diff --git a/docs/_Sidebar.md b/docs/_Sidebar.md index f6637bbc3..f22944d94 100644 --- a/docs/_Sidebar.md +++ b/docs/_Sidebar.md @@ -45,11 +45,13 @@ - [AWS Cloudwatch agent](/roles/debian/aws_cloudwatch_agent) - [EFS client](/roles/debian/aws_efs_client) - [AWS SSM agent](/roles/debian/aws_ssm_agent) + - [BASH options](/roles/debian/bash) - [ce-deploy](/roles/debian/ce_deploy) - [Extra packages](/roles/debian/ce_dev) - [Automated patching](/roles/debian/ce_patcher) - [ce-provision](/roles/debian/ce_provision) - [ClamAV](/roles/debian/clamav) + - [CollectD](/roles/debian/collectd) - [Docker CE](/roles/debian/docker_ce) - [Docker Registry](/roles/debian/docker_registry) - [Duplicity](/roles/debian/duplicity) @@ -94,7 +96,9 @@ - [System](/roles/debian/system) - [User Ansible](/roles/debian/user_ansible) - [varnish_config](/roles/debian/varnish_config) + - [VIM options](/roles/debian/vim) - [wazuh](/roles/debian/wazuh) + - [YACE](/roles/debian/yace_exporter) - [Init role](/roles/_init) - ["Meta" roles that group individual roles together.](/roles/_meta) - [AWS account](/roles/_meta/aws_account) diff --git a/docs/roles/_init.md b/docs/roles/_init.md index d8183a4c6..8b745dbb2 100644 --- a/docs/roles/_init.md +++ b/docs/roles/_init.md @@ -17,12 +17,14 @@ _venv_path: "/home/{{ _ce_provision_username }}/ce-python" _venv_command: /usr/bin/python3 -m venv _venv_install_username: "{{ _ce_provision_username }}" _ce_ansible_timer_name: upgrade_ansible +_env_type: unspecified # AWS variables - if you are using an AWS account, you can preset certain variables # Generally it is recommended to place these in your ce-provision-config repository under hosts/group_vars/all #_aws_profile: example # boto profile name #_aws_region: eu-west-1 _aws_vpc_cidr_base: 10.0 # used to define internal IP range that is unique for every client +aws_admin_tools_enable: false # Set to true to include aws_admin_tools role. # AWS tags _aws_resource_name: "" # Name diff --git a/docs/roles/aws/aws_acl.md b/docs/roles/aws/aws_acl.md index 030a017ca..48e448b64 100644 --- a/docs/roles/aws/aws_acl.md +++ b/docs/roles/aws/aws_acl.md @@ -40,6 +40,7 @@ aws_acl: region: "us-east-1" tags: "{{ _aws_tags }}" recreate: false # set to true to creating the ACL + default_action: "Allow" # Default action if no rules are triggered, can be Block rules: rate_limit: value: 600 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking diff --git a/docs/roles/aws/aws_backup_validation.md b/docs/roles/aws/aws_backup_validation.md index 1ca4f8487..4f33d6e20 100644 --- a/docs/roles/aws/aws_backup_validation.md +++ b/docs/roles/aws/aws_backup_validation.md @@ -11,6 +11,7 @@ Creates AWS Restore testing plan for EC2 and RDS, EventBridge rule that gets tri --- aws_backup_validation: s3_bucket: "codeenigma-{{ _aws_profile }}-general-storage-{{ _aws_region }}" + s3_bucket_prefix: "backup-validation" # Prefix used for storing backup validation info name: "RestoreValidation" description: "Restore validation is running every Sunday at 00:00AM, and validation reporting is triggered on Monday 00:00AM" timeout: 60 diff --git a/docs/roles/aws/aws_cloudfront_distribution.md b/docs/roles/aws/aws_cloudfront_distribution.md index f45a01af6..e9baf31f6 100644 --- a/docs/roles/aws/aws_cloudfront_distribution.md +++ b/docs/roles/aws/aws_cloudfront_distribution.md @@ -69,6 +69,7 @@ aws_cloudfront_distribution: cache_behaviors: [] # A list of cache behaviors same as default_cache_behavior with additional path_pattern var required. enabled: true purge_existing: true # Set to false to append entries instead of replacing them. + web_acl: false # Set to true to create Web ACL for WAF. ``` diff --git a/docs/roles/aws/aws_ec2_autoscale_cluster.md b/docs/roles/aws/aws_ec2_autoscale_cluster.md index 1a030e1e5..ab85fb690 100644 --- a/docs/roles/aws/aws_ec2_autoscale_cluster.md +++ b/docs/roles/aws/aws_ec2_autoscale_cluster.md @@ -163,6 +163,12 @@ aws_ec2_autoscale_cluster: health_check_timeout: 5 health_check_healthy_count: 5 health_check_unhealthy_count: 2 + ## Target Group Stickiness. Disabled by default unless set otherwise. Uncomment if needed: + # target_group_stickiness_enabled: true + # target_group_stickiness_type: "lb_cookie" # Valid values are lb_cookie, app_cookie or source_ip. + # target_group_stickiness_app_cookie_name: "my_app_cookie" + # target_group_stickiness_app_cookie_duration: 86400 + # target_group_stickiness_lb_cookie_duration: 86400 # ALB settings create_elb: true # determines whether an ELB (currently, this is an ALB) is created as part of the ASG. This needs to be `true` in order to create a CloudFront distribution. alb_idle_timeout: 60 diff --git a/docs/roles/aws/aws_ec2_with_eip.md b/docs/roles/aws/aws_ec2_with_eip.md index 11985ee47..88fee112e 100644 --- a/docs/roles/aws/aws_ec2_with_eip.md +++ b/docs/roles/aws/aws_ec2_with_eip.md @@ -16,8 +16,13 @@ aws_ec2_with_eip: force: false # Force a new EC2 machine to be created if a new AMI is packed. instance_type: t3.micro key_name: "{{ ce_provision.username }}@{{ ansible_hostname }}" # This needs to match your "provision" user SSH key. - ami_name: "{{ _domain_name }}" # The name of an AMI image to use. Image must exists in the same region. - ami_owner: self # Default to self-created image. + pubkey: "" # The contents of the controller's public key to place in authorized_keys on boot, usually handled by a lookup() + # See also the aws_ami role, generally these AMI variables will match + # Filter values available here - https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeImages.html + ami_owner: "136693071363" # Global AWS account ID of owner, defaults to Debian official + ami_virtualization_type: hvm + ami_root_device_type: ebs + ami_name_filter: "debian-12-amd64-*" # vpc_subnet_id: subnet-xxx # One of vpc_subnet_id or vpc_name + vpc_subnet_profile is mandatory. vpc_name: "{{ _infra_name }}" vpc_subnet_profile: core # if you are looking up subnets we need a Profile tag to search against diff --git a/docs/roles/aws/aws_iam_role.md b/docs/roles/aws/aws_iam_role.md index 768a845d2..338c454f9 100644 --- a/docs/roles/aws/aws_iam_role.md +++ b/docs/roles/aws/aws_iam_role.md @@ -13,6 +13,10 @@ aws_iam_role: aws_profile: "{{ _aws_profile }}" # Pass either names or ARNs for the role. managed_policies: [] + inline_policies: + name: "example_inline_polcy" # Name of inline policy + resource: "*" + action: [] # Which document policy to apply. # Current options are 'ec2', 'ecs' or 'backup' policy_document: ec2 diff --git a/docs/roles/debian/ansible_galaxy.md b/docs/roles/debian/ansible_galaxy.md index b4139d4b8..124ea9472 100644 --- a/docs/roles/debian/ansible_galaxy.md +++ b/docs/roles/debian/ansible_galaxy.md @@ -13,6 +13,8 @@ ansible_galaxy: #venv_path: "/home/controller/ce-python" username: controller + # To use the desired ansible.cfg from the working directory. + working_dir: "/home/{{ _ce_provision_username }}/ce-provision" # File containing default roles and/or collections to install via Ansible Galaxy. # Roles will be installed to the first path specified under roles_path in your ansible.cfg file. # Collections will be installed to collections_path in your ansible.cfg file. diff --git a/docs/roles/debian/apt_unattended_upgrades.md