Commit Graph

637 Commits

Author SHA1 Message Date
dd2f65947d
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

    $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
      confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
      -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
      -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

    $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
    $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
2020-11-06 15:44:57 +02:00
f4b104953c
roles/common: Use correct Ansible version comparison
The major version is "16", not "16.04".
2020-07-27 14:23:58 +03:00
c9ea286fff
roles/mariadb: Simplify sources.list 2020-07-14 09:51:35 +03:00
b366b0af3d
roles/nginx: Update version comment 2020-07-14 09:48:12 +03:00
0c192e6c4a
roles/munin: Remove tomcat config
We don't use tomcat here.
2020-07-14 09:47:39 +03:00
f5b6fa74c6
roles/munin: Use systemd module instead of service
All hosts are running systemd.
2020-07-14 09:47:18 +03:00
dbb4dd7098
roles/php-fpm: Add missing Ubuntu 20.04 PHP-FPM task 2020-07-14 09:45:51 +03:00
72b8b193b5
Remove support for Debian 9 and Ubuntu 16.04 2020-07-14 09:45:33 +03:00
539f081d4d
roles/common: Remove storage-specific tweaks
We don't have any "storage" group. This was ported from somewhere
else and I didn't notice that code.
2020-07-14 09:10:07 +03:00
a1f110c8bc
Add PHP 7.4 FPM support 2020-07-13 23:25:32 +03:00
20ab27e1d2
roles/php-fpm: Fix 7.4 pool config 2020-07-13 23:25:09 +03:00
7f5499c307
roles/php-fpm: Import config changes for PHP 7.4 2020-07-13 22:37:12 +03:00
057e98ab47
roles/php-fpm: Import Ubuntu 20.04 PHP 7.4 FPM configs 2020-07-13 22:34:02 +03:00
5282154d7d
roles/common: Disable Canonical spam in MOTD 2020-06-25 21:12:00 +03:00
99b55403d3
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

$ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
  confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
  -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
  -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

    $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
    $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
2020-06-21 16:31:09 +03:00
9abfe80245 roles/nginx: Add pre and post hooks for Let's Encrypt on Ubuntu 20.04
Certbot will run any executables in the pre and post directories
during certificate renewal.
2020-06-08 12:15:29 +03:00
0587841476 roles/nginx: Adjust certbot tasks
It seems that it is no longer recommended/supported to install the
standalone certbot-auto client on Ubuntu 20.04. We apparently need
to use the one provided by Ubuntu, which luckily includes a service
and timer to renew the certs.
2020-06-08 12:15:29 +03:00
40ac858d60 roles/common: Ignore errors removing snaps
If the snap binary doesn't even exist then it means we've probably
already run this playbook and removed all installed snaps as well.
2020-06-08 12:15:29 +03:00
ba3004ef2b roles/common: Don't run rc.local task on Ubuntu 20.04
We haven't actually used rc.local since Ubuntu 16.04. Now anything
that we need to run at boot we can do with systemd anyways.
2020-06-08 12:15:29 +03:00
ef6ce2335e roles/common: Remove systemd-journald drop-in
Older Ubuntus originally didn't use a persistent journal, which was
somewhat of a surprise when looking at logs after a few months. Now
this does not seem to be an issue since Ubuntu 18.04. As for CentOS
I do not use that distro here so I don't need to care.
2020-06-08 12:15:29 +03:00
6fcb1290fe roles/common: Port sshd_config changes from Debian 10 to Ubuntu 20.04
By now the recommendations we were using as guidance are five years
old. The ciphers have not changed much since then.
2020-06-08 12:15:29 +03:00
5a58d93dfe roles/common: Import sshd_config for Ubuntu 20.04 2020-06-08 12:15:29 +03:00
870bdbfcc3 roles/common: Harden fail2ban service on Ubuntu 20.04 2020-06-08 12:15:29 +03:00
96f62a17d1 roles/common: Use nftables backend in firewalld on Ubuntu 20.04
The nftables backend should be more performant and flexible. I had
been planning to use it on Ubuntu 18.04 and Debian 10 as well, but
there were issues with the specific versions used in those distros.

See: https://firewalld.org/2018/07/nftables-backend
2020-06-08 12:15:29 +03:00
29bbc14068 roles/common: Remove ufw from Ubuntu systems
We never used this simple firewall utility and in at least one case
a user on the server tried to use it and messed up the rules I had
set via firewalld.
2020-06-08 12:15:29 +03:00
7288a85e72 roles/common: Remove snaps on Ubuntu 20.04
The list of pre-installed snaps and system packages is different on
Ubuntu 20.04 than it was in previous LTS releases.

See: https://www.kevin-custer.com/blog/disabling-snaps-in-ubuntu-20-04/
2020-06-08 12:15:29 +03:00
5242493b53
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

$ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
  confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
  -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
  -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

    $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
    $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
2020-06-03 10:10:49 +03:00
ed2e0efd9c
roles/common: Actually remove annoying Ubuntu motd spam 2020-04-24 22:37:50 +03:00
4b5d17ef8c
roles/nginx: Update comment about versions 2020-03-16 18:06:28 +02:00
03254d6aae
roles/common: Use normal tarsnap GPG packaging key 2020-03-16 18:03:53 +02:00
e169a3744a
roles/nginx: Fix munin.conf for nginx_status
This config stopped working a few years ago probably when hosts started
getting IPv6 and we need to allow ::1. Make sure we're only listening
on local loopback interfaces also.
2020-03-10 12:23:12 +02:00
2dc195b33c
Use version() instad of version_compare()
This changed in Ansible 2.5 apparently.

