ansible-personal

Author	SHA1	Message	Date
Alan Orth	33f22b32a4	roles/common: Update sources for cron-apt The system's apt configuration is using restricted and multiverse so the security sources list should as well.	2016-05-05 12:16:37 +03:00
Alan Orth	a0bb4c2f57	roles/common: Add sshd_config for Ubuntu 16.04	2016-04-22 11:25:35 +03:00
Alan Orth	5f71991259	roles/common: Use httpredir.debian.org as default Debian mirror Automatically uses the best mirror for your location, see: http://httpredir.debian.org/demo.html Should be much better than any hardcoded default for most hosts. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-11-30 09:34:16 +02:00
Alan Orth	973b37be4e	roles/common: Tweak sshd_config to match NSA Suite B recommendations NSA stopped recommending AES-128 in August, 2015... Before: https://web.archive.org/web/20150403110658/https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml After: https://web.archive.org/web/20150815072948/https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml I don't see why we shouldn't follow suit; maybe they know something we don't! Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-09-02 16:55:51 +03:00
Alan Orth	8b336352d7	roles/common: Only allow ssh access by provisioning user Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-09-02 12:24:11 +03:00
Alan Orth	c480075789	roles/common: Use "interface" instead of "alias" to get interface name in firewalld template Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-08-23 12:06:47 +03:00
Alan Orth	18ca44193d	roles/common: Add sysctl template for Debian hosts Note: I've only tested this on a Debian container, and you can't set these sysctls on containers (the host controls them). To make matters worse, there is no fact to make ansible skip this on hosts that are running in containers. For now I will just skip it on hosts that are "virtualization" servers... even though we actually do have KVM running on Debian on real hardware. sigh Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-08-23 00:12:17 +03:00
Alan Orth	96fe209843	roles/common: Fix mode on Debian 8 sshd_config Accidentally added it with 777. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-08-23 00:02:39 +03:00
Alan Orth	7519995153	roles/common: Add Debian 8 sshd_config Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-08-23 00:02:39 +03:00
Alan Orth	dc24285ec6	roles/common: Use apt_mirror variable in Debian sources Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-08-23 00:02:39 +03:00
Alan Orth	28f61d589e	roles/common: Add Debian support to sources.list template Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-08-23 00:02:39 +03:00
Alan Orth	1fc2453703	roles/common: Add firewalld support Needed in Ubuntu 15.04 where iptables-persistent is going away. I have added translations of the current IPv4 and IPv6 iptables rules. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-08-23 00:02:39 +03:00
Alan Orth	9aaad366f5	roles/common: Only add extras repo on Ubuntu 14.04 The Extras repo was discontinued after 14.10 (but the latest we deploy is 14.04). See: https://lists.ubuntu.com/archives/technical-board/2015-January/002063.html Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-08-23 00:02:38 +03:00
Alan Orth	e84f777a6b	roles/common: Bring Ubuntu 15.04 sshd_config up to date with standards Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-08-23 00:02:38 +03:00
Alan Orth	b2dbd138f7	roles/common: Add Ubuntu 15.04 sshd_config Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-08-23 00:02:38 +03:00
Alan Orth	fc586a2297	roles/common: Adjust cron-apt stuff - Don't run the static files as templates - Use a separate playbook for related tasks - Use a template for security.sources.list Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-08-22 23:39:22 +03:00
Alan Orth	ae10677b65	roles/common: Specify default apt_mirror for fallback in sources.list template New hosts often fail due to not having an apt_mirror, because there isn't one defined for their group and their host_vars haven't over- ridden it. We want new hosts to deploy successfully, so let's just use a default apt_mirror if there isn't one defined. Rather have a slow mirror than a failed deployment. And in any case, Linode can download from KENET's mirror at 10MB/sec. ;) Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-06-04 21:57:11 +03:00
Alan Orth	a8f4500567	Add IPv6 support to firewall tasks / template Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-05-25 18:17:23 +03:00
Alan Orth	3a5b50f941	roles/common: Set I/O scheduler via udev All servers with non-rotating disks (SSDs) should be running noop, and the rest should be running deadline. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-03-15 17:52:05 +03:00
Alan Orth	2367b843d9	roles/common: Remove I/O scheduler logic from rc.local It's better to set this using udev rules anyways Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-03-15 17:40:54 +03:00
Alan Orth	58222706ba	roles/common: Remove logic for TCP congestion avoidance on early kernels in sysctl We don't have anything near 2.6.32 anymore. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-03-15 17:25:33 +03:00
Alan Orth	60ba4dacbd	roles/common: Add TCP/IP tweaks to sysctl template Disable TCP slow start and increase the number of ports available for client connections. See: http://vincent.bernat.im/en/blog/2014-tcp-time-wait-state-linux.html See: http://www.chromium.org/spdy/spdy-best-practices Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-03-15 17:23:10 +03:00
Alan Orth	13b592dfcd	roles/common: Tune sshd_config to be more strict Disable ECDSA as a signature algorithm and drop some older message authentication algorithms. See: https://stribika.github.io/2015/01/04/secure-secure-shell.html Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-07 01:47:06 +03:00
Alan Orth	a80cb49957	roles/common: Update sshd_config template to explicitly allow the provisioning user Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-06 17:45:06 +03:00
Alan Orth	60b8ecdd4c	Initial commit Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-08-17 00:35:57 +03:00

25 Commits