b/docs/roles/debian/apt_unattended_upgrades.md index 45df42615..3b6f93df0 100644 --- a/docs/roles/debian/apt_unattended_upgrades.md +++ b/docs/roles/debian/apt_unattended_upgrades.md @@ -49,8 +49,7 @@ apt_unattended_upgrades: --- _apt_unattended_upgrades_default_origins: - "origin=Debian,codename=${distro_codename},label=Debian" - - "origin=Debian,codename=${distro_codename},label=Debian-Security" - + - "origin=Debian,codename=${distro_codename}-security,label=Debian-Security" apt_unattended_upgrades: enable: true # unattended-upgrades template vars. diff --git a/docs/roles/debian/bash.md b/docs/roles/debian/bash.md new file mode 100644 index 000000000..71f64b1f5 --- /dev/null +++ b/docs/roles/debian/bash.md @@ -0,0 +1,9 @@ +# BASH options + +Set system options for the Bourne Again shell. + + + + + + diff --git a/docs/roles/debian/ce_deploy.md b/docs/roles/debian/ce_deploy.md index 51083b275..747338808 100644 --- a/docs/roles/debian/ce_deploy.md +++ b/docs/roles/debian/ce_deploy.md @@ -19,6 +19,8 @@ ce_deploy: # Other ce-deploy settings. aws_support: true # installs boto3 + #uid: 1300 # optional + #gid: 1300 # optional new_user: true # set to false if user already exists or is ephemeral, e.g. an LDAP user ssh_key_bits: "521" # ignored for ED25519 keys, recommended to use 4096 for RSA keys, 521 is the maximum for ECDSA keys ssh_key_type: ed25519 # set to rsa to create an RSA key or ecdsa to create an ECDSA key @@ -29,7 +31,7 @@ ce_deploy: config_repository: "" config_repository_branch: "master" local_dir: "/home/{{ _ce_deploy.username }}/ce-deploy" - ce_provision_dir: "/home/controller/ce-provision" + ansible_collections_dir: "/home/{{ _ce_deploy.username }}/ce-deploy/galaxy/ansible_collections" # See ansible.cfg. # List of additional groups to add the user to. groups: [] # File containing default roles and collections to install via Ansible Galaxy. diff --git a/docs/roles/debian/clamav.md b/docs/roles/debian/clamav.md index f99ff364e..244f53f04 100644 --- a/docs/roles/debian/clamav.md +++ b/docs/roles/debian/clamav.md @@ -27,7 +27,7 @@ clamav: timer_OnCalendar: "*-*-* 02:30:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events server_name: "{{ inventory_hostname }}" # for identification via email, defaults to Ansible inventory name. log_location: /var/log/clamav - send_mail: false # Important: will not send any emails by default. + send_mail: false # Important - will not send any emails by default. send_on_fail: true # Only sends emails on scan failure, will not email for successful scans. report_recipient_email: mail@example.com report_sender_email: admin@server.example.com diff --git a/docs/roles/debian/collectd.md b/docs/roles/debian/collectd.md new file mode 100644 index 000000000..7df3038f2 --- /dev/null +++ b/docs/roles/debian/collectd.md @@ -0,0 +1,8 @@ +# CollectD +This role provides the collectd server statistics daemon facilitating exporting of system stats to cloudwatch + + + + + + diff --git a/docs/roles/debian/gitlab.md b/docs/roles/debian/gitlab.md index de9001f30..3bc52c4ff 100644 --- a/docs/roles/debian/gitlab.md +++ b/docs/roles/debian/gitlab.md @@ -24,6 +24,7 @@ gitlab: apt_origin: "origin=packages.gitlab.com/gitlab/gitlab-ce,codename=${distro_codename},label=gitlab-ce" # used by apt_unattended_upgrades apt_signed_by: https://packages.gitlab.com/gitlab/gitlab-ce/gpgkey server_name: "gitlab.{{ _domain_name }}" + ssh_url: "" # custom SSH URL. Similar to https one if empty. force_stop: true # whether to stop GitLab to reconfigure or not # Add a record for GitLab in AWS Route 53 # If you use the aws_ec2_with_eip role to create your server this will not be necessary diff --git a/docs/roles/debian/gitlab_runner.md b/docs/roles/debian/gitlab_runner.md index 7311c5bf0..12f64fa2d 100644 --- a/docs/roles/debian/gitlab_runner.md +++ b/docs/roles/debian/gitlab_runner.md @@ -14,6 +14,29 @@ If you want to use AWS ECS with Fargate for orchestrating CI containers then set gitlab_runner: apt_origin: "origin=packages.gitlab.com/runner/gitlab-runner,codename=${distro_codename},label=gitlab-runner" # used by apt_unattended_upgrades apt_signed_by: https://packages.gitlab.com/runner/gitlab-runner/gpgkey + use_docker: false # set to true to install Docker and use the 'docker' executor + install_fargate: false + restart: true # set to false if you're applying settings to a server responsible for its own runners + username: "{{ ce_deploy.username }}" + docker_group: "docker" + runner_workingdir: "/home/{{ ce_deploy.username }}/build" + runner_config: "/etc/gitlab-runner/config.toml" + # see https://gitlab.com/gitlab-org/ci-cd/custom-executor-drivers/fargate/-/tree/master/docs + fargate: + cluster: "my-cluster" # ECS cluster name + profile: "example" # AWS boto profile name - can be substituted for "{{ _aws_profile }}" if set + region: "eu-west-1" # AWS region name - can be substituted for "{{ _aws_region }}" if set + subnet: "subnet-abcdef123456" # subnet ID + security_group: "my-security-group" # SG name + task_definition: "my-task:1" # task definition in format name:revision, if revision is not provided ECS will use latest + public_ip: "false" # if your containers need a public IP assigning + version: "1.4.0" # Fargate platform version + metadata_dir: "/opt/gitlab-runner/metadata" + ssh_user: "root" + ssh_port: 22 + ################################################## + # @TODO - these variables are not currently used # + ################################################## concurrent_jobs: 10 check_interval: 0 session_timeout: 1800 @@ -40,25 +63,9 @@ gitlab_runner: # run_args: '["--config", "/etc/gitlab-runner/fargate.toml", "custom", "run"]' # cleanup_exec: "/opt/gitlab-runner/fargate" # cleanup_args: '["--config", "/etc/gitlab-runner/fargate.toml", "custom", "cleanup"]' - install_fargate: false - restart: true # set to false if you're applying settings to a server responsible for its own runners - username: "{{ ce_deploy.username }}" - docker_group: "docker" - runner_workingdir: "/home/{{ ce_deploy.username }}/build" - runner_config: "/etc/gitlab-runner/config.toml" - # see https://gitlab.com/gitlab-org/ci-cd/custom-executor-drivers/fargate/-/tree/master/docs - fargate: - cluster: "my-cluster" # ECS cluster name - profile: "example" # AWS boto profile name - can be substituted for "{{ _aws_profile }}" if set - region: "eu-west-1" # AWS region name - can be substituted for "{{ _aws_region }}" if set - subnet: "subnet-abcdef123456" # subnet ID - security_group: "my-security-group" # SG name - task_definition: "my-task:1" # task definition in format name:revision, if revision is not provided ECS will use latest - public_ip: "false" # if your containers need a public IP assigning - version: "1.4.0" # Fargate platform version - metadata_dir: "/opt/gitlab-runner/metadata" - ssh_user: "root" - ssh_port: 22 + ################################################## + # End @TODO # + ################################################## ``` diff --git a/docs/roles/debian/gpg_key.md b/docs/roles/debian/gpg_key.md index 4bac2216c..4a9515941 100644 --- a/docs/roles/debian/gpg_key.md +++ b/docs/roles/debian/gpg_key.md @@ -9,11 +9,11 @@ Generates a passwordless GPG key for a given user or users. --- gpg_key_servers: - hkps://keyserver.ubuntu.com - - hkps://pgp.mit.edu - - hkps://keys.openpgp.org + #- hkps://keys.openpgp.org # removed key servers from defaults due to reliability issues + #- hkps://pgp.mit.edu gpg_key: - - username: example # Must exist already on the server. - publish: false # Whether to publish to HKS public servers. + - username: example # Must exist already on the server + publish: false # Whether to publish to HKS public servers key_type: "RSA" key_length: 4096 email: example@example.com diff --git a/docs/roles/debian/jenkins.md b/docs/roles/debian/jenkins.md index 4fca080e8..3c528c0d5 100644 --- a/docs/roles/debian/jenkins.md +++ b/docs/roles/debian/jenkins.md @@ -15,7 +15,7 @@ ldap_client: bindpw: "" jenkins: - apt_signed_by: https://pkg.jenkins.io/debian/jenkins.io.key + apt_signed_by: https://pkg.jenkins.io/debian-stable/jenkins.io-2023.key server_name: "jenkins.