Commit Graph

951 Commits

Author SHA1 Message Date
a5f8ab6182
roles/nginx: Harden security headers
Always add security headers, not just for successful HTTP response
codes. See the nginx `add_header` docs.
2016-11-13 23:45:42 +02:00
99caf49a90
roles/nginx: Minor typo in comment 2016-10-18 21:41:46 -04:00
8df5d5ed0f
host_vars/web08: Remove mjanja.co.ke as it is expired 2016-10-17 11:08:33 -04:00
3d6afc667d
roles/nginx/tasks/letsencrypt.yml: Add system deps for certbot
Shit ton of dependencies actually... wow.
2016-10-09 14:06:06 +03:00
651c01a29b
Set use_letsencrypt to true for nginx role
The variable name is misleading as this really does is install the
certbot client and its dependencies, and we generally want this to
always happen. If a host doesn't want it, they can override it in
their host vars.

Perhaps I should rename this variable to "bootstrap_letsencrypt" or
something so it is more accurate.
2016-10-09 11:59:21 +03:00
75ef77e3cc
roles/common: Don't set up apt sources on arm
The package archives appear to be different for some reason.
2016-09-29 16:47:44 +03:00
158df52e35
roles/nginx: Fix systemd unit for renewing Let's Encrypt certs
The `ConditionFileIsExecutable` goes in the [Unit] section! This
fixes the error:

  systemd[1]: [/etc/systemd/system/renew-letsencrypt.service:6] Unknown lvalue 'ConditionFileIsExecutable' in section 'Service'
2016-09-25 15:55:45 +03:00
850342a175
host_vars/web08: Add vhost for picturingjordan.com 2016-09-13 16:51:42 +03:00
422caec2a7
roles/nginx: Only add PHP configuration on vhosts that need it 2016-09-13 15:59:24 +03:00
586ad76d6b
roles/nginx: Only use index.php on hosts that need it
Otherwise, use index.html.
2016-09-13 15:58:40 +03:00
bf7accdade
roles/php-fpm: Only create pools for vhosts that need PHP
Only vhosts running WordPress, etc need PHP. Make sure to set the
appopriate variables for each vhost in the host's vars, ie:

  nginx_vhosts:
    - domain_name:   example.com
      has_wordpress: True

    - domain_name:   example.net
      needs_php:     True

You can set either of them, but not both—needing WordPress implies
needing PHP.
2016-09-13 15:58:09 +03:00
740e5195a0
roles/nginx: Add new variable "needs_php"
Used to indicate if a vhost needs PHP configuration or not, like
for a static site. Set in the hosts's nginx_vhosts block. Defaults
to "False" if unset.
2016-09-13 14:53:12 +03:00
4866083539
roles/nginx: Update comment for option variables 2016-09-13 14:51:49 +03:00
d1871d9706
roles/nginx: Check for variable existence before testing
Some vhosts might not have WordPress so we need to be better about
testing for this before checking its value.
2016-09-12 20:58:21 +03:00
e036349661
roles/nginx: Only check WordPress variables is vhost is using WordPress
This variable is used to control the FastCGI cache, and doesn't
need to be checked if the vhost isn't using WordPress.
2016-09-12 20:57:10 +03:00
d4ffc28d62
host_vars/web08: WordPress 4.6→4.6.1 2016-09-07 20:13:12 +03:00
2b1354ce91
ansible.cfg: Fix SSH pipelining config
The docs aren't very clear on this to be honest, but this option
needs to be under a [ssh_connection] section.

See: http://docs.ansible.com/ansible/intro_configuration.html#pipelining
See: https://review.openstack.org/#/c/331499/
2016-09-07 10:37:25 +03:00
10cbf75c27
group_vars/all: Disable TLS cipher suites using Triple DES
An attack on Triple DES was recently published[0]. It's not a very
high severity attack but the fact is that Triple DES is very old
and there are much better ciphers to use, like AES and ChaCha20.

I logged the ciphers that were negotiated on all of my vhosts over
a period of 72 hours and there were zero occurences of Triple DES,
so I am removing it, as suggested by the authors of the attack as
well as OpenSSL[1].

