Skip to content
This repository was archived by the owner on Oct 7, 2025. It is now read-only.
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions docs/_Sidebar.md
Original file line number Diff line number Diff line change
Expand Up @@ -45,11 +45,13 @@
- [AWS Cloudwatch agent](/roles/debian/aws_cloudwatch_agent)
- [EFS client](/roles/debian/aws_efs_client)
- [AWS SSM agent](/roles/debian/aws_ssm_agent)
- [BASH options](/roles/debian/bash)
- [ce-deploy](/roles/debian/ce_deploy)
- [Extra packages](/roles/debian/ce_dev)
- [Automated patching](/roles/debian/ce_patcher)
- [ce-provision](/roles/debian/ce_provision)
- [ClamAV](/roles/debian/clamav)
- [CollectD](/roles/debian/collectd)
- [Docker CE](/roles/debian/docker_ce)
- [Docker Registry](/roles/debian/docker_registry)
- [Duplicity](/roles/debian/duplicity)
Expand Down Expand Up @@ -94,7 +96,9 @@
- [System](/roles/debian/system)
- [User Ansible](/roles/debian/user_ansible)
- [varnish_config](/roles/debian/varnish_config)
- [VIM options](/roles/debian/vim)
- [wazuh](/roles/debian/wazuh)
- [YACE](/roles/debian/yace_exporter)
- [Init role](/roles/_init)
- ["Meta" roles that group individual roles together.](/roles/_meta)
- [AWS account](/roles/_meta/aws_account)
Expand Down
2 changes: 2 additions & 0 deletions docs/roles/_init.md
Original file line number Diff line number Diff line change
Expand Up @@ -17,12 +17,14 @@ _venv_path: "/home/{{ _ce_provision_username }}/ce-python"
_venv_command: /usr/bin/python3 -m venv
_venv_install_username: "{{ _ce_provision_username }}"
_ce_ansible_timer_name: upgrade_ansible
_env_type: unspecified

# AWS variables - if you are using an AWS account, you can preset certain variables
# Generally it is recommended to place these in your ce-provision-config repository under hosts/group_vars/all
#_aws_profile: example # boto profile name
#_aws_region: eu-west-1
_aws_vpc_cidr_base: 10.0 # used to define internal IP range that is unique for every client
aws_admin_tools_enable: false # Set to true to include aws_admin_tools role.

# AWS tags
_aws_resource_name: "" # Name
Expand Down
1 change: 1 addition & 0 deletions docs/roles/aws/aws_acl.md
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,7 @@ aws_acl:
region: "us-east-1"
tags: "{{ _aws_tags }}"
recreate: false # set to true to creating the ACL
default_action: "Allow" # Default action if no rules are triggered, can be Block
rules:
rate_limit:
value: 600 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking
Expand Down
1 change: 1 addition & 0 deletions docs/roles/aws/aws_backup_validation.md
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ Creates AWS Restore testing plan for EC2 and RDS, EventBridge rule that gets tri
---
aws_backup_validation:
s3_bucket: "codeenigma-{{ _aws_profile }}-general-storage-{{ _aws_region }}"
s3_bucket_prefix: "backup-validation" # Prefix used for storing backup validation info
name: "RestoreValidation"
description: "Restore validation is running every Sunday at 00:00AM, and validation reporting is triggered on Monday 00:00AM"
timeout: 60
Expand Down
1 change: 1 addition & 0 deletions docs/roles/aws/aws_cloudfront_distribution.md
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,7 @@ aws_cloudfront_distribution:
cache_behaviors: [] # A list of cache behaviors same as default_cache_behavior with additional path_pattern var required.
enabled: true
purge_existing: true # Set to false to append entries instead of replacing them.
web_acl: false # Set to true to create Web ACL for WAF.

