Alan Orth
2d98d70e02
Update nginx cipher suite and TLS protocols
...
Use latest Mozilla "intermediate" TLS settings. This configuration
works on (at least) Ubuntu 18.04 and Debian 10.
See: https://ssl-config.mozilla.org/#server=nginx&server-version=1.17.2&config=intermediate&openssl-version=1.1.1
2019-07-23 17:53:22 +03:00
Alan Orth
2fadb9029a
roles/mariadb: Use Unix socket for MariaDB tasks
...
Otherwise Ansible fails due to PyMySQL using a TCP connection.
See: https://github.com/ansible/ansible/issues/47736
2019-07-23 17:26:23 +03:00
Alan Orth
7d8457e5b3
roles/common: Remove old SSH public key
2019-07-23 16:07:39 +03:00
Alan Orth
c148da73e7
roles/common: Use experimental Tarsnap on Debian buster
...
Tarsnap currently provides experimental packages for Debian Buster.
See: https://www.tarsnap.com/pkg-deb.html#experimental
2019-07-19 12:07:27 +03:00
Alan Orth
e124cac945
roles/nginx: Adjust formatting of apt sources template
2019-07-08 18:44:21 +03:00
Alan Orth
70e736bdc5
roles/nginx: Use buster builds
...
nginx.org has buster builds now.
2019-07-08 18:43:43 +03:00
Alan Orth
ca293289aa
roles/nginx: Fix logic error in apt sources template
2019-07-07 17:59:00 +03:00
Alan Orth
372eb26450
host_vars/web17: WordPress 5.2.2
2019-07-07 17:58:40 +03:00
Alan Orth
c843ce1de5
README.md: Update copyright year
2019-07-07 16:07:16 +03:00
Alan Orth
03e2abc4fb
roles/common: Install gnupg2 on Debian
...
Needed by Ansible to add and verify apt package signing keys.
2019-07-07 15:52:25 +03:00
Alan Orth
12b6f3aaa2
roles/common: Don't ignore errors on Tarsnap key add
...
It turns out that I had the wrong key ID so it's no wonder this was
failing...
2019-07-07 15:51:04 +03:00
Alan Orth
704b02ce0a
roles/common: Fix tarsnap package key
...
For some reason the key ID I had here was wrong. According to the
Tarsnap website the key ID is 0x6D97F5A4CA38CF33.
ee: https://www.tarsnap.com/pkg-deb.html
2019-07-07 15:49:45 +03:00
Alan Orth
709a947987
Merge branch 'debian10'
2019-07-06 21:43:41 +03:00
Alan Orth
3b95730417
roles/common: Synchronize Debian package task with Ubuntu
2019-07-06 21:36:04 +03:00
Alan Orth
10200e52ab
roles/common: Use a fact for base packages on Debian
...
This is safer and ends up being faster because all packages get in-
stalled in one apt transaction.
2019-07-06 21:31:59 +03:00
Alan Orth
460c1df65b
roles/php-fpm: Update for PHP 7.3 in Debian 10
2019-07-06 21:16:19 +03:00
Alan Orth
5fe583541a
roles/nginx: Set Let's Encrypt packages for Debian 10
...
Taken from the list of packages that the certbot-auto script wants
to bootstrap on a fresh Debian 10 "buster" install.
2019-07-06 21:16:19 +03:00
Alan Orth
619f536cd8
roles/nginx: Use Debian 9 "stretch" builds on Debian 10 "buster"
...
There are no Debian 10 "buster" builds from nginx.org yet.
2019-07-06 21:16:19 +03:00
Alan Orth
39622077cd
roles/common: Use Debian 9 tarsnap packages
...
There are no tarsnap binaries for Debian 10 yet.
2019-07-06 21:16:19 +03:00
Alan Orth
b79001f97a
roles/common: Update security.sources.list for cron-apt
...
We need to make sure to get security updates for packages that are
not in main!
2019-07-06 21:16:19 +03:00
Alan Orth
207296b1f8
roles/common: Update Debian security apt repository
...
See: https://www.debian.org/security/
2019-07-06 21:16:19 +03:00
Alan Orth
1b4e9ae87c
roles/common: Install Python 3 version of pycurl on Debian 10
...
Debian 10 comes with Python 2 and Python 3 (at least from the ISO),
so we should prefer the Python 3 version of pycurl. We'll see whet-
her cloud providers like Linode and Digital Ocean ship with Python
3 or not in their default image.
2019-07-06 21:16:19 +03:00
Alan Orth
da4a6660fb
roles/common: Update comment in tasks/ntp.yml
2019-07-06 21:16:19 +03:00
Alan Orth
dd5662911e
roles/common: Import sshd_config from Debian 10
...
OpenSSH version is 7.9p1-10.
