alanorth/ansible-personal
1
0
Fork 0
Code Issues 4 Pull Requests Projects Releases Wiki Activity
1,002 Commits 2 Branches 0 Tags
Commit Graph

1002 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Alan Orth
027a43ddbe
roles/caddy: use default for encode 2025-03-29 22:49:30 +03:00
Alan Orth
bb30c3be20
host_vars/web22: update vhosts 2025-03-29 22:48:19 +03:00
Alan Orth
d8d9790d21
roles/nginx: enable nginx ssl_session_tickets 
This has apparently been supported since nginx 1.23.2 and is safe
to use the default (on) now.

See: https://github.com/mozilla/server-side-tls/issues/284
 2025-03-29 22:35:56 +03:00
Alan Orth
9a500ebc0d
roles/nginx: disable nginx ssl_prefer_server_ciphers 
This is apparently the default and recommended by Mozilla's server-
side SSL configurator also recommends. This lets the client choose
the ciphers best for them (and the ciphers in TLS 1.2 and 1.3 are
not currently known to be dangerous).
 2025-03-29 22:34:41 +03:00
Alan Orth
4bae942585
roles/nginx: add nginx ssl_ecdh_curve 
This seems to be new since I last looked at the Mozilla server-side
SSL configurator.
 2025-03-29 22:34:37 +03:00
Alan Orth
99866c0c90
roles/nginx: use one day for nginx ssl_session_timeout 
This is a new default since I last looked at the Mozilla server-side
SSL configurator.
 2025-03-29 22:34:32 +03:00
Alan Orth
0afb8a4493
roles/nginx: update nginx ssl_buffer_size 
The old default has not been changed in eight years and I see that
there have been some discussions over the years about this. I will
change this from the slightly extreme 1400 bytes to 4k (nginx def-
ault is still 16k so this is more "optimal" for HTML/CSS content).

See: https://github.com/igrigorik/istlsfastyet.com/issues/63
 2025-03-29 22:34:27 +03:00
Alan Orth
506695da31
roles/nginx/defaults: update version comments 2025-03-29 22:24:49 +03:00
Alan Orth
f67ed7762c
roles/nginx: fix http2 syntax 2025-03-29 22:20:49 +03:00
Alan Orth
014f4d9502
roles/nginx: add newline 2025-03-29 22:19:41 +03:00
Alan Orth
22c16e1ed3
roles/caddy/templates: closer to supporting WordPress 
I still wouldn't want to deploy WordPress on Caddy until it's more
obvious and standard to block paths that shouldn't be accessible.
It seems that this is still left as an exercise to the site admin.

This discussion has some tips, but it is four years old and hasn't
changed since I last looked.

