Commit Graph

220 Commits

Author SHA1 Message Date
bd0b6a16de
roles/nginx/defaults/main.yml: Update version comment
Stable is now 1.20.0
2021-05-10 16:00:44 +03:00
7ba5afcec4
roles/nginx: Opt out of Google FLoC
Google's new Federated Learning of Cohorts (FLoC) will read user's
browser history and assign them to cohorts to track them unless we
set this header.
2021-04-16 12:41:09 +03:00
96cefc7f74
roles/nginx: Parameterize HSTS header
This parameterizes the HTTP Strict Transport Security header so we
can use it consistently across all templates. Also, it updates the
max-age to be ~1 year in seconds, which is recommended by Google.

See: https://hstspreload.org/
2021-03-23 15:36:28 +02:00
f85eb2841a
roles/nginx: Add webroot to systemd renewal service 2021-03-20 00:18:17 +02:00
af49f27551
roles/nginx: Update comment in defaults 2021-03-19 23:50:39 +02:00
f341d2e5eb
roles/nginx: Remove nginx pre/post hooks
We are now using the well-known webroot.
2021-03-19 23:46:22 +02:00
ceba0ea417
roles/nginx: Use consistent task style 2021-03-19 23:45:41 +02:00
a34cb1e666
roles/nginx: Switch to acme.sh for Let's Encrypt
The certbot-auto client that I've been using for a long time is now
only supported if you install it using snap. I don't use snap on my
systems so I decided to switch to the acme.sh client, which is imp-
lemented in POSIX shell with no dependencies. One bonus of this is
that I can start using ECC certificates.

This also configures the .well-known directory so we can use webroot
when installing and renewing certificates. I have yet to understand
how the renewal works with regards to webroot, though. I may have to
update the systemd timers to point to /var/lib/letsencrypt/.well-known.
2021-03-19 23:39:30 +02:00
65fc52c5e5
roles/nginx: Use variable for nginx_ssl_dhparam
I went years without realizing that I was hard coding the file dest
in this particular task.
2021-03-19 18:13:55 +02:00
7f72a9eda4
roles/nginx: Use RFC 7919 4096-bit dhparams
Recommended by internet.nl, which made me aware of RFC 7919.

See: https://tools.ietf.org/html/rfc7919#page-14
2021-03-19 13:13:56 +02:00
73d6abd15f
roles/nginx: Allow sites to override the root 2020-12-28 22:53:32 +02:00
d4fd06862a
roles/nginx: Fix Let's Encrypt pre/post renewal hooks 2020-12-10 15:20:23 +02:00
b366b0af3d
roles/nginx: Update version comment 2020-07-14 09:48:12 +03:00
72b8b193b5
Remove support for Debian 9 and Ubuntu 16.04 2020-07-14 09:45:33 +03:00
a1f110c8bc
Add PHP 7.4 FPM support 2020-07-13 23:25:32 +03:00
9abfe80245 roles/nginx: Add pre and post hooks for Let's Encrypt on Ubuntu 20.04
Certbot will run any executables in the pre and post directories
during certificate renewal.
2020-06-08 12:15:29 +03:00
0587841476 roles/nginx: Adjust certbot tasks
It seems that it is no longer recommended/supported to install the
standalone certbot-auto client on Ubuntu 20.04. We apparently need
to use the one provided by Ubuntu, which luckily includes a service
and timer to renew the certs.
2020-06-08 12:15:29 +03:00
4b5d17ef8c
roles/nginx: Update comment about versions 2020-03-16 18:06:28 +02:00
e169a3744a
roles/nginx: Fix munin.conf for nginx_status
This config stopped working a few years ago probably when hosts started
getting IPv6 and we need to allow ::1. Make sure we're only listening
on local loopback interfaces also.
2020-03-10 12:23:12 +02:00
2dc195b33c
Use version() instad of version_compare()
This changed in Ansible 2.5 apparently.

See: https://docs.ansible.com/ansible/latest/user_guide/playbooks_tests.html
2020-03-09 15:20:51 +02:00
aa1dac8c30
roles: Fix syntax for testing booleans
ansible-lint told me not to test equality with booleans using literal
"True" and "False", but it Ansible complains if I use "is True" also.
It seems that I need to adjust the syntax slightly.
2019-11-26 11:19:22 +02:00
1c631739e7
roles: Fix issue raised by ansible-lint
[601] Don't compare to literal True/False
2019-11-21 22:55:39 +02:00
eb7998fd12
roles/nginx: Fix hardcoded "stretch" release in sources
This was causing the stretch version to get installed on buster, w-
hich led to the cipher suite and ssl protocol support to behave st-
rangeley.
2019-09-15 16:03:17 +03:00
1ec6d07232
roles/nginx: Fix php7.3-fpm socket location on Debian 10 2019-09-15 15:55:42 +03:00
b59f7c0702
roles/nginx: Update certbot dependencies for Debian 10
Taken after a clean Debian 10 install on Linode.
2019-07-23 18:38:33 +03:00
2d98d70e02
Update nginx cipher suite and TLS protocols
Use latest Mozilla "intermediate" TLS settings. This configuration
works on (at least) Ubuntu 18.04 and Debian 10.

