Commit Graph

682 Commits

Author SHA1 Message Date
8851f8f631 Revert "Only update packages indexes if the cache is 1 hour old"
This reverts commit 201165cff6.

Turns out this actually breaks initial deployments, because the
cache gets updated in the first task, then you add sources for
nginx and mariadb, but it doesn't update the indexes because the
cache is < 3600 seconds old, so you end up getting the distro's
versions of nginx and mariadb.
2016-08-25 12:58:15 +03:00
da6d1e05b9
roles/common: Don't use ansible facts when we don't need to
No use testing the distro version only to use an ansible fact to
find the correct template.
2016-08-24 10:11:13 +03:00
861b5c5413
roles/common: Remove old comment from main playbook 2016-08-22 16:35:02 +03:00
6c6ff1b112
roles/common: Use ansible facts to reduce includes 2016-08-22 16:34:05 +03:00
bd318c5754
Use long GPG key id fingerprints 2016-08-22 16:30:20 +03:00
14de9caed8
roles/common: Use https for Ubuntu Extras repo signing key
Missed this in the earlier commit where I changed to https:// for
transporting apt keys.
2016-08-22 16:28:24 +03:00
c8adba0580
roles/nginx: Add nginx signing key id to apt_key task
When you give Ansible the key id it will check if the key exists
before trying to download and add it. I got the long fingerprint
from `sudo apt-key finger`.
2016-08-22 16:20:10 +03:00
c9ef9e24f5
Use https:// for fetching apt package signing keys
I don't know why I wasn't using these before.
2016-08-22 16:06:13 +03:00
96500a6e33
roles/mariadb: Use Ubuntu 16.04 (xenial) builds
When I originally deployed Ubuntu 16.04 there were no public xenial
MariaDB builds yet, so I used wily (15.10). Now there are official
xenial builds so we can use them instead.
2016-08-22 16:00:45 +03:00
201165cff6
Only update packages indexes if the cache is 1 hour old
I have added cache_valid_time=3600 for the first task in each
tag that could be possibly running apt-related commands. For ex,
the "nginx" tag is also in the "packages" tag, but sometimes you
run the nginx tag by itself (perhaps repeatadely), so you'd want
to limit the update unless the cache was 1 hour old
2016-08-22 15:33:57 +03:00
8a70b526ee
roles/common: Remove extra systemd-timesyncd task
Now it runs in the main play for all Ubuntu and Debian hosts, as
currently they all use systemd.
2016-08-22 15:29:36 +03:00
e9aa4d0fdf
Add ansible.cfg
Pipelining makes ansible run tasks much faster, and as of Ansible
2.0 or 2.1 or so, it now works on older hosts that have requiretty
in their sudo config[0]. Also, disable the creation of those stupid
retry files.

[0] https://github.com/ansible/ansible/pull/13200
2016-08-22 13:04:13 +03:00
0445c3cdee
roles/php-fpm: Set timezone in php.ini template
Since we're using a variable for the timezone for systemd-timesyncd
anyways, we can also use it for PHP's config.
2016-08-22 12:56:50 +03:00
d3a6e71ab8
roles/common: Use service module to enable systemd NTP client instead of timedatectl
The `timedatectl set-ntp on` command is actually just enabling the
systemd service anyways, so it's better we use Ansible's service
module.
2016-08-22 12:49:00 +03:00
aa8735e0ea
roles/nginx: Use explicity booleans for tests instead of "yes" and "no"
Better to be explict with booleans rather than being confused when
you mix up yes and "yes" with Ansible/Python testing of conditionals.
2016-08-17 12:55:14 +03:00
de704a917f
roles/nginx: use boolean for use_letsencrypt instead of string "yes"
This is very confusing when you forget about how Ansible/Python is
testing conditionals. Let's use actual booleans so it's more clear.
2016-08-17 12:42:48 +03:00
60c498f5ae
roles/nginx: Add sanity check to systemd service for renewing Let's Encrypt certs
Just in case, we'd better make sure that certbot is installed and
usable (+x) before we try running it.
2016-08-17 12:27:33 +03:00
2a78c5cf59
roles/nginx: Add sanity check for use_letsencrypt variable
Not all hosts will have this, so this task will flat out fail. We
better check to see if it exists before we try to use it. ;)
2016-08-17 12:27:24 +03:00
f798e47ad8
roles/nginx: Add 'force=yes' to WordPress git repo clone
I never modify file in the git repo, but the WordPress updater does
updates from the web (for example TwentySixteen theme), and this
always causes the task to fail when I switch WordPress versions.
2016-08-17 11:39:10 +03:00
8bee2d7a72
Revert "roles/nginx: Only run Let's Encrypt checks once a day"
This reverts commit a38d822fad.

The docs definitely recommend twice a day. From a note on certbot's
installation page:

> if you're setting up a cron or systemd job, we recommend running
> it twice per day (it won't do anything until your certificates
> are due for renewal or revoked, but running it regularly would
> give your site a chance of staying online in case a Let's
> Encrypt-initiated revocation happened for some reason). Please
> select a random minute within the hour for your renewal tasks.

