Commit Graph

271 Commits

Author SHA1 Message Date
16a9ebf97f
Adjust playbooks for Ansible 2.4 import changes
Ansible 2.4 changes the way includes work. Now you have to use "import"
for playbooks and tasks that are static, and "include" for those that
are dynamic (ie, those that use variables, loops, etc).

See: http://docs.ansible.com/ansible/devel/playbooks_reuse_includes.html
2017-09-21 21:30:47 +03:00
d518bc51a4
Use nginx user instead of www-data on Debian 9
Using www-data was a temporary measure while I was waiting for the
official nginx.org packages to be released for Debian 9 and we had
to use Debian's own nginx package.
2017-06-19 18:36:13 +03:00
b945240756
roles/common: Harden sshd_config template for Debian 9 and Ubuntu 16.04
From: https://wiki.mozilla.org/Security/Guidelines/OpenSSH
2017-06-19 10:13:24 +03:00
b2d3984c5a
roles/nginx: Fix PHP-FPM socket location on Debian 9
Debian 9 and Ubuntu 16.04 use the same PHP-FPM configuration so we
can make use of that here.
2017-06-18 11:04:30 +03:00
4f22052afe
roles/common: Remove duplicate timezone task
We set it in the separate ntp.yml playbook now, as there are a few
different systems we cater to (systemd, old ntp, etc).
2017-06-18 09:30:05 +03:00
ffac0b8afd
roles/common: Update apt cache in tarsnap step
This fails on clean installs otherwise.
2017-06-18 09:27:53 +03:00
f9a0f9e6bf
roles/php-fpm: Update php7.0-php.ini.j2
Minor comment updates from the latest version from Ubuntu 16.04.
2017-05-28 15:46:15 +03:00
f85c5f3605
roles/php-fpm: Update defaults
Latest defaults from the PHP.net opcache documentation:

    https://secure.php.net/manual/en/opcache.installation.php
2017-05-28 15:45:05 +03:00
4ff2ac1737
roles/nginx: Update comment about nginx versions
Version 1.12.x is now stable and 1.13.x is now mainline.

See: https://www.nginx.com/blog/nginx-1-12-1-13-released/
2017-04-14 16:07:33 +03:00
a7a6fa38c9
roles/nginx: Official builds for Debian Stretch
Now that there are official nginx.org builds for Debian 9 we don't
need to use Debian's own nginx packages.
2017-04-14 16:06:32 +03:00
f53f3c8e7a
roles/php-fpm: Update php7.0-php.ini template
Sync with latest packaged version from Debian 9. Effectively this
only updates comments and disabled options, but having less changes
to look at during an apt upgrade is nice and reduces the chance of
adding errors.
2017-03-06 12:53:17 +02:00
5b51fcedc2
roles/nginx: Sort packages for Let's Encrypt deps on Ubuntu 2017-02-16 18:16:09 +02:00
a6f0d5f7d3
roles/nginx: Add package deps for Let's Encrypt on Debian 9
Taken from running certbot-auto on a clean Debian 9 installation.
2017-02-16 18:15:06 +02:00
d766c3dbbe
roles/common: Add tasks to install tarsnap
Now that Tarsnap has official packages this is one less thing that
needs to be manually installed from source after bringing a machine
up.

See: http://mail.tarsnap.com/tarsnap-announce/msg00037.html
2017-02-07 07:28:35 -08:00
47407188cb
roles/mariadb: Use Debian's MariaDB packages for now
MariaDB actually already has Debian 9 (stretch) packages, but they
seem to cause issues with how I'm deploying. I'll skip them for now
I think.
2017-01-30 16:54:22 +02:00
e13ef95f70
roles/nginx: Update nginx.conf.j2
This is to accomodate Debian's 9 nginx package, as it provides a
different system user/group than nginx.org's packages.
2017-01-30 15:45:50 +02:00
6de385021d
roles/nginx: Updates to accomodate Debian 9 (stretch)
There are currently no nginx.org builds for Debian 9, so we need to
use the package from Debian's repository. This package provides a
www-data user and group instead of an nginx one.

