ansible-personal

Author	SHA1	Message	Date
Alan Orth	29f7a76545	roles/nginx: Update location regex for PHP scripts Just use the same one as the Nginx wiki and some other resources. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-02-26 16:40:38 +03:00
Alan Orth	55fddf03b3	Remove provisioning user management It's just too tricky to manage this. Ubuntu / RedHat preseeds and kickstarts can create the user and add it to groups, but only when we control the initial boot environment (ie not on Linode, Digital Ocean, etc), so let's just say we assume this user exists and can get root with sudo by the some we are running ansible on it. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-02-20 15:06:45 +03:00
Alan Orth	6b528ecc92	roles/php5-fpm: Fix creation of pool configs for both tls and non-tls vhosts Ansible's union thing only works on sets and lists, here we have a dict. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-02-19 19:41:48 +03:00
Alan Orth	b93da27fde	roles/nginx: Create fastcgi cache dir Or else nginx doesn't start. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-02-19 18:49:39 +03:00
Alan Orth	d8b6222527	host_vars/web05: Re-organize variables for wordpress_version logic Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-02-19 18:42:47 +03:00
Alan Orth	0b90bad6a9	roles/nginx: Add fastcgi caching Bypasses caching for logged in users (right now only for sessions where the "wordpress_logged_in" cookie is set. Doubles the trans- actions per second as measured by siege: $ siege -d1 -t1M -c50 https://mjanja.ch Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-02-10 23:04:28 +03:00
Alan Orth	4ea152bf51	roles/nginx: Add HTTP headers for web application security See: https://github.com/h5bp/server-configs-nginx/blob/master/h5bp/directive-only/extra-security.conf See: https://www.owasp.org/index.php/List_of_useful_HTTP_headers Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-24 13:05:42 +03:00
Alan Orth	0dc4d3f147	roles/nginx: Add a second OCSP stapling responder Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-24 12:44:27 +03:00
Alan Orth	7457ac3b93	roles/nginx: Always set HSTS header nginx 1.7.5 allows us to always set HTTP headers: See: http://mailman.nginx.org/pipermail/nginx-announce/2014/000145.html Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-24 12:40:48 +03:00
Alan Orth	c3bc6d949d	roles/nginx: Add nginx rewrites for Yoast WordPress SEO plugin Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-23 12:26:24 +03:00
Alan Orth	171798c76d	roles/common: Add DSA/ECDSA cleanup to ssh tasks We don't want to support these signature algorithms! Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-20 16:31:37 +03:00
Alan Orth	0d2763fb59	roles/common: Remove ECDSA SSH public key for aorth@noma Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-12 18:19:49 +03:00
Alan Orth	d7dd81bc84	roles/common: Add ED25519 SSH public key for aorth@noma Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-12 18:19:21 +03:00
Alan Orth	13b592dfcd	roles/common: Tune sshd_config to be more strict Disable ECDSA as a signature algorithm and drop some older message authentication algorithms. See: https://stribika.github.io/2015/01/04/secure-secure-shell.html Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-07 01:47:06 +03:00
Alan Orth	a80cb49957	roles/common: Update sshd_config template to explicitly allow the provisioning user Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-06 17:45:06 +03:00
Alan Orth	3b6c9745ab	roles/common: Add provisioning user to sudoers Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-05 08:24:13 +03:00
Alan Orth	36a3bbf36d	vars/Ubuntu.yml: Remove apt_mirror It's better to just use Ubuntu's defaults, and then override on a per-host basis. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-04 02:54:22 +03:00
Alan Orth	0f5b088c08	roles/common: Add createhome:yes to provisioning user task Need to make sure the user gets created on a fresh install, like on Amazon EC2 or OpenStack images where the first user is `ubuntu' and you can't assume `provisioning' is already created. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-04 02:24:53 +03:00
Alan Orth	f219cf23fe	Move Debian.yml vars to Ubuntu.yml I was using ansible_os_family to get settings for Debian-family hosts, but this doesn't work so well when you have an apt_mirror which is only Debian or Ubuntu, for example. I don't have any Debian hosts here, but anyways, it's better this way so I can be more flexible in the future. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-04 01:51:37 +03:00
Alan Orth	55b1362f54	host_vars/web05: Bump WordPress version to 4.1 Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-04 00:43:53 +03:00
Alan Orth	6ccfdb99fa	roles/nginx: Enable OCSP stapling Reduces round trip time for clients. Note: I am using a certificate chain in the `ssl_certificate' directive, so as I understand it, I don't need to use an explicit trusted intermediate + root CA cert with the `ssl_trusted_certificate' option. See the nginx docs for more[0]. Addresses GitHub Issue #5. Seems to be working, test with: $ openssl s_client -connect mjanja.ch:443 -servername mjanja.ch -tls1 -tlsextdebug -status Look for "OCSP Response" with "Cert Status: good". [0] http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-12-06 23:28:05 +03:00
Alan Orth	f23f0713d2	roles/nginx: Enable SPDY header compression Recommended by Ilya Grigorik to be set to 6. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-12-06 22:40:39 +03:00
Alan Orth	15603ba9e8	roles/nginx: Disable SSL session tickets Session tickets increase performance, but decrease security, so let's just turn them off. See the following posts: - https://timtaubert.de/blog/2014/11/the-sad-state-of-server-side-tls-session-resumption-implementations/ - https://www.imperialviolet.org/2013/06/27/botchingpfs.html - https://github.com/igrigorik/istlsfastyet.com/blob/master/nginx/includes/ssl.conf Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-12-06 22:37:00 +03:00