2019-07-06 21:16:19 +03:00
Alan Orth
d46c64ca29
Run pipenv update
2019-07-06 21:15:34 +03:00
Alan Orth
4fb2d48e10
roles/mariadb: Install MariaDB 10.4
...
MariaDB 10.4 is now GA.
See: https://mariadb.com/kb/en/library/changes-improvements-in-mariadb-104/
See: https://mariadb.com/kb/en/library/upgrading-from-mariadb-103-to-mariadb-104/
2019-07-05 20:39:17 +03:00
Alan Orth
4f1d413477
Pipfile.lock: Run pipenv update
2019-06-08 23:19:35 +03:00
Alan Orth
7b395c4039
host_vars/web17: WordPress 5.2.1
2019-06-08 23:19:23 +03:00
Alan Orth
ea936673d9
Pipfile.lock: Run pipenv update
2019-05-08 09:16:28 +03:00
Alan Orth
dc2e14a6a3
roles/mariadb: Use python3-pymysql for Ansible
...
For Python 3 Ansible needs a different library to help with MySQL
tasks.
2019-05-08 09:15:47 +03:00
Alan Orth
f129fdff8f
host_vars/web17: WordPress 5.2
2019-05-08 09:14:48 +03:00
Alan Orth
0f381d3993
host_vars/web17: Use Python 3 for Ansible
...
See: https://docs.ansible.com/ansible/latest/reference_appendices/python_3_support.html
2019-03-17 17:37:34 +02:00
Alan Orth
5957f5f2c5
roles: The apt cache_valid_time implies update_cache
...
See: https://docs.ansible.com/ansible/latest/modules/apt_module.html
2019-03-17 17:29:28 +02:00
Alan Orth
c5b5cda3d3
Smarter updating of apt index during playbook execution
...
We can register changes when adding repositories and keys and then
update the apt package index conditionally. This should make it be
more consistent between initial host setup and subsequent re-runs.
2019-03-17 17:29:15 +02:00
Alan Orth
dee90ed4bc
Run pipenv update
2019-03-17 17:12:27 +02:00
Alan Orth
bec79f18d1
roles/common: Ignore tarsnap key errors
...
Ansible errors on adding the tarsnap signing key because it is not
valid (expired a month ago). I contacted Colin Percival about this
on Twitter but he did not seem worried for some reason.
2019-03-13 12:36:47 +02:00
Alan Orth
9dc3396544
Pipfile.lock: run pipenv update
2019-03-13 12:36:30 +02:00
Alan Orth
464a24531a
host_vars/web17: WordPress 5.1.1
2019-03-13 12:36:11 +02:00
Alan Orth
3e1eddd4b8
Pipfile.lock: run pipenv update
2019-02-26 11:24:34 -08:00
Alan Orth
9bd6222654
host_vars/web17: WordPress 5.1
2019-02-26 11:00:39 -08:00
Alan Orth
18ee583261
roles/common: Don't log brute force SSH attempts
...
This is nice to see that the throttling is working, but the logs are
completely full of this useless crap now.
2019-02-26 10:30:03 -08:00
Alan Orth
329edaee87
roles/common: Rate limit SSH connections in firewalld
...
I think 5 connections per minute is more than enough. Any over this
and it will be logged to the systemd journal as a warning.
See: https://www.win.tue.nl/~vincenth/ssh_rate_limit_firewalld.htm
See: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/configuring_complex_firewall_rules_with_the_rich-language_syntax
2019-01-28 14:09:18 +02:00
Alan Orth
bc88e05aa5
Pipfile.lock: Run pipenv update
2019-01-28 14:02:12 +02:00
Alan Orth
bbab45ae6f
Adjust ansible_managed to use comment filter
...
We don't need to comment the ansible_managed block manually.
2019-01-10 12:50:54 +02:00
Alan Orth
e6d5e81d29
ansible.cfg: Adjust ansible_managed template
...
See: https://docs.ansible.com/ansible/latest/user_guide/playbooks_filters.html
2019-01-10 12:50:33 +02:00
Alan Orth
a4fe3698e8
pipenv update
2019-01-10 08:07:09 +02:00
Alan Orth
79c1f814ba
host_vars/web17: WordPress 5.0.3
2019-01-10 08:06:56 +02:00
Alan Orth
9921a40c19
roles/common: Update comment
2018-12-20 10:31:18 +02:00
Alan Orth
91356ab364
roles/common: Disable Canonical spam in MOTD
2018-12-20 10:27:52 +02:00
Alan Orth
49cfbc4c47
roles/common: Add missing systemd-journald config
...
I apparently forgot to add this when I committed the systemd-journald
changes a few weeks ago.
2018-12-20 09:59:13 +02:00