```

Expand Down
6 changes: 6 additions & 0 deletions docs/roles/aws/aws_ec2_autoscale_cluster.md
Original file line number Diff line number Diff line change
Expand Up @@ -163,6 +163,12 @@ aws_ec2_autoscale_cluster:
health_check_timeout: 5
health_check_healthy_count: 5
health_check_unhealthy_count: 2
## Target Group Stickiness. Disabled by default unless set otherwise. Uncomment if needed:
# target_group_stickiness_enabled: true
# target_group_stickiness_type: "lb_cookie" # Valid values are lb_cookie, app_cookie or source_ip.
# target_group_stickiness_app_cookie_name: "my_app_cookie"
# target_group_stickiness_app_cookie_duration: 86400
# target_group_stickiness_lb_cookie_duration: 86400
# ALB settings
create_elb: true # determines whether an ELB (currently, this is an ALB) is created as part of the ASG. This needs to be `true` in order to create a CloudFront distribution.
alb_idle_timeout: 60
Expand Down
9 changes: 7 additions & 2 deletions docs/roles/aws/aws_ec2_with_eip.md
Original file line number Diff line number Diff line change
Expand Up @@ -16,8 +16,13 @@ aws_ec2_with_eip:
force: false # Force a new EC2 machine to be created if a new AMI is packed.
instance_type: t3.micro
key_name: "{{ ce_provision.username }}@{{ ansible_hostname }}" # This needs to match your "provision" user SSH key.
ami_name: "{{ _domain_name }}" # The name of an AMI image to use. Image must exists in the same region.
ami_owner: self # Default to self-created image.
pubkey: "" # The contents of the controller's public key to place in authorized_keys on boot, usually handled by a lookup()
# See also the aws_ami role, generally these AMI variables will match
# Filter values available here - https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeImages.html
ami_owner: "136693071363" # Global AWS account ID of owner, defaults to Debian official
ami_virtualization_type: hvm
ami_root_device_type: ebs
ami_name_filter: "debian-12-amd64-*"
# vpc_subnet_id: subnet-xxx # One of vpc_subnet_id or vpc_name + vpc_subnet_profile is mandatory.
vpc_name: "{{ _infra_name }}"
vpc_subnet_profile: core # if you are looking up subnets we need a Profile tag to search against
Expand Down
4 changes: 4 additions & 0 deletions docs/roles/aws/aws_iam_role.md
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,10 @@ aws_iam_role:
aws_profile: "{{ _aws_profile }}"
# Pass either names or ARNs for the role.
managed_policies: []
inline_policies:
name: "example_inline_polcy" # Name of inline policy
resource: "*"
action: []
# Which document policy to apply.
# Current options are 'ec2', 'ecs' or 'backup'
policy_document: ec2
Expand Down
2 changes: 2 additions & 0 deletions docs/roles/debian/ansible_galaxy.md
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,8 @@ ansible_galaxy:
#venv_path: "/home/controller/ce-python"

username: controller
# To use the desired ansible.cfg from the working directory.
working_dir: "/home/{{ _ce_provision_username }}/ce-provision"
# File containing default roles and/or collections to install via Ansible Galaxy.
# Roles will be installed to the first path specified under roles_path in your ansible.cfg file.
# Collections will be installed to collections_path in your ansible.cfg file.
Expand Down
3 changes: 1 addition & 2 deletions docs/roles/debian/apt_unattended_upgrades.md
Original file line number Diff line number Diff line change
Expand Up @@ -49,8 +49,7 @@ apt_unattended_upgrades:
---
_apt_unattended_upgrades_default_origins:
- "origin=Debian,codename=${distro_codename},label=Debian"
- "origin=Debian,codename=${distro_codename},label=Debian-Security"

- "origin=Debian,codename=${distro_codename}-security,label=Debian-Security"
apt_unattended_upgrades:
enable: true
# unattended-upgrades template vars.
Expand Down
9 changes: 9 additions & 0 deletions docs/roles/debian/bash.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
# BASH options

Set system options for the Bourne Again shell.

