56df8b38ca
roles/common: Use new cron-apt tasks
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 00:02:40 +03:00
96fe209843
roles/common: Fix mode on Debian 8 sshd_config
...
Accidentally added it with 777.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 00:02:39 +03:00
7519995153
roles/common: Add Debian 8 sshd_config
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 00:02:39 +03:00
dc24285ec6
roles/common: Use apt_mirror variable in Debian sources
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 00:02:39 +03:00
28f61d589e
roles/common: Add Debian support to sources.list template
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 00:02:39 +03:00
e15d1be867
roles/common: Add playbook for Debian packages
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 00:02:39 +03:00
1fc2453703
roles/common: Add firewalld support
...
Needed in Ubuntu 15.04 where iptables-persistent is going away. I
have added translations of the current IPv4 and IPv6 iptables rules.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 00:02:39 +03:00
16a0bb9086
roles/nginx: Use utopic (14.10) nginx builds on 15.04
...
Upstream hasn't made 15.04 builds yet...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 00:02:38 +03:00
9aaad366f5
roles/common: Only add extras repo on Ubuntu 14.04
...
The Extras repo was discontinued after 14.10 (but the latest we
deploy is 14.04).
See: https://lists.ubuntu.com/archives/technical-board/2015-January/002063.html
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 00:02:38 +03:00
e84f777a6b
roles/common: Bring Ubuntu 15.04 sshd_config up to date with standards
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 00:02:38 +03:00
b2dbd138f7
roles/common: Add Ubuntu 15.04 sshd_config
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 00:02:38 +03:00
68493beba3
roles/common: Reload sshd instead of restarting
...
No need to restart for a config change.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 00:01:17 +03:00
8e0a292b1d
roles/common: Move sshd tasks to their own playbook
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 00:00:43 +03:00
7f929d5b80
roles/common: Remove unused cron-apt files
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-22 23:42:03 +03:00
fc586a2297
roles/common: Adjust cron-apt stuff
...
- Don't run the static files as templates
- Use a separate playbook for related tasks
- Use a template for security.sources.list
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-22 23:39:22 +03:00
ce1d64ce66
roles/php5-fpm: Hide HTTP X-Powered-By PHP header
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-09 20:10:11 +03:00
78cb49c88b
roles/nginx: Add missing nginx tag to blank vhost task
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-06-06 00:07:50 +03:00
151fb29687
roles/nginx: Add blank vhost
...
For security and predictability clients should only get a reponse
if they request a hostname we are actually hosting.
If TLS is in use then this will use a self-signed snakeoil cert for
an HTTPS-enabled blank, default vhost.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-06-06 00:07:50 +03:00
8b77fd7f94
roles/nginx: Templatize SSL parameters using role defaults
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-06-06 00:07:50 +03:00
ae10677b65
roles/common: Specify default apt_mirror for fallback in sources.list template
...
New hosts often fail due to not having an apt_mirror, because there
isn't one defined for their group and their host_vars haven't over-
ridden it.
We want new hosts to deploy successfully, so let's just use a default
apt_mirror if there isn't one defined. Rather have a slow mirror than
a failed deployment. And in any case, Linode can download from KENET's
mirror at 10MB/sec. ;)
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-06-04 21:57:11 +03:00
fe765f5d3a
roles/nginx: Fix TLS cert loop to use the current item
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-06-01 14:46:06 +03:00
4b74964963
roles/nginx: Do a shallow clone of WordPress git
...
I realized there was no need to do a full clone when I was working
in a Vagrant environment in a coffee shop with slow Internet. ;)
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-06-01 14:32:05 +03:00
def8d83d49
roles/munin: Use apt module explicitly
...
Instead of using dynamic hack to use the package manager for the
current host. We only have Ubuntu here anyways.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-26 00:02:43 +03:00
a8f4500567
Add IPv6 support to firewall tasks / template
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-25 18:17:23 +03:00
a17cb2a0a0
roles/nginx: Add initial IPv6 support to vhost template
...
Still need to add ip6tables rules
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-25 11:53:57 +03:00
3746e798b6
roles/nginx: Use template for nginx repo
...
A template is better than ansible's `apt_repository` module because
we can idempotently control the contents of the file based on vari-
ables.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-25 00:15:49 +03:00
aa5a9f5dd8
roles/common: Add vim modeline
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-24 23:55:04 +03:00
7212b87f09
roles/nginx: Adjust HSTS headers for https block of vhost template
...
