Commit Graph

171 Commits

Author SHA1 Message Date
12711afac9
roles/nginx: Add dependencies for certbot on Ubuntu 18.04
Taken from running the Let's Encrypt certbot-auto client on a freshly
installed Ubuntu 18.04 system.
2018-04-25 19:40:33 +03:00
913f59ced6
group_vars/dspace: Update comment for nginx branch
NGINX 1.14.0 was released and is the current "stable" version. The
next "mainline" version should be 1.15.0.

See: https://nginx.org/en/CHANGES-1.14
2018-04-18 16:58:33 +03:00
632aa1cf14 Fix a few more Jinja2 filters used as tests
I had created these earlier in this branch before rebasing it on top
of the Ansible 2.5.0 readiness branch.

See: https://docs.ansible.com/ansible/devel/porting_guides/porting_guide_2.5.html
2018-04-05 12:17:26 +03:00
d1ba60e15d Use version_compare to test for Ubuntu 18.04 "bionic"
It just feels more correct, plus I usually forget the release code
name from time to time.
2018-04-05 12:17:26 +03:00
ed607aab68 roles/nginx: Use correct php-fpm socket on Ubuntu 18.04 2018-04-05 12:17:26 +03:00
5c3553e684 roles/nginx: Use Ubuntu 17.10's packages on Ubuntu 18.04
There are no nginx packages for Ubuntu 18.04 "bionic" yet so we
should use Ubuntu 17.10 "artful".
2018-04-05 12:17:25 +03:00
57120308dc
Update with_items loops to use new-ish "loop" keyword
Ansible 2.4 and 2.5 are moving away from specialized loop functions
and the old syntax will eventually be deprecated and removed. I did
not change the with_fileglob loops because I'm not sure about their
syntax yet.

See: https://docs.ansible.com/ansible/latest/user_guide/playbooks_loops.html
2018-04-02 15:52:51 +03:00
ffee9250ee
Use new syntax for Jinja2 filters that are used as tests
Ansible 2.5.0 uses a new syntax for Jinja2 filters that are used as
tests.

See: https://docs.ansible.com/ansible/devel/porting_guides/porting_guide_2.5.html
2018-04-02 15:37:37 +03:00
d155898bb1
Use new syntax for Jinj2 filters that are used as tests
Ansible 2.5.0 uses a new syntax for Jinja2 filters that are used as
tests.

See: https://docs.ansible.com/ansible/devel/porting_guides/porting_guide_2.5.html
2018-03-21 21:17:21 +02:00
a5e6513be3
roles/dspace: Update gzip_types formatting
From the H5BP project, see:

https://github.com/h5bp/server-configs-nginx/blob/master/nginx.conf
2017-11-14 12:44:56 +02:00
97aca2cad2
roles/nginx: Remove Internet Explorer 6 gzip disable
I have zero idea if we have IE6 clients any more, but according to the
H5BP community IE6 actually did support gzip and only represents 0.1%
of Internet traffic in 2015 (!) anyways.

See: https://github.com/h5bp/server-configs-nginx/issues/125
2017-11-14 12:43:02 +02:00
d15c9851db
roles/nginx: Use https for apt repository 2017-11-05 01:30:49 +02:00
9b4f662bc5 roles/nginx: Use systemd module instead of service 2017-11-05 00:27:44 +02:00
73e6d0b7ed
roles/nginx: Fix issue raised by ansible-lint
[ANSIBLE0006] systemctl used in place of systemd module

Also, move the functionality of the changed check to the systemd task,
because it has the ability to simply daemon-reload itself now.
2017-10-31 23:18:15 +02:00
e86e2c081b
roles/nginx: Use 'present' instead of 'latest' to install nginx
Raised by the following rule in ansible-lint:

[ANSIBLE0010] Package installs should not use latest
2017-10-03 15:04:54 +03:00
5281d41445
Add names to include tasks
Raised by ansible-lint in the following rule:

[ANSIBLE0011] All tasks should be named
2017-10-03 15:03:09 +03:00
16a9ebf97f
Adjust playbooks for Ansible 2.4 import changes
Ansible 2.4 changes the way includes work. Now you have to use "import"
for playbooks and tasks that are static, and "include" for those that
are dynamic (ie, those that use variables, loops, etc).