<!--TOC-->
<!--ENDTOC-->

<!--ROLEVARS-->
<!--ENDROLEVARS-->
4 changes: 3 additions & 1 deletion docs/roles/debian/ce_deploy.md
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,8 @@ ce_deploy:

# Other ce-deploy settings.
aws_support: true # installs boto3
#uid: 1300 # optional
#gid: 1300 # optional
new_user: true # set to false if user already exists or is ephemeral, e.g. an LDAP user
ssh_key_bits: "521" # ignored for ED25519 keys, recommended to use 4096 for RSA keys, 521 is the maximum for ECDSA keys
ssh_key_type: ed25519 # set to rsa to create an RSA key or ecdsa to create an ECDSA key
Expand All @@ -29,7 +31,7 @@ ce_deploy:
config_repository: ""
config_repository_branch: "master"
local_dir: "/home/{{ _ce_deploy.username }}/ce-deploy"
ce_provision_dir: "/home/controller/ce-provision"
ansible_collections_dir: "/home/{{ _ce_deploy.username }}/ce-deploy/galaxy/ansible_collections" # See ansible.cfg.
# List of additional groups to add the user to.
groups: []
# File containing default roles and collections to install via Ansible Galaxy.
Expand Down
2 changes: 1 addition & 1 deletion docs/roles/debian/clamav.md
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ clamav:
timer_OnCalendar: "*-*-* 02:30:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events
server_name: "{{ inventory_hostname }}" # for identification via email, defaults to Ansible inventory name.
log_location: /var/log/clamav
send_mail: false # Important: will not send any emails by default.
send_mail: false # Important - will not send any emails by default.
send_on_fail: true # Only sends emails on scan failure, will not email for successful scans.
report_recipient_email: mail@example.com
report_sender_email: admin@server.example.com
Expand Down
8 changes: 8 additions & 0 deletions docs/roles/debian/collectd.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
# CollectD
This role provides the collectd server statistics daemon facilitating exporting of system stats to cloudwatch

<!--TOC-->
<!--ENDTOC-->

<!--ROLEVARS-->
<!--ENDROLEVARS-->
1 change: 1 addition & 0 deletions docs/roles/debian/gitlab.md
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,7 @@ gitlab:
apt_origin: "origin=packages.gitlab.com/gitlab/gitlab-ce,codename=${distro_codename},label=gitlab-ce" # used by apt_unattended_upgrades
apt_signed_by: https://packages.gitlab.com/gitlab/gitlab-ce/gpgkey
server_name: "gitlab.{{ _domain_name }}"
ssh_url: "" # custom SSH URL. Similar to https one if empty.
force_stop: true # whether to stop GitLab to reconfigure or not
# Add a record for GitLab in AWS Route 53
# If you use the aws_ec2_with_eip role to create your server this will not be necessary
Expand Down
45 changes: 26 additions & 19 deletions docs/roles/debian/gitlab_runner.md
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,29 @@ If you want to use AWS ECS with Fargate for orchestrating CI containers then set
gitlab_runner:
apt_origin: "origin=packages.gitlab.com/runner/gitlab-runner,codename=${distro_codename},label=gitlab-runner" # used by apt_unattended_upgrades
apt_signed_by: https://packages.gitlab.com/runner/gitlab-runner/gpgkey
use_docker: false # set to true to install Docker and use the 'docker' executor
install_fargate: false
restart: true # set to false if you're applying settings to a server responsible for its own runners
username: "{{ ce_deploy.username }}"
docker_group: "docker"
runner_workingdir: "/home/{{ ce_deploy.username }}/build"
runner_config: "/etc/gitlab-runner/config.toml"
# see https://gitlab.com/gitlab-org/ci-cd/custom-executor-drivers/fargate/-/tree/master/docs
fargate:
cluster: "my-cluster" # ECS cluster name
profile: "example" # AWS boto profile name - can be substituted for "{{ _aws_profile }}" if set
