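---
# Provisions the public FTP upload host for usegalaxy.eu.
#
# The play does three things, all through the roles listed at the bottom:
#   * obtains and renews a Let's Encrypt certificate for ftp.usegalaxy.eu
#     (certbot, HTTP-01 / webroot challenge, so port 80 must stay reachable);
#   * fronts the host with Apache: plain HTTP is redirected to HTTPS and the
#     HTTPS vhost reverse-proxies a static landing page from GitHub Pages;
#   * runs ProFTPD with FTPS (TLS 1.2 only), authenticating logins against
#     the Galaxy database and using the Galaxy FTP upload directory.
#
# Secrets (DB credentials, etc.) come from the vars_files below and must stay
# vault-encrypted in the repository.
- hosts: ftp
  become: true
  # Empty on purpose: there are no inline tasks, the roles do all the work.
  tasks:
  # NOTE(review): for conflicting keys the later vars_files entry wins, so
  # all.yml overrides ftp.yml here — confirm that is the intended precedence.
  vars_files:
    - "secret_group_vars/ftp.yml"
    - "secret_group_vars/all.yml"
  vars:
    # Left null (not false). How the proftpd role treats null is not visible
    # here; confirm this really disables downloads — the host is meant to be
    # an upload-only drop box for Galaxy.
    proftpd_allow_download:
    hostname: ftp.usegalaxy.eu

    # --- certbot ------------------------------------------------------------
    certbot_auto_renew: true
    # Renewal runs from root's crontab; it needs write access to
    # /etc/letsencrypt and to the webroot below.
    certbot_auto_renew_user: root
    certbot_auto_renew_hour: 17
    certbot_auto_renew_minute: 28
    certbot_environment: production  # use "staging" while testing to avoid rate limits
    certbot_domains:
      - ftp.usegalaxy.eu
    certbot_agree_tos: "--agree-tos"
    # Placeholder left by address redaction on the source page; this must be a
    # real mailbox (Let's Encrypt sends expiry warnings to it).
    certbot_admin_email: "[email protected]"
    # HTTP-01 challenge files are written under the Apache document root; the
    # HTTPS vhost exempts /.well-known/ from proxying for exactly this reason.
    certbot_auto_renew_extra: "--webroot --webroot-path /var/www/html/"
    # NOTE(review): ProFTPD reads the same certificate files (see below) but
    # will not pick up a renewed certificate until it is restarted; confirm a
    # renewal/deploy hook restarts proftpd and reloads apache.

    # --- apache -------------------------------------------------------------
    apache_remove_default_vhost: true
    # Modules required by the vhost directives: rewrite (HTTP->HTTPS), ssl,
    # headers (security headers), proxy/proxy_http (GitHub Pages backend).
    apache_mods_enabled:
      - rewrite
      - ssl
      - headers
      - proxy
      - proxy_http
    # Port-80 vhost: only redirects to HTTPS. Let's Encrypt's HTTP-01
    # validator follows the redirect, so certificate renewal still completes.
    apache_vhosts:
      - servername: "ftp.usegalaxy.eu"
        serveradmin: "[email protected]"
        documentroot: "/var/www/html/"
        extra_parameters: |
          RewriteEngine on
          RewriteCond %{SERVER_NAME} =ftp.usegalaxy.eu
          RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
          ErrorLog ${APACHE_LOG_DIR}/ftp.usegalaxy.eu-error.log
          CustomLog ${APACHE_LOG_DIR}/ftp.usegalaxy.eu-access.log combined
    apache_vhosts_ssl:
      - servername: "ftp.usegalaxy.eu"
        serveradmin: "[email protected]"
        documentroot: "/var/www/html/"
        # TLS 1.2+ only, forward-secret suites.
        apache_ssl_protocol: "All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"
        apache_ssl_cipher_suite: "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
        # NOTE(review): AllowOverride All lets a .htaccess dropped into the
        # document root change server behaviour. Only the certbot challenge
        # directory is served from there, so "None" would be the tighter
        # setting.
        apache_allow_override: "All"
        apache_options: "-Indexes +FollowSymLinks"
        # ProxyPass directives are matched in order, so the /assets/ and
        # /.well-known/ rules must stay ahead of the catch-all "/".
        #
        # NOTE(review): SSLProxyEngine is enabled but no SSLProxyVerify is set,
        # so mod_ssl's default (SSLProxyVerify none) applies and the GitHub
        # Pages certificate is not validated. Adding
        #   SSLProxyVerify require
        #   SSLProxyCACertificateFile <system CA bundle>
        #   SSLProxyCheckPeerName on
        # would prevent a spoofed upstream from serving content under
        # ftp.usegalaxy.eu.
        #
        # NOTE(review): no Strict-Transport-Security header is sent; once the
        # HTTP->HTTPS redirect is known to be permanent, an HSTS header is a
        # natural addition alongside the two headers below.
        extra_parameters: |
          Header always set X-Frame-Options DENY
          Header always set X-Content-Type-Options nosniff
          # Allow https backend connections
          SSLProxyEngine On
          # Pass subdir first
          ProxyPass /assets/ https://usegalaxy-eu.github.io/assets/
          ProxyPassReverse /assets/ https://usegalaxy-eu.github.io/assets/
          # Skip well-known dir for certbot renewal.
          ProxyPass /.well-known/ !
          # Then proxy the index page to a static ftp without header.
          ProxyPass / https://usegalaxy-eu.github.io/ftp/index.html
          ProxyPassReverse / https://usegalaxy-eu.github.io/ftp/index.html
        certificate_file: "/etc/letsencrypt/live/ftp.usegalaxy.eu/cert.pem"
        certificate_key_file: "/etc/letsencrypt/live/ftp.usegalaxy.eu/privkey.pem"
        certificate_chain_file: "/etc/letsencrypt/live/ftp.usegalaxy.eu/chain.pem"

    # --- proftpd ------------------------------------------------------------
    # Must match Galaxy's ftp_upload_dir so uploads appear in the user's
    # Galaxy FTP listing.
    galaxy_ftp_upload_dir: /data/0/incoming/
    galaxy_user: galaxy
    proftpd_display_connect: |
      UFR Galaxy FTP
    # Authenticate FTP logins against the Galaxy user database (the DB
    # connection credentials come from the secret vars files).
    proftpd_galaxy_auth: true
    # Run the daemon as the galaxy user/group after start-up.
    proftpd_options:
      - User: galaxy
      - Group: galaxy
    galaxy_db_schema: galaxy
    # FTPS: TLS 1.2 only, forward-secret AES-128 suites. Same Let's Encrypt
    # key pair as Apache, so proftpd must be able to read /etc/letsencrypt/live.
    proftpd_tls_cipher_suite: AES128+EECDH:AES128+EDH
    proftpd_tls_protocol: TLSv1.2
    proftpd_conf_ssl_certificate: /etc/letsencrypt/live/ftp.usegalaxy.eu/cert.pem
    proftpd_conf_ssl_certificate_key: /etc/letsencrypt/live/ftp.usegalaxy.eu/privkey.pem
    proftpd_conf_ssl_ca_certificate: /etc/letsencrypt/live/ftp.usegalaxy.eu/chain.pem
    proftpd_virtualhosts:
      - id: galaxy
        address: ftp.usegalaxy.eu
        options:
          # Redacted placeholder (see certbot_admin_email); use a real mailbox.
          - ServerAdmin: "[email protected]"
          - ServerName: UFR Galaxy FTP
          - TransferLog: /var/log/proftpd/xfer/ftp.usegalaxy.eu
          # Brute-force limiter: disconnect after three failed logins.
          - MaxLoginAttempts: 3
          # Galaxy accounts are not system accounts and have no login shell.
          - RequireValidShell: false
          # Users may replace files already in their upload directory.
          - AllowOverwrite: true
  # Roles run in list order; the dev-sec hardening roles come last.
  roles:
    - hostname
    - hxr.certbot
    - hxr.admin-tools
    - geerlingguy.apache
    - multinic
    - galaxy
    - galaxy-net
    - autofs
    - galaxyprojectdotorg.proftpd
    - jnv.unattended-upgrades
    - dj-wasabi.telegraf
    - dev-sec.os-hardening
    - dev-sec.ssh-hardening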