Commit Graph

930 Commits

Author SHA1 Message Date
16b661efe1
Pipfile.lock: run pipenv update 2023-04-14 10:09:29 -07:00
fdb9a75489
roles/common: update tarsnap GPG key 2023-04-14 10:09:11 -07:00
232d7a0348
host_vars/web22: WordPress 6.1.1 2022-11-24 18:31:48 +03:00
6e4bb5bc34
host_vars/web21: use caddy 2022-11-13 18:58:57 +03:00
c840ffe018
roles/caddy: improve vhost template
Support domain aliases that redirect to the main domain and allow
sites to say they are static sites where they only need a document
root.
2022-11-13 18:54:03 +03:00
45c9d7ea0a
Pipfile.lock: run pipenv update 2022-11-13 16:50:07 +03:00
a62bc446e8
host_vars/web22: WordPress 6.1 2022-11-06 23:00:41 +03:00
62a6a491db
host_vars/web23: use caddy 2022-11-02 22:30:32 +03:00
4867d6da6a
Add basic caddy role 2022-11-02 22:29:30 +03:00
d9f7c7a93b
group_vars/web: set default webserver to nginx
While I'm still getting experience with caddy and adapting it to my
workloads.
2022-11-02 22:12:36 +03:00
bc8c030700
roles/common: update Tarsnap GPG key 2022-11-02 22:11:37 +03:00
f7598d8f1c
Pipfile.lock: run pipenv update 2022-11-02 20:50:59 +03:00
c353e84a84
site.yml: use fully-qualified modules 2022-10-25 21:08:27 +03:00
99ca23f258
Pipfile.lock: run pipenv update 2022-10-17 19:56:30 +03:00
b663d27fd8
roles/common: rework firewall_Debian.yml playbook
Use newer Ansible task format, move from apt to package module, and
do package installs in one transaction using a list instead of a
loop.
2022-09-12 17:25:40 +03:00
67c99dacf6
roles/common: rework firewall_Ubuntu.yml playbook
Use newer Ansible task format, move from apt to package module, and
do package installs in one transaction using a list instead of a loop.
2022-09-12 17:18:33 +03:00
4abf2b10e4
ansible.cfg: smart fact gathering 2022-09-12 17:18:19 +03:00
f5199264f9
ansible.cfg: disable SSH host key checking 2022-09-12 17:14:39 +03:00
b259f09cbd
roles/common: add SSH public key from other machine 2022-09-12 17:06:31 +03:00
f4b32e516b
roles/mariadb: use newer Ansible task syntax 2022-09-12 10:16:42 +03:00
fcb12ecee0
roles/mariadb: remove sources.list template 2022-09-12 10:13:27 +03:00
5bc03ceacc
roles/mariadb: install packages in single transaction
Using a list we can install these in a single apt transaction. Also
use the newer task format.
2022-09-12 10:12:07 +03:00
c317429f6d
roles/mariadb: rework package signing key and repo 2022-09-12 10:09:41 +03:00
b512a7f765
roles/common: create /etc/apt/keyrings
According the the Debian docs for third-party repositories we must
create this manually on distros before Debian 12 and Ubuntu 22.04.
This is due to changes in apt-secure and the deprecation of apt-key.

See: https://wiki.debian.org/DebianRepository/UseThirdParty
2022-09-12 10:05:12 +03:00
e3a87d4f79
roles/mariadb: MariaDB 10.6
See: https://mariadb.com/kb/en/mariadb-1069-release-notes/
See: https://mariadb.com/kb/en/upgrading-from-mariadb-105-to-mariadb-106/
2022-09-12 09:25:46 +03:00
dec2d50fbc
host_vars/web22: WordPress 6.0.2 2022-09-12 09:00:05 +03:00
34be0013b7
Remove Debian 10 support 2022-09-11 09:21:08 +03:00
399585f4e7
roles: don't compare literal true and false
I changed these yesterday when editing the truthy values, but acco-
rding to ansible-link we can just rely on them being true or false
without comparing.
2022-09-11 08:41:25 +03:00
0240897b1b
Remove Ubuntu 18.04 support 2022-09-10 23:30:04 +03:00
1da0da53ec
roles: use longer format for when conditionals
When the condition is an AND we can use this more succinct format.
2022-09-10 23:12:49 +03:00
677cc9f160
roles/php-fpm: fix truthy-ness in when 2022-09-10 23:12:26 +03:00
ffe7a872dd
roles: strict truthy values
According to Ansible we can use yes, true, True, "or any quoted st-
ring" for a boolean true, but ansible-lint wants us to use either
true or false.

See: https://chronicler.tech/red-hat-ansible-yes-no-and/
2022-09-10 22:33:19 +03:00
95d0005978
Add ansible-lint 2022-09-10 18:36:53 +03:00
498766fdc4
Pipfile.lock: run pipenv update 2022-09-10 18:36:07 +03:00
fc0fcc5742 roles/common: fix unnamed blocks 2022-09-10 18:35:27 +03:00
587bd6dcdd roles: use fully qualified module names 2022-09-10 18:35:27 +03:00
92a4c72809
Pipfile.lock: run pipenv update 2022-08-16 21:24:34 -07:00
a2d61abba2
roles/mariadb: update mirror
I started getting 'does not have a Release file' for the old repo-
sitory. Not sure why.
2022-08-14 22:09:47 -07:00
d2a5a28809
Pipfile.lock: run pipenv update 2022-08-01 15:20:56 +03:00
84c0589aee
host_vars/web22: WordPress 5.9.2 2022-03-31 22:35:15 +03:00
2961578a54
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml

Then I formatted the nftables files manually. Meh...
2022-02-28 18:51:35 +03:00
4d74f76b3c
Pipfile.lock: run pipenv update 2022-02-04 21:47:53 +03:00
9e737466c5
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml

Then I formatted the nftables files manually. Meh...
2022-02-04 21:47:37 +03:00
0ffb1b1a36
roles/common: use pyinotify backend for nginx fail2ban jail
This seems to be automatically selected, but on some other servers
I notice it is not. I will set it here explicitly so fail2ban does
not fall back to the inefficient "polling" or incorrect "systemd"
backends.
2022-01-04 15:10:02 +02:00
68f0b85eb3
Pipfile.lock: run pipenv update 2021-12-22 11:49:24 +02:00
ebbde530d2
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml

Then I created the nftables files manually. Meh...
2021-12-22 11:40:27 +02:00
ab47df6031
Use Python 3.10 with pipenv 2021-12-13 08:38:08 +02:00
de75b2ffb6
host_vars/web22: WordPress 5.8.2 2021-11-30 19:48:18 +02:00
e10d83dadd
Pipfile.lock: run pipenv update 2021-11-30 19:34:46 +02:00
f070fd9a64
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
2021-11-07 10:12:43 +02:00