Kapisi/roles/WebServer/tasks/main.yml

---

 - name: Install components
   become: yes
   package:
     name: "{{ item }}"
     state: present
   loop:
     - nginx
     - libmodsecurity
     - nginx-mod-modsecurity
     - php
     - php-fpm

 - name: Config directories
   become: yes
   file:
     path: "{{ item }}"
     state: directory
     owner: http
     group: http
     mode: 0750
   loop:
     - /usr/share/webapps/aninix
     - /var/lib/letsencrypt
     - /etc/nginx/conf
     - /etc/nginx/conf.d
     - /etc/modsecurity
     - /var/log/modsec
     - /var/log/modsec/tmp
     - /var/log/modsec/data
     - /var/log/modsec/audit
     - /var/log/modsec/uploads

 - name: Copy PHP config
   become: yes
   copy:
     src: php.ini
     dest: /etc/php/php.ini
     owner: root
     group: root
     mode: 0755

 - name: Copy conf.d
   become: yes
   copy:
     src: "conf.d/{{ inventory_hostname }}/"
     dest: /etc/nginx/conf.d/
     owner: http
     group: http
     mode: 0660
     directory_mode: 0770
     follow: true
   register: confd

 - name: Copy conf
   become: yes
   copy:
     src: conf/
     dest: /etc/nginx/conf/
     owner: http
     group: http
     mode: 0660
     follow: true
   register: conf

 - name: Copy conf
   become: yes
   copy:
     src: apps/
     dest: /usr/share/webapps/aninix
     owner: http
     group: http
     mode: 0660
     follow: true

 - name: Nginx pidfile
   become: yes
   ignore_errors: true
   file:
     path: /run/nginx.pid
     state: touch
     owner: http
     group: http
     mode: 0640

 - name: Nginx log folder
   become: yes
   file:
     path: /var/log/nginx
     state: directory
     owner: http
     group: http
     mode: 0750

 - name: Populate security config
   become: yes
   template:
     src: conf/sec.conf.j2
     dest: /etc/nginx/conf/sec.conf
     owner: http
     group: http
     mode: 0660
   register: secconf

 - name: Clone OWASP-CRS
   ignore_errors: true
   become: yes
   git:
     repo: https://github.com/coreruleset/coreruleset.git
     update: yes
     force: yes
     single_branch: yes
     dest: /usr/share/owasp-modsecurity-crs
     umask: "0022"

 - name: Modsecurity config
   become: yes
   register: modsecconf
   copy:
     dest: /etc/modsecurity/main.conf
     src: modsec.conf
     owner: http
     group: http
     mode: 0750
     validate: /usr/bin/modsec-rules-check %s

 - name: Modsecurity logrotate
   become: yes
   copy:
     dest: /etc/logrotate.d/modsecurity
     src: logrotate.modsec.conf
     owner: root
     group: root
     mode: 0644

 - name: Copy conf
   become: yes
   copy:
     src: nginx.conf
     dest: /etc/nginx/nginx.conf
     owner: http
     group: http
     mode: 0660
     follow: true
     #validate: nginx -t -p /etc/nginx -c %s # Commented due to base pathing issues
   register: baseconf

 - name: Ensure service is started
   become: yes
   when: conf.changed or confd.changed or secconf.changed or baseconf.changed or modsecconf.changed
   service:
     name: "{{ item }}"
     enabled: yes
     state: restarted
   loop:
     - php-fpm
     - nginx
Updating Ubiqtorate 2020-10-08 16:33:19 -05:00			`---`
Adding minor webapps to WebServer tracking 2024-01-12 13:06:58 -06:00
Moving from openresty to nginx+modsec for HTTP/2 Rapid Reset reasons 2023-11-09 13:03:06 -06:00			`- name: Install components`
Updating Ubiqtorate 2020-10-08 16:33:19 -05:00			`become: yes`
			`package:`
Updating WebServer deployment 2022-09-15 14:23:34 -05:00			`name: "{{ item }}"`
Updating Ubiqtorate 2020-10-08 16:33:19 -05:00			`state: present`
Updating WebServer deployment 2022-09-15 14:23:34 -05:00			`loop:`
Moving from openresty to nginx+modsec for HTTP/2 Rapid Reset reasons 2023-11-09 13:03:06 -06:00			`- nginx`
			`- libmodsecurity`
			`- nginx-mod-modsecurity`
			`- php`
Updating WebServer deployment 2022-09-15 14:23:34 -05:00			`- php-fpm`