See: https://docs.ansible.com/ansible/latest/user_guide/playbooks_tests.html
2020-03-09 15:20:51 +02:00
d78015c92c
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

$ curl -G https://api.abuseipdb.com/api/v2/blacklist -d confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

$ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
$ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
2019-12-23 11:39:35 +02:00
e4c3376383
roles/common: Fix logic in enabling individual calls in firewalld 2019-12-10 13:45:00 +02:00
aa1dac8c30
roles: Fix syntax for testing booleans
ansible-lint told me not to test equality with booleans using literal
"True" and "False", but it Ansible complains if I use "is True" also.
It seems that I need to adjust the syntax slightly.
2019-11-26 11:19:22 +02:00
1c631739e7
roles: Fix issue raised by ansible-lint
[601] Don't compare to literal True/False
2019-11-21 22:55:39 +02:00
e1c7bbe096
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

$ curl -G https://api.abuseipdb.com/api/v2/blacklist -d confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy.
2019-11-13 11:35:14 +02:00
8edc68ca3c
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

$ curl -G https://api.abuseipdb.com/api/v2/blacklist -d confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy.
2019-11-04 10:12:17 +02:00
2631f76c6d
roles/common: Use iptables backend for firewalld on Debian
For some reason the nftables set support in firewalld doesn't seem
to be working. I see that sets (aka ipsets in nftables lingo) are
created, but they are empty. For now I will just leave these tasks
as they are to revert the behavior on current hosts (should do no
change on new installed, as the regexp won't match).
2019-10-26 19:34:25 +02:00
919fbbbcd9
roles/common: Make sure fail2ban is started 2019-10-26 17:14:28 +02:00
9f27cda97b
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

$ curl -G https://api.abuseipdb.com/api/v2/blacklist -d confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" -H "Accept: text/plain" | sort > /tmp/ips.txt

I manually remove the IPv6 addresses and save them to a different
filr, then I add the XML formatting to files and run them through
tidy.
2019-10-26 17:09:18 +02:00
d8d8a01a5f
roles/common: Remove SSH rate limiting from firewalld
Rather than a simple rate limit, I'm now using fail2ban to ban IPs
that actually fail to login.
2019-10-26 16:41:42 +02:00
4710ee6f07
roles/common: Bump version checks to Ubuntu 16.04 2019-10-26 16:40:14 +02:00
9db104efa6
roles/common: Bump version checks to Debian 9 2019-10-26 16:37:27 +02:00
0605f70f2e
roles/common: Add support for fail2ban
This is active banning of IPs that are brute forcing login attempts
to SSH, versus the passive banning of 10,000 abusive IPs from the
abuseipdb.com blacklist. For now I am banning IPs that fail to log
in successfully more than twelve times in a one-hour period, but
these settings might change, and I can override them at the group
and host level if needed.

Currently this works for CentOS 7, Ubuntu 16.04, and Ubuntu 18.04,
with minor differences in the systemd configuration due to older
versions on some distributions.

You can see the status of the jail like this:

    # fail2ban-client status sshd
    Status for the jail: sshd
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
    `- Actions
       |- Currently banned: 1
       |- Total banned:     1
       `- Banned IP list:   106.13.112.20

You can unban IPs like this:

    # fail2ban-client set sshd unbanip 106.13.112.20
2019-10-26 16:36:07 +02:00
f3614d4ad4
roles/common: Remove buster-backports
I was using it to get iptables 1.8.3 to work around an issue with
firewalld, but I've solved that another way.
2019-10-18 22:56:52 +03:00
25e0fd3557
roles/common: Use individual calls with firewalld
Seems to work around an issue when firewalld is using the nftables
backend with iptables 1.8.2 on Debian 10. Alternatively I could go
back to using the iptables backend... hmm.

See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914694
2019-10-18 22:49:29 +03:00
cac38af09b
roles/common: Use nftables firewalld backend on Debian 10
nftables is the iptables replacement. There is support for nftables
in firewalld since v0.6.0.

See: https://firewalld.org/2018/07/nftables-backend
2019-10-18 19:02:17 +03:00
7c0b458bc1
roles/common: Don't use iptables from buster-backports
This causes problems every time I re-run the Ansible tag because the
nightly apt security uses a different sources.list and the indexes
are then missing buster-backports. I could add a cache update to the
task, but actually I think the original bug I was trying to solve is
finally fixed, and I'm going to switch to nftables anyways.
2019-10-18 18:53:21 +03:00
1b0a6703b6
roles/common: Update list of abusive IPv4 addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

$ curl -G https://api.abuseipdb.com/api/v2/blacklist -d confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" -H "Accept: text/plain" | sort > /tmp/ips.txt

Then I add the XML formatting to the file and run it through tidy.
2019-10-18 13:45:59 +03:00
6244530929
roles/common: Fix short name of abusers-ipv6 ipset 2019-10-17 22:04:00 +03:00
68ec9f0467
roles/common: Update list of abusive IPv4 addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

$ curl -G https://api.abuseipdb.com/api/v2/blacklist -d confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" -H "Accept: text/plain" | sort > /tmp/ips.txt

Then I add the XML formatting to the file and run it through tidy.
2019-10-14 00:24:48 +03:00
a8efe97a02
roles/common: Update list of abusive IPv4 addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