[0] https://sweet32.info
[1] https://www.openssl.org/blog/blog/2016/08/24/sweet32/
2016-08-27 18:25:37 +03:00
5f656285c0
roles/common: Add a dedicated playbook for ntp tasks
Hosts with systemd should use its NTP client and explicitly remove
the `ntp` packages. Hosts with older init systems should use `ntp`.
2016-08-25 14:19:51 +03:00
8851f8f631 Revert "Only update packages indexes if the cache is 1 hour old"
This reverts commit 201165cff6.

Turns out this actually breaks initial deployments, because the
cache gets updated in the first task, then you add sources for
nginx and mariadb, but it doesn't update the indexes because the
cache is < 3600 seconds old, so you end up getting the distro's
versions of nginx and mariadb.
2016-08-25 12:58:15 +03:00
da6d1e05b9
roles/common: Don't use ansible facts when we don't need to
No use testing the distro version only to use an ansible fact to
find the correct template.
2016-08-24 10:11:13 +03:00
861b5c5413
roles/common: Remove old comment from main playbook 2016-08-22 16:35:02 +03:00
6c6ff1b112
roles/common: Use ansible facts to reduce includes 2016-08-22 16:34:05 +03:00
bd318c5754
Use long GPG key id fingerprints 2016-08-22 16:30:20 +03:00
14de9caed8
roles/common: Use https for Ubuntu Extras repo signing key
Missed this in the earlier commit where I changed to https:// for
transporting apt keys.
2016-08-22 16:28:24 +03:00
c8adba0580
roles/nginx: Add nginx signing key id to apt_key task
When you give Ansible the key id it will check if the key exists
before trying to download and add it. I got the long fingerprint
from `sudo apt-key finger`.
2016-08-22 16:20:10 +03:00
c9ef9e24f5
Use https:// for fetching apt package signing keys
I don't know why I wasn't using these before.
2016-08-22 16:06:13 +03:00
96500a6e33
roles/mariadb: Use Ubuntu 16.04 (xenial) builds
When I originally deployed Ubuntu 16.04 there were no public xenial
MariaDB builds yet, so I used wily (15.10). Now there are official
xenial builds so we can use them instead.
2016-08-22 16:00:45 +03:00
201165cff6
Only update packages indexes if the cache is 1 hour old
I have added cache_valid_time=3600 for the first task in each
tag that could be possibly running apt-related commands. For ex,
the "nginx" tag is also in the "packages" tag, but sometimes you
run the nginx tag by itself (perhaps repeatadely), so you'd want
to limit the update unless the cache was 1 hour old
2016-08-22 15:33:57 +03:00
8a70b526ee
roles/common: Remove extra systemd-timesyncd task
Now it runs in the main play for all Ubuntu and Debian hosts, as
currently they all use systemd.
2016-08-22 15:29:36 +03:00
e9aa4d0fdf
Add ansible.cfg
Pipelining makes ansible run tasks much faster, and as of Ansible
2.0 or 2.1 or so, it now works on older hosts that have requiretty
in their sudo config[0]. Also, disable the creation of those stupid
retry files.

