misc/ansible-base
0
0
Fork 0
Code Issues Pull requests 1 Actions Packages Projects Releases Wiki Activity

[task-406] nginx

Browse source
This commit is contained in:
fenris 2025-10-09 01:42:26 +02:00
parent 5d1b1908a5
commit fb931da668
4 changed files with 100 additions and 35 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

28
roles/nginx/cfg.schema.json Normal file
View file

@ -0,0 +1,28 @@
{
"nullable": false,
"type": "object",
"properties": {
"auto_reload_interval": {
"nullable": true,
"type": "integer",
"description": "in hours",
"default": null
},
"dhparam_size": {
"nullable": true,
"type": "integer",
"default": null
},
"improved_security": {
"nullable": false,
"type": "boolean",
"default": false
}
},
"additionalProperties": false,
"required": [
"auto_reload_interval",
"dhparam_size",
"improved_security"
]
}

6
roles/nginx/defaults/main.json
View file

@ -1,3 +1,7 @@
{
"var_nginx_auto_reload_interval": null
"cfg_nginx_defaults": {
"auto_reload_interval": null,
"dhparam_size": null,
"improved_security": false
}
}

33
roles/nginx/tasks/main.json
View file

@ -1,4 +1,11 @@
[
{
"name": "show vars",
"when": "switch_show_vars",
"ansible.builtin.debug": {
"var": "vars.cfg_nginx"
}
},
{
"name": "install packages",
"become": true,
@ -12,9 +19,10 @@
},
{
"name": "generate dhparams file",
"when": "cfg_nginx.dhparam_size != None",
"become": true,
"ansible.builtin.command": {
"cmd": "openssl dhparam -out /etc/nginx/dhparam 4096"
"cmd": "openssl dhparam -out /etc/nginx/dhparam {{cfg_nginx.dhparam_size | string}}"
},
"args": {
"creates": "/etc/nginx/dhparam"
@ -23,13 +31,16 @@
{
"name": "place hardening config",
"become": true,
"ansible.builtin.copy": {
"src": "ssl-hardening.conf",
"ansible.builtin.template": {
"src": "ssl-hardening.conf.j2",
"dest": "/etc/nginx/ssl-hardening.conf"
}
},
{
"name": "ufw | check",
"name": "ufw",
"block": [
{
"name": "check",
"become": true,
"check_mode": true,
"community.general.ufw": {
@ -38,7 +49,7 @@
"register": "ufw_enable_check"
},
{
"name": "ufw | allow port 80",
"name": "allow port 80",
"when": "not ufw_enable_check.changed",
"become": true,
"community.general.ufw": {
@ -48,7 +59,7 @@
}
},
{
"name": "ufw | allow port 443",
"name": "allow port 443",
"when": "not ufw_enable_check.changed",
"become": true,
"community.general.ufw": {
@ -56,16 +67,18 @@
"port": "443",
"proto": "tcp"
}
}
]
},
{
"name": "auto reload",
"when": "var_nginx_auto_reload_interval == None",
"when": "cfg_nginx.auto_reload_interval == None",
"become": true,
"ansible.builtin.cron": {
"name": "nginx_auto_reload",
"disabled": true,
"minute": "0",
"hour": "*/{{var_nginx_auto_reload_interval | string}}",
"hour": "*/{{cfg_nginx.auto_reload_interval | string}}",
"day": "*",
"month": "*",
"weekday": "*",
@ -74,13 +87,13 @@
},
{
"name": "auto reload",
"when": "var_nginx_auto_reload_interval != None",
"when": "cfg_nginx.auto_reload_interval != None",
"become": true,
"ansible.builtin.cron": {
"name": "nginx_auto_reload",
"disabled": false,
"minute": "0",
"hour": "*/{{var_nginx_auto_reload_interval | string}}",
"hour": "*/{{cfg_nginx.auto_reload_interval | string}}",
"day": "*",
"month": "*",
"weekday": "*",

20
roles/nginx/templates/ssl-hardening.conf.j2 Normal file
View file

@ -0,0 +1,20 @@
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
{% if cfg_nginx.dhparam_size != None %}
ssl_dhparam /etc/nginx/dhparam;
{% endif %}
# intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;