add:(nginx role)

2023-05-14 18:46:37 +02:00 · 2023-05-14 18:46:37 +02:00 · 27e6b5758a
parent 69cac4d4be
commit 27e6b5758a
15 changed files with 311 additions and 3 deletions
--- a/group_vars/all/main.yml
+++ b/group_vars/all/main.yml
@ -1,5 +1,12 @@
 ---

 root_password_hashed: "{{ vault_root_password_hashed }}"
-user_password_hashed: "{{ vault_root_user_hashed }}"
+user_password_hashed: "{{ vault_user_password_hashed }}"
 user_ssh_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDl05rLhOKK4M2pqp7xRbKzIYlnkLRvp61NLrP2E0fiU l01@L01"
+
+ansible_become_password: "toto" #FIXME
+ansible_become_user: "root"
+ansible_become_method: "sudo"
+
+nginx_cert_position: "/etc/ssl/dmz.pem"
+nginx_key_position: "/etc/ssl/dmz.key.pem"
--- a/playbooks/base.yml
+++ b/playbooks/base.yml
@ -2,12 +2,15 @@

 - name: Gather facts
  hosts: all
+  remote_user: root
  gather_facts: true
  tags:
    - always

 - name: Common
  hosts: all
+  vars_files:
+    - ../group_vars/all/vault.yml
  roles:
    - common
  tags:
--- a/playbooks/nginx.yml
+++ b/playbooks/nginx.yml
@ -0,0 +1,10 @@
+---
+
+- name: Nginx
+  hosts: all
+  vars_files:
+    - ../group_vars/all/vault.yml
+  roles:
+    - nginx
+  tags:
+    - nginx
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@ -1,13 +1,17 @@
 ---

 - name: Packages
+  remote_user: root
  ansible.builtin.import_tasks: packages.yml

 - name: Service account
+  remote_user: root
  ansible.builtin.import_tasks: user.yml

 - name: Root password
+  remote_user: ansible
  ansible.builtin.import_tasks: password.yml

 - name: Timezone
+  remote_user: ansible
  ansible.builtin.import_tasks: timezone.yml
--- a/roles/common/tasks/password.yml
+++ b/roles/common/tasks/password.yml
@ -1,6 +1,7 @@
 ---

