2023-11-20 02:07:08 +01:00
|
|
|
[
|
2025-10-07 16:15:58 +02:00
|
|
|
{
|
|
|
|
|
"name": "show vars",
|
|
|
|
|
"ansible.builtin.debug": {
|
2025-10-07 16:22:00 +02:00
|
|
|
"var": "vars.cfg_nginx"
|
2025-10-07 16:15:58 +02:00
|
|
|
}
|
|
|
|
|
},
|
2023-11-20 02:07:08 +01:00
|
|
|
{
|
|
|
|
|
"name": "install packages",
|
|
|
|
|
"become": true,
|
|
|
|
|
"ansible.builtin.apt": {
|
2024-03-20 00:05:42 +01:00
|
|
|
"update_cache": true,
|
2023-11-20 02:07:08 +01:00
|
|
|
"pkg": [
|
2024-04-24 19:33:35 +02:00
|
|
|
"nginx",
|
|
|
|
|
"openssl"
|
2023-11-20 02:07:08 +01:00
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
},
|
2024-04-19 00:20:46 +02:00
|
|
|
{
|
2024-04-20 13:11:26 +02:00
|
|
|
"name": "generate dhparams file",
|
2025-10-07 16:12:13 +02:00
|
|
|
"when": "cfg_nginx.improved_security",
|
2024-06-09 12:46:26 +02:00
|
|
|
"become": true,
|
|
|
|
|
"ansible.builtin.command": {
|
2025-10-07 16:07:09 +02:00
|
|
|
"cmd": "openssl dhparam -out /etc/nginx/dhparam 4096"
|
2024-06-09 12:46:26 +02:00
|
|
|
},
|
2024-04-20 13:11:26 +02:00
|
|
|
"args": {
|
|
|
|
|
"creates": "/etc/nginx/dhparam"
|
2024-04-19 00:20:46 +02:00
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"name": "place hardening config",
|
2025-10-07 16:12:13 +02:00
|
|
|
"when": "cfg_nginx.improved_security",
|
2024-04-19 00:20:46 +02:00
|
|
|
"become": true,
|
|
|
|
|
"ansible.builtin.copy": {
|
|
|
|
|
"src": "ssl-hardening.conf",
|
|
|
|
|
"dest": "/etc/nginx/ssl-hardening.conf"
|
|
|
|
|
}
|
|
|
|
|
},
|
2024-04-20 17:08:39 +02:00
|
|
|
{
|
2024-06-01 17:56:28 +02:00
|
|
|
"name": "ufw | check",
|
|
|
|
|
"become": true,
|
2024-04-20 17:08:39 +02:00
|
|
|
"check_mode": true,
|
|
|
|
|
"community.general.ufw": {
|
2024-06-01 17:56:28 +02:00
|
|
|
"state": "enabled"
|
|
|
|
|
},
|
|
|
|
|
"register": "ufw_enable_check"
|
2024-04-20 17:08:39 +02:00
|
|
|
},
|
|
|
|
|
{
|
2024-06-01 17:56:28 +02:00
|
|
|
"name": "ufw | allow port 80",
|
|
|
|
|
"when": "not ufw_enable_check.changed",
|
|
|
|
|
"become": true,
|
2024-04-20 17:08:39 +02:00
|
|
|
"community.general.ufw": {
|
|
|
|
|
"rule": "allow",
|
|
|
|
|
"port": "80",
|
|
|
|
|
"proto": "tcp"
|
2024-06-01 17:56:28 +02:00
|
|
|
}
|
2024-04-20 17:08:39 +02:00
|
|
|
},
|
|
|
|
|
{
|
2024-06-01 17:56:28 +02:00
|
|
|
"name": "ufw | allow port 443",
|
|
|
|
|
"when": "not ufw_enable_check.changed",
|
|
|
|
|
"become": true,
|
2024-04-20 17:08:39 +02:00
|
|
|
"community.general.ufw": {
|
|
|
|
|
"rule": "allow",
|
|
|
|
|
"port": "443",
|
|
|
|
|
"proto": "tcp"
|
2024-06-01 17:56:28 +02:00
|
|
|
}
|
2024-04-20 17:08:39 +02:00
|
|
|
},
|
2024-06-09 11:01:34 +02:00
|
|
|
{
|
|
|
|
|
"name": "auto reload",
|
2025-10-07 16:12:13 +02:00
|
|
|
"when": "cfg_nginx.auto_reload_interval == None",
|
2024-06-09 11:01:34 +02:00
|
|
|
"become": true,
|
|
|
|
|
"ansible.builtin.cron": {
|
|
|
|
|
"name": "nginx_auto_reload",
|
|
|
|
|
"disabled": true,
|
|
|
|
|
"minute": "0",
|
2025-10-07 16:12:13 +02:00
|
|
|
"hour": "*/{{cfg_nginx.auto_reload_interval | string}}",
|
2024-06-09 11:01:34 +02:00
|
|
|
"day": "*",
|
|
|
|
|
"month": "*",
|
|
|
|
|
"weekday": "*",
|
|
|
|
|
"job": "systemctl reload nginx"
|
|
|
|
|
}
|
|
|
|
|
},
|
2024-06-06 13:51:31 +02:00
|
|
|
{
|
|
|
|
|
"name": "auto reload",
|
2025-10-07 16:12:13 +02:00
|
|
|
"when": "cfg_nginx.auto_reload_interval != None",
|
2024-06-06 13:51:31 +02:00
|
|
|
"become": true,
|
|
|
|
|
"ansible.builtin.cron": {
|
|
|
|
|
"name": "nginx_auto_reload",
|
|
|
|
|
"disabled": false,
|
|
|
|
|
"minute": "0",
|
2025-10-07 16:12:13 +02:00
|
|
|
"hour": "*/{{cfg_nginx.auto_reload_interval | string}}",
|
2024-06-06 13:51:31 +02:00
|
|
|
"day": "*",
|
|
|
|
|
"month": "*",
|
|
|
|
|
"weekday": "*",
|
|
|
|
|
"job": "systemctl reload nginx"
|
|
|
|
|
}
|
|
|
|
|
},
|
2023-11-20 02:07:08 +01:00
|
|
|
{
|
|
|
|
|
"name": "restart service",
|
|
|
|
|
"become": true,
|
|
|
|
|
"ansible.builtin.systemd_service": {
|
|
|
|
|
"state": "restarted",
|
|
|
|
|
"name": "nginx"
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
|
