ansible-personal

Author	SHA1	Message	Date
Alan Orth	55fddf03b3	Remove provisioning user management It's just too tricky to manage this. Ubuntu / RedHat preseeds and kickstarts can create the user and add it to groups, but only when we control the initial boot environment (ie not on Linode, Digital Ocean, etc), so let's just say we assume this user exists and can get root with sudo by the some we are running ansible on it. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-02-20 15:06:45 +03:00
Alan Orth	6b528ecc92	roles/php5-fpm: Fix creation of pool configs for both tls and non-tls vhosts Ansible's union thing only works on sets and lists, here we have a dict. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-02-19 19:41:48 +03:00
Alan Orth	b93da27fde	roles/nginx: Create fastcgi cache dir Or else nginx doesn't start. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-02-19 18:49:39 +03:00
Alan Orth	0b90bad6a9	roles/nginx: Add fastcgi caching Bypasses caching for logged in users (right now only for sessions where the "wordpress_logged_in" cookie is set. Doubles the trans- actions per second as measured by siege: $ siege -d1 -t1M -c50 https://mjanja.ch Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-02-10 23:04:28 +03:00
Alan Orth	4ea152bf51	roles/nginx: Add HTTP headers for web application security See: https://github.com/h5bp/server-configs-nginx/blob/master/h5bp/directive-only/extra-security.conf See: https://www.owasp.org/index.php/List_of_useful_HTTP_headers Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-24 13:05:42 +03:00
Alan Orth	0dc4d3f147	roles/nginx: Add a second OCSP stapling responder Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-24 12:44:27 +03:00
Alan Orth	7457ac3b93	roles/nginx: Always set HSTS header nginx 1.7.5 allows us to always set HTTP headers: See: http://mailman.nginx.org/pipermail/nginx-announce/2014/000145.html Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-24 12:40:48 +03:00
Alan Orth	c3bc6d949d	roles/nginx: Add nginx rewrites for Yoast WordPress SEO plugin Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-23 12:26:24 +03:00
Alan Orth	171798c76d	roles/common: Add DSA/ECDSA cleanup to ssh tasks We don't want to support these signature algorithms! Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-20 16:31:37 +03:00
Alan Orth	0d2763fb59	roles/common: Remove ECDSA SSH public key for aorth@noma Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-12 18:19:49 +03:00
Alan Orth	d7dd81bc84	roles/common: Add ED25519 SSH public key for aorth@noma Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-12 18:19:21 +03:00
Alan Orth	13b592dfcd	roles/common: Tune sshd_config to be more strict Disable ECDSA as a signature algorithm and drop some older message authentication algorithms. See: https://stribika.github.io/2015/01/04/secure-secure-shell.html Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-07 01:47:06 +03:00
Alan Orth	a80cb49957	roles/common: Update sshd_config template to explicitly allow the provisioning user Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-06 17:45:06 +03:00
Alan Orth	3b6c9745ab	roles/common: Add provisioning user to sudoers Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-05 08:24:13 +03:00
Alan Orth	0f5b088c08	roles/common: Add createhome:yes to provisioning user task Need to make sure the user gets created on a fresh install, like on Amazon EC2 or OpenStack images where the first user is `ubuntu' and you can't assume `provisioning' is already created. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-04 02:24:53 +03:00
Alan Orth	6ccfdb99fa	roles/nginx: Enable OCSP stapling Reduces round trip time for clients. Note: I am using a certificate chain in the `ssl_certificate' directive, so as I understand it, I don't need to use an explicit trusted intermediate + root CA cert with the `ssl_trusted_certificate' option. See the nginx docs for more[0]. Addresses GitHub Issue #5. Seems to be working, test with: $ openssl s_client -connect mjanja.ch:443 -servername mjanja.ch -tls1 -tlsextdebug -status Look for "OCSP Response" with "Cert Status: good". [0] http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-12-06 23:28:05 +03:00
Alan Orth	f23f0713d2	roles/nginx: Enable SPDY header compression Recommended by Ilya Grigorik to be set to 6. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-12-06 22:40:39 +03:00
Alan Orth	15603ba9e8	roles/nginx: Disable SSL session tickets Session tickets increase performance, but decrease security, so let's just turn them off. See the following posts: - https://timtaubert.de/blog/2014/11/the-sad-state-of-server-side-tls-session-resumption-implementations/ - https://www.imperialviolet.org/2013/06/27/botchingpfs.html - https://github.com/igrigorik/istlsfastyet.com/blob/master/nginx/includes/ssl.conf Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-12-06 22:37:00 +03:00