$ curl -G https://api.abuseipdb.com/api/v2/blacklist -d confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" -H "Accept: text/plain" | sort > /tmp/ips.txt

Then I add the XML formatting to the file and run it through tidy.
2019-10-09 14:52:41 +03:00
d030827f12
roles/common: Relax SSH rate limit in firewalld
Now that I'm blocking ~10,000 malicious IPs from AbuseIPDB I feel
more comfortable using a more relaxed rate limit for SSH. A limit
of 12 per minute is about one every five seconds.
2019-10-06 18:27:45 +03:00
8b28a65bf0
roles/common/files/abusers-ipv4.xml: Top 10,000 abusers from abuseipdb
These are the top 10,000 abusers with 95% confidence from abuseipdb.
2019-10-05 23:56:24 +03:00
6ebf900960
roles/common: Add missing rules for abusers ipsets
I had forgotten to add these when porting these rules from another
repository.
2019-10-05 13:01:51 +03:00
ef3c5c200e
roles/common: Update list of abusive IPv4 addresses
I updated the list with a few dozen more hosts that we brute forcing
SSH but failed to even negotiate a connection because they are using
old ciphers. I will still block them because they attempted 100+ co-
nnections.
2019-10-05 12:46:06 +03:00
80df220602
roles/common: Restart firewalld instead of reload
I'm having problems with reload hanging on Debian 10 so I will just
revert to the older behavior of restarting.
2019-10-05 12:29:30 +03:00
c2a92269e4
roles/common: Add ipsets of abusive IPs to firewalld
This uses the ipsets feature of the Linux kernel to create lists of
IPs (though could be MACs, IP:port, etc) that we can block via the
existing firewalld zone we are already using. In my testing it works
on CentOS 7, Ubuntu 16.04, and Ubuntu 18.04.

The list of abusive IPs currently comes from HPC's systemd journal,
where I filtered for hosts that had attempted and failed to log in
over 100 times. The list is formatted with tidy, for example:

    $ tidy -xml -iq -m -w 0 roles/common/files/abusers-ipv4.xml

See: https://firewalld.org/2015/12/ipset-support
2019-10-05 12:28:30 +03:00
532b533516
roles/common: Update apt in firewall task
Otherwise the buster-backports source might not be available, as
the nightly security upates use a different apt sources.list.
2019-10-05 12:00:08 +03:00
eb7998fd12
roles/nginx: Fix hardcoded "stretch" release in sources
This was causing the stretch version to get installed on buster, w-
hich led to the cipher suite and ssl protocol support to behave st-
rangeley.
2019-09-15 16:03:17 +03:00
1ec6d07232
roles/nginx: Fix php7.3-fpm socket location on Debian 10 2019-09-15 15:55:42 +03:00
2740f050fc
roles/common: Increase ssh MaxAuthTries from 3 to 4
If a user has RSA, ECDSA, and ED25519 private keys present on their
system then the ssh client will offer all of these to the server
and they may not get a chance to try password auth before it fails.
2019-09-15 15:17:00 +03:00
cf16264f53
roles/common: Update sshd_config template for Debian 10
It seems I had imported the stock one from a default install, but I
never configured it.
2019-09-15 15:15:30 +03:00
cbdd779af0
roles/common: Remove lzop and lrzip from packages
zstd is a much better all-purpose compression utility.
2019-09-15 13:23:52 +03:00
4faeb79b5c
roles/common: Add zstd to base packages 2019-09-14 20:36:40 +03:00
a7231bcf5f
roles/mariadb: Remove login_unix_socket from .my.cnf
It is causing an error at client runtime.
2019-09-14 18:32:26 +03:00
43715dd392
roles/common: Use stable tarsnap 2019-09-13 22:14:49 +03:00
7551b803f6
roles/common: Use iptables 1.8.3 on Debian Buster
There is a bug in iptables 1.8.2 in Debian 10 "Buster" that causes
firewalld to fail when restoring rules. The bug has been fixed in
iptables 1.8.3, which is currently in buster-backports.

See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914694
2019-08-01 15:36:15 +03:00
b59f7c0702
roles/nginx: Update certbot dependencies for Debian 10
Taken after a clean Debian 10 install on Linode.
2019-07-23 18:38:33 +03:00
0bff851311
roles/php-fpm: Fix Ansible template parsing issue
Remove time formatting strings because Ansible errors when trying
to parse them, even though we are not using them!
2019-07-23 18:32:27 +03:00
2d98d70e02
Update nginx cipher suite and TLS protocols
Use latest Mozilla "intermediate" TLS settings. This configuration
works on (at least) Ubuntu 18.04 and Debian 10.

See: https://ssl-config.mozilla.org/#server=nginx&server-version=1.17.2&config=intermediate&openssl-version=1.1.1
2019-07-23 17:53:22 +03:00
2fadb9029a
roles/mariadb: Use Unix socket for MariaDB tasks
Otherwise Ansible fails due to PyMySQL using a TCP connection.

See: https://github.com/ansible/ansible/issues/47736
2019-07-23 17:26:23 +03:00
7d8457e5b3
roles/common: Remove old SSH public key 2019-07-23 16:07:39 +03:00
c148da73e7
roles/common: Use experimental Tarsnap on Debian buster
Tarsnap currently provides experimental packages for Debian Buster.

