932 Commits (master)
 

Author SHA1 Message Date
Alan Orth 67379fc2e4
host_vars/web22: WordPress 6.2 1 month ago
Alan Orth 73546967b6
Pipfile.lock: run pipenv update 1 month ago
Alan Orth 16b661efe1
Pipfile.lock: run pipenv update 2 months ago
Alan Orth fdb9a75489
roles/common: update tarsnap GPG key 2 months ago
Alan Orth 232d7a0348
host_vars/web22: WordPress 6.1.1 6 months ago
Alan Orth 6e4bb5bc34
host_vars/web21: use caddy 7 months ago
Alan Orth c840ffe018
roles/caddy: improve vhost template
Support domain aliases that redirect to the main domain and allow
sites to say they are static sites where they only need a document
root.
7 months ago
Alan Orth 45c9d7ea0a
Pipfile.lock: run pipenv update 7 months ago
Alan Orth a62bc446e8
host_vars/web22: WordPress 6.1 7 months ago
Alan Orth 62a6a491db
host_vars/web23: use caddy 7 months ago
Alan Orth 4867d6da6a
Add basic caddy role 7 months ago
Alan Orth d9f7c7a93b
group_vars/web: set default webserver to nginx
While I'm still getting experience with caddy and adapting it to my
workloads.
7 months ago
Alan Orth bc8c030700
roles/common: update Tarsnap GPG key 7 months ago
Alan Orth f7598d8f1c
Pipfile.lock: run pipenv update 7 months ago
Alan Orth c353e84a84
site.yml: use fully-qualified modules 7 months ago
Alan Orth 99ca23f258
Pipfile.lock: run pipenv update 8 months ago
Alan Orth b663d27fd8
roles/common: rework firewall_Debian.yml playbook
Use newer Ansible task format, move from apt to package module, and
do package installs in one transaction using a list instead of a
loop.
9 months ago
Alan Orth 67c99dacf6
roles/common: rework firewall_Ubuntu.yml playbook
Use newer Ansible task format, move from apt to package module, and
do package installs in one transaction using a list instead of a loop.
9 months ago
Alan Orth 4abf2b10e4
ansible.cfg: smart fact gathering 9 months ago
Alan Orth f5199264f9
ansible.cfg: disable SSH host key checking 9 months ago
Alan Orth b259f09cbd
roles/common: add SSH public key from other machine 9 months ago
Alan Orth f4b32e516b
roles/mariadb: use newer Ansible task syntax 9 months ago
Alan Orth fcb12ecee0
roles/mariadb: remove sources.list template 9 months ago
Alan Orth 5bc03ceacc
roles/mariadb: install packages in single transaction
Using a list we can install these in a single apt transaction. Also
use the newer task format.
9 months ago
Alan Orth c317429f6d
roles/mariadb: rework package signing key and repo 9 months ago
Alan Orth b512a7f765
roles/common: create /etc/apt/keyrings
According to the Debian docs for third-party repositories we must
create this manually on distros before Debian 12 and Ubuntu 22.04.
This is due to changes in apt-secure and the deprecation of apt-key.

See: https://wiki.debian.org/DebianRepository/UseThirdParty
9 months ago
Alan Orth e3a87d4f79
roles/mariadb: MariaDB 10.6
See: https://mariadb.com/kb/en/mariadb-1069-release-notes/
See: https://mariadb.com/kb/en/upgrading-from-mariadb-105-to-mariadb-106/
9 months ago
Alan Orth dec2d50fbc
host_vars/web22: WordPress 6.0.2 9 months ago
Alan Orth 34be0013b7
Remove Debian 10 support 9 months ago
Alan Orth 399585f4e7
roles: don't compare literal true and false
I changed these yesterday when editing the truthy values, but
according to ansible-lint we can just rely on them being true or false
without comparing.
9 months ago
Alan Orth 0240897b1b
Remove Ubuntu 18.04 support 9 months ago
Alan Orth 1da0da53ec
roles: use longer format for when conditionals
When the condition is an AND we can use this more succinct format.
9 months ago
Alan Orth 677cc9f160
roles/php-fpm: fix truthy-ness in when 9 months ago
Alan Orth ffe7a872dd
roles: strict truthy values
According to Ansible we can use yes, true, True, "or any quoted
string" for a boolean true, but ansible-lint wants us to use either
true or false.

See: https://chronicler.tech/red-hat-ansible-yes-no-and/
9 months ago
Alan Orth 95d0005978
Add ansible-lint 9 months ago
Alan Orth 498766fdc4
Pipfile.lock: run pipenv update 9 months ago
Alan Orth fc0fcc5742
roles/common: fix unnamed blocks 9 months ago
Alan Orth 587bd6dcdd
roles: use fully qualified module names 9 months ago
Alan Orth 92a4c72809
Pipfile.lock: run pipenv update 10 months ago
Alan Orth a2d61abba2
roles/mariadb: update mirror
I started getting 'does not have a Release file' for the old
repository. Not sure why.
10 months ago
Alan Orth d2a5a28809
Pipfile.lock: run pipenv update 10 months ago
Alan Orth 84c0589aee
host_vars/web22: WordPress 5.9.2 1 year ago
Alan Orth 2961578a54
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml

Then I formatted the nftables files manually. Meh...
1 year ago
Alan Orth 4d74f76b3c
Pipfile.lock: run pipenv update 1 year ago
Alan Orth 9e737466c5
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml

Then I formatted the nftables files manually. Meh...
1 year ago
Alan Orth 0ffb1b1a36
roles/common: use pyinotify backend for nginx fail2ban jail
This seems to be automatically selected, but on some other servers
I notice it is not. I will set it here explicitly so fail2ban does
not fall back to the inefficient "polling" or incorrect "systemd"
backends.
1 year ago
Alan Orth 68f0b85eb3
Pipfile.lock: run pipenv update 1 year ago
Alan Orth ebbde530d2
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml

Then I created the nftables files manually. Meh...
1 year ago
Alan Orth ab47df6031
Use Python 3.10 with pipenv 1 year ago
Alan Orth de75b2ffb6
host_vars/web22: WordPress 5.8.2 2 years ago