From a03e50c9339a147aee3f8e8a4210a3bce5a74f5a Mon Sep 17 00:00:00 2001 From: Marius Melzer Date: Fri, 19 Apr 2024 00:20:46 +0200 Subject: [PATCH 01/23] Harden nginx ssl/tls config According to https://ssl-config.mozilla.org/ --- roles/authelia-and-nginx/templates/conf.j2 | 15 ++++---- roles/dokuwiki-and-nginx/templates/conf.j2 | 25 ++++++------ roles/element-and-nginx/templates/conf.j2 | 7 ++-- roles/gitlab-and-nginx/templates/conf.j2 | 44 ++++++++-------------- roles/hedgedoc-and-nginx/templates/conf.j2 | 21 ++++++----- roles/nginx/files/dhparam | 8 ++++ roles/nginx/files/ssl-hardening.conf | 18 +++++++++ roles/nginx/tasks/main.json | 16 ++++++++ roles/synapse-and-nginx/templates/conf.j2 | 13 ++++--- 9 files changed, 99 insertions(+), 68 deletions(-) create mode 100644 roles/nginx/files/dhparam create mode 100644 roles/nginx/files/ssl-hardening.conf diff --git a/roles/authelia-and-nginx/templates/conf.j2 b/roles/authelia-and-nginx/templates/conf.j2 index bd0cbeb..8649a39 100644 --- a/roles/authelia-and-nginx/templates/conf.j2 +++ b/roles/authelia-and-nginx/templates/conf.j2 @@ -1,21 +1,22 @@ server { server_name {{var_authelia_and_nginx_domain}}; - + listen [::]:80; listen 80; - + return 301 https://$server_name$request_uri; } server { server_name {{var_authelia_and_nginx_domain}}; - + listen [::]:443 ssl http2; listen 443 ssl http2; - + ssl_certificate /etc/ssl/fullchains/{{var_authelia_and_nginx_domain}}.pem; ssl_certificate_key /etc/ssl/private/{{var_authelia_and_nginx_domain}}.pem; - + include /etc/nginx/ssl-hardening.conf; + location / { ## Headers proxy_set_header Host $host; @@ -52,10 +53,10 @@ server { proxy_read_timeout 360; proxy_send_timeout 360; proxy_connect_timeout 360; - + proxy_pass http://localhost:9091; } - + location /api/verify { proxy_pass http://localhost:9091; } diff --git a/roles/dokuwiki-and-nginx/templates/conf.j2 b/roles/dokuwiki-and-nginx/templates/conf.j2 index cd9c68d..90278d0 100644 --- a/roles/dokuwiki-and-nginx/templates/conf.j2 +++ b/roles/dokuwiki-and-nginx/templates/conf.j2 @@ -4,45 +4,44 @@ server { server_name {{var_dokuwiki_and_nginx_domain}}; return 301 https://$server_name$request_uri; } - + server { listen [::]:443 ssl; listen 443 ssl; - + server_name {{var_dokuwiki_and_nginx_domain}}; - + {% if var_dokuwiki_and_nginx_tls_enable %} ssl_certificate /etc/ssl/fullchains/{{var_dokuwiki_and_nginx_domain}}.pem; ssl_certificate_key /etc/ssl/private/{{var_dokuwiki_and_nginx_domain}}.pem; - ssl_session_timeout 5m; - ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES"; + include /etc/nginx/ssl-hardening.conf; {% endif %} - + # Maximum file upload size is 4MB - change accordingly if needed client_max_body_size 4M; client_body_buffer_size 128k; - + root {{var_dokuwiki_and_nginx_directory}}; index doku.php; - + #Remember to comment the below out when you're installing, and uncomment it when done. location ~ /(conf/|bin/|inc/|vendor/|install.php) { deny all; } - + #Support for X-Accel-Redirect location ~ ^/data/ { internal; } - + location ~ ^/lib.*\.(js|css|gif|png|ico|jpg|jpeg)$ { expires 365d; } - + location / { try_files $uri $uri/ @dokuwiki; } - + location @dokuwiki { # rewrites "doku.php/" out of the URLs if you set the userwrite setting to .htaccess in dokuwiki config page rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last; @@ -50,7 +49,7 @@ server { rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last; rewrite ^/(.*) /doku.php?id=$1&$args last; } - + location ~ \.php$ { try_files $uri $uri/ /doku.php; include fastcgi_params; diff --git a/roles/element-and-nginx/templates/conf.j2 b/roles/element-and-nginx/templates/conf.j2 index 312df8b..cec8475 100644 --- a/roles/element-and-nginx/templates/conf.j2 +++ b/roles/element-and-nginx/templates/conf.j2 @@ -3,11 +3,12 @@ server { listen [::]:80; listen 443 ssl; listen [::]:443 ssl; - + server_name {{var_element_and_nginx_domain}}; - + ssl_certificate /etc/ssl/fullchains/{{var_element_and_nginx_domain}}.pem; ssl_certificate_key /etc/ssl/private/{{var_element_and_nginx_domain}}.pem; - + include /etc/nginx/ssl-hardening.conf; + root {{var_element_and_nginx_path}}; } diff --git a/roles/gitlab-and-nginx/templates/conf.j2 b/roles/gitlab-and-nginx/templates/conf.j2 index eabfcb9..c6430f6 100644 --- a/roles/gitlab-and-nginx/templates/conf.j2 +++ b/roles/gitlab-and-nginx/templates/conf.j2 @@ -32,12 +32,12 @@ map $http_referer $gitlab_ssl_filtered_http_referer { server { listen 80 default_server; listen [::]:80 ipv6only=on default_server; - + server_name {{var_gitlab_and_nginx_domain}}; server_tokens off; - + return 301 https://$http_host$request_uri; - + access_log /var/log/nginx/gitlab_access.log gitlab_ssl_access; error_log /var/log/nginx/gitlab_error.log; } @@ -45,61 +45,47 @@ server { server { listen 0.0.0.0:443 ssl http2; listen [::]:443 ipv6only=on ssl http2 default_server; - + server_name {{var_gitlab_and_nginx_domain}}; server_tokens off; - + ssl_certificate /etc/ssl/fullchains/{{var_gitlab_and_nginx_domain}}.pem; ssl_certificate_key /etc/ssl/private/{{var_gitlab_and_nginx_domain}}.pem; - - ssl_session_timeout 1d; - ssl_session_cache shared:SSL:10m; - ssl_session_tickets off; - - ssl_protocols TLSv1.3; - ssl_prefer_server_ciphers off; - - # ssl_stapling on; - # ssl_stapling_verify on; - # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt; - # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired - # resolver_timeout 5s; - - # add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"; - + include /etc/nginx/ssl-hardening.conf; + real_ip_header X-Real-IP; real_ip_recursive off; - + access_log /var/log/nginx/gitlab_access.log gitlab_ssl_access; error_log /var/log/nginx/gitlab_error.log; - + location / { client_max_body_size 0; gzip off; - + proxy_read_timeout 300; proxy_connect_timeout 300; proxy_redirect off; - + proxy_http_version 1.1; - + proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade_gitlab; - + # proxy_pass http://gitlab-workhorse; proxy_pass http://localhost:8080; } - + error_page 404 /404.html; error_page 422 /422.html; error_page 500 /500.html; error_page 502 /502.html; error_page 503 /503.html; - + location ~ ^/(404|422|500|502|503)\.html$ { root /home/git/gitlab/public; internal; diff --git a/roles/hedgedoc-and-nginx/templates/conf.j2 b/roles/hedgedoc-and-nginx/templates/conf.j2 index 0760df4..19723d1 100644 --- a/roles/hedgedoc-and-nginx/templates/conf.j2 +++ b/roles/hedgedoc-and-nginx/templates/conf.j2 @@ -5,26 +5,27 @@ map $http_upgrade $connection_upgrade { server { server_name {{var_hedgedoc_and_nginx_domain}}; - + listen [::]:443 ssl http2; listen 443 ssl http2; - + ssl_certificate /etc/ssl/certs/{{var_hedgedoc_and_nginx_domain}}.pem; ssl_certificate_key /etc/ssl/private/{{var_hedgedoc_and_nginx_domain}}.pem; - + include /etc/nginx/ssl-hardening.conf; + location / { proxy_pass http://localhost:3000; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } - + location /socket.io/ { proxy_pass