Alan Orth	23d76a535f	roles/nginx: Set nginx SSL session timeout to 24 hours Default is 5 minutes, but it seems like unless you're a high-traff- ic site, there's no need to expire sessions so quickly. Also, the istlsfastyet.com configs are using 24 hours, so surely we can. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-12-06 22:19:12 +03:00
Alan Orth	d8cd31049b	roles/nginx: Format and add comments to nginx https config Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-12-06 22:17:52 +03:00
Alan Orth	be6c76a2af	roles/nginx: Set nginx SSL buffer size to 1400 istlsfastyet.com recommends setting the buffer size to 1400 so it can fit into a single MTU. nginx default is 16k! http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-12-06 22:16:07 +03:00
Alan Orth	d04293a664	roles/nginx: Set nginx state to 'latest' in apt This way we can upgrade nginx simply by running the nginx tags. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-12-02 18:48:11 +03:00
Alan Orth	1073b8e1b6	host_vars/web05: Add mosh ports to iptables Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-11-21 00:29:08 +01:00
Alan Orth	956fbefc1a	roles/nginx: Switch to nginx mainline (1.7) Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-11-07 01:02:44 +03:00
Alan Orth	3f5634110a	roles/nginx: Add comment about try_files for serving static files from disk Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-11-07 00:41:07 +03:00
Alan Orth	c870044584	roles/nginx: Adjust Cache-Control headers Use "public" with "max-age" instead of Expires, as "max-age" is always preferred if it's present. Note: setting "public" doesn't make the resource "more cacheable", but it is just more explicit. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-11-07 00:29:53 +03:00
Alan Orth	b71269e6cb	host_vars/web05: Add TLS keys back The other method wasn't as clever as I had thought, as I couldn't get it to work again! Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-27 21:19:53 +03:00
Alan Orth	08a920d0cb	Revert "roles/nginx: Ingenius use of YAML hashes to derive TLS key from another file" This reverts commit `59b9bd70b8`. Might not be so ingenious. Can't get this to work anymore...	2014-10-27 21:16:43 +03:00
Alan Orth	54993d6d6b	Update tls cipher suite with latest string from Mozilla TLS guide https://wiki.mozilla.org/Security/Server_Side_TLS states" Version 3.3: ulfr: fix SHA256 prio, add POODLE details, update various templates Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-25 12:36:19 +03:00
Alan Orth	c3f5e27642	roles/common: Add ECDSA public key for noma Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-12 13:25:48 +03:00
Alan Orth	a265e48a9f	roles/common: Remove RSA public key Both client and server support ed25519, so there's no need to even have the RSA key here. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-12 13:23:01 +03:00
Alan Orth	b89e51d270	host_vars/web05: Remove TLS keys from host_vars Now they live in one file, vars/tls_keys.yml. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-11 15:43:17 +03:00
Alan Orth	59b9bd70b8	roles/nginx: Ingenius use of YAML hashes to derive TLS key from another file This is kinda crazy, but makes the host_vars much easier to read. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-11 15:42:44 +03:00
Alan Orth	7ad41df199	Add host_var file for web05 Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-11 15:03:56 +03:00
Alan Orth	e24a987d3b	vars/Debian.yml: Update apt mirror to Linode one Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-11 14:20:37 +03:00
Alan Orth	5e0da37542	roles/common: Remove task which removes irqbalance Prevailing wisdom is actually that this can help virtual hosts, especially when the VM guest has multiple CPUs. See: http://wiki.xen.org/wiki/Network_Throughput_and_Performance_Guide Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-11 13:31:23 +03:00
Alan Orth	1ee7b385bf	roles/common: Rename SSH keys Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-11 13:19:32 +03:00
Alan Orth	1e2193efc9	roles/common: Add functionality to copy user keys to provisioning user Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-11 12:13:45 +03:00
Alan Orth	614f90a058	web.yml: Modify to incorporate provisioning user stuff Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-11 12:12:32 +03:00
Alan Orth	c53dd18181	roles/common: Add role to manage provisioning user Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-11 12:11:44 +03:00
Alan Orth	42b893b2a7	roles/nginx: Add expires to static files Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-10 11:05:42 +03:00
Alan Orth	81a98596e3	Downgrade TLS configuration to Mozilla's "intermediate" spec From looking at the list of clients who would be allowed to connect when using the "modern" spec, I think I'd be doing more harm than good to use that config right now... https://www.ssllabs.com/ssltest/analyze.html?d=alaninkenya.org https://wiki.mozilla.org/Security/Server_Side_TLS Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-09 21:09:18 +03:00
Alan Orth	d06ddf8a81	roles/nginx: Update TLS vhost task for Ansible > 1.7.1 Seems there is some YAML sublety that causes this syntax to insert double spaces on the destination file... using native YAML hashes are a workaround, see GitHub issues: https://github.com/ansible/ansible/issues/9067 https://github.com/ansible/ansible/issues/9172 Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-09 20:57:24 +03:00
Alan Orth	ad8a704470	Update TLS configuration to Mozilla's "modern" spec Details, see: - https://jve.linuxwall.info/blog/index.php?post/2014/10/09/Automated-configuration-analysis-for-Mozilla-s-TLS-guidelines - https://wiki.mozilla.org/Security/Server_Side_TLS Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-09 20:56:08 +03:00
Alan Orth	ad90f7f0fb	roles/nginx: Use HSTS for https vhosts Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-06 10:46:04 +03:00

... 3 4 5 6 7

301 Commits