Adding minor webapps to WebServer tracking 2024-01-12 13:06:58 -06:00			`- name: Config directories`
			`become: yes`
			`file:`
			`path: "{{ item }}"`
			`state: directory`
			`owner: http`
			`group: http`
			`mode: 0750`
			`loop:`
			`- /usr/share/webapps/aninix`
AniNIX/Wiki#21 -- effecting renames for policy 2024-04-01 00:44:23 -05:00			`- /var/lib/letsencrypt`
Adding minor webapps to WebServer tracking 2024-01-12 13:06:58 -06:00			`- /etc/nginx/conf`
			`- /etc/nginx/conf.d`
			`- /etc/modsecurity`
			`- /var/log/modsec`
			`- /var/log/modsec/tmp`
			`- /var/log/modsec/data`
			`- /var/log/modsec/audit`
			`- /var/log/modsec/uploads`

Updating WebServer deployment 2022-09-15 14:23:34 -05:00			`- name: Copy PHP config`
			`become: yes`
			`copy:`
			`src: php.ini`
			`dest: /etc/php/php.ini`
			`owner: root`
			`group: root`
			`mode: 0755`

Updating Ubiqtorate 2020-10-08 16:33:19 -05:00			`- name: Copy conf.d`
			`become: yes`
			`copy:`
catchup 2023-10-08 12:28:14 -05:00			`src: "conf.d/{{ inventory_hostname }}/"`
Moving from openresty to nginx+modsec for HTTP/2 Rapid Reset reasons 2023-11-09 13:03:06 -06:00			`dest: /etc/nginx/conf.d/`
Updating Ubiqtorate 2020-10-08 16:33:19 -05:00			`owner: http`
			`group: http`
			`mode: 0660`
			`directory_mode: 0770`
catchup 2023-10-08 12:28:14 -05:00			`follow: true`
Updating WebServer deployment 2022-09-15 14:23:34 -05:00			`register: confd`
Updating Ubiqtorate 2020-10-08 16:33:19 -05:00
Updating WebServer deployment 2022-09-15 14:23:34 -05:00			`- name: Copy conf`
Updating Ubiqtorate 2020-10-08 16:33:19 -05:00			`become: yes`
			`copy:`
Updating WebServer deployment 2022-09-15 14:23:34 -05:00			`src: conf/`
Moving from openresty to nginx+modsec for HTTP/2 Rapid Reset reasons 2023-11-09 13:03:06 -06:00			`dest: /etc/nginx/conf/`
Updating Ubiqtorate 2020-10-08 16:33:19 -05:00			`owner: http`
			`group: http`
			`mode: 0660`
catchup 2023-10-08 12:28:14 -05:00			`follow: true`
Updating WebServer deployment 2022-09-15 14:23:34 -05:00			`register: conf`
Updating Ubiqtorate 2020-10-08 16:33:19 -05:00
Adding minor webapps to WebServer tracking 2024-01-12 13:06:58 -06:00			`- name: Copy conf`
			`become: yes`
			`copy:`
			`src: apps/`
			`dest: /usr/share/webapps/aninix`
			`owner: http`
			`group: http`
			`mode: 0660`
			`follow: true`