http://localhost:3000; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; diff --git a/roles/nginx/files/dhparam b/roles/nginx/files/dhparam new file mode 100644 index 0000000..9b182b7 --- /dev/null +++ b/roles/nginx/files/dhparam @@ -0,0 +1,8 @@ +-----BEGIN DH PARAMETERS----- +MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz ++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a +87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 +YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi +7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD +ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg== +-----END DH PARAMETERS----- diff --git a/roles/nginx/files/ssl-hardening.conf b/roles/nginx/files/ssl-hardening.conf new file mode 100644 index 0000000..1d5f5f4 --- /dev/null +++ b/roles/nginx/files/ssl-hardening.conf @@ -0,0 +1,18 @@ +ssl_session_timeout 1d; +ssl_session_cache shared:MozSSL:10m; # about 40000 sessions +ssl_session_tickets off; + +# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam +ssl_dhparam /etc/nginx/dhparam; + +# intermediate configuration +ssl_protocols TLSv1.2 TLSv1.3; +ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305; +ssl_prefer_server_ciphers off; + +# HSTS (ngx_http_headers_module is required) (63072000 seconds) +add_header Strict-Transport-Security "max-age=63072000" always; + +# OCSP stapling +ssl_stapling on; +ssl_stapling_verify on; diff --git a/roles/nginx/tasks/main.json b/roles/nginx/tasks/main.json index c8e2b40..2d9e9ed 100644 --- a/roles/nginx/tasks/main.json +++ b/roles/nginx/tasks/main.json @@ -9,6 +9,22 @@ ] } }, + { + "name": "place dhparams file", + "become": true, + "ansible.builtin.copy": { + "src": "dhparam", + "dest": "/etc/nginx/dhparam" + } + }, + { + "name": "place hardening config", + "become": true, + "ansible.builtin.copy": { + "src": "ssl-hardening.conf", + "dest": "/etc/nginx/ssl-hardening.conf" + } + }, { "name": "restart service", "become": true, diff --git a/roles/synapse-and-nginx/templates/conf.j2 b/roles/synapse-and-nginx/templates/conf.j2 index b9b94c6..a8ba62b 100644 --- a/roles/synapse-and-nginx/templates/conf.j2 +++ b/roles/synapse-and-nginx/templates/conf.j2 @@ -3,24 +3,25 @@ server { listen [::]:80; listen 443 ssl; listen [::]:443 ssl; - + ## For the federation port listen 8448 ssl http2 default_server; listen [::]:8448 ssl http2 default_server; - + server_name {{var_synapse_and_nginx_domain}}; - + ssl_certificate /etc/ssl/fullchains/{{var_synapse_and_nginx_domain}}.pem; ssl_certificate_key /etc/ssl/private/{{var_synapse_and_nginx_domain}}.pem; - + include /etc/nginx/ssl-hardening.conf; + location ~ ^(/_matrix|/_synapse/client) { proxy_pass http://localhost:8008; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Host $host; - + client_max_body_size 50M; - + proxy_http_version 1.1; } } From dcc52b04cc7fe77161220cf2fb4e38908767bcbd Mon Sep 17 00:00:00 2001 From: Marius Melzer Date: Sat, 20 Apr 2024 13:11:26 +0200 Subject: [PATCH 02/23] Generate dhparams instead of using a checked in file --- roles/nginx/tasks/main.json | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/roles/nginx/tasks/main.json b/roles/nginx/tasks/main.json index 2d9e9ed..ca205e5 100644 --- a/roles/nginx/tasks/main.json +++ b/roles/nginx/tasks/main.json @@ -10,11 +10,10 @@ } }, { - "name": "place dhparams file", - "become": true, - "ansible.builtin.copy": { - "src": "dhparam", - "dest": "/etc/nginx/dhparam" + "name": "generate dhparams file", + "ansible.builtin.command": "openssl dhparam -out /etc/nginx/dhparam 4096", + "args": { + "creates": "/etc/nginx/dhparam" } }, { From 139ba7504a4adfd73367c8514a38296b9cd3acaa Mon Sep 17 00:00:00 2001 From: Marius Melzer Date: Sat, 20 Apr 2024 15:23:38 +0200 Subject: [PATCH 03/23] Add system-basics role - set time zone - limit journal size - set vim as editor - limit ssh login to pubkey --- roles/system-basics/handlers/main.json | 17 +++++++++++++ roles/system-basics/tasks/main.json | 33 ++++++++++++++++++++++++++ 2 files changed, 50 insertions(+) create mode 100644 roles/system-basics/handlers/main.json create mode 100644 roles/system-basics/tasks/main.json diff --git a/roles/system-basics/handlers/main.json b/roles/system-basics/handlers/main.json new file mode 100644 index 0000000..1da98d3 --- /dev/null +++ b/roles/system-basics/handlers/main.json @@ -0,0 +1,17 @@ +[ + { + "name": "restart sshd", + "service": { + "name": "sshd", + "state": "restarted" + } + }, + { + "name": "restart journal", + "service": { + "name": "systemd-journald", + "state": "restarted", + "enabled": "yes" + } + } +] diff --git a/roles/system-basics/tasks/main.json b/roles/system-basics/tasks/main.json new file mode 100644 index 0000000..1b87040 --- /dev/null +++ b/roles/system-basics/tasks/main.json @@ -0,0 +1,33 @@ +[ + { + "name": "Set timezone to Berlin", + "community.general.timezone": { + "name": "Europe/Berlin" + } + }, + { + "name": "Limit syslogs", + "lineinfile": { + "dest": "/etc/systemd/journald.conf", + "regexp": "^#?\\s*SystemMaxFileSize", + "line": "SystemMaxFileSize=2G" + }, + "notify": "restart journal" + }, + { + "name": "Set vim as default editor", + "alternatives": { + "name": "editor", + "path": "/usr/bin/vim.basic" + } + }, + { + "name": "Disable root login without key", + "lineinfile": { + "dest": "/etc/ssh/sshd_config", + "regexp": "^#?PermitRootLogin ", + "line": "PermitRootLogin without-password" + }, + "notify": "restart sshd" + } +] From fcad5b93547d48d9a897e9abdd371e19a8c27703 Mon Sep 17 00:00:00 2001 From: Marius Melzer Date: Sat, 20 Apr 2024 15:24:38 +0200 Subject: [PATCH 04/23] Add unattended upgrades Enable unattended upgrades and triggers unattended reboots (23:55 after an upgrade which needs reboot). Attention: this is specific to debian-style linux systems (Debian, Ubuntu,...). --- .../unattended-upgrades/files/20auto-upgrades | 2 ++ roles/unattended-upgrades/tasks/main.json | 33 +++++++++++++++++++ 2 files changed, 35 insertions(+) create mode 100644 roles/unattended-upgrades/files/20auto-upgrades create mode 100644 roles/unattended-upgrades/tasks/main.json diff --git a/roles/unattended-upgrades/files/20auto-upgrades b/roles/unattended-upgrades/files/20auto-upgrades new file mode 100644 index 0000000..8d6d7c8 --- /dev/null +++ b/roles/unattended-upgrades/files/20auto-upgrades @@ -0,0 +1,2 @@ +APT::Periodic::Update-Package-Lists "1"; +APT::Periodic::Unattended-Upgrade "1"; diff --git a/roles/unattended-upgrades/tasks/main.json b/roles/unattended-upgrades/tasks/main.json new file mode 100644 index 0000000..7706bc3 --- /dev/null +++ b/roles/unattended-upgrades/tasks/main.json @@ -0,0 +1,33 @@ +[ + { + "name": "Allow unattended reboots (1)", + "lineinfile": { + "dest": "/etc/apt/apt.conf.d/50unattended-upgrades", + "regexp": "^(//)?Unattended-Upgrade::Automatic-Reboot ", + "line": "Unattended-Upgrade::Automatic-Reboot \"true\";" + } + }, + { + "name": "Allow unattended reboots (2)", + "lineinfile": { + "dest": "/etc/apt/apt.conf.d/50unattended-upgrades", + "regexp": "^(//)?Unattended-Upgrade::Automatic-Reboot-Time ", + "line": "Unattended-Upgrade::Automatic-Reboot-Time \"23:55\";" + } + }, + { + "name": "Allow more origins for updates", + "lineinfile": { + "dest": "/etc/apt/apt.conf.d/50unattended-upgrades", + "regexp": "^(//\\s*)?