initial ansible code

2022-10-09 21:41:56 +00:00
parent 4a64eab4a0
commit feaec34dd2
103 changed files with 4473 additions and 0 deletions
--- a/roles/nginx/handlers/main.yml
+++ b/roles/nginx/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: reload nginx
+  systemd:
+    name: nginx.service
+    state: reloaded
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -0,0 +1,44 @@
+---
+- name: Add Nginx GPG apt Key
+  apt_key:
+    url: https://nginx.org/keys/nginx_signing.key
+    keyring: /usr/share/keyrings/nginx-archive-keyring.gpg
+    state: present
+
+- name: Add Nginx Mainline Repository
+  apt_repository:
+    repo: "deb [arch={{ deb_architecture }} signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
+          http://nginx.org/packages/mainline/ubuntu {{ ansible_distribution_release }} nginx"
+    state: present
+    update_cache: true
+
+- name: Install Nginx
+  apt:
+    name: nginx
+    state: latest
+    update_cache: true
+    cache_valid_time: 3600
+
+- name: Remove default.conf
+  ansible.builtin.file:
+    path: /etc/nginx/conf.d/default.conf
+    state: absent
+
+- name: Create global config folder
+  file:
+    path: "/etc/nginx/global"
+    mode: 0755
+    state: directory
+
+- name: Copy Nginx SSL Config
+  template:
+    dest: /etc/nginx/global/ssl.conf
+    src: ssl.conf.j2
+    mode: 0644
+  notify: reload nginx
+
+- name: Download pre-defined DHE group  # as recommended by IETF RFC 7919
+  get_url:
+    url: https://github.com/internetstandards/dhe_groups/raw/main/ffdhe4096.pem
+    dest: "{{ nginx_ssl_dhparam }}"
+  notify: reload nginx
--- a/roles/nginx/templates/ssl.conf.j2
+++ b/roles/nginx/templates/ssl.conf.j2
@@ -0,0 +1,17 @@
+## Managed by Ansible ##
+
+# Configure SSL
+    ssl_ciphers "{{ nginx_ssl_ciphers }}";
+    ssl_protocols {{ nginx_ssl_protocols }};
+    ssl_prefer_server_ciphers off;
+    ssl_early_data on;
+    ssl_dhparam {{ nginx_ssl_dhparam }};
+# OCSP Stapling fetch OCSP records from URL in ssl_certificate and cache them
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001];
+# SSL session handling
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 1d;
+    ssl_session_tickets off;
+    ssl_buffer_size 4k;
--- a/roles/nginx/vars/main.yml
+++ b/roles/nginx/vars/main.yml
@@ -0,0 +1,7 @@
+---
+
+nginx_ssl_ciphers: "ALL:!AES128:!CAMELLIA128:!CAMELLIA:!ARIA128:!RSA:!SEED:!aNULL:!eNULL:!EXPORT:\
+                    !DES:!RC4:!3DES:!MD5:!PSK:!DHE-RSA-AES256:!ECDHE-RSA-AES256-SHA384:\
+                    !DHE-RSA-AES256-SHA256:!ECDHE-RSA-AES256-SHA:!DHE-RSA-AES256-SHA:@STRENGTH"
+nginx_ssl_protocols: "TLSv1.2 TLSv1.3"
+nginx_ssl_dhparam: "/etc/ssl/dhparams.pem"