ansible-personal

Author	SHA1	Message	Date
Alan Orth	41f055306f	roles/nginx: Re-order $request_method in fastcgi_cache_key Everyone else on the Internet has it this way, so why not. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-03-09 13:18:02 +03:00
Alan Orth	53d2c85bf0	roles/nginx: Adjust fastcgi_cache_valid Only cache 200, 301, and 302 requests! Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-03-09 10:23:48 +03:00
Alan Orth	066bf6fa85	roles/nginx: Set gzip_comp_level to 6 Seems to be the sweet spot, as gzip itself defaults to this. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-03-09 10:21:34 +03:00
Alan Orth	bb92bd080d	roles/nginx: Add $request_method to nginx fastcgi_cache_key nginx is caching HEAD requests, then when users come along and do a GET request they get an HTTP 200 with no request body. It seems setting fastcgi_request_methods to GET doesn't stop nginx from caching HEADs, so for now just add the $request_method to the key. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-03-09 10:19:34 +03:00
Alan Orth	1174db87bc	roles/nginx: Add task to clone WordPress git Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-02-26 17:39:17 +03:00
Alan Orth	d08a37526f	roles/nginx: Don't send OCSP responses for hosts using self-signed certs Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-02-26 17:38:30 +03:00
Alan Orth	cd65475d0d	roles/nginx: Add protection for PHP scripts in uploads directory By the way, :? starts a non-capturing group (ie, don't save the back references). Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-02-26 17:05:50 +03:00
Alan Orth	19f5b60cb7	Remove references to provisioning.yml We aren't managing the provisioning user anymore, it is just assumed to be there. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-02-26 16:53:48 +03:00
Alan Orth	29f7a76545	roles/nginx: Update location regex for PHP scripts Just use the same one as the Nginx wiki and some other resources. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-02-26 16:40:38 +03:00
Alan Orth	55fddf03b3	Remove provisioning user management It's just too tricky to manage this. Ubuntu / RedHat preseeds and kickstarts can create the user and add it to groups, but only when we control the initial boot environment (ie not on Linode, Digital Ocean, etc), so let's just say we assume this user exists and can get root with sudo by the some we are running ansible on it. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-02-20 15:06:45 +03:00
Alan Orth	6b528ecc92	roles/php5-fpm: Fix creation of pool configs for both tls and non-tls vhosts Ansible's union thing only works on sets and lists, here we have a dict. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-02-19 19:41:48 +03:00
Alan Orth	b93da27fde	roles/nginx: Create fastcgi cache dir Or else nginx doesn't start. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-02-19 18:49:39 +03:00
Alan Orth	0b90bad6a9	roles/nginx: Add fastcgi caching Bypasses caching for logged in users (right now only for sessions where the "wordpress_logged_in" cookie is set. Doubles the trans- actions per second as measured by siege: $ siege -d1 -t1M -c50 https://mjanja.ch Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-02-10 23:04:28 +03:00
Alan Orth	4ea152bf51	roles/nginx: Add HTTP headers for web application security See: https://github.com/h5bp/server-configs-nginx/blob/master/h5bp/directive-only/extra-security.conf See: https://www.owasp.org/index.php/List_of_useful_HTTP_headers Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-24 13:05:42 +03:00
Alan Orth	0dc4d3f147	roles/nginx: Add a second OCSP stapling responder Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-24 12:44:27 +03:00
Alan Orth	7457ac3b93	roles/nginx: Always set HSTS header nginx 1.7.5 allows us to always set HTTP headers: See: http://mailman.nginx.org/pipermail/nginx-announce/2014/000145.html Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-24 12:40:48 +03:00
Alan Orth	c3bc6d949d	roles/nginx: Add nginx rewrites for Yoast WordPress SEO plugin Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-23 12:26:24 +03:00
Alan Orth	171798c76d	roles/common: Add DSA/ECDSA cleanup to ssh tasks We don't want to support these signature algorithms! Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-20 16:31:37 +03:00
Alan Orth	0d2763fb59	roles/common: Remove ECDSA SSH public key for aorth@noma Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-12 18:19:49 +03:00
Alan Orth	d7dd81bc84	roles/common: Add ED25519 SSH public key for aorth@noma Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-12 18:19:21 +03:00
Alan Orth	13b592dfcd	roles/common: Tune sshd_config to be more strict Disable ECDSA as a signature algorithm and drop some older message authentication algorithms. See: https://stribika.github.io/2015/01/04/secure-secure-shell.html Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-07 01:47:06 +03:00
Alan Orth	a80cb49957	roles/common: Update sshd_config template to explicitly allow the provisioning user Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-06 17:45:06 +03:00
Alan Orth	3b6c9745ab	roles/common: Add provisioning user to sudoers Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-05 08:24:13 +03:00
Alan Orth	0f5b088c08	roles/common: Add createhome:yes to provisioning user task Need to make sure the user gets created on a fresh install, like on Amazon EC2 or OpenStack images where the first user is `ubuntu' and you can't assume `provisioning' is already created. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-04 02:24:53 +03:00
Alan Orth	6ccfdb99fa	roles/nginx: Enable OCSP stapling Reduces round trip time for clients. Note: I am using a certificate chain in the `ssl_certificate' directive, so as I understand it, I don't need to use an explicit trusted intermediate + root CA cert with the `ssl_trusted_certificate' option. See the nginx docs for more[0]. Addresses GitHub Issue #5. Seems to be working, test with: $ openssl s_client -connect mjanja.ch:443 -servername mjanja.ch -tls1 -tlsextdebug -status Look for "OCSP Response" with "Cert Status: good". [0] http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-12-06 23:28:05 +03:00