See: http://docs.ansible.com/ansible/devel/playbooks_reuse_includes.html
2017-09-21 21:30:47 +03:00
d518bc51a4
Use nginx user instead of www-data on Debian 9
Using www-data was a temporary measure while I was waiting for the
official nginx.org packages to be released for Debian 9 and we had
to use Debian's own nginx package.
2017-06-19 18:36:13 +03:00
b2d3984c5a
roles/nginx: Fix PHP-FPM socket location on Debian 9
Debian 9 and Ubuntu 16.04 use the same PHP-FPM configuration so we
can make use of that here.
2017-06-18 11:04:30 +03:00
4ff2ac1737
roles/nginx: Update comment about nginx versions
Version 1.12.x is now stable and 1.13.x is now mainline.

See: https://www.nginx.com/blog/nginx-1-12-1-13-released/
2017-04-14 16:07:33 +03:00
a7a6fa38c9
roles/nginx: Official builds for Debian Stretch
Now that there are official nginx.org builds for Debian 9 we don't
need to use Debian's own nginx packages.
2017-04-14 16:06:32 +03:00
5b51fcedc2
roles/nginx: Sort packages for Let's Encrypt deps on Ubuntu 2017-02-16 18:16:09 +02:00
a6f0d5f7d3
roles/nginx: Add package deps for Let's Encrypt on Debian 9
Taken from running certbot-auto on a clean Debian 9 installation.
2017-02-16 18:15:06 +02:00
e13ef95f70
roles/nginx: Update nginx.conf.j2
This is to accomodate Debian's 9 nginx package, as it provides a
different system user/group than nginx.org's packages.
2017-01-30 15:45:50 +02:00
6de385021d
roles/nginx: Updates to accomodate Debian 9 (stretch)
There are currently no nginx.org builds for Debian 9, so we need to
use the package from Debian's repository. This package provides a
www-data user and group instead of an nginx one.

We can revert some of this after Debian 9 is released and official
builds come from nginx.org (though it might be useful to keep the
main nginx.conf as a template).
2017-01-30 15:43:03 +02:00
50536af990
Use Ansible's version_compare instead of doing math on strings
I'm surprised this worked all these years actually. Since Ansible
version 1.6 it has been possible to use the version_compare filter
instead of doing math logic on strings.

See: https://docs.ansible.com/ansible/playbooks_tests.html
2016-12-20 15:04:47 +02:00
d694616cf3
roles/nginx: Make sure to set HSTS headers on WordPress static files
I realized the other day that due to complex logic in the location
blocks, various WordPress static files like images and stylesheets
didn't get the HTTP Strict Transport Security header set. We need
to include it on each level where we are setting headers, because
nginx overwrites headers if you set them again in a child block.
2016-11-20 17:25:01 +02:00
30a5744812
roles/nginx: Decrease gzip_min_length from 860 to 256
There was some knowledge floating around that 860 bytes was the
optimal size, I think it was from an Akamai engineer or something,
but the HTML 5 Boilerplate server configs use 256 bytes, and I
actually have HTML content that is less than 860 bytes, so I guess
I could benefit from compressing it. gzip compression is costly
for the compression side, but very quick for the client, so this
is a good thing.

See: https://github.com/h5bp/server-configs-nginx/blob/master/nginx.conf
2016-11-14 12:46:34 +02:00
c1cecd4cbf
roles/nginx: Update comment for gzip_comp_level
From the HTML 5 Boilerplate server configs, see:

https://github.com/h5bp/server-configs-nginx/blob/master/nginx.conf
2016-11-14 12:32:39 +02:00
61919745c8
roles/nginx: Update gzip compression types
Latest from the HTML 5 Boilerplate project, see:

https://github.com/h5bp/server-configs-nginx/blob/master/nginx.conf
2016-11-14 12:28:18 +02:00
36c16e93bb
roles/nginx: Reduce gzip_comp_level from 6 to 5
After performing some tests[0] again I see that level 5 produces
the most acceptable results for my site currently. Others[1] are
using the same, so I'll gladly accept a little less CPU load for
a tradeoff of a few bits of file size.

[0] https://mjanja.ch/2015/03/finding-the-nginx-gzip_comp_level-sweet-spot/
[1] https://github.com/h5bp/server-configs-nginx/blob/master/nginx.conf
2016-11-14 12:08:21 +02:00
a94b14119e
roles/nginx: Increase error log level to warn
This will show warnings in the error log, as well as more severe
log messages.