{{ _domain_name }}" ssl_handling: "ssl_selfsigned" listen_http_port: -1 @@ -38,6 +38,7 @@ jenkins: mailto: "admins@example.com" # daily key renewal execution with systemd timer on_calendar: "*-*-* 02:15:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events + apt_origin_jenkins: "origin=jenkins.io" ``` diff --git a/docs/roles/debian/nginx.md b/docs/roles/debian/nginx.md index 5a1131c5b..1eb74e189 100644 --- a/docs/roles/debian/nginx.md +++ b/docs/roles/debian/nginx.md @@ -129,6 +129,8 @@ nginx: cache_behavior_public: "add_header Cache-Control \"public, max-age=604800\"" proxy_host: localhost proxy_port: 8443 + # Set a custom port for Let's Encrypt to bind to during the initial certificate run + # vhost_letsencrypt_port: [] # You can inject custom directives into the main nginx.conf file here by providing them as a list of strings. #custom_directives: [] # Group prefix. Useful for grouping by environments. @@ -139,6 +141,18 @@ nginx: php_fastcgi_backend: "127.0.0.1:90{{ php.version[-1] | replace('.', '') }}" # for unix socket use "unix:/var/run/php{{ php.version[-1] | replace('.','') }}-fpm.sock" ratelimitingcrawlers: false client_max_body_size: "700M" + # drupal_fallback: [] + # Default location behavior for nginx + # If no custom location behavior is defined, this will be used: + # nginx_location_behavior: ['try_files @rewrite /index.php?$query_string;'] + + # Uncomment and customize the following lines if you want to use custom location behavior: + # custom_nginx_location_behavior: + # - 'index index.php index.html;' + # - 'expires max;' + # - 'set $boost_cache_path "/cache/normal/$host";' + # - 'set $boost_cache_file "${boost_cache_path}${uri}_.html";' + # - 'try_files $boost_cache_file $uri $uri/ @drupal;' fastcgi_read_timeout: 60 recreate_vhosts: true # handle vhosts with ansible, if 'true' then clean up 'sites-enabled' dir and run domain.yml. vhost_backup_location: "/home/{{ _ce_provision_username }}" # see _init for _ce_provision_username diff --git a/docs/roles/debian/nodejs.md b/docs/roles/debian/nodejs.md index 0e4624ee1..e8a6ca07e 100644 --- a/docs/roles/debian/nodejs.md +++ b/docs/roles/debian/nodejs.md @@ -8,11 +8,13 @@ Installs NodeJS from official repos. --- nodejs: # Used by apt_unattended_upgrades - apt_origin_nodejs: "origin=Node Source,codename=nodistro,label=Node Source" # nodejs repo + apt_origin_nodejs: "origin=. nodistro,codename=nodistro,label=. nodistro" # nodejs repo + apt_origin_nodejs_old: "origin=Node Source,codename=${distro_codename},label=Node Source" # nodejs repo apt_signed_by_nodejs: https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key apt_origin_yarn: "origin=yarn,codename=stable,label=yarn-stable" # yarn repo apt_signed_by_yarn: https://dl.yarnpkg.com/debian/pubkey.gpg - version: 18.x # LTS - see https://nodejs.dev/en/about/releases/ + version: 22.x # LTS - see https://nodejs.dev/en/about/releases/ + start_corepack: false # corepack is shipped with nodejs and enables a core set of packages npm_packages: [] #npm_packages: # - name: coffee-script # required diff --git a/docs/roles/debian/openvpn.md b/docs/roles/debian/openvpn.md index 7acf4980b..a51ca7deb 100644 --- a/docs/roles/debian/openvpn.md +++ b/docs/roles/debian/openvpn.md @@ -33,6 +33,15 @@ openvpn: # - "1.2.3.4 255.255.255.255" # push specific IP 1.2.3.4 # - "www.google-analytics.com 255.255.255.255" # push any IP resolving to www.google-analytics.com, must set allow_pull_fqdn to true push_routes_ipv6: [] # list of VPN push routes for ipv6 networks - ipv6_support must be "y" + # Provide a path to a directory, such as /etc/openvpn/client, to configure a directory where OpenVPN can look up default client configs. + # See --client-config-dir in the manual - https://openvpn.net/community-resources/reference-manual-for-openvpn-2-0/ + # You can use a 'DEFAULT' file in the specified directory as an include or provide client-specific config, such as managed push routes. + client_config_dir: "" # specify to set own config directory. If not set the default is /etc/openvpn/ccd. + push_routes_elb: [] # list of DNS names for resolve and update openvpn 'push routes' with changing IP addresses. + # - myloadbalancer.example.com + # - example-elb.example.com + push_routes_elb_path: "/etc/openvpn/ccd/DEFAULT" # path to the file with the updatable routes + client_config_push_routes: false # if you are providing push routes in your client config, set this to true to remove the default ones # PAM and LDAP authentication pam: enabled: false # relies on `openvpn-plugin-auth-pam.so` which is bundled with OpenVPN server for Debian @@ -46,7 +55,9 @@ openvpn: lookup_filter: "|(objectClass=inetOrgPerson)" # LDAP filter to apply to lookups login_attribute: uid # the LDAP attribute to check the OpenVPN username against group_base: "" # e.g. ou=Groups,dc=example,dc=com - group_dn: "" # restrict to specific group, e.g. cn=admins,ou=Groups,dc=example,dc=com + group_dn: [] # restrict to specific groups: + # - cn=admins,ou=Groups,dc=example,dc=com + # - cn=developers,ou=Groups,dc=example,dc=com group_attribute: memberUid # the LDAP group attribute to check the OpenVPN username against ssl_certificate: "{{ pam_ldap.ssl_certificate | default('') }}" ssl_certificate_check: "{{ pam_ldap.ssl_certificate_check | default(true) }}" @@ -60,6 +71,8 @@ openvpn: port_choice: "1" # 1 = use default 1194, 3 means use a random port protocol_choice: "1" # 1 = udp, 2 = tcp dns: "1" # 1 = system default, see options - https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L314-L327 + # dns1: "10.8.0.1" # if openvpn.dns="13" (i.e. custom), specify the DNS server for the "push dhcp-option DNS" + # dns2: "" # (optional) if openvpn.dns="13" (i.e. custom), specify the second DNS server compression_enabled: "n" compression_choice: "1" # only works if compression_enabled is "y", 1 = LZ4-v2, 2 = LZ4, 3 = LZ0 test_username: example # this will be used to create a client config in the `script_install_path` location diff --git a/docs/roles/debian/packer.md b/docs/roles/debian/packer.md index 5e1144c3e..7e99e6173 100644 --- a/docs/roles/debian/packer.md +++ b/docs/roles/debian/packer.md @@ -9,7 +9,10 @@ Role to install Hashicorp's Packer binary. ```yaml --- packer: - version: "1.9.1" # see https://releases.hashicorp.com/packer/ + version: "1.11.2" # see https://releases.hashicorp.com/packer/ + plugins: + - github.com/hashicorp/amazon + - github.com/hashicorp/ansible ``` diff --git a/docs/roles/debian/php-cli.md b/docs/roles/debian/php-cli.md index d8a9c8636..aff0d33ab 100644 --- a/docs/roles/debian/php-cli.md +++ b/docs/roles/debian/php-cli.md @@ -39,6 +39,7 @@ php: memory_consumption: 128 max_accelerated_files: 2000 validate_timestamps: 1 + interned_strings_buffer: 8 ``` diff --git a/docs/roles/debian/php-fpm.md b/docs/roles/debian/php-fpm.md index 443ffbf87..f32ff94b2 100644 --- a/docs/roles/debian/php-fpm.md +++ b/docs/roles/debian/php-fpm.md @@ -64,7 +64,11 @@ php: memory_consumption: 128 max_accelerated_files: 2000 validate_timestamps: 1 + interned_strings_buffer: 8 clear_env: "yes" + # Cloudwatch log settings. + log_group_prefix: "" + log_stream_name: example ``` diff --git a/docs/roles/debian/postfix.md b/docs/roles/debian/postfix.md index 7f24ebb64..76d07506a 100644 --- a/docs/roles/debian/postfix.md +++ b/docs/roles/debian/postfix.md @@ -12,6 +12,7 @@ Full TLS SMTP support is optional by enabling SSL. --- postfix: + disable_syslog: true hostname: "{{ ansible_fqdn }}" # if you set this to something else you may have to create PTR records to avoid bouncing dest_hosts: "mail.host1.com,mail.host2.com" disable_vrfy: "no" # leave as 'no' for Postfix config, not a YAML boolean diff --git a/docs/roles/debian/rkhunter.md b/docs/roles/debian/rkhunter.md index 9dea50dcb..d54224e42 100644 --- a/docs/roles/debian/rkhunter.md +++ b/docs/roles/debian/rkhunter.md @@ -22,6 +22,7 @@ rkhunter: allow_ssh_root_user: "{{ sshd.PermitRootLogin | default('prohibit-password') }}" disable_tests: "suspscan hidden_procs deleted_files packet_cap_apps apps os_specific" os_package_manager: "NONE" # PKGMGR=NONE is default for Debian, set it to what you need. + portpathwhitelist: [] scriptwhitelist: - /bin/egrep - /bin/fgrep diff --git a/docs/roles/debian/ssl.md b/docs/roles/debian/ssl.md index 2ead29797..129a9ea0c 100644 --- a/docs/roles/debian/ssl.md +++ b/docs/roles/debian/ssl.md @@ -42,8 +42,10 @@ nginx: reload_command: reload reload: - nginx - on_calendar: "Mon *-*-* 04:00:00" ``` +Variable "on_calendar" is no longer in use since we have 1 general cron to renew all domains + +"web_server" can be standalone and webroot, differnce is that webroot wont start webserver to validate SSL, while standalone requires port on which webserver will be running in order to validate cert so we need the "http_01_port" for standalone option As in the example above, you need to include *all* variables required by the `letsencrypt` SSL handler because defaults will not load from the `ssl` role in this context. @@ -90,7 +92,9 @@ ssl: certbot_renew_command: "certonly --agree-tos --force-renew" # root of the command used in the systemd timer # See systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events on_calendar: "Mon *-*-* 04:00:00" - web_server: standalone # values are standalone, nginx or apache - warning, nginx and apache will attempt to manipulate your vhosts! + web_server: standalone + # values are standalone, webroot, nginx or apache - warning, nginx and apache will attempt to manipulate your vhosts! + # webroot unlike standalone, won't start webserver with certain port # For "letsencrypt" handling, a list of service to stop while creating the certificate. # This is because we need port 80 to be free. diff --git a/docs/roles/debian/system.md b/docs/roles/debian/system.md index 859989ea9..a94cd458d 100644 --- a/docs/roles/debian/system.md +++ b/docs/roles/debian/system.md @@ -4,6 +4,7 @@ Currently, the following entities can be managed with the role: - Force IPv4 (noipv6) - Force Static IP configuration for Hetzner Cloud systems (nohetznerdhcp) +- Enable data collection for sysstat diff --git a/docs/roles/debian/user_ansible.md b/docs/roles/debian/user_ansible.md index 5693b08e5..cccc424d5 100644 --- a/docs/roles/debian/user_ansible.md +++ b/docs/roles/debian/user_ansible.md @@ -20,10 +20,14 @@ user_ansible: # This is shown for documentation, you should do this in your config repo # uid: 999 # gid: 999 - # Local username of the deploy user. - utility_host: "localhost" - utility_username: "{{ _user_ansible_username }}" - sudoer: false + sudo_config: {} # an empty dictionary will skip creating a sudo config + # Example sudo config allowing full sudo permissions - see the debian/sudo_config role for more details. + # entity_name: "{{ _user_ansible_username }}" + # hosts: "ALL" + # operators: "(ALL)" + # tags: "NOPASSWD:" + # commands: "ALL" + # filename: "{{ _user_ansible_username }}" # List of additional groups to add the user to. groups: [] # List of SSH pub keys to authorize. These must be provided as strings (content of the pub key). diff --git a/docs/roles/debian/varnish_config.md b/docs/roles/debian/varnish_config.md index 59483d046..f556d951b 100644 --- a/docs/roles/debian/varnish_config.md +++ b/docs/roles/debian/varnish_config.md @@ -23,6 +23,10 @@ This behaviour allows you to manage different Varnish templates for different ap --- # Defaults file for varnish_config, other variables exist from importing geerlingguy.varnish and can be overriden +limit_memlock: 82000 +limit_core: infinity +tasks_max: infinity +varnish_storage: "malloc,{{ ansible_facts.memtotal_mb // 10 }}M" varnish_config: # List of IPs that are allowed to ask for content purge. allowed_purge_IP: [] @@ -39,6 +43,7 @@ varnish_config: upstream_proxies: [] # Provide an alternative filename if you are providing a template. template_filename: default.vcl + # Varnish systemd overrides to make varnish consistent even after upgrades ``` diff --git a/docs/roles/debian/vim.md b/docs/roles/debian/vim.md new file mode 100644 index 000000000..4b3b1138a --- /dev/null +++ b/docs/roles/debian/vim.md @@ -0,0 +1,9 @@ +# VIM options + +Set system options for vi/vim. + + + + + + diff --git a/docs/roles/debian/wazuh.md b/docs/roles/debian/wazuh.md index 9329a403c..c8096f702 100644 --- a/docs/roles/debian/wazuh.md +++ b/docs/roles/debian/wazuh.md @@ -90,6 +90,7 @@ wazuh: wazuh_manager_mailto: - admin@example.net wazuh_manager_email_smtp_server: localhost + wazuh_manager_email_notification: "no" wazuh_manager_email_from: wazuh@example.net wazuh_manager_email_maxperhour: 12 wazuh_manager_email_queue_size: 131072 diff --git a/docs/roles/debian/yace_exporter.md b/docs/roles/debian/yace_exporter.md new file mode 100644 index 000000000..504ba4e2a --- /dev/null +++ b/docs/roles/debian/yace_exporter.md @@ -0,0 +1,149 @@ +# YACE + +## Description + +Deploy [YACE - yet another cloudwatch exporter](https://github.com/prometheus-community/yet-another-cloudwatch-exporter) using ansible. + +### Requirements + +Role expects to be provided with the following information: +* `yace_exporter_configuration` - the actual YACE configuration +* `yace_exporter_iam_configuration` - a JSON formatted IAM policy + +### Example +Minimum YACE config that will fetch EC2 CPU usage, with a minimum IAM policy required for that. + +```yaml +yace_exporter_configuration: + apiVersion: v1alpha1 + discovery: + jobs: + - type: AWS/EC2 + regions: + - eu-west-1 + metrics: + - name: CPUUtilization + statistics: + - Average + period: 300 + length: 300 +``` + +```yaml + yace_exporter_iam_configuration: | + { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "tag:GetResources", + "cloudwatch:GetMetricData", + "cloudwatch:GetMetricStatistics", + "cloudwatch:ListMetrics", + "ec2:DescribeSpotFleetRequests" + ], + "Effect": "Allow", + "Resource": "*" + } + ] + } + ``` + +For more details on setting up the YACE exporter config, refer to: +https://github.com/prometheus-community/yet-another-cloudwatch-exporter + + + + + +## Default variables +```yaml +--- +# Default variables for YACE Exporter role +yace_exporter_version: "0.62.1" # Adjust as needed +# Construct the download URL using the version variable. +yace_exporter_download_url: "https://github.com/prometheus-community/yet-another-cloudwatch-exporter/releases/download/v{{ yace_exporter_version }}/yet-another-cloudwatch-exporter-{{ yace_exporter_version }}.linux-amd64.tar.gz" + +# Directories and file locations +yace_exporter_install_dir: "/usr/local/bin" +yace_exporter_system_user: "yace-exporter" +yace_exporter_system_group: "yace-exporter" +# Service runtime options +yace_exporter_listen_address: "0.0.0.0:9105" +yace_exporter_service_name: "yace_exporter" + +# YACE configuration +yace_exporter_configuration: {} +# Example config +# yace_exporter_configuration: +# apiVersion: v1alpha1 +# discovery: +# jobs: +# - type: AWS/EC2 +# roles: +# - roleArn: "arn:aws:iam::$ACCOUNT_ID:role/YaceExporterRole" +# regions: +# - eu-west-1 +# metrics: +# - name: CPUUtilization +# statistics: +# - Average +# period: 300 +# length: 300 +# - type: AWS/RDS +# roles: +# - roleArn: "arn:aws:iam::$ACCOUNT_ID:role/YaceExporterRole" +# regions: +# - eu-west-1 +# searchTags: +# - key: Ansible +# value: managed +# metrics: +# - name: CPUUtilization +# statistics: +# - Average +# period: 300 +# length: 300 +# - name: DatabaseConnections +# statistics: +# - Average +# - Sum +# period: 300 +# length: 300 +# dimensionNameRequirements: +# - DBInstanceIdentifier + + # Server IAM policy to allow YACE service to pull metrics +yace_exporter_iam_configuration: {} +# Example iam config that grants full permissions +# yace_exporter_iam_configuration: | +# { +# "Version": "2012-10-17", +# "Statement": [ +# { +# "Action": [ +# "tag:GetResources", +# "cloudwatch:GetMetricData", +# "cloudwatch:GetMetricStatistics", +# "cloudwatch:ListMetrics", +# "apigateway:GET", +# "aps:ListWorkspaces", +# "autoscaling:DescribeAutoScalingGroups", +# "dms:DescribeReplicationInstances", +# "dms:DescribeReplicationTasks", +# "ec2:DescribeTransitGatewayAttachments", +# "ec2:DescribeSpotFleetRequests", +# "shield:ListProtections", +# "storagegateway:ListGateways", +# "storagegateway:ListTagsForResource", +# "iam:ListAccountAliases" +# ], +# "Effect": "Allow", +# "Resource": "*" +# } +# ] +# } + +``` + + diff --git a/roles/_init/README.md b/roles/_init/README.md index d8183a4c6..8b745dbb2 100644 --- a/roles/_init/README.md +++ b/roles/_init/README.md @@ -17,12 +17,14 @@ _venv_path: "/home/{{ _ce_provision_username }}/ce-python" _venv_command: /usr/bin/python3 -m venv _venv_install_username: "{{ _ce_provision_username }}" _ce_ansible_timer_name: upgrade_ansible +_env_type: unspecified # AWS variables - if you are using an AWS account, you can preset certain variables # Generally it is recommended to place these in your ce-provision-config repository under hosts/group_vars/all #_aws_profile: example # boto profile name #_aws_region: eu-west-1 _aws_vpc_cidr_base: 10.0 # used to define internal IP range that is unique for every client +aws_admin_tools_enable: false # Set to true to include aws_admin_tools role. # AWS tags _aws_resource_name: "" # Name diff --git a/roles/aws/aws_acl/README.md b/roles/aws/aws_acl/README.md index de013688e..48e448b64 100644 --- a/roles/aws/aws_acl/README.md +++ b/roles/aws/aws_acl/README.md @@ -40,6 +40,7 @@ aws_acl: region: "us-east-1" tags: "{{ _aws_tags }}" recreate: false # set to true to creating the ACL + default_action: "Allow" # Default action if no rules are triggered, can be Block rules: rate_limit: value: 600 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking @@ -133,4 +134,5 @@ aws_acl: priority: 13 ``` + diff --git a/roles/aws/aws_backup_validation/README.md b/roles/aws/aws_backup_validation/README.md index 1ca4f8487..4f33d6e20 100644 --- a/roles/aws/aws_backup_validation/README.md +++ b/roles/aws/aws_backup_validation/README.md @@ -11,6 +11,7 @@ Creates AWS Restore testing plan for EC2 and RDS, EventBridge rule that gets tri --- aws_backup_validation: s3_bucket: "codeenigma-{{ _aws_profile }}-general-storage-{{ _aws_region }}" + s3_bucket_prefix: "backup-validation" # Prefix used for storing backup validation info name: "RestoreValidation" description: "Restore validation is running every Sunday at 00:00AM, and validation reporting is triggered on Monday 00:00AM" timeout: 60 diff --git a/roles/aws/aws_cloudfront_distribution/README.md b/roles/aws/aws_cloudfront_distribution/README.md index f45a01af6..e9baf31f6 100644 --- a/roles/aws/aws_cloudfront_distribution/README.md +++ b/roles/aws/aws_cloudfront_distribution/README.md @@ -69,6 +69,7 @@ aws_cloudfront_distribution: cache_behaviors: [] # A list of cache behaviors same as default_cache_behavior with additional path_pattern var required. enabled: true purge_existing: true # Set to false to append entries instead of replacing them. + web_acl: false # Set to true to create Web ACL for WAF. ``` diff --git a/roles/aws/aws_ec2_autoscale_cluster/README.md b/roles/aws/aws_ec2_autoscale_cluster/README.md index 1a030e1e5..ab85fb690 100644 --- a/roles/aws/aws_ec2_autoscale_cluster/README.md +++ b/roles/aws/aws_ec2_autoscale_cluster/README.md @@ -163,6 +163,12 @@ aws_ec2_autoscale_cluster: health_check_timeout: 5 health_check_healthy_count: 5 health_check_unhealthy_count: 2 + ## Target Group Stickiness. Disabled by default unless set otherwise. Uncomment if needed: + # target_group_stickiness_enabled: true + # target_group_stickiness_type: "lb_cookie" # Valid values are lb_cookie, app_cookie or source_ip. + # target_group_stickiness_app_cookie_name: "my_app_cookie" + # target_group_stickiness_app_cookie_duration: 86400 + # target_group_stickiness_lb_cookie_duration: 86400 # ALB settings create_elb: true # determines whether an ELB (currently, this is an ALB) is created as part of the ASG. This needs to be `true` in order to create a CloudFront distribution. alb_idle_timeout: 60 diff --git a/roles/aws/aws_iam_role/README.md b/roles/aws/aws_iam_role/README.md index 768a845d2..338c454f9 100644 --- a/roles/aws/aws_iam_role/README.md +++ b/roles/aws/aws_iam_role/README.md @@ -13,6 +13,10 @@ aws_iam_role: aws_profile: "{{ _aws_profile }}" # Pass either names or ARNs for the role. managed_policies: [] + inline_policies: + name: "example_inline_polcy" # Name of inline policy + resource: "*" + action: [] # Which document policy to apply. # Current options are 'ec2', 'ecs' or 'backup' policy_document: ec2 diff --git a/roles/debian/ansible_galaxy/README.md b/roles/debian/ansible_galaxy/README.md index b4139d4b8..124ea9472 100644 --- a/roles/debian/ansible_galaxy/README.md +++ b/roles/debian/ansible_galaxy/README.md @@ -13,6 +13,8 @@ ansible_galaxy: #venv_path: "/home/controller/ce-python" username: controller + # To use the desired ansible.cfg