Diffstat (limited to 'roles/ssh-nginx-multiplex')
-rw-r--r--roles/ssh-nginx-multiplex/handlers/main.yaml25
-rw-r--r--roles/ssh-nginx-multiplex/tasks/main.yaml1
-rw-r--r--roles/ssh-nginx-multiplex/tasks/ssh_nginx_setup.yaml76
-rw-r--r--roles/ssh-nginx-multiplex/templates/index.html.j20
-rw-r--r--roles/ssh-nginx-multiplex/templates/nginx.conf.j257
-rw-r--r--roles/ssh-nginx-multiplex/templates/sslh.j23
6 files changed, 162 insertions, 0 deletions
diff --git a/roles/ssh-nginx-multiplex/handlers/main.yaml b/roles/ssh-nginx-multiplex/handlers/main.yaml
new file mode 100644
index 0000000..58c218b
--- /dev/null
+++ b/roles/ssh-nginx-multiplex/handlers/main.yaml
@@ -0,0 +1,25 @@
+- name: enable ufw
+ ufw:
+ state: enabled
+ policy: deny
+
+- name: restart ufw
+ systemd:
+ name: ufw
+ state: restarted
+ enabled: true
+ when: ansible_facts['service_mgr'] == 'systemd'
+
+- name: restart nginx
+ systemd:
+ name: nginx
+ state: restarted
+ enabled: true
+ when: ansible_facts['service_mgr'] == 'systemd'
+
+- name: restart sslh
+ systemd:
+ name: sslh
+ state: restarted
+ enabled: true
+ when: ansible_facts['service_mgr'] == 'systemd'
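Review bot: Enabling the firewall lives only in the `enable ufw` handler, which fires only when one of the two notifying `ufw` rule tasks in ssh_nginx_setup.yaml reports a change; on a host where both allow rules already exist but ufw is disabled (or was disabled by hand), a rerun never enables it and the default-deny policy is never reasserted. Turning it into an ordinary task at the end of the block in ssh_nginx_setup.yaml, after the two allow rules, `ufw: { state: enabled, policy: deny }`, keeps the run idempotent while still ensuring the allow rules are present before the policy switches to deny. The `restart ufw` handler can stay as it is. As a style point, none of the new files start with the `---` document marker that is conventional for Ansible YAML.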
diff --git a/roles/ssh-nginx-multiplex/tasks/main.yaml b/roles/ssh-nginx-multiplex/tasks/main.yaml
new file mode 100644
index 0000000..649b41b
--- /dev/null
+++ b/roles/ssh-nginx-multiplex/tasks/main.yaml
@@ -0,0 +1 @@
+- import_tasks: tasks/ssh_nginx_setup.yaml
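Review bot: The path `tasks/ssh_nginx_setup.yaml` relies on the loader's fallback search relative to the role directory; inside a role's tasks/main.yaml the conventional form is the bare file name, `- import_tasks: ssh_nginx_setup.yaml`, which resolves directly in the role's tasks/ directory without a first miss at tasks/tasks/. I believe the current spelling still resolves, so this is a style point rather than a defect.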
diff --git a/roles/ssh-nginx-multiplex/tasks/ssh_nginx_setup.yaml b/roles/ssh-nginx-multiplex/tasks/ssh_nginx_setup.yaml
new file mode 100644
index 0000000..beb0910
--- /dev/null
+++ b/roles/ssh-nginx-multiplex/tasks/ssh_nginx_setup.yaml
@@ -0,0 +1,76 @@
+- block:
+ - name: install required packages
+ apt:
+ name:
+ - openssl
+ - nginx
+ - sslh
+ - ufw
+ state: present
+ update_cache: true
+
+ - name: deploy index.html
+ template:
+ src: index.html.j2
+ dest: /var/www/html/index.html
+ owner: www-data
+ group: www-data
+ mode: '0644'
+
+ - name: ensure /var/www/html directory permissions
+ file:
+ path: /var/www/html
+ state: directory
+ owner: www-data
+ group: www-data
+ mode: '0755'
+
+ - name: generate self-signed ssl certificate
+ command: >
+ openssl req -x509 -nodes -days 365 -newkey rsa:2048
+ -keyout /etc/ssl/private/nginx-selfsigned.key
+ -out /etc/ssl/certs/nginx-selfsigned.crt
+ -subj "/CN=localhost"
+ args:
+ creates: /etc/ssl/certs/nginx-selfsigned.crt
+
+ - name: deploy nginx.conf
+ template:
+ src: nginx.conf.j2
+ dest: /etc/nginx/nginx.conf
+ owner: root
+ group: root
+ mode: '0644'
+ notify: restart nginx
+
+ - name: deploy sslh config file
+ template:
+ src: sslh.j2
+ dest: /etc/default/sslh
+ owner: root
+ group: root
+ mode: '0644'
+ notify: restart sslh
+
+ - name: allow ssh port and enable ufw
+ ufw:
+ rule: allow
+ port: "{{ internal_sshd_port }}"
+ proto: tcp
+ notify:
+ - enable ufw
+ - restart ufw
+
+ - name: allow http port and enable ufw
+ ufw:
+ rule: allow
+ port: "{{ public_sslh_port }}"
+ proto: tcp
+ notify:
+ - enable ufw
+ - restart ufw
+
+ when:
+ - public_sslh_port is defined
+ - internal_nginx_port is defined
+ - internal_sshd_port is defined
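Review bot: The certificate task is guarded by `creates: /etc/ssl/certs/nginx-selfsigned.crt` yet issues a `-days 365` certificate, so after a year nginx keeps serving an expired certificate and the task never regenerates it; the guard also ignores the key, so a missing /etc/ssl/private/nginx-selfsigned.key is not repaired. Either use a longer validity with a documented renewal step or check expiry before relying on `creates`, and in any case add a follow-up task that pins the key's ownership and mode, `file: { path: /etc/ssl/private/nginx-selfsigned.key, owner: root, group: root, mode: '0600' }`, since `command` leaves that to openssl's defaults. Two ordering points: `deploy index.html` writes into /var/www/html before the `ensure /var/www/html directory permissions` task would create it, so the directory task should come first if the nginx package has not already created it; and the `allow ssh port` rule opens `internal_sshd_port` on the public interface, which bypasses sslh whenever sshd listens on all addresses — if direct SSH is intended, say so in the task name, otherwise bind sshd to 127.0.0.1 and drop that rule.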
diff --git a/roles/ssh-nginx-multiplex/templates/index.html.j2 b/roles/ssh-nginx-multiplex/templates/index.html.j2
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/roles/ssh-nginx-multiplex/templates/index.html.j2
diff --git a/roles/ssh-nginx-multiplex/templates/nginx.conf.j2 b/roles/ssh-nginx-multiplex/templates/nginx.conf.j2
new file mode 100644
index 0000000..a735338
--- /dev/null
+++ b/roles/ssh-nginx-multiplex/templates/nginx.conf.j2
@@ -0,0 +1,57 @@
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+
+ server_tokens off;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log warn;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers on;
+
+ add_header X-Content-Type-Options nosniff;
+ add_header X-Frame-Options DENY;
+ add_header X-XSS-Protection "1; mode=block";
+
+ server {
+ listen 127.0.0.1:{{ internal_nginx_port }} ssl default_server;
+ server_name _;
+
+ root /var/www/html;
+ index index.html;
+
+ ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
+ ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers on;
+
+ add_header X-Content-Type-Options nosniff;
+ add_header X-Frame-Options DENY;
+ add_header X-XSS-Protection "1; mode=block";
+
+ location / {
+ try_files $uri $uri/ =404;
+ }
+
+ location ~ /\.(?!well-known) {
+ deny all;
+ }
+ }
+}
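Review bot: The server block only listens with `ssl` on `127.0.0.1:{{ internal_nginx_port }}`, but sslh.j2 hands traffic to that port via `--http`, which sslh selects for plain HTTP; plain-HTTP clients will therefore get nginx's "plain HTTP request was sent to HTTPS port" error, and TLS clients are not routed to nginx at all because no TLS target is configured. If TLS termination in nginx is the intent, the sslh option should be `--tls 127.0.0.1:{{ internal_nginx_port }}` (spelled `--ssl` on older sslh releases); if plain HTTP to nginx is the intent, drop `ssl` from the `listen` line and the certificate directives. Minor: the `ssl_protocols`, `ssl_prefer_server_ciphers` and `add_header` directives are repeated verbatim at http and server level, and without the `always` flag the `add_header` lines are not sent on error responses such as the 404 from `try_files`.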
diff --git a/roles/ssh-nginx-multiplex/templates/sslh.j2 b/roles/ssh-nginx-multiplex/templates/sslh.j2
new file mode 100644
index 0000000..8820a74
--- /dev/null
+++ b/roles/ssh-nginx-multiplex/templates/sslh.j2
@@ -0,0 +1,3 @@
+RUN=yes
+DAEMON=/usr/sbin/sslh
+DAEMON_OPTS="--user sslh --listen 0.0.0.0:{{ public_sslh_port }} --ssh 127.0.0.1:{{ internal_sshd_port }} --http 127.0.0.1:{{ internal_nginx_port }}"
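Review bot: `--listen 0.0.0.0:{{ public_sslh_port }}` binds IPv4 only, so clients reaching the host over IPv6 find no multiplexed port; if the host has a public IPv6 address, add a second `--listen [::]:{{ public_sslh_port }}` (sslh accepts the option more than once). The stock Debian /etc/default/sslh also passes `--pidfile /var/run/sslh/sslh.pid`, which I believe the sysvinit script uses for stop and status; since the handlers' `when: ansible_facts['service_mgr'] == 'systemd'` guard implies non-systemd hosts are in scope, it is worth keeping that option.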