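---
# Play 1: provision a shared web host (per-site Unix users, PHP-FPM, MySQL,
# Apache, phpMyAdmin, goaccess statistics) and harden PAM against
# password brute-forcing. Site definitions come from web-vars.yml
# (`web_domains`, `web_pass`, `db_pass`, `web_phpmyadmin`).
- name: Install web server
  hosts: web
  become: true
  gather_facts: true
  vars_files:
    - web-vars.yml
  vars:
    # `web_domains` is the single source of truth; each list below is the
    # subset of entries that define the key a given role needs.
    php_config: "{{ web_domains | selectattr('php', 'defined') }}"
    web_config: "{{ web_domains | selectattr('user', 'defined') }}"
    db_config: "{{ web_domains | selectattr('db', 'defined') }}"
    # Distinct Unix account names; one account may own several sites.
    users: "{{ web_config | map(attribute='user') | unique }}"
  tasks:
    # Fail early on duplicate site or database names rather than letting two
    # entries silently fight over the same vhost / schema.
    - name: Verify config
      tags: always
      verify_hosts:
        unique_value:
          - web_domains.name
          - web_domains.db.name

    # Home directories are root-owned and not writable by the account. That is
    # the layout OpenSSH requires for a ChrootDirectory, which the `sftp` group
    # membership below appears to exist for — confirm against the sshd config.
    # The mode is pinned so the result does not depend on the controller umask.
    - name: Create user home
      tags: users
      file:
        path: "/var/www/users/{{ item }}"
        state: directory
        owner: root
        group: root
        mode: '0755'
      loop: "{{ users }}"

    # One private primary group per account plus the shared `sftp` group
    # (with_items would have flattened the nested list; loop is explicit).
    - name: Create groups
      tags: users
      group:
        name: "{{ item }}"
      loop: "{{ users + ['sftp'] }}"

    - name: Create www-data group
      tags: users
      group:
        name: www-data
        system: true

    - name: Create www-data user
      tags: users
      user:
        name: www-data
        group: www-data
        system: true

    # no_log keeps the password hash out of the play log; diff: false keeps it
    # out of --diff output as well.
    - name: Create users
      tags: users
      no_log: true
      user:
        name: "{{ item }}"
        group: "{{ item }}"
        groups:
          - www-data
          - sftp
        # Update password only when we got access to it. The algorithm is
        # pinned instead of relying on the filter default.
        # NOTE(review): password_hash draws a fresh random salt on every run,
        # so accounts with a known password will report "changed" each time;
        # seed the salt or use update_password: on_create if that matters.
        password: "{{ omit if web_pass[item] is not defined else (web_pass[item] | password_hash('sha512')) }}"
        home: "/var/www/users/{{ item }}"
      diff: false
      # NOTE(review): together with no_log this makes a failing user change
      # invisible; narrow it with failed_when once the expected error is known.
      ignore_errors: true
      loop: "{{ users }}"

    # The per-site document root, owned by the site's account.
    - name: Create user domain
      tags: users
      file:
        state: directory
        path: "/var/www/users/{{ item.user }}/{{ item.name }}"
        owner: "{{ item.user }}"
        group: "{{ item.user }}"
        mode: '0755'
      loop: "{{ web_config }}"
      loop_control:
        label: "{{ item.name }}"

    # Per-site scratch space. 0770 with www-data as owner and the site's
    # account as group lets both writers in; a world-writable (0777) directory
    # would let every local account — including the other SFTP users — plant
    # or delete files here. Assumes the PHP worker runs as www-data or as the
    # site's account; confirm against the php-fpm role's pool template.
    - name: Create user tmp
      tags: users
      file:
        state: directory
        path: "/var/www/users/{{ item.user }}/tmp/{{ item.name }}"
        owner: www-data
        group: "{{ item.user }}"
        mode: '0770'
      loop: "{{ web_config }}"
      loop_control:
        label: "{{ item.name }}"

    # `users` here deliberately shadows the play-level list: the mysql role
    # receives the credential map, not the Unix account names.
    - name: Set up MySQL
      tags: mysql
      no_log: true
      vars:
        db: "{{ db_config + [web_phpmyadmin] }}"
        users: "{{ db_pass | default([]) }}"
      include_role:
        name: mysql

    - name: Set up PHP
      tags: php
      vars:
        domains: "{{ php_config + [web_phpmyadmin] }}"
      include_role:
        name: php-fpm

    - name: Set up Apache
      tags: apache
      vars:
        domains: "{{ web_config }}"
      include_role:
        name: apache2

    # web_phpmyadmin is fed to both the mysql and php-fpm roles above, so a
    # tag-limited run of either should also pull the package in.
    - name: Install phpmyadmin
      tags:
        - mysql
        - php
      package:
        name: phpmyadmin
        state: present

    - name: Install goaccess
      tags: goaccess
      include_role:
        name: goaccess

    - name: Install statistics
      tags: goaccess
      copy:
        src: statistics
        dest: /var/www/users/www-data/
        owner: www-data
        group: www-data

    - name: Set statistics permission
      tags: goaccess
      file:
        path: /var/www/users/www-data/statistics/chkpassword
        mode: '0755'

    # 0644 rather than 0666: a world-writable log can be truncated or forged by
    # any local account. Assumes the writer runs as www-data (the owner set
    # here and on the statistics copy) — confirm if chkpassword runs under a
    # different uid. Timestamps are preserved so the touch is idempotent.
    - name: Set fail.log permission
      tags: goaccess
      file:
        state: touch
        path: /var/www/users/www-data/statistics/fail.log
        mode: '0644'
        owner: www-data
        group: www-data
        modification_time: preserve
        access_time: preserve

    # Lock an account for 15 minutes after 5 consecutive failures.
    # NOTE(review): pam-auth-update owns /etc/pam.d/common-*; lines outside its
    # managed section may be reported or rewritten when it next runs.
    - name: Secure down PAM
      tags: security
      # https://askubuntu.com/a/1404228
      block:
        # preauth must precede pam_unix so an already-locked account is denied
        # before the password is even checked.
        - name: Register failed logins before the primary block
          blockinfile:
            path: /etc/pam.d/common-auth
            block: "auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900"
            insertafter: '# here are the per-package modules \(the "Primary" block\)'
            marker: "# {mark} ANSIBLE MANAGED BLOCK INIT"
        # pam_unix's [success=1] skips authfail on success and lands on
        # authsucc, which resets the counter; a failure hits authfail and dies.
        - name: Count failures and reset on success
          blockinfile:
            path: /etc/pam.d/common-auth
            block: |
              auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
              auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900
            insertafter: "# here's the fallback if no module succeeds"
            marker: "# {mark} ANSIBLE MANAGED BLOCK FALLBACK"
        - name: Enforce the lockout in the account stack
          blockinfile:
            path: /etc/pam.d/common-account
            block: "account required pam_faillock.so"
            insertafter: '# end of pam-auth-update config'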
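# Play 2: the reverse proxy in front of the web hosts. Only sites that define
# a `proxy` key in web_domains are handed to the proxy role.
- name: Install proxy
  tags: proxy
  hosts: webproxy
  become: true
  gather_facts: true
  vars_files:
    - web-vars.yml
  vars:
    proxies: "{{ web_domains | selectattr('proxy', 'defined') }}"
  tasks:
    - name: Create proxy
      include_role:
        name: proxy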