 - name: Set root password
+  become: Yes
  ansible.builtin.user:
    name: root
    password: "{{ root_password_hashed }}"
--- a/roles/common/tasks/user.yml
+++ b/roles/common/tasks/user.yml
@ -13,4 +13,4 @@
  authorized_key:
    user: ansible
    state: present
-    key: "{{ ssh_key }}"
+    key: "{{ user_ssh_key }}"
--- a/roles/nginx/handlers/main.yml
+++ b/roles/nginx/handlers/main.yml
@ -0,0 +1,13 @@
+---
+
+- name: Nginx_Reload
+  become: Yes
+  ansible.builtin.service:
+    name: nginx.service
+    state: reloaded
+
+- name: Nginx_Reload_Second
+  become: Yes
+  ansible.builtin.service:
+    name: nginx.service
+    state: reloaded
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@ -0,0 +1,5 @@
+---
+
+- name: Create NginX WebServer
+  remote_user: ansible
+  ansible.builtin.import_tasks: webserver.yml
--- a/roles/nginx/tasks/webserver.yml
+++ b/roles/nginx/tasks/webserver.yml
@ -0,0 +1,75 @@
+---
+- name: Install NginX
+  become: Yes
+  ansible.builtin.apt:
+    update_cache: true
+    state: latest
+    name:
+      - nginx
+      - nginx-extras
+
+- name: Import configuration
+  become: Yes
+  ansible.builtin.template:
+    src: "nginx.conf.j2"
+    dest: "/etc/nginx/nginx.conf"
+    owner: root
+    group: root
+    mode: 0644
+  notify:
+    - Nginx_Reload
+
+
+- name: Import site available configuration
+  become: Yes
+  ansible.builtin.template:
+    src: "infra.conf.j2"
+    dest: "/etc/nginx/sites-available/infra.conf"
+    owner: root
+    group: root
+    mode: 0644
+
+- name: Import index page
+  become: Yes
+  ansible.builtin.template:
+    src: "index.html.j2"
+    dest: "/var/www/html/index.html"
+    owner: root
+    group: root
+    mode: 0644
+
+- name: Import tls certificate
+  become: Yes
+  ansible.builtin.template:
+    src: "dmz.pem"
+    dest: "{{ nginx_cert_position }}"
+    owner: root
+    group: root
+    mode: 0644
+
+
+- name: Import tls key
+  become: Yes
+  ansible.builtin.template:
+    src: "dmz.key.pem"
+    dest: "{{ nginx_key_position }}"
+    owner: root
+    group: root
+    mode: 0644
+
+- name: Disable default HTTP website
+  become: Yes
+  ansible.builtin.file:
+    path:  "/etc/nginx/sites-enabled/default"
+    state: absent
+
+- name: Enable NginX site
+  become: Yes
+  ansible.builtin.file:
+    src:  "/etc/nginx/sites-available/infra.conf"
+    dest: "/etc/nginx/sites-enabled/infra.conf"
+    owner: root
+    group: root
+    state: link
+  notify:
+    - Nginx_Reload_Second
--- a/roles/nginx/templates/dmz.key.pem
+++ b/roles/nginx/templates/dmz.key.pem
@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCjkuY/AAhdboi1
+rEGSSAK+1nE1LdWClZMvz0yWjbmI5AdJkU5CVyY5cY7HI6ILXqA+IZH+nhU9+/OO
+vp2/TBdvW4ln3YnB/kYAC7B9DDQWMvBHPSF5sb6vcE8mpN/dFITWxHIYEWVIF9I4
+A6yhR9sq4QTJ+In+9e8eq0JjqcTXMVbSvbFF5dAV1C6cH2xjK8h8xIv4gz8Us/ob
+j7+og8a89Z2riRUqzhZ5NUvup8+o0u9z6ggmkwD4Ox5jDAge/pPNIyXWkbhcQb9o
+7LMFDABnjp6PDIAJMjU4eymeaLcP9aGACvR5Ese/CSG1T3Ml6VyuoKW1HsblyLht
+WMZwB5FvAgMBAAECggEALNwtTCrgoGsfkB+BTjJ0mkzqeEitLSaDWtHR8dpFf272
+Nq1klpobEBb+LswtdUvKy69eQEOvlLPEDKpnTd768F3c1cDytmLbZMjP6sONh2cJ
+8aeoxhzCrI+zDWibQqENe28d0U74BWkPDLCpSAQSbfSPYSrKAcQGA9W5G+cj5lYf
+OGIFY09hLOxnnLSiZ5/5cbIr0/wpAi0rr/78M3rr/tdE2j8hYThPIhF7MUazImQ8
+BU/9uEt44RancmlO/+1M2EMGef9/3B3iBteVBEVXpNCF6Nn92UlBbnQFUhrzMYCf
