
8 changed files with 186 additions and 251 deletions


@ -107,7 +107,6 @@
semantic.eno.do
cocoon.eno.do
api.eno.do
support.eno.do
munin.eno.do
convergence.eno.do
kibana.mslk.me

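--- a/ctfd.yml
+++ b/ctfd.yml
@@ -1,141 +0,0 @@
----
-- hosts: ctfd
-vars:
-domain: ctf.eqy.fr
-owner: ctfd
-version: master
-home: "/home/ctfd"
-letsencrypt_email: julien@palard.fr
-secret_key: !vault |
-$ANSIBLE_VAULT;1.1;AES256
-34396134346435343464653766663833643061666164323337646137636631643930326633333239
-3433333563366461646665643739383466343465663733650a326533316138366336333231616162
-62623562346561663936303861363863626336343437333164343063323533353432653766356334
-6138343864666637660a383165356630363533376562323663353636373636613035636339626631
-31643062353434333534333130636237396365633662343964666134333833373439363833323062
-3032666163643162613766306437356438653538333163346531
-tasks:
-- name: Create user
-user:
-name: "{{ owner }}"
-home: "{{ home }}"
-- name: Clone ctfd
-git:
-repo: https://github.com/CTFd/CTFd
-dest: "{{ home }}/CTFd/"
-become: true
-become_user: "{{ owner }}"
-- name: Setup secret key
-copy:
-content: "{{ secret_key }}"
-dest: "{{ home }}/CTFd/.ctfd_secret_key"
-- name: Configure nginx
-include_role: name=nginx
-vars:
-nginx_domain: "{{ domain }}"
-nginx_certificates:
-- "{{ domain }}"
-nginx_owner: "{{ owner }}"
-nginx_conf: |
-server
-{
-listen 80;
-server_name {{ domain }};
-access_log /var/log/nginx/{{ domain }}-access.log;
-error_log /var/log/nginx/{{ domain }}-error.log;
-return 301 https://$host$request_uri;
-}
-server
-{
-listen 443 ssl;
-server_name {{ domain }};
-access_log /var/log/nginx/{{ domain }}-access.log;
-error_log /var/log/nginx/{{ domain }}-error.log;
-include snippets/letsencrypt-{{ domain }}.conf;
-add_header X-Frame-Options DENY;
-charset utf-8;
-location /
-{
-proxy_pass http://unix:{{ home }}/ctfd.sock;
-proxy_redirect off;
-proxy_set_header Host $host;
-proxy_set_header X-Real-IP $remote_addr;
-proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-proxy_set_header X-Forwarded-Proto $scheme;
-}
-}
-- name: Install requirements
-pip:
-requirements: "{{ home }}/CTFd/requirements.txt"
-virtualenv_command: "/usr/bin/python3 -m venv"
-virtualenv: "{{ home }}/venv/"
-become: true
-become_user: "{{ owner }}"
-- name: Install MariaDB
-# CTFd can run on SQLite but with migration issues
-# See #1988.
-package:
-state: present
-name:
-- mariadb-server
-- python3-pymysql
-- name: MariaDB database
-community.mysql.mysql_db:
-name: ctfd
-state: present
-login_unix_socket: /run/mysqld/mysqld.sock
-- name: MariaDB user
-community.mysql.mysql_user:
-state: present
-name: ctfd
-priv: 'ctfd.*:ALL'
-login_unix_socket: /run/mysqld/mysqld.sock
-- name: Configure CTFd to use MariaDB
-lineinfile:
-path: '/home/ctfd/CTFd/CTFd/config.ini'
-regex: '^DATABASE_URL'
-line: 'DATABASE_URL = mysql+pymysql://ctfd@/ctfd?unix_socket=/run/mysqld/mysqld.sock'
-notify: Restart CTFd
-- name: Configure systemd
-copy:
-dest: "/etc/systemd/system/{{ domain }}.service"
-content: |
-[Unit]
-Description=CTFd ({{ domain }})
-After=network.target
-[Service]
-PIDFile={{ home }}/gunicorn.pid
-User={{ owner }}
-Group={{ owner }}
-RuntimeDirectory=pasteque
-WorkingDirectory={{ home }}/CTFd/
-ExecStart={{ home }}/venv/bin/gunicorn --worker-class gevent -w6 -t 120 --pid {{ home }}/gunicorn.pid \
---bind unix:{{ home }}/ctfd.sock wsgi:app
-ExecReload=/bin/kill -s HUP $MAINPID
-ExecStop=/bin/kill -s TERM $MAINPID
-PrivateTmp=true
-[Install]
-WantedBy=multi-user.target
-- name: Start CTFd
-service: name="{{ domain }}" enabled=no state=stopped daemon_reload=yes
-handlers:
-- name: Restart CTFd
-service: name=ctf.eqy.fr state=restarted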

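--- a/mdk.fr.yml
+++ b/mdk.fr.yml
@@ -0,0 +1,96 @@
+---
+- hosts: mdk
+vars:
+letsencrypt_email: julien@palard.fr
+tasks:
+- name: Setup mdk.fr
+include_role: name=nginx
+vars:
+nginx_domain: mdk.fr
+nginx_certificates: [mdk.fr, www.mdk.fr, julien.palard.fr, mandark.fr, sizeof.fr, www.mandark.fr, www.sizeof.fr]
+nginx_owner: mdk_fr
+nginx_path: /var/www/mdk.fr/
+nginx_public_deploy_key: |
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC/8I1ecV8EutLc+Qx6Q8b2RhzXMl9n23LznNlw+MQtM mdk.fr
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIETtLGjVKqpQ4bQRh108Bi5vkc8omuEwZPEUbeysLfci formations
+nginx_conf: |
+add_header Content-Security-Policy "frame-ancestors 'none'";
+add_header X-Frame-Options "DENY";
+server
+{
+listen 80;
+server_name julien.palard.fr sizeof.fr www.sizeof.fr;
+return 301 https://mdk.fr;
+}
+server
+{
+listen 80;
+server_name mdk.fr www.mdk.fr mandark.fr www.mandark.fr;
+return 301 https://mdk.fr$request_uri;
+}
+server
+{
+listen 443 ssl;
+server_name julien.palard.fr sizeof.fr www.sizeof.fr;
+include snippets/letsencrypt-mdk.fr.conf;
+add_header X-Frame-Options "DENY";
+return 301 https://mdk.fr;
+}
+server
+{
+listen 443 ssl;
+server_name www.mdk.fr mandark.fr www.mandark.fr;
+include snippets/letsencrypt-mdk.fr.conf;
+add_header Content-Security-Policy "frame-ancestors 'none'";
+add_header X-Frame-Options "DENY";
+return 301 https://mdk.fr$request_uri;
+}
+server
+{
+listen 443 ssl;
+charset utf-8;
+server_name mdk.fr;
+include snippets/letsencrypt-mdk.fr.conf;
+add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;";
+add_header X-Frame-Options "DENY";
+location /noindex/ {
+autoindex off;
+}
+location /index/ {
+autoindex on;
+}
+root /var/www/mdk.fr/;
+index index.html;
+}
+- name: Keep nginx logs longer
+copy:
+dest: /etc/logrotate.d/nginx
+content: |
+/var/log/nginx/*.log {
+size 10M
+missingok
+rotate 99
+compress
+delaycompress
+notifempty
+create 0640 www-data adm
+sharedscripts
+prerotate
+if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
+run-parts /etc/logrotate.d/httpd-prerotate; \
+fi \
+endscript
+postrotate
+invoke-rc.d nginx rotate >/dev/null 2>&1
+endscript
+}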
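Review bot: The Content-Security-Policy on the mdk.fr `server` block (the `add_header` line just before its `X-Frame-Options`) grants `'unsafe-inline'` in `script-src`, which gives up most of the XSS protection a CSP is meant to provide; if the site genuinely needs inline scripts, a nonce or hash source keeps them working without that allowance, and adding `object-src 'none'; base-uri 'self'` covers the plugin and base-tag directives the current policy leaves at default. Separately, nginx only emits `add_header` headers on 2xx/3xx responses unless the `always` flag is present, so error pages from these servers go out without CSP or X-Frame-Options: `add_header X-Frame-Options "DENY" always;` (and likewise for the CSP lines). No `Strict-Transport-Security` header appears in any of the 443 `server` blocks; unless `snippets/letsencrypt-mdk.fr.conf` (not on this page) sets it, HSTS is missing. As a style point, the seven-entry `nginx_certificates` flow list would read and diff better as a block sequence.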


@ -9,8 +9,6 @@ nginx_conf: |
{
listen [::]:80; listen 80;
server_name {{ nginx_domain }};
access_log /var/log/nginx/{{ nginx_domain }}-access.log;
error_log /var/log/nginx/{{ nginx_domain }}-error.log;
return 301 https://$host$request_uri;
}
@ -20,8 +18,6 @@ nginx_conf: |
listen [::]:443 ssl; listen 443 ssl;
charset utf-8;
server_name {{ nginx_domain }};
access_log /var/log/nginx/{{ nginx_domain }}-access.log;
error_log /var/log/nginx/{{ nginx_domain }}-error.log;
include snippets/letsencrypt-{{ nginx_domain }}.conf;
root {{ nginx_path }};


@ -71,6 +71,26 @@
- nginx
- ca-certificates
- name: Setup custom log format
copy:
dest: /etc/nginx/conf.d/logging.conf
owner: root
group: root
mode: 0644
content: |
log_format custom '$host $remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
access_log /var/log/nginx/access.log custom;
error_log /var/log/nginx/error.log;
- name: Hide logging setup from nginx.conf
lineinfile:
regex: _log
state: absent
path: /etc/nginx/nginx.conf
backup: true
- name: Ensure certbot is not installed from Debian packages
package:
state: absent
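Review bot: The `Hide logging setup from nginx.conf` task deletes every line of `/etc/nginx/nginx.conf` matching the bare regex `_log`, which is wider than the `access_log`/`error_log` directives it is meant to remove and would also strip comments or any future directive containing that substring; anchoring it, e.g. `regex: '^\s*(access_log|error_log)\s'`, keeps the task to its intent. Removing the main-context `error_log` also means errors raised before the `http` block is parsed fall back to nginx's compile-time default path, because the replacement `error_log` in `conf.d/logging.conf` is presumably only active inside `http` (assuming the Debian default `include /etc/nginx/conf.d/*.conf;` there) — a one-line comment on the task would save the next reader that investigation. `mode: 0644` on the copy task should be quoted as `mode: "0644"` so the YAML parser does not turn it into the integer 420.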


@ -2,8 +2,6 @@ server
{
listen 80;
server_name .{{ domain }};
access_log /var/log/nginx/{{ domain }}-access.log;
error_log /var/log/nginx/{{ domain }}-error.log;
return 301 https://$host$request_uri;
}
@ -11,8 +9,6 @@ server
{
listen 443 ssl;
server_name .{{ domain }};
access_log /var/log/nginx/{{ domain }}-access.log;
error_log /var/log/nginx/{{ domain }}-error.log;
include snippets/letsencrypt-{{ domain }}.conf;
add_header Content-Security-Policy "default-src 'self' code.jquery.com cdnjs.cloudflare.com stackpath.bootstrapcdn.com";


@ -19,9 +19,11 @@
owner: mdk
group: mdk
mode: 0644
backup: true
content: |
[DEFAULT]
from = user@rss2email.invalid
user-agent = rss2email/__VERSION__ (__URL__)
use-8bit = False
force-from = False
use-publisher-email = False
@ -29,6 +31,7 @@
to = julien@palard.fr
proxy =
feed-timeout = 60
same-server-fetch-interval = 0
active = True
digest = False
date-header = False
@ -36,10 +39,12 @@
bonus-header =
trust-guid = True
trust-link = False
reply-changes = False
encodings = US-ASCII, ISO-8859-1, UTF-8, BIG5, ISO-2022-JP
post-process =
digest-post-process =
html-mail = True
multipart-html = False
use-css = False
css = h1 {
font: 18pt Georgia, "Times New Roman";
@ -79,15 +84,18 @@
}
unicode-snob = False
links-after-each-paragraph = False
inline-links = True
wrap-links = True
body-width = 0
email-protocol = sendmail
sendmail = /usr/sbin/sendmail
sendmail_config =
smtp-auth = False
smtp-username = username
smtp-password = password
smtp-server = smtp.yourisp.net:25
smtp-port = 465
smtp-ssl = False
smtp-ssl-protocol = TLSv1
imap-auth = False
imap-username = username
imap-password = password
@ -95,6 +103,8 @@
imap-port = 143
imap-ssl = False
imap-mailbox = INBOX
maildir-path = ~/Maildir
maildir-mailbox = INBOX
verbose = warning
[feed.Agarri-Sécurité-informatique-offensive]
@ -107,10 +117,10 @@
url = https://framablog.org/feed/
[feed.hackndo]
url = http://beta.hackndo.com/feed.xml
url = https://beta.hackndo.com/feed.xml
[feed.Hurricane-Labs]
url = https://www.hurricanelabs.com/feed.rss
url = https://hurricanelabs.com/feed/
[feed.Incidents-du-réseau-Framasoft]
url = https://status.framasoft.org/atom
@ -124,9 +134,6 @@
[feed.SSTIC---Blog]
url = https://blog.sstic.org/index.xml
[feed.top-scoring-links-cybersecurity]
url = https://www.reddit.com/r/cybersecurity/top/.rss?t=month
[feed.top-scoring-links-hacking]
url = https://www.reddit.com/r/hacking/top/.rss?t=month
@ -141,3 +148,48 @@
[feed.linuxfr]
url = https://linuxfr.org/news.atom
[feed.grisebouille]
url = https://grisebouille.net/feed.rss
[feed.mypy]
url = https://mypy-lang.blogspot.com/feeds/posts/default
[feed.weekly-osm-fr]
url = https://weeklyosm.eu/fr/feed
[feed.tenthousandmeters]
url = https://tenthousandmeters.com/feeds/all.atom.xml
[feed.vstinner]
url = https://vstinner.github.io/feeds/all.atom.xml
[feed.discourse]
url = https://blog.discourse.org/feed.xml/
[feed.LoOPS]
url = https://reseau-loops.github.io/feed.xml
[feed.mobian]
url = https://blog.mobian.org/index.xml
[feed.signal-spam]
url = https://signal-spam.fr/feed/
[feed.reflets]
url = https://reflets.info/feeds/public
[feed.mastodon]
url = https://blog.joinmastodon.org/index.xml
[feed.gitea-open-letter]
url = https://gitea-open-letter.coding.social/updates/atom.xml
[feed.emacs-doctor]
url = https://www.emacs-doctor.com/feed.xml
[feed.Pidgin]
url = https://pidgin.im/post/index.xml
[feed.communs-numeriques]
url = https://communs.numerique.gouv.fr/feed/feed.xml


@ -4,76 +4,6 @@
vars:
letsencrypt_email: julien@palard.fr
tasks:
- name: Setup mdk.fr
include_role: name=nginx
vars:
nginx_domain: mdk.fr
nginx_certificates: [mdk.fr, www.mdk.fr, julien.palard.fr, mandark.fr, sizeof.fr, www.mandark.fr, www.sizeof.fr]
nginx_owner: mdk_fr
nginx_path: /var/www/mdk.fr/
nginx_public_deploy_key: |
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC/8I1ecV8EutLc+Qx6Q8b2RhzXMl9n23LznNlw+MQtM mdk.fr
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIETtLGjVKqpQ4bQRh108Bi5vkc8omuEwZPEUbeysLfci formations
nginx_conf: |
server
{
listen 80;
server_name julien.palard.fr sizeof.fr www.sizeof.fr;
access_log /var/log/nginx/redirects-access.log;
error_log /var/log/nginx/redirects-error.log;
return 301 https://mdk.fr;
}
server
{
listen 80;
server_name mdk.fr www.mdk.fr mandark.fr www.mandark.fr;
access_log /var/log/nginx/redirects-access.log;
error_log /var/log/nginx/redirects-error.log;
return 301 https://mdk.fr$request_uri;
}
server
{
listen 443 ssl;
server_name julien.palard.fr sizeof.fr www.sizeof.fr;
access_log /var/log/nginx/redirects-access.log;
error_log /var/log/nginx/redirects-error.log;
include snippets/letsencrypt-mdk.fr.conf;
return 301 https://mdk.fr;
}
server
{
listen 443 ssl;
server_name www.mdk.fr mandark.fr www.mandark.fr;
access_log /var/log/nginx/redirects-access.log;
error_log /var/log/nginx/redirects-error.log;
include snippets/letsencrypt-mdk.fr.conf;
return 301 https://mdk.fr$request_uri;
}
server
{
listen 443 ssl;
charset utf-8;
server_name mdk.fr;
access_log /var/log/nginx/mdk.fr-access.log;
error_log /var/log/nginx/mdk.fr-error.log;
include snippets/letsencrypt-mdk.fr.conf;
location /noindex/ {
autoindex off;
}
location /index/ {
autoindex on;
}
root /var/www/mdk.fr/;
index index.html;
}
- name: Setup palard.fr
include_role: name=nginx
vars:
@ -84,8 +14,6 @@
{
listen 80;
server_name palard.fr www.palard.fr;
access_log /var/log/nginx/palard.fr-access.log;
error_log /var/log/nginx/palard.fr-error.log;
return 301 https://$host$request_uri;
}
@ -94,9 +22,9 @@
listen 443 ssl;
charset utf-8;
server_name palard.fr www.palard.fr;
access_log /var/log/nginx/palard.fr-access.log;
error_log /var/log/nginx/palard.fr-error.log;
include snippets/letsencrypt-palard.fr.conf;
add_header Content-Security-Policy "frame-ancestors 'none'";
add_header X-Frame-Options "DENY";
root /var/www/palard.fr/;
}
@ -165,8 +93,6 @@
{
listen 80;
server_name le-poitevin.fr;
access_log /var/log/nginx/le-poitevin.fr-access.log;
error_log /var/log/nginx/le-poitevin.fr-error.log;
return 301 https://$host$request_uri;
}
@ -174,8 +100,6 @@
{
listen 80;
server_name www.le-poitevin.fr;
access_log /var/log/nginx/le-poitevin.fr-access.log;
error_log /var/log/nginx/le-poitevin.fr-error.log;
return 301 https://le-poitevin.fr$request_uri;
}
@ -183,9 +107,9 @@
{
listen 443 ssl;
server_name le-poitevin.fr;
access_log /var/log/nginx/le-poitevin.fr-access.log;
error_log /var/log/nginx/le-poitevin.fr-error.log;
include snippets/letsencrypt-le-poitevin.fr.conf;
add_header Content-Security-Policy "frame-ancestors 'none'";
add_header X-Frame-Options "DENY";
root /var/www/le-poitevin.fr/;
index index.html;
}
@ -194,9 +118,9 @@
{
listen 443 ssl;
server_name www.le-poitevin.fr;
access_log /var/log/nginx/le-poitevin.fr-access.log;
error_log /var/log/nginx/le-poitevin.fr-error.log;
include snippets/letsencrypt-le-poitevin.fr.conf;
add_header Content-Security-Policy "frame-ancestors 'none'";
add_header X-Frame-Options "DENY";
return 301 https://le-poitevin.fr$request_uri;
}
@ -214,9 +138,6 @@
{
listen 80;
server_name codeenseine.fr;
access_log /var/log/nginx/codeenseine.fr-access.log;
error_log /var/log/nginx/codeenseine.fr-error.log;
return 301 https://$host$request_uri;
}
@ -225,9 +146,9 @@
listen 443 ssl;
charset utf-8;
server_name codeenseine.fr;
access_log /var/log/nginx/codeenseine.fr-access.log;
error_log /var/log/nginx/codeenseine.fr-error.log;
include snippets/letsencrypt-codeenseine.fr.conf;
add_header Content-Security-Policy "frame-ancestors 'none'";
add_header X-Frame-Options "DENY";
root /var/www/codeenseine.fr/;
index index.html;
@ -237,8 +158,6 @@
{
listen 80;
server_name www.codeenseine.fr;
access_log /var/log/nginx/codeenseine.fr-access.log;
error_log /var/log/nginx/codeenseine.fr-error.log;
return 301 https://codeenseine.fr$request_uri;
}
@ -246,9 +165,9 @@
{
listen 443 ssl;
server_name www.codeenseine.fr;
access_log /var/log/nginx/codeenseine.fr-access.log;
error_log /var/log/nginx/codeenseine.fr-error.log;
include snippets/letsencrypt-codeenseine.fr.conf;
add_header Content-Security-Policy "frame-ancestors 'none'";
add_header X-Frame-Options "DENY";
return 301 https://codeenseine.fr$request_uri;
}
@ -263,8 +182,6 @@
{
listen 80;
server_name matrix.palard.fr;
access_log /var/log/nginx/matrix.palard.fr-access.log;
error_log /var/log/nginx/matrix.palard.fr-error.log;
return 301 https://$host$request_uri;
}
@ -272,9 +189,9 @@
{
listen 443 ssl;
server_name matrix.palard.fr;
access_log /var/log/nginx/matrix.palard.fr-access.log;
error_log /var/log/nginx/matrix.palard.fr-error.log;
include snippets/letsencrypt-matrix.palard.fr.conf;
add_header Content-Security-Policy "frame-ancestors 'none'";
add_header X-Frame-Options "DENY";
location /
{