Alan Orth	f23f0713d2	roles/nginx: Enable SPDY header compression Recommended by Ilya Grigorik to be set to 6. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-12-06 22:40:39 +03:00
Alan Orth	15603ba9e8	roles/nginx: Disable SSL session tickets Session tickets increase performance, but decrease security, so let's just turn them off. See the following posts: - https://timtaubert.de/blog/2014/11/the-sad-state-of-server-side-tls-session-resumption-implementations/ - https://www.imperialviolet.org/2013/06/27/botchingpfs.html - https://github.com/igrigorik/istlsfastyet.com/blob/master/nginx/includes/ssl.conf Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-12-06 22:37:00 +03:00
Alan Orth	23d76a535f	roles/nginx: Set nginx SSL session timeout to 24 hours Default is 5 minutes, but it seems like unless you're a high-traff- ic site, there's no need to expire sessions so quickly. Also, the istlsfastyet.com configs are using 24 hours, so surely we can. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-12-06 22:19:12 +03:00
Alan Orth	d8cd31049b	roles/nginx: Format and add comments to nginx https config Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-12-06 22:17:52 +03:00
Alan Orth	be6c76a2af	roles/nginx: Set nginx SSL buffer size to 1400 istlsfastyet.com recommends setting the buffer size to 1400 so it can fit into a single MTU. nginx default is 16k! http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-12-06 22:16:07 +03:00
Alan Orth	d04293a664	roles/nginx: Set nginx state to 'latest' in apt This way we can upgrade nginx simply by running the nginx tags. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-12-02 18:48:11 +03:00
Alan Orth	956fbefc1a	roles/nginx: Switch to nginx mainline (1.7) Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-11-07 01:02:44 +03:00
Alan Orth	3f5634110a	roles/nginx: Add comment about try_files for serving static files from disk Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-11-07 00:41:07 +03:00
Alan Orth	c870044584	roles/nginx: Adjust Cache-Control headers Use "public" with "max-age" instead of Expires, as "max-age" is always preferred if it's present. Note: setting "public" doesn't make the resource "more cacheable", but it is just more explicit. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-11-07 00:29:53 +03:00
Alan Orth	08a920d0cb	Revert "roles/nginx: Ingenius use of YAML hashes to derive TLS key from another file" This reverts commit `59b9bd70b8`. Might not be so ingenious. Can't get this to work anymore...	2014-10-27 21:16:43 +03:00
Alan Orth	c3f5e27642	roles/common: Add ECDSA public key for noma Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-12 13:25:48 +03:00
Alan Orth	a265e48a9f	roles/common: Remove RSA public key Both client and server support ed25519, so there's no need to even have the RSA key here. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-12 13:23:01 +03:00
Alan Orth	59b9bd70b8	roles/nginx: Ingenius use of YAML hashes to derive TLS key from another file This is kinda crazy, but makes the host_vars much easier to read. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-11 15:42:44 +03:00
Alan Orth	5e0da37542	roles/common: Remove task which removes irqbalance Prevailing wisdom is actually that this can help virtual hosts, especially when the VM guest has multiple CPUs. See: http://wiki.xen.org/wiki/Network_Throughput_and_Performance_Guide Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-11 13:31:23 +03:00
Alan Orth	1ee7b385bf	roles/common: Rename SSH keys Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-11 13:19:32 +03:00
Alan Orth	1e2193efc9	roles/common: Add functionality to copy user keys to provisioning user Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-11 12:13:45 +03:00
Alan Orth	c53dd18181	roles/common: Add role to manage provisioning user Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-11 12:11:44 +03:00
Alan Orth	42b893b2a7	roles/nginx: Add expires to static files Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-10 11:05:42 +03:00
Alan Orth	81a98596e3	Downgrade TLS configuration to Mozilla's "intermediate" spec From looking at the list of clients who would be allowed to connect when using the "modern" spec, I think I'd be doing more harm than good to use that config right now... https://www.ssllabs.com/ssltest/analyze.html?d=alaninkenya.org https://wiki.mozilla.org/Security/Server_Side_TLS Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-09 21:09:18 +03:00
Alan Orth	d06ddf8a81	roles/nginx: Update TLS vhost task for Ansible > 1.7.1 Seems there is some YAML sublety that causes this syntax to insert double spaces on the destination file... using native YAML hashes are a workaround, see GitHub issues: https://github.com/ansible/ansible/issues/9067 https://github.com/ansible/ansible/issues/9172 Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-09 20:57:24 +03:00
Alan Orth	ad8a704470	Update TLS configuration to Mozilla's "modern" spec Details, see: - https://jve.linuxwall.info/blog/index.php?post/2014/10/09/Automated-configuration-analysis-for-Mozilla-s-TLS-guidelines - https://wiki.mozilla.org/Security/Server_Side_TLS Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-09 20:56:08 +03:00
Alan Orth	ad90f7f0fb	roles/nginx: Use HSTS for https vhosts Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-06 10:46:04 +03:00
Alan Orth	fd9c6f31cb	roles/nginx: Add index to munin vhost Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-05 15:47:14 +03:00
Alan Orth	e741a77c00	roles/common: Add unzip to Ubuntu base packages Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-05 15:21:47 +03:00
Alan Orth	6d07af97f3	roles/php5-fpm: Fix php.ini reconfiguration (pathinfo) Use replace instead of lineinfile, addresses GitHub issue #1. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-09-14 12:34:44 +03:00

1 2

70 Commits