\"\\$\\{distro_id\\}:\\$\\{distro_codename\\}-updates\";", + "line": "\"${distro_id}:${distro_codename}-updates\";" + } + }, + { + "name": "Enable unattended upgrades", + "copy": { + "src": "20auto-upgrades", + "dest": "/etc/apt/apt.conf.d/20auto-upgrades" + } + } +] From 65b00c88400a774d0cbc40459c0d1e80bc31cbb4 Mon Sep 17 00:00:00 2001 From: Marius Melzer Date: Sat, 20 Apr 2024 17:08:39 +0200 Subject: [PATCH 05/23] Add ufw role - Enable ufw and by default deny incoming traffic - in other roles: if ufw (role) is enabled, then allow necessary ports --- roles/lighttpd/tasks/main.json | 26 +++++++++++++++++++++ roles/murmur/tasks/main.json | 17 ++++++++++++++ roles/nginx/tasks/main.json | 26 +++++++++++++++++++++ roles/proftpd/tasks/main.json | 26 +++++++++++++++++++++ roles/synapse/tasks/main.json | 17 ++++++++++++++ roles/ufw/tasks/main.json | 41 ++++++++++++++++++++++++++++++++++ 6 files changed, 153 insertions(+) create mode 100644 roles/ufw/tasks/main.json diff --git a/roles/lighttpd/tasks/main.json b/roles/lighttpd/tasks/main.json index 1b6af91..8e85d43 100644 --- a/roles/lighttpd/tasks/main.json +++ b/roles/lighttpd/tasks/main.json @@ -27,6 +27,32 @@ "dest": "/etc/lighttpd/conf-enabled/10-ssl-custom.conf" } }, + { + "name": "Check wether enabling UFW would be considered a changed", + "check_mode": true, + "community.general.ufw": { + "state": "enabled", + "register": "ufw_enable_check" + } + }, + { + "name": "Allow port 80 in ufw", + "community.general.ufw": { + "rule": "allow", + "port": "80", + "proto": "tcp" + }, + "when": "not ufw_enable_check.changed" + }, + { + "name": "Allow port 443 in ufw", + "community.general.ufw": { + "rule": "allow", + "port": "443", + "proto": "tcp" + }, + "when": "not ufw_enable_check.changed" + }, { "name": "restart service", "become": true, diff --git a/roles/murmur/tasks/main.json b/roles/murmur/tasks/main.json index 7341ac8..b8303b2 100644 --- a/roles/murmur/tasks/main.json +++ b/roles/murmur/tasks/main.json @@ -25,6 +25,23 @@ "cmd": "murmurd -ini /etc/mumble-server.ini -supw {{var_murmur_admin_password}}" } }, + { + "name": "Check wether enabling UFW would be considered a changed", + "check_mode": true, + "community.general.ufw": { + "state": "enabled", + "register": "ufw_enable_check" + } + }, + { + "name": "Allow port in ufw", + "community.general.ufw": { + "rule": "allow", + "port": "{{ var_murmur_port }}", + "proto": "tcp" + }, + "when": "not ufw_enable_check.changed" + }, { "name": "service", "become": true, diff --git a/roles/nginx/tasks/main.json b/roles/nginx/tasks/main.json index c8e2b40..39a68de 100644 --- a/roles/nginx/tasks/main.json +++ b/roles/nginx/tasks/main.json @@ -9,6 +9,32 @@ ] } }, + { + "name": "Check wether enabling UFW would be considered a changed", + "check_mode": true, + "community.general.ufw": { + "state": "enabled", + "register": "ufw_enable_check" + } + }, + { + "name": "Allow port 80 in ufw", + "community.general.ufw": { + "rule": "allow", + "port": "80", + "proto": "tcp" + }, + "when": "not ufw_enable_check.changed" + }, + { + "name": "Allow port 443 in ufw", + "community.general.ufw": { + "rule": "allow", + "port": "443", + "proto": "tcp" + }, + "when": "not ufw_enable_check.changed" + }, { "name": "restart service", "become": true, diff --git a/roles/proftpd/tasks/main.json b/roles/proftpd/tasks/main.json index d277bc0..53374a6 100644 --- a/roles/proftpd/tasks/main.json +++ b/roles/proftpd/tasks/main.json @@ -8,5 +8,31 @@ "proftpd-core" ] } + }, + { + "name": "Check wether enabling UFW would be considered a changed", + "check_mode": true, + "community.general.ufw": { + "state": "enabled", + "register": "ufw_enable_check" + } + }, + { + "name": "Allow FTP port 20 in ufw", + "community.general.ufw": { + "rule": "allow", + "port": "20", + "proto": "tcp" + }, + "when": "not ufw_enable_check.changed" + }, + { + "name": "Allow FTP port 21 in ufw", + "community.general.ufw": { + "rule": "allow", + "port": "21", + "proto": "tcp" + }, + "when": "not ufw_enable_check.changed" } ] diff --git a/roles/synapse/tasks/main.json b/roles/synapse/tasks/main.json index fd44ce1..ef5c79c 100644 --- a/roles/synapse/tasks/main.json +++ b/roles/synapse/tasks/main.json @@ -58,6 +58,23 @@ "dest": "/etc/matrix-synapse/homeserver.yaml" } }, + { + "name": "Check wether enabling UFW would be considered a changed", + "check_mode": true, + "community.general.ufw": { + "state": "enabled", + "register": "ufw_enable_check" + } + }, + { + "name": "Allow matrix federation port in ufw", + "community.general.ufw": { + "rule": "allow", + "port": "8448", + "proto": "tcp" + }, + "when": "not ufw_enable_check.changed" + }, { "name": "restart service", "become": true, diff --git a/roles/ufw/tasks/main.json b/roles/ufw/tasks/main.json new file mode 100644 index 0000000..b3ed847 --- /dev/null +++ b/roles/ufw/tasks/main.json @@ -0,0 +1,41 @@ +[ + { + "name": "install ufw", + "become": true, + "ansible.builtin.apt": { + "update_cache": true, + "pkg": [ + "ufw" + ] + } + }, + { + "name": "ufw deny incoming", + "ufw": { + "direction": "incoming", + "proto": "any", + "policy": "deny" + } + }, + { + "name": "ufw allow outgoing", + "ufw": { + "direction": "outgoing", + "proto": "any", + "policy": "allow" + } + }, + { + "name": "ufw allow and rate-limit ssh", + "ufw": { + "rule": "limit", + "name": "ssh" + } + }, + { + "name": "enable ufw service", + "ufw": { + "state": "enabled" + } + } +] From 882286e1a78cb78812299c27e1a41e48af4a8cba Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 24 Apr 2024 17:33:35 +0000 Subject: [PATCH 06/23] Apply 1 suggestion(s) to 1 file(s) --- roles/nginx/tasks/main.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/nginx/tasks/main.json b/roles/nginx/tasks/main.json index ca205e5..26f2739 100644 --- a/roles/nginx/tasks/main.json +++ b/roles/nginx/tasks/main.json @@ -5,7 +5,8 @@ "ansible.builtin.apt": { "update_cache": true, "pkg": [ - "nginx" + "nginx", + "openssl" ] } }, From e70ab02fed0fa6c3a987b36fd911f0982f25344f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 24 Apr 2024 17:38:11 +0000 Subject: [PATCH 07/23] Apply 6 suggestion(s) to 2 file(s) --- roles/system-basics/handlers/main.json | 6 +++--- roles/system-basics/tasks/main.json | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/roles/system-basics/handlers/main.json b/roles/system-basics/handlers/main.json index 1da98d3..ba5eace 100644 --- a/roles/system-basics/handlers/main.json +++ b/roles/system-basics/handlers/main.json @@ -1,17 +1,17 @@ [ { "name": "restart sshd", - "service": { + "ansible.builtin.service": { "name": "sshd", "state": "restarted" } }, { "name": "restart journal", - "service": { + "ansible.builtin.service": { "name": "systemd-journald", "state": "restarted", - "enabled": "yes" + "enabled": true } } ] diff --git a/roles/system-basics/tasks/main.json b/roles/system-basics/tasks/main.json index 1b87040..707b1f1 100644 --- a/roles/system-basics/tasks/main.json +++ b/roles/system-basics/tasks/main.json @@ -7,7 +7,7 @@ }, { "name": "Limit syslogs", - "lineinfile": { + "ansible.builtin.lineinfile": { "dest": "/etc/systemd/journald.conf", "regexp": "^#?