660 Commits

Author SHA1 Message Date
88cb3a370e
Remove logic for Ubuntu 20.04 and Debian 11 2025-03-29 23:09:44 +03:00
027a43ddbe
roles/caddy: use default for encode 2025-03-29 22:49:30 +03:00
d8d9790d21
roles/nginx: enable nginx ssl_session_tickets
This has apparently been supported since nginx 1.23.2 and is safe
to use the default (on) now.

See: https://github.com/mozilla/server-side-tls/issues/284
2025-03-29 22:35:56 +03:00
9a500ebc0d
roles/nginx: disable nginx ssl_prefer_server_ciphers
This is apparently the default and is also what Mozilla's server-side
SSL configurator recommends. This lets the client choose the ciphers
best for them (and the ciphers in TLS 1.2 and 1.3 are not currently
known to be dangerous).
2025-03-29 22:34:41 +03:00
4bae942585
roles/nginx: add nginx ssl_ecdh_curve
This seems to be new since I last looked at the Mozilla server-side
SSL configurator.
2025-03-29 22:34:37 +03:00
99866c0c90
roles/nginx: use one day for nginx ssl_session_timeout
This is a new default since I last looked at the Mozilla server-side
SSL configurator.
2025-03-29 22:34:32 +03:00
0afb8a4493
roles/nginx: update nginx ssl_buffer_size
The old default has not been changed in eight years and I see that
there have been some discussions over the years about this. I will
change this from the slightly extreme 1400 bytes to 4k (nginx default
is still 16k so this is more "optimal" for HTML/CSS content).

See: https://github.com/igrigorik/istlsfastyet.com/issues/63
2025-03-29 22:34:27 +03:00
506695da31
roles/nginx/defaults: update version comments 2025-03-29 22:24:49 +03:00
f67ed7762c
roles/nginx: fix http2 syntax 2025-03-29 22:20:49 +03:00
014f4d9502
roles/nginx: add newline 2025-03-29 22:19:41 +03:00
22c16e1ed3
roles/caddy/templates: closer to supporting WordPress
I still wouldn't want to deploy WordPress on Caddy until it's more
obvious and standard to block paths that shouldn't be accessible.
It seems that this is still left as an exercise to the site admin.

This discussion has some tips, but it is four years old and hasn't
changed since I last looked.

See: https://caddy.community/t/using-caddy-to-harden-wordpress/13575
2025-03-29 22:09:37 +03:00
5aa6a33e51
roles/php-fpm: set user and group based on webserver
We use either caddy or nginx, which are conveniently named the same
as the Unix user and group.
2025-03-29 21:01:56 +03:00
7f9b06af9c
roles/nginx: smarter setting of document root 2025-03-29 19:34:53 +03:00
84db337fea
roles/caddy: smarter setting of document root 2025-03-29 19:33:02 +03:00
7b23f5f94f
roles/caddy: add missing tag 2025-03-29 19:16:03 +03:00
9830338be3
Use one default root prefix for nginx and caddy 2025-03-29 19:15:56 +03:00
e3eed26765
roles/caddy: update vhost template 2025-03-29 18:37:28 +03:00
cb79f7ef70
roles/common: minor change to firehol update script
They include bogons like 127.0.0.1 that should not be routed on the
public Internet, but this blocks local applications we proxy to.
2025-01-28 09:14:48 +03:00
bb14f05d2a
roles/common: use Ansible timezone module
No need to use a command for that. The module does it better because
it doesn't register a change unless the timezone changes.
2025-01-27 23:11:56 +03:00
5b1530fa91
roles/common: rework firewall
Use firehol instead of all the others. AbuseIPDB.com can't be updated
automatically, Abuse.ch is no longer maintained, and Spamhaus is
already in firehol.
2025-01-27 23:05:45 +03:00
5312dc6bd5
roles/common: use common nftables task
Use a common nftables task on Debian and Ubuntu.
2025-01-27 23:05:38 +03:00
d6e060d3af
roles/common: simplify firewall tasks
Apply firewall tag to included tasks, then we don't need to use a
block.
2025-01-27 22:30:50 +03:00
b873af004a
roles/common: single firewall task include
Use one include from the main tasks file.
2025-01-27 22:28:27 +03:00
c31e447861
roles/nginx: update signing key 2024-06-25 08:11:59 +03:00
6dc2ea36b6
roles/nginx: fix path to php 8.2 socket 2023-09-11 19:55:24 +03:00
af71a9b5f8
roles/php-fpm: remove fmt strings
Ansible confuses them for jinja2 tokens.
2023-09-11 19:52:18 +03:00
4dd57803e2
roles/php-fpm: fix user/group for php 8.2 configs 2023-09-11 19:51:59 +03:00
18d4245fc0
roles/common: fix tarsnap signing of apt repo 2023-09-11 19:37:49 +03:00
20dbe61fe1
roles/mariadb: use MariaDB 10.11
The server has already been updated from 10.6 to 10.11.

