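├── ansible_basics
│   ├── roles
│   │   └── common
│   │       ├── handlers
│   │       │   └── main.yml
│   │       ├── tasks
│   │       │   └── main.yml
│   │       └── templates
│   │           └── sshdconfig.jinja2
│   ├── site.yml
│   ├── group_vars
│   │   └── all
│   ├── hosts
│   └── README.md
├── README.md
└── config_files
    ├── monitoring
    │   ├── monit_site_config_example.cfg
    │   └── monitrc
    └── webservers
        └── nginx_site_conf_ssl_http2.conf

/ansible_basics/roles/common/handlers/main.yml:
--------------------------------------------------------------------------------
---
# restart that sshd, dude!
# 'ssh' is the Debian/Ubuntu service name; RHEL-family hosts call it 'sshd'.
# Whatever task notifies this handler should have syntax-checked the new
# sshd_config first (the template module's 'validate:' option does that) --
# restarting sshd into a broken config takes SSH down on the managed host.
- name: restart sshd
  service:
    name: ssh
    state: restarted
--------------------------------------------------------------------------------
/ansible_basics/site.yml:
--------------------------------------------------------------------------------
---
- name: Show off some basic Ansible features
  hosts: testhosts
  # 'remote_user' is the current name of the old 'user' play keyword, and
  # 'become' replaced 'sudo' (deprecated in 1.9, removed in later 2.x releases).
  # Connecting as root directly means PermitRootLogin has to stay enabled on
  # the target; outside a lab, log in as an unprivileged user and escalate:
  #   remote_user: user
  #   become: yes
  remote_user: root

  roles:
    - common
--------------------------------------------------------------------------------
/ansible_basics/group_vars/all:
--------------------------------------------------------------------------------
# variables that are visible from all roles

# ssh configuration file
#
# Keep the yes/no values quoted.  Unquoted, YAML parses 'yes' as a boolean and
# Jinja renders it into sshd_config as 'True', which is not a valid argument --
# sshd refuses to start once the 'restart sshd' handler fires.
#
# Moving sshd to 443 only gets you past outbound firewalls that allow HTTPS; it
# is not a security control, and it collides with any web server on the same
# host (the nginx example in config_files/ listens on 443).
sshd_port: 443

# Lab values: root login with a password over SSH is exactly what gets
# brute-forced on internet-facing hosts.  For anything real, put your key in
# root's authorized_keys first and then use
#   sshd_permitrootlogin: "prohibit-password"   # 'without-password' before OpenSSH 7.0
#   sshd_passwdauth: "no"
# ("no" for root login also works, but then this play can no longer connect
# as root -- switch site.yml to remote_user + become first).
sshd_permitrootlogin: "yes"
sshd_pubkeyauth: "yes"
sshd_passwdauth: "yes"


--------------------------------------------------------------------------------
/ansible_basics/hosts:
--------------------------------------------------------------------------------
[testhosts]

# this is my example LXC container
10.0.3.152

###################
# mail.example.com

# [webservers]
# foo.example.com
# bar.example.com

# [dbservers]
# one.example.com
# two.example.com
# three.example.com

--------------------------------------------------------------------------------
/ansible_basics/README.md: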
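--------------------------------------------------------------------------------
# Ansible basics

Code snippets from the original [Ansible Whirlwind Tour](https://www.youtube.com/watch?v=fYd_KQpfBs8&lc=z13fh3tippewzzrax04ccnainyivhh2iuzc0k "Ansible Tutorial on YouTube") video.

*Note:* This is not a 'production' playbook; it's designed to show off some features and serve as a learning aid. In particular, the defaults in `group_vars/all` leave root login and password authentication enabled in the managed host's sshd -- run it against a throwaway VM or container, not against anything reachable from the internet.

Enjoy!
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# tutorialinux Resources

Assorted configuration files, project files, and other stuff from the tutorialinux YouTube channel and website.

[YouTube](https://www.youtube.com/channel/UCvA_wgsX6eFAOXI8Rbg_WiQ/playlists)

[Official Website](https://tutorialinux.com/)

Udemy Course: [Hands-On Linux: Self-Hosted WordPress for Linux Beginners](https://www.udemy.com/hands-on-linux-self-hosted-wordpress-for-linux-beginners/?couponCode=SYSADMIN7W)


--------------------------------------------------------------------------------
/config_files/monitoring/monit_site_config_example.cfg:
--------------------------------------------------------------------------------
# Individual site configuration file for monit
## This file should be inside /etc/monit/monit.d/ -- usually you'll want a separate file for each website, so you can add this to your automation/configuration-management scripts


## EXAMPLE:
# check tutorialinux site, as an example
#check host tutorialinux with address tutorialinux.com
#  if failed port 443 protocol https for 2 cycles then alert
##############################################################

# Site monitoring fragment for yourdomainname.com
# If the site redirects HTTP to HTTPS (as the nginx example in this repo does),
# also check port 443 with 'protocol https', as in the example above --
# otherwise a dead TLS listener goes unnoticed as long as the redirect answers.
check host yourdomainname.com with address yourdomainname.com
  if failed port 80 protocol http for 2 cycles then alert

# Match this path to the error_log directive of your nginx vhost.
check file nginx_error.log with path /var/log/nginx_error.log
  # logrotate's positional argument is a logrotate *config* file, not the log
  # to rotate: pointing '-f' at the log itself makes logrotate try to parse the
  # log as configuration and exit with an error, so the log never shrinks.
  # Use the stanza that covers this log instead (path varies by distro, e.g.
  # /etc/logrotate.d/nginx on Debian/Ubuntu; the binary is /usr/sbin/logrotate
  # there and /usr/local/sbin/logrotate on FreeBSD).
  if size > 15 MB then exec "/usr/local/sbin/logrotate -f /etc/logrotate.d/nginx"


--------------------------------------------------------------------------------
/ansible_basics/roles/common/tasks/main.yml:
--------------------------------------------------------------------------------
---
- name: Update package lists
  apt:
    update_cache: yes
    # don't hit the mirrors again if the cache was refreshed within the hour
    cache_valid_time: 3600

- name: Install tmux
  apt: name=tmux state=present

- name: Install zsh
  apt: name=zsh state=present

- name: Install openssh
  apt: name=openssh-server state=present



# Passing a list to 'name' installs everything in one apt transaction;
# looping the apt module with with_items is the deprecated way to do this.
- name: Install several packages at once (python dev)
  apt:
    name:
      - python            # silly -- already installed
      - python-dev
      - python-virtualenv
    state: present

# Setting the shell on the user task keeps it idempotent.  The previous version
# created dave with /bin/bash and then ran 'chsh -s /usr/bin/zsh' via the
# command module, so every run reset the shell to bash, changed it back to zsh,
# and reported 'changed' twice.
- name: Create the 'dave' user with zsh as the default shell
  user: name=dave shell=/usr/bin/zsh
  #user: name=dave shell=/usr/bin/zsh groups=admins,developers append=yes


- name: Copy configuration for sshd
  template:
    src: sshdconfig.jinja2
    dest: /etc/ssh/sshd_config
    owner: root
    group: root
    mode: '0644'
    # Syntax-check the rendered file *before* it replaces the live config.
    # Without this, a bad render (a typo, or an unquoted YAML 'yes' rendering
    # as 'True') lands on disk, the 'restart sshd' handler fires, sshd fails
    # to start, and you are locked out of the host.
    validate: /usr/sbin/sshd -t -f %s
    backup: yes
  notify: restart sshd
--------------------------------------------------------------------------------
/config_files/webservers/nginx_site_conf_ssl_http2.conf:
--------------------------------------------------------------------------------
# Example nginx config file
#

# Plain-HTTP listener: answers Let's Encrypt http-01 challenges and sends
# everything else to HTTPS.
server {
    listen 1.2.3.4:80;
    server_name www.example.com example.com;

    # 'return 301 ... $request_uri' forwards the raw URI and query string as
    # received; the old 'rewrite ^/(.*)$ ... $1' re-encoded the captured path.
    location / {
        return 301 https://example.com$request_uri;
    }

    # Longest-prefix match wins, so ACME requests bypass the redirect above and
    # stay on plain HTTP, which is what http-01 validation needs.  'alias'
    # requires the trailing slash on both the location and the directory.
    location /.well-known/acme-challenge/ {
        alias /home/letsencrypt/challenges/;
    }
}

# Canonicalise www.example.com -> example.com over HTTPS.  The certificate
# below must also cover www.example.com or clients get a TLS error before the
# redirect is ever sent.
server {
    listen 1.2.3.4:443 ssl;
    server_name www.example.com;

    ssl_certificate /home/letsencrypt/example.com.chain.crt;
    ssl_certificate_key /home/letsencrypt/example.com.key;

    # Send HSTS on the redirect as well so browsers pin the www name too
    # ('always' is needed for the header to be added to a 301).
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;

    return 301 https://example.com$request_uri;
}

server {
    listen 1.2.3.4:443 ssl http2;
    server_name example.com;
    gzip on;

    # The private key is loaded by nginx's master process (root), so it should
    # be 0600 root:root, in a directory nobody else can list.  A home directory
    # works, as here, but /etc/letsencrypt or /etc/ssl/private is the usual
    # location and easier to keep permissions on.
    ssl_certificate /home/letsencrypt/example.com.chain.crt;
    ssl_certificate_key /home/letsencrypt/example.com.key;

    # Without ssl_protocols nginx falls back to its compiled-in default, which
    # on older builds still includes TLS 1.0/1.1.  Uncomment on nginx >= 1.13
    # (earlier versions reject the TLSv1.3 token):
    # ssl_protocols TLSv1.2 TLSv1.3;

    error_log /var/www/example.com/error_log error;

    index index.php index.html index.htm;
    root /var/www/example.com/public_html/;

    # Front-controller pattern: anything that is not a real file or directory
    # is handed to index.php.  Until the PHP/fastcgi block (see 'Additional
    # Stuff' below) is added, nginx has no handler for .php and would serve
    # index.php as a plain file -- add that block before exposing this vhost.
    location / {
        try_files $uri $uri/ /index.php?q=$uri&$args;
    }

    # redirect server error pages to the static page /50x.html
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/local/www/nginx-dist;
    }

    # HSTS: one year, all subdomains, eligible for the browser preload list.
    # 'includeSubdomains' + 'preload' are effectively one-way: once browsers
    # have pinned the domain, *every* subdomain must serve valid HTTPS or it
    # breaks, and leaving the preload list takes months.  Drop 'preload'
    # unless you actually intend to submit the domain at hstspreload.org.
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;
}



## Additional Stuff Here
# - PHP/fastcgi
# - redirects
# - static files
# - etc.

--------------------------------------------------------------------------------
/config_files/monitoring/monitrc:
--------------------------------------------------------------------------------
# Main monit configuration file
## On most Linux distributions, this lives at /etc/monit/monitrc, although your distro may vary
## On FreeBSD this is at /usr/local/etc/monitrc

## Note: this monitrc file *must* have permissions set to 600, else monit complains
## (monit insists on it because the dashboard credential below is stored in the clear)

# Run a check every 30 seconds, log to a file
set daemon 30
set logfile /var/log/monit.log

# Our monit web dashboard configuration
set httpd
  port 2812
  use address localhost  # only accept connection from localhost
  # allow localhost       # allow localhost to connect to the server
  # HTTP basic-auth credential, stored and transmitted in plaintext.  That is
  # only acceptable because the listener is bound to localhost; if you ever
  # widen 'use address', add 'ssl' with a 'pemfile' first, and rotate this
  # password if the file is ever committed or shared.
  allow yourusername:yourchosenpasswordshouldbedifficulttoguess


# check database service
check host localmysql with address 127.0.0.1
  # ICMP ping needs raw sockets, i.e. monit running as root (which it normally does)
  if failed ping then alert
  if failed port 3306 protocol mysql then alert


# nginx
## On systemd hosts the init.d wrappers usually still exist, but
## "/bin/systemctl start nginx" / "/bin/systemctl stop nginx" are the native calls.
check process nginx with pidfile /var/run/nginx.pid
  start program = "/etc/init.d/nginx start"
  stop program = "/etc/init.d/nginx stop"
  group www-data


# php-fpm
## Depending on your version of Unix or Linux, this path could be different. If you're unsure, just do a 'ls -alh /var/run/'

check process phpfpm with pidfile /var/run/php-fpm.pid
  if cpu > 50% for 2 cycles then alert
  # if total cpu > 60% for 5 cycles then restart
  if memory > 300 MB then alert
  # if total memory > 500 MB then restart




# include files for individual sites
## this path is for Ubuntu -- it can change, depending on which Linux/Unix OS you're using
include /etc/monit/monit.d/*

--------------------------------------------------------------------------------
/ansible_basics/roles/common/templates/sshdconfig.jinja2:
--------------------------------------------------------------------------------
# {{ ansible_managed }}
# Rendered by the 'common' role from roles/common/templates/sshdconfig.jinja2 --
# local edits are overwritten on the next run.  Based on the Debian
# package-generated sshd_config.
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port {{ sshd_port }}

# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2.  The DSA key is deliberately left out:
# ssh-dss has been disabled by default since OpenSSH 7.0 and removed outright
# in OpenSSH 10.0, so listing it only produces "Could not load host key"
# errors at startup.
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security (it is always on, and this
#option is an ignored no-op, from OpenSSH 7.5 onwards)
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key.  Protocol 1 only, so
# meaningless with 'Protocol 2'; modern sshd logs a "Deprecated option"
# warning for each.  Kept commented for reference.
#KeyRegenerationInterval 3600
#ServerKeyBits 1024

# Logging
SyslogFacility AUTH
# LogLevel VERBOSE additionally records the fingerprint of the key used for
# each login, which is what you want when several people share an account.
LogLevel INFO

# Authentication:
LoginGraceTime 120
# The three auth switches below come from group_vars.  A bare YAML 'yes' is a
# boolean and Jinja would render it as 'True', which sshd rejects -- so they
# are normalised here to the yes/no spelling sshd expects.  PermitRootLogin
# also accepts 'prohibit-password' (OpenSSH 7.0+; 'without-password' before)
# and 'forced-commands-only', so string values are passed through unchanged.
PermitRootLogin {{ sshd_permitrootlogin if sshd_permitrootlogin is string else (sshd_permitrootlogin | ternary('yes', 'no')) }}
StrictModes yes

# Protocol 1 only (see above); deprecated and ignored by modern sshd
#RSAAuthentication yes
PubkeyAuthentication {{ sshd_pubkeyauth | bool | ternary('yes', 'no') }}
#AuthorizedKeysFile	%h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
# (protocol 1 only; deprecated and ignored by modern sshd)
#RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads).  Renamed KbdInteractiveAuthentication in
# OpenSSH 8.7; the old name is still accepted as an alias.
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords.  With UsePAM yes and
# PermitRootLogin yes this means root can be brute-forced by password -- fine
# for a lab container, not for anything reachable from the internet.
PasswordAuthentication {{ sshd_passwdauth | bool | ternary('yes', 'no') }}

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# X11 forwarding lets a compromised server drive the connecting client's X
# display; leave it off unless you actually need it.
X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
--------------------------------------------------------------------------------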