - - fcgiwrap - - spawn-fcgi + apt: + state: present + name: + - cgit + - fcgiwrap + - spawn-fcgi tags: - dependencies diff --git a/roles/git/tasks/git-daemon.yml b/roles/git/tasks/git-daemon.yml index 793275c..b604401 100644 --- a/roles/git/tasks/git-daemon.yml +++ b/roles/git/tasks/git-daemon.yml @@ -1,8 +1,6 @@ - name: Install git-daemon-sysvinit package - apt: pkg={{ item }} state=installed - with_items: - - git-daemon-sysvinit + apt: name=git-daemon-sysvinit state=present tags: - dependencies diff --git a/roles/git/tasks/gitolite.yml b/roles/git/tasks/gitolite.yml index 09a6ac8..f926560 100644 --- a/roles/git/tasks/gitolite.yml +++ b/roles/git/tasks/gitolite.yml @@ -8,7 +8,7 @@ user: name=www-data groups=git append=yes - name: Install gitolite3 package - apt: pkg=gitolite3 state=installed + apt: name=gitolite3 state=present tags: - dependencies diff --git a/roles/git/templates/etc_nginx_sites-available_cgit.j2 b/roles/git/templates/etc_nginx_sites-available_cgit.j2 index 903d38c..8efe3a7 100644 --- a/roles/git/templates/etc_nginx_sites-available_cgit.j2 +++ b/roles/git/templates/etc_nginx_sites-available_cgit.j2 
@@ -4,7 +4,25 @@ server { listen 80; listen [::]:80; + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name {{ cgit_hostname }}; + + ssl_certificate /etc/letsencrypt/live/bnewbold.net/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/bnewbold.net/privkey.pem; + + add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'"; + add_header X-Frame-Options "SAMEORIGIN"; # 'always' if nginx > 1.7.5 + add_header X-Content-Type-Options "nosniff"; # 'always' if nginx > 1.7.5 + add_header X-Xss-Protection "1"; + # Enable STS with one year period (breaks http; optional) + #add_header Strict-Transport-Security "max-age=31557600; includeSubDomains"; + + if ($scheme = http) { + return 301 https://$server_name$request_uri; + } + root /srv/http/cgit; location / { @@ -21,5 +39,11 @@ server { include "fastcgi_params"; } + + # Let's Encrypt SSL Certs + location /.well-known/acme-challenge/ { + root /var/www/letsencrypt; + autoindex off; + } } diff --git a/roles/mailserver/tasks/dovecot.yml b/roles/mailserver/tasks/dovecot.yml index 9d2c20e..ca62b96 100644 --- a/roles/mailserver/tasks/dovecot.yml +++ b/roles/mailserver/tasks/dovecot.yml @@ -1,10 +1,12 @@ - name: Install Dovecot and related packages - apt: pkg={{ item }} update_cache=yes state=installed - with_items: - - dovecot-core - - dovecot-imapd - - dovecot-lmtpd - - dovecot-antispam + apt: + update_cache: yes + state: present + name: + - dovecot-core + - dovecot-imapd + - dovecot-lmtpd + - dovecot-antispam tags: - dependencies diff --git a/roles/mailserver/tasks/postfix.yml b/roles/mailserver/tasks/postfix.yml index a36acd6..7b02cf4 100644 --- a/roles/mailserver/tasks/postfix.yml +++ b/roles/mailserver/tasks/postfix.yml 
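Review bot: The new TLS listener hard-codes the certificate to `/etc/letsencrypt/live/bnewbold.net/` while `server_name` is templated from `{{ cgit_hostname }}`, so applying the role with any other hostname serves a certificate that does not match the name, or fails to start if that path is absent; a role variable for the certificate directory, used in both `ssl_certificate` lines, keeps them in step. The `if ($scheme = http)` redirect also fires for the `/.well-known/acme-challenge/` location added in the second hunk — certbot follows redirects so renewals should still succeed, but a dedicated `server { listen 80; ... }` block that serves the challenge path and 301s everything else is the more conventional and predictable shape. With every request now forced to HTTPS, leaving the `Strict-Transport-Security` header commented out means first-hop downgrade protection is still missing. The `server` block starts before the first hunk.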
@@ -1,10 +1,11 @@ - name: Install Postfix and related packages - apt: pkg={{ item }} state=installed - with_items: - - libsasl2-modules - - postfix - - postfix-pcre - - sasl2-bin + apt: + state: present + name: + - libsasl2-modules + - postfix + - postfix-pcre + - sasl2-bin tags: - dependencies diff --git a/roles/mailserver/tasks/rspamd.yml b/roles/mailserver/tasks/rspamd.yml index 4d870a8..c00bf72 100644 --- a/roles/mailserver/tasks/rspamd.yml +++ b/roles/mailserver/tasks/rspamd.yml @@ -26,9 +26,7 @@ - dependencies - name: Install Rspamd and Redis - apt: pkg={{ item }} state=installed update_cache=yes - with_items: - - rspamd + apt: pkg=rspamd state=installed update_cache=yes tags: - dependencies diff --git a/roles/mediagoblin/tasks/mediagoblin.yml b/roles/mediagoblin/tasks/mediagoblin.yml index ff092e6..12252e1 100644 --- a/roles/mediagoblin/tasks/mediagoblin.yml +++ b/roles/mediagoblin/tasks/mediagoblin.yml @@ -1,16 +1,17 @@ - name: Install mediagoblin dependencies - apt: name={{item}} state=installed - with_items: - - python3-dev - - python3-lxml - - python3-pil - - python3-virtualenv - - python3-babel - - python3-pip - - virtualenv - - automake - - npm # XXX: really? UGH - - nodejs-legacy + apt: + state: present + name: + - python3-dev + - python3-lxml + - python3-pil + - python3-virtualenv + - python3-babel + - python3-pip + - virtualenv + - automake + - npm # XXX: really? UGH + - nodejs-legacy tags: - dependencies diff --git a/roles/nginx/HOWTO_letsencrypt.txt b/roles/nginx/HOWTO_letsencrypt.txt index ada7075..7b658ec 100644 --- a/roles/nginx/HOWTO_letsencrypt.txt +++ b/roles/nginx/HOWTO_letsencrypt.txt 
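Review bot: The rspamd task is the one `apt` call in this commit left on the `pkg=`/`state=installed` form (`apt: pkg=rspamd state=installed update_cache=yes`) while every other hunk moves to `name`/`state: present`; newer Ansible deprecates the `installed` alias, so this line will start warning or failing before the others do. For consistency: `apt: name=rspamd state=present update_cache=yes`. The task's `tags:` and the neighbouring tasks continue outside the hunk.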
@@ -39,6 +39,32 @@ cert), do something like this: -d static.bnewbold.net \ -d git.bnewbold.net + sudo certbot certonly \ + --non-interactive \ + --agree-tos \ + --email webmaster@robocracy.org \ + --webroot -w /var/www/letsencrypt \ + -d robocracy.org -d www.robocracy.org \ + -d adze.robocracy.org \ + -d dav.robocracy.org \ + -d pad.robocracy.org \ + -d pierre-menard.robocracy.org --expand + + sudo letsencrypt certonly \ + --non-interactive \ + --agree-tos \ + --email bnewbold@the-nsa.org \ + --webroot -w /var/www/letsencrypt \ + -d bnewbold.the-nsa.org \ + -d files.bnewbold.the-nsa.org \ + -d hashbase.bnewbold.the-nsa.org \ + -d modelthing.the-nsa.org \ + -d obscurity.bnewbold.the-nsa.org \ + -d repro.bnewbold.the-nsa.org \ + -d perf.bnewbold.the-nsa.org --expand + + # formerly: very-flat.com + The above will yield a cert at the following path (presumably path has the first domain name): diff --git a/roles/nginx/HOWTO_new_site.txt b/roles/nginx/HOWTO_new_site.txt index 1834e93..777665b 100644 --- a/roles/nginx/HOWTO_new_site.txt +++ b/roles/nginx/HOWTO_new_site.txt @@ -21,6 +21,11 @@ For a reverse proxied website: listen [::]:80; server_name <example.com>; + location = /favicon.ico { + access_log off; + log_not_found off; + } + location /theme_static/ { alias /some/static/files/dir/theme_static/; } 
@@ -35,19 +40,32 @@ For a reverse proxied website: For SSL stuff, add this to the body: - listen 443 ssl spdy; - listen [::]:443 ssl spdy; + listen 443 ssl http2; + listen [::]:443 ssl http2; ssl_certificate /etc/letsencrypt/live/<cert-name>/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/<cert-name>/privkey.pem; add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'"; + #add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"; add_header X-Frame-Options "SAMEORIGIN"; # 'always' if nginx > 1.7.5 add_header X-Content-Type-Options "nosniff"; # 'always' if nginx > 1.7.5 add_header X-Xss-Protection "1"; # Enable STS with one year period (breaks http; optional) #add_header Strict-Transport-Security "max-age=31557600; includeSubDomains"; + + if ($scheme = http) { + return 301 https://$server_name$request_uri; + } + + # Let's Encrypt SSL Certs + location /.well-known/acme-challenge/ { + root /var/www/letsencrypt; + autoindex off; + } + + If your site is going to have inline Javascript (pretty common), you might need to swith the Content-Security-Policy line to: diff --git a/roles/nginx/templates/etc_nginx_nginx.conf.j2 b/roles/nginx/templates/etc_nginx_nginx.conf.j2 index 03e1a6c..7c99d7e 100644 --- a/roles/nginx/templates/etc_nginx_nginx.conf.j2 +++ b/roles/nginx/templates/etc_nginx_nginx.conf.j2 @@ -1,8 +1,9 @@ -{{ ansible_managed }} +# {{ ansible_managed }} user www-data; -worker_processes 4; +worker_processes auto; pid /run/nginx.pid; +include /etc/nginx/modules-enabled/*.conf; events { worker_connections 768; @@ -22,7 +23,7 @@ http { types_hash_max_size 2048; # server_tokens off; - # server_names_hash_bucket_size 64; + server_names_hash_bucket_size 256; # server_name_in_redirect off; include /etc/nginx/mime.types; 
@@ -32,7 +33,7 @@ http { # SSL Settings ## - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE ssl_ciphers EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:128m; diff --git a/roles/nullmailer/tasks/main.yml b/roles/nullmailer/tasks/main.yml index d694173..b22cda3 100644 --- a/roles/nullmailer/tasks/main.yml +++ b/roles/nullmailer/tasks/main.yml @@ -1,9 +1,10 @@ --- - name: Install nullmailer and mailx - apt: name={{ item }} state=installed - with_items: - - nullmailer - - heirloom-mailx + apt: + state: present + name: + - nullmailer + - heirloom-mailx tags: - dependencies diff --git a/roles/znc/tasks/znc.yml b/roles/znc/tasks/znc.yml index ecb6103..a320041 100644 --- a/roles/znc/tasks/znc.yml +++ b/roles/znc/tasks/znc.yml @@ -2,15 +2,11 @@ - name: Install znc (jessie-backports) when: (ansible_distribution == "Debian" and ansible_distribution_major_version == "8") - apt: pkg={{ item }} state=installed repo=jessie-backports - with_items: - - znc + apt: name=znc state=present repo=jessie-backports - name: Install znc (non-jessie) when: not (ansible_distribution == "Debian" and ansible_distribution_major_version == "8") - apt: pkg={{ item }} state=installed - with_items: - - znc + apt: name=znc state=present - name: Create znc group group: name=znc state=present |
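Review bot: The `ssl_protocols` line adds TLSv1.3 but still enables TLSv1 and TLSv1.1, which RFC 8996 deprecated and current browsers have disabled, and the unchanged `ssl_ciphers` context line keeps `EECDH+3DES:RSA+3DES` (a 64-bit block cipher, SWEET32) and RSA key exchange without forward secrecy. Since the cgit template in this commit now terminates TLS using these shared settings, I'd tighten them together: `ssl_protocols TLSv1.2 TLSv1.3;` and drop the two `3DES` entries from `ssl_ciphers`, then run `nginx -t`. The `# SSL Settings` section continues outside the hunk.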
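Review bot: The jessie-backports task keeps `repo=jessie-backports` on the new `apt:` line, but I do not find a `repo` option on the apt module — the target suite is chosen with `default_release` — so this task should fail with an unsupported-parameter error whenever its `when:` condition is true. Either correct it to `apt: name=znc state=present default_release=jessie-backports` or, since neither playbook visible in this commit selects the `debian_jessie` role any more, drop the Debian 8 branch and its `when:` guard entirely. The following tasks continue outside the hunk.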