Removing duplicate resource 2024-01-12 16:17:55 -06:00			`- name: Nginx pidfile`
Moving from openresty to nginx+modsec for HTTP/2 Rapid Reset reasons 2023-11-09 13:03:06 -06:00			`become: yes`
			`ignore_errors: true`
			`file:`
			`path: /run/nginx.pid`
Catching up with automation 2024-04-01 00:47:05 -05:00			`state: touch`
Moving from openresty to nginx+modsec for HTTP/2 Rapid Reset reasons 2023-11-09 13:03:06 -06:00			`owner: http`
			`group: http`
			`mode: 0640`

			`- name: Nginx log folder`
			`become: yes`
			`file:`
			`path: /var/log/nginx`
			`state: directory`
			`owner: http`
			`group: http`
			`mode: 0750`

Catching up Webserver config 2022-12-18 22:21:39 -06:00			`- name: Populate security config`
			`become: yes`
			`template:`
catchup 2023-10-08 12:28:14 -05:00			`src: conf/sec.conf.j2`
Moving from openresty to nginx+modsec for HTTP/2 Rapid Reset reasons 2023-11-09 13:03:06 -06:00			`dest: /etc/nginx/conf/sec.conf`
Catching up Webserver config 2022-12-18 22:21:39 -06:00			`owner: http`
			`group: http`
			`mode: 0660`
catchup 2023-10-08 12:28:14 -05:00			`register: secconf`
Catching up Webserver config 2022-12-18 22:21:39 -06:00
Moving from openresty to nginx+modsec for HTTP/2 Rapid Reset reasons 2023-11-09 13:03:06 -06:00			`- name: Clone OWASP-CRS`
			`ignore_errors: true`
			`become: yes`
			`git:`
			`repo: https://github.com/coreruleset/coreruleset.git`
			`update: yes`
			`force: yes`
			`single_branch: yes`
			`dest: /usr/share/owasp-modsecurity-crs`
			`umask: "0022"`
Catching up Webserver config 2022-12-18 22:21:39 -06:00
Moving from openresty to nginx+modsec for HTTP/2 Rapid Reset reasons 2023-11-09 13:03:06 -06:00			`- name: Modsecurity config`
			`become: yes`
			`register: modsecconf`
			`copy:`
			`dest: /etc/modsecurity/main.conf`
			`src: modsec.conf`
			`owner: http`
			`group: http`
			`mode: 0750`
			`validate: /usr/bin/modsec-rules-check %s`

			`- name: Modsecurity logrotate`
			`become: yes`
			`copy:`
			`dest: /etc/logrotate.d/modsecurity`
			`src: logrotate.modsec.conf`
			`owner: root`
			`group: root`
			`mode: 0644`

			`- name: Copy conf`
			`become: yes`
			`copy:`
			`src: nginx.conf`
			`dest: /etc/nginx/nginx.conf`
			`owner: http`
			`group: http`
			`mode: 0660`
			`follow: true`
			`#validate: nginx -t -p /etc/nginx -c %s # Commented due to base pathing issues`
			`register: baseconf`
Updating Ubiqtorate 2020-10-08 16:33:19 -05:00
			`- name: Ensure service is started`
			`become: yes`
Moving from openresty to nginx+modsec for HTTP/2 Rapid Reset reasons 2023-11-09 13:03:06 -06:00			`when: conf.changed or confd.changed or secconf.changed or baseconf.changed or modsecconf.changed`
Updating Ubiqtorate 2020-10-08 16:33:19 -05:00			`service:`
Whitespace cleanup to get in sync with AniNIX/Uniglot hooks 2022-11-20 20:03:01 -06:00			`name: "{{ item }}"`
Updating Ubiqtorate 2020-10-08 16:33:19 -05:00			`enabled: yes`
			`state: restarted`
Updating WebServer deployment 2022-09-15 14:23:34 -05:00			`loop:`
			`- php-fpm`
Moving from openresty to nginx+modsec for HTTP/2 Rapid Reset reasons 2023-11-09 13:03:06 -06:00			`- nginx`