[
{
"name": "show vars",
"when": "switch_debug",
"ansible.builtin.debug": {
"var": "vars.cfg_nginx"
}
},
{
"name": "install packages",
"become": true,
"ansible.builtin.apt": {
"update_cache": true,
"pkg": [
"nginx",
"openssl"
]
}
},
{
"name": "generate dhparams file",
"when": "cfg_nginx.dhparam_size != None",
"become": true,
"ansible.builtin.command": {
"cmd": "openssl dhparam -out /etc/nginx/dhparam {{cfg_nginx.dhparam_size | string}}"
},
"args": {
"creates": "/etc/nginx/dhparam"
}
},
{
"name": "place hardening config",
"become": true,
"ansible.builtin.template": {
"src": "ssl-hardening.conf.j2",
"dest": "/etc/nginx/ssl-hardening.conf"
}
},
{
"name": "ufw",
"block": [
{
"name": "check",
"become": true,
"check_mode": true,
"community.general.ufw": {
"state": "enabled"
},
"register": "ufw_enable_check"
},
{
"name": "allow port 80",
"when": "not ufw_enable_check.changed",
"become": true,
"community.general.ufw": {
"rule": "allow",
"port": "80",
"proto": "tcp"
}
},
{
"name": "allow port 443",
"when": "not ufw_enable_check.changed",
"become": true,
"community.general.ufw": {
"rule": "allow",
"port": "443",
"proto": "tcp"
}
}
]
},
{
"name": "auto reload",
"when": "cfg_nginx.auto_reload_interval == None",
"become": true,
"ansible.builtin.cron": {
"name": "nginx_auto_reload",
"disabled": true,
"minute": "0",
"hour": "*/{{cfg_nginx.auto_reload_interval | string}}",
"day": "*",
"month": "*",
"weekday": "*",
"job": "systemctl reload nginx"
}
},
{
"name": "auto reload",
"when": "cfg_nginx.auto_reload_interval != None",
"become": true,
"ansible.builtin.cron": {
"name": "nginx_auto_reload",
"disabled": false,
"minute": "0",
"hour": "*/{{cfg_nginx.auto_reload_interval | string}}",
"day": "*",
"month": "*",
"weekday": "*",
"job": "systemctl reload nginx"
}
},
{
"name": "restart service",
"become": true,
"ansible.builtin.systemd_service": {
"state": "restarted",
"name": "nginx"
}
}
]