Alan Orth	23d76a535f	roles/nginx: Set nginx SSL session timeout to 24 hours Default is 5 minutes, but it seems like unless you're a high-traff- ic site, there's no need to expire sessions so quickly. Also, the istlsfastyet.com configs are using 24 hours, so surely we can. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-12-06 22:19:12 +03:00
Alan Orth	d8cd31049b	roles/nginx: Format and add comments to nginx https config Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-12-06 22:17:52 +03:00
Alan Orth	be6c76a2af	roles/nginx: Set nginx SSL buffer size to 1400 istlsfastyet.com recommends setting the buffer size to 1400 so it can fit into a single MTU. nginx default is 16k! http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-12-06 22:16:07 +03:00
Alan Orth	d04293a664	roles/nginx: Set nginx state to 'latest' in apt This way we can upgrade nginx simply by running the nginx tags. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-12-02 18:48:11 +03:00
Alan Orth	956fbefc1a	roles/nginx: Switch to nginx mainline (1.7) Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-11-07 01:02:44 +03:00
Alan Orth	3f5634110a	roles/nginx: Add comment about try_files for serving static files from disk Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-11-07 00:41:07 +03:00
Alan Orth	c870044584	roles/nginx: Adjust Cache-Control headers Use "public" with "max-age" instead of Expires, as "max-age" is always preferred if it's present. Note: setting "public" doesn't make the resource "more cacheable", but it is just more explicit. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-11-07 00:29:53 +03:00
Alan Orth	08a920d0cb	Revert "roles/nginx: Ingenius use of YAML hashes to derive TLS key from another file" This reverts commit `59b9bd70b8`. Might not be so ingenious. Can't get this to work anymore...	2014-10-27 21:16:43 +03:00
Alan Orth	c3f5e27642	roles/common: Add ECDSA public key for noma Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-12 13:25:48 +03:00
Alan Orth	a265e48a9f	roles/common: Remove RSA public key Both client and server support ed25519, so there's no need to even have the RSA key here. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-12 13:23:01 +03:00
Alan Orth	59b9bd70b8	roles/nginx: Ingenius use of YAML hashes to derive TLS key from another file This is kinda crazy, but makes the host_vars much easier to read. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-11 15:42:44 +03:00
Alan Orth	5e0da37542	roles/common: Remove task which removes irqbalance Prevailing wisdom is actually that this can help virtual hosts, especially when the VM guest has multiple CPUs. See: http://wiki.xen.org/wiki/Network_Throughput_and_Performance_Guide Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-11 13:31:23 +03:00
Alan Orth	1ee7b385bf	roles/common: Rename SSH keys Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-11 13:19:32 +03:00
Alan Orth	1e2193efc9	roles/common: Add functionality to copy user keys to provisioning user Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-11 12:13:45 +03:00
Alan Orth	c53dd18181	roles/common: Add role to manage provisioning user Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-11 12:11:44 +03:00
Alan Orth	42b893b2a7	roles/nginx: Add expires to static files Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-10 11:05:42 +03:00
Alan Orth	81a98596e3	Downgrade TLS configuration to Mozilla's "intermediate" spec From looking at the list of clients who would be allowed to connect when using the "modern" spec, I think I'd be doing more harm than good to use that config right now... https://www.ssllabs.com/ssltest/analyze.html?d=alaninkenya.org https://wiki.mozilla.org/Security/Server_Side_TLS Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-09 21:09:18 +03:00
Alan Orth	d06ddf8a81	roles/nginx: Update TLS vhost task for Ansible > 1.7.1 Seems there is some YAML sublety that causes this syntax to insert double spaces on the destination file... using native YAML hashes are a workaround, see GitHub issues: https://github.com/ansible/ansible/issues/9067 https://github.com/ansible/ansible/issues/9172 Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-09 20:57:24 +03:00
Alan Orth	ad8a704470	Update TLS configuration to Mozilla's "modern" spec Details, see: - https://jve.linuxwall.info/blog/index.php?post/2014/10/09/Automated-configuration-analysis-for-Mozilla-s-TLS-guidelines - https://wiki.mozilla.org/Security/Server_Side_TLS Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-09 20:56:08 +03:00
Alan Orth	ad90f7f0fb	roles/nginx: Use HSTS for https vhosts Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-06 10:46:04 +03:00