We can revert some of this after Debian 9 is released and official
builds come from nginx.org (though it might be useful to keep the
main nginx.conf as a template).
2017-01-30 15:43:03 +02:00
8c3a8fc26a
roles/php-fpm: Updates for Debian 9 (stretch)
Debian 9 is still in beta and doesn't have nginx.org builds yet, so
we need to use the nginx package in Debian's repositories, and that
required a bit of a different configuration.

After official nginx.org builds are released we can revert this.
2017-01-30 15:11:39 +02:00
1fef5c9b5a roles/common: Add sshd_config for Debian 9 (stretch)
Taken from base install and diffed against the current Ubuntu 16.04
and Debian 8 config templates.
2017-01-30 14:56:27 +02:00
9ca685a6af
roles/common: Adjust allowed user logic for Ubuntu 16.04 sshd_config 2017-01-30 12:54:35 +02:00
0d79769a5f
roles/php-fpm: Update php.ini template
Updates from upstream config.
2017-01-19 15:25:15 +02:00
50536af990
Use Ansible's version_compare instead of doing math on strings
I'm surprised this worked all these years actually. Since Ansible
version 1.6 it has been possible to use the version_compare filter
instead of doing math logic on strings.

See: https://docs.ansible.com/ansible/playbooks_tests.html
2016-12-20 15:04:47 +02:00
d694616cf3
roles/nginx: Make sure to set HSTS headers on WordPress static files
I realized the other day that due to complex logic in the location
blocks, various WordPress static files like images and stylesheets
didn't get the HTTP Strict Transport Security header set. We need
to include it on each level where we are setting headers, because
nginx overwrites headers if you set them again in a child block.
2016-11-20 17:25:01 +02:00
30a5744812
roles/nginx: Decrease gzip_min_length from 860 to 256
There was some knowledge floating around that 860 bytes was the
optimal size, I think it was from an Akamai engineer or something,
but the HTML 5 Boilerplate server configs use 256 bytes, and I
actually have HTML content that is less than 860 bytes, so I guess
I could benefit from compressing it. gzip compression is costly
for the compression side, but very quick for the client, so this
is a good thing.

See: https://github.com/h5bp/server-configs-nginx/blob/master/nginx.conf
2016-11-14 12:46:34 +02:00
c1cecd4cbf
roles/nginx: Update comment for gzip_comp_level
From the HTML 5 Boilerplate server configs, see:

https://github.com/h5bp/server-configs-nginx/blob/master/nginx.conf
2016-11-14 12:32:39 +02:00
61919745c8
roles/nginx: Update gzip compression types
Latest from the HTML 5 Boilerplate project, see:

https://github.com/h5bp/server-configs-nginx/blob/master/nginx.conf
2016-11-14 12:28:18 +02:00
36c16e93bb
roles/nginx: Reduce gzip_comp_level from 6 to 5
After performing some tests[0] again I see that level 5 produces
the most acceptable results for my site currently. Others[1] are
using the same, so I'll gladly accept a little less CPU load for
a tradeoff of a few bits of file size.

[0] https://mjanja.ch/2015/03/finding-the-nginx-gzip_comp_level-sweet-spot/
[1] https://github.com/h5bp/server-configs-nginx/blob/master/nginx.conf
2016-11-14 12:08:21 +02:00
a94b14119e
roles/nginx: Increase error log level to warn
This will show warnings in the error log, as well as more severe
log messages.

See: http://nginx.org/en/docs/ngx_core_module.html#error_log
2016-11-14 11:58:51 +02:00
3d6844a7b7
roles/nginx: Update comments in nginx.conf
Update comments from latest copy of the HTML 5 Boilerplate's nginx
server configs repo.

See: https://github.com/h5bp/server-configs-nginx/blob/master/nginx.conf
2016-11-14 11:55:37 +02:00
3a8b64a5ab
roles/nginx: Remove 'public' from Cache-Control header
If a max-age is specified the 'public' is implicit.