from the working directory. + working_dir: "/home/{{ _ce_provision_username }}/ce-provision" # File containing default roles and/or collections to install via Ansible Galaxy. # Roles will be installed to the first path specified under roles_path in your ansible.cfg file. # Collections will be installed to collections_path in your ansible.cfg file. diff --git a/roles/debian/apt_unattended_upgrades/README.md b/roles/debian/apt_unattended_upgrades/README.md index 45df42615..3b6f93df0 100644 --- a/roles/debian/apt_unattended_upgrades/README.md +++ b/roles/debian/apt_unattended_upgrades/README.md @@ -49,8 +49,7 @@ apt_unattended_upgrades: --- _apt_unattended_upgrades_default_origins: - "origin=Debian,codename=${distro_codename},label=Debian" - - "origin=Debian,codename=${distro_codename},label=Debian-Security" - + - "origin=Debian,codename=${distro_codename}-security,label=Debian-Security" apt_unattended_upgrades: enable: true # unattended-upgrades template vars. diff --git a/roles/debian/ce_deploy/README.md b/roles/debian/ce_deploy/README.md index 51083b275..747338808 100644 --- a/roles/debian/ce_deploy/README.md +++ b/roles/debian/ce_deploy/README.md @@ -19,6 +19,8 @@ ce_deploy: # Other ce-deploy settings. aws_support: true # installs boto3 + #uid: 1300 # optional + #gid: 1300 # optional new_user: true # set to false if user already exists or is ephemeral, e.g. an LDAP user ssh_key_bits: "521" # ignored for ED25519 keys, recommended to use 4096 for RSA keys, 521 is the maximum for ECDSA keys ssh_key_type: ed25519 # set to rsa to create an RSA key or ecdsa to create an ECDSA key @@ -29,7 +31,7 @@ ce_deploy: config_repository: "" config_repository_branch: "master" local_dir: "/home/{{ _ce_deploy.username }}/ce-deploy" - ce_provision_dir: "/home/controller/ce-provision" + ansible_collections_dir: "/home/{{ _ce_deploy.username }}/ce-deploy/galaxy/ansible_collections" # See ansible.cfg. # List of additional groups to add the user to. groups: [] # File containing default roles and collections to install via Ansible Galaxy. diff --git a/roles/debian/clamav/README.md b/roles/debian/clamav/README.md index f99ff364e..244f53f04 100644 --- a/roles/debian/clamav/README.md +++ b/roles/debian/clamav/README.md @@ -27,7 +27,7 @@ clamav: timer_OnCalendar: "*-*-* 02:30:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events server_name: "{{ inventory_hostname }}" # for identification via email, defaults to Ansible inventory name. log_location: /var/log/clamav - send_mail: false # Important: will not send any emails by default. + send_mail: false # Important - will not send any emails by default. send_on_fail: true # Only sends emails on scan failure, will not email for successful scans. report_recipient_email: mail@example.com report_sender_email: admin@server.example.com diff --git a/roles/debian/gitlab/README.md b/roles/debian/gitlab/README.md index de9001f30..3bc52c4ff 100644 --- a/roles/debian/gitlab/README.md +++ b/roles/debian/gitlab/README.md @@ -24,6 +24,7 @@ gitlab: apt_origin: "origin=packages.gitlab.com/gitlab/gitlab-ce,codename=${distro_codename},label=gitlab-ce" # used by apt_unattended_upgrades apt_signed_by: https://packages.gitlab.com/gitlab/gitlab-ce/gpgkey server_name: "gitlab.{{ _domain_name }}" + ssh_url: "" # custom SSH URL. Similar to https one if empty. force_stop: true # whether to stop GitLab to reconfigure or not # Add a record for GitLab in AWS Route 53 # If you use the aws_ec2_with_eip role to create your server this will not be necessary diff --git a/roles/debian/gitlab_runner/README.md b/roles/debian/gitlab_runner/README.md index 7311c5bf0..12f64fa2d 100644 --- a/roles/debian/gitlab_runner/README.md +++ b/roles/debian/gitlab_runner/README.md @@ -14,6 +14,29 @@ If you want to use AWS ECS with Fargate for orchestrating CI containers then set gitlab_runner: apt_origin: "origin=packages.gitlab.com/runner/gitlab-runner,codename=${distro_codename},label=gitlab-runner" # used by apt_unattended_upgrades apt_signed_by: https://packages.gitlab.com/runner/gitlab-runner/gpgkey + use_docker: false # set to true to install Docker and use the 'docker' executor + install_fargate: false + restart: true # set to false if you're applying settings to a server responsible for its own runners + username: "{{ ce_deploy.username }}" + docker_group: "docker" + runner_workingdir: "/home/{{ ce_deploy.username }}/build" + runner_config: "/etc/gitlab-runner/config.toml" + # see https://gitlab.com/gitlab-org/ci-cd/custom-executor-drivers/fargate/-/tree/master/docs + fargate: + cluster: "my-cluster" # ECS cluster name + profile: "example" # AWS boto profile name - can be substituted for "{{ _aws_profile }}" if set + region: "eu-west-1" # AWS region name - can be substituted for "{{ _aws_region }}" if set + subnet: "subnet-abcdef123456" # subnet ID + security_group: "my-security-group" # SG name + task_definition: "my-task:1" # task definition in format name:revision, if revision is not provided ECS will use latest + public_ip: "false" # if your containers need a public IP assigning + version: "1.4.0" # Fargate platform version + metadata_dir: "/opt/gitlab-runner/metadata" + ssh_user: "root" + ssh_port: 22 + ################################################## + # @TODO - these variables are not currently used # + ################################################## concurrent_jobs: 10 check_interval: 0 session_timeout: 1800 @@ -40,25 +63,9 @@ gitlab_runner: # run_args: '["--config", "/etc/gitlab-runner/fargate.toml", "custom", "run"]' # cleanup_exec: "/opt/gitlab-runner/fargate" # cleanup_args: '["--config", "/etc/gitlab-runner/fargate.toml", "custom", "cleanup"]' - install_fargate: false - restart: true # set to false if you're applying settings to a server responsible for its own runners - username: "{{ ce_deploy.username }}" - docker_group: "docker" - runner_workingdir: "/home/{{ ce_deploy.username }}/build" - runner_config: "/etc/gitlab-runner/config.toml" - # see https://gitlab.com/gitlab-org/ci-cd/custom-executor-drivers/fargate/-/tree/master/docs - fargate: - cluster: "my-cluster" # ECS cluster name - profile: "example" # AWS boto profile name - can be substituted for "{{ _aws_profile }}" if set - region: "eu-west-1" # AWS region name - can be substituted for "{{ _aws_region }}" if set - subnet: "subnet-abcdef123456" # subnet ID - security_group: "my-security-group" # SG name - task_definition: "my-task:1" # task definition in format name:revision, if revision is not provided ECS will use latest - public_ip: "false" # if your containers need a public IP assigning - version: "1.4.0" # Fargate platform version - metadata_dir: "/opt/gitlab-runner/metadata" - ssh_user: "root" - ssh_port: 22 + ################################################## + # End @TODO # + ################################################## ``` diff --git a/roles/debian/gpg_key/README.md b/roles/debian/gpg_key/README.md index 4bac2216c..4a9515941 100644 --- a/roles/debian/gpg_key/README.md +++ b/roles/debian/gpg_key/README.md @@ -9,11 +9,11 @@ Generates a passwordless GPG key for a given user or users. --- gpg_key_servers: - hkps://keyserver.ubuntu.com - - hkps://pgp.mit.edu - - hkps://keys.openpgp.org + #- hkps://keys.openpgp.org # removed key servers from defaults due to reliability issues + #- hkps://pgp.mit.edu gpg_key: - - username: example # Must exist already on the server. - publish: false # Whether to publish to HKS public servers. + - username: example # Must exist already on the server + publish: false # Whether to publish to HKS public servers key_type: "RSA" key_length: 4096 email: example@example.com diff --git a/roles/debian/jenkins/README.md b/roles/debian/jenkins/README.md index 4fca080e8..3c528c0d5 100644 --- a/roles/debian/jenkins/README.md +++ b/roles/debian/jenkins/README.md @@ -15,7 +15,7 @@ ldap_client: bindpw: "" jenkins: - apt_signed_by: https://pkg.jenkins.io/debian/jenkins.io.key + apt_signed_by: https://pkg.jenkins.io/debian-stable/jenkins.io-2023.key server_name: "jenkins.