ansible-personal

Author	SHA1	Message	Date
Alan Orth	d8b6222527	host_vars/web05: Re-organize variables for wordpress_version logic Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-02-19 18:42:47 +03:00
Alan Orth	0b90bad6a9	roles/nginx: Add fastcgi caching Bypasses caching for logged in users (right now only for sessions where the "wordpress_logged_in" cookie is set. Doubles the trans- actions per second as measured by siege: $ siege -d1 -t1M -c50 https://mjanja.ch Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-02-10 23:04:28 +03:00
Alan Orth	4ea152bf51	roles/nginx: Add HTTP headers for web application security See: https://github.com/h5bp/server-configs-nginx/blob/master/h5bp/directive-only/extra-security.conf See: https://www.owasp.org/index.php/List_of_useful_HTTP_headers Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-24 13:05:42 +03:00
Alan Orth	0dc4d3f147	roles/nginx: Add a second OCSP stapling responder Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-24 12:44:27 +03:00
Alan Orth	7457ac3b93	roles/nginx: Always set HSTS header nginx 1.7.5 allows us to always set HTTP headers: See: http://mailman.nginx.org/pipermail/nginx-announce/2014/000145.html Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-24 12:40:48 +03:00
Alan Orth	c3bc6d949d	roles/nginx: Add nginx rewrites for Yoast WordPress SEO plugin Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-23 12:26:24 +03:00
Alan Orth	171798c76d	roles/common: Add DSA/ECDSA cleanup to ssh tasks We don't want to support these signature algorithms! Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-20 16:31:37 +03:00
Alan Orth	0d2763fb59	roles/common: Remove ECDSA SSH public key for aorth@noma Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-12 18:19:49 +03:00
Alan Orth	d7dd81bc84	roles/common: Add ED25519 SSH public key for aorth@noma Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-12 18:19:21 +03:00
Alan Orth	13b592dfcd	roles/common: Tune sshd_config to be more strict Disable ECDSA as a signature algorithm and drop some older message authentication algorithms. See: https://stribika.github.io/2015/01/04/secure-secure-shell.html Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-07 01:47:06 +03:00
Alan Orth	a80cb49957	roles/common: Update sshd_config template to explicitly allow the provisioning user Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-06 17:45:06 +03:00
Alan Orth	3b6c9745ab	roles/common: Add provisioning user to sudoers Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-05 08:24:13 +03:00
Alan Orth	36a3bbf36d	vars/Ubuntu.yml: Remove apt_mirror It's better to just use Ubuntu's defaults, and then override on a per-host basis. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-04 02:54:22 +03:00
Alan Orth	0f5b088c08	roles/common: Add createhome:yes to provisioning user task Need to make sure the user gets created on a fresh install, like on Amazon EC2 or OpenStack images where the first user is `ubuntu' and you can't assume `provisioning' is already created. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-04 02:24:53 +03:00
Alan Orth	f219cf23fe	Move Debian.yml vars to Ubuntu.yml I was using ansible_os_family to get settings for Debian-family hosts, but this doesn't work so well when you have an apt_mirror which is only Debian or Ubuntu, for example. I don't have any Debian hosts here, but anyways, it's better this way so I can be more flexible in the future. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-04 01:51:37 +03:00
Alan Orth	55b1362f54	host_vars/web05: Bump WordPress version to 4.1 Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-04 00:43:53 +03:00
Alan Orth	6ccfdb99fa	roles/nginx: Enable OCSP stapling Reduces round trip time for clients. Note: I am using a certificate chain in the `ssl_certificate' directive, so as I understand it, I don't need to use an explicit trusted intermediate + root CA cert with the `ssl_trusted_certificate' option. See the nginx docs for more[0]. Addresses GitHub Issue #5. Seems to be working, test with: $ openssl s_client -connect mjanja.ch:443 -servername mjanja.ch -tls1 -tlsextdebug -status Look for "OCSP Response" with "Cert Status: good". [0] http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-12-06 23:28:05 +03:00
Alan Orth	f23f0713d2	roles/nginx: Enable SPDY header compression Recommended by Ilya Grigorik to be set to 6. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-12-06 22:40:39 +03:00
Alan Orth	15603ba9e8	roles/nginx: Disable SSL session tickets Session tickets increase performance, but decrease security, so let's just turn them off. See the following posts: - https://timtaubert.de/blog/2014/11/the-sad-state-of-server-side-tls-session-resumption-implementations/ - https://www.imperialviolet.org/2013/06/27/botchingpfs.html - https://github.com/igrigorik/istlsfastyet.com/blob/master/nginx/includes/ssl.conf Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-12-06 22:37:00 +03:00
Alan Orth	23d76a535f	roles/nginx: Set nginx SSL session timeout to 24 hours Default is 5 minutes, but it seems like unless you're a high-traff- ic site, there's no need to expire sessions so quickly. Also, the istlsfastyet.com configs are using 24 hours, so surely we can. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-12-06 22:19:12 +03:00
Alan Orth	d8cd31049b	roles/nginx: Format and add comments to nginx https config Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-12-06 22:17:52 +03:00
Alan Orth	be6c76a2af	roles/nginx: Set nginx SSL buffer size to 1400 istlsfastyet.com recommends setting the buffer size to 1400 so it can fit into a single MTU. nginx default is 16k! http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-12-06 22:16:07 +03:00