I was only setting it on the PHP block, which is for all dynamic
requests (ie pages from WordPress), but it should also be the same
for all static files not served from that block.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-20 15:56:19 +03:00
caec2440bb
roles/nginx: Fix HSTS header in vhost config
...
We always want to add the header, not add a header with value
"always"!
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-20 15:54:10 +03:00
f9ea01ba8f
roles/nginx: Use stronger HSTS header
...
Include subdomains in the HTTP Strict Transport Security header,
and include the "preload" verb to inform Google we want to be pre-
loaded into the HSTS preload.
See: https://hstspreload.appspot.com/
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-13 18:35:26 +03:00
3a4e7455c7
roles/php5-fpm: Tweak opcache settings
...
Reduce memory allocation from 128 -> 72M because after a few days
of running it's only using 64 or so, so it's really just a waste of
memory.
Also, disable opcache for CLI. What the hell do you need opcaching
in the CLI invocation for? It only persists for one process!
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-09 12:34:45 +03:00
2d6ce778df
roles/php5-fpm: Add templated php.ini
...
Adds a default php.ini for php5-fpm from Ubuntu 14.04 which enables
sane settings for PHP 5.5's opcache as well as disables pathinfo.
Closes #9 .
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-05 11:27:13 +03:00
e675b750c4
roles/nginx: Switch to nginx stable branch
...
Remove old mainline repo and add stable repo to get nginx 1.8.0.
See: http://nginx.org/en/CHANGES-1.8
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-04-23 14:52:22 +03:00
4602f03bed
roles/nginx: Fix comment in main task
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-25 12:59:10 +03:00
bb55506464
roles/nginx: Use Linode DNS servers for OCSP resolvers
...
I didn't realize Linode had DNS resolvers, but they are much closer
than anything else (obviously).
Here is OpenDNS:
# mtr --report 208.67.222.222
Start: Sun Mar 22 15:31:50 2015
HOST: mjanja Loss% Snt Last Avg Best Wrst StDev
1.|-- router1-lon.linode.com 0.0% 10 0.5 0.9 0.5 3.4 0.7
2.|-- 212.111.33.233 0.0% 10 1.4 1.4 1.2 1.9 0.0
3.|-- 217.20.44.194 0.0% 10 0.7 0.8 0.7 1.2 0.0
4.|-- lonap.rtr1.lon.opendns.co 0.0% 10 1.2 1.1 0.9 1.4 0.0
5.|-- resolver1.opendns.com 0.0% 10 1.0 0.9 0.8 1.0 0.0
And here is Linode's:
# mtr --report 109.74.192.20
Start: Sun Mar 22 15:32:30 2015
HOST: mjanja Loss% Snt Last Avg Best Wrst StDev
1.|-- router2-lon.linode.com 0.0% 10 0.5 0.6 0.5 0.8 0.0
2.|-- resolver1.london.linode.c 0.0% 10 0.4 0.4 0.3 0.8 0.0
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-22 19:06:33 +03:00
ae8937eb96
roles/nginx: Just enable OCSP
...
I was attempting to make the config easier to use in test environments
where the key is self-signed, but meh, I rarely do that and I think
this logic doesn't actually work.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-22 19:05:50 +03:00
9ce7ac72f9
roles/nginx: Add extra-security headers to PHP block
...
nginx inherits headers from higher-level blocks UNLESS we also set
headers in the current block. In this case the FastCGI cache header
was being set, so we weren't getting the extra-security ones.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-19 09:32:06 +03:00
934db06887
roles/nginx: Add HTTP Strict Transport Security headers to PHP block
...
nginx blocks inherit headers set in blocks above them UNLESS the
current level also sets headers[0]. This was causing PHP requests
to not have STS headers because of the FastCGI cache header which
is set in that block.
[0] http://nginx.org/en/docs/http/ngx_http_headers_module.html
Fixes GitHub #7 .
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-19 09:30:26 +03:00
04e453df51
Revert "roles/nginx: Correct HSTS header in https template"
...
This reverts commit 5c7404d228
.
'always' is legal in nginx >= 1.7.5:
If the always parameter is specified (1.7.5), the header field will be added regardless of the response code.
