# This should be some e-mail address where technical messages may go.
admin_email: "michik@michik.net"
# The idea here is, that this email address should exist for every host if
# the services-base.yml playbook has been run.
admin_email: "admins@{{ inventory_hostname }}"
# Please feel free to add your favorite software you need absolutely everywhere
# here. However, please do not leave too much stuff nobody else might use or
# stuff that could be handy for an attacker.
apt_essential_packages:
- vim
- htop
# This is all the stuff we neither need nor want on our computers.
apt_unwanted_packages:
......@@ -6,6 +6,7 @@
# configuration of the new machine.
[hetzner]
sso.c3heaven.de
beta.c3heaven.de
# Monitoring host
......@@ -3,7 +3,7 @@
# nginx (much simpler that way).
acmetool_cert_domains:
- "{{ ansible_fqdn }}"
- "{{ inventory_hostname }}"
# This is the production environment. To use the staging environment, please
# override for the host(s) in question with the following URL:
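Review bot: Switching the certificate name from `ansible_fqdn` to `inventory_hostname` makes the inventory entry a security-relevant contract that nothing in the hunk documents: the same value now names the ACME certificate here, the nginx HTTPS site (line 53) and the Postfix `myhostname` and TLS cert path (lines 122, 138-139), so a short or non-public inventory name would silently break issuance and leave the services without a matching certificate. I would add above the list `# inventory_hostname must be the host's public FQDN: it names the ACME cert, the nginx site and the Postfix TLS cert path`. The acmetool comment block continues outside the hunk.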
- name: install acmetool
apt:
package: acmetool
update_cache: yes
cache_valid_time: 3600
state: present
- name: create acmetool conf and webroot directories
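Review bot: `update_cache: yes` on line 36 is a YAML 1.1 truthy literal; yamllint's `truthy` rule flags it and it reads differently under 1.2-only parsers, so the idiomatic form is `update_cache: true`. The same spelling appears in the nginx install task (line 44) and the postfix install task (line 88); I would change all three together so the role files agree. Whether these lines are new or context is not recoverable from the rendered hunk.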
- name: install nginx
apt:
package: nginx
update_cache: yes
cache_valid_time: 3600
state: present
- name: enable nginx
......@@ -6,7 +6,7 @@ nginx_ssl_dhparam_bits: 4096
nginx_https_default_headers: null
nginx_https_sites:
- name: "{{ ansible_fqdn }}"
- name: "{{ inventory_hostname }}"
locations:
- location: "/"
config: |
......@@ -2,7 +2,6 @@
command: 'openssl dhparam -out "{{ nginx_ssl_dhparam }}" {{ nginx_ssl_dhparam_bits }}'
args:
creates: "{{ nginx_ssl_dhparam }}"
when: nginx_hmi_ssl_dhparam is not none
- name: configure the https sites
template:
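Review bot: If the dropped line in this hunk is the `when: nginx_hmi_ssl_dhparam is not none` guard (the header shows one deletion and the variable name matches nothing else on the page), the dhparam task now runs on every host whose `creates:` path is absent, which is correct but means a first run blocks on `openssl dhparam ... 4096` (bits from line 49) for several minutes with no output. A comment such as `# first run generates 4096-bit DH params; this can take many minutes` above the task would save the next operator a false alarm. The task's `- name:` line is outside the visible hunk.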
postfix_alias_maps:
- "hash:/etc/aliases"
postfix_virtual_alias_domains: []
postfix_virtual_alias_maps: []
postfix_mailbox_size_limit: 0
postfix_message_size_limit: 102400000
postfix_tls_high_cipherlist: "ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA"
postfix_smtpd_tls_mandatory_protocols: "TLSv1.2"
postfix_ssl_dhparam: "/etc/postfix/dh_2048.pem"
postfix_ssl_dhparam_bits: 2048
opendkim_enabled: false
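Review bot: `postfix_smtpd_tls_mandatory_protocols: "TLSv1.2"` uses Postfix's inclusion form, which enables only the protocols listed, so TLS 1.3 stays disabled on builds that support it; the Postfix documentation recommends the exclusion form `"!SSLv2, !SSLv3, !TLSv1, !TLSv1.1"` (or `">=TLSv1.2"` on 3.6+) precisely so newer versions are not locked out. Note also that this value, `smtpd_tls_mandatory_ciphers = high` and `postfix_tls_high_cipherlist` only take effect at security level `encrypt` or higher, and the template sets `may` (line 146). I would add a comment above the key stating which Postfix parameters the value feeds and that it is enforced only for mandatory TLS.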
- name: restart postfix
systemd:
name: postfix
state: restarted
- name: newaliases
command: newaliases
dependencies:
- acmetool
- name: install postfix
apt:
package: postfix
update_cache: yes
cache_valid_time: 3600
state: present
- name: create dh parameters
command: 'openssl dhparam -out "{{ postfix_ssl_dhparam }}" {{ postfix_ssl_dhparam_bits }}'
args:
creates: "{{ postfix_ssl_dhparam }}"
- name: configure postfix
template:
src: "main.cf.j2"
dest: "/etc/postfix/main.cf"
notify: restart postfix
- name: load user info
include_vars:
file: "files/users/users.yml"
name: "user_info"
- name: create aliases
template:
src: "aliases.j2"
dest: "/etc/aliases"
notify: newaliases
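Review bot: The `create aliases` task has no guard for the case where no entry in `user_info.users` has both `email_address` and a truthy `wants_admin_emails`; the template (line 111) then renders `admins:` with an empty right-hand side, which newaliases is likely to reject or ignore, leaving `root`, `postmaster`, `abuse` and `security` with no deliverable target and `admin_email` (line 8) bouncing. I would add an `assert` task before it, e.g. `that: "user_info.users | selectattr('email_address', 'defined') | selectattr('wants_admin_emails', 'defined') | selectattr('wants_admin_emails') | list | length > 0"`, with a `fail_msg` naming users.yml. The same filter chain followed by `map(attribute='email_address') | join(',')` would also replace the hand-rolled loop in the template.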
# {{ ansible_managed }}
# admin email addresses from git
admins: {% for user in user_info.users if 'email_address' in user and 'wants_admin_emails' in user and user['wants_admin_emails'] %}{{ user['email_address'] }}{{ "," if not loop.last else '' }}{% endfor %}
# rfc 2142 and other role addresses
abuse: admins
noc: admins
security: admins
postmaster: admins
webmaster: admins
root: admins
# {{ ansible_managed }}
biff = no
compatibility_level = 2
myhostname = {{ inventory_hostname }}
mydestination = localhost, $myhostname
alias_database = hash:/etc/aliases
alias_maps = {{ postfix_alias_maps|join(', ') }}
{% if postfix_virtual_alias_domains %}virtual_alias_domains = {{ postfix_virtual_alias_domains|join(', ') }}{% endif %}
{% if postfix_virtual_alias_maps %}virtual_alias_maps = {{ postfix_virtual_alias_maps|join(', ') }}{% endif %}
inet_interfaces = all
inet_protocols = ipv6, ipv4
mailbox_size_limit = {{ postfix_mailbox_size_limit }}
message_size_limit = {{ postfix_message_size_limit }}
{% if opendkim_enabled %}non_smtpd_milters = inet:localhost:11332{% endif %}
tls_high_cipherlist = {{ postfix_tls_high_cipherlist }}
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname loves ESMTP
smtpd_tls_cert_file=/var/lib/acme/live/{{ inventory_hostname }}/fullchain
smtpd_tls_key_file=/var/lib/acme/live/{{ inventory_hostname }}/privkey
smtpd_tls_dh1024_param_file = {{ postfix_ssl_dhparam }}
smtpd_tls_eecdh_grade = ultra
smtpd_tls_loglevel = 0
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = {{ postfix_smtpd_tls_mandatory_protocols }}
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls=yes
smtpd_helo_restrictions =
permit_mynetworks,
reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname
smtpd_sender_restrictions =
permit_mynetworks,
reject_non_fqdn_sender,
reject_unauth_pipelining
smtpd_relay_restrictions =
permit_mynetworks,
reject_unauth_pipelining,
reject_unauth_destination
smtpd_recipient_restrictions =
permit_mynetworks,
reject_unauth_pipelining
smtpd_data_restrictions =
permit_mynetworks,
reject_unauth_pipelining
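Review bot: With `smtpd_tls_security_level = may` (line 146) inbound TLS is opportunistic, and Postfix governs those sessions with `smtpd_tls_protocols` and `smtpd_tls_ciphers` (defaults: everything but SSLv2/SSLv3, "medium" ciphers); `smtpd_tls_mandatory_protocols` (line 144), `smtpd_tls_mandatory_ciphers = high` (line 143) and therefore `tls_high_cipherlist` (line 133) apply only at level `encrypt` or above, which this file never sets. The intended TLS 1.2 / high-cipher floor is thus not enforced for any inbound session; adding `smtpd_tls_protocols = {{ postfix_smtpd_tls_mandatory_protocols }}` and `smtpd_tls_ciphers = high` next to line 144 closes that gap (keep the outbound client side as is, since tightening `smtp_tls_protocols` under `may` only causes cleartext fallback). `smtp_use_tls` and `smtpd_use_tls` (lines 136, 148) are superseded by the `_security_level` settings and can be dropped.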
......@@ -8,3 +8,4 @@
- nginx-http
- acmetool
- nginx-https
- postfix