Commit Graph

732 Commits

Author SHA1 Message Date
4edf92fe0d
roles/common: Allow adding extra SSH users 2020-12-08 23:15:51 +02:00
a105923f4b
host_vars/nomad01: Open TCP 80 and 443 2020-12-08 20:57:59 +02:00
a49dc82da6
host_vars/nomad01: Add comments 2020-12-08 20:56:56 +02:00
5055e425be
Add host_vars/nomad01 2020-12-08 20:56:03 +02:00
66de556d83
Add a "nomads" group of hosts
Hosts that I want to run common config stuff like SSH, firewalls,
etc.
2020-12-08 20:55:24 +02:00
90a8c1c8db
Remove host_vars/web18
Replaced by web19 months ago.
2020-12-08 18:52:11 +02:00
08ae79ae88
Use Python 3.9 in pipenv setup 2020-12-02 11:33:10 +02:00
776fd7cc76
Pipfile.lock: Update dependencies with pipenv update 2020-11-29 10:31:13 +02:00
dd2f65947d
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

    $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
      confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
      -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
      -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

    $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
    $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
2020-11-06 15:44:57 +02:00
31ffda5466
Re-create Pipfile
Something about upgrading from Ansible 2.9 to 2.10 wasn't working.
2020-11-01 19:04:07 +02:00
7087d68459
host_vars/web19: WordPress 5.5.3 2020-11-01 19:03:49 +02:00
d3c2b0559a
Pipfile.lock: Run pipenv update
Ansible 2.9.13
2020-09-02 15:31:01 +03:00
2e77780ae3
host_vars/web19: WordPress 5.5.1 2020-09-02 15:30:42 +03:00
f4b104953c
roles/common: Use correct Ansible version comparison
The major version is "16", not "16.04".
2020-07-27 14:23:58 +03:00
c9ea286fff
roles/mariadb: Simplify sources.list 2020-07-14 09:51:35 +03:00
b366b0af3d
roles/nginx: Update version comment 2020-07-14 09:48:12 +03:00
0c192e6c4a
roles/munin: Remove tomcat config
We don't use tomcat here.
2020-07-14 09:47:39 +03:00
f5b6fa74c6
roles/munin: Use systemd module instead of service
All hosts are running systemd.
2020-07-14 09:47:18 +03:00
dbb4dd7098
roles/php-fpm: Add missing Ubuntu 20.04 PHP-FPM task 2020-07-14 09:45:51 +03:00
72b8b193b5
Remove support for Debian 9 and Ubuntu 16.04 2020-07-14 09:45:33 +03:00
539f081d4d
roles/common: Remove storage-specific tweaks
We don't have any "storage" group. This was ported from somewhere
else and I didn't notice that code.
2020-07-14 09:10:07 +03:00
950b949eac
README.md: Update copyright year 2020-07-14 09:04:26 +03:00
a1f110c8bc
Add PHP 7.4 FPM support 2020-07-13 23:25:32 +03:00
20ab27e1d2
roles/php-fpm: Fix 7.4 pool config 2020-07-13 23:25:09 +03:00
7f5499c307
roles/php-fpm: Import config changes for PHP 7.4 2020-07-13 22:37:12 +03:00
057e98ab47
roles/php-fpm: Import Ubuntu 20.04 PHP 7.4 FPM configs 2020-07-13 22:34:02 +03:00
5282154d7d
roles/common: Disable Canonical spam in MOTD 2020-06-25 21:12:00 +03:00
f4da35acee
Pipfile.lock: Run pipenv update
Ansible 2.9.10
2020-06-25 20:56:18 +03:00
e286866a6a
host_vars/web18: WordPress 5.4.2 2020-06-21 19:22:17 +03:00
99b55403d3
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

$ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
  confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
  -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
  -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

