Commit Graph

284 Commits

Author SHA1 Message Date
5147f4029b
roles/common: Use static imports for tasks
Something seems to have happened as of Ansible 2.4.0.0 where this no
longer works. I suspect it is related to the major changes to static
and dynamic imports that landed around this same time.

In practice this achieves the same function, but without the "magic"
ability to use one task for different operating systems.
2017-11-01 01:25:46 +02:00
e30e4d4b1e
Import OS-specific vars in tasks instead of play
Something seems to have happened as of Ansible 2.4.0.0 where this no
longer works. I suspect it is related to the major changes to static
and dynamic imports that landed around this same time.

We make sure that this tasks always runs by using the special tag of
the same name.
2017-11-01 01:21:48 +02:00
73e6d0b7ed
roles/nginx: Fix issue raised by ansible-lint
[ANSIBLE0006] systemctl used in place of systemd module

Also, move the functionality of the changed check to the systemd task,
because it has the ability to simply daemon-reload itself now.
2017-10-31 23:18:15 +02:00
4ad4d79b3d
roles/munin: Fix issue raised by ansible-lint
[ANSIBLE0010] Package installs should not use latest
2017-10-31 22:41:40 +02:00
f362207616
roles/munin: Fix issue raised by ansible-lint
[ANSIBLE0002] Trailing whitespace
2017-10-31 22:39:34 +02:00
e043cd7dfe
roles/munin: Fix issue raised by ansible-lint
[ANSIBLE0010] Package installs should not use latest
2017-10-31 22:38:32 +02:00
15bf4727c1
roles/common: Add names to include tasks
I'm not sure why these weren't caught by ansible-lint.
2017-10-03 17:46:55 +03:00
e86e2c081b
roles/nginx: Use 'present' instead of 'latest' to install nginx
Raised by the following rule in ansible-lint:

[ANSIBLE0010] Package installs should not use latest
2017-10-03 15:04:54 +03:00
5281d41445
Add names to include tasks
Raised by ansible-lint in the following rule:

[ANSIBLE0011] All tasks should be named
2017-10-03 15:03:09 +03:00
a38e2a4ff6
roles/mariadb: Use MariaDB 10.2 from vendor repo
I can't remember right now why I needed to use Debian's MariaDB build
but now I just want to use upstream's latest stable. Debian's version
is 10.1 and upstream has moved on to 10.2.
2017-09-26 15:15:27 +03:00
ff6253213a
roles/common: Rename "iptables" task to "firewall" 2017-09-26 14:32:21 +03:00
818cbfd533
roles/common: Enable firewalld in Debian 9 2017-09-26 14:30:18 +03:00
58245e3480
roles/common/tasks/main.yml: Remove comment 2017-09-22 15:53:01 +03:00
16a9ebf97f
Adjust playbooks for Ansible 2.4 import changes
Ansible 2.4 changes the way includes work. Now you have to use "import"
for playbooks and tasks that are static, and "include" for those that
are dynamic (ie, those that use variables, loops, etc).

See: http://docs.ansible.com/ansible/devel/playbooks_reuse_includes.html
2017-09-21 21:30:47 +03:00
d518bc51a4
Use nginx user instead of www-data on Debian 9
Using www-data was a temporary measure while I was waiting for the
official nginx.org packages to be released for Debian 9 and we had
to use Debian's own nginx package.
2017-06-19 18:36:13 +03:00
b945240756
roles/common: Harden sshd_config template for Debian 9 and Ubuntu 16.04
From: https://wiki.mozilla.org/Security/Guidelines/OpenSSH
2017-06-19 10:13:24 +03:00
b2d3984c5a
roles/nginx: Fix PHP-FPM socket location on Debian 9
Debian 9 and Ubuntu 16.04 use the same PHP-FPM configuration so we
can make use of that here.
2017-06-18 11:04:30 +03:00
4f22052afe
roles/common: Remove duplicate timezone task
We set it in the separate ntp.yml playbook now, as there are a few
different systems we cater to (systemd, old ntp, etc).
2017-06-18 09:30:05 +03:00
ffac0b8afd
roles/common: Update apt cache in tarsnap step
This fails on clean installs otherwise.
2017-06-18 09:27:53 +03:00
f9a0f9e6bf
roles/php-fpm: Update php7.0-php.ini.j2
Minor comment updates from the latest version from Ubuntu 16.04.
2017-05-28 15:46:15 +03:00
f85c5f3605
roles/php-fpm: Update defaults
Latest defaults from the PHP.net opcache documentation:

