73fd06fe3a
roles/common: remove cron-apt
...
Use unattended-upgrades instead. It has sane defaults on Debian at
least (I haven't checked Ubuntu).
2025-04-07 09:51:09 +03:00
88cb3a370e
Remove logic for Ubuntu 20.04 and Debian 11
2025-03-29 23:09:44 +03:00
027a43ddbe
roles/caddy: use default for encode
2025-03-29 22:49:30 +03:00
d8d9790d21
roles/nginx: enable nginx ssl_session_tickets
...
This has apparently been supported since nginx 1.23.2 and is safe
to use the default (on) now.
See: https://github.com/mozilla/server-side-tls/issues/284
2025-03-29 22:35:56 +03:00
9a500ebc0d
roles/nginx: disable nginx ssl_prefer_server_ciphers
...
This is apparently the default and recommended by Mozilla's server-
side SSL configurator also recommends. This lets the client choose
the ciphers best for them (and the ciphers in TLS 1.2 and 1.3 are
not currently known to be dangerous).
2025-03-29 22:34:41 +03:00
4bae942585
roles/nginx: add nginx ssl_ecdh_curve
...
This seems to be new since I last looked at the Mozilla server-side
SSL configurator.
2025-03-29 22:34:37 +03:00
99866c0c90
roles/nginx: use one day for nginx ssl_session_timeout
...
This is a new default since I last looked at the Mozilla server-side
SSL configurator.
2025-03-29 22:34:32 +03:00
0afb8a4493
roles/nginx: update nginx ssl_buffer_size
...
The old default has not been changed in eight years and I see that
there have been some discussions over the years about this. I will
change this from the slightly extreme 1400 bytes to 4k (nginx def-
ault is still 16k so this is more "optimal" for HTML/CSS content).
See: https://github.com/igrigorik/istlsfastyet.com/issues/63
2025-03-29 22:34:27 +03:00
506695da31
roles/nginx/defaults: update version comments
2025-03-29 22:24:49 +03:00
f67ed7762c
roles/nginx: fix http2 syntax
2025-03-29 22:20:49 +03:00
014f4d9502
roles/nginx: add newline
2025-03-29 22:19:41 +03:00
22c16e1ed3
roles/caddy/templates: closer to supporting WordPress
...
I still wouldn't want to deploy WordPress on Caddy until it's more
obvious and standard to block paths that shouldn't be accessible.
It seems that this is still left as an exercise to the site admin.
This discussion has some tips, but it is four years old and hasn't
changed since I last looked.
See: https://caddy.community/t/using-caddy-to-harden-wordpress/13575
2025-03-29 22:09:37 +03:00
5aa6a33e51
roles/php-fpm: set user and group based on webserver
...
We use either caddy or nginx, which are conveniently named the same
as the Unix user and group.
2025-03-29 21:01:56 +03:00
7f9b06af9c
roles/nginx: smarter setting of document root
2025-03-29 19:34:53 +03:00
84db337fea
roles/caddy: smarter setting of document root
2025-03-29 19:33:02 +03:00
7b23f5f94f
roles/caddy: add missing tag
2025-03-29 19:16:03 +03:00
9830338be3
Use one default root prefix for nginx and caddy
2025-03-29 19:15:56 +03:00
e3eed26765
roles/caddy: update vhost template
2025-03-29 18:37:28 +03:00
cb79f7ef70
roles/common: minor change to firehol update script
...
They include bogons like 127.0.0.1 that should not be routed on the
public Internet, but this blocks local applications we proxy to.
2025-01-28 09:14:48 +03:00
bb14f05d2a
roles/common: use Ansible timezone module
...
No need to use a command for that. The module does it better because
it doesn't register a change unless the timezone changes.
2025-01-27 23:11:56 +03:00
5b1530fa91
roles/common: rework firewall
...
Use firehol instead of all the others. AbuseIPDB.com can't be upd-
ated automatically, Abuse.ch is no longer maintained, and Spamhaus
is already in firehol.
2025-01-27 23:05:45 +03:00
5312dc6bd5
roles/common: use common nftables task
...
Use a common nftables task on Debian and Ubuntu.