See: https://www.tarsnap.com/pkg-deb.html#experimental
2019-07-19 12:07:27 +03:00
e124cac945
roles/nginx: Adjust formatting of apt sources template 2019-07-08 18:44:21 +03:00
70e736bdc5
roles/nginx: Use buster builds
nginx.org has buster builds now.
2019-07-08 18:43:43 +03:00
ca293289aa
roles/nginx: Fix logic error in apt sources template 2019-07-07 17:59:00 +03:00
03e2abc4fb roles/common: Install gnupg2 on Debian
Needed by Ansible to add and verify apt package signing keys.
2019-07-07 15:52:25 +03:00
12b6f3aaa2
roles/common: Don't ignore errors on Tarsnap key add
It turns out that I had the wrong key ID so it's no wonder this was
failing...
2019-07-07 15:51:04 +03:00
704b02ce0a
roles/common: Fix tarsnap package key
For some reason the key ID I had here was wrong. According to the
Tarsnap website the key ID is 0x6D97F5A4CA38CF33.

ee: https://www.tarsnap.com/pkg-deb.html
2019-07-07 15:49:45 +03:00
709a947987
Merge branch 'debian10' 2019-07-06 21:43:41 +03:00
3b95730417
roles/common: Synchronize Debian package task with Ubuntu 2019-07-06 21:36:04 +03:00
10200e52ab
roles/common: Use a fact for base packages on Debian
This is safer and ends up being faster because all packages get in-
stalled in one apt transaction.
2019-07-06 21:31:59 +03:00
460c1df65b roles/php-fpm: Update for PHP 7.3 in Debian 10 2019-07-06 21:16:19 +03:00
5fe583541a roles/nginx: Set Let's Encrypt packages for Debian 10
Taken from the list of packages that the certbot-auto script wants
to bootstrap on a fresh Debian 10 "buster" install.
2019-07-06 21:16:19 +03:00
619f536cd8 roles/nginx: Use Debian 9 "stretch" builds on Debian 10 "buster"
There are no Debian 10 "buster" builds from nginx.org yet.
2019-07-06 21:16:19 +03:00
39622077cd roles/common: Use Debian 9 tarsnap packages
There are no tarsnap binaries for Debian 10 yet.
2019-07-06 21:16:19 +03:00
b79001f97a roles/common: Update security.sources.list for cron-apt
We need to make sure to get security updates for packages that are
not in main!
2019-07-06 21:16:19 +03:00
207296b1f8 roles/common: Update Debian security apt repository
See: https://www.debian.org/security/
2019-07-06 21:16:19 +03:00
1b4e9ae87c roles/common: Install Python 3 version of pycurl on Debian 10
Debian 10 comes with Python 2 and Python 3 (at least from the ISO),
so we should prefer the Python 3 version of pycurl. We'll see whet-
her cloud providers like Linode and Digital Ocean ship with Python
3 or not in their default image.
2019-07-06 21:16:19 +03:00
da4a6660fb roles/common: Update comment in tasks/ntp.yml 2019-07-06 21:16:19 +03:00
dd5662911e roles/common: Import sshd_config from Debian 10
OpenSSH version is 7.9p1-10.
2019-07-06 21:16:19 +03:00
4fb2d48e10
roles/mariadb: Install MariaDB 10.4
MariaDB 10.4 is now GA.

See: https://mariadb.com/kb/en/library/changes-improvements-in-mariadb-104/
See: https://mariadb.com/kb/en/library/upgrading-from-mariadb-103-to-mariadb-104/
2019-07-05 20:39:17 +03:00
dc2e14a6a3
roles/mariadb: Use python3-pymysql for Ansible
For Python 3 Ansible needs a different library to help with MySQL
tasks.
2019-05-08 09:15:47 +03:00
5957f5f2c5
roles: The apt cache_valid_time implies update_cache
See: https://docs.ansible.com/ansible/latest/modules/apt_module.html
2019-03-17 17:29:28 +02:00
c5b5cda3d3
Smarter updating of apt index during playbook execution
We can register changes when adding repositories and keys and then
update the apt package index conditionally. This should make it be
more consistent between initial host setup and subsequent re-runs.
2019-03-17 17:29:15 +02:00
bec79f18d1
roles/common: Ignore tarsnap key errors
Ansible errors on adding the tarsnap signing key because it is not
valid (expired a month ago). I contacted Colin Percival about this
on Twitter but he did not seem worried for some reason.
2019-03-13 12:36:47 +02:00
18ee583261
roles/common: Don't log brute force SSH attempts
This is nice to see that the throttling is working, but the logs are
completely full of this useless crap now.
2019-02-26 10:30:03 -08:00
329edaee87
roles/common: Rate limit SSH connections in firewalld
I think 5 connections per minute is more than enough. Any over this
and it will be logged to the systemd journal as a warning.

See: https://www.win.tue.nl/~vincenth/ssh_rate_limit_firewalld.htm
See: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/configuring_complex_firewall_rules_with_the_rich-language_syntax
2019-01-28 14:09:18 +02:00
bbab45ae6f
Adjust ansible_managed to use comment filter
We don't need to comment the ansible_managed block manually.
2019-01-10 12:50:54 +02:00
9921a40c19
roles/common: Update comment 2018-12-20 10:31:18 +02:00
91356ab364
roles/common: Disable Canonical spam in MOTD 2018-12-20 10:27:52 +02:00
49cfbc4c47
roles/common: Add missing systemd-journald config
I apparently forgot to add this when I committed the systemd-journald
changes a few weeks ago.
2018-12-20 09:59:13 +02:00
96f14bdda7
roles/common: Remove blank line 2018-12-20 09:57:47 +02:00
6aed22b633
roles/common: Use one task to remove Ubuntu packages
I had previously been removing some packages for security reasons,
then removing others because they were annoying, and yet *others*
because they were annoying on newer Ubuntus only. It is easier to
just unify these tasks and remove them all in one go.