    https://secure.php.net/manual/en/opcache.installation.php
2017-05-28 15:45:05 +03:00
4ff2ac1737
roles/nginx: Update comment about nginx versions
Version 1.12.x is now stable and 1.13.x is now mainline.

See: https://www.nginx.com/blog/nginx-1-12-1-13-released/
2017-04-14 16:07:33 +03:00
a7a6fa38c9
roles/nginx: Official builds for Debian Stretch
Now that there are official nginx.org builds for Debian 9 we don't
need to use Debian's own nginx packages.
2017-04-14 16:06:32 +03:00
f53f3c8e7a
roles/php-fpm: Update php7.0-php.ini template
Sync with latest packaged version from Debian 9. Effectively this
only updates comments and disabled options, but having less changes
to look at during an apt upgrade is nice and reduces the chance of
adding errors.
2017-03-06 12:53:17 +02:00
5b51fcedc2
roles/nginx: Sort packages for Let's Encrypt deps on Ubuntu 2017-02-16 18:16:09 +02:00
a6f0d5f7d3
roles/nginx: Add package deps for Let's Encrypt on Debian 9
Taken from running certbot-auto on a clean Debian 9 installation.
2017-02-16 18:15:06 +02:00
d766c3dbbe
roles/common: Add tasks to install tarsnap
Now that Tarsnap has official packages this is one less thing that
needs to be manually installed from source after bringing a machine
up.

See: http://mail.tarsnap.com/tarsnap-announce/msg00037.html
2017-02-07 07:28:35 -08:00
47407188cb
roles/mariadb: Use Debian's MariaDB packages for now
MariaDB actually already has Debian 9 (stretch) packages, but they
seem to cause issues with how I'm deploying. I'll skip them for now
I think.
2017-01-30 16:54:22 +02:00
e13ef95f70
roles/nginx: Update nginx.conf.j2
This is to accomodate Debian's 9 nginx package, as it provides a
different system user/group than nginx.org's packages.
2017-01-30 15:45:50 +02:00
6de385021d
roles/nginx: Updates to accomodate Debian 9 (stretch)
There are currently no nginx.org builds for Debian 9, so we need to
use the package from Debian's repository. This package provides a
www-data user and group instead of an nginx one.

We can revert some of this after Debian 9 is released and official
builds come from nginx.org (though it might be useful to keep the
main nginx.conf as a template).
2017-01-30 15:43:03 +02:00
8c3a8fc26a
roles/php-fpm: Updates for Debian 9 (stretch)
Debian 9 is still in beta and doesn't have nginx.org builds yet, so
we need to use the nginx package in Debian's repositories, and that
required a bit of a different configuration.

After official nginx.org builds are released we can revert this.
2017-01-30 15:11:39 +02:00
1fef5c9b5a roles/common: Add sshd_config for Debian 9 (stretch)
Taken from base install and diffed against the current Ubuntu 16.04
and Debian 8 config templates.
2017-01-30 14:56:27 +02:00
9ca685a6af
roles/common: Adjust allowed user logic for Ubuntu 16.04 sshd_config 2017-01-30 12:54:35 +02:00
0d79769a5f
roles/php-fpm: Update php.ini template
Updates from upstream config.
2017-01-19 15:25:15 +02:00
50536af990
Use Ansible's version_compare instead of doing math on strings
I'm surprised this worked all these years actually. Since Ansible
version 1.6 it has been possible to use the version_compare filter
instead of doing math logic on strings.