Alan Orth	d04293a664	roles/nginx: Set nginx state to 'latest' in apt This way we can upgrade nginx simply by running the nginx tags. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-12-02 18:48:11 +03:00
Alan Orth	1073b8e1b6	host_vars/web05: Add mosh ports to iptables Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-11-21 00:29:08 +01:00
Alan Orth	956fbefc1a	roles/nginx: Switch to nginx mainline (1.7) Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-11-07 01:02:44 +03:00
Alan Orth	3f5634110a	roles/nginx: Add comment about try_files for serving static files from disk Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-11-07 00:41:07 +03:00
Alan Orth	c870044584	roles/nginx: Adjust Cache-Control headers Use "public" with "max-age" instead of Expires, as "max-age" is always preferred if it's present. Note: setting "public" doesn't make the resource "more cacheable", but it is just more explicit. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-11-07 00:29:53 +03:00
Alan Orth	b71269e6cb	host_vars/web05: Add TLS keys back The other method wasn't as clever as I had thought, as I couldn't get it to work again! Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-27 21:19:53 +03:00
Alan Orth	08a920d0cb	Revert "roles/nginx: Ingenius use of YAML hashes to derive TLS key from another file" This reverts commit `59b9bd70b8`. Might not be so ingenious. Can't get this to work anymore...	2014-10-27 21:16:43 +03:00
Alan Orth	54993d6d6b	Update tls cipher suite with latest string from Mozilla TLS guide https://wiki.mozilla.org/Security/Server_Side_TLS states" Version 3.3: ulfr: fix SHA256 prio, add POODLE details, update various templates Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-25 12:36:19 +03:00
Alan Orth	c3f5e27642	roles/common: Add ECDSA public key for noma Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-12 13:25:48 +03:00
Alan Orth	a265e48a9f	roles/common: Remove RSA public key Both client and server support ed25519, so there's no need to even have the RSA key here. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-12 13:23:01 +03:00
Alan Orth	b89e51d270	host_vars/web05: Remove TLS keys from host_vars Now they live in one file, vars/tls_keys.yml. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-11 15:43:17 +03:00
Alan Orth	59b9bd70b8	roles/nginx: Ingenius use of YAML hashes to derive TLS key from another file This is kinda crazy, but makes the host_vars much easier to read. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-11 15:42:44 +03:00
Alan Orth	7ad41df199	Add host_var file for web05 Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-11 15:03:56 +03:00
Alan Orth	e24a987d3b	vars/Debian.yml: Update apt mirror to Linode one Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-11 14:20:37 +03:00
Alan Orth	5e0da37542	roles/common: Remove task which removes irqbalance Prevailing wisdom is actually that this can help virtual hosts, especially when the VM guest has multiple CPUs. See: http://wiki.xen.org/wiki/Network_Throughput_and_Performance_Guide Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-11 13:31:23 +03:00
Alan Orth	1ee7b385bf	roles/common: Rename SSH keys Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-11 13:19:32 +03:00
Alan Orth	1e2193efc9	roles/common: Add functionality to copy user keys to provisioning user Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-11 12:13:45 +03:00
Alan Orth	614f90a058	web.yml: Modify to incorporate provisioning user stuff Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-11 12:12:32 +03:00
Alan Orth	c53dd18181	roles/common: Add role to manage provisioning user Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-11 12:11:44 +03:00
Alan Orth	42b893b2a7	roles/nginx: Add expires to static files Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-10 11:05:42 +03:00
Alan Orth	81a98596e3	Downgrade TLS configuration to Mozilla's "intermediate" spec From looking at the list of clients who would be allowed to connect when using the "modern" spec, I think I'd be doing more harm than good to use that config right now... https://www.ssllabs.com/ssltest/analyze.html?d=alaninkenya.org https://wiki.mozilla.org/Security/Server_Side_TLS Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-09 21:09:18 +03:00
Alan Orth	d06ddf8a81	roles/nginx: Update TLS vhost task for Ansible > 1.7.1 Seems there is some YAML sublety that causes this syntax to insert double spaces on the destination file... using native YAML hashes are a workaround, see GitHub issues: https://github.com/ansible/ansible/issues/9067 https://github.com/ansible/ansible/issues/9172 Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-09 20:57:24 +03:00
Alan Orth	ad8a704470	Update TLS configuration to Mozilla's "modern" spec Details, see: - https://jve.linuxwall.info/blog/index.php?post/2014/10/09/Automated-configuration-analysis-for-Mozilla-s-TLS-guidelines - https://wiki.mozilla.org/Security/Server_Side_TLS Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-09 20:56:08 +03:00
Alan Orth	ad90f7f0fb	roles/nginx: Use HSTS for https vhosts Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-06 10:46:04 +03:00
Alan Orth	06543b10d5	host_vars/web04: Re-generate alaninkenya TLS chain Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-05 15:58:05 +03:00
Alan Orth	fd9c6f31cb	roles/nginx: Add index to munin vhost Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-05 15:47:14 +03:00
Alan Orth	7956a1c6f6	web.yml: Use ubuntu user for now This is the default with OpenStack hosts like Kili.io... Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-05 15:39:12 +03:00
Alan Orth	da2c8fc043	vars/Debian.yml: Switch to KENET Ubuntu mirror Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-05 15:25:45 +03:00

... 13 14 15 16 17

847 Commits