On older Ubuntus where some packages don't exist the task will just
succeed because the package is absent anyways.
2018-12-20 09:54:46 +02:00
a15faabe32
roles/common: Update apt cache only if it's older than 1 hour 2018-12-20 09:40:10 +02:00
aeaa96b753
roles/common: Remove s3cmd from Ubuntu packages
I'm using tarsnap for backups so I don't need Amazon S3 stuff.
2018-12-20 09:38:51 +02:00
67172138a1
roles/common: Fix typo 2018-12-20 09:38:10 +02:00
400926821c
roles/common: Only update apt index if cache is older than 1 hour 2018-12-20 09:37:44 +02:00
281689e506
roles/common: Use an Ansible fact for Ubuntu packages 2018-12-20 09:36:43 +02:00
46bbb06527
roles/common: Remove more annoying packages on Ubuntu
Ubuntu 16.04 and up install a bunch of their technologies that I'm
not using, like lxc, lxd, and snaps.
2018-12-20 09:31:58 +02:00
691deb4fa7
roles/common: Use a persistent systemd journal
The default systemd journal configuration on CentOS 7 and Ubuntu
16.04 does not keep journal logs for multiple boots. This limits
the usefulness of the journal entirely (for example, try to see
sshd logs from even two or three months ago!).

Changing the storage to "persistent" makes systemd keep the logs
on disk in /var/log/journal for up to 2% of the partition size.
2018-12-07 23:46:18 +02:00
da615fb368
roles/mariadb: Update my.cnf template
Sync from upstream's provided my.cnf.
2018-07-29 16:43:56 +03:00
b47f66512d
roles/mariadb: Use MariaDB 10.3
Also disables the fetching of i386 packages because the mirror does
not appear to have them anymore (and I wasn't using them anyways).
2018-07-29 16:23:24 +03:00
963bf65099
roles/common: Limit number of SSH authentication attempts
The default in later OpenSSH is 6, which seems too high. If you can't
get your password correct after 3 tries then I think you need help.

Eventually I'd like an easy way to enable blocking of repeated login
attempts at the firewall level. I think it's possible in firewalld.
2018-07-23 13:14:54 +03:00
f22b6af273
roles/common: Change mode of SSH public key 2018-05-30 08:32:11 -07:00
37a88f676b
roles/common: Add new SSH public key for aorth 2018-05-30 07:48:38 -07:00
131420be17
roles/common: Add task to copy tarsnaprc
One less thing to do manually after server provisioning, and there is
nothing sensitive in here anyways.
2018-05-20 12:51:02 +03:00
c29d37c159
roles/mariadb: Use German mirror 2018-05-20 12:05:35 +03:00
314a33d37c
Use official MariaDB builds for Ubuntu bionic
We had been using the Ubuntu 17.10 "artful" builds for Ubuntu 18.04
"bionic" but there are now official bionic builds.
2018-05-19 23:12:35 +03:00
2837de4e3f
roles/php-fpm: Update defaults
From latest PHP 7.2 on Ubuntu 18.04's php.ini-production.
2018-05-15 00:00:27 +03:00
70abcb2051
roles/php-fpm: Import new php.ini-production
From latest Ubuntu 18.04 PHP 7.2 package.
2018-05-14 23:58:45 +03:00
1a9033dece
roles/common: Use bionic tarsnap builds on Ubuntu 18.04
Tarsnap finally published builds for Ubuntu 18.04 "bionic" so we don't
need to use the 17.10 "artful" ones anymore.
2018-05-09 00:05:42 +03:00
42fcd933a8
roles/nginx: Fix Jinja2 logic in apt sources template 2018-05-08 23:53:47 +03:00
3f0c45d504
roles/nginx: Force amd64 builds on apt sources
Avoids the following error in apt:

Skipping acquire of configured file 'nginx/binary-i386/Packages' as repository 'https://nginx.org/packages/ubuntu bionic InRelease' doesn't support architecture 'i386'
2018-05-08 23:41:25 +03:00
f5fbc4b8f1
roles/nginx: Use bionic builds on Ubuntu 18.04
NGINX finally published builds for Ubuntu 18.04 "bionic" so we don't
need to use the 17.10 "artful" ones anymore.
2018-05-08 23:39:59 +03:00
0a39051a95
roles/nginx: Allow custom resolvers for TLS stapling
Allows to specify custom DNS resolvers for TLS stapling, with a default
of Cloudflare's public DNS servers.
2018-04-30 18:04:17 +03:00
bda95b6a1c
roles/nginx: Default to Cloudflare public DNS for TLS stapling
No need to give Google even more data or free advertising by using
this as the default! In practice I always use the DNS servers from
the VPS provider anyways.
2018-04-30 17:51:59 +03:00
7aed78016c
roles/php-fpm: Use set_fact to set packages
Instead of looping over a list of items to install, we can actually
just give a list directly to the apt module. This allows the module
to install all packages in one transaction, which is faster as well
as slightly safer for some dependency resolution scenarios.
2018-04-29 16:10:53 +03:00
45517a1421
roles/php-fpm: Remove "packages" tag
This tag is no longer reachable after switching to the new dynamic
includes in Ansible 2.4 and 2.5. Anyways, I've been questioning my
decision to add the "packages" tag to any task that uses the apt
module.
2018-04-29 16:04:47 +03:00
434fe59a63
roles/php-fpm: Use blocks to tag children of dynamic tasks
When using dynamic includes, child tasks do not inherit tags from their
parents. You must tag the parent and each child task separately, or use
a block to group children and then apply a tag to a block.

