From 62c00bba0f4fdaeca96a9055b34d36b89cc8e34a Mon Sep 17 00:00:00 2001
From: Joshua Lusk
Date: Tue, 26 May 2026 09:09:48 -0400
Subject: add http playbook
---
 Makefile | 4 ++
 README.md | 1 +
 playbooks/bootstrap.yaml | 4 +-
 playbooks/files/nginx.conf | 83 +++++++++++++++++++++++++++++
 playbooks/http.yaml | 81 ++++++++++++++++++++++++++++
 playbooks/tasks/test_and_restart_nginx.yaml | 10 ++++
 playbooks/templates/nginx/http.conf.j2 | 16 ++++++
 playbooks/templates/ssh.socket.conf.j2 | 3 --
 playbooks/templates/ssh/hardening.conf.j2 | 4 ++
 playbooks/templates/ssh/listen.conf.j2 | 3 ++
 playbooks/templates/sshd_hardening.conf.j2 | 4 --
 11 files changed, 204 insertions(+), 9 deletions(-)
 create mode 100644 playbooks/files/nginx.conf
 create mode 100644 playbooks/http.yaml
 create mode 100644 playbooks/tasks/test_and_restart_nginx.yaml
 create mode 100644 playbooks/templates/nginx/http.conf.j2
 delete mode 100644 playbooks/templates/ssh.socket.conf.j2
 create mode 100644 playbooks/templates/ssh/hardening.conf.j2
 create mode 100644 playbooks/templates/ssh/listen.conf.j2
 delete mode 100644 playbooks/templates/sshd_hardening.conf.j2
diff --git a/Makefile b/Makefile
index 154808b..88a2f75 100644
--- a/Makefile
+++ b/Makefile
@@ -33,3 +33,7 @@ bootstrap:
 .PHONY: security
 security:
 $(BIN)/ansible-playbook -e @vault.yaml playbooks/security.yaml
+
+.PHONY: http
+http:
+ $(BIN)/ansible-playbook -e @vault.yaml playbooks/http.yaml
diff --git a/README.md b/README.md
index e2dd777..9ad0779 100644
--- a/README.md
+++ b/README.md
@@ -34,6 +34,7 @@ _Listed in applicable order._
 | ----------------------- | ------------------ |
 | `bootstrap`* | Bootstrap access |
 | `security` | Security hardening |
+| `http` | Web server |
 ### *Pre-bootstraped targets
diff --git a/playbooks/bootstrap.yaml b/playbooks/bootstrap.yaml
index 73da248..3f5f872 100644
--- a/playbooks/bootstrap.yaml
+++ b/playbooks/bootstrap.yaml
@@ -4,7 +4,7 @@
 tasks:
 - name: Configure ssh hardening
 ansible.builtin.template:
- src: sshd_hardening.conf.j2
+ src: ssh/hardening.conf.j2
 dest: /etc/ssh/sshd_config.d/99-hardening.conf
 mode: "0644"
 backup: true
@@ -13,7 +13,7 @@
 - name: Configure ssh socket port
 ansible.builtin.template:
- src: ssh.socket.conf.j2
+ src: ssh/listen.conf.j2
 dest: /etc/systemd/system/ssh.socket.d/10-listen.conf
 mode: "0644"
 backup: true
diff --git a/playbooks/files/nginx.conf b/playbooks/files/nginx.conf
new file mode 100644
index 0000000..6e7d27f
--- /dev/null
+++ b/playbooks/files/nginx.conf
@@ -0,0 +1,83 @@
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+error_log /var/log/nginx/error.log;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+ worker_connections 768;
+ # multi_accept on;
+}
+
+http {
+
+ ##
+ # Basic Settings
+ ##
+
+ sendfile on;
+ tcp_nopush on;
+ types_hash_max_size 2048;
+ # server_tokens off;
+
+ # server_names_hash_bucket_size 64;
+ # server_name_in_redirect off;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ ##
+ # SSL Settings
+ ##
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
+ ssl_prefer_server_ciphers on;
+
+ ##
+ # Logging Settings
+ ##
+
+ access_log /var/log/nginx/access.log;
+
+ ##
+ # Gzip Settings
+ ##
+
+ gzip on;
+
+ gzip_vary on; # <- uncommented
+ gzip_proxied any; # <- uncommented
+ gzip_comp_level 6; # <- uncommented
+ gzip_buffers 16 8k; # <- uncommented
+ gzip_http_version 1.1; # <- uncommented
+ gzip_types text/plain text/css application/json application/javascript image/avif text/xml application/xml application/xml+rss text/javascript; # <- uncommented
+
+ ##
+ # Virtual Host Configs
+ ##
+
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*;
+}
+
+
+#mail {
+# # See sample authentication script at:
+# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
+#
+# # auth_http localhost/auth.php;
+# # pop3_capabilities "TOP" "USER";
+# # imap_capabilities "IMAP4rev1" "UIDPLUS";
+#
+# server {
+# listen localhost:110;
+# protocol pop3;
+# proxy on;
+# }
+#
+# server {
+# listen localhost:143;
+# protocol imap;
+# proxy on;
+# }
+#}
diff --git a/playbooks/http.yaml b/playbooks/http.yaml
new file mode 100644
index 0000000..3c43e2f
--- /dev/null
+++ b/playbooks/http.yaml
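Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;` in the SSL Settings section still enables TLS 1.0 and 1.1, which are deprecated and should not be offered by a freshly written config; change it to `ssl_protocols TLSv1.2 TLSv1.3;`. In the Basic Settings section `# server_tokens off;` is left commented out, so nginx reports its version in the Server header and on error pages; uncomment it. The trailing `# <- uncommented` markers describe the edit rather than the setting and will stop being true once the file drifts further from what appears to be the Debian default; a single header comment such as `# Debian stock nginx.conf with gzip enabled` says the same thing more durably.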
@@ -0,0 +1,81 @@
+- name: Web server
+ hosts: hollyhock
+ become: true
+ tasks:
+ - name: Install nginx
+ ansible.builtin.apt:
+ name: nginx
+ state: present
+ update_cache: true
+
+ - name: Start and enable nginx
+ ansible.builtin.systemd:
+ name: nginx
+ state: started
+ enabled: true
+
+ - name: Configure nginx
+ ansible.builtin.copy:
+ src: nginx.conf
+ dest: /etc/nginx/nginx.conf
+ mode: "0644"
+ backup: true
+ notify: Test and restart nginx
+
+ - name: Create log directories
+ ansible.builtin.file:
+ path: "/var/log/nginx/{{ item.name }}"
+ state: directory
+ owner: "{{ nginx_user }}"
+ group: "{{ nginx_log_group }}"
+ mode: "0755"
+ loop: "{{ sites }}"
+
+ - name: Copy initial http-only sites
+ ansible.builtin.template:
+ src: nginx/http.conf.j2
+ dest: "/etc/nginx/sites-available/{{ item.name }}-http"
+ mode: "0644"
+ loop: "{{ sites }}"
+ notify: Test and restart nginx
+
+ - name: Check if initial https sites have been enabled
+ ansible.builtin.stat:
+ path: "/etc/nginx/sites-enabled/{{ item.name }}-https"
+ register: https_sites
+ loop: "{{ sites }}"
+
+ - name: Check if final sites have been enabled
+ ansible.builtin.stat:
+ path: "/etc/nginx/sites-enabled/{{ item.name }}"
+ register: final_sites
+ loop: "{{ sites }}"
+
+ - name: Enable initial http-only sites
+ ansible.builtin.file:
+ src: "/etc/nginx/sites-available/{{ item.name }}-http"
+ dest: "/etc/nginx/sites-enabled/{{ item.name }}-http"
+ state: link
+ loop: "{{ sites }}"
+ loop_control:
+ index_var: index
+ when:
+ - not https_sites.results[index].stat.exists
+ - not final_sites.results[index].stat.exists
+ notify: Test and restart nginx
+
+ - name: Disable default nginx site
+ ansible.builtin.file:
+ path: /etc/nginx/sites-enabled/default
+ state: absent
+ notify: Test and restart nginx
+
+ - name: Allow http traffic through firewall
+ community.general.ufw:
+ rule: allow
+ port: 80
+ proto: tcp
+
+ handlers:
+ - name: Test and restart nginx
+ ansible.builtin.include_tasks: 
tasks/test_and_restart_nginx.yaml
diff --git a/playbooks/tasks/test_and_restart_nginx.yaml b/playbooks/tasks/test_and_restart_nginx.yaml
new file mode 100644
index 0000000..626db1d
--- /dev/null
+++ b/playbooks/tasks/test_and_restart_nginx.yaml
@@ -0,0 +1,10 @@
+- name: Test nginx configuration
+ ansible.builtin.command: nginx -t
+ register: nginx_config_test
+ changed_when: false
+
+- name: Restart nginx
+ ansible.builtin.systemd:
+ name: nginx
+ state: restarted
+ when: nginx_config_test.rc == 0
diff --git a/playbooks/templates/nginx/http.conf.j2 b/playbooks/templates/nginx/http.conf.j2
new file mode 100644
index 0000000..3657d35
--- /dev/null
+++ b/playbooks/templates/nginx/http.conf.j2
@@ -0,0 +1,16 @@
+server {
+ server_name {{ item.domains | join(' ') }};
+
+ listen 80;
+ listen [::]:80;
+
+ root /var/www/html;
+ index index.nginx-debian.html;
+
+ location / {
+ try_files $uri $uri/ =404;
+ }
+
+ access_log /var/log/nginx/{{ item.name }}/access.log;
+ error_log /var/log/nginx/{{ item.name }}/error.log;
+}
diff --git a/playbooks/templates/ssh.socket.conf.j2 b/playbooks/templates/ssh.socket.conf.j2
deleted file mode 100644
index 48c68dd..0000000
--- a/playbooks/templates/ssh.socket.conf.j2
+++ /dev/null
@@ -1,3 +0,0 @@
-[Socket]
-ListenStream=
-ListenStream={{ ssh_port }}
diff --git a/playbooks/templates/ssh/hardening.conf.j2 b/playbooks/templates/ssh/hardening.conf.j2
new file mode 100644
index 0000000..77815bd
--- /dev/null
+++ b/playbooks/templates/ssh/hardening.conf.j2
@@ -0,0 +1,4 @@
+Port {{ ssh_port }}
+PasswordAuthentication no
+KbdInteractiveAuthentication no
+PermitRootLogin no
diff --git a/playbooks/templates/ssh/listen.conf.j2 b/playbooks/templates/ssh/listen.conf.j2
new file mode 100644
index 0000000..48c68dd
--- /dev/null
+++ b/playbooks/templates/ssh/listen.conf.j2
@@ -0,0 +1,3 @@
+[Socket]
+ListenStream=
+ListenStream={{ ssh_port }}
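Review bot: The play reads `sites`, `nginx_user` and `nginx_log_group` but nothing in this patch defines them and the Makefile target only passes `vault.yaml`, so the expected variables are undocumented; a comment at the top of the play listing them — in particular that each `sites` entry needs `name` and `domains`, which the template relies on — would save the next person a failed run. `Start and enable nginx` runs before `Configure nginx` and before the default site is removed, so on a first run nginx comes up briefly on the stock config and default vhost; moving the start task below the configuration tasks avoids that window and leaves the handler as the only restart path. The ufw task opens 80/tcp from any source, which is what a public web server needs, but a one-line comment stating that intent (and that the https side is expected to follow) makes the rule reviewable later.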
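Review bot: The `when: nginx_config_test.rc == 0` guard on `Restart nginx` can never be false as written: `ansible.builtin.command` fails the task on a non-zero exit, so a broken config aborts the handler run before the restart task is reached. If the intent is to skip the restart instead of failing the play, the test task needs `failed_when: false` alongside `changed_when: false`; if the intent is to fail loudly, the `when` is dead and should be dropped so the next reader does not assume a fallback exists. Either way the bad file is already on disk by the time the handler runs — adding `validate: nginx -t -c %s` to the `Configure nginx` copy task in http.yaml rejects a broken nginx.conf before it replaces the live one.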
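Review bot: `server_name {{ item.domains | join(' ') }};` renders as `server_name ;` when a site's `domains` list is empty, which `nginx -t` rejects, so one bad inventory entry takes down the handler run for every site; a `{% if item.domains %}` guard in the template, or an `ansible.builtin.assert` on `sites` in the play, fails earlier with a clearer message. Every rendered vhost also shares `root /var/www/html` and `index index.nginx-debian.html`, so all http-only sites serve the same placeholder page; if this template is only a bootstrap step ahead of the `-https` and final sites that http.yaml checks for, a header comment such as `# Initial http-only vhost; replaced once the https site is enabled` would make that lifecycle explicit.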
diff --git a/playbooks/templates/sshd_hardening.conf.j2 b/playbooks/templates/sshd_hardening.conf.j2
deleted file mode 100644
index 77815bd..0000000
--- a/playbooks/templates/sshd_hardening.conf.j2
+++ /dev/null
@@ -1,4 +0,0 @@
-Port {{ ssh_port }}
-PasswordAuthentication no
-KbdInteractiveAuthentication no
-PermitRootLogin no
-- 
cgit v1.2.3