\\s*SystemMaxFileSize", "line": "SystemMaxFileSize=2G" @@ -16,14 +16,14 @@ }, { "name": "Set vim as default editor", - "alternatives": { + "community.general.alternatives": { "name": "editor", "path": "/usr/bin/vim.basic" } }, { "name": "Disable root login without key", - "lineinfile": { + "ansible.builtin.lineinfile": { "dest": "/etc/ssh/sshd_config", "regexp": "^#?PermitRootLogin ", "line": "PermitRootLogin without-password" From 389b171401bbef40b021e74e8c9249f172d2ca8b Mon Sep 17 00:00:00 2001 From: Marius Melzer Date: Wed, 24 Apr 2024 20:02:51 +0200 Subject: [PATCH 08/23] Apply review comments --- roles/system-basics/tasks/main.json | 9 ++++ roles/unattended-upgrades/tasks/main.json | 62 +++++++++++------------ 2 files changed, 40 insertions(+), 31 deletions(-) diff --git a/roles/system-basics/tasks/main.json b/roles/system-basics/tasks/main.json index 707b1f1..08c35fe 100644 --- a/roles/system-basics/tasks/main.json +++ b/roles/system-basics/tasks/main.json @@ -14,6 +14,15 @@ }, "notify": "restart journal" }, + { + "name": "Install vim", + "become": true, + "ansible.builtin.apt": { + "pkg": [ + "vim" + ] + } + }, { "name": "Set vim as default editor", "community.general.alternatives": { diff --git a/roles/unattended-upgrades/tasks/main.json b/roles/unattended-upgrades/tasks/main.json index 7706bc3..4098ae9 100644 --- a/roles/unattended-upgrades/tasks/main.json +++ b/roles/unattended-upgrades/tasks/main.json @@ -1,33 +1,33 @@ [ - { - "name": "Allow unattended reboots (1)", - "lineinfile": { - "dest": "/etc/apt/apt.conf.d/50unattended-upgrades", - "regexp": "^(//)?Unattended-Upgrade::Automatic-Reboot ", - "line": "Unattended-Upgrade::Automatic-Reboot \"true\";" - } - }, - { - "name": "Allow unattended reboots (2)", - "lineinfile": { - "dest": "/etc/apt/apt.conf.d/50unattended-upgrades", - "regexp": "^(//)?Unattended-Upgrade::Automatic-Reboot-Time ", - "line": "Unattended-Upgrade::Automatic-Reboot-Time \"23:55\";" - } - }, - { - "name": "Allow more origins for updates", - "lineinfile": { - "dest": "/etc/apt/apt.conf.d/50unattended-upgrades", - "regexp": "^(//\\s*)?\"\\$\\{distro_id\\}:\\$\\{distro_codename\\}-updates\";", - "line": "\"${distro_id}:${distro_codename}-updates\";" - } - }, - { - "name": "Enable unattended upgrades", - "copy": { - "src": "20auto-upgrades", - "dest": "/etc/apt/apt.conf.d/20auto-upgrades" - } - } + { + "name": "Allow unattended reboots (1)", + "lineinfile": { + "dest": "/etc/apt/apt.conf.d/50unattended-upgrades", + "regexp": "^(//)?Unattended-Upgrade::Automatic-Reboot ", + "line": "Unattended-Upgrade::Automatic-Reboot \"true\";" + } + }, + { + "name": "Allow unattended reboots (2)", + "lineinfile": { + "dest": "/etc/apt/apt.conf.d/50unattended-upgrades", + "regexp": "^(//)?Unattended-Upgrade::Automatic-Reboot-Time ", + "line": "Unattended-Upgrade::Automatic-Reboot-Time \"23:55\";" + } + }, + { + "name": "Allow more origins for updates", + "lineinfile": { + "dest": "/etc/apt/apt.conf.d/50unattended-upgrades", + "regexp": "^(//\\s*)?\"\\$\\{distro_id\\}:\\$\\{distro_codename\\}-updates\";", + "line": "\"${distro_id}:${distro_codename}-updates\";" + } + }, + { + "name": "Enable unattended upgrades", + "copy": { + "src": "20auto-upgrades", + "dest": "/etc/apt/apt.conf.d/20auto-upgrades" + } + } ] From 715d39716c6c903ee8bfdf7fbec9f96f05c22548 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sat, 1 Jun 2024 13:43:40 +0200 Subject: [PATCH 09/23] [fix] install required packages [fix] add missing become:true directives [mod] use fully qualified names for ansible tasks --- roles/unattended-upgrades/tasks/main.json | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) diff --git a/roles/unattended-upgrades/tasks/main.json b/roles/unattended-upgrades/tasks/main.json index 4098ae9..014209d 100644 --- a/roles/unattended-upgrades/tasks/main.json +++ b/roles/unattended-upgrades/tasks/main.json @@ -1,7 +1,19 @@ [ + { + "name": "install packages", + "become": true, + "ansible.builtin.apt": { + "update_cache": true, + "pkg": [ + "unattended-upgrades", + "apt-listchanges" + ] + } + }, { "name": "Allow unattended reboots (1)", - "lineinfile": { + "become": true, + "ansible.builtin.lineinfile": { "dest": "/etc/apt/apt.conf.d/50unattended-upgrades", "regexp": "^(//)?Unattended-Upgrade::Automatic-Reboot ", "line": "Unattended-Upgrade::Automatic-Reboot \"true\";" @@ -9,7 +21,8 @@ }, { "name": "Allow unattended reboots (2)", - "lineinfile": { + "become": true, + "ansible.builtin.lineinfile": { "dest": "/etc/apt/apt.conf.d/50unattended-upgrades", "regexp": "^(//)?Unattended-Upgrade::Automatic-Reboot-Time ", "line": "Unattended-Upgrade::Automatic-Reboot-Time \"23:55\";" @@ -17,7 +30,8 @@ }, { "name": "Allow more origins for updates", - "lineinfile": { + "become": true, + "ansible.builtin.lineinfile": { "dest": "/etc/apt/apt.conf.d/50unattended-upgrades", "regexp": "^(//\\s*)?\"\\$\\{distro_id\\}:\\$\\{distro_codename\\}-updates\";", "line": "\"${distro_id}:${distro_codename}-updates\";" @@ -25,7 +39,8 @@ }, { "name": "Enable unattended upgrades", - "copy": { + "become": true, + "ansible.builtin.copy": { "src": "20auto-upgrades", "dest": "/etc/apt/apt.conf.d/20auto-upgrades" } From 8d57e57df82096477ec666310545f7c9dc269f13 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sat, 1 Jun 2024 13:44:51 +0200 Subject: [PATCH 10/23] [mod] role:unattended-upgrades renamed to unattended_upgrades --- .../files/20auto-upgrades | 0 .../{unattended-upgrades => unattended_upgrades}/tasks/main.json | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename roles/{unattended-upgrades => unattended_upgrades}/files/20auto-upgrades (100%) rename roles/{unattended-upgrades => unattended_upgrades}/tasks/main.json (100%) diff --git a/roles/unattended-upgrades/files/20auto-upgrades b/roles/unattended_upgrades/files/20auto-upgrades similarity index 100% rename from roles/unattended-upgrades/files/20auto-upgrades rename to roles/unattended_upgrades/files/20auto-upgrades diff --git a/roles/unattended-upgrades/tasks/main.json b/roles/unattended_upgrades/tasks/main.json similarity index 100% rename from roles/unattended-upgrades/tasks/main.json rename to roles/unattended_upgrades/tasks/main.json From 0e913099e67b47e9a4362d40e958fac1675ba72f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sat, 1 Jun 2024 13:47:20 +0200 Subject: [PATCH 11/23] [fix] role:system-basics:add missing become:true directives [mod] role:system-basisc:also install htop and tmux --- roles/system-basics/tasks/main.json | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/roles/system-basics/tasks/main.json b/roles/system-basics/tasks/main.json index 08c35fe..11a8792 100644 --- a/roles/system-basics/tasks/main.json +++ b/roles/system-basics/tasks/main.json @@ -1,12 +1,14 @@ [ { "name": "Set timezone to Berlin", + "become": true, "community.general.timezone": { "name": "Europe/Berlin" } }, { "name": "Limit syslogs", + "become": true, "ansible.builtin.lineinfile": { "dest": "/etc/systemd/journald.conf", "regexp": "^#?