See: https://docs.ansible.com/ansible/devel/porting_guides/porting_guide_2.5.html
2018-04-29 16:04:03 +03:00
6208d1518c
roles/nginx: Use set_fact to set certbot dependencies
Instead of looping over a list of items to install, we can actually
just give a list directly to the apt module. This allows the module
to install all packages in one transaction, which is faster as well
as slightly safer for some dependency resolution scenarios.
2018-04-26 19:48:05 +03:00
baa5890d6d
roles/nginx: Add name to Let's Encrypt task
All tasks should have names, even if they are just including other
tasks.
2018-04-26 17:12:22 +03:00
fa5db39674
roles/nginx: Move WordPress tasks to separate file
Because of the shift from static imports to dynamic includes these
tags will never be reached unless they have their own task that is
tagged at the top-level (dynamic includes don't pass their tags to
their children).
2018-04-26 17:09:09 +03:00
0f512a5bf7
roles/common: Use blocks to tag children of dynamic tasks
When using dynamic includes, child tasks do not inherit tags from their
parents. You must tag the parent and each child task separately, or use
a block to group children and then apply a tag to a block.

See: https://docs.ansible.com/ansible/devel/porting_guides/porting_guide_2.5.html
2018-04-26 16:58:35 +03:00
7d950ade99
roles: Remove unreachable "packages" tags
After reörganizing for dynamic includes these tags will never be reached
because the children of dynamic includes do not inherit tags from their
parents as they did with static imports.
2018-04-26 16:31:06 +03:00
1738507ee9
roles/nginx: Use dynamic includes for Let's Encrypt
As of Ansible 2.4 and 2.5 the behavior for importing tasks has changed
to introduce the notion of static imports and dynamic includes. If the
tasks doing the import is using variable interpolation or conditionals
then the task should be dynamic. This results in quicker playbook runs
due to less importing of unneccessary tasks.

One side effect of this is that child tasks of dynamic includes do not
inherit their parents' tags so you must tag them explicitly or a block.

Also, I had to move the letsencrypt tasks to the main task file so the
tags were available (due to dynamic tasks not inheriting tags).
2018-04-26 11:00:47 +03:00
2da7f39bb4
roles/nginx: Use dynamic includes for tasks
As of Ansible 2.4 and 2.5 the behavior for importing tasks has changed
to introduce the notion of static imports and dynamic includes. If the
tasks doing the import is using variable interpolation or conditionals
then the task should be dynamic. This results in quicker playbook runs
due to less importing of unneccessary tasks.

One side effect of this is that child tasks of dynamic includes do not
inherit their parents' tags so you must tag them explicitly or a block.
2018-04-26 10:45:01 +03:00
c608331e3c
roles/nginx: Rename Let's Encrypt dependency lists 2018-04-26 08:26:58 +03:00
e50f413f5e
roles/nginx: Use dynamic include_tasks for Let's Encrypt
Use dynamic includes instead of static imports when you are running
tasks conditionally or using variable interpolation. The down side
is that you need to then tag the parent task as well as all child
tasks, as tags only apply to children of statically imported tasks.
2018-04-25 20:03:32 +03:00
ebda406de3
roles/nginx: Separate Debian 9 "stretch" Let's Encrypt deps
Instead of iterating over fifteen packages with a loop that does fifteen
separate apt transactions, it is better to give the apt module a list so
it can install them all in one transaction. This is both quicker and te-
chnically more safe for dependency resolution.
2018-04-25 20:02:42 +03:00
f427350feb
roles/nginx: Separate Ubuntu 16.04 "Xenial" Let's Encrypt deps
Instead of iterating over fifteen packages with a loop that does fifteen
separate apt transactions, it is better to give the apt module a list so
it can install them all in one transaction. This is both quicker and te-
chnically more safe for dependency resolution.
2018-04-25 20:01:39 +03:00
12711afac9
roles/nginx: Add dependencies for certbot on Ubuntu 18.04
Taken from running the Let's Encrypt certbot-auto client on a freshly
installed Ubuntu 18.04 system.
2018-04-25 19:40:33 +03:00
ab27caf877
roles/common: Use dynamic include_tasks for firewall
Use dynamic includes instead of static imports when you are running
tasks conditionally or using variable interpolation. The down side
is that you need to then tag the parent task as well as all child
tasks, as tags only apply to children of statically imported tasks.
2018-04-25 18:58:31 +03:00
a044fd2f55
roles/common: Add missing vim modelines 2018-04-25 18:55:22 +03:00
8b660dcfbe
roles/common: Use dynamic include_tasks for packages
Basically, when using conditionals or variables in your tasks you should
use include_tasks instead of import_tasks. The down side is that you now
need to tag all included tasks individually or with a block, unlike when
using static imports (tags are applied to all imported child tasks).

I would actually like to reduce this task to a single one that uses the
host's ansible_distribution variable, but Ansible 2.5.1 currently gives
the following error: ansible_distribution is undefined.
2018-04-25 18:46:28 +03:00
9445541f51
roles/common: Always use security.ubuntu.com
Vanilla Ubuntu (and Debian actually) defaults to using the official
mirror for security updates rather than country or regional mirrors.