See: https://ssl-config.mozilla.org/#server=nginx&server-version=1.17.2&config=intermediate&openssl-version=1.1.1
2019-07-23 17:53:22 +03:00
e124cac945
roles/nginx: Adjust formatting of apt sources template 2019-07-08 18:44:21 +03:00
70e736bdc5
roles/nginx: Use buster builds
nginx.org has buster builds now.
2019-07-08 18:43:43 +03:00
ca293289aa
roles/nginx: Fix logic error in apt sources template 2019-07-07 17:59:00 +03:00
5fe583541a roles/nginx: Set Let's Encrypt packages for Debian 10
Taken from the list of packages that the certbot-auto script wants
to bootstrap on a fresh Debian 10 "buster" install.
2019-07-06 21:16:19 +03:00
619f536cd8 roles/nginx: Use Debian 9 "stretch" builds on Debian 10 "buster"
There are no Debian 10 "buster" builds from nginx.org yet.
2019-07-06 21:16:19 +03:00
5957f5f2c5
roles: The apt cache_valid_time implies update_cache
See: https://docs.ansible.com/ansible/latest/modules/apt_module.html
2019-03-17 17:29:28 +02:00
c5b5cda3d3
Smarter updating of apt index during playbook execution
We can register changes when adding repositories and keys and then
update the apt package index conditionally. This should make it be
more consistent between initial host setup and subsequent re-runs.
2019-03-17 17:29:15 +02:00
bbab45ae6f
Adjust ansible_managed to use comment filter
We don't need to comment the ansible_managed block manually.
2019-01-10 12:50:54 +02:00
42fcd933a8
roles/nginx: Fix Jinja2 logic in apt sources template 2018-05-08 23:53:47 +03:00
3f0c45d504
roles/nginx: Force amd64 builds on apt sources
Avoids the following error in apt:

Skipping acquire of configured file 'nginx/binary-i386/Packages' as repository 'https://nginx.org/packages/ubuntu bionic InRelease' doesn't support architecture 'i386'
2018-05-08 23:41:25 +03:00
f5fbc4b8f1
roles/nginx: Use bionic builds on Ubuntu 18.04
NGINX finally published builds for Ubuntu 18.04 "bionic" so we don't
need to use the 17.10 "artful" ones anymore.
2018-05-08 23:39:59 +03:00
0a39051a95
roles/nginx: Allow custom resolvers for TLS stapling
Allows to specify custom DNS resolvers for TLS stapling, with a default
of Cloudflare's public DNS servers.
2018-04-30 18:04:17 +03:00
bda95b6a1c
roles/nginx: Default to Cloudflare public DNS for TLS stapling
No need to give Google even more data or free advertising by using
this as the default! In practice I always use the DNS servers from
the VPS provider anyways.
2018-04-30 17:51:59 +03:00
6208d1518c
roles/nginx: Use set_fact to set certbot dependencies
Instead of looping over a list of items to install, we can actually
just give a list directly to the apt module. This allows the module
to install all packages in one transaction, which is faster as well
as slightly safer for some dependency resolution scenarios.
2018-04-26 19:48:05 +03:00
baa5890d6d
roles/nginx: Add name to Let's Encrypt task
All tasks should have names, even if they are just including other
tasks.
2018-04-26 17:12:22 +03:00
fa5db39674
roles/nginx: Move WordPress tasks to separate file
Because of the shift from static imports to dynamic includes these
tags will never be reached unless they have their own task that is
tagged at the top-level (dynamic includes don't pass their tags to
their children).
2018-04-26 17:09:09 +03:00
7d950ade99
roles: Remove unreachable "packages" tags
After reörganizing for dynamic includes these tags will never be reached
because the children of dynamic includes do not inherit tags from their
parents as they did with static imports.
2018-04-26 16:31:06 +03:00
1738507ee9
roles/nginx: Use dynamic includes for Let's Encrypt
As of Ansible 2.4 and 2.5 the behavior for importing tasks has changed
to introduce the notion of static imports and dynamic includes. If the
tasks doing the import is using variable interpolation or conditionals
then the task should be dynamic. This results in quicker playbook runs
due to less importing of unneccessary tasks.

One side effect of this is that child tasks of dynamic includes do not
inherit their parents' tags so you must tag them explicitly or a block.

Also, I had to move the letsencrypt tasks to the main task file so the
tags were available (due to dynamic tasks not inheriting tags).
2018-04-26 11:00:47 +03:00
2da7f39bb4
roles/nginx: Use dynamic includes for tasks
As of Ansible 2.4 and 2.5 the behavior for importing tasks has changed
to introduce the notion of static imports and dynamic includes. If the
tasks doing the import is using variable interpolation or conditionals
then the task should be dynamic. This results in quicker playbook runs
due to less importing of unneccessary tasks.

One side effect of this is that child tasks of dynamic includes do not
inherit their parents' tags so you must tag them explicitly or a block.
2018-04-26 10:45:01 +03:00
c608331e3c
roles/nginx: Rename Let's Encrypt dependency lists 2018-04-26 08:26:58 +03:00
e50f413f5e
roles/nginx: Use dynamic include_tasks for Let's Encrypt
Use dynamic includes instead of static imports when you are running
tasks conditionally or using variable interpolation. The down side
is that you need to then tag the parent task as well as all child
tasks, as tags only apply to children of statically imported tasks.
2018-04-25 20:03:32 +03:00
ebda406de3
roles/nginx: Separate Debian 9 "stretch" Let's Encrypt deps
Instead of iterating over fifteen packages with a loop that does fifteen
separate apt transactions, it is better to give the apt module a list so
it can install them all in one transaction. This is both quicker and te-
chnically more safe for dependency resolution.
2018-04-25 20:02:42 +03:00
f427350feb
roles/nginx: Separate Ubuntu 16.04 "Xenial" Let's Encrypt deps
Instead of iterating over fifteen packages with a loop that does fifteen
separate apt transactions, it is better to give the apt module a list so
it can install them all in one transaction. This is both quicker and te-
chnically more safe for dependency resolution.
2018-04-25 20:01:39 +03:00
12711afac9
roles/nginx: Add dependencies for certbot on Ubuntu 18.04
Taken from running the Let's Encrypt certbot-auto client on a freshly
installed Ubuntu 18.04 system.
2018-04-25 19:40:33 +03:00