author | Matthieu Saulnier <fantom@fedoraproject.org> | 2019-02-17 17:00:40 +0100 |
---|---|---|
committer | Matthieu Saulnier <fantom@fedoraproject.org> | 2019-02-17 17:00:40 +0100 |
commit | c3629a8be52a5a508a80887d1293e7fffb9c45be (patch) | |
tree | bcff459ca4cb30db6c572b1695e0d44d07941317 /roles | |
parent | 41eedacd2b2d0a25be93280555c53d28a7bc6060 (diff) | |
download | playbooks-ansible-c3629a8be52a5a508a80887d1293e7fffb9c45be.tar.gz playbooks-ansible-c3629a8be52a5a508a80887d1293e7fffb9c45be.tar.xz playbooks-ansible-c3629a8be52a5a508a80887d1293e7fffb9c45be.zip |
Minor changes:
remove meta which was false
add http header in caddyfile
update keys and certificates version
add certification authority (CAA) information in dns zone files
Diffstat (limited to 'roles')
-rw-r--r-- | roles/clients/tasks/pkgs.yml | 1 | ||||
-rw-r--r-- | roles/common/meta/main.yml | 1 | ||||
-rw-r--r-- | roles/common/meta/ssh.yml | 4 | ||||
-rw-r--r-- | roles/common/tasks/ca.yml | 11 | ||||
-rw-r--r-- | roles/common/tasks/ssh.yml | 4 | ||||
-rw-r--r-- | roles/dnsserver/files/admin.casperlefantom.net.zone | 3 | ||||
-rw-r--r-- | roles/dnsserver/files/casperlefantom.net.zone | 3 | ||||
-rw-r--r-- | roles/dnsserver/files/home.casperlefantom.net.zone | 3 | ||||
-rw-r--r-- | roles/proxy/defaults/main.yml | 2 | ||||
-rw-r--r-- | roles/proxy/templates/squid.conf.j2 | 2 | ||||
-rw-r--r-- | roles/reverseproxy/templates/Caddyfile.j2 | 6 | ||||
-rw-r--r-- | roles/reverseproxy/vars/main.yml | 1 |
12 files changed, 23 insertions, 18 deletions
diff --git a/roles/clients/tasks/pkgs.yml b/roles/clients/tasks/pkgs.yml
index b807e7b..3670573 100644
--- a/roles/clients/tasks/pkgs.yml
+++ b/roles/clients/tasks/pkgs.yml
@@ -190,6 +190,7 @@ - mesa-vdpau-drivers - xvattr - lshw + - sslscan - name: Installation des paquets codecs package:
diff --git a/roles/common/meta/main.yml b/roles/common/meta/main.yml
deleted file mode 100644
index 0154c4f..0000000
--- a/roles/common/meta/main.yml
+++ /dev/null
@@ -1 +0,0 @@
-- import_tasks: ssh.yml
diff --git a/roles/common/meta/ssh.yml b/roles/common/meta/ssh.yml
deleted file mode 100644
index 0105595..0000000
--- a/roles/common/meta/ssh.yml
+++ /dev/null
@@ -1,4 +0,0 @@
-- name: restart sshd
- service:
- name: sshd
- state: restarted
diff --git a/roles/common/tasks/ca.yml b/roles/common/tasks/ca.yml
index 72f1730..74bde08 100644
--- a/roles/common/tasks/ca.yml
+++ b/roles/common/tasks/ca.yml
@@ -3,15 +3,16 @@ src: root.pem dest: /etc/pki/ca-trust/source/anchors/root.pem mode: 0444 + register: cafile -- name: Installation de l'autorité de certification CACert - copy: - src: cacert.pem - dest: /etc/pki/ca-trust/source/anchors/cacert.pem - mode: 0444 +- name: Désinstallation de l'autorité de certification CACert + file: + path: /etc/pki/ca-trust/source/anchors/cacert.pem + state: absent - name: Mise à jour de la base de confiance CA command: /usr/bin/update-ca-trust + when: cafile is changed - name: Installation CA personnel pour applis serveur copy:
diff --git a/roles/common/tasks/ssh.yml b/roles/common/tasks/ssh.yml
index ae301cd..a12bc7c 100644
--- a/roles/common/tasks/ssh.yml
+++ b/roles/common/tasks/ssh.yml
@@ -5,7 +5,7 @@ backrefs: yes regexp: "^PasswordAuthentication yes" line: "PasswordAuthentication no" - meta: restart sshd + # never restart ssh daemon during the run - name: Décommenter option par défaut lineinfile: 
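Review bot: `when: cafile is changed` gates /usr/bin/update-ca-trust on the root.pem copy alone, so the new `file: state: absent` removal of cacert.pem never triggers a trust-store rebuild and the CACert anchor stays trusted in the consolidated bundle until root.pem next changes. Register the removal too and rebuild when either task changed: `register: cacertfile` on the file task and `when: cafile is changed or cacertfile is changed` on the command task. The copy task whose `src: root.pem` lines open the hunk starts before it, so the `register: cafile` placement should be checked against that task's indentation outside the hunk.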
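Review bot: Replacing `meta: restart sshd` with the comment `# never restart ssh daemon during the run` leaves the `PasswordAuthentication no` edit to sshd_config unapplied until something else restarts sshd, so the hardening is not in effect when the play finishes. The idiomatic fix is a handler (the content of the deleted roles/common/meta/ssh.yml belongs in roles/common/handlers/main.yml) plus `notify: restart sshd` on the lineinfile task; handlers run after all edits, and on systemd hosts a restart of sshd should not drop established sessions, though that is worth confirming for the target platforms. If the restart must stay out, add `validate: /usr/sbin/sshd -t -f %s` to each lineinfile so a broken config cannot be left on disk for the next restart. The same replacement appears in the second ssh.yml hunk (the `PermitRootLogin yes` edit, on the next line); each lineinfile task starts before its hunk.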
@@ -14,7 +14,7 @@ backrefs: yes regexp: "^#PermitRootLogin yes" line: "PermitRootLogin yes" - meta: restart sshd + # never restart ssh daemon during the run - name: Ouverture du port ssh secondaire firewalld:
diff --git a/roles/dnsserver/files/admin.casperlefantom.net.zone b/roles/dnsserver/files/admin.casperlefantom.net.zone
index 72ce961..4bc8edb 100644
--- a/roles/dnsserver/files/admin.casperlefantom.net.zone
+++ b/roles/dnsserver/files/admin.casperlefantom.net.zone
@@ -1,6 +1,6 @@ $ttl 86400 admin.casperlefantom.net. IN SOA nse.admin.casperlefantom.net. hostmaster.casperlefantom.net. ( -2019012300 +2019021600 10800 3600 604800
@@ -14,6 +14,7 @@ admin.casperlefantom.net. IN SOA nse.admin.casperlefantom.net. hostmaster.casper @ IN A 82.247.103.117 @ IN AAAA 2a01:e35:2f76:7750::4 +@ IN CAA 128 issue "Matthieu Saulnier Root CA" lancaster IN A 82.247.103.117 lancaster IN AAAA 2a01:e35:2f76:7750::4
diff --git a/roles/dnsserver/files/casperlefantom.net.zone b/roles/dnsserver/files/casperlefantom.net.zone
index 552ed5b..7cc8e3a 100644
--- a/roles/dnsserver/files/casperlefantom.net.zone
+++ b/roles/dnsserver/files/casperlefantom.net.zone
@@ -1,6 +1,6 @@ $ttl 86400 casperlefantom.net. IN SOA nse.casperlefantom.net. hostmaster.casperlefantom.net. ( -2019020500 ; serial number +2019021601 ; serial number 86400 ; refresh 3600 ; retry 1209600 ; expire
@@ -32,6 +32,7 @@ admin IN NS nse.admin.casperlefantom.net. @ IN AAAA 2a00:c70:1:178:170:58:2:b50d @ IN AAAA 2a00:c70:1:109:238:2:40:bad @ IN TXT "v=spf1 mx mx:casperlefantom.net mx:jaysfoodventure.com ip4:82.247.103.117 ip6:2a01:e35:2f76:7750::4 -all" +@ IN CAA 128 issue "Let's Encrypt Authority X3" home IN A 192.168.0.25
diff --git a/roles/dnsserver/files/home.casperlefantom.net.zone b/roles/dnsserver/files/home.casperlefantom.net.zone
index 85487df..38de36f 100644
--- a/roles/dnsserver/files/home.casperlefantom.net.zone
+++ b/roles/dnsserver/files/home.casperlefantom.net.zone 
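Review bot: The value of a CAA `issue` property must be the issuer domain name the CA publishes for itself (RFC 6844, now RFC 8659), not a CA display name, so `@ IN CAA 128 issue "Let's Encrypt Authority X3"` in casperlefantom.net.zone matches no CA, and an issue set that matches no CA forbids every public CA from issuing for that zone, which would break the automatic certificates the Caddyfile's `tls {{ email }}` depends on. It should read `@ IN CAA 128 issue "letsencrypt.org"`. The `"Matthieu Saulnier Root CA"` records in admin.casperlefantom.net.zone (this hunk) and home.casperlefantom.net.zone (next line) likewise name no public issuer; if the intent is that only the private root CA signs for those zones, the conventional way to state it is `@ IN CAA 128 issue ";"`, with a `;` comment on the line saying so, since a reader cannot tell a deliberate block from a typo. Note also that 128 only marks the property critical for CAs that do not understand the tag; it does not change what `issue` matches.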
@@ -1,6 +1,6 @@ $ttl 86400 home.casperlefantom.net. IN SOA nsf.home.casperlefantom.net. hostmaster.casperlefantom.net. ( -2019020500 +2019021600 10800 3600 604800
@@ -16,6 +16,7 @@ home.casperlefantom.net. IN SOA nsf.home.casperlefantom.net. hostmaster.casperle @ IN A 192.168.0.25 @ IN A 10.42.0.52 @ IN AAAA 2a01:e35:2f76:7750::4 +@ IN CAA 128 issue "Matthieu Saulnier Root CA" nsa IN A 192.168.0.25 nsa IN A 10.42.0.52
diff --git a/roles/proxy/defaults/main.yml b/roles/proxy/defaults/main.yml
index c46cced..422c194 100644
--- a/roles/proxy/defaults/main.yml
+++ b/roles/proxy/defaults/main.yml
@@ -2,7 +2,7 @@ localnet: 192.168.0.0 fwdport: 8200 revport: 80 revports: 443 -crtversion: 1 +crtversion: 2 maindomain: casperlefantom.net peers: - [ '9090', 'cockpit', 'vhost_cockpit', 'localhost', '127.0.0.1', 'no' ]
diff --git a/roles/proxy/templates/squid.conf.j2 b/roles/proxy/templates/squid.conf.j2
index e1a7975..c16da3e 100644
--- a/roles/proxy/templates/squid.conf.j2
+++ b/roles/proxy/templates/squid.conf.j2
@@ -17,7 +17,7 @@ http_port {{ item }}:{{ revport }} accel ignore-cc https_port {{ item }}:{{ revports }} accel ignore-cc \ cert=/etc/pki/tls/certs/{{ maindomain }}.{{ crtversion }}.crt \ key=/etc/pki/tls/private/{{ maindomain }}.{{ crtversion }}.key \ - tls-dh=secp256k1:/etc/pki/tls/certs/dhparam-4096.pem \ + tls-dh=secp384r1:/etc/pki/tls/certs/dhparam-4096.{{ crtversion }}.pem \ crlfile=/etc/pki/tls/certs/crt-crl.pem \ cipher=HIGH:!aNULL:!MD5:!RC4 \ options=NO_SSLv3,CIPHER_SERVER_PREFERENCE \
diff --git a/roles/reverseproxy/templates/Caddyfile.j2 b/roles/reverseproxy/templates/Caddyfile.j2
index 335bd47..a54c55e 100644
--- a/roles/reverseproxy/templates/Caddyfile.j2
+++ b/roles/reverseproxy/templates/Caddyfile.j2 
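Review bot: `tls-dh=secp384r1:/etc/pki/tls/certs/dhparam-4096.{{ crtversion }}.pem` ties the DH parameter file name to `crtversion`, so the bump to `crtversion: 2` in roles/proxy/defaults/main.yml now also requires a `dhparam-4096.2.pem` on every proxy host; nothing in this diff ships one (the diffstat is limited to roles, so it may come from elsewhere), and Squid will most likely refuse to open the https_port if the file is absent. DH parameters and certificates rotate on different schedules, so a name that does not embed the certificate version, or a separate `dhversion` variable, would keep the two independent. The move from secp256k1 to secp384r1 itself is sound. The https_port directive continues past the hunk on both sides.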
@@ -51,6 +51,12 @@ {{ item }} { tls {{ email }} gzip + header / { + Strict-Transport-Security "max-age=31536000;" + X-XSS-Protection "1; mode=block" + X-Content-Type-Options "nosniff" + X-Frame-Options "DENY" + } log {{ item }}_access.log { rotate_size 1 rotate_keep 10
diff --git a/roles/reverseproxy/vars/main.yml b/roles/reverseproxy/vars/main.yml
index f1a99c0..2955b68 100644
--- a/roles/reverseproxy/vars/main.yml
+++ b/roles/reverseproxy/vars/main.yml
@@ -5,7 +5,6 @@ localnet: 192.168.0.0 publicstatic: - "{{ ansible_hostname }}.casperlefantom.net" - - jaysfoodventure.com publicredir: - www.casperlefantom.net - blog.casperlefantom.net |
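Review bot: `X-XSS-Protection "1; mode=block"` turns on the browser XSS auditor, which is deprecated and has since been removed from Chromium because the filter itself could be abused to leak page contents; current guidance is `X-XSS-Protection "0"` or dropping the header and relying on a Content-Security-Policy instead. The HSTS value `"max-age=31536000;"` carries a trailing `;` that browsers tolerate but that reads like a leftover from the Caddy docs example; `"max-age=31536000"` is cleaner, and `includeSubDomains` should only be added once every subdomain of each `{{ item }}` host serves HTTPS. The enclosing `{{ item }} {` site block starts before the hunk, so it is not visible which hosts the loop covers.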