\\s*SystemMaxFileSize", @@ -15,16 +17,19 @@ "notify": "restart journal" }, { - "name": "Install vim", + "name": "install packages", "become": true, "ansible.builtin.apt": { "pkg": [ - "vim" + "vim", + "htop", + "tmux" ] } }, { "name": "Set vim as default editor", + "become": true, "community.general.alternatives": { "name": "editor", "path": "/usr/bin/vim.basic" @@ -32,6 +37,7 @@ }, { "name": "Disable root login without key", + "become": true, "ansible.builtin.lineinfile": { "dest": "/etc/ssh/sshd_config", "regexp": "^#?PermitRootLogin ", From 434c90117317c9b9c5a8bd6e3fdadad355ee746a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sat, 1 Jun 2024 13:47:47 +0200 Subject: [PATCH 12/23] [mod] role:system-basics renamed to system_basics --- roles/{system-basics => system_basics}/handlers/main.json | 0 roles/{system-basics => system_basics}/tasks/main.json | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename roles/{system-basics => system_basics}/handlers/main.json (100%) rename roles/{system-basics => system_basics}/tasks/main.json (100%) diff --git a/roles/system-basics/handlers/main.json b/roles/system_basics/handlers/main.json similarity index 100% rename from roles/system-basics/handlers/main.json rename to roles/system_basics/handlers/main.json diff --git a/roles/system-basics/tasks/main.json b/roles/system_basics/tasks/main.json similarity index 100% rename from roles/system-basics/tasks/main.json rename to roles/system_basics/tasks/main.json From 2ac8c9c4c3a75b5e20f7fae4416885814b07a5fd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sat, 1 Jun 2024 13:49:11 +0200 Subject: [PATCH 13/23] [fix] role:ufw:add missing become:true directives [mod] role:ufw:use fully qualified names for ansible tasks --- roles/ufw/tasks/main.json | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/roles/ufw/tasks/main.json b/roles/ufw/tasks/main.json index b3ed847..003e4b6 100644 --- a/roles/ufw/tasks/main.json +++ b/roles/ufw/tasks/main.json @@ -11,7 +11,8 @@ }, { "name": "ufw deny incoming", - "ufw": { + "become": true, + "community.general.ufw": { "direction": "incoming", "proto": "any", "policy": "deny" @@ -19,7 +20,8 @@ }, { "name": "ufw allow outgoing", - "ufw": { + "become": true, + "community.general.ufw": { "direction": "outgoing", "proto": "any", "policy": "allow" @@ -27,14 +29,16 @@ }, { "name": "ufw allow and rate-limit ssh", - "ufw": { + "become": true, + "community.general.ufw": { "rule": "limit", "name": "ssh" } }, { "name": "enable ufw service", - "ufw": { + "become": true, + "community.general.ufw": { "state": "enabled" } } From c7c9e6895cd6df181707e023434b485967ed375b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sat, 1 Jun 2024 17:56:28 +0200 Subject: [PATCH 14/23] [fix] roles with ufw incocation --- roles/lighttpd/tasks/main.json | 23 +++++++++++++---------- roles/murmur/tasks/main.json | 18 ++++++++++-------- roles/nginx/tasks/main.json | 23 +++++++++++++---------- roles/proftpd/tasks/main.json | 23 +++++++++++++---------- roles/synapse/tasks/main.json | 16 +++++++++------- 5 files changed, 58 insertions(+), 45 deletions(-) diff --git a/roles/lighttpd/tasks/main.json b/roles/lighttpd/tasks/main.json index 8e85d43..d29fcdf 100644 --- a/roles/lighttpd/tasks/main.json +++ b/roles/lighttpd/tasks/main.json @@ -28,30 +28,33 @@ } }, { - "name": "Check wether enabling UFW would be considered a changed", + "name": "ufw | check", "check_mode": true, + "become": true, "community.general.ufw": { - "state": "enabled", - "register": "ufw_enable_check" - } + "state": "enabled" + }, + "register": "ufw_enable_check" }, { - "name": "Allow port 80 in ufw", + "name": "ufw | allow port 80", + "when": "not ufw_enable_check.changed", + "become": true, "community.general.ufw": { "rule": "allow", "port": "80", "proto": "tcp" - }, - "when": "not ufw_enable_check.changed" + } }, { - "name": "Allow port 443 in ufw", + "name": "ufw | allow port 443", + "when": "not ufw_enable_check.changed", + "become": true, "community.general.ufw": { "rule": "allow", "port": "443", "proto": "tcp" - }, - "when": "not ufw_enable_check.changed" + } }, { "name": "restart service", diff --git a/roles/murmur/tasks/main.json b/roles/murmur/tasks/main.json index b8303b2..1b9ed12 100644 --- a/roles/murmur/tasks/main.json +++ b/roles/murmur/tasks/main.json @@ -26,21 +26,23 @@ } }, { - "name": "Check wether enabling UFW would be considered a changed", + "name": "ufw | check", "check_mode": true, + "become": true, "community.general.ufw": { - "state": "enabled", - "register": "ufw_enable_check" - } + "state": "enabled" + }, + "register": "ufw_enable_check" }, { - "name": "Allow port in ufw", + "name": "ufw | allow port", + "when": "not ufw_enable_check.changed", + "become": true, "community.general.ufw": { "rule": "allow", - "port": "{{ var_murmur_port }}", + "port": "{{var_murmur_port | string}}", "proto": "tcp" - }, - "when": "not ufw_enable_check.changed" + } }, { "name": "service", diff --git a/roles/nginx/tasks/main.json b/roles/nginx/tasks/main.json index 39a68de..2fe467c 100644 --- a/roles/nginx/tasks/main.json +++ b/roles/nginx/tasks/main.json @@ -10,30 +10,33 @@ } }, { - "name": "Check wether enabling UFW would be considered a changed", + "name": "ufw | check", + "become": true, "check_mode": true, "community.general.ufw": { - "state": "enabled", - "register": "ufw_enable_check" - } + "state": "enabled" + }, + "register": "ufw_enable_check" }, { - "name": "Allow port 80 in ufw", + "name": "ufw | allow port 80", + "when": "not ufw_enable_check.changed", + "become": true, "community.general.ufw": { "rule": "allow", "port": "80", "proto": "tcp" - }, - "when": "not ufw_enable_check.changed" + } }, { - "name": "Allow port 443 in ufw", + "name": "ufw | allow port 443", + "when": "not ufw_enable_check.changed", + "become": true, "community.general.ufw": { "rule": "allow", "port": "443", "proto": "tcp" - }, - "when": "not ufw_enable_check.changed" + } }, { "name": "restart service", diff --git a/roles/proftpd/tasks/main.json b/roles/proftpd/tasks/main.json index 53374a6..e5bf9a0 100644 --- a/roles/proftpd/tasks/main.json +++ b/roles/proftpd/tasks/main.json @@ -10,29 +10,32 @@ } }, { - "name": "Check wether enabling UFW would be considered a changed", + "name": "ufw | check", "check_mode": true, + "become": true, "community.general.ufw": { - "state": "enabled", - "register": "ufw_enable_check" - } + "state": "enabled" + }, + "register": "ufw_enable_check" }, { - "name": "Allow