region: "eu-west-1" # AWS region name - can be substituted for "{{ _aws_region }}" if set
subnet: "subnet-abcdef123456" # subnet ID
security_group: "my-security-group" # SG name
task_definition: "my-task:1" # task definition in format name:revision, if revision is not provided ECS will use latest
public_ip: "false" # if your containers need a public IP assigning
version: "1.4.0" # Fargate platform version
metadata_dir: "/opt/gitlab-runner/metadata"
ssh_user: "root"
ssh_port: 22
##################################################
# @TODO - these variables are not currently used #
##################################################
concurrent_jobs: 10
check_interval: 0
session_timeout: 1800
Expand All @@ -40,25 +63,9 @@ gitlab_runner:
# run_args: '["--config", "/etc/gitlab-runner/fargate.toml", "custom", "run"]'
# cleanup_exec: "/opt/gitlab-runner/fargate"
# cleanup_args: '["--config", "/etc/gitlab-runner/fargate.toml", "custom", "cleanup"]'
install_fargate: false
restart: true # set to false if you're applying settings to a server responsible for its own runners
username: "{{ ce_deploy.username }}"
docker_group: "docker"
runner_workingdir: "/home/{{ ce_deploy.username }}/build"
runner_config: "/etc/gitlab-runner/config.toml"
# see https://gitlab.com/gitlab-org/ci-cd/custom-executor-drivers/fargate/-/tree/master/docs
fargate:
cluster: "my-cluster" # ECS cluster name
profile: "example" # AWS boto profile name - can be substituted for "{{ _aws_profile }}" if set
region: "eu-west-1" # AWS region name - can be substituted for "{{ _aws_region }}" if set
subnet: "subnet-abcdef123456" # subnet ID
security_group: "my-security-group" # SG name
task_definition: "my-task:1" # task definition in format name:revision, if revision is not provided ECS will use latest
public_ip: "false" # if your containers need a public IP assigning
version: "1.4.0" # Fargate platform version
metadata_dir: "/opt/gitlab-runner/metadata"
ssh_user: "root"
ssh_port: 22
##################################################
# End @TODO #
##################################################

```

Expand Down
8 changes: 4 additions & 4 deletions docs/roles/debian/gpg_key.md
Original file line number Diff line number Diff line change
Expand Up @@ -9,11 +9,11 @@ Generates a passwordless GPG key for a given user or users.
---
gpg_key_servers:
- hkps://keyserver.ubuntu.com
- hkps://pgp.mit.edu
- hkps://keys.openpgp.org
#- hkps://keys.openpgp.org # removed key servers from defaults due to reliability issues
#- hkps://pgp.mit.edu
gpg_key:
- username: example # Must exist already on the server.
publish: false # Whether to publish to HKS public servers.
- username: example # Must exist already on the server
publish: false # Whether to publish to HKS public servers
key_type: "RSA"
key_length: 4096
email: example@example.com
Expand Down
3 changes: 2 additions & 1 deletion docs/roles/debian/jenkins.md
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ ldap_client:
bindpw: ""

jenkins:
apt_signed_by: https://pkg.jenkins.io/debian/jenkins.io.key
apt_signed_by: https://pkg.jenkins.io/debian-stable/jenkins.io-2023.key
server_name: "jenkins.{{ _domain_name }}"
ssl_handling: "ssl_selfsigned"
listen_http_port: -1
Expand All @@ -38,6 +38,7 @@ jenkins:
mailto: "admins@example.com"
# daily key renewal execution with systemd timer
on_calendar: "*-*-* 02:15:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events
apt_origin_jenkins: "origin=jenkins.io"

```

Expand Down
14 changes: 14 additions & 0 deletions docs/roles/debian/nginx.md
Original file line number Diff line number Diff line change
Expand Up @@ -129,6 +129,8 @@ nginx:
cache_behavior_public: "add_header Cache-Control \"public, max-age=604800\""
