--- - hosts: all tasks: - name: Create a login user user: name: mirror # generated with python3 -c "from passlib.hash import sha512_crypt; import getpass; hash=sha512_crypt.using(rounds=5000).hash(getpass.getpass());print(hash)" password: ' fill with a sha512 hash for your password' groups: # Empty by default, here we give it some groups - wheel state: present become: true - name: Install EPEL yum: name="https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm" state=present become: true - name: Install packages yum: name="{{ item }}" state=present become: true with_items: - certbot - cockpit - createrepo_c - fail2ban - fail2ban-server - firewalld - git - iptables - nginx - openssh-server - vim - name: Install python-firewall package: name=python-firewall when: ansible_python_version|version_compare('3', '<') become: true - name: Install python3-firewall package: name=python3-firewall when: ansible_python_version|version_compare('3', '>=') become: true - name: Enable and start firewalld service service: name: firewalld state: started enabled: yes become: true - name: Allow HTTPS (nginx) firewalld: service: https permanent: true state: enabled become: true - name: Allow HTTP (nginx) firewalld: service: http permanent: true state: enabled become: true - name: Allow SSH access firewalld: service: ssh permanent: true state: enabled become: true - name: Allow Cockpit firewalld: service: cockpit permanent: true state: enabled become: true - name: Enable nginx service systemd: name: nginx enabled: yes state: started become: true - name: Enable Cockpit service become: true systemd: name: cockpit enabled: yes state: started - name: Enable sshd (openssh-server) service become: true systemd: name: sshd enabled: yes state: started - name: Enable fail2ban service become: true systemd: name: fail2ban enabled: yes state: started - name: Reload Firewall command: firewall-cmd --reload become: true - name: Update packages command: yum update -y become: true - name: Add certbot autorenewal become: true cron: name: "Certbot autorenew" user: "root" minute: "*" hour: "7" day: "19" month: "*" weekday: "*" job: "certbot-3 -q renew" - name: Install nginx config become: true copy: dest: /etc/nginx/nginx.conf mode: 0644 owner: root group: root content: | # For more information on configuration, see: # * Official English Documentation: http://nginx.org/en/docs/ # * Official Russian Documentation: http://nginx.org/ru/docs/ user nginx; worker_processes auto; error_log /var/log/nginx/error.log; pid /run/nginx.pid; # Load dynamic modules. See /usr/share/nginx/README.dynamic. include /usr/share/nginx/modules/*.conf; events { worker_connections 1024; } http{ server { listen 80; server_name server FQDN; root /var/www/; # Load configuration files for the default server block. include /etc/nginx/default.d/*.conf; location / { autoindex on; autoindex_exact_size off; } error_page 404 /404.html; location = /40x.html { } error_page 500 502 503 504 /50x.html; location = /50x.html { } } } - name: Create webserver directories become: true file: path: "{{ item }}" owner: root group: nginx mode: 0755 state: directory with_items: - /var/www/server_name/remix name/version/release/ - /var/www/server_name/remix name/ - /var/www/server_name/remix name/version/ - /var/www/server_name/remix name/version/release/ - /var/www/server_name/remix name/version/packages/ - /var/www/server_name/remix name/version/packages/source/ - /var/www/server_name/rewmix name/version/packages/x86_64/