FTP port 20 in ufw", + "name": "ufw | allow port 20", + "when": "not ufw_enable_check.changed", + "become": true, "community.general.ufw": { "rule": "allow", "port": "20", "proto": "tcp" - }, - "when": "not ufw_enable_check.changed" + } }, { - "name": "Allow FTP port 21 in ufw", + "name": "ufw | allow port 21", + "when": "not ufw_enable_check.changed", + "become": true, "community.general.ufw": { "rule": "allow", "port": "21", "proto": "tcp" - }, - "when": "not ufw_enable_check.changed" + } } ] diff --git a/roles/synapse/tasks/main.json b/roles/synapse/tasks/main.json index ef5c79c..63e0e78 100644 --- a/roles/synapse/tasks/main.json +++ b/roles/synapse/tasks/main.json @@ -59,21 +59,23 @@ } }, { - "name": "Check wether enabling UFW would be considered a changed", + "name": "ufw | check", + "become": true, "check_mode": true, "community.general.ufw": { - "state": "enabled", - "register": "ufw_enable_check" - } + "state": "enabled" + }, + "register": "ufw_enable_check" }, { - "name": "Allow matrix federation port in ufw", + "name": "ufw | allow port", + "when": "not ufw_enable_check.changed", + "become": true, "community.general.ufw": { "rule": "allow", "port": "8448", "proto": "tcp" - }, - "when": "not ufw_enable_check.changed" + } }, { "name": "restart service", From aeac7cceab06574c44fdd908e227d77a2809b055 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sat, 1 Jun 2024 18:14:21 +0200 Subject: [PATCH 15/23] [sty] roles:tls hardening:format --- roles/authelia-and-nginx/templates/conf.j2 | 14 +++++------ roles/dokuwiki-and-nginx/templates/conf.j2 | 22 ++++++++--------- roles/element-and-nginx/templates/conf.j2 | 6 ++--- roles/gitlab-and-nginx/templates/conf.j2 | 28 +++++++++++----------- roles/hedgedoc-and-nginx/templates/conf.j2 | 8 +++---- roles/nginx/files/dhparam | 8 ------- roles/synapse-and-nginx/templates/conf.j2 | 12 +++++----- 7 files changed, 45 insertions(+), 53 deletions(-) delete mode 100644 roles/nginx/files/dhparam diff --git a/roles/authelia-and-nginx/templates/conf.j2 b/roles/authelia-and-nginx/templates/conf.j2 index 8649a39..231a61d 100644 --- a/roles/authelia-and-nginx/templates/conf.j2 +++ b/roles/authelia-and-nginx/templates/conf.j2 @@ -1,22 +1,22 @@ server { server_name {{var_authelia_and_nginx_domain}}; - + listen [::]:80; listen 80; - + return 301 https://$server_name$request_uri; } server { server_name {{var_authelia_and_nginx_domain}}; - + listen [::]:443 ssl http2; listen 443 ssl http2; - + ssl_certificate /etc/ssl/fullchains/{{var_authelia_and_nginx_domain}}.pem; ssl_certificate_key /etc/ssl/private/{{var_authelia_and_nginx_domain}}.pem; include /etc/nginx/ssl-hardening.conf; - + location / { ## Headers proxy_set_header Host $host; @@ -53,10 +53,10 @@ server { proxy_read_timeout 360; proxy_send_timeout 360; proxy_connect_timeout 360; - + proxy_pass http://localhost:9091; } - + location /api/verify { proxy_pass http://localhost:9091; } diff --git a/roles/dokuwiki-and-nginx/templates/conf.j2 b/roles/dokuwiki-and-nginx/templates/conf.j2 index 90278d0..514ceab 100644 --- a/roles/dokuwiki-and-nginx/templates/conf.j2 +++ b/roles/dokuwiki-and-nginx/templates/conf.j2 @@ -4,44 +4,44 @@ server { server_name {{var_dokuwiki_and_nginx_domain}}; return 301 https://$server_name$request_uri; } - + server { listen [::]:443 ssl; listen 443 ssl; - + server_name {{var_dokuwiki_and_nginx_domain}}; - + {% if var_dokuwiki_and_nginx_tls_enable %} ssl_certificate /etc/ssl/fullchains/{{var_dokuwiki_and_nginx_domain}}.pem; ssl_certificate_key /etc/ssl/private/{{var_dokuwiki_and_nginx_domain}}.pem; include /etc/nginx/ssl-hardening.conf; {% endif %} - + # Maximum file upload size is 4MB - change accordingly if needed client_max_body_size 4M; client_body_buffer_size 128k; - + root {{var_dokuwiki_and_nginx_directory}}; index doku.php; - + #Remember to comment the below out when you're installing, and uncomment it when done. location ~ /(conf/|bin/|inc/|vendor/|install.php) { deny all; } - + #Support for X-Accel-Redirect location ~ ^/data/ { internal; } - + location ~ ^/lib.*\.(js|css|gif|png|ico|jpg|jpeg)$ { expires 365d; } - + location / { try_files $uri $uri/ @dokuwiki; } - + location @dokuwiki { # rewrites "doku.php/" out of the URLs if you set the userwrite setting to .htaccess in dokuwiki config page rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last; @@ -49,7 +49,7 @@ server { rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last; rewrite ^/(.*) /doku.php?id=$1&$args last; } - + location ~ \.php$ { try_files $uri $uri/ /doku.php; include fastcgi_params; diff --git a/roles/element-and-nginx/templates/conf.j2 b/roles/element-and-nginx/templates/conf.j2 index cec8475..08330a6 100644 --- a/roles/element-and-nginx/templates/conf.j2 +++ b/roles/element-and-nginx/templates/conf.j2 @@ -3,12 +3,12 @@ server { listen [::]:80; listen 443 ssl; listen [::]:443 ssl; - + server_name {{var_element_and_nginx_domain}}; - + ssl_certificate /etc/ssl/fullchains/{{var_element_and_nginx_domain}}.pem; ssl_certificate_key /etc/ssl/private/{{var_element_and_nginx_domain}}.pem; include /etc/nginx/ssl-hardening.conf; - + root {{var_element_and_nginx_path}}; } diff --git a/roles/gitlab-and-nginx/templates/conf.j2 b/roles/gitlab-and-nginx/templates/conf.j2 index c6430f6..4208162 100644 --- a/roles/gitlab-and-nginx/templates/conf.j2 +++ b/roles/gitlab-and-nginx/templates/conf.j2 @@ -32,12 +32,12 @@ map $http_referer $gitlab_ssl_filtered_http_referer { server { listen 80 default_server; listen [::]:80 ipv6only=on default_server; - + server_name {{var_gitlab_and_nginx_domain}}; server_tokens off; - + return 301 https://$http_host$request_uri; - + access_log /var/log/nginx/gitlab_access.log gitlab_ssl_access; error_log /var/log/nginx/gitlab_error.log; } @@ -45,47 +45,47 @@ server { server { listen 0.0.0.0:443 ssl http2; listen [::]:443 ipv6only=on ssl http2 default_server; - + server_name {{var_gitlab_and_nginx_domain}}; server_tokens off; - + ssl_certificate /etc/ssl/fullchains/{{var_gitlab_and_nginx_domain}}.pem; ssl_certificate_key /etc/ssl/private/{{var_gitlab_and_nginx_domain}}.pem; include /etc/nginx/ssl-hardening.conf; - + real_ip_header X-Real-IP; real_ip_recursive off; - + access_log /var/log/nginx/gitlab_access.log gitlab_ssl_access; error_log /var/log/nginx/gitlab_error.log; - + location / { client_max_body_size 0; gzip off; - + proxy_read_timeout 300; proxy_connect_timeout 300; proxy_redirect off; - + proxy_http_version 1.1; - + proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade_gitlab; - + # proxy_pass http://gitlab-workhorse; proxy_pass http://localhost:8080; } - + error_page 404 /404.html; error_page 422 /422.html; error_page 500 /500.html; error_page 502 /502.html; error_page 503 /503.html; - + location ~ ^/(404|422|500|502|503)\.html$ { root /home/git/gitlab/public; internal; diff --git a/roles/hedgedoc-and-nginx/templates/conf.j2 