See: http://nginx.org/en/docs/http/ngx_http_headers_module.html
2015-03-18 18:33:19 +03:00
5c7404d228
roles/nginx: Correct HSTS header in https template
...
Apparently the "always" syntax isn't used anymore (ever?), not sure
where I got it from but this definitely causes HSTS to not work.
See: https://mozilla.github.io/server-side-tls/ssl-config-generator/
See: https://raymii.org/s/tutorials/HTTP_Strict_Transport_Security_for_Apache_NGINX_and_Lighttpd.html
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-18 10:20:55 +03:00
6422cb7507
roles/nginx: Switch nginx OCSP resolver to OpenDNS
...
We don't need to give Google EVERYTHING.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-18 09:06:22 +03:00
a3d29a559b
roles/munin: Remove unused config file
...
We are using a Jinja template instead.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-18 09:00:06 +03:00
3a5b50f941
roles/common: Set I/O scheduler via udev
...
All servers with non-rotating disks (SSDs) should be running noop,
and the rest should be running deadline.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-15 17:52:05 +03:00
9fda345a24
roles/common: Fix one logic mistake in rc.local task
...
I think it was originally supposed to be `ansible_os_family` but
we don't have anything other than Ubuntu, so let's just use that.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-15 17:43:21 +03:00
2367b843d9
roles/common: Remove I/O scheduler logic from rc.local
...
It's better to set this using udev rules anyways
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-15 17:40:54 +03:00
4a1158e163
roles/common: Remove CentOS rclocal task
...
No CentOS hosts here!
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-15 17:40:07 +03:00
891bd35171
roles/common: Move tags from subtask to main one
...
Child tasks inherit the tag of the parent.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-15 17:34:13 +03:00
4efb6edb7e
roles/common: Indent some yaml stuff in main.yml
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-15 17:31:29 +03:00
b70ae58f48
roles/common: Simplify when
logic in main template
...
Less syntax is more readable syntax.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-15 17:29:41 +03:00
58222706ba
roles/common: Remove logic for TCP congestion avoidance on early kernels in sysctl
...
We don't have anything near 2.6.32 anymore.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-15 17:25:33 +03:00
60ba4dacbd
roles/common: Add TCP/IP tweaks to sysctl template
...
Disable TCP slow start and increase the number of ports available
for client connections.
See: http://vincent.bernat.im/en/blog/2014-tcp-time-wait-state-linux.html
See: http://www.chromium.org/spdy/spdy-best-practices
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-15 17:23:10 +03:00
942f45834f
roles/nginx: Use a more descriptive variable name for bypassing the proxy_cache
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-11 13:51:48 +03:00
3dcc5e1411
roles/nginx: Move some common fastcgi settings out of vhost template
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-10 11:59:43 +03:00
2b02d94254
roles/nginx: Don't cache 404 errors in munin config
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-09 13:32:09 +03:00
41f055306f
roles/nginx: Re-order $request_method in fastcgi_cache_key
...
Everyone else on the Internet has it this way, so why not.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-09 13:18:02 +03:00
53d2c85bf0
roles/nginx: Adjust fastcgi_cache_valid
...
Only cache 200, 301, and 302 requests!
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-09 10:23:48 +03:00
066bf6fa85
roles/nginx: Set gzip_comp_level to 6
...
Seems to be the sweet spot, as gzip itself defaults to this.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-09 10:21:34 +03:00
bb92bd080d
roles/nginx: Add $request_method to nginx fastcgi_cache_key
...
nginx is caching HEAD requests, then when users come along and do
a GET request they get an HTTP 200 with no request body. It seems
setting fastcgi_request_methods to GET doesn't stop nginx from caching
HEADs, so for now just add the $request_method to the key.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-09 10:19:34 +03:00
1174db87bc
roles/nginx: Add task to clone WordPress git
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-02-26 17:39:17 +03:00
d08a37526f
roles/nginx: Don't send OCSP responses for hosts using self-signed certs
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-02-26 17:38:30 +03:00
cd65475d0d
roles/nginx: Add protection for PHP scripts in uploads directory
...
By the way, :? starts a non-capturing group (ie, don't save the
back references).
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-02-26 17:05:50 +03:00
19f5b60cb7
Remove references to provisioning.yml
...