+5CXdlujFstrvIUDvChwicJs8eYtT7BLwLA56O0185QKBgQDlu7kzZIpcgSMnWuq7
+rbpzsYH7MZviwUlPXA2cEfcsMWH4Z63GLpfKQT080j4RQHRHO2LnsQrB26ueAF1B
+WFRxKLWvuLbpWcSbpw1pVZrGwek8MtPTWA67G/OcJTB3q5UWdskBZ5dyiMeW99NE
+Q/xYNjPVLaSabxGmkhUPkWRMHQKBgQC2RrF1CaW8r9La/DydcsH/HmcrkdrrWBQp
+s8/uuZfFTK6iN4A+LiyttTjTg4kJj4MMuitQkYu7z1G6cJZqLX0xtfECE7bC2fwf
+cDxefVY1AjeffJcnaEarOA/xCBiwBVPpMatEczEo72bApA9h4TCZx0I0dJf06NkJ
+SDyuZBfl+wKBgQDA8bMP6McT/hmKOh+fVL+d312tnPKxtWhe0I9VnvkbEraXrGwU
+YJl3cud9p44daya9lLDyqozAWECAyQmJkigJigld9iMZRR2NJPZsm0sM11uOBZpG
+jFSC7WzinZFhUKg8X7NeDKTzutD2iFnVocvUQmGyD02JrvMCFPq/QnscOQKBgBX3
+awdpxDl7DvQpFbz7yXlPVqufhjx6fuOPse1ZHHtAhIM0IRZdRjEg99o1rdwjGW39
+OZ8aCzb1AypuyxG8ravB+2t+qLXOw12ejwfsHumAfOeRgj3TiUC1HuazTRZZbgVa
+YQN8xl3ijAWHP/tRwiOmKcpciruPHCjMNdPmaCLlAoGAN8ww8zlKR1r72vqfwzwZ
+3tO570kUCKMnvUxxIaLBwGXSp3aXzLgFhcSQtkLZtWf9BVC6bdNIJUkpeoHUPn8Z
+Q/6bk/h31zme9oys/bzcCx8D0mwNjsZvLrol6x0w0fo4CRSD0b3iMogCQntKvgV6
+o0gqK4CcEaUp8zmvCAVo9xk=
+-----END PRIVATE KEY-----
--- a/roles/nginx/templates/dmz.pem
+++ b/roles/nginx/templates/dmz.pem
@ -0,0 +1,30 @@
+-----BEGIN CERTIFICATE-----
+MIIFFTCCAv2gAwIBAgIBEDANBgkqhkiG9w0BAQsFADBZMQswCQYDVQQGEwJGUjEc
+MBoGA1UEAwwTQUNfRVBJVEFGX1JBQ0lORV9WMTEPMA0GA1UECgwGRVBJVEFGMRsw
+GQYDVQQHDBJMZSBLcmVtbGluIEJpY2V0cmUwHhcNMjMwNTEyMjI1OTEwWhcNMjUw
+NjMwMjI1OTEwWjBrMQswCQYDVQQGEwJGUjEPMA0GA1UECgwGRVBJVEFGMRswGQYD
+VQQHDBJMZSBLcmVtbGluIEJpY2V0cmUxIDAeBgNVBAsMF0VQSVRBRiBTaWduIENl
+cnRpZmljYXRlMQwwCgYDVQQDDANkbXowggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQCjkuY/AAhdboi1rEGSSAK+1nE1LdWClZMvz0yWjbmI5AdJkU5CVyY5
+cY7HI6ILXqA+IZH+nhU9+/OOvp2/TBdvW4ln3YnB/kYAC7B9DDQWMvBHPSF5sb6v
+cE8mpN/dFITWxHIYEWVIF9I4A6yhR9sq4QTJ+In+9e8eq0JjqcTXMVbSvbFF5dAV
+1C6cH2xjK8h8xIv4gz8Us/obj7+og8a89Z2riRUqzhZ5NUvup8+o0u9z6ggmkwD4
+Ox5jDAge/pPNIyXWkbhcQb9o7LMFDABnjp6PDIAJMjU4eymeaLcP9aGACvR5Ese/
+CSG1T3Ml6VyuoKW1HsblyLhtWMZwB5FvAgMBAAGjgdUwgdIwCQYDVR0TBAIwADAR
+BglghkgBhvhCAQEEBAMCBaAwKAYJYIZIAYb4QgENBBsWGUVQSVRBRiBDbGllbnQg
+Q2VydGlmaWNhdGUwHQYDVR0OBBYEFG6M26jI5xHRwKlhSQSQAapc2q+ZMB8GA1Ud
+IwQYMBaAFCqTfSK25zDtX3W26zJfF2l/fZ70MA4GA1UdDwEB/wQEAwIF4DAdBgNV
+HSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwGQYDVR0RBBIwEIIOMTcyLjE5LjEw
+Ni4yNTYwDQYJKoZIhvcNAQELBQADggIBAAkyvWEauEk1+MS0MbQx5Rqwzd8rpjI5
+vYo+jEyiB+L0GBilZplOIoP7Vw14yv/4+cEhJENiueRcjC8Dh5hbPtWDu1qj7Iu9
+TBzFPWTInA5t/bec06q7fqk4e4HCtaQ4w79b7ADMgFxYscEVXEhdvc8QVkMx5MeI
+grNnwlYatei5KOZQ79MCDnGKRUmaPfU5pOQohNnddzMPGIeDIpZNPqBdUeOArqjZ
+LoJQ1XVSwPm3H7D2fRf76Hz3bz0z5q0PU79MAH5cj1CqVbjZlJAtQZger3R0kxer
+BmFcjudsDiJ1IbIprlwc21vEfcneNe6sx/USUdK0jQWy1U/YEwzl2em1GySjk8z6
+O2Fv/IDtT7c2X4zE6uyD+2GQQhE81IL0apK1v+djQejWcnE9fqjZDXccgjJbaenT
+TvW09+eMsDCZqh1YK0kN55V/5GACM4MVQlFOREJaJx3U0PSrix5eWMfCY5qVM8mo
+8FVtwQvabqHk9o3t57Ty9lYMMMKcfHzXeItkzUu30xx+YnorC8mXYLszP34IqlK/
+UqswyIVaDgV97ZB5NwQFXey2Wr1sQKp+T1CVSMywyYeuM9PzcX96nMdMIfRP99rV
+5EKt/5QmO6uU/HjrVypWE3BTuX6QdNjrJyUdMqV55PGD89ZETSDXQH0oUKwFHzbv
+Es9BkLnW0kXi
+-----END CERTIFICATE-----
--- a/roles/nginx/templates/index.html.j2
+++ b/roles/nginx/templates/index.html.j2
@ -0,0 +1 @@
+TOP GUN
--- a/roles/nginx/templates/infra.conf.j2
+++ b/roles/nginx/templates/infra.conf.j2
@ -0,0 +1,68 @@
+# On fait ses configurations pour cacher l'utilisation dans les headers d'un serveur nginx
