Merged master, fixed conflict in wordpress documentation
graphiclunarkid committed Aug 11, 2016
2 parents 15dca70 + f67faa2 commit 51b8a4d
Showing 98 changed files with 1,259 additions and 515 deletions.
1 change: 1 addition & 0 deletions .gitignore
@@ -1,3 +1,4 @@
site.retry
site.yml
ansible_hosts
*.pyc
25 changes: 25 additions & 0 deletions doc/role-doc/antivirus.md
@@ -0,0 +1,25 @@
# Summary

## Description

This role installs and configure `chkrootkit`, and rootkit checker software. It
is configured to run daily and to send alerts by e-mail to the administrator.

This role is automatically included in the `common` role.

## Prerequired roles

- `base-packages`
- `base-config`

# Manual steps

# Configuration parameters (ansible variables)

## Mandatory parameters

None.

## Optional parameters

None.
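Review bot: the description sentence has two grammar slips: `installs and configure` should be `installs and configures`, and `and rootkit checker software` should read `a rootkit checker`. The `# Manual steps` heading is left empty; the parameter sections use `None.` for that case, so the same here would make clear nothing was omitted. It would also help operators to say where the daily run is scheduled (the cron entry) and that the alert goes to the `admin_email` defined by `base-config`, since that is the address the reader has to keep correct for the alerts to be seen.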
3 changes: 2 additions & 1 deletion doc/role-doc/backupninja.md
Expand Up @@ -12,7 +12,8 @@ backed-up directories is still static.

## Prerequired roles

- `common`
- `base-packages`
- `base-config`

# Manual steps to setup backup system

44 changes: 44 additions & 0 deletions doc/role-doc/base-config.md
@@ -0,0 +1,44 @@
# Summary

## Description

This role ensures that the `root` account in `/etc/aliases` forwards messages to
the e-mail address defined by the administrator (see below), and installs
`apticron` to notify of available package updates. It also installs `postfix` to
ensure the e-mail delivery of `apticron` alerts and configures it not to listen
on the network.

This role is automatically included in the `common` role.

## Prerequired roles

None.

# Manual steps

# Configuration parameters (ansible variables)

## Mandatory parameters

### `admin_email`

Email address of the administrator, where Cron messages and various security
alerts will be sent to.

### `base_force_postfix_master_cf`

Default: `False`

This variable decides whether the role is forced to install a postfix
configuration file `master.cf` that disables any network-listening daemon of
postfix, for security reasons. When left to the default (`False`), the role will
refrain from installing it if it detects that that file was previously installed
by the `virtualmail` role, in order to prevent the two roles from fighting for
the same file.

It is useful to set this to `True` if you used to use the `virtualmail` role but
are not using it anymore.

## Optional parameters

None.
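Review bot: `base_force_postfix_master_cf` is documented with `Default: False` yet sits under `## Mandatory parameters` while `## Optional parameters` says `None.`; a parameter with a default is optional by this document's own convention, so move it to the optional section. The explanation of the forced `master.cf` could also name what it disables (the network-listening postfix daemons) in terms an operator can verify after the role runs, e.g. by checking that nothing from postfix is bound to a non-loopback socket; as written, a reader cannot tell whether the "prevent the two roles from fighting" case means the host is left listening on the network.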
39 changes: 39 additions & 0 deletions doc/role-doc/base-hardening.md
@@ -0,0 +1,39 @@
# Summary

## Description

This role hardens some system defaults:

- makes every new file created by any user accessible only by the given user, by
setting PAM's `umask` parameter to 077;
- allows only one user to connect using SSH: the user ansible uses to connect to
the host (it is possible to specify additional users - see below);
- prevents the superuser from connecting directly via SSH, unless it is used by
ansible to connect to the server;
- sets some `sysctl` parameters to values more advisable for security.

This role is automatically included in the `common` role.

## Prerequired roles

None.

# Manual steps

# Configuration parameters (ansible variables)

## Mandatory parameters

None.

## Optional parameters

### `ssh_additional_users`

This optional parameter must be an array of authorized users that will be
allowed to access your server using SSH. They will be added to the `AllowUsers`
directive of the SSH server configuration.

Example:

ssh_additional_users: [kheops, timmy]
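Review bot: `sets some sysctl parameters to values more advisable for security` is too vague for a hardening role: list the keys and values the role applies (or point at the template file) so operators can audit them and reconcile them with their own sysctl settings. The SSH bullet should also say that `AllowUsers` is the mechanism, which is only mentioned later under `ssh_additional_users`, and warn that a typo in that list locks every other account out, since only the listed users can log in. The `umask` bullet uses the correct value (077) but should name the PAM module it sets it through so the reader can check the resulting configuration.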
24 changes: 24 additions & 0 deletions doc/role-doc/base-packages.md
@@ -0,0 +1,24 @@
# Summary

## Description

This role installs some base packages on the system and activates the
"backports" Debian repository. It also removes several unwanted packages.

This role is automatically included in the `common` role.

## Prerequired roles

None.

# Manual steps

# Configuration parameters (ansible variables)

## Mandatory parameters

None.

## Optional parameters

None.
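Review bot: `installs some base packages` and `removes several unwanted packages` name nothing; list both sets (or reference the task file) so operators know what is removed from their hosts before running the role, rather than discovering it from the playbook output. Enabling the `backports` repository is also worth a sentence on whether packages are pinned to stable by default, as the `letsencrypt` doc in this same commit says for the `testing` repository.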
4 changes: 4 additions & 0 deletions doc/role-doc/common.md
Expand Up @@ -9,6 +9,10 @@ system: install essential packages and repositories, setting up a firewall using
It is strongly recommended to include this role in first position in any
Caislean installation.

This role only consists in including subroles that fulfill these tasks:
`base-packages`, `base-config`, `base-hardening`, `ufw` and `antivirus`. You may
want to rather select them individually for a finer tuning of your system.

## Prerequired roles

None.
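Review bot: `This role only consists in including subroles` should be `This role consists only of including the subroles`, and `You may want to rather select them individually for a finer tuning` reads better as `You may prefer to select them individually for finer tuning`. Since the other docs in this commit replace `common` with `base-packages` and `base-config` in their prerequisite lists, this paragraph is the natural place to state that those two are the minimum set the other roles rely on.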
3 changes: 2 additions & 1 deletion doc/role-doc/ldap-account-manager.md
Expand Up @@ -9,7 +9,8 @@ This role is currently broken.

## Prerequired roles

- `common`
- `base-packages`
- `base-config`
- `openldap`
- `nginx`
- `php-fpm`
43 changes: 28 additions & 15 deletions doc/role-doc/letsencrypt.md
Expand Up @@ -3,10 +3,10 @@
## Description

This role configures nginx to use certificates issued by [Let's
Encrypt](https://letsencrypt.org/) instead
of self-signed certificates installed by Caislean's TLS role. The advantage is
that Let's Encrypt certificates are trusted by most browsers so visitors to
your website won't see an untrusted certificate warning.
Encrypt](https://letsencrypt.org/) instead of self-signed certificates
installed by Caislean's TLS role. The advantage is that Let's Encrypt
certificates are trusted by most browsers so visitors to your website won't see
an untrusted certificate warning.

## Notes

Expand All @@ -24,28 +24,41 @@ This role adds the "testing" repository to the remote machine. The role also
specifies apt preferences to make sure software is installed from the stable
repositories unless explicitly specified otherwise.

This role won't work unless `website_domain_name` resolves to the IP address of
the remote machine. This is because Let's Encrypt verifies that you control the
domain for which you're requesting a certificate by placing a file in your
webserver's webroot and then checking that it can access that file from the domain
in question.
This role won't work unless every domain listed in `websites` resolves to the
IP address of the remote machine. This is because Let's Encrypt verifies that
you control the domains for which you're requesting certificates by placing
files in each virtual host's webroot and then checking that it can access those
files from the domains in question.

## Prerequired roles

- `common`
- `base-packages`
- `base-config`
- `tls`
- `nginx`

# Manual steps

# Configuration parameters (ansible variables)

## Mandatory parameters

### `website_domain_name`
### `websites`

A list of domain names for which Caislean should generate certificates. This is
the same list used by the `nginx` role when creating virtual hosts to serve.

Default:

websites:
- "{{ server_name }}.{{ domain_name }}"

Add or change lines to create new nginx virtual hosts and generate letsencrypt
certificates for them.

Example:

The domain name of the website you are serving from this machine (e.g.
example.com)
websites:
- "{{ domain_name }}"
- "www.example.com"

### `webmaster_email`

3 changes: 2 additions & 1 deletion doc/role-doc/mysql.md
Expand Up @@ -8,7 +8,8 @@ need a MySQL server to run.

## Prerequired roles

- `common`
- `base-packages`
- `base-config`

# Manual steps

54 changes: 52 additions & 2 deletions doc/role-doc/nginx.md
Expand Up @@ -13,7 +13,8 @@ includes:

## Prerequired roles

- `common`
- `base-packages`
- `base-config`
- `tls`

# Manual steps
Expand All @@ -30,6 +31,55 @@ The machine name of the administered server, e.g. "mycomputer".

The domain name, e.g. "mydomain.org".

### `websites`

Default: `[ name:` _server name_`.`_domain name_ `]`

A set of host names that your web server will serve content for. There can be
any number of names, but the default entry is mandatory, as otherwise this or
other roles will fail. The parameter `name` has to appear explicitly.

The role creates a folder `/var/www/<name>/` for every entry, and static content
in each of these directories will be served by nginx when your web server is
accessed with the corresponding host name. A folder `/etc/nginx/include/<name>/`
is also created for each entry, in which additional nginx configuration files
can be placed (for example to enable TLS for the given hostname or to set up a
PHP-enabled application in a specific subfolder).

A number of reverse proxies can be optionally configured for each host name by
specifying the parameter `reverse_proxy`, inside which the mandatory parameter
`target` must be set to the remote URL to proxy to and the optional parameter
`location` must be set to the local path where the proxying will be done (it is
set to `/` if left empty). Additional `nginx` options for this reverse proxy can
be specified under the parameter `options`, using a series of `option_name` and
`option_value` parameters.

The headers `X-Real-IP` and `X-Forwarded-For` are automatically added and do not
have to be add as options.

Example:

websites:
- name: "{{server_name}}.{{domain_name}}"
- name: www.otherdomain.com
- name: frontend.thirddomain.eu
reverse_proxy:
- target: 'http://backend.thirddomain.eu'
- target: 'http://specialbackend.thirddomain.eu'
location: '/specialbackend'
options:
- option_name: proxy_redirect
option_value: 'off'
- option_name: proxy_add_header
option_value: 'X-Forwarded-Proto $scheme'

## Optional parameters

None.
### `tls_additional_domains`

A set of additional domains for which nginx will also serve content in HTTPS.
These domains must be defined in the `websites` variable, or the role will fail
to execute. The default domain name must not be specified in this variable, as
TLS is enabled for it by default.

See the TLS role documentation for more information on this parameter.
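Review bot: the example's last option uses `option_name: proxy_add_header`, which is not an nginx directive (request headers sent to a backend are set with `proxy_set_header`, response headers with `add_header`); if options are written into the config as given, nginx will refuse the configuration. For `X-Forwarded-Proto $scheme` it should be `proxy_set_header`. Two smaller points: `## Optional parameters` is followed by `None.` and then immediately by `### tls_additional_domains`, so the `None.` has to go; and `do not have to be add as options` should be `added`. It would also help to say that `/etc/nginx/include/<name>/` files are included verbatim, so anything placed there is trusted configuration.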
44 changes: 43 additions & 1 deletion doc/role-doc/openldap.md
Expand Up @@ -18,7 +18,8 @@ deprecated practice and should thus be changed in the future.

## Prerequired roles

- `common`
- `base-packages`
- `base-config`

# Manual steps: managing users in the LDAP database

Expand Down Expand Up @@ -82,10 +83,51 @@ To delete a user's account, simply remove their LDAP corresponding entry:

## Mandatory parameters

### `ldap_bind_addresses`

Default: `[ 127.0.0.1 ]`

Local IP addresses for the OpenLDAP server to listen on. By default we only
listen on the local interface (127.0.0.1). You can specify any number of IP
addresses assigned to your server. IPv6 addresses must go between square
brackets. You should be able to use special addresses `0.0.0.0` (IPv4) and `::`
(IPv6) to listen on all network interfaces.

Be careful if you bind public IP addresses: the LDAP protocol is not encrypted
and LDAP over TLS is not (yet) supported by Caislean. Binding non-loopback
addresses may still be useful on a local area network or on a virtual network
between virtual machines.

Example:

ldap_bind_addresses:
- 127.0.0.1
- '[::1]'

### `ldap_admin_pass`

The LDAP administrator password.

### `ldap_managed_domains`

Default: `[ domain: domain_name ]`

List of domain names managed in the LDAP directory. The role will create one
separate LDAP database for each of the domains. Optionally, use the parameter
`admin_pass` to set an administrator password specific of a given domain
(otherwise the password set in `ldap_admin_pass` will be used).

For any given domain `example.com`, the administrator account to which to
identify is `cn=admin,dc=example,dc=com`.

Example:

ldap_managed_domains:
- domain: "{{ domain_name }}"
- domain: additionaldomain.com
- domain: some_other_domain.org
admin_pass: specificadminpass

### `domain_name`

The domain name, e.g. "mydomain.org".
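Review bot: `ldap_bind_addresses` and `ldap_managed_domains` both carry a `Default:` yet are listed under `## Mandatory parameters`; by this document's convention they belong under optional parameters. The plaintext-protocol warning on `ldap_bind_addresses` is welcome, but the sentence about `0.0.0.0` and `::` should say plainly that those expose the unencrypted directory, including bind passwords sent by clients, on every interface, so it is not "be careful" but "do not do this outside a trusted network". The `admin_pass` value in the `ldap_managed_domains` example is a secret that ends up in the inventory, as is `ldap_admin_pass`; the doc should point users at ansible-vault for both. Lastly, `the administrator account to which to identify` reads better as `the administrator account to bind as`.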
3 changes: 2 additions & 1 deletion doc/role-doc/openvpn.md
Expand Up @@ -10,7 +10,8 @@ through the use of TLS certificates, or both.

## Prerequired roles

- `common`
- `base-packages`
- `base-config`
- `tls`
- `openldap` (only if using the LDAP authentication)