See: https://mariadb.com/kb/en/upgrading-from-mariadb-10-6-to-mariadb-10-11/
2023-09-10 22:53:10 +03:00
06416a3b64
roles: run ansible-lint --write 2023-08-23 22:22:51 +03:00
7a9a24ef5d
roles/common: rework fail2ban again
Actually, we do want to run fail2ban on all hosts because the sshd
monitoring via systemd is nice. At the very least it reduces spam
from failed logins in our systemd journal.
2023-08-23 22:15:24 +03:00
067adcd9f5
roles/common: rework fail2ban tasks
We can only run fail2ban when we have logs to monitor. When a host
is running Caddy we don't have logs, so fail2ban doesn't have anything
to monitor out of the box. For now I will restrict the task to hosts
running nginx.
2023-08-23 21:59:28 +03:00
84d210cfab
roles/common: re-format handlers
Use the newer Ansible format.
2023-08-23 21:35:28 +03:00
17736a4f14
roles/common: run ansible-lint --write 2023-08-23 21:33:22 +03:00
b9e91c4a3d
roles/common: minor updates to tarsnap task
Use modern Ansible task format.
2023-08-23 21:20:22 +03:00
51c95e5d4c
roles/common: update tarsnap task
Update tarsnap task to use apt signed-by for package signing keys
instead of adding keys directly to apt-key.
2023-08-23 21:18:27 +03:00
8dbec29d2a
roles/nginx: prepare letsencrypt task for Debian 12 2023-08-23 21:01:12 +03:00
d3bf3dab04
roles/php-fpm: add support for PHP 8.2
This is used in Debian 12.
2023-08-23 20:56:35 +03:00
e86ccc9979
roles/nginx: minor rework of apt key stuff 2023-08-22 21:33:19 +03:00
14d57fc477
roles/nginx: reformat main tasks 2023-08-10 22:44:47 +02:00
5c39f1abd8
roles/common: minor changes to Debian sshd_config files 2023-08-10 22:10:04 +02:00
6794eb0432
roles/common: default to disabling SSH passwords 2023-08-10 22:09:03 +02:00
b106f9d9e5
roles/common: ignore apt sources.list on Scaleway
While testing Debian 12 on Scaleway I noticed their apt sources.list
is in some weird format I've never seen before, so let's skip it on
those hosts.
2023-08-10 08:08:42 +02:00
d280859b0d
roles/common: minor updates to Debian 11 sshd_config 2023-08-09 21:55:04 +02:00
bca1629d2f
Minor comment updates for Debian 12 2023-08-09 21:51:53 +02:00
4fa82faf18
roles/common: adjust sshd_config for Debian 12
Adjust sshd_config based on ssh-audit profile for OpenSSH 9.2.
2023-08-09 21:27:19 +02:00
b8f0b4b1fb
roles/common: add vanilla sshd_config for Debian 12 2023-08-09 21:16:50 +02:00
446d402778
roles: minor fix to Debian version comparisons 2023-07-27 18:48:07 +03:00
fdb9a75489
roles/common: update tarsnap GPG key 2023-04-14 10:09:11 -07:00
c840ffe018
roles/caddy: improve vhost template
Support domain aliases that redirect to the main domain and allow
sites to say they are static sites where they only need a document
root.
2022-11-13 18:54:03 +03:00