{{ _domain_name }}" ssl_handling: "ssl_selfsigned" listen_http_port: -1 @@ -38,6 +38,7 @@ jenkins: mailto: "admins@example.com" # daily key renewal execution with systemd timer on_calendar: "*-*-* 02:15:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events + apt_origin_jenkins: "origin=jenkins.io" ``` diff --git a/roles/debian/nginx/README.md b/roles/debian/nginx/README.md index 5a1131c5b..1eb74e189 100644 --- a/roles/debian/nginx/README.md +++ b/roles/debian/nginx/README.md @@ -129,6 +129,8 @@ nginx: cache_behavior_public: "add_header Cache-Control \"public, max-age=604800\"" proxy_host: localhost proxy_port: 8443 + # Set a custom port for Let's Encrypt to bind to during the initial certificate run + # vhost_letsencrypt_port: [] # You can inject custom directives into the main nginx.conf file here by providing them as a list of strings. #custom_directives: [] # Group prefix. Useful for grouping by environments. @@ -139,6 +141,18 @@ nginx: php_fastcgi_backend: "127.0.0.1:90{{ php.version[-1] | replace('.', '') }}" # for unix socket use "unix:/var/run/php{{ php.version[-1] | replace('.','') }}-fpm.sock" ratelimitingcrawlers: false client_max_body_size: "700M" + # drupal_fallback: [] + # Default location behavior for nginx + # If no custom location behavior is defined, this will be used: + # nginx_location_behavior: ['try_files @rewrite /index.php?$query_string;'] + + # Uncomment and customize the following lines if you want to use custom location behavior: + # custom_nginx_location_behavior: + # - 'index index.php index.html;' + # - 'expires max;' + # - 'set $boost_cache_path "/cache/normal/$host";' + # - 'set $boost_cache_file "${boost_cache_path}${uri}_.html";' + # - 'try_files $boost_cache_file $uri $uri/ @drupal;' fastcgi_read_timeout: 60 recreate_vhosts: true # handle vhosts with ansible, if 'true' then clean up 'sites-enabled' dir and run domain.yml. vhost_backup_location: "/home/{{ _ce_provision_username }}" # see _init for _ce_provision_username diff --git a/roles/debian/nodejs/README.md b/roles/debian/nodejs/README.md index 0e4624ee1..e8a6ca07e 100644 --- a/roles/debian/nodejs/README.md +++ b/roles/debian/nodejs/README.md @@ -8,11 +8,13 @@ Installs NodeJS from official repos. --- nodejs: # Used by apt_unattended_upgrades - apt_origin_nodejs: "origin=Node Source,codename=nodistro,label=Node Source" # nodejs repo + apt_origin_nodejs: "origin=. nodistro,codename=nodistro,label=. nodistro" # nodejs repo + apt_origin_nodejs_old: "origin=Node Source,codename=${distro_codename},label=Node Source" # nodejs repo apt_signed_by_nodejs: https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key apt_origin_yarn: "origin=yarn,codename=stable,label=yarn-stable" # yarn repo apt_signed_by_yarn: https://dl.yarnpkg.com/debian/pubkey.gpg - version: 18.x # LTS - see https://nodejs.dev/en/about/releases/ + version: 22.x # LTS - see https://nodejs.dev/en/about/releases/ + start_corepack: false # corepack is shipped with nodejs and enables a core set of packages npm_packages: [] #npm_packages: # - name: coffee-script # required diff --git a/roles/debian/openvpn/README.md b/roles/debian/openvpn/README.md index 7acf4980b..a51ca7deb 100644 --- a/roles/debian/openvpn/README.md +++ b/roles/debian/openvpn/README.md @@ -33,6 +33,15 @@ openvpn: # - "1.2.3.4 255.255.255.255" # push specific IP 1.2.3.4 # - "www.google-analytics.com 255.255.255.255" # push any IP resolving to www.google-analytics.com, must set allow_pull_fqdn to true push_routes_ipv6: [] # list of VPN push routes for ipv6 networks - ipv6_support must be "y" + # Provide a path to a directory, such as /etc/openvpn/client, to configure a directory where OpenVPN can look up default client configs. + # See --client-config-dir in the manual - https://openvpn.net/community-resources/reference-manual-for-openvpn-2-0/ + # You can use a 'DEFAULT' file in the specified directory as an include or provide client-specific config, such as managed push routes. + client_config_dir: "" # specify to set own config directory. If not set the default is /etc/openvpn/ccd. + push_routes_elb: [] # list of DNS names for resolve and update openvpn 'push routes' with changing IP addresses. + # - myloadbalancer.example.com + # - example-elb.example.com + push_routes_elb_path: "/etc/openvpn/ccd/DEFAULT" # path to the file with the updatable routes + client_config_push_routes: false # if you are providing push routes in your client config, set this to true to remove the default ones # PAM and LDAP authentication pam: enabled: false # relies on `openvpn-plugin-auth-pam.so` which is bundled with OpenVPN server for Debian @@ -46,7 +55,9 @@ openvpn: lookup_filter: "|(objectClass=inetOrgPerson)" # LDAP filter to apply to lookups login_attribute: uid # the LDAP attribute to check the OpenVPN username against group_base: "" # e.g. ou=Groups,dc=example,dc=com - group_dn: "" # restrict to specific group, e.g. cn=admins,ou=Groups,dc=example,dc=com + group_dn: [] # restrict to specific groups: + # - cn=admins,ou=Groups,dc=example,dc=com + # - cn=developers,ou=Groups,dc=example,dc=com group_attribute: memberUid # the LDAP group attribute to check the OpenVPN username against ssl_certificate: "{{ pam_ldap.ssl_certificate | default('') }}" ssl_certificate_check: "{{ pam_ldap.ssl_certificate_check | default(true) }}" @@ -60,6 +71,8 @@ openvpn: port_choice: "1" # 1 = use default 1194, 3 means use a random port protocol_choice: "1" # 1 = udp, 2 = tcp dns: "1" # 1 = system default, see options - https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L314-L327 + # dns1: "10.8.0.1" # if openvpn.dns="13" (i.e. custom), specify the DNS server for the "push dhcp-option DNS" + # dns2: "" # (optional) if openvpn.dns="13" (i.e. custom), specify the second DNS server compression_enabled: "n" compression_choice: "1" # only works if compression_enabled is "y", 1 = LZ4-v2, 2 = LZ4, 3 = LZ0 test_username: example # this will be used to create a client config in the `script_install_path` location diff --git a/roles/debian/packer/README.md b/roles/debian/packer/README.md index 5e1144c3e..7e99e6173 100644 --- a/roles/debian/packer/README.md +++ b/roles/debian/packer/README.md @@ -9,7 +9,10 @@ Role to install Hashicorp's Packer binary. ```yaml --- packer: - version: "1.9.1" # see https://releases.hashicorp.com/packer/ + version: "1.11.2" # see https://releases.hashicorp.com/packer/ + plugins: + - github.com/hashicorp/amazon + - github.com/hashicorp/ansible ``` diff --git