b/roles/hedgedoc-and-nginx/templates/conf.j2 index 19723d1..08e630c 100644 --- a/roles/hedgedoc-and-nginx/templates/conf.j2 +++ b/roles/hedgedoc-and-nginx/templates/conf.j2 @@ -5,14 +5,14 @@ map $http_upgrade $connection_upgrade { server { server_name {{var_hedgedoc_and_nginx_domain}}; - + listen [::]:443 ssl http2; listen 443 ssl http2; - + ssl_certificate /etc/ssl/certs/{{var_hedgedoc_and_nginx_domain}}.pem; ssl_certificate_key /etc/ssl/private/{{var_hedgedoc_and_nginx_domain}}.pem; include /etc/nginx/ssl-hardening.conf; - + location / { proxy_pass http://localhost:3000; proxy_set_header Host $host; @@ -20,7 +20,7 @@ server { proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } - + location /socket.io/ { proxy_pass http://localhost:3000; proxy_set_header Host $host; diff --git a/roles/nginx/files/dhparam b/roles/nginx/files/dhparam deleted file mode 100644 index 9b182b7..0000000 --- a/roles/nginx/files/dhparam +++ /dev/null @@ -1,8 +0,0 @@ ------BEGIN DH PARAMETERS----- -MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz -+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a -87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 -YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi -7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD -ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg== ------END DH PARAMETERS----- diff --git a/roles/synapse-and-nginx/templates/conf.j2 b/roles/synapse-and-nginx/templates/conf.j2 index a8ba62b..e59fb99 100644 --- a/roles/synapse-and-nginx/templates/conf.j2 +++ b/roles/synapse-and-nginx/templates/conf.j2 @@ -3,25 +3,25 @@ server { listen [::]:80; listen 443 ssl; listen [::]:443 ssl; - + ## For the federation port listen 8448 ssl http2 default_server; listen [::]:8448 ssl http2 default_server; - + server_name {{var_synapse_and_nginx_domain}}; - + ssl_certificate /etc/ssl/fullchains/{{var_synapse_and_nginx_domain}}.pem; ssl_certificate_key /etc/ssl/private/{{var_synapse_and_nginx_domain}}.pem; include /etc/nginx/ssl-hardening.conf; - + location ~ ^(/_matrix|/_synapse/client) { proxy_pass http://localhost:8008; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Host $host; - + client_max_body_size 50M; - + proxy_http_version 1.1; } } From 8a0a4dd778ca756c20e23946baafc1812b8778f3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Wed, 5 Jun 2024 20:00:23 +0200 Subject: [PATCH 16/23] [fix] role:authelia:vardef --- roles/authelia/vardef.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/authelia/vardef.json b/roles/authelia/vardef.json index 2e764e3..9b7d5bc 100644 --- a/roles/authelia/vardef.json +++ b/roles/authelia/vardef.json @@ -25,7 +25,7 @@ }, "domain": { "type": "string", - "mandatory": false, + "mandatory": false }, "redirect_url": { "type": "string", From 8b47912f4688279e1920f5b4ded419662788a985 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Thu, 6 Jun 2024 13:47:26 +0200 Subject: [PATCH 17/23] [res] --- roles/nginx/tasks/main.json | 65 ++++++++++++++++++++++++++++++++++++- 1 file changed, 64 insertions(+), 1 deletion(-) diff --git a/roles/nginx/tasks/main.json b/roles/nginx/tasks/main.json index c8e2b40..62853db 100644 --- a/roles/nginx/tasks/main.json +++ b/roles/nginx/tasks/main.json @@ -5,10 +5,73 @@ "ansible.builtin.apt": { "update_cache": true, "pkg": [ - "nginx" + "nginx", + "openssl" ] } }, + { + "name": "generate dhparams file", + "become": true, + "ansible.builtin.command": { + "cmd": "openssl dhparam -out /etc/nginx/dhparam 4096" + }, + "args": { + "creates": "/etc/nginx/dhparam" + } + }, + { + "name": "place hardening config", + "become": true, + "ansible.builtin.copy": { + "src": "ssl-hardening.conf", + "dest": "/etc/nginx/ssl-hardening.conf" + } + }, + { + "name": "ufw | check", + "become": true, + "check_mode": true, + "community.general.ufw": { + "state": "enabled" + }, + "register": "ufw_enable_check" + }, + { + "name": "ufw | allow port 80", + "when": "not ufw_enable_check.changed", + "become": true, + "community.general.ufw": { + "rule": "allow", + "port": "80", + "proto": "tcp" + } + }, + { + "name": "ufw | allow port 443", + "when": "not ufw_enable_check.changed", + "become": true, + "community.general.ufw": { + "rule": "allow", + "port": "443", + "proto": "tcp" + } + }, + { + "name": "auto reload", + "when": "auto_reload_interval != None", + "become": true, + "ansible.builtin.cron": { + "name": "nginx_auto_reload", + "disabled": true, + "minute": "0", + "hour": "*/{{var_nginx_auto_reload_interval | string}}", + "day": "*", + "month": "*", + "weekday": "*", + "job": "systemctl reload nginx" + } + }, { "name": "restart service", "become": true, From 9a886a2df9776b26d415ddd5f9c35129799e29d2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Thu, 6 Jun 2024 13:51:31 +0200 Subject: [PATCH 18/23] [fix] role:nginx --- roles/nginx/tasks/main.json | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/roles/nginx/tasks/main.json b/roles/nginx/tasks/main.json index 62853db..9748e6d 100644 --- a/roles/nginx/tasks/main.json +++ b/roles/nginx/tasks/main.json @@ -59,7 +59,7 @@ }, { "name": "auto reload", - "when": "auto_reload_interval != None", + "when": "var_nginx_auto_reload_interval == None", "become": true, "ansible.builtin.cron": { "name": "nginx_auto_reload", @@ -72,6 +72,21 @@ "job": "systemctl reload nginx" } }, + { + "name": "auto reload", + "when": "var_nginx_auto_reload_interval != None", + "become": true, + "ansible.builtin.cron": { + "name": "nginx_auto_reload", + "disabled": false, + "minute": "0", + "hour": "*/{{var_nginx_auto_reload_interval | string}}", + "day": "*", + "month": "*", + "weekday": "*", + "job": "systemctl reload nginx" + } + }, { "name": "restart service", "become": true, From 888fdda75bd565d598936cee8c364eaee8488b5b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Thu, 6 Jun 2024 13:55:17 +0200 Subject: [PATCH 19/23] [fix] role:authelia --- roles/authelia/templates/conf-main.json.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/authelia/templates/conf-main.json.j2 b/roles/authelia/templates/conf-main.json.j2 index 0f163af..e942e72 100644 --- a/roles/authelia/templates/conf-main.json.j2 +++ b/roles/authelia/templates/conf-main.json.j2 @@ -56,7 +56,7 @@ {% else %} "disable": true, {% endif %} - "custom_url": "{{password_reset_custom_url}}" + "custom_url": "{{var_authelia_password_reset_custom_url}}" }, "refresh_interval": "5m", "file": { From 8084f3367669559a0f1e25f0ae48aa176c2f379d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Thu, 6 Jun 2024 14:46:44 +0200 Subject: [PATCH 20/23] [fix] role:authelia --- roles/authelia/templates/conf-main.json.