proxy_host: localhost
proxy_port: 8443
# Set a custom port for Let's Encrypt to bind to during the initial certificate run
# vhost_letsencrypt_port: []
# You can inject custom directives into the main nginx.conf file here by providing them as a list of strings.
#custom_directives: []
# Group prefix. Useful for grouping by environments.
Expand All @@ -139,6 +141,18 @@ nginx:
php_fastcgi_backend: "127.0.0.1:90{{ php.version[-1] | replace('.', '') }}" # for unix socket use "unix:/var/run/php{{ php.version[-1] | replace('.','') }}-fpm.sock"
ratelimitingcrawlers: false
client_max_body_size: "700M"
# drupal_fallback: []
# Default location behavior for nginx
# If no custom location behavior is defined, this will be used:
# nginx_location_behavior: ['try_files @rewrite /index.php?$query_string;']

# Uncomment and customize the following lines if you want to use custom location behavior:
# custom_nginx_location_behavior:
# - 'index index.php index.html;'
# - 'expires max;'
# - 'set $boost_cache_path "/cache/normal/$host";'
# - 'set $boost_cache_file "${boost_cache_path}${uri}_.html";'
# - 'try_files $boost_cache_file $uri $uri/ @drupal;'
fastcgi_read_timeout: 60
recreate_vhosts: true # handle vhosts with ansible, if 'true' then clean up 'sites-enabled' dir and run domain.yml.
vhost_backup_location: "/home/{{ _ce_provision_username }}" # see _init for _ce_provision_username
Expand Down
6 changes: 4 additions & 2 deletions docs/roles/debian/nodejs.md
Original file line number Diff line number Diff line change
Expand Up @@ -8,11 +8,13 @@ Installs NodeJS from official repos.
---
nodejs:
# Used by apt_unattended_upgrades
apt_origin_nodejs: "origin=Node Source,codename=nodistro,label=Node Source" # nodejs repo
apt_origin_nodejs: "origin=. nodistro,codename=nodistro,label=. nodistro" # nodejs repo
apt_origin_nodejs_old: "origin=Node Source,codename=${distro_codename},label=Node Source" # nodejs repo
apt_signed_by_nodejs: https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key
apt_origin_yarn: "origin=yarn,codename=stable,label=yarn-stable" # yarn repo
apt_signed_by_yarn: https://dl.yarnpkg.com/debian/pubkey.gpg
version: 18.x # LTS - see https://nodejs.dev/en/about/releases/
version: 22.x # LTS - see https://nodejs.dev/en/about/releases/
start_corepack: false # corepack is shipped with nodejs and enables a core set of packages
npm_packages: []
#npm_packages:
# - name: coffee-script # required
Expand Down
15 changes: 14 additions & 1 deletion docs/roles/debian/openvpn.md
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,15 @@ openvpn:
# - "1.2.3.4 255.255.255.255" # push specific IP 1.2.3.4
# - "www.google-analytics.com 255.255.255.255" # push any IP resolving to www.google-analytics.com, must set allow_pull_fqdn to true
push_routes_ipv6: [] # list of VPN push routes for ipv6 networks - ipv6_support must be "y"
# Provide a path to a directory, such as /etc/openvpn/client, to configure a directory where OpenVPN can look up default client configs.
# See --client-config-dir in the manual - https://openvpn.net/community-resources/reference-manual-for-openvpn-2-0/
# You can use a 'DEFAULT' file in the specified directory as an include or provide client-specific config, such as managed push routes.
client_config_dir: "" # specify to set own config directory. If not set the default is /etc/openvpn/ccd.
push_routes_elb: [] # list of DNS names for resolve and update openvpn 'push routes' with changing IP addresses.