Alan Orth	fd9c6f31cb	roles/nginx: Add index to munin vhost Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-05 15:47:14 +03:00
Alan Orth	e741a77c00	roles/common: Add unzip to Ubuntu base packages Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-05 15:21:47 +03:00
Alan Orth	6d07af97f3	roles/php5-fpm: Fix php.ini reconfiguration (pathinfo) Use replace instead of lineinfile, addresses GitHub issue #1. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-09-14 12:34:44 +03:00
Alan Orth	3d3b6c8a3f	roles/php5-fpm: Fix pool creation for vhosts Now loops over both http and https vhosts properly. Fixes GitHub issue #2. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-09-14 12:19:26 +03:00
Alan Orth	e6ffdf8652	roles/nginx: Update nginx https stuff - re-organize tls vhost configuration - copy TLS cert from host_vars directly to file Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-09-13 23:16:54 +03:00
Alan Orth	be0e0ea21a	roles/common: Remove irqbalance We're a VM, we don't have IRQs. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-09-07 23:51:52 +03:00
Alan Orth	2156f8b07d	roles/nginx: Tweaks for vhosts with WordPress My WordPress blogs have a /wordpress subdirectory in the document root, but I don't serve from the /wordpress URI. Technically, all we need is the tweaks to the try_files: - `?args` passes query strings to php5-fpm - removing 404 from the vhost's try_files so we don't return 404 when the requested file doesn't exist (obviously not all request URI's in WordPress are actual files on the disk) Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-09-07 22:51:34 +03:00
Alan Orth	df65172952	roles/common: Add lrzip to base packages Provides good mix of compression/decompression speed with size, see: http://ck.kolivas.org/apps/lrzip/README.benchmarks Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-09-07 16:32:06 +03:00
Alan Orth	162197ad25	roles/nginx: Re-work vhost template to support HTTPS Assumes you have a TLS cert for one domain, but not the others, ie: http://blah.com \ http://blah.net -> https://blah.io http://blah.org / Otherwise, without https, it creates a vhost with all domain names. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-09-06 21:32:37 +03:00
Alan Orth	05faeecc5d	roles/mariadb: Quote the password in .my.conf template Ansible's mysql module can get this password and connect fine, but `mysql` on the command line chokes if the password is slightly complicated and is not quoted. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-09-01 12:41:56 +03:00
Alan Orth	5166ebf219	roles/munin: Fix nginx template Accidental syntax error came in when I removed the dns domain Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-08-28 22:08:32 +03:00
Alan Orth	e24464941f	roles/mariadb: Create WordPress db/users when necessary Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-08-28 14:29:23 +03:00
Alan Orth	850a6a8da3	roles/mariadb: Add plays for creating WordPress db/users Relies on the host having a dict with appropriate values defined, for example: wordpress_blogs: - site_name: blah.com wordpress_version: 3.9.2 wordpress_db_user: db_user wordpress_db_name: db_name wordpress_db_pass: V9&XvvKu1hYl Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-08-28 12:47:30 +03:00
Alan Orth	fafd475f6b	roles/nginx: Add index to vhost config Without this, all requests to directory URIs throw 403 errors due to directory listings not being allowed. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-08-28 12:27:24 +03:00
Alan Orth	41b1ab79c2	roles/php5-fpm: Update comment Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-08-28 11:25:35 +03:00
Alan Orth	0b8e0c38bf	roles/nginx: Per-vhost logs Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-08-27 20:26:12 +03:00
Alan Orth	5bbec6716c	roles/nginx: Use template to configure nginx vhosts Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-08-27 20:03:34 +03:00
Alan Orth	75a705ac87	roles/nginx: Add defaults for nginx role Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-08-27 20:02:29 +03:00
Alan Orth	ff95a34605	roles/nginx: Add vim modeline to main.yml Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-08-27 20:00:42 +03:00
Alan Orth	0689153bd9	roles/php5-fpm: Use template for pools Each vhost has a separate pool. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-08-27 19:48:21 +03:00
Alan Orth	2afa1ef2f3	roles/munin: Remove dns domain Don't really need this, as we only have one server. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-08-27 15:57:28 +03:00
Alan Orth	775f0e7f5f	roles/mariadb: Install python bindings for ansible's mysql module Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-08-27 15:56:54 +03:00
Alan Orth	60b8ecdd4c	Initial commit Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-08-17 00:35:57 +03:00

... 7 8 9 10 11

511 Commits