updated playbooks #3

Merged
merged 1 commit into from
Dec 6, 2024
Merged
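--- /dev/null
+++ b/playbooks/sanjna_playbooks/apache_ssl.yaml
@@ -0,0 +1,138 @@
+---
+- name: Install and configure Apache with SSL
+  hosts: all
+  become: yes
+  vars:
+    apache_port: 443
+    server_name: example.com
+    cert_dir: /etc/ssl/certs
+    key_dir: /etc/ssl/private
+    cert_name: apache_selfsigned
+
+  tasks:
+    - name: Update apt cache
+      apt:
+        update_cache: yes
+      when: ansible_os_family == "Debian"
+
+    - name: Install Apache and required modules
+      package:
+        name:
+          - apache2
+          - openssl
+        state: present
+
+    - name: Ensure SSL certificate directories exist
+      file:
+        path: "{{ item }}"
+        state: directory
+        mode: '0755'
+      loop:
+        - "{{ cert_dir }}"
+        - "{{ key_dir }}"
+
+    - name: Enable SSL and headers modules
+      apache2_module:
+        name: "{{ item }}"
+        state: present
+      loop:
+        - ssl
+        - headers
+      notify: Reload apache
+
+    - name: Check if SSL certificate exists
+      stat:
+        path: "{{ cert_dir }}/{{ cert_name }}.crt"
+      register: ssl_cert
+
+    - name: Generate self-signed SSL certificate
+      shell: |
+        openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
+          -keyout {{ key_dir }}/{{ cert_name }}.key \
+          -out {{ cert_dir }}/{{ cert_name }}.crt \
+          -subj "/C=US/ST=State/L=City/O=Organization/OU=IT Department/CN={{ server_name }}"
+      when: not ssl_cert.stat.exists
+      notify: Reload apache
+
+    - name: Set SSL certificate permissions
+      file:
+        path: "{{ item.path }}"
+        owner: root
+        group: root
+        mode: "{{ item.mode }}"
+      loop:
+        - { path: "{{ cert_dir }}/{{ cert_name }}.crt", mode: '0644' }
+        - { path: "{{ key_dir }}/{{ cert_name }}.key", mode: '0600' }
+      when: not ssl_cert.stat.exists
+
+    - name: Create Apache SSL configuration
+      copy:
+        dest: /etc/apache2/sites-available/default-ssl.conf
+        content: |
+          <IfModule mod_ssl.c>
+            <VirtualHost *:{{ apache_port }}>
+              ServerAdmin webmaster@localhost
+              ServerName {{ server_name }}
+              DocumentRoot /var/www/html
+
+              SSLEngine on
+              SSLCertificateFile {{ cert_dir }}/{{ cert_name }}.crt
+              SSLCertificateKeyFile {{ key_dir }}/{{ cert_name }}.key
+
+              <FilesMatch "\.(cgi|shtml|phtml|php)$">
+                SSLOptions +StdEnvVars
+              </FilesMatch>
+
+              <Directory /usr/lib/cgi-bin>
+                SSLOptions +StdEnvVars
+              </Directory>
+
+              ErrorLog ${APACHE_LOG_DIR}/error.log
+              CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+              # Modern SSL configuration
+              SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
+              SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+              SSLHonorCipherOrder off
+              SSLSessionTickets off
+
+              # HSTS (uncomment if you're sure)
+              # Header always set Strict-Transport-Security "max-age=63072000"
+            </VirtualHost>
+          </IfModule>
+        owner: root
+        group: root
+        mode: '0644'
+      notify: Reload apache
+
+    - name: Enable default SSL site
+      command: a2ensite default-ssl
+      notify: Reload apache
+
+    # Optional UFW configuration - only run if UFW is installed
+    - name: Check if UFW is installed
+      command: which ufw
+      register: ufw_check
+      ignore_errors: yes
+      changed_when: false
+
+    - name: Allow HTTPS through UFW firewall
+      community.general.ufw:
+        rule: allow
+        port: "{{ apache_port }}"
+        proto: tcp
+      when:
+        - ufw_check.rc == 0
+        - not ansible_virtualization_type in ['docker', 'container']
+
+    - name: Ensure Apache service is started and enabled
+      service:
+        name: apache2
+        state: started
+        enabled: yes
+
+  handlers:
+    - name: Reload apache
+      service:
+        name: apache2
+        state: reloaded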
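Review bot: The `Ensure SSL certificate directories exist` task applies the same `mode: '0755'` to both loop items, so `{{ key_dir }}` (`/etc/ssl/private`, which Debian ships as `0710`) becomes world-readable and world-listable and the key file is protected only by its own `0600`, which is applied several tasks later and only on the run that created it. Give each directory its own mode, as below. In the `shell` step the key is written with the process umask before the permissions task runs and `server_name`, `key_dir` and `cert_dir` are interpolated unquoted into a command line; prefix the command with `umask 077;` and pass the templated values through `| quote` (or use `openssl_privatekey`/`x509_certificate` and drop the shell entirely). `command: a2ensite default-ssl` has no `creates:`, so it reports changed and fires `Reload apache` on every run; add `args: { creates: /etc/apache2/sites-enabled/default-ssl.conf }`.
```yaml
- name: Ensure SSL certificate directories exist
  file:
    path: "{{ item.path }}"
    state: directory
    mode: "{{ item.mode }}"
  loop:
    - { path: "{{ cert_dir }}", mode: '0755' }
    - { path: "{{ key_dir }}", mode: '0710' }
# … unchanged: remaining tasks …
```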
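--- /dev/null
+++ b/playbooks/sanjna_playbooks/apache_ssl2.yaml
@@ -0,0 +1,113 @@
+---
+- name: Install and configure Apache SSL server
+  hosts: all
+  become: yes
+  vars:
+    apache_port: "443"
+    server_name: "{{ server_name | default('example.com') }}"
+    ssl_cert_path: "/etc/ssl/certs/{{ server_name }}.crt"
+    ssl_key_path: "/etc/ssl/private/{{ server_name }}.key"
+
+  tasks:
+    # Step 1: Install Apache and SSL module
+    - name: Install Apache and SSL module
+      apt:
+        name:
+          - apache2
+          - ssl-cert
+          - ufw
+        state: present
+        update_cache: yes
+
+    # Step 2: Enable SSL module and default SSL site
+    - name: Enable SSL module
+      apache2_module:
+        name: ssl
+        state: present
+
+    - name: Enable default SSL site
+      apache2_site:
+        name: default-ssl
+        state: enabled
+
+    # Step 3: Create SSL directory for certificates
+    - name: Create SSL directory for certificates
+      file:
+        path: "/etc/ssl/private"
+        state: directory
+        mode: '0700'
+
+    # Step 4: Generate self-signed SSL certificate
+    - name: Generate self-signed SSL certificate
+      openssl_certificate:
+        path: "{{ ssl_cert_path }}"
+        privatekey_path: "{{ ssl_key_path }}"
+        common_name: "{{ server_name }}"
+        issuer: "Self-signed"
+        state: present
+        country_name: "US"
+        state_or_province_name: "California"
+        locality_name: "San Francisco"
+        organization_name: "Example Organization"
+        organizational_unit_name: "IT"
+        email_address: "[email protected]"
+        days: 365
+
+    # Step 5: Create custom SSL virtual host configuration
+    - name: Create custom SSL virtual host configuration
+      copy:
+        dest: "/etc/apache2/sites-available/{{ server_name }}-ssl.conf"
+        content: |
+          <VirtualHost *:443>
+            ServerAdmin webmaster@{{ server_name }}
+            ServerName {{ server_name }}
+
+            DocumentRoot /var/www/html
+
+            SSLEngine on
+            SSLCertificateFile {{ ssl_cert_path }}
+            SSLCertificateKeyFile {{ ssl_key_path }}
+
+            <Directory "/var/www/html">
+              Options Indexes FollowSymLinks
+              AllowOverride All
+              Require all granted
+            </Directory>
+
+            ErrorLog ${APACHE_LOG_DIR}/error.log
+            CustomLog ${APACHE_LOG_DIR}/access.log combined
+          </VirtualHost>
+        mode: '0644'
+      notify: Reload Apache
+
+    # Step 6: Enable the custom SSL site
+    - name: Enable the custom SSL site
+      apache2_site:
+        name: "{{ server_name }}-ssl"
+        state: enabled
+
+    # Step 7: Configure UFW firewall to allow HTTPS (port 443)
+    - name: Allow HTTPS through UFW
+      ufw:
+        rule: allow
+        port: "{{ apache_port }}"
+        proto: tcp
+
+    # Step 8: Ensure Apache is running and enabled
+    - name: Ensure Apache is running and enabled
+      service:
+        name: apache2
+        state: started
+        enabled: yes
+
+    - name: Wait for Apache to start
+      wait_for:
+        port: "{{ apache_port }}"
+        timeout: 30
+        state: started
+
+  handlers:
+    - name: Reload Apache
+      service:
+        name: apache2
+        state: reloaded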
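Review bot: The `Generate self-signed SSL certificate` task cannot succeed as written: `openssl_certificate` requires `provider: selfsigned`, nothing in the play creates the private key at `ssl_key_path`, and `common_name`, `issuer`, the subject fields (`country_name` … `email_address`) and `days` are not parameters of that module — the subject belongs in an `openssl_csr` task whose `csr_path` is fed to the certificate task, with validity expressed as `selfsigned_not_after`. The vars block also defines `server_name` in terms of itself (`"{{ server_name | default('example.com') }}"`), which Ansible rejects as a recursive template unless a higher-precedence `server_name` shadows it; put the default under a different name or pass the value with `-e`. In the vhost, `Options Indexes FollowSymLinks` together with `AllowOverride All` on `/var/www/html` turns on directory listings and lets any `.htaccess` under the document root override server policy; `Options -Indexes +FollowSymLinks` and `AllowOverride None` is the safer starting point for a new site. I could not find an `apache2_site` module in ansible-core or community.general — if no collection in the project's requirements supplies it, `command: a2ensite {{ server_name }}-ssl` with `creates: /etc/apache2/sites-enabled/{{ server_name }}-ssl.conf` does the same idempotently.
```yaml
- name: Generate private key for the self-signed certificate
  community.crypto.openssl_privatekey:
    path: "{{ ssl_key_path }}"
    mode: '0600'

- name: Generate CSR carrying the certificate subject
  community.crypto.openssl_csr:
    path: "/etc/ssl/private/{{ server_name }}.csr"
    privatekey_path: "{{ ssl_key_path }}"
    common_name: "{{ server_name }}"
    country_name: "US"
    organization_name: "Example Organization"

- name: Generate self-signed SSL certificate
  community.crypto.x509_certificate:
    path: "{{ ssl_cert_path }}"
    privatekey_path: "{{ ssl_key_path }}"
    csr_path: "/etc/ssl/private/{{ server_name }}.csr"
    provider: selfsigned
    selfsigned_not_after: "+365d"
# … unchanged: vhost configuration and remaining tasks …
```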
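--- /dev/null
+++ b/playbooks/sanjna_playbooks/db_management.yaml
@@ -0,0 +1,128 @@
+---
+- name: Install and configure PostgreSQL
+  hosts: all
+  become: yes
+  vars:
+    postgres_user: "postgres"
+    postgres_password: "postgres_password"
+    postgres_db: "example_db"
+    locale: "en_US.UTF-8"
+    postgres_locale: "en_US.utf8"
+
+  tasks:
+    # Step 1: Install sudo
+    - name: Install sudo
+      apt:
+        name: sudo
+        state: present
+        update_cache: yes
+
+    # Step 2: Install required locales
+    - name: Ensure required locales are present
+      apt:
+        name:
+          - locales
+          - locales-all
+        state: present
+
+    # Step 3: Generate required locale
+    - name: Generate en_US.UTF-8 locale
+      locale_gen:
+        name: "{{ locale }}"
+        state: present
+
+    # Step 4: Install psycopg2 library for PostgreSQL
+    - name: Install psycopg2 library for PostgreSQL
+      apt:
+        name: python3-psycopg2
+        state: present
+
+    # Step 5: Install PostgreSQL
+    - name: Install PostgreSQL
+      apt:
+        name: postgresql
+        state: present
+
+    # Step 6: Ensure PostgreSQL is running
+    - name: Ensure PostgreSQL is running
+      service:
+        name: postgresql
+        state: started
+        enabled: yes
+
+    # Step 7: Wait for PostgreSQL to be ready
+    - name: Wait for PostgreSQL to be ready
+      wait_for:
+        port: 5432
+        timeout: 30
+
+    # Step 8: Set PostgreSQL user password
+    - name: Set PostgreSQL user password
+      become_user: postgres
+      postgresql_user:
+        name: "{{ postgres_user }}"
+        password: "{{ postgres_password }}"
+        role_attr_flags: LOGIN,SUPERUSER
+
+    # Step 9: Create PostgreSQL database with correct locale
+    - name: Create PostgreSQL database
+      become_user: postgres
+      postgresql_db:
+        name: "{{ postgres_db }}"
+        owner: "{{ postgres_user }}"
+        encoding: UTF8
+        lc_collate: "{{ postgres_locale }}"
+        lc_ctype: "{{ postgres_locale }}"
+        template: template0
+        state: present
+
+    # Step 10: Configure PostgreSQL to listen on all interfaces
+    - name: Update postgresql.conf to listen on all interfaces
+      lineinfile:
+        path: /etc/postgresql/13/main/postgresql.conf
+        regexp: '^#?listen_addresses\s*='
+        line: "listen_addresses = '*'"
+      notify: Restart PostgreSQL
+
+    # Step 11: Allow remote connections in pg_hba.conf
+    - name: Update pg_hba.conf to allow remote connections
+      blockinfile:
+        path: /etc/postgresql/13/main/pg_hba.conf
+        block: |
+          # Allow remote connections
+          host all all 0.0.0.0/0 md5
+          host all all ::/0 md5
+      notify: Restart PostgreSQL
+
+    # Step 12: Install UFW (optional)
+    - name: Check if UFW is installed
+      command: which ufw
+      register: ufw_check
+      ignore_errors: yes
+      changed_when: false
+
+    # Step 13: Configure firewall if UFW is present
+    - name: Configure UFW for PostgreSQL
+      block:
+        - name: Install UFW
+          apt:
+            name: ufw
+            state: present
+          when: ufw_check.rc != 0
+
+        - name: Allow PostgreSQL through UFW
+          community.general.ufw:
+            rule: allow
+            port: 5432
+            proto: tcp
+          when: not ansible_virtualization_type in ['docker', 'container']
+      ignore_errors: yes
+
+  handlers:
+    - name: Restart PostgreSQL
+      service:
+        name: postgresql
+        state: restarted
+
+    - name: Reload locale
+      command: update-locale LANG={{ locale }}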
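Review bot: Steps 8, 10 and 11 together publish a `SUPERUSER` role (the `postgres` role itself) whose password is the literal `postgres_password` committed in `vars:`, reachable from `0.0.0.0/0` and `::/0` with `md5`, and step 13 opens 5432 to any source — that is an internet-facing superuser login guarded by a default value checked into the repository. Keep the password out of the tree (Ansible Vault, `-e`, or `lookup('env', …)`), create a separate application role with `LOGIN` only instead of giving `postgres_user` superuser, and scope `pg_hba.conf` to the real client network with `scram-sha-256`, e.g. `host {{ postgres_db }} {{ postgres_user }} <CLIENT_CIDR> scram-sha-256`, mirrored by `from_ip: <CLIENT_CIDR>` on the ufw rule. The `/etc/postgresql/13/main/` paths hard-code a major version; `lineinfile` and `blockinfile` fail when that directory is absent, so derive the cluster path from the installed version (for example by registering `pg_lsclusters -h` output) rather than pinning `13`. The `Reload locale` handler is never notified by any task, so `update-locale` never runs — either notify it from the `locale_gen` task or drop it.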