# - myloadbalancer.example.com
# - example-elb.example.com
push_routes_elb_path: "/etc/openvpn/ccd/DEFAULT" # path to the file with the updatable routes
client_config_push_routes: false # if you are providing push routes in your client config, set this to true to remove the default ones
# PAM and LDAP authentication
pam:
enabled: false # relies on `openvpn-plugin-auth-pam.so` which is bundled with OpenVPN server for Debian
Expand All @@ -46,7 +55,9 @@ openvpn:
lookup_filter: "|(objectClass=inetOrgPerson)" # LDAP filter to apply to lookups
login_attribute: uid # the LDAP attribute to check the OpenVPN username against
group_base: "" # e.g. ou=Groups,dc=example,dc=com
group_dn: "" # restrict to specific group, e.g. cn=admins,ou=Groups,dc=example,dc=com
group_dn: [] # restrict to specific groups:
# - cn=admins,ou=Groups,dc=example,dc=com
# - cn=developers,ou=Groups,dc=example,dc=com
group_attribute: memberUid # the LDAP group attribute to check the OpenVPN username against
ssl_certificate: "{{ pam_ldap.ssl_certificate | default('') }}"
ssl_certificate_check: "{{ pam_ldap.ssl_certificate_check | default(true) }}"
Expand All @@ -60,6 +71,8 @@ openvpn:
port_choice: "1" # 1 = use default 1194, 3 means use a random port
protocol_choice: "1" # 1 = udp, 2 = tcp
dns: "1" # 1 = system default, see options - https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L314-L327
# dns1: "10.8.0.1" # if openvpn.dns="13" (i.e. custom), specify the DNS server for the "push dhcp-option DNS"
# dns2: "" # (optional) if openvpn.dns="13" (i.e. custom), specify the second DNS server
compression_enabled: "n"
compression_choice: "1" # only works if compression_enabled is "y", 1 = LZ4-v2, 2 = LZ4, 3 = LZ0
test_username: example # this will be used to create a client config in the `script_install_path` location
Expand Down
5 changes: 4 additions & 1 deletion docs/roles/debian/packer.md
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,10 @@ Role to install Hashicorp's Packer binary.
```yaml
---
packer:
version: "1.9.1" # see https://releases.hashicorp.com/packer/
version: "1.11.2" # see https://releases.hashicorp.com/packer/
plugins:
- github.com/hashicorp/amazon
- github.com/hashicorp/ansible

```

Expand Down
1 change: 1 addition & 0 deletions docs/roles/debian/php-cli.md
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,7 @@ php:
memory_consumption: 128
max_accelerated_files: 2000
validate_timestamps: 1
interned_strings_buffer: 8

```

Expand Down
4 changes: 4 additions & 0 deletions docs/roles/debian/php-fpm.md
Original file line number Diff line number Diff line change
Expand Up @@ -64,7 +64,11 @@ php:
memory_consumption: 128
max_accelerated_files: 2000
validate_timestamps: 1
interned_strings_buffer: 8
clear_env: "yes"
# Cloudwatch log settings.
log_group_prefix: ""
log_stream_name: example

```

Expand Down
1 change: 1 addition & 0 deletions docs/roles/debian/postfix.md
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ Full TLS SMTP support is optional by enabling SSL.
---

postfix:
disable_syslog: true
hostname: "{{ ansible_fqdn }}" # if you set this to something else you may have to create PTR records to avoid bouncing
dest_hosts: "mail.host1.com,mail.host2.com"
disable_vrfy: "no" # leave as 'no' for Postfix config, not a YAML boolean
Expand Down
1 change: 1 addition & 0 deletions docs/roles/debian/rkhunter.md
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ rkhunter:
allow_ssh_root_user: "{{ sshd.PermitRootLogin | default('prohibit-password') }}"
disable_tests: "suspscan hidden_procs deleted_files packet_cap_apps apps os_specific"
os_package_manager: "NONE" # PKGMGR=NONE is default for Debian, set it to what you need.
portpathwhitelist: []
scriptwhitelist:
- /bin/egrep
- /bin/fgrep
Expand Down
Loading
Loading