diff --git a/docs/_Sidebar.md b/docs/_Sidebar.md
index 196459fcd..5286a3493 100644
--- a/docs/_Sidebar.md
+++ b/docs/_Sidebar.md
@@ -62,6 +62,7 @@
 - [Docker Registry](/roles/debian/docker_registry)
 - [Duplicity](/roles/debian/duplicity)
 - [Firewall Config](/roles/debian/firewall_config)
+ - [Fluent-bit](/roles/debian/fluent-bit)
 - [Frontail](/roles/debian/frontail)
 - [Gitlab](/roles/debian/gitlab)
 - [Gitlab Runner](/roles/debian/gitlab_runner)
diff --git a/docs/roles/aws/aws_ec2_with_eip.md b/docs/roles/aws/aws_ec2_with_eip.md
index 88fee112e..378720926 100644
--- a/docs/roles/aws/aws_ec2_with_eip.md
+++ b/docs/roles/aws/aws_ec2_with_eip.md
@@ -12,7 +12,7 @@ Creates a new EC2 instance at AWS with a static IP address.
 aws_ec2_with_eip:
 aws_profile: "{{ _aws_profile }}"
 region: "{{ _aws_region }}"
- hostname: "{{ _domain_name }}" # The hostname is used to check if the machine exists already.
+ hostname: "{{ _aws_resource_name }}" # The hostname is used to check if the machine exists already.
 force: false # Force a new EC2 machine to be created if a new AMI is packed.
 instance_type: t3.micro
 key_name: "{{ ce_provision.username }}@{{ ansible_hostname }}" # This needs to match your "provision" user SSH key.
@@ -37,6 +37,7 @@ aws_ec2_with_eip:
 root_volume_delete_on_termination: true
 ebs_optimized: true
 security_groups: [] # list of security group names, converted to IDs by aws_security_groups role
+ public_ip: true # usually this needs to be true for cloud-init to work
 tags:
 Name: "{{ _domain_name }}"
 # Add an A record tied to the EIP.
diff --git a/docs/roles/aws/aws_vpc.md b/docs/roles/aws/aws_vpc.md
index 57ef8041c..d9005630f 100644
--- a/docs/roles/aws/aws_vpc.md
+++ b/docs/roles/aws/aws_vpc.md
@@ -78,6 +78,7 @@ _common_security_groups:
 - 22
 cidr_ip: 0.0.0.0/0
 rule_desc: Allow all incoming tcp traffic on port 22.
+ rules_egress: []
 web_open:
 name: web_open
 description: Allow all incoming web traffic on ports 80 and 443.
@@ -88,6 +89,7 @@ _common_security_groups:
 - 443
 cidr_ip: 0.0.0.0/0
 rule_desc: Allow all incoming tcp traffic on ports 80 and 443.
+ rules_egress: []
 mailpit_open:
 name: mailpit_open
 description: Allow all incoming traffic on port 8025 for Mailpit.
@@ -97,6 +99,7 @@ _common_security_groups:
 - 8025
 cidr_ip: 0.0.0.0/0
 rule_desc: Allow all incoming tcp traffic on port 8025.
+ rules_egress: []
 ftp_open:
 name: ftp_open
 description: Allow all incoming traffic on ports 20 and 21 for FTP.
@@ -107,6 +110,7 @@ _common_security_groups:
 - 21
 cidr_ip: 0.0.0.0/0
 rule_desc: Allow all incoming tcp traffic on ports 20 and 21.
+ rules_egress: []
 sftp_open:
 name: sftp_open
 description: Allow all incoming traffic on ports 989 and 990 for sFTP.
@@ -117,6 +121,7 @@ _common_security_groups:
 - 990
 cidr_ip: 0.0.0.0/0
 rule_desc: Allow all incoming tcp traffic on ports 989 and 990.
+ rules_egress: []
 ossec:
 name: ossec
 description: Allow all incoming traffic on ports 1514 and 1515 for OSSEC.
@@ -127,6 +132,7 @@ _common_security_groups:
 - 1515
 cidr_ip: 0.0.0.0/0
 rule_desc: Allow all incoming udp traffic on ports 1514 and 1515.
+ rules_egress: []
 openvpn:
 name: openvpn
 description: Allow all incoming traffic on port 1194 for OpenVPN.
@@ -136,6 +142,7 @@ _common_security_groups:
 - 1194
 cidr_ip: 0.0.0.0/0
 rule_desc: Allow all incoming udp traffic on port 1194.
+ rules_egress: []
 ```
diff --git a/docs/roles/debian/apt_unattended_upgrades.md b/docs/roles/debian/apt_unattended_upgrades.md
index 3b6f93df0..da7390658 100644
--- a/docs/roles/debian/apt_unattended_upgrades.md
+++ b/docs/roles/debian/apt_unattended_upgrades.md
@@ -52,6 +52,7 @@ _apt_unattended_upgrades_default_origins:
 - "origin=Debian,codename=${distro_codename}-security,label=Debian-Security"
 apt_unattended_upgrades:
 enable: true
+ linotp: "false"
 # unattended-upgrades template vars.
 # booleans must be strings to avoid Jinja2 interpretting.
 origins: "{{ _apt_unattended_upgrades_default_origins }}"
diff --git a/docs/roles/debian/fluent-bit.md b/docs/roles/debian/fluent-bit.md
new file mode 100644
index 000000000..6a0ee2d3e
--- /dev/null
+++ b/docs/roles/debian/fluent-bit.md
@@ -0,0 +1,64 @@
+# Fluent-bit
+
+## Description
+
+Deploy [Fluent-bit](https://github.com/fluent/fluent-bit) using ansible.
+
+### Requirements
+
+Role expects to be provided with the following information:
+* `fluentbit_main_config` - the main Fluent-bit configuration
+
+### Example
+Minimum Fluent-bit config that will send a test log, filter it, and output to stdout.
+
+```yaml
+fluentbit_main_config:
+ service:
+ flush: 5
+ log_level: info
+
+parsers:
+ - name: json
+ format: json
+ time_key: time
+ time_format: '%d/%b/%Y:%H:%M:%S %z'
+
+ pipeline:
+ inputs:
+ - name: dummy
+ dummy: '{"endpoint":"localhost", "value":"something"}'
+ tag: dummy
+ filters:
+ - name: grep
+ match: '*'
+ logical_op: or
+ regex:
+ - value something
+ - value error
+ outputs:
+ - name: stdout
+
+```
+
+For more details on setting up the Fluent-bit config, refer to official documentation:
+https://docs.fluentbit.io/manual/installation/getting-started-with-fluent-bitexporter
+
+
+
+
+
+## Default variables
+```yaml
+---
+# Default variables for Fluent-bit role
+fluent_bit_repo_key_url: https://packages.fluentbit.io/fluentbit.key
+fluent_bit_key_location: /usr/share/keyrings/fluentbit-keyring.asc
+fluent_bit_apt_source: "deb [signed-by=/usr/share/keyrings/fluentbit-keyring.asc] https://packages.fluentbit.io/debian/{{ ansible_distribution_release }} {{ ansible_distribution_release }} main"
+fluent_bit_startup_command: /opt/fluent-bit/bin/fluent-bit -c /etc/fluent-bit/fluent-bit.yml
+
+fluent_bit_configuration: ""
+
+```
+
+
diff --git a/docs/roles/debian/gitlab.md b/docs/roles/debian/gitlab.md
index 3bc52c4ff..15ccbe900 100644
--- a/docs/roles/debian/gitlab.md
+++ b/docs/roles/debian/gitlab.md
@@ -109,6 +109,7 @@ gitlab:
 redirect_http_to_https: "true" # must be enabled if you're using LetsEncrypt above
 redirect_http_to_https_port: 80 # must be 80 if you're using LetsEncrypt above
 custom_nginx_config: "" # include extra config, for example "include /etc/nginx/conf.d/example.conf;"
+ block_removed_ldap_users_on_calendar: "*-*-* 02:30:00"
 ```
diff --git a/docs/roles/debian/nginx.md b/docs/roles/debian/nginx.md
index 1eb74e189..4828099e1 100644
--- a/docs/roles/debian/nginx.md
+++ b/docs/roles/debian/nginx.md
@@ -26,8 +26,8 @@ nginx:
 worker_connections: 768
 http:
 server_names_hash_bucket_size: 256
- access_log: /var/log/nginx-access.log
- error_log: /var/log/nginx-error.log
+ access_log: /var/log/nginx/nginx-access.log
+ error_log: /var/log/nginx/nginx-error.log
 ssl_protocols: "TLSv1.2 TLSv1.3"
 sendfile: "on"
 keepalive_timeout: 65
diff --git a/docs/roles/debian/php-fpm.md b/docs/roles/debian/php-fpm.md
index f32ff94b2..a2f458c19 100644
--- a/docs/roles/debian/php-fpm.md
+++ b/docs/roles/debian/php-fpm.md
@@ -2,6 +2,8 @@ Installs and configures the PHP-FPM flavour of FastCGI.
+Note, for legacy reasons this role sets up PHP-FPM to use TCP/IP instead of a Unix socket by default. However, we *recommend* you change this by setting `unix_socket: true` unless you really need to run PHP-FPM over TCP/IP, as a Unix socket is much faster. If you do, be sure to set the `pool_group` variable to match your web server user, or the web server will be unable to interact with PHP.
+
@@ -13,17 +15,17 @@ php:
 # see php-common for default version
 fpm:
 # FPM settings - official documentation is here: https://www.php.net/manual/en/install.fpm.configuration.php
- unix_socket: false # set to true to use a unix socket, you must also update nginx and cachetool if you do
+ unix_socket: false # set to true to use a unix socket, you must also update nginx and cachetool if you do
 server_ip: "127.0.0.1"
- tcp_port: "" # leave empty to automate port selection - port will be "90{{ version | replace('.','') }}" - e.g. 9081 for PHP 8.1
- pool_user: "{{ user_deploy.username }}"
- pool_group: "{{ user_deploy.username }}" # if using unix socket this should be the web server user
+ tcp_port: "" # leave empty to automate port selection - port will be "90{{ version | replace('.','') }}" - e.g. 9081 for PHP 8.1
+ pool_user: "{{ user_deploy.username }}" # this should always be the deploy user, usually deploy
+ pool_group: "{{ user_deploy.username }}" # if using unix socket this should be the web server user, often www-data
 pm: dynamic # can also be static, see https://tideways.com/profiler/blog/an-introduction-to-php-fpm-tuning
 default_socket_timeout: 60
 # It is important to scale up processes on bigger servers, so that more
 # requests can be handled. Double the number of vCPUs is a good default.
 # Can be between 5 and 64.
- max_children: "{{ [5, [(ansible_facts.ansible_processor_nproc | default(1)) * 2, 64] | min] | max }}" # Fallback in case ansible_processor_nproc is not gathered before tasks
+ max_children: "{{ [10, [(ansible_facts.ansible_processor_nproc | default(1)) * 2, 64] | min] | max }}" # Fallback in case ansible_processor_nproc is not gathered before tasks
 start_servers: 2
 min_spare_servers: 1
 max_spare_servers: 3
diff --git a/docs/roles/debian/user_ansible.md b/docs/roles/debian/user_ansible.md
index cccc424d5..692d53290 100644
--- a/docs/roles/debian/user_ansible.md
+++ b/docs/roles/debian/user_ansible.md
@@ -13,14 +13,15 @@ user_ansible:
 # This sets both username and main group.
 username: "{{ _user_ansible_username }}"
 home: "/home/{{ _user_ansible_username }}"
- create: true # if you know the user already exists, set this to false to not create the user.
+ create: true # if you know the user already exists, set this to false to not create the user.
 create_home: true
 update_password: "always"
+ system_user: true # creates a system user - see useradd --system docs
 # It is often desirable to fix POSIX IDs for system users so they are consistent across your fleet
 # This is shown for documentation, you should do this in your config repo
 # uid: 999
 # gid: 999
- sudo_config: {} # an empty dictionary will skip creating a sudo config
+ sudo_config: {} # an empty dictionary will skip creating a sudo config
 # Example sudo config allowing full sudo permissions - see the debian/sudo_config role for more details.
 # entity_name: "{{ _user_ansible_username }}"
 # hosts: "ALL"
diff --git a/roles/_meta/webserver/meta/main.yml b/roles/_meta/webserver/meta/main.yml
index ea92145d0..20e081f58 100644
--- a/roles/_meta/webserver/meta/main.yml
+++ b/roles/_meta/webserver/meta/main.yml
@@ -8,4 +8,5 @@ dependencies:
 - role: debian/nodejs
 - role: debian/php-cli
 - role: debian/php-fpm
+ - role: debian/php_composer
 - role: debian/nginx
diff --git a/roles/aws/aws_ec2_with_eip/README.md b/roles/aws/aws_ec2_with_eip/README.md
index 88fee112e..378720926 100644
--- a/roles/aws/aws_ec2_with_eip/README.md
+++ b/roles/aws/aws_ec2_with_eip/README.md
@@ -12,7 +12,7 @@ Creates a new EC2 instance at AWS with a static IP address.
 aws_ec2_with_eip:
 aws_profile: "{{ _aws_profile }}"
 region: "{{ _aws_region }}"
- hostname: "{{ _domain_name }}" # The hostname is used to check if the machine exists already.
+ hostname: "{{ _aws_resource_name }}" # The hostname is used to check if the machine exists already.
 force: false # Force a new EC2 machine to be created if a new AMI is packed.
 instance_type: t3.micro
 key_name: "{{ ce_provision.username }}@{{ ansible_hostname }}" # This needs to match your "provision" user SSH key.
@@ -37,6 +37,7 @@ aws_ec2_with_eip:
 root_volume_delete_on_termination: true
 ebs_optimized: true
 security_groups: [] # list of security group names, converted to IDs by aws_security_groups role
+ public_ip: true # usually this needs to be true for cloud-init to work
 tags:
 Name: "{{ _domain_name }}"
 # Add an A record tied to the EIP.
diff --git a/roles/aws/aws_vpc/README.md b/roles/aws/aws_vpc/README.md
index 57ef8041c..d9005630f 100644
--- a/roles/aws/aws_vpc/README.md
+++ b/roles/aws/aws_vpc/README.md
@@ -78,6 +78,7 @@ _common_security_groups:
 - 22
 cidr_ip: 0.0.0.0/0
 rule_desc: Allow all incoming tcp traffic on port 22.
+ rules_egress: []
 web_open:
 name: web_open
 description: Allow all incoming web traffic on ports 80 and 443.
@@ -88,6 +89,7 @@ _common_security_groups:
 - 443
 cidr_ip: 0.0.0.0/0
 rule_desc: Allow all incoming tcp traffic on ports 80 and 443.
+ rules_egress: []
 mailpit_open:
 name: mailpit_open
 description: Allow all incoming traffic on port 8025 for Mailpit.
@@ -97,6 +99,7 @@ _common_security_groups:
 - 8025
 cidr_ip: 0.0.0.0/0
 rule_desc: Allow all incoming tcp traffic on port 8025.
+ rules_egress: []
 ftp_open:
 name: ftp_open
 description: Allow all incoming traffic on ports 20 and 21 for FTP.
@@ -107,6 +110,7 @@ _common_security_groups:
 - 21
 cidr_ip: 0.0.0.0/0
 rule_desc: Allow all incoming tcp traffic on ports 20 and 21.
+ rules_egress: []
 sftp_open:
 name: sftp_open
 description: Allow all incoming traffic on ports 989 and 990 for sFTP.
@@ -117,6 +121,7 @@ _common_security_groups:
 - 990
 cidr_ip: 0.0.0.0/0
 rule_desc: Allow all incoming tcp traffic on ports 989 and 990.
+ rules_egress: []
 ossec:
 name: ossec
 description: Allow all incoming traffic on ports 1514 and 1515 for OSSEC.
@@ -127,6 +132,7 @@ _common_security_groups:
 - 1515
 cidr_ip: 0.0.0.0/0
 rule_desc: Allow all incoming udp traffic on ports 1514 and 1515.
+ rules_egress: []
 openvpn:
 name: openvpn
 description: Allow all incoming traffic on port 1194 for OpenVPN.
@@ -136,6 +142,7 @@ _common_security_groups:
 - 1194
 cidr_ip: 0.0.0.0/0
 rule_desc: Allow all incoming udp traffic on port 1194.
+ rules_egress: []
 ```
diff --git a/roles/debian/apt_unattended_upgrades/README.md b/roles/debian/apt_unattended_upgrades/README.md
index 3b6f93df0..da7390658 100644
--- a/roles/debian/apt_unattended_upgrades/README.md
+++ b/roles/debian/apt_unattended_upgrades/README.md
@@ -52,6 +52,7 @@ _apt_unattended_upgrades_default_origins:
 - "origin=Debian,codename=${distro_codename}-security,label=Debian-Security"
 apt_unattended_upgrades:
 enable: true
+ linotp: "false"
 # unattended-upgrades template vars.
 # booleans must be strings to avoid Jinja2 interpretting.
 origins: "{{ _apt_unattended_upgrades_default_origins }}"
diff --git a/roles/debian/fluent-bit/README.md b/roles/debian/fluent-bit/README.md
index 92e1f1846..6a0ee2d3e 100644
--- a/roles/debian/fluent-bit/README.md
+++ b/roles/debian/fluent-bit/README.md
@@ -52,15 +52,13 @@ https://docs.fluentbit.io/manual/installation/getting-started-with-fluent-bitexp
 ```yaml
 ---
 # Default variables for Fluent-bit role
-# Construct the download URL using the version variable.
 fluent_bit_repo_key_url: https://packages.fluentbit.io/fluentbit.key
 fluent_bit_key_location: /usr/share/keyrings/fluentbit-keyring.asc
 fluent_bit_apt_source: "deb [signed-by=/usr/share/keyrings/fluentbit-keyring.asc] https://packages.fluentbit.io/debian/{{ ansible_distribution_release }} {{ ansible_distribution_release }} main"
 fluent_bit_startup_command: /opt/fluent-bit/bin/fluent-bit -c /etc/fluent-bit/fluent-bit.yml
-# fluent-bit configuration
-fluentbit_main_config: {}
-# Example config
+fluent_bit_configuration: ""
+
 ```
diff --git a/roles/debian/gitlab/README.md b/roles/debian/gitlab/README.md
index 3bc52c4ff..15ccbe900 100644
--- a/roles/debian/gitlab/README.md
+++ b/roles/debian/gitlab/README.md
@@ -109,6 +109,7 @@ gitlab:
 redirect_http_to_https: "true" # must be enabled if you're using LetsEncrypt above
 redirect_http_to_https_port: 80 # must be 80 if you're using LetsEncrypt above
 custom_nginx_config: "" # include extra config, for example "include /etc/nginx/conf.d/example.conf;"
+ block_removed_ldap_users_on_calendar: "*-*-* 02:30:00"
 ```
diff --git a/roles/debian/nginx/README.md b/roles/debian/nginx/README.md
index 1eb74e189..4828099e1 100644
--- a/roles/debian/nginx/README.md
+++ b/roles/debian/nginx/README.md
@@ -26,8 +26,8 @@ nginx:
 worker_connections: 768
 http:
 server_names_hash_bucket_size: 256
- access_log: /var/log/nginx-access.log
- error_log: /var/log/nginx-error.log
+ access_log: /var/log/nginx/nginx-access.log
+ error_log: /var/log/nginx/nginx-error.log
 ssl_protocols: "TLSv1.2 TLSv1.3"
 sendfile: "on"
 keepalive_timeout: 65
diff --git a/roles/debian/nginx/templates/vhost_letsencrypt.j2 b/roles/debian/nginx/templates/vhost_letsencrypt.j2
index bef81f556..a5ec1b506 100644
--- a/roles/debian/nginx/templates/vhost_letsencrypt.j2
+++ b/roles/debian/nginx/templates/vhost_letsencrypt.j2
@@ -10,10 +10,10 @@ server {
 root /tmp;
 error_log {{ domain.error_log }} {{ domain.error_log_level }};
 access_log {{ domain.access_log }} {{ domain.access_log_format | default('main') }};
- # Proxy for certbot (LetsEncrypt)
 {% if domain.ssl.web_server | default('standalone') == 'standalone' %}
- location /.well-known/acme-challenge/ {
- proxy_pass http://127.0.0.1:{{ domain.ssl.http_01_port }}$request_uri;
- }
+ # Proxy for certbot (LetsEncrypt)
+ location /.well-known/acme-challenge/ {
+ proxy_pass http://127.0.0.1:{{ domain.ssl.http_01_port }}$request_uri;
+ }
 {% endif %}
 }
diff --git a/roles/debian/php-fpm/README.md b/roles/debian/php-fpm/README.md
index f32ff94b2..a2f458c19 100644
--- a/roles/debian/php-fpm/README.md
+++ b/roles/debian/php-fpm/README.md
@@ -2,6 +2,8 @@ Installs and configures the PHP-FPM flavour of FastCGI.
+Note, for legacy reasons this role sets up PHP-FPM to use TCP/IP instead of a Unix socket by default. However, we *recommend* you change this by setting `unix_socket: true` unless you really need to run PHP-FPM over TCP/IP, as a Unix socket is much faster. If you do, be sure to set the `pool_group` variable to match your web server user, or the web server will be unable to interact with PHP.
+
@@ -13,17 +15,17 @@ php:
 # see php-common for default version
 fpm:
 # FPM settings - official documentation is here: https://www.php.net/manual/en/install.fpm.configuration.php
- unix_socket: false # set to true to use a unix socket, you must also update nginx and cachetool if you do
+ unix_socket: false # set to true to use a unix socket, you must also update nginx and cachetool if you do
 server_ip: "127.0.0.1"
- tcp_port: "" # leave empty to automate port selection - port will be "90{{ version | replace('.','') }}" - e.g. 9081 for PHP 8.1
- pool_user: "{{ user_deploy.username }}"
- pool_group: "{{ user_deploy.username }}" # if using unix socket this should be the web server user
+ tcp_port: "" # leave empty to automate port selection - port will be "90{{ version | replace('.','') }}" - e.g. 9081 for PHP 8.1
+ pool_user: "{{ user_deploy.username }}" # this should always be the deploy user, usually deploy
+ pool_group: "{{ user_deploy.username }}" # if using unix socket this should be the web server user, often www-data
 pm: dynamic # can also be static, see https://tideways.com/profiler/blog/an-introduction-to-php-fpm-tuning
 default_socket_timeout: 60
 # It is important to scale up processes on bigger servers, so that more
 # requests can be handled. Double the number of vCPUs is a good default.
 # Can be between 5 and 64.
- max_children: "{{ [5, [(ansible_facts.ansible_processor_nproc | default(1)) * 2, 64] | min] | max }}" # Fallback in case ansible_processor_nproc is not gathered before tasks
+ max_children: "{{ [10, [(ansible_facts.ansible_processor_nproc | default(1)) * 2, 64] | min] | max }}" # Fallback in case ansible_processor_nproc is not gathered before tasks
 start_servers: 2
 min_spare_servers: 1
 max_spare_servers: 3
diff --git a/roles/debian/php-fpm/defaults/main.yml b/roles/debian/php-fpm/defaults/main.yml
index 7aec91483..e09869d9a 100644
--- a/roles/debian/php-fpm/defaults/main.yml
+++ b/roles/debian/php-fpm/defaults/main.yml
@@ -3,17 +3,17 @@ php:
 # see php-common for default version
 fpm:
 # FPM settings - official documentation is here: https://www.php.net/manual/en/install.fpm.configuration.php
- unix_socket: false # set to true to use a unix socket, you must also update nginx and cachetool if you do
+ unix_socket: false # set to true to use a unix socket, you must also update nginx and cachetool if you do
 server_ip: "127.0.0.1"
- tcp_port: "" # leave empty to automate port selection - port will be "90{{ version | replace('.','') }}" - e.g. 9081 for PHP 8.1
- pool_user: "{{ user_deploy.username }}"
- pool_group: "{{ user_deploy.username }}" # if using unix socket this should be the web server user
+ tcp_port: "" # leave empty to automate port selection - port will be "90{{ version | replace('.','') }}" - e.g. 9081 for PHP 8.1
+ pool_user: "{{ user_deploy.username }}" # this should always be the deploy user, usually deploy
+ pool_group: "{{ user_deploy.username }}" # if using unix socket this should be the web server user, often www-data
 pm: dynamic # can also be static, see https://tideways.com/profiler/blog/an-introduction-to-php-fpm-tuning
 default_socket_timeout: 60
 # It is important to scale up processes on bigger servers, so that more
 # requests can be handled. Double the number of vCPUs is a good default.
 # Can be between 5 and 64.
- max_children: "{{ [5, [(ansible_facts.ansible_processor_nproc | default(1)) * 2, 64] | min] | max }}" # Fallback in case ansible_processor_nproc is not gathered before tasks
+ max_children: "{{ [10, [(ansible_facts.ansible_processor_nproc | default(1)) * 2, 64] | min] | max }}" # Fallback in case ansible_processor_nproc is not gathered before tasks
 start_servers: 2
 min_spare_servers: 1
 max_spare_servers: 3
diff --git a/roles/debian/user_ansible/README.md b/roles/debian/user_ansible/README.md
index cccc424d5..692d53290 100644
--- a/roles/debian/user_ansible/README.md
+++ b/roles/debian/user_ansible/README.md
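Review bot: The comment `# Can be between 5 and 64.` immediately above `max_children` is now stale, because the rewritten expression `[10, [...] | min] | max` floors the value at 10; change it to `# Can be between 10 and 64.` (the identical hunks in roles/debian/php-fpm/README.md and docs/roles/debian/php-fpm.md carry the same stale comment). Separately, the lookup is written as `ansible_facts.ansible_processor_nproc`; as far as I can tell keys inside the `ansible_facts` dictionary do not carry the `ansible_` prefix (the key there is `processor_nproc`, the prefixed form is the top-level injected variable), so the lookup would always be undefined, `default(1)` would always win and every host would get `max_children: 10` regardless of core count, which defeats the scaling the surrounding comment promises. Worth confirming on a real host before merging, e.g. with `debug: var=ansible_facts.processor_nproc`, and then updating the trailing fallback comment to name whichever key is actually read. The enclosing `php:` mapping starts before the hunk.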
@@ -13,14 +13,15 @@ user_ansible:
 # This sets both username and main group.
 username: "{{ _user_ansible_username }}"
 home: "/home/{{ _user_ansible_username }}"
- create: true # if you know the user already exists, set this to false to not create the user.
+ create: true # if you know the user already exists, set this to false to not create the user.
 create_home: true
 update_password: "always"
+ system_user: true # creates a system user - see useradd --system docs
 # It is often desirable to fix POSIX IDs for system users so they are consistent across your fleet
 # This is shown for documentation, you should do this in your config repo
 # uid: 999
 # gid: 999
- sudo_config: {} # an empty dictionary will skip creating a sudo config
+ sudo_config: {} # an empty dictionary will skip creating a sudo config
 # Example sudo config allowing full sudo permissions - see the debian/sudo_config role for more details.
 # entity_name: "{{ _user_ansible_username }}"
 # hosts: "ALL"