alanorth
/
ansible-personal
1
0
Fork 0
Code Issues 4 Pull Requests Projects Releases Wiki Activity
520 Commits 2 Branches 0 Tags 4.5 MiB
Commit Graph

520 Commits

Author SHA1 Message Date
Alan Orth 0445c3cdee
roles/php-fpm: Set timezone in php.ini template 
Since we're using a variable for the timezone for systemd-timesyncd
anyways, we can also use it for PHP's config.
 2016-08-22 12:56:50 +03:00
Alan Orth d3a6e71ab8
roles/common: Use service module to enable systemd NTP client instead of timedatectl 
The `timedatectl set-ntp on` command is actually just enabling the
systemd service anyways, so it's better we use Ansible's service
module.
 2016-08-22 12:49:00 +03:00
Alan Orth aa8735e0ea
roles/nginx: Use explicity booleans for tests instead of "yes" and "no" 
Better to be explict with booleans rather than being confused when
you mix up yes and "yes" with Ansible/Python testing of conditionals.
 2016-08-17 12:55:14 +03:00
Alan Orth de704a917f
roles/nginx: use boolean for use_letsencrypt instead of string "yes" 
This is very confusing when you forget about how Ansible/Python is
testing conditionals. Let's use actual booleans so it's more clear.
 2016-08-17 12:42:48 +03:00
Alan Orth 60c498f5ae
roles/nginx: Add sanity check to systemd service for renewing Let's Encrypt certs 
Just in case, we'd better make sure that certbot is installed and
usable (+x) before we try running it.
 2016-08-17 12:27:33 +03:00
Alan Orth 2a78c5cf59
roles/nginx: Add sanity check for use_letsencrypt variable 
Not all hosts will have this, so this task will flat out fail. We
better check to see if it exists before we try to use it. ;)
 2016-08-17 12:27:24 +03:00
Alan Orth f798e47ad8
roles/nginx: Add 'force=yes' to WordPress git repo clone 
I never modify file in the git repo, but the WordPress updater does
updates from the web (for example TwentySixteen theme), and this
always causes the task to fail when I switch WordPress versions.
 2016-08-17 11:39:10 +03:00
Alan Orth 8bee2d7a72
Revert "roles/nginx: Only run Let's Encrypt checks once a day" 
This reverts commit a38d822fad.

The docs definitely recommend twice a day. From a note on certbot's
installation page:

> if you're setting up a cron or systemd job, we recommend running
> it twice per day (it won't do anything until your certificates
> are due for renewal or revoked, but running it regularly would
> give your site a chance of staying online in case a Let's
> Encrypt-initiated revocation happened for some reason). Please
> select a random minute within the hour for your renewal tasks.

See: https://certbot.eff.org/#ubuntuxenial-nginx
 2016-08-17 11:30:10 +03:00
Alan Orth 437dbf470e
host_vars/web08: All vhosts to WordPress 4.6 2016-08-17 00:08:03 +03:00
Alan Orth b7c92e4dc1
roles/common: Remove 128-bit Ciphers and MACs from sshd_config 
I had removed them from Debian 8 and Ubuntu 14.04 configs last year
when the NSA's Suite B crypto guidelines dropped 128-bit algorithms
but those changes didn't make it to my new Ubuntu 16.04 config.

It is probably overkill and paranoid, but this server is mine, so I
can make those decisions (and I only connect from modern clients).
 2016-08-16 14:28:58 +03:00
Alan Orth 33cdcc9ad1
roles/common: Add a few SHA-2 MACs to sshd_config 
Fixes a problem with Paramiko, which Ansible uses for transport.

See: http://www.paramiko.org/changelog.html#1.16.0
See: https://github.com/ilri/rmg-ansible-public/issues/37
 2016-08-16 14:24:53 +03:00
Alan Orth e343ddc9a6
Add 'packages' tag to any task doing package stuff 
For idempotence we need to run all apt-related tasks, like editing
source files, adding keys, installing packages, etc, when running
the 'packages' tag.
 2016-08-14 16:33:48 +03:00
Alan Orth 7589136453
host_vars/web08: Update one blog to WordPress 4.6 RC2 2016-08-11 09:06:46 +03:00
Alan Orth b284098485
roles/nginx: Add mitigation for HTTPoxy vulnerability 
Malicious requests including the HTTP_PROXY value will be able to
manipulate some server-side libraries. Better to just block them
in nginx.