a/roles/debian/php-fpm/README.md b/roles/debian/php-fpm/README.md index ea0df8f5a..f32ff94b2 100644 --- a/roles/debian/php-fpm/README.md +++ b/roles/debian/php-fpm/README.md @@ -66,6 +66,9 @@ php: validate_timestamps: 1 interned_strings_buffer: 8 clear_env: "yes" + # Cloudwatch log settings. + log_group_prefix: "" + log_stream_name: example ``` diff --git a/roles/debian/postfix/README.md b/roles/debian/postfix/README.md index 7f24ebb64..76d07506a 100644 --- a/roles/debian/postfix/README.md +++ b/roles/debian/postfix/README.md @@ -12,6 +12,7 @@ Full TLS SMTP support is optional by enabling SSL. --- postfix: + disable_syslog: true hostname: "{{ ansible_fqdn }}" # if you set this to something else you may have to create PTR records to avoid bouncing dest_hosts: "mail.host1.com,mail.host2.com" disable_vrfy: "no" # leave as 'no' for Postfix config, not a YAML boolean diff --git a/roles/debian/rkhunter/README.md b/roles/debian/rkhunter/README.md index 9dea50dcb..d54224e42 100644 --- a/roles/debian/rkhunter/README.md +++ b/roles/debian/rkhunter/README.md @@ -22,6 +22,7 @@ rkhunter: allow_ssh_root_user: "{{ sshd.PermitRootLogin | default('prohibit-password') }}" disable_tests: "suspscan hidden_procs deleted_files packet_cap_apps apps os_specific" os_package_manager: "NONE" # PKGMGR=NONE is default for Debian, set it to what you need. + portpathwhitelist: [] scriptwhitelist: - /bin/egrep - /bin/fgrep diff --git a/roles/debian/ssl/README.md b/roles/debian/ssl/README.md index 80499025e..129a9ea0c 100644 --- a/roles/debian/ssl/README.md +++ b/roles/debian/ssl/README.md @@ -92,7 +92,9 @@ ssl: certbot_renew_command: "certonly --agree-tos --force-renew" # root of the command used in the systemd timer # See systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events on_calendar: "Mon *-*-* 04:00:00" - web_server: standalone # values are standalone, nginx or apache - warning, nginx and apache will attempt to manipulate your vhosts! + web_server: standalone + # values are standalone, webroot, nginx or apache - warning, nginx and apache will attempt to manipulate your vhosts! + # webroot unlike standalone, won't start webserver with certain port # For "letsencrypt" handling, a list of service to stop while creating the certificate. # This is because we need port 80 to be free. diff --git a/roles/debian/user_ansible/README.md b/roles/debian/user_ansible/README.md index 5693b08e5..cccc424d5 100644 --- a/roles/debian/user_ansible/README.md +++ b/roles/debian/user_ansible/README.md @@ -20,10 +20,14 @@ user_ansible: # This is shown for documentation, you should do this in your config repo # uid: 999 # gid: 999 - # Local username of the deploy user. - utility_host: "localhost" - utility_username: "{{ _user_ansible_username }}" - sudoer: false + sudo_config: {} # an empty dictionary will skip creating a sudo config + # Example sudo config allowing full sudo permissions - see the debian/sudo_config role for more details. + # entity_name: "{{ _user_ansible_username }}" + # hosts: "ALL" + # operators: "(ALL)" + # tags: "NOPASSWD:" + # commands: "ALL" + # filename: "{{ _user_ansible_username }}" # List of additional groups to add the user to. groups: [] # List of SSH pub keys to authorize. These must be provided as strings (content of the pub key). diff --git a/roles/debian/varnish_config/README.md b/roles/debian/varnish_config/README.md index 59483d046..f556d951b 100644 --- a/roles/debian/varnish_config/README.md +++ b/roles/debian/varnish_config/README.md @@ -23,6 +23,10 @@ This behaviour allows you to manage different Varnish templates for different ap --- # Defaults file for varnish_config, other variables exist from importing geerlingguy.varnish and can be overriden +limit_memlock: 82000 +limit_core: infinity +tasks_max: infinity +varnish_storage: "malloc,{{ ansible_facts.memtotal_mb // 10 }}M" varnish_config: # List of IPs that are allowed to ask for content purge. allowed_purge_IP: [] @@ -39,6 +43,7 @@ varnish_config: upstream_proxies: [] # Provide an alternative filename if you are providing a template. template_filename: default.vcl + # Varnish systemd overrides to make varnish consistent even after upgrades ``` diff --git a/roles/debian/wazuh/README.md b/roles/debian/wazuh/README.md index 9329a403c..c8096f702 100644 --- a/roles/debian/wazuh/README.md +++ b/roles/debian/wazuh/README.md @@ -90,6 +90,7 @@ wazuh: wazuh_manager_mailto: - admin@example.net wazuh_manager_email_smtp_server: localhost + wazuh_manager_email_notification: "no" wazuh_manager_email_from: wazuh@example.net wazuh_manager_email_maxperhour: 12 wazuh_manager_email_queue_size: 131072 diff --git a/roles/debian/yace_exporter/README.md b/roles/debian/yace_exporter/README.md index 73c6241a4..504ba4e2a 100644 --- a/roles/debian/yace_exporter/README.md +++ b/roles/debian/yace_exporter/README.md @@ -56,4 +56,94 @@ https://github.com/prometheus-community/yet-another-cloudwatch-exporter +## Default variables +```yaml +--- +# Default variables for YACE Exporter role +yace_exporter_version: "0.62.1" # Adjust as needed +# Construct the download URL using the version variable. +yace_exporter_download_url: "https://github.com/prometheus-community/yet-another-cloudwatch-exporter/releases/download/v{{ yace_exporter_version }}/yet-another-cloudwatch-exporter-{{ yace_exporter_version }}.linux-amd64.tar.gz" + +# Directories and file locations +yace_exporter_install_dir: "/usr/local/bin" +yace_exporter_system_user: "yace-exporter" +yace_exporter_system_group: "yace-exporter" +# Service runtime options +yace_exporter_listen_address: "0.0.0.0:9105" +yace_exporter_service_name: "yace_exporter" + +# YACE configuration +yace_exporter_configuration: {} +# Example config +# yace_exporter_configuration: +# apiVersion: v1alpha1 +# discovery: +# jobs: +# - type: AWS/EC2 +# roles: +# - roleArn: "arn:aws:iam::$ACCOUNT_ID:role/YaceExporterRole" +# regions: +# - eu-west-1 +# metrics: +# - name: CPUUtilization +# statistics: +# - Average +# period: 300 +# length: 300 +# - type: AWS/RDS +# roles: +# - roleArn: "arn:aws:iam::$ACCOUNT_ID:role/YaceExporterRole" +# regions: +# - eu-west-1 +# searchTags: +# - key: Ansible +# value: managed +# metrics: +# - name: CPUUtilization +# statistics: +# - Average +# period: 300 +# length: 300 +# - name: DatabaseConnections +# statistics: +# - Average +# - Sum +# period: 300 +# length: 300 +# dimensionNameRequirements: +# - DBInstanceIdentifier + + # Server IAM policy to allow YACE service to pull metrics +yace_exporter_iam_configuration: {} +# Example iam config that grants full permissions +# yace_exporter_iam_configuration: | +# { +# "Version": "2012-10-17", +# "Statement": [ +# { +# "Action": [ +# "tag:GetResources", +# "cloudwatch:GetMetricData", +# "cloudwatch:GetMetricStatistics", +# "cloudwatch:ListMetrics", +# "apigateway:GET", +# "aps:ListWorkspaces", +# "autoscaling:DescribeAutoScalingGroups", +# "dms:DescribeReplicationInstances", +# "dms:DescribeReplicationTasks", +# "ec2:DescribeTransitGatewayAttachments", +# "ec2:DescribeSpotFleetRequests", +# "shield:ListProtections", +# "storagegateway:ListGateways", +# "storagegateway:ListTagsForResource", +# "iam:ListAccountAliases" +# ], +# "Effect": "Allow", +# "Resource": "*" +# } +# ] +# } + +``` +