[task-406] nginx

This commit is contained in:
fenris 2025-10-09 01:42:26 +02:00
parent 5d1b1908a5
commit fb931da668
4 changed files with 100 additions and 35 deletions


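--- /dev/null
+++ b/PATH-NOT-SHOWN-1
@@ -0,0 +1,28 @@
+{
+"nullable": false,
+"type": "object",
+"properties": {
+"auto_reload_interval": {
+"nullable": true,
+"type": "integer",
+"description": "in hours",
+"default": null
+},
+"dhparam_size": {
+"nullable": true,
+"type": "integer",
+"default": null
+},
+"improved_security": {
+"nullable": false,
+"type": "boolean",
+"default": false
+}
+},
+"additionalProperties": false,
+"required": [
+"auto_reload_interval",
+"dhparam_size",
+"improved_security"
+]
+}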
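Review bot: `dhparam_size` and `auto_reload_interval` accept any integer, so the schema admits values the tasks in this commit cannot use: a tiny or negative size handed straight to `openssl dhparam`, and an interval of 0, which the cron tasks template into the invalid field `*/0`. Add `"minimum": 2048` under `dhparam_size` and `"minimum": 1` under `auto_reload_interval`; `nullable` keeps null allowed, so the "not configured" case is unaffected. `improved_security` has no `description`, and none of the hunks shown in this commit read it; a one-line description of what it switches on, or deferring the key until something consumes it, would spare the next reader a search.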


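--- a/PATH-NOT-SHOWN-2
+++ b/PATH-NOT-SHOWN-2
@@ -1,3 +1,7 @@
 {
-"var_nginx_auto_reload_interval": null
+"cfg_nginx_defaults": {
+"auto_reload_interval": null,
+"dhparam_size": null,
+"improved_security": false
+}
 }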


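--- a/PATH-NOT-SHOWN-3
+++ b/PATH-NOT-SHOWN-3
@@ -1,4 +1,11 @@
 [
+{
+"name": "show vars",
+"when": "switch_show_vars",
+"ansible.builtin.debug": {
+"var": "vars.cfg_nginx"
+}
+},
 {
 "name": "install packages",
 "become": true,
@@ -12,9 +19,10 @@
 },
 {
 "name": "generate dhparams file",
+"when": "cfg_nginx.dhparam_size != None",
 "become": true,
 "ansible.builtin.command": {
-"cmd": "openssl dhparam -out /etc/nginx/dhparam 4096"
+"cmd": "openssl dhparam -out /etc/nginx/dhparam {{cfg_nginx.dhparam_size | string}}"
 },
 "args": {
 "creates": "/etc/nginx/dhparam"
@@ -23,13 +31,16 @@
 {
 "name": "place hardening config",
 "become": true,
-"ansible.builtin.copy": {
-"src": "ssl-hardening.conf",
+"ansible.builtin.template": {
+"src": "ssl-hardening.conf.j2",
 "dest": "/etc/nginx/ssl-hardening.conf"
 }
 },
 {
-"name": "ufw | check",
+"name": "ufw",
+"block": [
+{
+"name": "check",
 "become": true,
 "check_mode": true,
 "community.general.ufw": {
@@ -38,7 +49,7 @@
 "register": "ufw_enable_check"
 },
 {
-"name": "ufw | allow port 80",
+"name": "allow port 80",
 "when": "not ufw_enable_check.changed",
 "become": true,
 "community.general.ufw": {
@@ -48,7 +59,7 @@
 }
 },
 {
-"name": "ufw | allow port 443",
+"name": "allow port 443",
 "when": "not ufw_enable_check.changed",
 "become": true,
 "community.general.ufw": {
@@ -56,16 +67,18 @@
 "port": "443",
 "proto": "tcp"
 }
+}
+]
 },
 {
 "name": "auto reload",
-"when": "var_nginx_auto_reload_interval == None",
+"when": "cfg_nginx.auto_reload_interval == None",
 "become": true,
 "ansible.builtin.cron": {
 "name": "nginx_auto_reload",
 "disabled": true,
 "minute": "0",
-"hour": "*/{{var_nginx_auto_reload_interval | string}}",
+"hour": "*/{{cfg_nginx.auto_reload_interval | string}}",
 "day": "*",
 "month": "*",
 "weekday": "*",
@@ -74,13 +87,13 @@
 },
 {
 "name": "auto reload",
-"when": "var_nginx_auto_reload_interval != None",
+"when": "cfg_nginx.auto_reload_interval != None",
 "become": true,
 "ansible.builtin.cron": {
 "name": "nginx_auto_reload",
 "disabled": false,
 "minute": "0",
-"hour": "*/{{var_nginx_auto_reload_interval | string}}",
+"hour": "*/{{cfg_nginx.auto_reload_interval | string}}",
 "day": "*",
 "month": "*",
 "weekday": "*",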


@ -0,0 +1,20 @@
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
{% if cfg_nginx.dhparam_size != None %}
ssl_dhparam /etc/nginx/dhparam;
{% endif %}
# intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;