250b196bf8
roles/nginx: Add comment for sendfile option
From: https://github.com/h5bp/server-configs-nginx/blob/master/nginx.conf
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2016-03-12 19:27:56 +02:00
89bee2e6db
roles/nginx: Add comment for gzip_vary
From: https://github.com/h5bp/server-configs-nginx/blob/master/nginx.conf
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2016-03-12 19:25:57 +02:00
27a3ee9651
roles/nginx: Add cache control header for SVG images
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2016-03-12 19:17:40 +02:00
c6cc1f57bb
roles/nginx: Add image/svg+xml to gzip types
Google's PageSpeed Insights tool pointed out that the Genericons
in WordPress' Jetpack module could be compressed.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2016-03-12 19:16:23 +02:00
926cdf58cf
roles/nginx: keepalive_timeout is in seconds
See: http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2016-03-12 19:02:57 +02:00
b9a9d415f1
host_vars/web06: Add vars for new Piwik database
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2016-03-11 19:09:55 +02:00
6a3b8f0918
Update some bare variables in with_items loops to use Ansible 2.0 syntax
See: https://docs.ansible.com/ansible/porting_guide_2.0.html
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2016-03-11 18:53:07 +02:00
869d7f6c7e
roles/php5-fpm: Disable always_populate_raw_post_data
Deprecated in PHP 5.6 and causes problems with Piwik. I'm not sure
if WordPress needs this, but I did find some references in its code
to $HTTP_RAW_POST_DATA.
See: https://secure.php.net/manual/en/migration56.deprecated.php#migration56.deprecated.raw-post-data
See: https://www.bram.us/2014/10/26/php-5-6-automatically-populating-http_raw_post_data-is-deprecated-and-will-be-removed-in-a-future-version/
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2016-03-11 18:50:32 +02:00
c3dc5dc0aa
group_vars/all: Update TLS cipher suite to latest Mozilla "Intermediate" recommendations
See: https://wiki.mozilla.org/Security/Server_Side_TLS
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2016-03-08 12:45:58 +02:00
7d61262a76
README.md: Update copyright to 2016
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2016-02-27 18:45:36 +02:00
94abbc3cd0
README.md: Update playbook invocation for ansible become
See: https://docs.ansible.com/ansible/become.html
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2016-02-09 16:43:08 +02:00
237bf50ac7
host_vars/web06: Update to WordPress 4.4.2
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2016-02-04 18:17:19 +02:00
ee0621fc20
web.yml: sudo -> become for Ansible 2.0
Some language changed in Ansible 2.0.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2016-01-12 22:55:58 +02:00
2da8876caa
host_vars/web06: Update to WordPress 4.4.1
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2016-01-07 12:37:36 +02:00
65d4c28396
README.md: Grammar
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-10 00:44:14 +02:00
43a7039dc9
roles/nginx: Remove "enable_https" config logic
Everything is HTTPS now, whether self-signed or otherwise, so it
doesn't make sense to have a config switch for this.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-10 00:38:53 +02:00
940b2720da
Rename nginx_* variables underneath nginx_vhosts
It's just deduplication, since it's already obvious that the dict
is for nginx-related vars:
- nginx_domain_name→domain_name
- nginx_domain_aliases→domain_aliases
- nginx_enable_https→enable_https
- nginx_enable_hsts→enable_hsts
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-10 00:25:44 +02:00
41547defb9
Finish moving logic and variables from nginx_tls_vhosts to nginx_vhosts
Everything is TLS now (whether self-signed or not), so it's pointless
to distinguish.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-10 00:14:47 +02:00
7b9536838c
roles/nginx: Move nginx tls_vhosts.yml to vhosts.yml
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-09 23:56:50 +02:00
dc5c09036c
Change pattern from nginx_tls_vhosts→nginx_vhosts
All hosts should have TLS now, whether self-signed "snakeoil" certs
or otherwise.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-09 23:54:18 +02:00
27a4abfcfd
roles/nginx: Add comments about defaults in templates
It would be better to set these defaults in the role's defaults, but
we can't because they exist in dicts for each of the host's sites.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-09 23:29:33 +02:00
86ee36da77
roles/nginx: Clean up template spacing
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-09 23:25:38 +02:00
a8005404f1
roles/nginx: Use more consistent naming for per-host nginx options
The `enable_https` option in host_vars becomes `nginx_enable_https`
to be more consistent with other nginx options used in host_vars.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-09 23:21:19 +02:00
1701937006
host_vars/web06: Update to WordPress 4.4
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-09 11:00:51 +02:00
178d633794
host_vars/web06: Add HSTS to englishbulgaria.net
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-08 22:42:41 +02:00
d80399d152
roles/php5-fpm: Increase memory allocation
I added another WordPress blog so I need more memory for caching
now. Eventually I wonder if I should deduplicate these somehow...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-08 21:08:34 +02:00
a9cabe693b
host_vars/web06: Add englishbulgaria.net
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-08 17:47:41 +02:00
805db6a9ef
roles/mariadb: Create utf8mb4 databases by default
This is better for supporting Unicode values in the database, see:
https://mathiasbynens.be/notes/mysql-utf8mb4
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-08 17:27:37 +02:00
a7094e0964
roles/nginx: Adjust spacing in template
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-08 17:19:46 +02:00
98afeddbbf
roles/nginx: Allow using self-signed TLS certs with dev hosts
Set `use_snakeoil_cert: 'yes'` in host_vars. This is good for dev
hosts where we don't have real domains or real certs. But everything
should have TLS.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-08 17:18:21 +02:00
4507e20155
roles/nginx: Change owner/group of WordPress folder to nginx after cloning
Otherwise stuff like theme and plugin installs won't work.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-08 16:58:54 +02:00
60c37821d6
roles/nginx: Only use Linode DNS resolvers for OCSP if it's a linode host
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-11-30 17:40:32 +02:00
5f71991259
roles/common: Use httpredir.debian.org as default Debian mirror
Automatically uses the best mirror for your location, see:
http://httpredir.debian.org/demo.html
Should be much better than any hardcoded default for most hosts.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-11-30 09:34:16 +02:00
c0431d4247
Switch HTTPS vhosts to Let's Encrypt certificates
For now I generated the certs manually, but in the future the playbook
should run the letsencrypt-auto client for us!
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-11-07 20:53:39 +03:00
13a1889017
roles/mariadb: Upgrade to MariaDB 10.1
10.1 was marked as stable:
https://blog.mariadb.org/mariadb-10-1-is-stable-ga/
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-10-19 21:54:26 +01:00
229dd499dd
roles/php5-fpm: Remove default www pool
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-09-27 01:28:47 +03:00
cb67d6aa40
Rename 'use_https' to 'enable_https'
To be consistent with other similar variables.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-09-27 00:34:40 +03:00
7cb3adf11c
host_vars/web06: Move HSTS variable to host_vars
Moved out of role defaults, as it is really a per-vhost thing.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-09-27 00:31:01 +03:00
52dc0c357b
roles/nginx: Add HSTS check to vhost template
We need to actually check if HSTS was requested before setting the
header in the block handling PHP requests. We check in the main vhost
block, but nginx headers are only inherited if you don't set ANY
headers in child blocks (ie, headers set in parent blocks are cleared
if you set any new ones in the child).
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-09-27 00:27:41 +03:00
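The inheritance rule described in that commit, shown as an added example rather than the playbook's own vhost template; the domain, the loop variable `item`, the `max-age` value and the php5-fpm socket path are assumptions:

```nginx
server {
    listen 443 ssl http2;
    server_name example.com;   # assumed domain

    # Set at server level: only inherited by location blocks that
    # themselves set NO headers at all.
    {% if item.enable_hsts == 'yes' %}
    add_header Strict-Transport-Security "max-age=15768000" always;
    {% endif %}

    location ~ \.php$ {
        # The first add_header here replaces the entire inherited set,
        # so HSTS has to be repeated (behind the same check) or PHP
        # responses silently go out without it.
        add_header X-Content-Type-Options nosniff;
        {% if item.enable_hsts == 'yes' %}
        add_header Strict-Transport-Security "max-age=15768000" always;
        {% endif %}

        include fastcgi_params;
        fastcgi_pass unix:/var/run/php5-fpm.sock;   # assumed socket path
    }
}
```

After deploying, compare `curl -sI https://example.com/` with `curl -sI https://example.com/index.php`: both responses should carry the Strict-Transport-Security header, and the static path alone carrying it is the symptom this commit fixes.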
48978407b8
roles/nginx: Move HTTP Strict Transport Security toggle to vhosts
This is really a per-site setting, so it doesn't make sense to have
a role default. Anyways, HSTS is kinda tricky and potentially dangerous,
so unless a vhost explicitly sets it to "yes" we shouldn't enable it.
Note: also switch from using a boolean to using a string; it is still
declarative, but at least now I don't have to guess whether it is being
treated as a bool or not.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-09-27 00:24:58 +03:00
f098b114d3
README.md: Minor syntax cleanups
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-09-26 23:37:09 +03:00
295a9b4924
Remove references to Ubuntu for requirements
Now I am doing most of the work on Debian boxes.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-09-26 23:35:12 +03:00
f16b143eac
roles/munin: Update munin-node.conf template
We actually need to use /var/log/munin for munin-node on Debian
too, as that's what is created by the package manager during
installation.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-09-26 23:30:22 +03:00
24a3724dfe
roles/nginx: Remove spdy_headers_comp
It was deprecated when nginx added support for HTTP/2.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-09-23 18:20:38 +03:00
a3e71e75d2
roles/nginx: SPDY -> HTTP/2
nginx 1.9.5 mainline adds support for HTTP/2 and deprecates SPDY.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-09-22 19:40:30 +03:00
110981d9c3
host_vars/web06: Update to WordPress 4.3.1
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-09-16 10:32:14 +03:00
973b37be4e
roles/common: Tweak sshd_config to match NSA Suite B recommendations
NSA stopped recommending AES-128 in August, 2015...
Before: https://web.archive.org/web/20150403110658/https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml
After: https://web.archive.org/web/20150815072948/https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml
I don't see why we shouldn't follow suit; maybe they know something
we don't!
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-09-02 16:55:51 +03:00
5c0a7c2c72
group_vars/all: Update TLS cipher suite
Use latest Mozilla intermediate suite:
https://wiki.mozilla.org/Security/Server_Side_TLS
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-09-02 15:11:57 +03:00
5a92694d5b
host_vars/web06: Remove list of ssh users
Only allow access by the provisioning user.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-09-02 12:25:24 +03:00
8b336352d7
roles/common: Only allow ssh access by provisioning user
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-09-02 12:24:11 +03:00