2025-01-27 23:05:38 +03:00
d6e060d3af
roles/common: simplify firewall tasks
...
Apply firewall tag to included tasks, then we don't need to use a
block.
2025-01-27 22:30:50 +03:00
b873af004a
roles/common: single firewall task include
...
Use one include from the main tasks file.
2025-01-27 22:28:27 +03:00
c31e447861
roles/nginx: update signing key
2024-06-25 08:11:59 +03:00
6dc2ea36b6
roles/nginx: fix path to php 8.2 socket
2023-09-11 19:55:24 +03:00
af71a9b5f8
roles/php-fpm: remove fmt strings
...
Ansible confuses them for jinja2 tokens.
2023-09-11 19:52:18 +03:00
4dd57803e2
roles/php-fpm: fix user/group for php 8.2 configs
2023-09-11 19:51:59 +03:00
18d4245fc0
roles/common: fix tarsnap signing of apt repo
2023-09-11 19:37:49 +03:00
20dbe61fe1
roles/mariadb: use MariaDB 10.11
...
The server has already been updated from 10.6 to 10.11.
See: https://mariadb.com/kb/en/upgrading-from-mariadb-10-6-to-mariadb-10-11/
2023-09-10 22:53:10 +03:00
06416a3b64
roles: run ansible-lint --write
2023-08-23 22:22:51 +03:00
7a9a24ef5d
roles/common: rework fail2ban again
...
Actually, we do want to run fail2ban on all hosts because the sshd
monitoring via systemd is nice. At the very least it reduces spam
from failed logins in our systemd journal.
2023-08-23 22:15:24 +03:00
067adcd9f5
roles/common: rework fail2ban tasks
...
We can only run fail2ban when we have logs to monitor. When a host
is running Caddy we don't have logs, so fail2ban doesn't have any-
thing to monitor out of the box. For now I will restrict the task
to hosts running nginx.
2023-08-23 21:59:28 +03:00
84d210cfab
roles/common: re-format handlers
...
Use the newer Ansible format.
2023-08-23 21:35:28 +03:00
17736a4f14
roles/common: run ansible-lint --write
2023-08-23 21:33:22 +03:00
b9e91c4a3d
roles/common: minor updates to tarsnap task
...
Use modern Ansible task format
2023-08-23 21:20:22 +03:00
51c95e5d4c
roles/common: update tarsnap task
...
Update tarsnap task to use apt signed-by for package signing keys
instead of adding keys directly to apt-key.
2023-08-23 21:18:27 +03:00
8dbec29d2a
roles/nginx: prepare letsencrypt task for Debian 12
2023-08-23 21:01:12 +03:00
d3bf3dab04
roles/php-fpm: add support for PHP 8.2
...
This is used in Debian 12.
2023-08-23 20:56:35 +03:00
e86ccc9979
roles/nginx: minor rework of apt key stuff
2023-08-22 21:33:19 +03:00
14d57fc477
roles/nginx: reformat main tasks
2023-08-10 22:44:47 +02:00
5c39f1abd8
roles/common: minor changes to Debian sshd_config files
2023-08-10 22:10:04 +02:00
6794eb0432
roles/common: default to disabling SSH passwords
2023-08-10 22:09:03 +02:00
b106f9d9e5
roles/common: ignore apt sources.list on Scaleway
...
While testing Debian 12 on Scaleway I noticed their apt sources.list
is in some weird format I've never seen before, so let's skip it on
those hosts.
2023-08-10 08:08:42 +02:00
d280859b0d
roles/common: minor updates to Debian 11 sshd_config
2023-08-09 21:55:04 +02:00
bca1629d2f
Minor comment updates for Debian 12
2023-08-09 21:51:53 +02:00
4fa82faf18
roles/common: adjust sshd_config for Debian 12
...
Adjust sshd_config based on ssh-audit profile for OpenSSH 9.2.
2023-08-09 21:27:19 +02:00
b8f0b4b1fb
roles/common: add vanilla sshd_config for Debian 12
2023-08-09 21:16:50 +02:00
446d402778
roles: minor fix to Debian version comparisons
2023-07-27 18:48:07 +03:00
fdb9a75489
roles/common: update tarsnap GPG key
2023-04-14 10:09:11 -07:00