+server_tokens off;          # version dans les headers
+more_set_headers 'Server';  # header Server
+
+add_header X-XSS-Protection "1: mode=block" always; # XSS
+add_header X-Frame_Options "SAMEORIGIN" always;     # clickjacking
+add_header Permission-Policy "";
+add_header Content-Security-Policy "default-src 'self';" always;    # CSRF
+add_header X-Content-Type-Options "nosniff" always; # sniffing
+
+# HTTP requests redirected to HTTPS
+server {
+    listen 80;
+    listen [::]:80;
+
+    return 301 https://$host$request_uri;
+}
+
+# reverse-proxy to Apache -> 10000
+server {
+    listen 443 ssl;             # IPv4, on écoute sur le port HTTPS (443)
+    listen [::]:443;            # IPv6
+
+    # server_name wiki.salo.pe;   # Ce serveur répond au host 'wiki.salo.pe'
+
+    location /blog/ { 
+        proxy_pass http://localhost:10000/; # Redirect localhost port 8080
+    }
+
+    ssl_certificate {{ nginx_cert_position }};
+    ssl_certificate_key {{ nginx_key_position }};
+
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_prefer_server_ciphers on;
+    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA HIGH !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
+
+    # OCSP Response
+    ssl_stapling on;            
+    ssl_stapling_verify on;
+
+    # MITM
+    add_header Strict-Transport-Security "max-age=63072000" always;
+}
+
+
+# web HTTPS
+server {
+    listen 443 ssl;
+    listen [::]:443;
+
+#    server_name grosse.salo.pe;
+
+    root /var/www/html;
+    index index.html;
+
+    error_page 404 /;
+
+    ssl_certificate {{ nginx_cert_position }};
+    ssl_certificate_key {{ nginx_key_position }};
+
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_prefer_server_ciphers on;
+    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA HIGH !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
+    ssl_stapling on;
+    ssl_stapling_verify on;
+
+    add_header Strict-Transport-Security "max-age=63072000" always;
+}
--- a/roles/nginx/templates/nginx.conf.j2
+++ b/roles/nginx/templates/nginx.conf.j2
@ -0,0 +1,63 @@
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+	worker_connections 768;
+	# multi_accept on;
+}
+
+http {
+
+	##
+	# Basic Settings
+	##
+
+	sendfile on;
+	tcp_nopush on;
+	types_hash_max_size 2048;
+	root /var/www/html;
+	# server_tokens off;
+
+	# server_names_hash_bucket_size 64;
+	# server_name_in_redirect off;
+
+	include /etc/nginx/mime.types;
+	default_type application/octet-stream;
+
+	##
+	# SSL Settings
+	##
+
+	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
+	ssl_prefer_server_ciphers on;
+
+	##
+	# Logging Settings
+	##
+
+	access_log /var/log/nginx/access.log;
+	# Error logs maximum verbose as possible
+	error_log /var/log/nginx/error.log notice;
+
+	##
+	# Gzip Settings
+	##
+
+	gzip on;
+
+	# gzip_vary on;
+	# gzip_proxied any;
+	# gzip_comp_level 6;
+	# gzip_buffers 16 8k;
+	# gzip_http_version 1.1;
+	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+	##
+	# Virtual Host Configs
+	##
+
+	include /etc/nginx/conf.d/*.conf;
+	include /etc/nginx/sites-enabled/*;
+}
--- a/simple-ansible-inventory.py
+++ b/simple-ansible-inventory.py
@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3

 import logging
 import os