See: https://developers.google.com/web/fundamentals/performance/optimizing-content-efficiency/http-caching
2016-11-14 07:58:46 +02:00
a5f8ab6182
roles/nginx: Harden security headers
Always add security headers, not just for successful HTTP response
codes. See the nginx `add_header` docs.
2016-11-13 23:45:42 +02:00
99caf49a90
roles/nginx: Minor typo in comment 2016-10-18 21:41:46 -04:00
3d6afc667d
roles/nginx/tasks/letsencrypt.yml: Add system deps for certbot
Shit ton of dependencies actually... wow.
2016-10-09 14:06:06 +03:00
651c01a29b
Set use_letsencrypt to true for nginx role
The variable name is misleading as this really does is install the
certbot client and its dependencies, and we generally want this to
always happen. If a host doesn't want it, they can override it in
their host vars.

Perhaps I should rename this variable to "bootstrap_letsencrypt" or
something so it is more accurate.
2016-10-09 11:59:21 +03:00
75ef77e3cc
roles/common: Don't set up apt sources on arm
The package archives appear to be different for some reason.
2016-09-29 16:47:44 +03:00
158df52e35
roles/nginx: Fix systemd unit for renewing Let's Encrypt certs
The `ConditionFileIsExecutable` goes in the [Unit] section! This
fixes the error:

  systemd[1]: [/etc/systemd/system/renew-letsencrypt.service:6] Unknown lvalue 'ConditionFileIsExecutable' in section 'Service'
2016-09-25 15:55:45 +03:00
422caec2a7
roles/nginx: Only add PHP configuration on vhosts that need it 2016-09-13 15:59:24 +03:00
586ad76d6b
roles/nginx: Only use index.php on hosts that need it
Otherwise, use index.html.
2016-09-13 15:58:40 +03:00
bf7accdade
roles/php-fpm: Only create pools for vhosts that need PHP
Only vhosts running WordPress, etc need PHP. Make sure to set the
appopriate variables for each vhost in the host's vars, ie:

  nginx_vhosts:
    - domain_name:   example.com
      has_wordpress: True

    - domain_name:   example.net
      needs_php:     True

You can set either of them, but not both—needing WordPress implies
needing PHP.
2016-09-13 15:58:09 +03:00
740e5195a0
roles/nginx: Add new variable "needs_php"
Used to indicate if a vhost needs PHP configuration or not, like
for a static site. Set in the hosts's nginx_vhosts block. Defaults
to "False" if unset.
2016-09-13 14:53:12 +03:00
4866083539
roles/nginx: Update comment for option variables 2016-09-13 14:51:49 +03:00
d1871d9706
roles/nginx: Check for variable existence before testing
Some vhosts might not have WordPress so we need to be better about
testing for this before checking its value.
2016-09-12 20:58:21 +03:00
e036349661
roles/nginx: Only check WordPress variables is vhost is using WordPress
This variable is used to control the FastCGI cache, and doesn't
need to be checked if the vhost isn't using WordPress.
2016-09-12 20:57:10 +03:00
5f656285c0
roles/common: Add a dedicated playbook for ntp tasks
Hosts with systemd should use its NTP client and explicitly remove
the `ntp` packages. Hosts with older init systems should use `ntp`.
2016-08-25 14:19:51 +03:00
8851f8f631 Revert "Only update packages indexes if the cache is 1 hour old"
This reverts commit 201165cff6.

Turns out this actually breaks initial deployments, because the
cache gets updated in the first task, then you add sources for
nginx and mariadb, but it doesn't update the indexes because the
cache is < 3600 seconds old, so you end up getting the distro's
versions of nginx and mariadb.
2016-08-25 12:58:15 +03:00
da6d1e05b9
roles/common: Don't use ansible facts when we don't need to
No use testing the distro version only to use an ansible fact to
find the correct template.
2016-08-24 10:11:13 +03:00
861b5c5413
roles/common: Remove old comment from main playbook 2016-08-22 16:35:02 +03:00
6c6ff1b112
roles/common: Use ansible facts to reduce includes 2016-08-22 16:34:05 +03:00
bd318c5754
Use long GPG key id fingerprints 2016-08-22 16:30:20 +03:00
14de9caed8
roles/common: Use https for Ubuntu Extras repo signing key
Missed this in the earlier commit where I changed to https:// for
transporting apt keys.
2016-08-22 16:28:24 +03:00