73fd06fe3a
roles/common: remove cron-apt
...
Use unattended-upgrades instead. It has sane defaults on Debian at
least (I haven't checked Ubuntu).
2025-04-07 09:51:09 +03:00
88cb3a370e
Remove logic for Ubuntu 20.04 and Debian 11
2025-03-29 23:09:44 +03:00
027a43ddbe
roles/caddy: use default for encode
2025-03-29 22:49:30 +03:00
bb30c3be20
host_vars/web22: update vhosts
2025-03-29 22:48:19 +03:00
d8d9790d21
roles/nginx: enable nginx ssl_session_tickets
...
This has apparently been supported since nginx 1.23.2 and is safe
to use the default (on) now.
See: https://github.com/mozilla/server-side-tls/issues/284
2025-03-29 22:35:56 +03:00
9a500ebc0d
roles/nginx: disable nginx ssl_prefer_server_ciphers
...
This is apparently the default and recommended by Mozilla's server-
side SSL configurator also recommends. This lets the client choose
the ciphers best for them (and the ciphers in TLS 1.2 and 1.3 are
not currently known to be dangerous).
2025-03-29 22:34:41 +03:00
4bae942585
roles/nginx: add nginx ssl_ecdh_curve
...
This seems to be new since I last looked at the Mozilla server-side
SSL configurator.
2025-03-29 22:34:37 +03:00
99866c0c90
roles/nginx: use one day for nginx ssl_session_timeout
...
This is a new default since I last looked at the Mozilla server-side
SSL configurator.
2025-03-29 22:34:32 +03:00
0afb8a4493
roles/nginx: update nginx ssl_buffer_size
...
The old default has not been changed in eight years and I see that
there have been some discussions over the years about this. I will
change this from the slightly extreme 1400 bytes to 4k (nginx def-
ault is still 16k so this is more "optimal" for HTML/CSS content).
See: https://github.com/igrigorik/istlsfastyet.com/issues/63
2025-03-29 22:34:27 +03:00
506695da31
roles/nginx/defaults: update version comments
2025-03-29 22:24:49 +03:00
f67ed7762c
roles/nginx: fix http2 syntax
2025-03-29 22:20:49 +03:00
014f4d9502
roles/nginx: add newline
2025-03-29 22:19:41 +03:00
22c16e1ed3
roles/caddy/templates: closer to supporting WordPress
...
I still wouldn't want to deploy WordPress on Caddy until it's more
obvious and standard to block paths that shouldn't be accessible.
It seems that this is still left as an exercise to the site admin.
This discussion has some tips, but it is four years old and hasn't
changed since I last looked.
See: https://caddy.community/t/using-caddy-to-harden-wordpress/13575
2025-03-29 22:09:37 +03:00
5aa6a33e51
roles/php-fpm: set user and group based on webserver
...
We use either caddy or nginx, which are conveniently named the same
as the Unix user and group.
2025-03-29 21:01:56 +03:00
7f9b06af9c
roles/nginx: smarter setting of document root
2025-03-29 19:34:53 +03:00
84db337fea
roles/caddy: smarter setting of document root
2025-03-29 19:33:02 +03:00
7b23f5f94f
roles/caddy: add missing tag
2025-03-29 19:16:03 +03:00
9830338be3
Use one default root prefix for nginx and caddy
2025-03-29 19:15:56 +03:00
e3eed26765
roles/caddy: update vhost template
2025-03-29 18:37:28 +03:00
8b31c7e148
host_vars/web22: WordPress 6.7.2
2025-03-29 16:10:23 +03:00
3ff8043aaf
Pipfile.lock: run pipenv update
2025-03-29 15:30:08 +03:00
cb79f7ef70
roles/common: minor change to firehol update script
...
They include bogons like 127.0.0.1 that should not be routed on the
public Internet, but this blocks local applications we proxy to.
2025-01-28 09:14:48 +03:00
bb14f05d2a
roles/common: use Ansible timezone module
...