See: https://certbot.eff.org/#ubuntuxenial-nginx
2016-08-17 11:30:10 +03:00
437dbf470e
host_vars/web08: All vhosts to WordPress 4.6 2016-08-17 00:08:03 +03:00
b7c92e4dc1
roles/common: Remove 128-bit Ciphers and MACs from sshd_config
I had removed them from Debian 8 and Ubuntu 14.04 configs last year
when the NSA's Suite B crypto guidelines dropped 128-bit algorithms
but those changes didn't make it to my new Ubuntu 16.04 config.

It is probably overkill and paranoid, but this server is mine, so I
can make those decisions (and I only connect from modern clients).
2016-08-16 14:28:58 +03:00
33cdcc9ad1
roles/common: Add a few SHA-2 MACs to sshd_config
Fixes a problem with Paramiko, which Ansible uses for transport.

See: http://www.paramiko.org/changelog.html#1.16.0
See: https://github.com/ilri/rmg-ansible-public/issues/37
2016-08-16 14:24:53 +03:00
e343ddc9a6
Add 'packages' tag to any task doing package stuff
For idempotence we need to run all apt-related tasks, like editing
source files, adding keys, installing packages, etc, when running
the 'packages' tag.
2016-08-14 16:33:48 +03:00
7589136453
host_vars/web08: Update one blog to WordPress 4.6 RC2 2016-08-11 09:06:46 +03:00
b284098485
roles/nginx: Add mitigation for HTTPoxy vulnerability
Malicious requests including the HTTP_PROXY value will be able to
manipulate some server-side libraries. Better to just block them
in nginx.

See: https://httpoxy.org/
See: https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
2016-07-21 14:45:41 +03:00
a38d822fad
roles/nginx: Only run Let's Encrypt checks once a day
I can't remember where I had seen it recommended to be twice a day,
but it seems overkill.
2016-07-08 13:50:11 +03:00
b2e2d7bb9e
roles/nginx: Better names for Let's Encrypt timer/service 2016-07-07 14:36:29 +03:00
78dbdae783
roles/nginx: Fix variable check in HTTPS template
Don't assume the variables for TLS certs exist.
2016-07-05 19:42:56 +03:00
24e54c0580
host_vars/web08: Set "use_letsencrypt" for this host 2016-06-28 10:33:57 +03:00
0cd2735c82
roles/nginx: Rework Let's Encrypt stuff
Take an opinionated stance on HTTPS and assume that hosts are using
HTTPS for all vhosts. This can either be via custom TLS cert/key
pairs defined in the host's variables (could even be self-signed
certificates on dev boxes) or via Let's Encrypt.
2016-06-27 23:52:39 +03:00
1254cea195
roles/nginx: Replace "&" with "and" 2016-06-27 19:13:20 +03:00
da784467e1
host_vars/web08: Specify use_letsencrypt: 'yes' for vhosts 2016-06-27 19:11:06 +03:00
b7ab2da08a
roles/nginx: Allow usage of Let's Encrypt certs
Hosts can specify use_letsencrypt: 'yes' in their host_vars. For
now this assumes that the certificates already exist (ie, you have
to manually run Let's Encrypt first to register/create the certs).
2016-06-27 19:07:48 +03:00
8f43bf28fd
roles/nginx: Add IPv6 DNS resolvers
From Linode's Frankfurt datacenter.
2016-06-27 18:40:25 +03:00
a0b31ee86c
roles/nginx: Prioritize DNS resolvers in Frankfurt
The server is in Linode's DE datacenter so let's use those resolvers
instead of the ones in London.
2016-06-27 18:32:59 +03:00
09feb9a40c
roles/mariadb: Add "ansible managed" header to managed files 2016-06-27 18:09:04 +03:00
283cecf2a2
host_vars/web08: Use mariadb_databases instead of wordpress_blogs to enumerate databases 2016-06-27 18:08:38 +03:00
2efe2479ad
roles/mariadb: Use mariadb_databases instead of wordpress_blogs for variable 2016-06-27 18:08:02 +03:00
386482494d
Remove web07 2016-06-27 17:58:28 +03:00
b41bd432df
roles/nginx: Add "ansible managed" string to configs
Generates a placeholder text to say that the file is managed by
ansible.
2016-06-27 17:50:49 +03:00
17062c6ea7 Merge pull request #27 from alanorth/timezone
Timezone
2016-06-27 10:31:58 +03:00
715e9ed2e5
host_vars/web08: Add timezone variable 2016-06-27 10:30:31 +03:00
06034a8b8b
roles/common: Use systemd's timedatectl for time stuff
Debian 8 and Ubuntu 16.04 use systemd, so we can make use of its
NTP stuff rather than using the standalone `ntp` package.
2016-06-27 10:30:11 +03:00
91f97577c8
Add web08 2016-06-26 13:56:56 +03:00
7d455b7066
README.md: Clarify requirements note to add Ubuntu 16.04 2016-06-25 21:45:24 +03:00
03dc8610e9
host_vars/web07: Update WordPress to 4.5.3 2016-06-22 23:35:32 +02:00
24ca33c605
roles/nginx: Disable rules for Yoast SEO
Not using Yoast anymore. Now using the much simpler SEO Framework:

https://github.com/sybrew/the-seo-framework
2016-06-02 11:03:35 +03:00
1ed7d45c7f
roles/nginx: Fix comment about version numbers 2016-05-27 08:14:46 +03:00
93451e6c5e
roles/nginx: Use mainline branch by default
Has all the good stuff:

    http://nginx.org/en/CHANGES
2016-05-27 08:14:04 +03:00