See: https://docs.ansible.com/ansible/playbooks_tests.html
2016-12-20 15:04:47 +02:00
d694616cf3
roles/nginx: Make sure to set HSTS headers on WordPress static files
I realized the other day that due to complex logic in the location
blocks, various WordPress static files like images and stylesheets
didn't get the HTTP Strict Transport Security header set. We need
to include it on each level where we are setting headers, because
nginx overwrites headers if you set them again in a child block.
2016-11-20 17:25:01 +02:00
30a5744812
roles/nginx: Decrease gzip_min_length from 860 to 256
There was some knowledge floating around that 860 bytes was the
optimal size, I think it was from an Akamai engineer or something,
but the HTML 5 Boilerplate server configs use 256 bytes, and I
actually have HTML content that is less than 860 bytes, so I guess
I could benefit from compressing it. gzip compression is costly
for the compression side, but very quick for the client, so this
is a good thing.

See: https://github.com/h5bp/server-configs-nginx/blob/master/nginx.conf
2016-11-14 12:46:34 +02:00
c1cecd4cbf
roles/nginx: Update comment for gzip_comp_level
From the HTML 5 Boilerplate server configs, see:

https://github.com/h5bp/server-configs-nginx/blob/master/nginx.conf
2016-11-14 12:32:39 +02:00
61919745c8
roles/nginx: Update gzip compression types
Latest from the HTML 5 Boilerplate project, see:

https://github.com/h5bp/server-configs-nginx/blob/master/nginx.conf
2016-11-14 12:28:18 +02:00
36c16e93bb
roles/nginx: Reduce gzip_comp_level from 6 to 5
After performing some tests[0] again I see that level 5 produces
the most acceptable results for my site currently. Others[1] are
using the same, so I'll gladly accept a little less CPU load for
a tradeoff of a few bits of file size.

[0] https://mjanja.ch/2015/03/finding-the-nginx-gzip_comp_level-sweet-spot/
[1] https://github.com/h5bp/server-configs-nginx/blob/master/nginx.conf
2016-11-14 12:08:21 +02:00
a94b14119e
roles/nginx: Increase error log level to warn
This will show warnings in the error log, as well as more severe
log messages.

See: http://nginx.org/en/docs/ngx_core_module.html#error_log
2016-11-14 11:58:51 +02:00
3d6844a7b7
roles/nginx: Update comments in nginx.conf
Update comments from latest copy of the HTML 5 Boilerplate's nginx
server configs repo.

See: https://github.com/h5bp/server-configs-nginx/blob/master/nginx.conf
2016-11-14 11:55:37 +02:00
3a8b64a5ab
roles/nginx: Remove 'public' from Cache-Control header
If a max-age is specified the 'public' is implicit.

See: https://developers.google.com/web/fundamentals/performance/optimizing-content-efficiency/http-caching
2016-11-14 07:58:46 +02:00
a5f8ab6182
roles/nginx: Harden security headers
Always add security headers, not just for successful HTTP response
codes. See the nginx `add_header` docs.
2016-11-13 23:45:42 +02:00
99caf49a90
roles/nginx: Minor typo in comment 2016-10-18 21:41:46 -04:00
3d6afc667d
roles/nginx/tasks/letsencrypt.yml: Add system deps for certbot
Shit ton of dependencies actually... wow.
2016-10-09 14:06:06 +03:00
651c01a29b
Set use_letsencrypt to true for nginx role
The variable name is misleading as this really does is install the
certbot client and its dependencies, and we generally want this to
always happen. If a host doesn't want it, they can override it in
their host vars.

Perhaps I should rename this variable to "bootstrap_letsencrypt" or
something so it is more accurate.
2016-10-09 11:59:21 +03:00
75ef77e3cc
roles/common: Don't set up apt sources on arm
The package archives appear to be different for some reason.
2016-09-29 16:47:44 +03:00
158df52e35
roles/nginx: Fix systemd unit for renewing Let's Encrypt certs
The `ConditionFileIsExecutable` goes in the [Unit] section! This
fixes the error:

  systemd[1]: [/etc/systemd/system/renew-letsencrypt.service:6] Unknown lvalue 'ConditionFileIsExecutable' in section 'Service'
2016-09-25 15:55:45 +03:00
422caec2a7
roles/nginx: Only add PHP configuration on vhosts that need it 2016-09-13 15:59:24 +03:00