See: https://caddy.community/t/using-caddy-to-harden-wordpress/13575
 2025-03-29 22:09:37 +03:00
Alan Orth
5aa6a33e51
roles/php-fpm: set user and group based on webserver 
We use either caddy or nginx, which are conveniently named the same
as the Unix user and group.
 2025-03-29 21:01:56 +03:00
Alan Orth
7f9b06af9c
roles/nginx: smarter setting of document root 2025-03-29 19:34:53 +03:00
Alan Orth
84db337fea
roles/caddy: smarter setting of document root 2025-03-29 19:33:02 +03:00
Alan Orth
7b23f5f94f
roles/caddy: add missing tag 2025-03-29 19:16:03 +03:00
Alan Orth
9830338be3
Use one default root prefix for nginx and caddy 2025-03-29 19:15:56 +03:00
Alan Orth
e3eed26765
roles/caddy: update vhost template 2025-03-29 18:37:28 +03:00
Alan Orth
8b31c7e148
host_vars/web22: WordPress 6.7.2 2025-03-29 16:10:23 +03:00
Alan Orth
3ff8043aaf
Pipfile.lock: run pipenv update 2025-03-29 15:30:08 +03:00
Alan Orth
cb79f7ef70
roles/common: minor change to firehol update script 
They include bogons like 127.0.0.1 that should not be routed on the
public Internet, but this blocks local applications we proxy to.
 2025-01-28 09:14:48 +03:00
Alan Orth
bb14f05d2a
roles/common: use Ansible timezone module 
No need to use a command for that. The module does it better because
it doesn't register a change unless the timezone changes.
 2025-01-27 23:11:56 +03:00
Alan Orth
5b1530fa91
roles/common: rework firewall 
Use firehol instead of all the others. AbuseIPDB.com can't be upd-
ated automatically, Abuse.ch is no longer maintained, and Spamhaus
is already in firehol.
 2025-01-27 23:05:45 +03:00
Alan Orth
5312dc6bd5
roles/common: use common nftables task 
Use a common nftables task on Debian and Ubuntu.
 2025-01-27 23:05:38 +03:00
Alan Orth
d6e060d3af
roles/common: simplify firewall tasks 
Apply firewall tag to included tasks, then we don't need to use a
block.
 2025-01-27 22:30:50 +03:00
Alan Orth
b873af004a
roles/common: single firewall task include 
Use one include from the main tasks file.
 2025-01-27 22:28:27 +03:00
Alan Orth
7ea3ab46f8
host_vars/web22: WordPress 6.7.1 2025-01-27 21:48:16 +03:00
Alan Orth
0561bd5b52
Pipfile.lock: run pipenv update 2025-01-27 21:36:13 +03:00
Alan Orth
d62572f02c
Pipfile: python 3.13 2025-01-27 21:35:58 +03:00
Alan Orth
2ffe5e87d9
host_vars/web22: WordPress 6.6.2 2024-12-30 11:03:47 +03:00
Alan Orth
38d4f1a303
Pipfile.lock: run pipenv update 2024-12-30 11:03:35 +03:00
Alan Orth
ed8cb88038
host_vars/web22: WordPress 6.5.5 2024-06-25 08:18:22 +03:00
Alan Orth
c31e447861
roles/nginx: update signing key 2024-06-25 08:11:59 +03:00
Alan Orth
545684467c
host_vars/nomad03: remove 2024-06-05 20:35:29 +03:00
Alan Orth
24ae5eaab1
host_vars/web22: WordPress 6.5.3 2024-05-13 14:51:45 +03:00
Alan Orth
dac23f1427
Pipfile: use Python 3.12 2024-05-13 14:51:34 +03:00
Alan Orth
41fbc73dd1
host_vars/web22: WordPress 6.4.3 2024-03-20 20:28:13 +03:00
Alan Orth
fee794bcf0
Update Pipfile 2024-03-20 20:28:00 +03:00
Alan Orth
8bce1d8b1b
host_vars/web22: WordPress 6.4.1 2023-12-02 22:40:06 +03:00
Alan Orth
6dc2ea36b6
roles/nginx: fix path to php 8.2 socket 2023-09-11 19:55:24 +03:00
Alan Orth
af71a9b5f8
roles/php-fpm: remove fmt strings 
Ansible confuses them for jinja2 tokens.
 2023-09-11 19:52:18 +03:00
Alan Orth
4dd57803e2
roles/php-fpm: fix user/group for php 8.2 configs 2023-09-11 19:51:59 +03:00
Alan Orth
18d4245fc0
roles/common: fix tarsnap signing of apt repo 2023-09-11 19:37:49 +03:00
Alan Orth
1bddf3cccd
Pipfile.lock: run pipenv update 2023-09-11 18:52:25 +03:00
Alan Orth
20dbe61fe1
roles/mariadb: use MariaDB 10.11 
The server has already been updated from 10.6 to 10.11.

See: https://mariadb.com/kb/en/upgrading-from-mariadb-10-6-to-mariadb-10-11/
 2023-09-10 22:53:10 +03:00
Alan Orth
899e87321b
host_vars/web22: WordPress 6.3.1 2023-09-10 22:44:23 +03:00
Alan Orth
06416a3b64
roles: run ansible-lint --write 2023-08-23 22:22:51 +03:00
Alan Orth
7a9a24ef5d
roles/common: rework fail2ban again 
Actually, we do want to run fail2ban on all hosts because the sshd
monitoring via systemd is nice. At the very least it reduces spam
from failed logins in our systemd journal.
 2023-08-23 22:15:24 +03:00
Alan Orth
067adcd9f5
roles/common: rework fail2ban tasks 
We can only run fail2ban when we have logs to monitor. When a host
is running Caddy we don't have logs, so fail2ban doesn't have any-
thing to monitor out of the box. For now I will restrict the task
to hosts running nginx.
 2023-08-23 21:59:28 +03:00
Alan Orth
84d210cfab
roles/common: re-format handlers 
Use the newer Ansible format.
 2023-08-23 21:35:28 +03:00
Alan Orth
17736a4f14
roles/common: run ansible-lint --write 2023-08-23 21:33:22 +03:00