Also, for what it's worth, Ubuntu mirrors didn't always sync these
security archives. I'd prefer to stay closer to vanilla Ubuntu but
also it kinda makes sense to get security updates from the official
source than a mirror (in case of delay or errors).
2018-04-25 18:09:11 +03:00
832573acc5
roles/common: Remove comments from sources.list
I want this file to be more like what comes from the stock Ubuntu.
2018-04-25 18:07:55 +03:00
a7eb04a152
Import OS-specific vars from task in common role
We stopped being able to do dynamic includes from the playbooks around
Ansible 2.4.0.0 if I recall correctly. Instead we can create a task to
include the variables and make it always run by using the special tag.

For now the Debian and Ubuntu vars files are the same, but I will keep
them separate so that it is more flexible in the future.
2018-04-25 18:04:29 +03:00
f3403cc79a
roles/common: Remove Ubuntu partner repo from apt sources
I haven't used this in years, and it looks to only be proprietary things
like Adobe, Skype, etc.
2018-04-25 17:49:38 +03:00
913f59ced6
group_vars/dspace: Update comment for nginx branch
NGINX 1.14.0 was released and is the current "stable" version. The
next "mainline" version should be 1.15.0.

See: https://nginx.org/en/CHANGES-1.14
2018-04-18 16:58:33 +03:00
1a870db3af Fix a few more Jinja2 filters used as tests
I had created these earlier in this branch before rebasing it on top
of the Ansible 2.5.0 readiness branch.

See: https://docs.ansible.com/ansible/devel/porting_guides/porting_guide_2.5.html
2018-04-05 12:17:26 +03:00
632aa1cf14 Fix a few more Jinja2 filters used as tests
I had created these earlier in this branch before rebasing it on top
of the Ansible 2.5.0 readiness branch.

See: https://docs.ansible.com/ansible/devel/porting_guides/porting_guide_2.5.html
2018-04-05 12:17:26 +03:00
d1ba60e15d Use version_compare to test for Ubuntu 18.04 "bionic"
It just feels more correct, plus I usually forget the release code
name from time to time.
2018-04-05 12:17:26 +03:00
ed607aab68 roles/nginx: Use correct php-fpm socket on Ubuntu 18.04 2018-04-05 12:17:26 +03:00
3396a98aad roles/php-fpm: Update note 2018-04-05 12:17:26 +03:00
9f3ab01d48 roles/php-fpm: Use include instead of import for tasks
These tasks are conditional and mutually exclusive due to the "when"
clause. Using import_tasks means that these are imported before the
playbook execution and then skipped during evaluation of the test.

It makes sense in this case to use include_tasks so that the tasks
are only imported during playbook execution if the condition is met.
2018-04-05 12:17:26 +03:00
7fc13d6331 roles/php-fpm: Improve task for Ubuntu 16.04 and Debian 9 2018-04-05 12:17:26 +03:00
9675542f7d roles/php-fpm: Support php-fpm 7.2 on Ubuntu 18.04
Adds a separate handler for the php-fpm7.2 service and cleans up the
pool config file to remove some content that causes Jinja2 to choke.
2018-04-05 12:17:26 +03:00
975a4d3f28 roles/php-fpm: Import php-fpm 7.2 configs
From vanilla Ubuntu 18.04, diffed against current 7.0 templates.
2018-04-05 12:17:26 +03:00
28ba62a8a6 roles/common: Remove sysv-rc-conf from Ubuntu packages
I haven't used this in years and it apparently doesn't exist in Ubuntu
18.04 anyways.
2018-04-05 12:17:25 +03:00
5c3553e684 roles/nginx: Use Ubuntu 17.10's packages on Ubuntu 18.04
There are no nginx packages for Ubuntu 18.04 "bionic" yet so we
should use Ubuntu 17.10 "artful".
2018-04-05 12:17:25 +03:00
6c093801c4 roles/mariadb: Use Ubuntu 17.10's packages on Ubuntu 18.04
There are no mariadb packages for Ubuntu 18.04 "bionic" yet so we
should use Ubuntu 17.10 "artful".
2018-04-05 12:17:25 +03:00
c5bebf0336 roles/common: Use Ubuntu 17.10's tarsnap packages on Ubuntu 18.04
There are no tarsnap packages for Ubuntu 18.04 "bionic" yet so we
should use Ubuntu 17.10 "artful".
2018-04-05 12:17:25 +03:00
10668ed706 roles/common: Update comment in ntp task 2018-04-05 12:17:25 +03:00
19414041e7 roles/common: Add sshd config for Ubuntu 18.04
From the default sshd_config with some cipher settings from the Debian
9 template.
2018-04-05 12:17:25 +03:00
ab2961be61 roles/common: Update Tarsnap GPG key
See: https://www.tarsnap.com/pkg-deb.html
2018-04-05 12:17:25 +03:00
57120308dc
Update with_items loops to use new-ish "loop" keyword
Ansible 2.4 and 2.5 are moving away from specialized loop functions
and the old syntax will eventually be deprecated and removed. I did
not change the with_fileglob loops because I'm not sure about their
syntax yet.