[0] https://github.com/ansible/ansible/pull/13200
2016-08-22 13:04:13 +03:00
0445c3cdee
roles/php-fpm: Set timezone in php.ini template
Since we're using a variable for the timezone for systemd-timesyncd
anyways, we can also use it for PHP's config.
2016-08-22 12:56:50 +03:00
d3a6e71ab8
roles/common: Use service module to enable systemd NTP client instead of timedatectl
The `timedatectl set-ntp on` command is actually just enabling the
systemd service anyways, so it's better we use Ansible's service
module.
2016-08-22 12:49:00 +03:00
aa8735e0ea
roles/nginx: Use explicity booleans for tests instead of "yes" and "no"
Better to be explict with booleans rather than being confused when
you mix up yes and "yes" with Ansible/Python testing of conditionals.
2016-08-17 12:55:14 +03:00
de704a917f
roles/nginx: use boolean for use_letsencrypt instead of string "yes"
This is very confusing when you forget about how Ansible/Python is
testing conditionals. Let's use actual booleans so it's more clear.
2016-08-17 12:42:48 +03:00
60c498f5ae
roles/nginx: Add sanity check to systemd service for renewing Let's Encrypt certs
Just in case, we'd better make sure that certbot is installed and
usable (+x) before we try running it.
2016-08-17 12:27:33 +03:00
2a78c5cf59
roles/nginx: Add sanity check for use_letsencrypt variable
Not all hosts will have this, so this task will flat out fail. We
better check to see if it exists before we try to use it. ;)
2016-08-17 12:27:24 +03:00
f798e47ad8
roles/nginx: Add 'force=yes' to WordPress git repo clone
I never modify file in the git repo, but the WordPress updater does
updates from the web (for example TwentySixteen theme), and this
always causes the task to fail when I switch WordPress versions.
2016-08-17 11:39:10 +03:00
8bee2d7a72
Revert "roles/nginx: Only run Let's Encrypt checks once a day"
This reverts commit a38d822fad.

The docs definitely recommend twice a day. From a note on certbot's
installation page:

> if you're setting up a cron or systemd job, we recommend running
> it twice per day (it won't do anything until your certificates
> are due for renewal or revoked, but running it regularly would
> give your site a chance of staying online in case a Let's
> Encrypt-initiated revocation happened for some reason). Please
> select a random minute within the hour for your renewal tasks.

See: https://certbot.eff.org/#ubuntuxenial-nginx
2016-08-17 11:30:10 +03:00
437dbf470e
host_vars/web08: All vhosts to WordPress 4.6 2016-08-17 00:08:03 +03:00
b7c92e4dc1
roles/common: Remove 128-bit Ciphers and MACs from sshd_config
I had removed them from Debian 8 and Ubuntu 14.04 configs last year
when the NSA's Suite B crypto guidelines dropped 128-bit algorithms
but those changes didn't make it to my new Ubuntu 16.04 config.

It is probably overkill and paranoid, but this server is mine, so I
can make those decisions (and I only connect from modern clients).
2016-08-16 14:28:58 +03:00
33cdcc9ad1
roles/common: Add a few SHA-2 MACs to sshd_config
Fixes a problem with Paramiko, which Ansible uses for transport.

See: http://www.paramiko.org/changelog.html#1.16.0
See: https://github.com/ilri/rmg-ansible-public/issues/37
2016-08-16 14:24:53 +03:00
e343ddc9a6
Add 'packages' tag to any task doing package stuff
For idempotence we need to run all apt-related tasks, like editing
source files, adding keys, installing packages, etc, when running
the 'packages' tag.
2016-08-14 16:33:48 +03:00
7589136453
host_vars/web08: Update one blog to WordPress 4.6 RC2 2016-08-11 09:06:46 +03:00
b284098485
roles/nginx: Add mitigation for HTTPoxy vulnerability
Malicious requests including the HTTP_PROXY value will be able to
manipulate some server-side libraries. Better to just block them
in nginx.

See: https://httpoxy.org/
See: https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
2016-07-21 14:45:41 +03:00
a38d822fad
roles/nginx: Only run Let's Encrypt checks once a day
I can't remember where I had seen it recommended to be twice a day,
but it seems overkill.
2016-07-08 13:50:11 +03:00
b2e2d7bb9e
roles/nginx: Better names for Let's Encrypt timer/service 2016-07-07 14:36:29 +03:00
78dbdae783
roles/nginx: Fix variable check in HTTPS template
Don't assume the variables for TLS certs exist.
2016-07-05 19:42:56 +03:00
24e54c0580
host_vars/web08: Set "use_letsencrypt" for this host 2016-06-28 10:33:57 +03:00
0cd2735c82
roles/nginx: Rework Let's Encrypt stuff
Take an opinionated stance on HTTPS and assume that hosts are using
HTTPS for all vhosts. This can either be via custom TLS cert/key
pairs defined in the host's variables (could even be self-signed
certificates on dev boxes) or via Let's Encrypt.
2016-06-27 23:52:39 +03:00