We aren't managing the provisioning user anymore, it is just assumed
to be there.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-02-26 16:53:48 +03:00
29f7a76545
roles/nginx: Update location regex for PHP scripts
...
Just use the same one as the Nginx wiki and some other resources.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-02-26 16:40:38 +03:00
55fddf03b3
Remove provisioning user management
...
It's just too tricky to manage this. Ubuntu / RedHat preseeds and
kickstarts can create the user and add it to groups, but only when
we control the initial boot environment (ie not on Linode, Digital
Ocean, etc), so let's just say we assume this user exists and can
get root with sudo by the some we are running ansible on it.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-02-20 15:06:45 +03:00
6b528ecc92
roles/php5-fpm: Fix creation of pool configs for both tls and non-tls vhosts
...
Ansible's union thing only works on sets and lists, here we have a
dict.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-02-19 19:41:48 +03:00
b93da27fde
roles/nginx: Create fastcgi cache dir
...
Or else nginx doesn't start.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-02-19 18:49:39 +03:00
0b90bad6a9
roles/nginx: Add fastcgi caching
...
Bypasses caching for logged in users (right now only for sessions
where the "wordpress_logged_in" cookie is set. Doubles the trans-
actions per second as measured by siege:
$ siege -d1 -t1M -c50 https://mjanja.ch
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-02-10 23:04:28 +03:00
4ea152bf51
roles/nginx: Add HTTP headers for web application security
...
See: https://github.com/h5bp/server-configs-nginx/blob/master/h5bp/directive-only/extra-security.conf
See: https://www.owasp.org/index.php/List_of_useful_HTTP_headers
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-01-24 13:05:42 +03:00
0dc4d3f147
roles/nginx: Add a second OCSP stapling responder
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-01-24 12:44:27 +03:00
7457ac3b93
roles/nginx: Always set HSTS header
...
nginx 1.7.5 allows us to always set HTTP headers:
See: http://mailman.nginx.org/pipermail/nginx-announce/2014/000145.html
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-01-24 12:40:48 +03:00
c3bc6d949d
roles/nginx: Add nginx rewrites for Yoast WordPress SEO plugin
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-01-23 12:26:24 +03:00
171798c76d
roles/common: Add DSA/ECDSA cleanup to ssh tasks
...
We don't want to support these signature algorithms!
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-01-20 16:31:37 +03:00
0d2763fb59
roles/common: Remove ECDSA SSH public key for aorth@noma
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-01-12 18:19:49 +03:00
d7dd81bc84
roles/common: Add ED25519 SSH public key for aorth@noma
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-01-12 18:19:21 +03:00
13b592dfcd
roles/common: Tune sshd_config to be more strict
...
Disable ECDSA as a signature algorithm and drop some older message
authentication algorithms.
See: https://stribika.github.io/2015/01/04/secure-secure-shell.html
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-01-07 01:47:06 +03:00
a80cb49957
roles/common: Update sshd_config template to explicitly allow the provisioning user
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-01-06 17:45:06 +03:00
3b6c9745ab
roles/common: Add provisioning user to sudoers
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-01-05 08:24:13 +03:00
0f5b088c08
roles/common: Add createhome:yes to provisioning user task
...
Need to make sure the user gets created on a fresh install, like on
Amazon EC2 or OpenStack images where the first user is `ubuntu' and
you can't assume `provisioning' is already created.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-01-04 02:24:53 +03:00
6ccfdb99fa
roles/nginx: Enable OCSP stapling
...
Reduces round trip time for clients. Note: I am using a certificate
chain in the `ssl_certificate' directive, so as I understand it, I
don't need to use an explicit trusted intermediate + root CA cert
with the `ssl_trusted_certificate' option. See the nginx docs for
more[0]. Addresses GitHub Issue #5 .
Seems to be working, test with:
$ openssl s_client -connect mjanja.ch:443 -servername mjanja.ch -tls1 -tlsextdebug -status
Look for "OCSP Response" with "Cert Status: good".
[0] http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-12-06 23:28:05 +03:00
f23f0713d2
roles/nginx: Enable SPDY header compression
...
Recommended by Ilya Grigorik to be set to 6.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-12-06 22:40:39 +03:00
15603ba9e8
roles/nginx: Disable SSL session tickets
...
