8:a4ee025a8854
Anton Shestakov <av6@dwimlabs.net>, Sat, 25 Jun 2016 12:29:01 +0800
add more security headers


roles/nginx/tasks/main.yml


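---
# Tasks for the nginx role: packages, vhost files, DH parameters, HPKP pin
# material for the munin vhost, Munin/Monit monitoring and firewall rules.
# Handler names (restart nginx, restart munin-node, reload monit) and the
# included easy-rsa.yml live elsewhere in the role; keep them unchanged here.
# Module arguments use block YAML instead of key=value strings so that values
# containing spaces or Jinja are not re-tokenised by the module.

- name: Install packages
  apt:
    pkg: "{{ item }}"
    state: present
  with_items:
    - easy-rsa  # for munin certificate auth
    - nginx-full
    - libwww-perl  # for munin plugins
  tags: [packages, inert]

- name: Disable default site
  file:
    path: /etc/nginx/sites-enabled/default
    state: absent
  notify:
    - restart nginx

- name: Add nginx status server
  copy:
    src: etc/nginx/sites-available/nginx_status
    dest: /etc/nginx/sites-available/nginx_status
  notify:
    - restart nginx

# The symlink belongs to this task, not to the copy task above: a task can
# carry only one module, and the enable task had none.
- name: Enable Nginx status server
  file:
    src: /etc/nginx/sites-available/nginx_status
    dest: /etc/nginx/sites-enabled/nginx_status
    state: link
  notify:
    - restart nginx

- include: easy-rsa.yml

# -dsaparam makes generation fast on VirtualBox guests but produces DSA-style
# parameters that OpenSSL documents as suitable for ephemeral (DHE) use only;
# the conditional keeps it off real hosts. The file is public, so no mode is set.
- name: Create a Diffie-Hellman key exchange parameters file
  command: >
    openssl dhparam
    {% if ansible_virtualization_type == "virtualbox" %}-dsaparam{% endif %}
    -out /etc/nginx/dh-2048.pem
    2048
  args:
    creates: /etc/nginx/dh-2048.pem
  notify:
    - restart nginx

# Computes the base64 SHA-256 of each public key (the vhost key and the role's
# own CA key) for a Public-Key-Pins header. Only the digest reaches stdout, so
# the registered result does not expose key material. HPKP is no longer
# honoured by mainstream browsers and a stale pin can lock clients out of the
# vhost; treat the header as legacy.
- name: Extract information for HPKP header
  shell: >
    openssl rsa -in /etc/nginx/easy-rsa/keys/{{ item }} -outform der -pubout
    | openssl dgst -sha256 -binary
    | openssl enc -base64
  with_items:
    - munin.{{ hostname }}.key
    - ca.key
  register: hpkpinfo
  changed_when: false
  # failed_when replaces the default non-zero-rc check: only an "unable ..."
  # message from openssl (e.g. a key that easy-rsa.yml did not create) fails
  # the task.
  failed_when: "'unable' in hpkpinfo.stderr"
  # Must also run in --check mode because the vhost template reads hpkpinfo.
  # Later Ansible releases replace always_run with "check_mode: false".
  always_run: true
  tags: [munin]

- name: Add munin.{{ hostname }}
  template:
    src: etc/nginx/sites-available/munin
    dest: /etc/nginx/sites-available/munin.{{ hostname }}
  notify:
    - restart nginx
  tags: [munin]

- name: Enable munin.{{ hostname }}
  file:
    src: /etc/nginx/sites-available/munin.{{ hostname }}
    dest: /etc/nginx/sites-enabled/99munin.{{ hostname }}
    state: link
  notify:
    - restart nginx
  tags: [munin]

- name: Enable extra Munin plugins
  file:
    src: /usr/share/munin/plugins/{{ item }}
    dest: /etc/munin/plugins/{{ item }}
    state: link
  with_items:
    - nginx_request
    - nginx_status
  notify:
    - restart munin-node
  tags: [munin]

- name: Copy custom Nginx-related Munin plugins
  copy:
    src: etc/munin/plugins/{{ item }}
    dest: /etc/munin/plugins/{{ item }}
    mode: "0755"  # quoted so the octal string is not parsed as an integer
  with_items:
    - nginx_requests_by_vhost
  notify:
    - restart munin-node
  tags: [munin]

- name: Configure custom Munin plugins
  template:
    src: etc/munin/plugin-conf.d/{{ item }}
    dest: /etc/munin/plugin-conf.d/{{ item }}
  with_items:
    - nginx_requests_by_vhost
  notify:
    - restart munin-node
  tags: [munin]

- name: Monitor Nginx with Monit
  file:
    src: /etc/monit/monitrc.d/nginx
    dest: /etc/monit/conf.d/nginx
    state: link
  notify:
    - reload monit
  tags: [monit]

# Opens only the ufw application profiles shipped by nginx (80/443).
- name: Allow HTTP and HTTPS
  ufw:
    rule: allow
    name: "{{ item }}"
  with_items:
    - Nginx HTTP
    - Nginx HTTPS
  tags: [ufw]
...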