See: https://docs.ansible.com/ansible/latest/user_guide/playbooks_loops.html
2018-04-02 15:52:51 +03:00
fbf61c8e61
roles/munin: Don't use loop when installing one package 2018-04-02 15:51:29 +03:00
ffee9250ee
Use new syntax for Jinja2 filters that are used as tests
Ansible 2.5.0 uses a new syntax for Jinja2 filters that are used as
tests.

See: https://docs.ansible.com/ansible/devel/porting_guides/porting_guide_2.5.html
2018-04-02 15:37:37 +03:00
d155898bb1
Use new syntax for Jinj2 filters that are used as tests
Ansible 2.5.0 uses a new syntax for Jinja2 filters that are used as
tests.

See: https://docs.ansible.com/ansible/devel/porting_guides/porting_guide_2.5.html
2018-03-21 21:17:21 +02:00
52b4efd3b0
roles/common: Use HTTPS for tarsnap package mirror 2018-03-17 11:51:45 +02:00
948058151a
roles/common: Fix issues raised by ansible-lint
[ANSIBLE0010] Package installs should not use latest
2017-12-29 20:11:55 +02:00
a5e6513be3
roles/dspace: Update gzip_types formatting
From the H5BP project, see:

https://github.com/h5bp/server-configs-nginx/blob/master/nginx.conf
2017-11-14 12:44:56 +02:00
97aca2cad2
roles/nginx: Remove Internet Explorer 6 gzip disable
I have zero idea if we have IE6 clients any more, but according to the
H5BP community IE6 actually did support gzip and only represents 0.1%
of Internet traffic in 2015 (!) anyways.

See: https://github.com/h5bp/server-configs-nginx/issues/125
2017-11-14 12:43:02 +02:00
92fe57a4da
Revert "Revert "roles/common: Use static imports for tasks""
This reverts commit 63c5477f85.

I'm actually still seeing this problem on Ansible 2.4.0.0 with Python
2.7.14.
2017-11-05 01:51:49 +02:00
36d6360eeb
roles/common: Fix error in conditional 2017-11-05 01:41:38 +02:00
fec081d40a
roles/common: Use deb.debian.org instead of httpredir
Seems to be the evolution of httpredir.
2017-11-05 01:31:16 +02:00
d15c9851db
roles/nginx: Use https for apt repository 2017-11-05 01:30:49 +02:00
55b464e8f7
roles/common: Add apt-transport-https to base packages
Allows fetching debian repositories over HTTPS.
2017-11-05 01:29:00 +02:00
1882ba612f
roles/munin: Remove ansible_os_family checks
We only run Debian family distributions now so there is no need to check
this case.
2017-11-05 01:20:20 +02:00
547d808aea
roles/common: Remove ansible_os_family checks
We're only supporting Debian family now so there's no point to check
this variable now.
2017-11-05 01:19:28 +02:00
e43d8924e8
roles/munin: Remove ansible_os_family checks
First of all, there is no ansible_os_family Ubuntu! Second, we are only
supporting Debian-based systems here so there is no need to check this.
2017-11-05 01:17:01 +02:00
5f8820bf9f
roles/common: Remove Ubuntu 14.04 logic
We're only supporting Ubuntu 16.04 now.
2017-11-05 01:11:37 +02:00
7fd6127d29
roles/common: Remove check for CentOS in sshd task
I'm not supporting CentOS here so we don't need to check this.
2017-11-05 01:01:37 +02:00
f76fc64afa
roles/common: Remove unused sshd_config templates
We're not supporting Ubuntu 14.04 or 15.04 anymore so we don't need
these templates.
2017-11-05 00:59:19 +02:00
77a3b1cff7
roles/common: Remove Debian 8 sshd_config template 2017-11-05 00:58:03 +02:00
b0524d2a2e
Remove references to Debian 8
I don't need or want to support Debian 8 anymore so I can remove all
references to it in comments and code.
2017-11-05 00:54:53 +02:00
b87f2e2fb0
roles/common: Use command module instead of shell
You should only use the "shell" module when you need shell functions
like flow control and redirects. Also, the "command" module is safer
because it is not affected by the user's environment.
2017-11-05 00:49:03 +02:00
58598f470c
roles/mariadb: Remove start/enable task
After installation the mariadb service is started and enabled, so we
don't need to do that explicitly.
2017-11-05 00:28:07 +02:00
9b4f662bc5 roles/nginx: Use systemd module instead of service 2017-11-05 00:27:44 +02:00
2d6819986f roles/munin: Use systemd module instead of service 2017-11-05 00:27:44 +02:00
0d694d44c8 roles/php-fpm: Update comment about Debian 9 2017-11-05 00:27:44 +02:00
51183617b8 roles/php-fpm: Reload service instead of restarting
No need to bounce the service for most config changes when we can just
tell the daemon to reload gracefully.
2017-11-05 00:27:44 +02:00
2a230ceff4 roles/php-fpm: Use systemd module instead of service 2017-11-05 00:27:44 +02:00
7aafa1553b roles/mariadb: Use systemd module instead of service 2017-11-05 00:27:44 +02:00
b6a54ca4d1 roles/common: Reload firewalld instead of restart
There is no need to bounce the service, just reload it.
2017-11-05 00:27:44 +02:00
0a92f3ae8f roles/common: Use systemd module instead of "service"
This was new in Ansible 2.2 but I didn't notice until now. All of our
servers are running distributions with systemd so let's just use this.
2017-11-05 00:27:44 +02:00
0e409792ca
roles/mariadb: Update comment with link to MySQL module docs 2017-11-05 00:26:32 +02:00