├── .gitignore ├── common ├── files │ ├── aliases.sh │ ├── gitconfig │ └── vimrc └── main.yml ├── composer.json ├── composer └── main.yml ├── dotdeb └── main.yml ├── duplicity ├── main.yml └── templates │ └── backup.sh.j2 ├── elasticsearch └── main.yml ├── fail2ban ├── files │ └── nginx-req-limit.conf ├── main.yml └── templates │ └── jail.local.j2 ├── jackrabbit └── main.yml ├── java └── main.yml ├── logwatch └── main.yml ├── lynis └── main.yml ├── memcached └── main.yml ├── mongodb └── main.yml ├── mysql ├── main.yml └── templates │ ├── my.cnf.j2 │ └── root │ └── my.cnf.j2 ├── newrelic └── main.yml ├── nginx ├── files │ ├── conf.d │ │ └── ssl.conf.j2 │ ├── scripts │ │ └── stopforumspam │ └── symfony2 ├── main.yml └── templates │ └── nginx.conf.j2 ├── nodejs └── main.yml ├── openssl └── main.yml ├── pecl ├── main.yml └── templates │ └── extension.ini.j2 ├── php5-cli └── main.yml ├── php5-fpm ├── files │ └── clear-opcode └── main.yml ├── php5-xcache └── main.yml ├── php5 ├── main.yml └── templates │ └── opcache.ini.j2 ├── postfix └── main.yml ├── redis └── main.yml ├── rkhunter └── main.yml ├── ssh └── main.yml ├── supervisor └── main.yml ├── twig-php ├── files │ └── twig.ini └── main.yml ├── ufw └── main.yml ├── unattended-upgrades ├── main.yml └── templates │ └── 10periodic.j2 └── varnish ├── files └── default.vcl └── main.yml /.gitignore: -------------------------------------------------------------------------------- 1 | tmp/ 2 | -------------------------------------------------------------------------------- /common/files/aliases.sh: -------------------------------------------------------------------------------- 1 | export LS_OPTIONS='--color=auto' 2 | eval "`dircolors`" 3 | alias ls='ls $LS_OPTIONS' 4 | alias ll='ls $LS_OPTIONS -l' 5 | alias l='ls $LS_OPTIONS -lA' 6 | -------------------------------------------------------------------------------- /common/files/gitconfig: -------------------------------------------------------------------------------- 1 | 
[core] 2 | editor = vim 3 | 4 | [color] 5 | branch = auto 6 | diff = auto 7 | interactive = auto 8 | status = auto 9 | 10 | [alias] 11 | br = branch 12 | ci = commit 13 | cl = clone 14 | co = checkout 15 | cp = cherry-pick 16 | dc = diff --cached 17 | diff = diff --color-words=. 18 | lg = log --color --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) 19 | st = status 20 | 21 | [status] 22 | showUntrackedFiles = all 23 | 24 | [help] 25 | autocorrect = 1 26 | -------------------------------------------------------------------------------- /common/files/vimrc: -------------------------------------------------------------------------------- 1 | syntax on 2 | 3 | set number 4 | set hlsearch 5 | set incsearch 6 | set smartcase 7 | set ignorecase 8 | 9 | set tabstop=4 shiftwidth=4 expandtab 10 | 11 | filetype plugin on 12 | filetype indent on 13 | -------------------------------------------------------------------------------- /common/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - hosts: all 3 | 4 | vars: 5 | timezone: UTC 6 | 7 | tasks: 8 | - name: common | install packages 9 | apt: pkg={{ item }} state=latest update_cache=yes 10 | with_items: 11 | - git 12 | - htop 13 | - vim 14 | - locales-all 15 | - python-pycurl 16 | - bash-completion 17 | - sudo 18 | - ntp 19 | - unzip 20 | tags: common 21 | 22 | - name: common | set hostname 23 | hostname: name={{ hostname }} 24 | when: hostname is defined 25 | tags: common 26 | 27 | - name: common | configure prompt 28 | lineinfile: dest=/etc/bash.bashrc regexp="^PS1=" line="PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '" backup=yes 29 | tags: common 30 | 31 | - name: common | copy bash config files 32 | copy: src=files/aliases.sh dest=/etc/profile.d/aliases.sh 33 | tags: common 34 | 35 | - name: common | set vim as default editor 36 | command: update-alternatives --set editor 
/usr/bin/vim.basic 37 | tags: common 38 | 39 | - name: common | configure vim 40 | copy: src=files/vimrc dest=/etc/vim/vimrc.local 41 | tags: common 42 | 43 | - name: common | configure git 44 | copy: src=files/gitconfig dest=/etc/gitconfig 45 | tags: common 46 | 47 | - name: common | configure timezone 48 | copy: content={{ timezone }} dest=/etc/timezone owner=root group=root mode=644 backup=yes 49 | notify: update timezone 50 | tags: common 51 | 52 | - name: common | configure localtime 53 | file: src=/usr/share/zoneinfo/{{ timezone }} dest=/etc/localtime owner=root group=root mode=644 state=link force=yes backup=yes 54 | tags: common 55 | 56 | handlers: 57 | - name: update timezone 58 | command: dpkg-reconfigure --frontend noninteractive tzdata 59 | -------------------------------------------------------------------------------- /composer.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "m4nu/ansible", 3 | "authors": [ 4 | { 5 | "name": "Emmanuel Vella", 6 | "email": "vella.emmanuel@gmail.com" 7 | } 8 | ], 9 | "require": { 10 | 11 | } 12 | } 13 | -------------------------------------------------------------------------------- /composer/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - hosts: web 3 | 4 | vars: 5 | path: /usr/bin/composer 6 | 7 | tasks: 8 | - name: composer | install 9 | get_url: url=http://getcomposer.org/composer.phar dest={{ path }} owner=root group=root mode=0755 # NOTE(review): composer.phar is fetched over plain http with no checksum or signature check, installed root-owned and then self-updated weekly as root by the cron task below; prefer https and verify the download before trusting it 10 | tags: composer 11 | 12 | - name: composer | install update cron 13 | cron: name="update composer" user="root" special_time="weekly" job="{{ path }} self-update --quiet" # NOTE(review): runs as root with output discarded, so a failed or tampered self-update is silent — confirm this is acceptable 14 | tags: composer 15 | -------------------------------------------------------------------------------- /dotdeb/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - hosts: all 3 | 4 | vars: 5 | php_version: 5.3 6 | 7 | pre_tasks: 8 | - name: dotdeb | 
install requirements 9 | apt: pkg=python-pycurl state=latest update_cache=yes 10 | tags: dotdeb 11 | 12 | tasks: 13 | - name: dotdeb | add main repository 14 | apt_repository: repo='{{ item }}' update_cache=yes # NOTE(review): repositories are added (with update_cache) before the "install key" task below has imported the signing key — consider ordering the key task first 15 | with_items: 16 | - deb http://packages.dotdeb.org wheezy all 17 | - deb-src http://packages.dotdeb.org wheezy all 18 | tags: dotdeb 19 | 20 | - name: dotdeb | add php 5.4 repository 21 | apt_repository: repo='{{ item }}' update_cache=yes 22 | with_items: 23 | - deb http://packages.dotdeb.org squeeze-php54 all 24 | - deb-src http://packages.dotdeb.org squeeze-php54 all 25 | when: php_version == 5.4 26 | tags: dotdeb 27 | 28 | - name: dotdeb | add php 5.5 repository 29 | apt_repository: repo='{{ item }}' update_cache=yes 30 | with_items: 31 | - deb http://packages.dotdeb.org wheezy-php55 all 32 | - deb-src http://packages.dotdeb.org wheezy-php55 all 33 | when: php_version == 5.5 34 | tags: dotdeb 35 | 36 | - name: dotdeb | install key 37 | apt_key: url=http://www.dotdeb.org/dotdeb.gpg # NOTE(review): the signing key is fetched over plain http with no id= fingerprint pin, so the trust anchor for every dotdeb package rests on an unauthenticated download; use https and pin the key id (as mongodb/main.yml does) 38 | tags: dotdeb 39 | -------------------------------------------------------------------------------- /duplicity/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - hosts: all 3 | 4 | vars: 5 | directories: [] 6 | mysql: false 7 | mongodb: false 8 | jackrabbit: false # NOTE(review): backup.sh.j2 on this page only handles mysql and mongodb; this flag appears unused — verify 9 | targets: [] 10 | tmp_dir: /var/backups 11 | executable: /usr/bin/backup 12 | full_time: 1W 13 | remove_time: 1M 14 | 15 | tasks: 16 | - name: duplicity | install 17 | apt: pkg={{ item }} state=latest update_cache=yes 18 | with_items: 19 | - duplicity 20 | - python-gobject-2 21 | tags: duplicity 22 | 23 | - name: duplicity | copy backup script 24 | template: src=templates/backup.sh.j2 dest={{ executable }} owner=root group=root mode=700 25 | tags: duplicity 26 | 27 | - name: duplicity | install cron 28 | cron: name="duplicity" user="root" minute="0" hour="6" job="nice -n 20 ionice -c3 {{ executable }} >> /var/log/duplicity.log" # NOTE(review): the log file is created by the shell redirect with root's default umask and may hold database names and backup target URLs — confirm its permissions 29 | tags: duplicity 30 | 
-------------------------------------------------------------------------------- /duplicity/templates/backup.sh.j2: -------------------------------------------------------------------------------- 1 | {% set tmp_dir = tmp_dir ~ '/duplicity' %} 2 | #!/bin/bash 3 | 4 | targets=({% for target in targets %}'{{ target }}' {% endfor %}) 5 | 6 | begin () { 7 | text=$1 8 | printf "\n--- $text ---\n" 9 | } 10 | 11 | backup () { 12 | src=$1 13 | dest=$2 14 | 15 | for target in "${targets[@]}" 16 | do 17 | url=$target/{{ ansible_fqdn }}/$dest 18 | duplicity --full-if-older-than {{ full_time }} --tempdir {{ tmp_dir }} --exclude '**cache/**' --exclude '**log/**' --exclude '**logs/**' --exclude '**tmp/**' --exclude '**.lock**' $src $url # NOTE(review): no encryption key, --no-encryption or PASSPHRASE handling is visible here; presumably supplied through the cron environment — verify, since the script cannot answer an interactive prompt 19 | duplicity remove-older-than {{ remove_time }} --force $url # NOTE(review): pruning runs even when the backup command above failed, because nothing checks its exit status and the script has no set -e 20 | done 21 | } 22 | 23 | mkdir -p {{ tmp_dir }} 24 | chmod 700 {{ tmp_dir }} 25 | 26 | {% if directories %} 27 | # Directories 28 | {% for directory in directories %} 29 | backup '{{ directory }}' '{{ directory }}' 30 | {% endfor %} 31 | {% endif %} 32 | 33 | {%- if mysql %} 34 | {% set dest = '/mysql' %} 35 | {% set src = tmp_dir ~ dest -%} 36 | 37 | begin MySQL 38 | mkdir -p {{ src }} 39 | databases=`mysql --user=root -e "SHOW DATABASES;" | grep -Ev "(Database|information_schema|performance_schema)"` # NOTE(review): relies on root credentials from /root/.my.cnf, which mysql/main.yml writes only when mysql_root_password is defined 40 | 41 | for db in $databases; do 42 | mysqldump -u root -h 127.0.0.1 --single-transaction --routines --triggers --events --ignore-table=mysql.event --add-drop-table --extended-insert --databases $db > "{{ src }}/$db.sql" 43 | done 44 | 45 | backup {{ src }} {{ dest }} 46 | {% endif %} 47 | 48 | {% if mongodb %} 49 | {% set dest = '/mongodb' %} 50 | {% set src = tmp_dir ~ dest -%} 51 | 52 | begin MongoDB 53 | mkdir -p {{ src }} 54 | mongodump --out {{ src }} 55 | 56 | backup {{ src }} {{ dest }} 57 | {% endif %} 58 | 59 | rm -rf {{ tmp_dir }} 60 | 61 | exit 0 # NOTE(review): an unconditional exit 0 hides every duplicity/mysqldump/mongodump failure from cron, so a broken backup goes unnoticed; propagate the worst exit status instead 62 | -------------------------------------------------------------------------------- /elasticsearch/main.yml: 
-------------------------------------------------------------------------------- 1 | --- 2 | - hosts: db 3 | 4 | vars: 5 | version: 1.7 6 | config: [] 7 | default_config: 8 | - { key: bootstrap.mlockall, value: "true" } # NOTE(review): no network.host entry is set here, so the bind address is left to the package default — confirm the node is not reachable beyond the db hosts 9 | 10 | tasks: 11 | - name: elasticsearch | add repository key 12 | apt_key: url=http://packages.elasticsearch.org/GPG-KEY-elasticsearch # NOTE(review): signing key fetched over plain http with no id= fingerprint pin; use https and pin the key id 13 | tags: elasticsearch 14 | 15 | - name: elasticsearch | add repository 16 | apt_repository: repo='deb http://packages.elastic.co/elasticsearch/{{ version }}/debian stable main' update_cache=yes 17 | tags: elasticsearch 18 | 19 | - name: elasticsearch | install 20 | apt: pkg=elasticsearch state=latest update_cache=yes 21 | tags: elasticsearch 22 | 23 | - name: elasticsearch | configure defaults 24 | lineinfile: dest=/etc/default/elasticsearch regexp="{{ item.key }}" line="{{ item.key }}={{ item.value }}" backup=yes 25 | with_items: 26 | - { key: ES_HEAP_SIZE, value: "{{ (ansible_memtotal_mb / 8) | int }}m" } 27 | - { key: MAX_LOCKED_MEMORY, value: unlimited } 28 | notify: restart elasticsearch 29 | tags: elasticsearch 30 | 31 | - name: elasticsearch | configure 32 | lineinfile: 'dest=/etc/elasticsearch/elasticsearch.yml regexp="{{ item.key }}" line="{{ item.key }}: {{ item.value }}" backup=yes' # NOTE(review): regexp is unanchored and the key's dots are regex wildcards, so it matches any line containing the key text (including a commented example) — consider anchoring with ^ 33 | with_flattened: 34 | - default_config 35 | - config 36 | notify: restart elasticsearch 37 | tags: elasticsearch 38 | 39 | - name: elasticsearch | ensure service is running 40 | service: name=elasticsearch state=started enabled=yes 41 | tags: elasticsearch 42 | 43 | handlers: 44 | - name: restart elasticsearch 45 | service: name=elasticsearch state=restarted 46 | -------------------------------------------------------------------------------- /fail2ban/files/nginx-req-limit.conf: -------------------------------------------------------------------------------- 1 | # Fail2Ban configuration file 2 | # 3 | # supports: ngx_http_limit_req_module module 4 | 5 | [Definition] 6 | 7 | failregex = limiting requests, excess:.* by 
zone.*client: 8 | 9 | # Option: ignoreregex 10 | # Notes.: regex to ignore. If this regex matches, the line is ignored. 11 | # Values: TEXT 12 | # 13 | ignoreregex = 14 | -------------------------------------------------------------------------------- /fail2ban/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - hosts: web 3 | 4 | vars: 5 | - tmp_jail: tmp/jail.conf 6 | 7 | tasks: 8 | - name: fail2ban | install 9 | apt: pkg=fail2ban state=latest update_cache=yes 10 | tags: fail2ban 11 | 12 | - name: fail2ban | ensure service is running 13 | service: name=fail2ban state=started 14 | tags: fail2ban 15 | 16 | - name: fail2ban | copy nginx config file 17 | copy: src=files/nginx-req-limit.conf dest=/etc/fail2ban/filter.d/nginx-req-limit.conf owner=root group=root mode=0644 18 | notify: reload fail2ban 19 | tags: fail2ban 20 | 21 | - name: fail2ban | prepare jail config file 22 | fetch: src=/etc/fail2ban/jail.conf dest={{ tmp_jail }} flat=yes 23 | tags: fail2ban 24 | 25 | - name: fail2ban | copy jail config file 26 | template: src=templates/jail.local.j2 dest=/etc/fail2ban/jail.local 27 | notify: reload fail2ban 28 | tags: fail2ban 29 | 30 | handlers: 31 | - name: reload fail2ban 32 | service: name=fail2ban state=reloaded 33 | -------------------------------------------------------------------------------- /fail2ban/templates/jail.local.j2: -------------------------------------------------------------------------------- 1 | {% include tmp_jail %} 2 | 3 | [nginx-req-limit] 4 | 5 | enabled = true 6 | filter = nginx-req-limit 7 | action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp] 8 | logpath = /var/log/nginx/*error.log 9 | findtime = 600 10 | bantime = 7200 11 | maxretry = 10 12 | -------------------------------------------------------------------------------- /jackrabbit/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - hosts: db 3 | 4 | 
vars: 5 | version: 2.9.0 6 | base_dir: /usr/bin/jackrabbit 7 | jar: "jackrabbit-standalone-{{ version }}.jar" 8 | path: "{{ base_dir }}/{{ jar }}" 9 | host: 127.0.0.1 10 | port: 8080 11 | log_path: /var/log/jackrabbit 12 | startup_script_path: /etc/init.d/jackrabbit 13 | 14 | tasks: 15 | - name: jackrabbit | download and install 16 | file: path={{ base_dir }} state=directory owner=root group=root mode=0755 17 | tags: jackrabbit 18 | 19 | - get_url: url=http://www.eu.apache.org/dist/jackrabbit/{{ version }}/{{ jar }} dest={{ path }} owner=root group=root mode=0755 # NOTE(review): the jar is downloaded over plain http with no checksum or signature verification and then run as a service; verify it against the published release checksum 20 | tags: jackrabbit 21 | 22 | - name: jackrabbit | create symlink 23 | file: src={{ path }} dest={{ base_dir }}/jackrabbit.jar owner=root group=root state=link 24 | tags: jackrabbit 25 | 26 | - name: jackrabbit | install startup script 27 | get_url: url=https://raw2.github.com/sixty-nine/Jackrabbit-startup-script/master/jackrabbit.sh dest={{ startup_script_path }} owner=root group=root mode=0755 # NOTE(review): an unpinned master-branch script from a third-party repository is installed into /etc/init.d and executed as root at boot; pin a specific commit and check a checksum, or vendor the script 28 | tags: jackrabbit 29 | 30 | - name: jackrabbit | install startup script dependencies 31 | apt: pkg=curl state=latest 32 | tags: jackrabbit 33 | 34 | - name: jackrabbit | create log path 35 | file: path={{ log_path }} state=directory 36 | tags: jackrabbit 37 | 38 | - name: jackrabbit | configure startup script 39 | lineinfile: dest={{ startup_script_path }} regexp="{{ item.regexp }}" line="{{ item.line }}" 40 | with_items: 41 | - { regexp: "^BASEDIR=", line: "BASEDIR={{ base_dir }}" } 42 | - { regexp: "^JACKRABBIT_JAR=", line: "JACKRABBIT_JAR=$BASEDIR/{{ jar }}" } 43 | - { regexp: "^JACKRABBIT_HOST=", line: "JACKRABBIT_HOST={{ host }}" } 44 | - { regexp: "^JACKRABBIT_PORT=", line: "JACKRABBIT_PORT={{ port }}" } 45 | - { regexp: "^LOGFILE=", line: "LOGFILE={{ log_path }}/jackrabbit.log" } 46 | tags: jackrabbit 47 | 48 | - name: jackrabbit | remove startup script jmx config 49 | lineinfile: dest={{ startup_script_path }} insertafter="^LOGFILE=" line="MANAGEMENT=" 50 | tags: jackrabbit 51 | 52 | post_tasks: 53 | 
- name: jackrabbit | ensure service is running 54 | service: name=jackrabbit state=started enabled=yes 55 | tags: jackrabbit 56 | -------------------------------------------------------------------------------- /java/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - hosts: db 3 | 4 | vars: 5 | version: 8 6 | 7 | tasks: 8 | - name: java | add repository 9 | apt_repository: repo="deb http://ppa.launchpad.net/webupd8team/java/ubuntu precise main" update_cache=yes # NOTE(review): an Ubuntu "precise" PPA is added while the other playbooks on this page target Debian wheezy — presumably intentional, but verify 10 | tags: java 11 | 12 | - name: java | install repository 13 | apt_key: id=EEA14886 keyserver=keyserver.ubuntu.com 14 | tags: java 15 | 16 | - name: java | accept license 17 | debconf: name="oracle-java7-installer" question="shared/accepted-oracle-license-v1-1" value="true" vtype="select" # NOTE(review): the license is accepted for oracle-java7-installer while the install task below uses oracle-java{{ version }}-installer with version: 8; the package name here should likely follow the version var 18 | tags: java 19 | 20 | - name: java | install 21 | apt: pkg=oracle-java{{ version }}-installer force=yes # NOTE(review): force=yes also accepts packages apt cannot authenticate — confirm it is actually needed here 22 | tags: java 23 | 24 | -------------------------------------------------------------------------------- /logwatch/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - hosts: all 3 | 4 | tasks: 5 | - name: logwatch | install 6 | apt: pkg=logwatch state=latest update_cache=yes 7 | tags: logwatch 8 | 9 | - name: logwatch | configure 10 | lineinfile: dest=/usr/share/logwatch/default.conf/logwatch.conf regexp="Format = " line="Format = html" backup=yes 11 | tags: logwatch 12 | -------------------------------------------------------------------------------- /lynis/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - hosts: all 3 | 4 | vars: 5 | version: 1.3.9 6 | directory: "lynis-{{ version }}" 7 | archive: "{{ directory }}.tar.gz" 8 | dest: /etc/lynis 9 | cron: false 10 | 11 | tasks: 12 | - name: lynis | download 13 | get_url: url=http://cisofy.com/files/{{ archive }} dest=/tmp # NOTE(review): the audit tool itself is fetched over plain http with no checksum and later runs as root from cron; use https and verify the archive before extracting it 14 | tags: lynis 15 | 16 | - name: lynis | extract 17 | command: tar zxf {{ archive 
}} chdir=/tmp creates={{ directory }} 18 | tags: lynis 19 | 20 | - name: lynis | install 21 | command: mv {{ directory }} {{ dest }} chdir=/tmp creates={{ dest }} 22 | tags: lynis 23 | 24 | - name: lynis | install cron job 25 | cron: name="lynis" user="root" special_time="daily" job="cd {{ dest }} && ./lynis -c --auditor "automated" --cronjob --quiet" # NOTE(review): the inner double quotes around automated sit inside a double-quoted key=value argument and are likely to break the parse; use single quotes for the inner value 26 | when: cron 27 | tags: lynis 28 | -------------------------------------------------------------------------------- /memcached/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - hosts: db 3 | 4 | tasks: 5 | - name: memcached | install 6 | apt: name=memcached state=latest update_cache=yes 7 | tags: memcached 8 | 9 | - name: memcached | ensure service is running 10 | service: name=memcached state=started # NOTE(review): no memcached.conf is managed here, so the listen address is the package default — confirm it stays loopback-only 11 | tags: memcached 12 | -------------------------------------------------------------------------------- /mongodb/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - hosts: db 3 | 4 | vars: 5 | version: 2.6 6 | old_version: "{{ version | version_compare('2.6', '<') }}" 7 | 8 | pre_tasks: 9 | - name: mongodb | install requirements 10 | apt: pkg=python-pycurl state=latest update_cache=yes 11 | tags: mongodb 12 | 13 | tasks: 14 | - name: mongodb | add repository 15 | apt_repository: repo='deb http://downloads-distro.mongodb.org/repo/debian-sysvinit dist 10gen' update_cache=yes 16 | tags: mongodb 17 | 18 | - name: mongodb | install key 19 | apt_key: id=7F0CEB10 url=http://docs.mongodb.org/10gen-gpg-key.asc 20 | tags: mongodb 21 | 22 | - name: mongodb | install 23 | apt: pkg=mongodb-{{ '10gen' if old_version | bool else 'org' }} state=latest update_cache=yes 24 | ignore_errors: true # NOTE(review): a failed install is silently ignored and the play continues to start the service; if this only guards a known transient error, say which, otherwise drop it 25 | tags: mongodb 26 | 27 | - name: mongodb | create db directory 28 | file: dest=/data/db state=directory owner=mongodb group=mongodb 29 | tags: mongodb 30 | 31 | - name: mongodb | ensure service is running 32 | service: name={{ 
'mongodb' if old_version | bool else 'mongod' }} state=started # NOTE(review): no mongod configuration (bind address, auth) is managed on this page — confirm the package defaults are acceptable for the db hosts 33 | tags: mongodb 34 | -------------------------------------------------------------------------------- /mysql/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - hosts: db 3 | 4 | vars: 5 | innodb_buffer_pool_size: 1G 6 | query_cache_type: 1 7 | query_cache_size: 128M 8 | max_connections: 151 9 | 10 | tasks: 11 | - name: mysql | install python-mysqldb 12 | apt: pkg=python-mysqldb state=latest update_cache=yes 13 | tags: mysql 14 | 15 | - name: mysql | install 16 | apt: pkg=mysql-server state=latest update_cache=yes 17 | tags: mysql 18 | 19 | - name: mysql | update root password for all root accounts from local servers 20 | mysql_user: name=root host={{ item }} password={{ mysql_root_password }} 21 | when: mysql_root_password is defined # NOTE(review): when the variable is undefined this task is skipped and the root accounts keep the package's initial (empty) password; consider failing the play instead of silently skipping 22 | with_items: 23 | - $ansible_hostname # NOTE(review): legacy $var syntax; with the {{ }} form used elsewhere on this page this would be {{ ansible_hostname }}, otherwise newer Ansible treats it as a literal host name 24 | - 127.0.0.1 25 | - ::1 26 | - localhost 27 | tags: mysql 28 | 29 | - name: mysql | copy .my.cnf file with root password credentials 30 | template: src=templates/root/my.cnf.j2 dest=/root/.my.cnf owner=root mode=0600 31 | when: mysql_root_password is defined 32 | tags: mysql 33 | 34 | - name: mysql | ensure anonymous users are not in the database 35 | mysql_user: name='' host={{ item }} state=absent 36 | with_items: 37 | - localhost 38 | - $inventory_hostname # NOTE(review): same legacy $var syntax as above; if it is not expanded, the anonymous account for the real host name is never removed 39 | tags: mysql 40 | 41 | - name: mysql | remove the test database 42 | mysql_db: name=test state=absent 43 | tags: mysql 44 | 45 | - name: mysql | copy my.cnf config file 46 | template: src=templates/my.cnf.j2 dest=/etc/mysql/conf.d/my.cnf owner=root mode=644 47 | notify: restart mysql 48 | tags: mysql 49 | 50 | - name: mysql | ensure service is running 51 | service: name=mysql state=started 52 | tags: mysql 53 | 54 | - name: mysql | install optimize cron 55 | cron: name="mysql optimize" user="root" special_time="weekly" job="mysqloptimize --all-databases > /dev/null" 56 | tags: 57 | - crontab 58 | - mysql 59 | 60 | 
handlers: 61 | - name: restart mysql 62 | service: name=mysql state=restarted 63 | -------------------------------------------------------------------------------- /mysql/templates/my.cnf.j2: -------------------------------------------------------------------------------- 1 | [mysqld] 2 | innodb_buffer_pool_size = {{ innodb_buffer_pool_size }} 3 | query_cache_type = {{ query_cache_type }} 4 | query_cache_size = {{ query_cache_size }} 5 | max_connections = {{ max_connections }} 6 | -------------------------------------------------------------------------------- /mysql/templates/root/my.cnf.j2: -------------------------------------------------------------------------------- 1 | [client] 2 | user=root 3 | password={{ mysql_root_password }} 4 | -------------------------------------------------------------------------------- /newrelic/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - hosts: web 3 | 4 | vars: 5 | appname: "{{ ansible_fqdn }}" 6 | 7 | pre_tasks: 8 | - name: newrelic | install requirements 9 | apt: pkg=python-pycurl state=latest update_cache=yes 10 | tags: newrelic 11 | 12 | tasks: 13 | - name: newrelic | add repository key 14 | apt_key: url=https://download.newrelic.com/548C16BF.gpg 15 | tags: newrelic 16 | 17 | - name: newrelic | add repository 18 | apt_repository: repo='deb http://apt.newrelic.com/debian/ newrelic non-free' update_cache=yes 19 | tags: newrelic 20 | 21 | - name: newrelic | install 22 | apt: pkg=newrelic-php5 state=latest update_cache=yes 23 | tags: 24 | - newrelic 25 | - php5 26 | 27 | - name: newrelic | configure appname 28 | lineinfile: dest=/etc/php5/mods-available/newrelic.ini regexp="newrelic.appname = " line='newrelic.appname = "{{ appname }}"' backup=yes 29 | tags: newrelic 30 | 31 | - name: newrelic | configure license 32 | lineinfile: dest=/etc/php5/mods-available/newrelic.ini regexp="newrelic.license = " line='newrelic.license = "{{ newrelic_license }}"' backup=yes 33 | 
when: newrelic_license is defined 34 | tags: newrelic 35 | 36 | - name: newrelic | install server monitor 37 | apt: pkg=newrelic-sysmond state=latest update_cache=yes 38 | tags: 39 | - newrelic 40 | - php5 41 | 42 | - name: newrelic | configure server monitor license 43 | lineinfile: dest=/etc/newrelic/nrsysmond.cfg regexp="^license_key=" line="license_key={{ newrelic_license }}" backup=yes # NOTE(review): backup=yes leaves dated copies of nrsysmond.cfg containing the license key beside the original — confirm their permissions match the original's 44 | when: newrelic_license is defined 45 | tags: newrelic 46 | 47 | - name: newrelic | ensure server monitor is running 48 | service: name=newrelic-sysmond state=started 49 | tags: newrelic 50 | -------------------------------------------------------------------------------- /nginx/files/conf.d/ssl.conf.j2: -------------------------------------------------------------------------------- 1 | ssl_certificate /etc/nginx/conf/ssl-unified.crt; 2 | ssl_certificate_key /etc/nginx/conf/ssl.key; # NOTE(review): the key file is not managed by any task on this page — confirm it is root-owned and not world-readable 3 | ssl_session_timeout 10m; 4 | ssl_session_cache shared:SSL:20m; 5 | 6 | ssl_dhparam {{ ssl_forward_secrecy_key_path }}; 7 | 8 | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # NOTE(review): TLSv1 and TLSv1.1 are deprecated; unless a known legacy client needs them, restrict to TLSv1.2 9 | ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"; # NOTE(review): the list still admits the 3DES suite DES-CBC3-SHA and the CAMELLIA family as fallbacks; drop them unless a legacy client requires them 10 | ssl_prefer_server_ciphers on; 11 | 12 | ssl_stapling on; 13 | ssl_stapling_verify on; 14 | ssl_trusted_certificate /etc/nginx/conf/trusted.pem; 15 | 16 | resolver 8.8.4.4 8.8.8.8 valid=300s; # NOTE(review): OCSP stapling lookups go to public resolvers over plain DNS; a local resolver removes the external dependency 17 | 
resolver_timeout 10s; 18 | -------------------------------------------------------------------------------- /nginx/files/scripts/stopforumspam: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Block IPs based upon stopforumspam.com's block list. 3 | # Brett Profitt 4 | # Released under the GPL 3.0. 5 | # 6 | # ------------------------------------------------------------------------- 7 | # Bits of this file inspired by: 8 | # 9 | # Copyright (c) 2008 nixCraft project 10 | # This script is licensed under GNU GPL version 2.0 or above 11 | # ------------------------------------------------------------------------- 12 | # tmp file (NOTE(review): a fixed /tmp prefix plus $$ is predictable on a shared /tmp; mktemp -d would be safer) 13 | DIR="/tmp/stopforumspam.$$" 14 | ZIP_FILE="$DIR/ips.zip" 15 | 16 | # nginx config file - path to nginx drop conf file 17 | OUT="/etc/nginx/conf.d/stopforumspam.conf" 18 | 19 | URL='http://www.stopforumspam.com/downloads/bannedips.zip' 20 | 21 | # remove old file (NOTE(review): rm -f without -r cannot remove a directory, so this is a no-op; a leftover $DIR is unlikely because of $$, but mkdir below would then fail) 22 | [[ -d $DIR ]] && /bin/rm -f $DIR 23 | 24 | # empty nginx deny file (NOTE(review): $OUT is truncated before the download is known to have succeeded, so a failed fetch leaves nginx with an empty deny list after the reload below) 25 | >$OUT 26 | 27 | mkdir $DIR 28 | cd $DIR 29 | 30 | # get database (NOTE(review): plain http with no integrity check, and no exit-status check; the script has no set -e, so a failed wget or unzip still proceeds to rewrite $OUT and reload nginx — prefer https and abort on failure before touching $OUT) 31 | /usr/bin/wget --output-document=$ZIP_FILE "$URL" 32 | 33 | unzip $ZIP_FILE 34 | 35 | # format in nginx deny netblock; format 36 | # this includes 255.255.255.255, which nginx doesn't like, so 37 | # we need to parse that out (NOTE(review): [0-9.]* also matches the empty string, so any non-numeric text in the CSV passes through into $OUT unchanged; filter to well-formed IPv4 entries before writing a file nginx will load as configuration) 38 | cat bannedips.csv | sed 's/255\.255\.255\.255,//g' | sed -E 's/([0-9.]*),?/deny \1;\n/g' >>$OUT 39 | 40 | # reload nginx 41 | /bin/sync && /usr/sbin/nginx -s reload 42 | 43 | rm -rf $DIR 44 | -------------------------------------------------------------------------------- /nginx/files/symfony2: -------------------------------------------------------------------------------- 1 | if (-f $document_root/maintenance.html) { 2 | return 503; 3 | } 4 | 5 | error_page 503 @maintenance; 6 | location @maintenance { 7 | rewrite ^(.*)$ /maintenance.html last; 8 | break; 9 | } 10 | 11 | rewrite ^/app\.php/?(.*)$ /$1 permanent; 12 | 13 | location / { 14 | try_files $uri 
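@rewriteapp;
}

location @rewriteapp {
    rewrite ^(.*)$ /app.php/$1 last;
}

# Front controller(s) handed to PHP-FPM. In production only app.php:
# app_dev.php (debug toolbar, profiler, full stack traces) and config.php
# (environment report) are enabled on Vagrant boxes only. Anything not
# matched here falls through to "location /", whose try_files would serve
# a .php file as a static download (source disclosure), hence the catch-all
# 404 for *.php at the end of this file.
location ~ ^/(app{% if vagrant is defined %}|app_dev|config{% endif %})\.php(/|$) {
    include fastcgi_params;

    fastcgi_pass unix:/var/run/php5-fpm.sock;
    # PATH_INFO splitting is safe here: the regex above already pins the
    # script name to the front controller(s).
    fastcgi_split_path_info ^(.+\.php)(/.*)$;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param HTTPS $https;

    fastcgi_buffer_size 128k;
    fastcgi_buffers 4 256k;
    fastcgi_busy_buffers_size 256k;

    proxy_buffer_size 128k;
    proxy_buffers 4 256k;
    proxy_busy_buffers_size 256k;

    # Zones are declared in templates/nginx.conf.j2.
    limit_conn conn_limit_per_ip {{ limit_per_ip }};
    limit_req zone=req_limit_per_ip burst={{ limit_per_ip * 2 }} nodelay;
}

location ~ ^/media {
    try_files $uri @rewriteapp;

    add_header Cache-Control "public";
    expires max;
    access_log /dev/null;
}

location ~* \.(jpg|jpeg|gif|png|svg|css|js|ico|ttf|otf|woff|mp3)$ {
    try_files $uri @rewriteapp;

    expires max;
    access_log /dev/null;
}

# Any other PHP file (a stray app_dev.php on production, uploads, vendored
# test scripts) is neither executed nor served as source.
location ~ \.php(/|$) {
    return 404;
}
--------------------------------------------------------------------------------
/nginx/main.yml:
--------------------------------------------------------------------------------
---
- hosts: web
  vars:
    ssl: false
    ssl_forward_secrecy_key_path: /etc/nginx/conf/dhparam.pem
    ssl_forward_secrecy_key_length: 2048
    upload_max_file_size: 2M
    large_client_header_buffers: 4 8k
    user: www-data
    vhosts: []
    limit_per_ip: 5

  tasks:
    # The signing key is installed before the repository is added, and over
    # HTTPS: with the previous plain-HTTP download an on-path attacker could
    # substitute the key and then serve a trojaned nginx through the
    # (plain-HTTP) package repository.
    - name: nginx | install repository key
      apt_key: url=https://nginx.org/keys/nginx_signing.key
      tags: nginx

    # Package URLs stay http://: apt verifies indexes and packages against
    # the key above, and apt-transport-https is not installed by this play.
    - name: nginx | add main repository
      apt_repository: repo='{{ item }}' update_cache=yes
      with_items:
        - deb http://nginx.org/packages/mainline/debian/ {{ ansible_distribution_release }} nginx
        - deb-src http://nginx.org/packages/mainline/debian/ {{ ansible_distribution_release }} nginx
      tags: nginx

    - name: nginx | install
      apt: pkg=nginx state=latest update_cache=yes
      tags: nginx

    - name: nginx | copy config file
      template: src=templates/nginx.conf.j2 dest=/etc/nginx/nginx.conf owner=root group=root mode=0644
      notify: reload nginx
      tags: nginx

    - name: nginx | install openssl
      apt: pkg=openssl state=latest update_cache=yes
      when: ssl
      tags: nginx

    # Generated once (creates=) because a 2048-bit group takes minutes; the
    # path is used by files/conf.d/ssl.conf.j2 as ssl_dhparam.
    - name: nginx | generate ssl forward secrecy key
      command: openssl dhparam -out {{ ssl_forward_secrecy_key_path }} {{ ssl_forward_secrecy_key_length }} creates={{ ssl_forward_secrecy_key_path }}
      when: ssl
      tags: nginx

    - name: nginx | check ssl forward secrecy key
      file: path={{ ssl_forward_secrecy_key_path }} owner=root group=root mode=0600
      when: ssl
      tags: nginx

    - name: nginx | copy ssl config file
      template: src=files/conf.d/ssl.conf.j2 dest=/etc/nginx/conf.d/ssl.conf owner=root group=root mode=0644
      when: ssl
      notify: reload nginx
      tags: nginx

    - name: nginx | copy config files
      template: src={{ item }} dest=/etc/nginx/conf.d/ owner=root group=root mode=0644
      with_fileglob:
        - "{{ config_dir }}/*"
      notify: reload nginx
      tags: nginx

    # Owned by root, not www-data: root's cron runs the scripts in here (see
    # below). Write access on the directory would let a compromised web
    # worker replace a script and run arbitrary commands as root, whatever
    # the ownership of the file itself.
    - name: nginx | create scripts directory
      file: dest=/etc/nginx/scripts owner=root group=root mode=0755 state=directory
      tags: nginx

    - name: nginx | copy scripts files
      template: src={{ item }} dest=/etc/nginx/scripts/ owner=root group=root mode=0755
      with_fileglob:
        - "files/scripts/*"
      tags: nginx

    - name: nginx | refresh stopforumspam deny list
      cron: name="refresh stopspamforum" user="root" hour="0,8,16" minute="0" job="/etc/nginx/scripts/stopforumspam > /dev/null"
      tags:
        - nginx
        - crontab

    - name: nginx | disable default virtual host
      file: dest=/etc/nginx/sites-enabled/default state=absent
      notify: reload nginx
      tags:
        - nginx
        - vhost

    - name: nginx | copy virtual host
      template: src={{ vhosts_dir }}/{{ item.src }} dest=/etc/nginx/sites-available/{{ item.dest }} owner=root group=root mode=0644
      with_items: vhosts
      notify: reload nginx
      tags:
        - nginx
        - vhost

    - name: nginx | enable virtual host
      file: src=../sites-available/{{ item.dest }} dest=/etc/nginx/sites-enabled/{{ item.dest }} owner=root group=root state=link force=yes
      with_items: vhosts
      notify: reload nginx
      tags:
        - nginx
        - vhost

    # files/symfony2 contains Jinja expressions ({{ limit_per_ip }} and a
    # vagrant guard); copying it verbatim (as before) leaves literal "{{"
    # in the nginx config, so it must be rendered with template.
    - name: nginx | copy symfony2 config file
      template: src=files/symfony2 dest=/etc/nginx/symfony2 owner=root group=root mode=0644
      notify: reload nginx
      tags: nginx

    # Document root writable by the web user: convenient for deploys, but a
    # compromised PHP process can then rewrite the application's own code.
    - name: nginx | create /var/www directory
      file: dest=/var/www owner=www-data group=www-data state=directory
      tags: nginx

    # Idempotent equivalent of "chsh -s /bin/bash www-data". A login shell
    # on the web user is only needed for su/ssh-as-www-data deploy flows;
    # it is not required by the sudo rule below.
    - name: nginx | use bash for www-data
      user: name=www-data shell=/bin/bash
      tags: nginx

    # Single fixed command (a sudoers entry without an argument list still
    # accepts any arguments, which the script ignores). The target is
    # installed root:root 0755 by php5-fpm/main.yml and must stay
    # unwritable by www-data for this rule to be safe.
    - name: nginx | allow www-data to clear opcode
      lineinfile: "dest=/etc/sudoers state=present regexp='^www-data ALL=' line='www-data ALL= NOPASSWD: /etc/init.d/clear-opcode' validate='visudo -cf %s'"
      tags: nginx

    - name: nginx | ensure service is running
      service: name=nginx state=started
      tags: nginx

  handlers:
    - name: reload nginx
      service: name=nginx state=reloaded
--------------------------------------------------------------------------------
/nginx/templates/nginx.conf.j2:
--------------------------------------------------------------------------------
# Rendered by nginx/main.yml. On Vagrant boxes the workers run as "vagrant"
# (so the synced folder stays writable); elsewhere as the configured user.
user {% if vagrant is defined %}vagrant{% else %}{{ user }}{% endif %};
worker_processes auto;
pid /run/nginx.pid;

events {
    worker_connections 768;
    # multi_accept on;
}

http {
    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # Hide the nginx version in the Server header and on error pages.
    server_tokens off;
    # Upload ceiling; php5-fpm/main.yml sets upload_max_filesize and
    # post_max_size from the same variable.
    client_max_body_size {{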
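upload_max_file_size }};
    large_client_header_buffers {{ large_client_header_buffers }};

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##
    # NOTE(review): compressing dynamic responses over TLS makes them
    # measurable by BREACH-style attacks when they reflect request data next
    # to secrets such as CSRF tokens; text/html (always compressed by nginx)
    # and application/json below are in scope. Confirm this is acceptable.

    gzip on;
    gzip_disable "msie6";

    gzip_vary off;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Limit per IP
    ##
    # Zones consumed by files/symfony2 on the front-controller location.
    # Keyed on the peer address: behind a proxy (varnish on this host, OVH
    # proxies) every client shares the proxy's bucket.

    limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
    limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate={{ limit_per_ip }}r/s;

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}
--------------------------------------------------------------------------------
/nodejs/main.yml:
--------------------------------------------------------------------------------
---
- hosts: web

  vars:
    node_version: "0.10.24"
    # Expected SHA-256 of node_tarball (from SHASUMS256.txt on nodejs.org/dist).
    # Empty disables the check; the tarball is then compiled and "make
    # install"ed as root on the strength of the TLS connection alone.
    node_sha256: ""
    node_prefix: "node-v{{ node_version }}"
    node_tarball: "{{ node_prefix }}.tar.gz"
    node_path: "/usr/local"
    packages: []

  tasks:
    # rc 0: wanted version already installed; rc 1: missing or different.
    - name: nodejs | check installation
      shell: /usr/bin/test "$(node -v 2> /dev/null)" = v{{ node_version }}
      register: wanted_version_installed
      ignore_errors: true
      tags: nodejs

    - name: nodejs | install prerequisite
      apt: pkg={{ item }} update_cache=yes
      with_items:
        - make
        - gcc
        - g++
      when: wanted_version_installed.rc == 1
      tags: nodejs

    # HTTPS (the previous URL was http://) plus the optional checksum above.
    - name: nodejs | download
      get_url: url=https://nodejs.org/dist/v{{ node_version }}/{{ node_tarball }} dest=/tmp/ sha256sum={{ node_sha256 }}
      when: wanted_version_installed.rc == 1
      tags: nodejs

    - name: nodejs | extract
      command: tar zxf {{ node_tarball }} chdir=/tmp
      when: wanted_version_installed.rc == 1
      tags: nodejs

    - name: nodejs | configure
      shell: python ./configure --prefix={{ node_path }} chdir=/tmp/{{ node_prefix }}
      when: wanted_version_installed.rc == 1
      tags: nodejs

    - name: nodejs | compile
      shell: make chdir=/tmp/{{ node_prefix }}/
      when: wanted_version_installed.rc == 1
      tags: nodejs

    - name: nodejs | install
      shell: make install chdir=/tmp/{{ node_prefix }}/
      when: wanted_version_installed.rc == 1
      tags: nodejs

    - name: nodejs | add NODE_PATH environment variable
      lineinfile: dest=/etc/environment regexp='^export NODE_PATH=' line='export NODE_PATH=/usr/local/lib/node_modules'
      tags: nodejs

    # Global npm packages are fetched from the registry at run time and are
    # unpinned unless given as name@version in the inventory.
    - name: nodejs | install packages
      npm: name={{ item }} global=yes
      with_items: packages
      tags: nodejs
--------------------------------------------------------------------------------
/openssl/main.yml:
--------------------------------------------------------------------------------
---
- hosts: web

  vars:
    name: default
    user: root
    group: "{{ user }}"
    directory: "/etc/openssl/{{ name }}"
    # RSA modulus size. The previous default of 512 bits is factorable in
    # hours on commodity hardware and is refused by modern OpenSSL builds;
    # 2048 is the accepted minimum.
    key_size: 2048
    private_key: private.pem
    public_key: public.pem
    private_key_path: "{{ directory }}/{{ private_key }}"
    public_key_path: "{{ directory }}/{{ public_key }}"

  tasks:
    - name: openssl | install
      apt: pkg=openssl state=latest
      tags: openssl

    - name: openssl | create directory
      file: path={{ directory }} state=directory recurse=yes owner={{ user }} group={{ group }} mode=0755
      tags: openssl

    # umask 077 so the key is never world-readable, not even between this
    # task and the permissions fix-up below. creates= keeps an existing key:
    # changing key_size does not rotate it.
    - name: openssl | create private key
      shell: umask 077 && openssl genrsa -out {{ private_key_path }} {{ key_size }} creates={{ private_key_path }}
      tags: openssl

    - name: openssl | check private key
      file: path={{ private_key_path }} owner={{ user }} group={{ group }} mode=0600
      tags: openssl

    - name: openssl | create public key
      command: openssl rsa -in {{ private_key_path }} -pubout -out {{ public_key_path }} creates={{ public_key_path }}
      tags: openssl

    - name: openssl | check public key
      file: path={{ public_key_path }} owner={{ user }} group={{ group }} mode=0600
      tags: openssl
--------------------------------------------------------------------------------
/pecl/main.yml:
--------------------------------------------------------------------------------
---
- hosts: web

  vars:
    extensions: []

  tasks:
    - name: pecl | install
      apt: pkg={{ item }} state=latest update_cache=yes
      with_items:
        - php-pear
        - php5-dev
      tags: pecl

    # Builds and installs C extensions from pecl.php.net as root. Versions
    # are unpinned unless given as name-x.y.z; pin them for production hosts.
    - name: pecl | install extensions
      command: pecl install {{ item }}
      with_items: extensions
      register: pecl_result
      changed_when: "pecl_result.rc == 0"
      failed_when: "not (('already installed' in pecl_result.stdout) or ('install ok:' in pecl_result.stdout))"
      tags: pecl

    - name: pecl | create extensions ini files
      template: src=templates/extension.ini.j2 dest=/etc/php5/mods-available/{{ item }}.ini owner=root group=root mode=0644
      with_items: extensions
      tags: pecl

    - name: pecl | enable extensions
      command: php5enmod {{ item }}
      with_items: extensions
      tags: pecl
--------------------------------------------------------------------------------
/pecl/templates/extension.ini.j2:
--------------------------------------------------------------------------------
extension={{ item }}.so
--------------------------------------------------------------------------------
/php5-cli/main.yml:
--------------------------------------------------------------------------------
---
- hosts: web

  tasks:
    - name: php5-cli | install
      apt: pkg=php5-cli state=latest update_cache=yes
      tags: php5-cli

    - name: php5-cli | configure php.ini
      lineinfile: dest=/etc/php5/cli/php.ini regexp="{{ item.regexp }}" line="{{ item.line }}" backup=yes
      with_items:
        - { regexp: "date.timezone", line: "date.timezone = 'UTC'" }
        - { regexp: "short_open_tag =", line: "short_open_tag = Off" }
      tags: php5-cli
--------------------------------------------------------------------------------
/php5-fpm/files/clear-opcode:
--------------------------------------------------------------------------------
#!/bin/sh
### BEGIN INIT INFO
# Provides:          clear-opcode
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Clear php opcode
# Description:       Clear php opcode by restarting php5-fpm
### END INIT INFO
#
# Run by www-data through the NOPASSWD sudo rule in nginx/main.yml (no
# arguments) and by the init system on runlevel changes. The previous
# version had no interpreter line, so it could only run where the caller
# fell back to a shell. Restarting php5-fpm is the only way to drop the
# opcode cache here, because opcache.validate_timestamps=0 (php5/main.yml).

case "$1" in
    stop)
        # Nothing to do at shutdown; php5-fpm's own init script stops it.
        ;;
    *)
        service php5-fpm restart
        ;;
esac
--------------------------------------------------------------------------------
/php5-fpm/main.yml:
--------------------------------------------------------------------------------
---
- hosts: web
  vars:
    upload_max_file_size: 2M
    max_input_vars: 1000
    memory_limit: 64M
    listen_user: www-data
    listen_group: www-data

  tasks:
    - name: php5-fpm | install
      apt: pkg=php5-fpm state=latest update_cache=yes
      tags: php5-fpm

    # expose_php/display_errors off: no version header, no stack traces or
    # paths in responses. The regexps are unanchored substrings, as in the
    # stock php.ini these keys appear once (date.timezone commented out).
    - name: php5-fpm | configure php.ini
      lineinfile: dest=/etc/php5/fpm/php.ini regexp="{{ item.regexp }}" line="{{ item.line }}" backup=yes
      with_items:
        - { regexp: "date.timezone", line: "date.timezone = 'UTC'" }
        - { regexp: "short_open_tag =", line: "short_open_tag = Off" }
        - { regexp: "expose_php =", line: "expose_php = Off" }
        - { regexp: "memory_limit =", line: "memory_limit = {{ memory_limit }}" }
        - { regexp: "display_errors =", line: "display_errors = Off" }
        - { regexp: "upload_max_filesize =", line: "upload_max_filesize = {{ upload_max_file_size }}" }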
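# php5-fpm/main.yml (continued: remaining php.ini items)
        - { regexp: "post_max_size =", line: "post_max_size = {{ upload_max_file_size }}" }
        - { regexp: "max_input_vars =", line: "max_input_vars = {{ max_input_vars }}" }
      notify: reload php5-fpm
      tags: php5-fpm

    # Root-owned, 0755: this file is the target of the NOPASSWD sudo rule
    # granted to www-data in nginx/main.yml, so it must never become
    # writable by the web user.
    - name: php5-fpm | copy clear-opcode script
      copy: src=files/clear-opcode dest=/etc/init.d/clear-opcode owner=root group=root mode=0755
      tags: php5-fpm

    # Unix socket (files/symfony2 passes to /var/run/php5-fpm.sock), reachable
    # only by listen_user/listen_group thanks to mode 0660 - never a TCP port.
    - name: php5-fpm | update listen config
      lineinfile: dest=/etc/php5/fpm/pool.d/www.conf regexp="{{ item.regexp }}" line="{{ item.line }}" backup=yes
      with_items:
        - { regexp: "listen.owner =", line: "listen.owner = {{ listen_user }}" }
        - { regexp: "listen.group =", line: "listen.group = {{ listen_group }}" }
        - { regexp: "listen.mode =", line: "listen.mode = 0660" }
      notify: reload php5-fpm
      tags: php5-fpm

    # Vagrant boxes run PHP as the vagrant user so the synced folder stays
    # writable; nginx.conf.j2 switches its worker user the same way.
    - name: php5-fpm | update user and group
      lineinfile: dest=/etc/php5/fpm/pool.d/www.conf regexp="{{ item.regexp }}" line="{{ item.line }}" backup=yes
      with_items:
        - { regexp: "^user =", line: "user = vagrant" }
        - { regexp: "^group =", line: "group = vagrant" }
      when: vagrant is defined
      notify: reload php5-fpm
      tags:
        - php5-fpm
        - vagrant

    - name: php5-fpm | ensure service is running
      service: name=php5-fpm state=started
      tags: php5-fpm

  handlers:
    - name: reload php5-fpm
      service: name=php5-fpm state=reloaded
--------------------------------------------------------------------------------
/php5-xcache/main.yml:
--------------------------------------------------------------------------------
---
- hosts: web

  vars:
    var_size: 32M

  tasks:
    - name: php5-xcache | install
      apt: name=php5-xcache state=latest update_cache=yes
      tags: php5-xcache

    # Variable cache only; opcode caching is done by opcache (php5/main.yml).
    - name: php5-xcache | configure
      lineinfile: dest=/etc/php5/mods-available/xcache.ini regexp="{{ item.key }}" line="{{ item.key }}={{ item.value }}" backup=yes
      with_items:
        - { key: "xcache.var_size", value: "{{ var_size }}" }
        - { key: "xcache.var_count", value: "{{ ansible_processor_cores }}" }
      tags: php5-xcache
--------------------------------------------------------------------------------
/php5/main.yml:
--------------------------------------------------------------------------------
---
- hosts: web

  vars:
    extensions: []

  tasks:
    - name: php5 | install
      apt: pkg={{ item }} state=latest update_cache=yes
      with_items:
        - php5-common
        - php5-cgi
        - php5
      tags: php5

    - name: php5 | install extensions
      apt: pkg={{ item }} state=latest update_cache=yes
      with_items: extensions
      tags: php5

    - name: php5 | configure opcache
      template: src=templates/opcache.ini.j2 dest=/etc/php5/mods-available/opcache.ini backup=yes
      tags: php5
--------------------------------------------------------------------------------
/php5/templates/opcache.ini.j2:
--------------------------------------------------------------------------------
;configuration for php ZendOpcache module
zend_extension=opcache.so
; Never re-stat sources: edited files are not picked up until php5-fpm is
; restarted (see php5-fpm/files/clear-opcode), which is what makes the
; cache safe to run with.
opcache.validate_timestamps=0
opcache.enable_file_override=0
; 1/64 of RAM, in MB.
opcache.memory_consumption={{ (ansible_memtotal_mb / 64) | int }}
opcache.interned_strings_buffer=16
opcache.max_accelerated_files=8000
opcache.fast_shutdown=1
--------------------------------------------------------------------------------
/postfix/main.yml:
--------------------------------------------------------------------------------
---
- hosts: all

  vars:
    myhostname: "{{ ansible_fqdn }}"
    relayhost: ""
    # Listen on 127.0.0.1/::1 only: the box is a send-only client, never an
    # inbound MTA or relay, unless an inventory overrides this.
    inet_interfaces: loopback-only
    aliases: []
    smtp_bind_address: ""
    inet_protocols: all
    # tld is not defaulted here: it must come from the inventory, otherwise
    # the masquerade_domains item below fails to render.

  tasks:
    - name: postfix | install
      apt: pkg=postfix state=latest update_cache=yes
      tags: postfix

    # mydestination is emptied so nothing is delivered locally by domain;
    # virtual_maps is the pre-2.x name still accepted for virtual_alias_maps.
    - name: postfix | configure
      lineinfile: dest=/etc/postfix/main.cf regexp="{{ item.regexp }}" line="{{ item.line }}" backup=yes
      with_items:
        - { regexp: "^myorigin", line: "myorigin = /etc/mailname" }
        - { regexp: "^masquerade_domains", line: "masquerade_domains = {{ tld }}" }
        - { regexp: "^mydestination", line: "mydestination = " }
        - { regexp: "^relayhost", line: "relayhost = {{ relayhost }}" }
        - { regexp: "^inet_interfaces", line: "inet_interfaces = {{ inet_interfaces }}" }
        - { regexp: "^virtual_maps =", line: "virtual_maps = hash:/etc/aliases" }
      notify: reload postfix
      tags: postfix

    # myhostname is removed so postfix derives it from the system hostname.
    - name: postfix | configure
      lineinfile: dest=/etc/postfix/main.cf regexp="{{ item }}" backup=yes state=absent
      with_items:
        - "^myhostname"
      notify: reload postfix
      tags: postfix

    # The regexp tolerates the "inet_protocols = all" spacing Debian's
    # main.cf ships with; the previous "^inet_protocols=" never matched it,
    # so every run appended a duplicate line.
    - name: postfix | configure
      lineinfile: dest=/etc/postfix/main.cf regexp="^inet_protocols\s*=" line="inet_protocols = {{ inet_protocols }}" backup=yes
      notify: restart postfix
      tags: postfix

    # "aliases > 0" compared a list with an int; use its length.
    - name: postfix | setup aliases
      lineinfile: "dest=/etc/aliases regexp='^{{ item.user }}:' line='{{ item.user }}: {{ item.alias }}' backup=yes"
      with_items: aliases
      when: aliases | length > 0
      notify: newaliases
      tags: postfix

    - name: postfix | setup smtp bind address
      lineinfile: dest=/etc/postfix/master.cf regexp="^{{ item }}\s+unix" insertafter="^{{ item }}\s+unix" line="{{ item }} unix - - - - - smtp -o smtp_bind_address={{ smtp_bind_address }}" backup=yes
      with_items:
        - smtp
        - relay
      when: smtp_bind_address != ""
      notify: reload postfix
      tags: postfix

    - name: postfix | ensure service is running
      service: name=postfix state=started
      tags: postfix

  handlers:
    - name: newaliases
      command: newaliases

    - name: reload postfix
      service: name=postfix state=reloaded

    - name: restart postfix
      service: name=postfix state=restarted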
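--------------------------------------------------------------------------------
/redis/main.yml:
--------------------------------------------------------------------------------
---
- hosts: db

  tasks:
    # Package only, default configuration. NOTE(review): redis has no
    # authentication by default; confirm the shipped redis.conf binds to
    # 127.0.0.1 before putting a db host on a shared network.
    - name: redis | install
      apt: pkg=redis-server state=latest update_cache=yes
      tags: redis
--------------------------------------------------------------------------------
/rkhunter/main.yml:
--------------------------------------------------------------------------------
---
- hosts: all

  vars:
    # Must match PermitRootLogin in ssh/main.yml or rkhunter reports it.
    allow_ssh_root_user: without-password

  tasks:
    - name: rkhunter | install
      apt: pkg=rkhunter state=latest update_cache=yes
      register: rkhunter_install
      tags: rkhunter

    # Baseline the file-properties database when the package is installed
    # or upgraded, not on every play: running --propupd unconditionally (as
    # before) re-blesses whatever is on disk at that moment, including an
    # attacker's replaced binaries, and silences the very check it feeds.
    # Package-driven changes are re-baselined by APT_AUTOGEN below.
    - name: rkhunter | update
      command: rkhunter --propupd
      when: rkhunter_install.changed
      tags: rkhunter

    - name: rkhunter | configure
      lineinfile: dest=/etc/rkhunter.conf regexp="{{ item.regexp }}" line="{{ item.line }}" backup=yes
      with_items:
        - { regexp: ALLOW_SSH_ROOT_USER=, line: "ALLOW_SSH_ROOT_USER={{ allow_ssh_root_user }}" }
        - { regexp: ALLOWHIDDENDIR=\"/etc/.java\", line: ALLOWHIDDENDIR=\"/etc/.java\" }
        - { regexp: SCRIPTWHITELIST=/usr/bin/unhide.rb, line: SCRIPTWHITELIST=/usr/bin/unhide.rb }
      tags: rkhunter

    - name: rkhunter | configure cron
      lineinfile: dest=/etc/default/rkhunter regexp="^CRON_DAILY_RUN" line='CRON_DAILY_RUN="yes"' backup=yes
      tags: rkhunter

    # Debian's package ships an apt hook that refreshes the property
    # database after dpkg runs when APT_AUTOGEN is "yes", so routine
    # upgrades (unattended-upgrades/main.yml) do not raise false
    # "file properties changed" alerts.
    - name: rkhunter | refresh file properties after package changes
      lineinfile: dest=/etc/default/rkhunter regexp="^APT_AUTOGEN" line='APT_AUTOGEN="yes"' backup=yes
      tags: rkhunter
--------------------------------------------------------------------------------
/ssh/main.yml:
--------------------------------------------------------------------------------
---
- hosts: all

  vars:
    users:
      - root
    # Set to "yes" only if some account must keep logging in with a password.
    # Keys for "users" are installed by the first task, before this applies.
    ssh_password_authentication: "no"

  tasks:
    - name: ssh | authorize local public key
      authorized_key: user={{ item }} key="{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
      with_items: users
      tags: ssh

    # "without-password" (pre-OpenSSH-7.0 spelling of prohibit-password)
    # keeps root reachable with the key installed above but never with a
    # password; rkhunter/main.yml expects the same value. sshd -t validates
    # the edited file before it replaces the live one, so a bad edit cannot
    # lock everyone out at the next reload.
    - name: ssh | restrict root login to public key authentication
      lineinfile: dest=/etc/ssh/sshd_config regexp="^PermitRootLogin" line="PermitRootLogin without-password" validate='/usr/sbin/sshd -t -f %s'
      notify: reload ssh
      tags: ssh

    - name: ssh | disable password authentication
      lineinfile: dest=/etc/ssh/sshd_config regexp="^#?PasswordAuthentication" line="PasswordAuthentication {{ ssh_password_authentication }}" validate='/usr/sbin/sshd -t -f %s'
      notify: reload ssh
      tags: ssh

  handlers:
    - name: reload ssh
      service: name=ssh state=reloaded
--------------------------------------------------------------------------------
/supervisor/main.yml:
--------------------------------------------------------------------------------
---
- hosts: all

  tasks:
    - name: supervisor | install requirements
      apt: pkg=python-setuptools state=latest update_cache=yes
      tags: supervisor

    # easy_install fetches the newest supervisor from PyPI with no version
    # pin and no hash verification; the distro package (apt: pkg=supervisor)
    # or a pinned, checksummed install is preferable for production hosts.
    - name: supervisor | install
      easy_install: name=supervisor
      tags: supervisor
--------------------------------------------------------------------------------
/twig-php/files/twig.ini:
--------------------------------------------------------------------------------
extension=twig.so
--------------------------------------------------------------------------------
/twig-php/main.yml:
--------------------------------------------------------------------------------
---
- hosts: web

  vars:
    # Git ref to build. HEAD (the previous implicit behaviour) compiles
    # whatever the default branch holds at run time and installs it as a
    # PHP extension that runs as the web user; pin a release tag instead.
    twig_version: HEAD

  pre_tasks:
    - name: twig-php | install requirements
      apt: name={{ item }} state=latest update_cache=yes
      with_items:
        - gcc
        - php5-dev
        - git
      tags: twig-php

  tasks:
    # update=no keeps the "clone once" behaviour of the old creates=/tmp/Twig.
    - name: twig-php | download
      git: repo=https://github.com/fabpot/Twig.git dest=/tmp/Twig version={{ twig_version }} update=no
      tags: twig-php

    # creates= hard-codes the PHP 5.5 API directory (20121212); adjust for
    # other PHP versions or the build is repeated on every run.
    - name: twig-php | install
      command: "{{ item }} chdir=/tmp/Twig/ext/twig creates=/usr/lib/php5/20121212/twig.so"
      with_items:
        - phpize
        - ./configure
        - make
        - make install
      tags: twig-php

    - name: twig-php | create twig.ini
      copy: src=files/twig.ini dest=/etc/php5/mods-available
      tags: twig-php

    - name: twig-php | enable extension
      command: php5enmod twig
      changed_when: false
      tags: twig-php
--------------------------------------------------------------------------------
/ufw/main.yml: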
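--------------------------------------------------------------------------------
---
- hosts: web

  vars:
    # Extra "ufw <rule>" commands; ufw reset leaves the defaults of deny
    # incoming / allow outgoing in place. Swap "allow" for "limit" to
    # rate-limit SSH connection attempts if fail2ban is not deployed.
    rules:
      - allow ssh/tcp
    # Assumes the public interface is eth0 (OVH convention); the play fails
    # early with an undefined variable if it is not.
    ip: "{{ ansible_eth0.ipv4.address.split('.') }}"
    ip_prefix: "{{ ip[0] }}.{{ ip[1] }}.{{ ip[2] }}"
    # OVH monitoring hosts allowed to ping; the last three are the gateway
    # addresses of this host's own /24.
    ovh_hosts:
      - 213.186.50.98 # proxy.ovh.net
      - 37.187.231.251
      - 213.186.33.62 # a2.ovh.net
      - 92.222.184.0/24
      - 92.222.185.0/24
      - 92.222.186.0/24
      - 167.114.37.0/24
      - 213.186.45.4 # proxy.p19.ovh.net
      - 213.251.184.9 # proxy.rbx.ovh.net
      - 37.59.0.235 # proxy.sbg.ovh.net
      - 8.33.137.2 # proxy.bhs.ovh.net
      - 213.186.33.13 # ping.ovh.net
      - "{{ ip_prefix }}.249"
      - "{{ ip_prefix }}.250"
      - "{{ ip_prefix }}.251"
    # ICMP types DROPped for everyone except ovh_hosts. Only echo-request by
    # default: the previous lists also dropped destination-unreachable,
    # time-exceeded, parameter-problem (and packet-too-big on IPv6), which
    # breaks path-MTU discovery and traceroute and is explicitly advised
    # against for IPv6 (RFC 4890). Extend these lists to restore that.
    icmp_drop_types:
      - echo-request
    icmpv6_drop_types:
      - echo-request

  tasks:
    - name: ufw | install
      apt: pkg=ufw state=latest update_cache=yes
      tags: ufw

    # reset disables the firewall and restores the stock rule files; the
    # host is unfiltered from here until the enable task below.
    - name: ufw | reset
      command: ufw --force reset
      tags: ufw

    # Inserted right after the "# ok icmp codes" header, i.e. ahead of the
    # DROP rules below, so OVH monitoring keeps working.
    - name: ufw | allow ovh ping
      lineinfile: dest=/etc/ufw/before.rules regexp="{{ item }}" line="-A ufw-before-input -p icmp -s {{ item }} -j ACCEPT" insertafter="^# ok icmp codes" backup=yes
      with_items: ovh_hosts
      tags: ufw

    # Turns the stock ACCEPT line for each listed type into a DROP.
    - name: ufw | disable ping
      lineinfile: dest=/etc/ufw/before.rules regexp="icmp-type {{ item }}" line="-A ufw-before-input -p icmp --icmp-type {{ item }} -j DROP" backup=yes
      with_items: icmp_drop_types
      tags: ufw

    - name: ufw | disable ipv6 ping
      lineinfile: dest=/etc/ufw/before6.rules regexp="icmpv6-type {{ item }}" line="-A ufw6-before-input -p icmpv6 --icmpv6-type {{ item }} -j DROP" backup=yes
      with_items: icmpv6_drop_types
      tags: ufw

    - name: ufw | configure
      command: ufw {{ item }}
      with_items: rules
      tags: ufw

    - name: ufw | enable
      command: ufw --force enable
      tags: ufw

    - name: ufw | ensure service is running
      service: name=ufw state=started
      tags: ufw
--------------------------------------------------------------------------------
/unattended-upgrades/main.yml:
--------------------------------------------------------------------------------
---
- hosts: all

  tasks:
    - name: unattended-upgrades | install
      apt: pkg=unattended-upgrades state=latest update_cache=yes
      tags: unattended-upgrades

    - name: unattended-upgrades | copy config file
      template: src=templates/10periodic.j2 dest=/etc/apt/apt.conf.d/10periodic owner=root group=root mode=0644
      tags: unattended-upgrades

    # Origins are left at the package default (security updates only on
    # Debian). NOTE(review): MailOnlyOnError has no effect unless
    # Unattended-Upgrade::Mail is also set; nothing here sets it.
    - name: unattended-upgrades | configure
      lineinfile: dest=/etc/apt/apt.conf.d/50unattended-upgrades regexp="{{ item.regexp }}" line="{{ item.line }}" backup=yes
      with_items:
        - { regexp: 'Unattended-Upgrade::MailOnlyOnError', line: 'Unattended-Upgrade::MailOnlyOnError \"true\";' }
      tags: unattended-upgrades
--------------------------------------------------------------------------------
/unattended-upgrades/templates/10periodic.j2:
--------------------------------------------------------------------------------
// Daily: refresh lists, download and apply unattended upgrades; clean weekly.
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
--------------------------------------------------------------------------------
/varnish/files/default.vcl:
--------------------------------------------------------------------------------
# This is a basic VCL configuration file for varnish. See the vcl(7)
# man page for details on VCL syntax and semantics.
#
# Default backend definition. Set this to point to your content
# server.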
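backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

# The subroutines below reproduce Varnish 3's built-in logic verbatim; the
# built-in code is still appended after each one, so redefining them here
# changes nothing until you edit them.
sub vcl_recv {
    if (req.restarts == 0) {
        # Appends to any X-Forwarded-For the client sent, so everything but
        # the right-most element is client-controlled: the application (and
        # nginx's per-IP limits, which key on the peer address anyway) must
        # only trust the last hop.
        if (req.http.x-forwarded-for) {
            set req.http.X-Forwarded-For =
                req.http.X-Forwarded-For + ", " + client.ip;
        } else {
            set req.http.X-Forwarded-For = client.ip;
        }
    }
    if (req.request != "GET" &&
        req.request != "HEAD" &&
        req.request != "PUT" &&
        req.request != "POST" &&
        req.request != "TRACE" &&
        req.request != "OPTIONS" &&
        req.request != "DELETE") {
        /* Non-RFC2616 or CONNECT which is weird. */
        return (pipe);
    }
    if (req.request != "GET" && req.request != "HEAD") {
        /* We only deal with GET and HEAD by default */
        return (pass);
    }
    if (req.http.Authorization || req.http.Cookie) {
        /* Not cacheable by default */
        return (pass);
    }
    return (lookup);
}

sub vcl_pipe {
    # Note that only the first request to the backend will have
    # X-Forwarded-For set. If you use X-Forwarded-For and want to
    # have it set for all requests, make sure to have:
    # set bereq.http.connection = "close";
    # here. It is not set by default as it might break some broken web
    # applications, like IIS with NTLM authentication.
    return (pipe);
}

sub vcl_pass {
    return (pass);
}

sub vcl_hash {
    hash_data(req.url);
    if (req.http.host) {
        hash_data(req.http.host);
    } else {
        hash_data(server.ip);
    }
    return (hash);
}

sub vcl_hit {
    return (deliver);
}

sub vcl_miss {
    return (fetch);
}

sub vcl_fetch {
    # Responses that set cookies, vary on everything or carry no TTL are
    # never stored (hit-for-pass), which is what keeps per-user content
    # out of the shared cache.
    if (beresp.ttl <= 0s ||
        beresp.http.Set-Cookie ||
        beresp.http.Vary == "*") {
        /*
         * Mark as "Hit-For-Pass" for the next 2 minutes
         */
        set beresp.ttl = 120 s;
        return (hit_for_pass);
    }
    return (deliver);
}

sub vcl_deliver {
    return (deliver);
}

sub vcl_error {
    set obj.http.Content-Type = "text/html; charset=utf-8";
    set obj.http.Retry-After = "5";
    # Stock Varnish error page. No "error" statement in this file passes
    # request-derived text into obj.response, so nothing below needs
    # escaping. The XID and the "Varnish cache server" footer do reveal the
    # cache to clients; trim them if fingerprinting is a concern.
    synthetic {"
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
  <head>
    <title>"} + obj.status + " " + obj.response + {"</title>
  </head>
  <body>
    <h1>Error "} + obj.status + " " + obj.response + {"</h1>
    <p>"} + obj.response + {"</p>
    <h3>Guru Meditation:</h3>
    <p>XID: "} + req.xid + {"</p>
    <hr>
    <p>Varnish cache server</p>
  </body>
</html>
"};
    return (deliver);
}

sub vcl_init {
    return (ok);
}

sub vcl_fini {
    return (ok);
}
--------------------------------------------------------------------------------
/varnish/main.yml:
--------------------------------------------------------------------------------
---
- hosts: web

  pre_tasks:
    - name: varnish | install requirements
      apt: pkg=python-pycurl state=latest update_cache=yes
      tags: varnish

  tasks:
    # Signing key over HTTPS (was http://): a key fetched in the clear can
    # be swapped by anyone on the path, after which every package from the
    # plain-HTTP repository below would be trusted. NOTE(review): varnish
    # 3.0 is end-of-life and this repository host may no longer serve
    # packages; confirm before relying on it.
    - name: varnish | install key
      apt_key: url=https://repo.varnish-cache.org/debian/GPG-key.txt
      tags: varnish

    - name: varnish | add repository
      apt_repository: repo='deb http://repo.varnish-cache.org/debian/ wheezy varnish-3.0' update_cache=yes
      tags: varnish

    - name: varnish | install
      apt: pkg=varnish state=latest update_cache=yes
      notify: restart varnish
      tags: varnish

    # Listen address/port live in /etc/default/varnish, which this play does
    # not touch; default.vcl only points the backend at nginx on :8080.
    - name: varnish | configure
      copy: src=files/default.vcl dest=/etc/varnish/default.vcl backup=yes
      notify: reload varnish
      tags: varnish

  handlers:
    - name: restart varnish
      service: name=varnish state=restarted

    - name: reload varnish
      service: name=varnish state=reloaded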