library: small fixes.

d4science-gcube/roles/mediawiki_setup/templates/nginx-mediawiki.j2: First attempt at an nginx SSL config.
Andrea Dell'Amico 2015-06-14 23:39:13 +02:00
parent ea27bed983
commit d69a92292c
11 changed files with 52 additions and 27 deletions


@ -1,4 +1,5 @@
---
- include: fail2ban.yml
when: is_trusty
when: ( is_trusty ) or ( is_debian8 )


@ -40,4 +40,3 @@
#iptables_default_policy: REJECT
iptables_default_policy: ACCEPT
iptables_open_all_to_isti_nets: False


@ -20,3 +20,6 @@
when: is_trusty
- name: Start the netfilter service
service: name=netfilter-persistent state=started
notify: Restart fail2ban
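Review bot: The new `Start the netfilter service` handler uses `state=started`, which Ansible treats as a no-op when the service is already active, so a changed `/etc/iptables/rules.v4` would likely not be loaded on a host where netfilter-persistent has already run. Consider `service: name=netfilter-persistent state=restarted` so that a rules change is actually applied. The chained `notify: Restart fail2ban` inside a handler deserves a one-line comment saying why fail2ban must be restarted after the ruleset is loaded, if that is the intent. The handlers file starts outside this hunk.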


@ -12,8 +12,7 @@
with_items:
- rules.v4
when: is_ubuntu_between_10_04_and_11_04_and_is_debian_6
notify:
- Start the iptables service on Ubuntu < 12.04
notify: Start the iptables service on Ubuntu < 12.04
tags:
- iptables
- iptables_rules
@ -23,9 +22,21 @@
with_items:
- rules.v4
- rules.v6
when: ( is_not_ubuntu_less_than_precise ) or ( is_debian7)
notify:
- Start the iptables service
when:
- is_not_ubuntu_less_than_precise
- is_debian7
notify: Start the iptables service
tags:
- iptables
- iptables_rules
- name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On debian 8
template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
with_items:
- rules.v4
- rules.v6
when: is_debian8
notify: Start the netfilter service
tags:
- iptables
- iptables_rules
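Review bot: The rewritten `when:` on the rules task turns an OR into an AND: Ansible requires every item of a `when` list to be true, so `- is_not_ubuntu_less_than_precise` / `- is_debian7` no longer matches a host that satisfies only one of them, and such a host would get no iptables rules file. Keep the single expression, `when: ( is_not_ubuntu_less_than_precise ) or ( is_debian7 )`. The same list form appears in the denyhosts tasks file and on the `include: denyhost.yml` line further down the page, where `is_debian_7_or_older` (Debian only) is combined with `is_ubuntu_less_than_trusty`; if the latter is Ubuntu-only, as its name suggests, those conditions can never both hold and denyhosts is skipped everywhere. Which side each line belongs to is inferred from print order and the hunk counts, since the +/- markers are lost on this page.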


@ -20,7 +20,7 @@
# ssh is always open. We use denyhosts to prevent unauthorized accesses
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
{% endif %}
{% if iptables_open_all_to_isti_nets %}
{% if iptables_open_all_to_isti_nets is defined and iptables_open_all_to_isti_nets %}
# Permit all traffic from our networks
-A INPUT -s {{ network.isti }} -j ACCEPT
-A INPUT -s {{ network.nmis }} -j ACCEPT
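Review bot: The context comment `# ssh is always open. We use denyhosts to prevent unauthorized accesses` is out of date for hosts that this commit moves to fail2ban (trusty and Debian 8 include `fail2ban.yml`, and denyhosts is limited to older releases). I would reword it to `# ssh is always open; brute-force protection comes from denyhosts or fail2ban, depending on the release`. The `is defined` guard on `iptables_open_all_to_isti_nets` fails closed when the variable is missing, which is the safe direction, but `network.isti` and `network.nmis` are still dereferenced unguarded inside the block. The `{% if %}` that encloses the ssh rule starts outside the hunk.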


@ -103,11 +103,13 @@ has_apt: "('{{ ansible_distribution }}' == 'Debian' or '{{ ansible_distribution
is_debian: "'{{ ansible_distribution }}' == 'Debian'"
#is_debian7: "'{{ ansible_distribution }}' == 'Debian' and {{ ansible_lsb['major_release'] }} == 7"
is_debian8: "'{{ ansible_distribution_release }}' == 'jessie'"
is_debian7: "'{{ ansible_distribution_release }}' == 'wheezy'"
is_debian6: "('{{ ansible_distribution }}' == 'Debian' and {{ ansible_lsb['major_release'] }} == 6)"
is_debian5: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_lsb['major_release'] }} == 5"
is_debian4: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_lsb['major_release'] }} == 4"
is_not_debian6: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_lsb['major_release'] }} != 6"
is_debian_7_or_older: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_distribution_major_version }} <= 7"
is_debian_less_than6: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_lsb['major_release'] }} < 6"
is_not_debian_less_than_6: "('{{ ansible_distribution }}' != 'Debian') or (('{{ ansible_distribution }}' == 'Debian' or '{{ ansible_distribution }}' == 'Ubuntu') and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_lsb['major_release'] }} >= 6)"
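Review bot: `is_debian_7_or_older` pastes `ansible_distribution_major_version` into a bare numeric comparison, so on a Debian host where that fact is not a number (testing/sid style values other than `lenny/sid`) the rendered expression may fail to evaluate rather than return false. Since this variable now gates the denyhosts tasks, a short comment such as `# assumes a numeric major version; stable releases only` above it would help. `is_debian8` matches on the codename alone, consistent with `is_debian7` but unlike the `is_debian6` family, which also checks `ansible_distribution`. Which lines are the added ones is inferred from the hunk counts.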


@ -1,34 +1,35 @@
---
- name: install denyhosts on debian <=7 and ubuntu <= 12.04
apt: pkg={{ item }} state=installed
when: is_ubuntu_less_than_trusty
with_items:
- denyhosts
when: is_not_trusty
tags:
- denyhosts
when:
- is_debian_7_or_older
- is_ubuntu_less_than_trusty
tags: denyhosts
- name: ensure CM can access the VMs
action: |
lineinfile name=/etc/hosts.allow regexp="sshd: 146.48.123.18$" line="sshd: 146.48.123.18"
when: is_not_trusty
tags:
- denyhosts
when:
- is_debian_7_or_older
- is_ubuntu_less_than_trusty
tags: denyhosts
- name: ensure Monitoring can connect via ssh
action: |
lineinfile name=/etc/hosts.allow regexp="sshd: 146.48.123.23$" line="sshd: 146.48.123.23"
when: is_not_trusty
tags:
- denyhosts
- monitoring
when:
- is_debian_7_or_older
- is_ubuntu_less_than_trusty
tags: denyhosts
- name: Set the treshold for root on the denyhosts config file
lineinfile: |
name=/etc/denyhosts.conf regexp="^DENY_THRESHOLD_ROOT = " line="DENY_THRESHOLD_ROOT = 5"
when: is_not_trusty
tags:
- denyhosts
notify:
- Restart denyhosts
when:
- is_debian_7_or_older
- is_ubuntu_less_than_trusty
notify: Restart denyhosts
tags: denyhosts
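Review bot: The first task appears to carry two `when` keys, `when: is_ubuntu_less_than_trusty` directly under the `apt:` line and the new two-item list further down; if both are on the new side, most YAML parsers silently keep the last one, so one of them should be deleted. The task `ensure Monitoring can connect via ssh` also loses its `monitoring` tag (`tags: denyhosts`), so a run limited to `--tags monitoring` no longer maintains that `hosts.allow` entry; `tags: [denyhosts, monitoring]` keeps the old behaviour. The +/- markers are lost on this page, so the side of each line is inferred.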


@ -9,7 +9,9 @@
- include: disable-ipv6-old-servers.yml
when: disable_ipv6
- include: denyhost.yml
when: is_not_trusty
when:
- is_debian_7_or_older
- is_ubuntu_less_than_trusty
- include: munin.yml
when: configure_munin
- include: pubkeys.yml


@ -45,6 +45,13 @@
tags:
- wheezy-backports
- name: Install the backports repository on debian 8
apt_repository: repo='deb http://http.debian.net/debian jessie-backports main' state=present
register: update_apt_cache
when: is_debian8
tags:
- wheezy-backports
- name: apt key for the internal ppa repository
apt_key: url=http://ppa.research-infrastructures.eu/system/keys/system-archive.asc state=present
when: is_ubuntu
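Review bot: If the wheezy task above also registers `update_apt_cache`, the new `register: update_apt_cache` will overwrite it with a skipped result on wheezy hosts, because a skipped task still sets its registered variable; a distinct name such as `register: update_apt_cache_jessie` is safer. The new task also reuses the `wheezy-backports` tag for the jessie repository, which makes tag-limited runs misleading. The context line `apt_key: url=http://ppa.research-infrastructures.eu/system/keys/system-archive.asc` fetches a signing key over plain HTTP and is not touched by this commit; an https URL or a pinned key `id` would protect the repository trust root. The task list continues outside the hunk.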


@ -3,7 +3,7 @@ varnish_version: 4.0
varnish_repo: True
varnish_repo_requirements:
- apt-transport-https
varnish_repo_url: "https://repo.varnish-cache.org/debian/ wheezy varnish-{{ varnish_version }}"
varnish_repo_url: "https://repo.varnish-cache.org/debian/ {{ ansible_distribution_release }} varnish-{{ varnish_version }}"
varnish_pkg_name: varnish
varnish_pkg_state: present
varnish_enabled: True
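Review bot: `varnish_repo_url` now takes the suite from `ansible_distribution_release` while the path stays `/debian/`, so on an Ubuntu host, or on a Debian release the varnish repository does not publish, the rendered apt line would point at a suite that may not exist. A comment such as `# Debian only; the release must exist on repo.varnish-cache.org` above the variable would document that, or the role could guard the repository task on `is_debian`.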


@ -16,7 +16,6 @@ yii_framework_dir: '{{ yii_install_dir }}/yii-{{ yii_version }}'
yii_php_modules:
- php-xml-dtd
- php-xml-parser
- php-xml-serializer
- php5-imagick
- php5-memcache
- php5-xcache