See: https://httpoxy.org/
See: https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
 2016-07-21 14:45:41 +03:00
Alan Orth a38d822fad
roles/nginx: Only run Let's Encrypt checks once a day 
I can't remember where I had seen it recommended to be twice a day,
but it seems overkill.
 2016-07-08 13:50:11 +03:00
Alan Orth b2e2d7bb9e
roles/nginx: Better names for Let's Encrypt timer/service 2016-07-07 14:36:29 +03:00
Alan Orth 78dbdae783
roles/nginx: Fix variable check in HTTPS template 
Don't assume the variables for TLS certs exist.
 2016-07-05 19:42:56 +03:00
Alan Orth 24e54c0580
host_vars/web08: Set "use_letsencrypt" for this host 2016-06-28 10:33:57 +03:00
Alan Orth 0cd2735c82
roles/nginx: Rework Let's Encrypt stuff 
Take an opinionated stance on HTTPS and assume that hosts are using
HTTPS for all vhosts. This can either be via custom TLS cert/key
pairs defined in the host's variables (could even be self-signed
certificates on dev boxes) or via Let's Encrypt.
 2016-06-27 23:52:39 +03:00
Alan Orth 1254cea195
roles/nginx: Replace "&" with "and" 2016-06-27 19:13:20 +03:00
Alan Orth da784467e1
host_vars/web08: Specify use_letsencrypt: 'yes' for vhosts 2016-06-27 19:11:06 +03:00
Alan Orth b7ab2da08a
roles/nginx: Allow usage of Let's Encrypt certs 
Hosts can specify use_letsencrypt: 'yes' in their host_vars. For
now this assumes that the certificates already exist (ie, you have
to manually run Let's Encrypt first to register/create the certs).
 2016-06-27 19:07:48 +03:00
Alan Orth 8f43bf28fd
roles/nginx: Add IPv6 DNS resolvers 
From Linode's Frankfurt datacenter.
 2016-06-27 18:40:25 +03:00
Alan Orth a0b31ee86c
roles/nginx: Prioritize DNS resolvers in Frankfurt 
The server is in Linode's DE datacenter so let's use those resolvers
instead of the ones in London.
 2016-06-27 18:32:59 +03:00
Alan Orth 09feb9a40c
roles/mariadb: Add "ansible managed" header to managed files 2016-06-27 18:09:04 +03:00
Alan Orth 283cecf2a2
host_vars/web08: Use mariadb_databases instead of wordpress_blogs to enumerate databases 2016-06-27 18:08:38 +03:00
Alan Orth 2efe2479ad
roles/mariadb: Use mariadb_databases instead of wordpress_blogs for variable 2016-06-27 18:08:02 +03:00
Alan Orth 386482494d
Remove web07 2016-06-27 17:58:28 +03:00
Alan Orth b41bd432df
roles/nginx: Add "ansible managed" string to configs 
Generates a placeholder text to say that the file is managed by
ansible.
 2016-06-27 17:50:49 +03:00
Alan Orth 17062c6ea7 Merge pull request #27 from alanorth/timezone 
Timezone
 2016-06-27 10:31:58 +03:00
Alan Orth 715e9ed2e5
host_vars/web08: Add timezone variable 2016-06-27 10:30:31 +03:00
Alan Orth 06034a8b8b
roles/common: Use systemd's timedatectl for time stuff 
Debian 8 and Ubuntu 16.04 use systemd, so we can make use of its
NTP stuff rather than using the standalone `ntp` package.
 2016-06-27 10:30:11 +03:00
Alan Orth 91f97577c8
Add web08 2016-06-26 13:56:56 +03:00
Alan Orth 7d455b7066
README.md: Clarify requirements note to add Ubuntu 16.04 2016-06-25 21:45:24 +03:00
Alan Orth 03dc8610e9
host_vars/web07: Update WordPress to 4.5.3 2016-06-22 23:35:32 +02:00
Alan Orth 24ca33c605
roles/nginx: Disable rules for Yoast SEO 
Not using Yoast anymore. Now using the much simpler SEO Framework:

https://github.com/sybrew/the-seo-framework
 2016-06-02 11:03:35 +03:00
Alan Orth 1ed7d45c7f
roles/nginx: Fix comment about version numbers 2016-05-27 08:14:46 +03:00
Alan Orth 93451e6c5e
roles/nginx: Use mainline branch by default 
Has all the good stuff:

    http://nginx.org/en/CHANGES
 2016-05-27 08:14:04 +03:00
Alan Orth 064d277d03
host_vars/web07: Wordpress 4.5.2 2016-05-08 19:24:19 +03:00
Alan Orth 33f22b32a4
roles/common: Update sources for cron-apt 
The system's apt configuration is using restricted and multiverse
so the security sources list should as well.
 2016-05-05 12:16:37 +03:00
Alan Orth 6837b48fae
roles/nginx: Switch default version to 1.10.x (stable) 2016-04-27 15:05:19 +03:00
Alan Orth 447db17e33
roles/nginx: Update apt sources for Ubuntu now that nginx 1.10.0 is out 2016-04-27 15:04:17 +03:00
Alan Orth 38a972e085
host_vars/web07: WordPress 4.5 → 4.5.1 2016-04-27 10:38:50 +03:00
Alan Orth 0ff8fb0c05
Remove web06 host 2016-04-26 13:30:19 +03:00
Alan Orth 81e6af8f2b
roles/nginx: Add IPv6 listener in default HTTPS vhost 2016-04-25 21:49:41 +03:00
Alan Orth 1ffc4eebc9
roles/nginx: Use default_server instead of default 
Seems to be the new keyword for quite some time now, despite not
causing an error:

    http://nginx.org/en/docs/http/server_names.html
 2016-04-25 21:48:36 +03:00
Alan Orth 03519831cb
roles/nginx: Return HTTP 444 for requests to invalid hostnames 
444 is a special nginx return code that means the request was
closed without a response, see:

    http://nginx.org/en/docs/http/request_processing.html
 2016-04-25 21:45:21 +03:00
Alan Orth 37b4809546 roles/nginx: Add IPv6 DNS resolvers for OCSP stapling 2016-04-25 13:25:05 +03:00
Alan Orth cd77b088e9
Fix a few references to php5-fpm 
Unless we really mean php5-fpm, let's just say php-fpm.
 2016-04-25 12:33:12 +03:00
Alan Orth 336ff4c2e5
Add web07 
Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2016-04-24 19:04:55 +03:00