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/authelia/templates/conf-main.json.j2 b/roles/authelia/templates/conf-main.json.j2 index e942e72..475cda4 100644 --- a/roles/authelia/templates/conf-main.json.j2 +++ b/roles/authelia/templates/conf-main.json.j2 @@ -128,7 +128,7 @@ "cookies": [ { "domain": "{{var_authelia_session_domain}}", - "authelia_url": "{{var_authelia_domain}}", + "authelia_url": "https://{{var_authelia_domain}}/", "default_redirection_url": "{{var_authelia_redirect_url}}" } ] From 958630599dce5fa25e2b5acd83244904701b5f10 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Thu, 6 Jun 2024 14:50:15 +0200 Subject: [PATCH 21/23] [fix] role:nginx --- roles/nginx/defaults/main.json | 2 +- roles/nginx/tasks/main.json.orig | 86 ++++++++++++++++++++++++++++++++ roles/nginx/vardef.json | 8 +++ 3 files changed, 95 insertions(+), 1 deletion(-) create mode 100644 roles/nginx/tasks/main.json.orig create mode 100644 roles/nginx/vardef.json diff --git a/roles/nginx/defaults/main.json b/roles/nginx/defaults/main.json index bfd870e..997702e 100644 --- a/roles/nginx/defaults/main.json +++ b/roles/nginx/defaults/main.json @@ -1,3 +1,3 @@ { + "var_nginx_auto_reload_interval": null } - diff --git a/roles/nginx/tasks/main.json.orig b/roles/nginx/tasks/main.json.orig new file mode 100644 index 0000000..3941ce5 --- /dev/null +++ b/roles/nginx/tasks/main.json.orig @@ -0,0 +1,86 @@ +[ + { + "name": "install packages", + "become": true, + "ansible.builtin.apt": { + "update_cache": true, + "pkg": [ + "nginx" + ] + } + }, + { +<<<<<<< HEAD +======= + "name": "generate dhparams file", + "become": true, + "ansible.builtin.command": { + "cmd": "openssl dhparam -out /etc/nginx/dhparam 4096" + }, + "args": { + "creates": "/etc/nginx/dhparam" + } + }, + { + "name": "place hardening config", + "become": true, + "ansible.builtin.copy": { + "src": "ssl-hardening.conf", + "dest": "/etc/nginx/ssl-hardening.conf" + } + }, + { + "name": "ufw | check", + "become": true, + "check_mode": true, + "community.general.ufw": { + "state": "enabled" + }, + "register": "ufw_enable_check" + }, + { + "name": "ufw | allow port 80", + "when": "not ufw_enable_check.changed", + "become": true, + "community.general.ufw": { + "rule": "allow", + "port": "80", + "proto": "tcp" + } + }, + { + "name": "ufw | allow port 443", + "when": "not ufw_enable_check.changed", + "become": true, + "community.general.ufw": { + "rule": "allow", + "port": "443", + "proto": "tcp" + } + }, + { + "name": "auto reload", + "when": "auto_reload_interval != None", + "become": true, + "ansible.builtin.cron": { + "name": "nginx_auto_reload", + "disabled": true, + "minute": "0", + "hour": "*/{{var_nginx_auto_reload_interval | string}}", + "day": "*", + "month": "*", + "weekday": "*", + "job": "systemctl reload nginx" + } + }, + { +>>>>>>> f55f317 ([fix] role:nginx) + "name": "restart service", + "become": true, + "ansible.builtin.systemd_service": { + "state": "restarted", + "name": "nginx" + } + } +] + diff --git a/roles/nginx/vardef.json b/roles/nginx/vardef.json new file mode 100644 index 0000000..c03ddc6 --- /dev/null +++ b/roles/nginx/vardef.json @@ -0,0 +1,8 @@ +{ + "auto_reload_interval": { + "description": "in hours", + "nullable": true, + "type": "integer", + "mandatory": false + } +} From a47662cdaa45a7e629f622a70764d0c525811924 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Thu, 6 Jun 2024 14:51:10 +0200 Subject: [PATCH 22/23] [fix] role:nginx --- roles/nginx/tasks/main.json | 65 +------------------------------------ 1 file changed, 1 insertion(+), 64 deletions(-) diff --git a/roles/nginx/tasks/main.json b/roles/nginx/tasks/main.json index 9748e6d..0ef3b0e 100644 --- a/roles/nginx/tasks/main.json +++ b/roles/nginx/tasks/main.json @@ -5,73 +5,10 @@ "ansible.builtin.apt": { "update_cache": true, "pkg": [ - "nginx", - "openssl" + "nginx" ] } }, - { - "name": "generate dhparams file", - "become": true, - "ansible.builtin.command": { - "cmd": "openssl dhparam -out /etc/nginx/dhparam 4096" - }, - "args": { - "creates": "/etc/nginx/dhparam" - } - }, - { - "name": "place hardening config", - "become": true, - "ansible.builtin.copy": { - "src": "ssl-hardening.conf", - "dest": "/etc/nginx/ssl-hardening.conf" - } - }, - { - "name": "ufw | check", - "become": true, - "check_mode": true, - "community.general.ufw": { - "state": "enabled" - }, - "register": "ufw_enable_check" - }, - { - "name": "ufw | allow port 80", - "when": "not ufw_enable_check.changed", - "become": true, - "community.general.ufw": { - "rule": "allow", - "port": "80", - "proto": "tcp" - } - }, - { - "name": "ufw | allow port 443", - "when": "not ufw_enable_check.changed", - "become": true, - "community.general.ufw": { - "rule": "allow", - "port": "443", - "proto": "tcp" - } - }, - { - "name": "auto reload", - "when": "var_nginx_auto_reload_interval == None", - "become": true, - "ansible.builtin.cron": { - "name": "nginx_auto_reload", - "disabled": true, - "minute": "0", - "hour": "*/{{var_nginx_auto_reload_interval | string}}", - "day": "*", - "month": "*", - "weekday": "*", - "job": "systemctl reload nginx" - } - }, { "name": "auto reload", "when": "var_nginx_auto_reload_interval != None", From 46e239133dd859b5ccbf33fc250b5f3cee323d3a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Fra=C3=9F?= Date: Sun, 9 Jun 2024 11:02:04 +0200 Subject: [PATCH 23/23] [res] --- roles/nginx/tasks/main.json.orig | 86 -------------------------------- 1 file changed, 86 deletions(-) delete mode 100644 roles/nginx/tasks/main.json.orig diff --git a/roles/nginx/tasks/main.json.orig b/roles/nginx/tasks/main.json.orig deleted file mode 100644 index 3941ce5..0000000 --- a/roles/nginx/tasks/main.json.orig +++ /dev/null @@ -1,86 +0,0 @@ -[ - { - "name": "install packages", - "become": true, - "ansible.builtin.apt": { - "update_cache": true, - "pkg": [ - "nginx" - ] - } - }, - { -<<<<<<< HEAD -======= - "name": "generate dhparams file", - "become": true, - "ansible.builtin.command": { - "cmd": "openssl dhparam -out /etc/nginx/dhparam 4096" - }, - "args": { - "creates": "/etc/nginx/dhparam" - } - }, - { - "name": "place hardening config", - "become": true, - "ansible.builtin.copy": { - "src": "ssl-hardening.conf", - "dest": "/etc/nginx/ssl-hardening.conf" - } - }, - { - "name": "ufw | check", - "become": true, - "check_mode": true, - "community.general.ufw": { - "state": "enabled" - }, - "register": "ufw_enable_check" - }, - { - "name": "ufw | allow port 80", - "when": "not ufw_enable_check.changed", - "become": true, - "community.general.ufw": { - "rule": "allow", - "port": "80", - "proto": "tcp" - } - }, - { - "name": "ufw | allow port 443", - "when": "not ufw_enable_check.changed", - "become": true, - "community.general.ufw": { - "rule": "allow", - "port": "443", - "proto": "tcp" - } - }, - { - "name": "auto reload", - "when": "auto_reload_interval != None", - "become": true, - "ansible.builtin.cron": { - "name": "nginx_auto_reload", - "disabled": true, - "minute": "0", - "hour": "*/{{var_nginx_auto_reload_interval | string}}", - "day": "*", - "month": "*", - "weekday": "*", - "job": "systemctl reload nginx" - } - }, - { ->>>>>>> f55f317 ([fix] role:nginx) - "name": "restart service", - "become": true, - "ansible.builtin.systemd_service": { - "state": "restarted", - "name": "nginx" - } - } -] -