See: http://nginx.org/en/docs/ngx_core_module.html#error_log
2016-11-14 11:58:51 +02:00
3d6844a7b7
roles/nginx: Update comments in nginx.conf
Update comments from latest copy of the HTML 5 Boilerplate's nginx
server configs repo.

See: https://github.com/h5bp/server-configs-nginx/blob/master/nginx.conf
2016-11-14 11:55:37 +02:00
3a8b64a5ab
roles/nginx: Remove 'public' from Cache-Control header
If a max-age is specified the 'public' is implicit.

See: https://developers.google.com/web/fundamentals/performance/optimizing-content-efficiency/http-caching
2016-11-14 07:58:46 +02:00
a5f8ab6182
roles/nginx: Harden security headers
Always add security headers, not just for successful HTTP response
codes. See the nginx `add_header` docs.
2016-11-13 23:45:42 +02:00
99caf49a90
roles/nginx: Minor typo in comment 2016-10-18 21:41:46 -04:00
3d6afc667d
roles/nginx/tasks/letsencrypt.yml: Add system deps for certbot
Shit ton of dependencies actually... wow.
2016-10-09 14:06:06 +03:00
651c01a29b
Set use_letsencrypt to true for nginx role
The variable name is misleading as this really does is install the
certbot client and its dependencies, and we generally want this to
always happen. If a host doesn't want it, they can override it in
their host vars.

Perhaps I should rename this variable to "bootstrap_letsencrypt" or
something so it is more accurate.
2016-10-09 11:59:21 +03:00
158df52e35
roles/nginx: Fix systemd unit for renewing Let's Encrypt certs
The `ConditionFileIsExecutable` goes in the [Unit] section! This
fixes the error:

  systemd[1]: [/etc/systemd/system/renew-letsencrypt.service:6] Unknown lvalue 'ConditionFileIsExecutable' in section 'Service'
2016-09-25 15:55:45 +03:00
422caec2a7
roles/nginx: Only add PHP configuration on vhosts that need it 2016-09-13 15:59:24 +03:00
586ad76d6b
roles/nginx: Only use index.php on hosts that need it
Otherwise, use index.html.
2016-09-13 15:58:40 +03:00
740e5195a0
roles/nginx: Add new variable "needs_php"
Used to indicate if a vhost needs PHP configuration or not, like
for a static site. Set in the hosts's nginx_vhosts block. Defaults
to "False" if unset.
2016-09-13 14:53:12 +03:00
4866083539
roles/nginx: Update comment for option variables 2016-09-13 14:51:49 +03:00
d1871d9706
roles/nginx: Check for variable existence before testing
Some vhosts might not have WordPress so we need to be better about
testing for this before checking its value.
2016-09-12 20:58:21 +03:00
e036349661
roles/nginx: Only check WordPress variables is vhost is using WordPress
This variable is used to control the FastCGI cache, and doesn't
need to be checked if the vhost isn't using WordPress.
2016-09-12 20:57:10 +03:00
8851f8f631 Revert "Only update packages indexes if the cache is 1 hour old"
This reverts commit 201165cff6.

Turns out this actually breaks initial deployments, because the
cache gets updated in the first task, then you add sources for
nginx and mariadb, but it doesn't update the indexes because the
cache is < 3600 seconds old, so you end up getting the distro's
versions of nginx and mariadb.
2016-08-25 12:58:15 +03:00
c8adba0580
roles/nginx: Add nginx signing key id to apt_key task
When you give Ansible the key id it will check if the key exists
before trying to download and add it. I got the long fingerprint
from `sudo apt-key finger`.
2016-08-22 16:20:10 +03:00
c9ef9e24f5
Use https:// for fetching apt package signing keys
I don't know why I wasn't using these before.
2016-08-22 16:06:13 +03:00
201165cff6
Only update packages indexes if the cache is 1 hour old
I have added cache_valid_time=3600 for the first task in each
tag that could be possibly running apt-related commands. For ex,
the "nginx" tag is also in the "packages" tag, but sometimes you
run the nginx tag by itself (perhaps repeatadely), so you'd want
to limit the update unless the cache was 1 hour old
2016-08-22 15:33:57 +03:00
aa8735e0ea
roles/nginx: Use explicity booleans for tests instead of "yes" and "no"
Better to be explict with booleans rather than being confused when
you mix up yes and "yes" with Ansible/Python testing of conditionals.
2016-08-17 12:55:14 +03:00