    $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
    $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
2020-06-21 16:31:09 +03:00
9abfe80245 roles/nginx: Add pre and post hooks for Let's Encrypt on Ubuntu 20.04
Certbot will run any executables in the pre and post directories
during certificate renewal.
2020-06-08 12:15:29 +03:00
0587841476 roles/nginx: Adjust certbot tasks
It seems that it is no longer recommended/supported to install the
standalone certbot-auto client on Ubuntu 20.04. We apparently need
to use the one provided by Ubuntu, which luckily includes a service
and timer to renew the certs.
2020-06-08 12:15:29 +03:00
40ac858d60 roles/common: Ignore errors removing snaps
If the snap binary doesn't even exist then it means we've probably
already run this playbook and removed all installed snaps as well.
2020-06-08 12:15:29 +03:00
ba3004ef2b roles/common: Don't run rc.local task on Ubuntu 20.04
We haven't actually used rc.local since Ubuntu 16.04. Now anything
that we need to run at boot we can do with systemd anyways.
2020-06-08 12:15:29 +03:00
ef6ce2335e roles/common: Remove systemd-journald drop-in
Older Ubuntus originally didn't use a persistent journal, which was
somewhat of a surprise when looking at logs after a few months. Now
this does not seem to be an issue since Ubuntu 18.04. As for CentOS
I do not use that distro here so I don't need to care.
2020-06-08 12:15:29 +03:00
6fcb1290fe roles/common: Port sshd_config changes from Debian 10 to Ubuntu 20.04
By now the recommendations we were using as guidance are five years
old. The ciphers have not changed much since then.
2020-06-08 12:15:29 +03:00
5a58d93dfe roles/common: Import sshd_config for Ubuntu 20.04 2020-06-08 12:15:29 +03:00
870bdbfcc3 roles/common: Harden fail2ban service on Ubuntu 20.04 2020-06-08 12:15:29 +03:00
96f62a17d1 roles/common: Use nftables backend in firewalld on Ubuntu 20.04
The nftables backend should be more performant and flexible. I had
been planning to use it on Ubuntu 18.04 and Debian 10 as well, but
there were issues with the specific versions used in those distros.

See: https://firewalld.org/2018/07/nftables-backend
2020-06-08 12:15:29 +03:00
29bbc14068 roles/common: Remove ufw from Ubuntu systems
We never used this simple firewall utility and in at least one case
a user on the server tried to use it and messed up the rules I had
set via firewalld.
2020-06-08 12:15:29 +03:00
7288a85e72 roles/common: Remove snaps on Ubuntu 20.04
The list of pre-installed snaps and system packages is different on
Ubuntu 20.04 than it was in previous LTS releases.

See: https://www.kevin-custer.com/blog/disabling-snaps-in-ubuntu-20-04/
2020-06-08 12:15:29 +03:00
aedb42a1b9
host_vars/web18: WordPress 5.4.1 2020-06-08 12:14:58 +03:00
5242493b53
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

$ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
  confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
  -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
  -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

    $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
    $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
2020-06-03 10:10:49 +03:00
ed2e0efd9c
roles/common: Actually remove annoying Ubuntu motd spam 2020-04-24 22:37:50 +03:00
12a35f4af7
host_vars/web18: WordPress 5.4 2020-04-24 11:39:32 +03:00
0e0c21bd16
Pipfile.lock: Run pipenv update
Brings Ansible 2.9.2.
2020-04-24 11:27:35 +03:00
4b5d17ef8c
roles/nginx: Update comment about versions 2020-03-16 18:06:28 +02:00
03254d6aae
roles/common: Use normal tarsnap GPG packaging key 2020-03-16 18:03:53 +02:00
4eb94d9127
Pipfile.lock: Run pipenv update
Ansible 2.9.6 and other minor updates to dependencies.
2020-03-16 17:56:19 +02:00
e169a3744a
roles/nginx: Fix munin.conf for nginx_status
This config stopped working a few years ago probably when hosts started
getting IPv6 and we need to allow ::1. Make sure we're only listening
on local loopback interfaces also.
2020-03-10 12:23:12 +02:00