# SPDX-FileCopyrightText: 2023 Aravinth Manivannan <realaravinth@batsense.net>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
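---
# Play: turn a Debian bullseye host into an nginx load balancer for libreddit.
# Execution order follows Ansible semantics: pre_tasks, then the
# dev-sec.nginx-hardening role, then tasks, then any notified handlers.
- name: Configure loadbalancers
  hosts: bullseye_loadbalance
  remote_user: atm
  become: true  # play-wide privilege escalation; individual tasks do not repeat it

  # nginx has to be installed before the hardening role edits its configuration.
  pre_tasks:
    - name: Install nginx
      ansible.builtin.apt:
        update_cache: true
        pkg:
          - nginx
          - ca-certificates

  collections:
    - devsec.hardening

  roles:
    - dev-sec.nginx-hardening

  tasks:
    # append: true keeps the account's existing supplementary groups. Without
    # it `groups` replaces the whole list, which can silently strip the group
    # that grants `become` to remote_user atm and break the next run.
    # Assumes both groups already exist on the host; the module fails otherwise.
    - name: Add user atm to users and admin groups
      ansible.builtin.user:
        name: atm
        groups: users,admin
        append: true

    - name: Set logging
      community.general.ufw:
        logging: "on"

    # Allow rules are written before UFW is enabled, so there is no window in
    # which a new SSH connection to the host could be rejected.
    - name: Allow port 22
      community.general.ufw:
        rule: allow
        proto: tcp
        port: "22"

    - name: Allow port 80
      community.general.ufw:
        rule: allow
        proto: tcp
        port: "80"

    - name: Allow port 443
      community.general.ufw:
        rule: allow
        proto: tcp
        port: "443"

    - name: Enable UFW
      community.general.ufw:
        state: enabled

    - name: Enable and start ufw service
      ansible.builtin.service:
        name: ufw
        enabled: true
        state: started

    # Both config tasks notify the handler below, so nginx is restarted only
    # when the site file or its symlink actually changed (idempotent runs).
    - name: Copy the Nginx config file and restart nginx
      ansible.builtin.copy:
        src: ./assets/nginx.cfg
        dest: /etc/nginx/sites-available/libreddit
      notify: Restart nginx

    - name: Create symlink
      ansible.builtin.file:
        src: /etc/nginx/sites-available/libreddit
        dest: /etc/nginx/sites-enabled/libreddit
        state: link
      notify: Restart nginx

    # NOTE(review): the Debian package's default site remains linked in
    # sites-enabled/default; confirm assets/nginx.cfg declares default_server
    # or that the default site is meant to stay.
    - name: Enable and start nginx service
      ansible.builtin.service:
        name: nginx
        enabled: true
        state: started

  handlers:
    # Runs at the end of the play, once, only if a notifying task reported a change.
    - name: Restart nginx
      ansible.builtin.service:
        name: nginx
        state: restarted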