yaml: truthy value should be one of [false, true] (truthy)
yaml: wrong indentation: expected 4 but found 2 (indentation)
yaml: too few spaces before comment (comments)
yaml: missing starting space in comment (comments)
yaml: too many blank lines (1 > 0) (empty-lines)
yaml: too many spaces after colon (colons)
yaml: comment not indented like content (comments-indentation)
yaml: no new line character at the end of file (new-line-at-end-of-file)
load-failure: Failed to load or parse file
parser-error: couldn't resolve module/action 'hosts'. This often indicates a misspelling, missing collection, or incorrect module path.
It should make it easier to change how the certificates are issued.
Ex: If we want to switch to ECDSA certificates in the future or replace
certbot with something else.
The discovery script now uses a regex and no longer cares where exactly
accounting is enabled. Follow systemd upstream by enabling it by
default.
Signed-off-by: Florian Pritz <bluewind@xinu.at>
Disable firewall because python2 module is not available and the tasks
fail which makes the playbooks fail and leads to handlers not being run.
https://github.com/ansible/ansible/issues/24855
Signed-off-by: Florian Pritz <bluewind@xinu.at>
To correctly be safe for CVE-2016-1247, we need all nginx log dirs
to be owned by both user and group root. Also, since nginx children
run as http user, the directory permissions must be 0755, so the
http user can descend into it. Since the logrotate will create the
log files as http:log, the nginx children will be able to write to the
logs, but will not be able to create files inside those dirs, fully
preventing CVE-2016-1247.
CVE-2016-1247 is a symlink attack on the log dir of nginx since a
reopening of the logs (triggered by logrotate) opens the logs as nginx
instead of root. logrotate creates the proper log files already so
nginx doesn't need write permissions to those directories.
Signed-off-by: Florian Pritz <bluewind@xinu.at>
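
An audit of the directory layout described in the CVE-2016-1247 commit message above, as an added example that is not part of the repository or its playbooks. The function name `audit_log_dir`, the default path `/var/log/nginx`, and the extra check for symlinks inside the directory are assumptions of this example.

```python
import os
import stat
import sys


def audit_log_dir(path, want_uid=0, want_gid=0):
    """Return findings for one log directory; an empty list means it matches the layout."""
    # lstat so that a symlink planted at the directory path itself is not followed.
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path}: not a real directory"]
    findings = []
    # The commit requires root:root ownership (uid 0, gid 0 by default).
    if (st.st_uid, st.st_gid) != (want_uid, want_gid):
        findings.append(
            f"{path}: owner {st.st_uid}:{st.st_gid}, expected {want_uid}:{want_gid}")
    mode = stat.S_IMODE(st.st_mode)
    # 0755: nobody but the owner may create or replace entries in the directory.
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: mode {mode:04o} is writable by group or other")
    # The worker user still needs the execute bit to descend into the directory.
    if not mode & stat.S_IXOTH:
        findings.append(f"{path}: mode {mode:04o} stops workers from descending")
    # Extra check (assumption of this example): log entries should be regular files.
    with os.scandir(path) as entries:
        for entry in sorted(entries, key=lambda e: e.name):
            if entry.is_symlink():
                findings.append(f"{entry.path}: symlink inside log directory")
    return findings


if __name__ == "__main__":
    # Directories come from the command line; the default path is an assumption.
    dirs = sys.argv[1:] or ["/var/log/nginx"]
    problems = [f for d in dirs for f in audit_log_dir(d)]
    print("\n".join(problems) or "ok")
    sys.exit(1 if problems else 0)
```

The script exits non-zero when any directory deviates, so it can run as a post-deploy check after the playbook.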