No need to use a command for that. The module does it better because
it doesn't register a change unless the timezone changes.
2025-01-27 23:11:56 +03:00
5b1530fa91
roles/common: rework firewall
...
Use firehol instead of all the others. AbuseIPDB.com can't be upd-
ated automatically, Abuse.ch is no longer maintained, and Spamhaus
is already in firehol.
2025-01-27 23:05:45 +03:00
5312dc6bd5
roles/common: use common nftables task
...
Use a common nftables task on Debian and Ubuntu.
2025-01-27 23:05:38 +03:00
d6e060d3af
roles/common: simplify firewall tasks
...
Apply firewall tag to included tasks, then we don't need to use a
block.
2025-01-27 22:30:50 +03:00
b873af004a
roles/common: single firewall task include
...
Use one include from the main tasks file.
2025-01-27 22:28:27 +03:00
7ea3ab46f8
host_vars/web22: WordPress 6.7.1
2025-01-27 21:48:16 +03:00
0561bd5b52
Pipfile.lock: run pipenv update
2025-01-27 21:36:13 +03:00
d62572f02c
Pipfile: python 3.13
2025-01-27 21:35:58 +03:00
2ffe5e87d9
host_vars/web22: WordPress 6.6.2
2024-12-30 11:03:47 +03:00
38d4f1a303
Pipfile.lock: run pipenv update
2024-12-30 11:03:35 +03:00
ed8cb88038
host_vars/web22: WordPress 6.5.5
2024-06-25 08:18:22 +03:00
c31e447861
roles/nginx: update signing key
2024-06-25 08:11:59 +03:00
545684467c
host_vars/nomad03: remove
2024-06-05 20:35:29 +03:00
24ae5eaab1
host_vars/web22: WordPress 6.5.3
2024-05-13 14:51:45 +03:00
dac23f1427
Pipfile: use Python 3.12
2024-05-13 14:51:34 +03:00
41fbc73dd1
host_vars/web22: WordPress 6.4.3
2024-03-20 20:28:13 +03:00
fee794bcf0
Update Pipfile
2024-03-20 20:28:00 +03:00
8bce1d8b1b
host_vars/web22: WordPress 6.4.1
2023-12-02 22:40:06 +03:00
6dc2ea36b6
roles/nginx: fix path to php 8.2 socket
2023-09-11 19:55:24 +03:00
af71a9b5f8
roles/php-fpm: remove fmt strings
...
Ansible confuses them for jinja2 tokens.
2023-09-11 19:52:18 +03:00
4dd57803e2
roles/php-fpm: fix user/group for php 8.2 configs
2023-09-11 19:51:59 +03:00
18d4245fc0
roles/common: fix tarsnap signing of apt repo
2023-09-11 19:37:49 +03:00
1bddf3cccd
Pipfile.lock: run pipenv update
2023-09-11 18:52:25 +03:00
20dbe61fe1
roles/mariadb: use MariaDB 10.11
...
The server has already been updated from 10.6 to 10.11.
See: https://mariadb.com/kb/en/upgrading-from-mariadb-10-6-to-mariadb-10-11/
2023-09-10 22:53:10 +03:00
899e87321b
host_vars/web22: WordPress 6.3.1
2023-09-10 22:44:23 +03:00
06416a3b64
roles: run ansible-lint --write
2023-08-23 22:22:51 +03:00
7a9a24ef5d
roles/common: rework fail2ban again
...
Actually, we do want to run fail2ban on all hosts because the sshd
monitoring via systemd is nice. At the very least it reduces spam
from failed logins in our systemd journal.
2023-08-23 22:15:24 +03:00
067adcd9f5
roles/common: rework fail2ban tasks
...
We can only run fail2ban when we have logs to monitor. When a host
is running Caddy we don't have logs, so fail2ban doesn't have any-
thing to monitor out of the box. For now I will restrict the task
to hosts running nginx.
2023-08-23 21:59:28 +03:00
