Anton Shestakov <av6@dwimlabs.net>, Sat, 25 Jun 2016 12:28:29 +0800
remove commented out CSP header (not used)
roles/nginx/tasks/main.yml
Permissions: -rw-r--r--
# Ansible tasks for the nginx role: package install, nginx status site, DH
# parameters, HPKP pin extraction, the Munin vhost and plugins, Monit, and ufw.
# NOTE(review): this listing is incomplete. Several `- name:`, module,
# `with_items:` and `register:` lines are not visible, so the fragments below
# are kept in their original order with only line breaks restored.
apt: pkg={{ item }} state=present
    - easy-rsa # for munin certificate auth
    - libwww-perl # for munin plugins
- name: Disable default site
  file: path=/etc/nginx/sites-enabled/default state=absent
# The status endpoint's listen address and access rules live in the copied
# site file, which is not shown here.
- name: Add nginx status server
  copy: src=etc/nginx/sites-available/nginx_status dest=/etc/nginx/sites-available/nginx_status
  # NOTE(review): this symlink into sites-enabled presumably belongs to the
  # "Enable Nginx status server" task named on the next line.
  file: src=/etc/nginx/sites-available/nginx_status dest=/etc/nginx/sites-enabled/nginx_status state=link
- name: Enable Nginx status server
- name: Create a Diffie-Hellman key exchange parameters file
  # The start of the command is not visible (presumably `openssl dhparam`).
  # -dsaparam is added only when the host reports virtualbox virtualization.
  # NOTE(review): -dsaparam trades the safe-prime search for speed, and
  # `creates:` skips regeneration once the file exists. Confirm that a file
  # generated on a VirtualBox guest never reaches a production host.
  {% if ansible_virtualization_type == "virtualbox" %}-dsaparam{% endif %} -out /etc/nginx/dh-2048.pem
    creates: /etc/nginx/dh-2048.pem
- name: Extract information for HPKP header
  # Reads each listed key, emits the DER-encoded public key and pipes it into
  # a binary SHA-256 digest. Any later encoding step is not visible here.
  # NOTE(review): browsers have since dropped HPKP support, so a pin built
  # from this value has no protective effect in current clients.
  openssl rsa -in /etc/nginx/easy-rsa/keys/{{ item }} -outform der -pubout | openssl dgst -sha256 -binary
    - munin.{{ hostname }}.key
  # Fails the task only when stderr contains 'unable'. hpkpinfo is presumably
  # set by a `register:` line that is not visible.
  # NOTE(review): other openssl failures, or a failure on the left side of the
  # pipe, may pass this check and produce a wrong pin. Verify.
  failed_when: "'unable' in hpkpinfo.stderr"
- name: Add munin.{{ hostname }}
  template: src=etc/nginx/sites-available/munin dest=/etc/nginx/sites-available/munin.{{ hostname }}
- name: Enable munin.{{ hostname }}
  file: src=/etc/nginx/sites-available/munin.{{ hostname }} dest=/etc/nginx/sites-enabled/99munin.{{ hostname }} state=link
- name: Enable extra Munin plugins
  # The plugin list for this loop is not visible in this listing.
  file: src=/usr/share/munin/plugins/{{ item }} dest=/etc/munin/plugins/{{ item }} state=link
- name: Copy custom Nginx-related Munin plugins
  # Installs the plugin as executable (0755). No owner or group is set here.
  copy: src=etc/munin/plugins/{{ item }} dest=/etc/munin/plugins/{{ item }} mode=0755
    - nginx_requests_by_vhost
- name: Configure custom Munin plugins
  template: src=etc/munin/plugin-conf.d/{{ item }} dest=/etc/munin/plugin-conf.d/{{ item }}
    - nginx_requests_by_vhost
- name: Monitor Nginx with Monit
  file: src=/etc/monit/monitrc.d/nginx dest=/etc/monit/conf.d/nginx state=link
- name: Allow HTTP and HTTPS
  # Opens the firewall for each listed ufw application profile. The profile
  # names (the loop items) are not visible in this listing.
  ufw: rule=allow name='{{ item }}'