Fix pip installation and SSH ciphers used

2018-12-11 18:16:46 +03:00 · 2018-12-11 18:16:46 +03:00 · cb35692e1a
parent 3b4e630408
commit cb35692e1a
2 changed files with 11 additions and 21 deletions
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@ -3,17 +3,10 @@
  package: name=nginx state=present
  tags: nginx

- name: Install Pip (Ubuntu)
+- name: Install Pip
  package:
-    name: "python3-pip"
+    name: "{{ (ansible_python_interpreter | default ('python')).split('/')[-1] }}-pip"
    state: present
-  when: ansible_os_family == "Debian"
-
- name: Install Pip (CentOS)
-  package:
-    name: "python-pip"
-    state: present
-  when: ansible_os_family == "RedHat"

 - name: Ensure OpenSSL dependencies are installed (Ubuntu)
  package:
@ -37,18 +30,11 @@
    - python-devel
  when: ansible_os_family == "RedHat"
  
- name: Install pyOpenSSL (Ubuntu).
+- name: Install pyOpenSSL
  pip:
-    executable: pip3
+    executable: "{{ ansible_pip | default('pip') }}"
    name: pyOpenSSL
    state: present
-  when: ansible_os_family == "Debian"
- 
- name: Install pyOpenSSL (Centos).                                                                      
-  pip:                                                                                                                                  
-    name: pyOpenSSL                                                                                                                     
-    state: present 
-  when: ansible_os_family == "RedHat" 

 - name: Create directory for nginx SSL certificates
  file: path=/etc/nginx/ssl state=directory mode=0755
@ -65,11 +51,15 @@
    size: 4096
  when: not cert_file_check.stat.exists

+- name: Get public IP
+  ipify_facts:
+  register: public_ip
+
 - name: Generate SSL certificate request
  openssl_csr:
    path: /etc/nginx/ssl/server.csr
    privatekey_path: /etc/nginx/ssl/server.key
-    common_name: "{{ ansible_host }}"
+    common_name: "{{ public_ip }}"
  when: not cert_file_check.stat.exists

 - name: Generate self-signed SSL certificate
--- a/roles/preconf/tasks/ssh.yml
+++ b/roles/preconf/tasks/ssh.yml
@ -4,8 +4,8 @@
    path: /etc/ssh/sshd_config
    insertafter: '^ServerKeyBits'
    content: |
-      Ciphers aes256-ctr,aes192-ctr,aes128-ctr
-      MACs hmac-sha1,hmac-ripemd160
+      Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+      MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
  notify:
    - restart sshd