Session tickets increase performance, but decrease security, so
let's just turn them off. See the following posts:
- https://timtaubert.de/blog/2014/11/the-sad-state-of-server-side-tls-session-resumption-implementations/
- https://www.imperialviolet.org/2013/06/27/botchingpfs.html
- https://github.com/igrigorik/istlsfastyet.com/blob/master/nginx/includes/ssl.conf
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-12-06 22:37:00 +03:00
23d76a535f
roles/nginx: Set nginx SSL session timeout to 24 hours
...
Default is 5 minutes, but it seems like unless you're a high-traff-
ic site, there's no need to expire sessions so quickly. Also, the
istlsfastyet.com configs are using 24 hours, so surely we can.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-12-06 22:19:12 +03:00
d8cd31049b
roles/nginx: Format and add comments to nginx https config
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-12-06 22:17:52 +03:00
be6c76a2af
roles/nginx: Set nginx SSL buffer size to 1400
...
istlsfastyet.com recommends setting the buffer size to 1400 so it
can fit into a single MTU. nginx default is 16k!
http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-12-06 22:16:07 +03:00
d04293a664
roles/nginx: Set nginx state to 'latest' in apt
...
This way we can upgrade nginx simply by running the nginx tags.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-12-02 18:48:11 +03:00
956fbefc1a
roles/nginx: Switch to nginx mainline (1.7)
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-11-07 01:02:44 +03:00
3f5634110a
roles/nginx: Add comment about try_files for serving static files from disk
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-11-07 00:41:07 +03:00
c870044584
roles/nginx: Adjust Cache-Control headers
...
Use "public" with "max-age" instead of Expires, as "max-age" is always
preferred if it's present. Note: setting "public" doesn't make the
resource "more cacheable", but it is just more explicit.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-11-07 00:29:53 +03:00
08a920d0cb
Revert "roles/nginx: Ingenius use of YAML hashes to derive TLS key from another file"
...
This reverts commit 59b9bd70b8
.
Might not be so ingenious. Can't get this to work anymore...
2014-10-27 21:16:43 +03:00
c3f5e27642
roles/common: Add ECDSA public key for noma
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-12 13:25:48 +03:00
a265e48a9f
roles/common: Remove RSA public key
...
Both client and server support ed25519, so there's no need to even
have the RSA key here.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-12 13:23:01 +03:00
59b9bd70b8
roles/nginx: Ingenius use of YAML hashes to derive TLS key from another file
...
This is kinda crazy, but makes the host_vars much easier to read.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-11 15:42:44 +03:00
5e0da37542
roles/common: Remove task which removes irqbalance
...
Prevailing wisdom is actually that this *can* help virtual hosts,
especially when the VM guest has multiple CPUs.
See: http://wiki.xen.org/wiki/Network_Throughput_and_Performance_Guide
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-11 13:31:23 +03:00
1ee7b385bf
roles/common: Rename SSH keys
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-11 13:19:32 +03:00
1e2193efc9
roles/common: Add functionality to copy user keys to provisioning user
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-11 12:13:45 +03:00
c53dd18181
roles/common: Add role to manage provisioning user
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-11 12:11:44 +03:00
42b893b2a7
roles/nginx: Add expires to static files
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-10 11:05:42 +03:00
81a98596e3
Downgrade TLS configuration to Mozilla's "intermediate" spec
...
From looking at the list of clients who would be allowed to connect
when using the "modern" spec, I think I'd be doing more harm than
good to use that config right now...
https://www.ssllabs.com/ssltest/analyze.html?d=alaninkenya.org
https://wiki.mozilla.org/Security/Server_Side_TLS
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-09 21:09:18 +03:00
d06ddf8a81
roles/nginx: Update TLS vhost task for Ansible > 1.7.1
...
Seems there is some YAML sublety that causes this syntax to insert
double spaces on the destination file... using native YAML hashes
are a workaround, see GitHub issues:
https://github.com/ansible/ansible/issues/9067
https://github.com/ansible/ansible/issues/9172
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-09 20:57:24 +03:00
ad8a704470
Update TLS configuration to Mozilla's "modern" spec
...
Details, see:
- https://jve.linuxwall.info/blog/index.php?post/2014/10/09/Automated-configuration-analysis-for-Mozilla-s-TLS-guidelines
- https://wiki.mozilla.org/Security/Server_Side_TLS
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-09 20:56:08 +03:00