alanorth/ansible-personal
1
0
Fork 0
Code Issues 4 Pull Requests Projects Releases Wiki Activity
237 Commits 2 Branches 0 Tags 4.2 MiB
65d4c28396
Commit Graph

157 Commits

Author SHA1 Message Date
Alan Orth
4ea152bf51
roles/nginx: Add HTTP headers for web application security 
See: https://github.com/h5bp/server-configs-nginx/blob/master/h5bp/directive-only/extra-security.conf
See: https://www.owasp.org/index.php/List_of_useful_HTTP_headers

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-01-24 13:05:42 +03:00
Alan Orth
0dc4d3f147
roles/nginx: Add a second OCSP stapling responder 
Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-01-24 12:44:27 +03:00
Alan Orth
7457ac3b93
roles/nginx: Always set HSTS header 
nginx 1.7.5 allows us to always set HTTP headers:

See: http://mailman.nginx.org/pipermail/nginx-announce/2014/000145.html

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-01-24 12:40:48 +03:00
Alan Orth
c3bc6d949d
roles/nginx: Add nginx rewrites for Yoast WordPress SEO plugin 
Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-01-23 12:26:24 +03:00
Alan Orth
171798c76d roles/common: Add DSA/ECDSA cleanup to ssh tasks 
We don't want to support these signature algorithms!

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-01-20 16:31:37 +03:00
Alan Orth
0d2763fb59
roles/common: Remove ECDSA SSH public key for aorth@noma 
Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-01-12 18:19:49 +03:00
Alan Orth
d7dd81bc84
roles/common: Add ED25519 SSH public key for aorth@noma 
Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-01-12 18:19:21 +03:00
Alan Orth
13b592dfcd roles/common: Tune sshd_config to be more strict 
Disable ECDSA as a signature algorithm and drop some older message
authentication algorithms.

See: https://stribika.github.io/2015/01/04/secure-secure-shell.html

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-01-07 01:47:06 +03:00
Alan Orth
a80cb49957 roles/common: Update sshd_config template to explicitly allow the provisioning user 
Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-01-06 17:45:06 +03:00
Alan Orth
3b6c9745ab
roles/common: Add provisioning user to sudoers 
Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-01-05 08:24:13 +03:00
Alan Orth
0f5b088c08 roles/common: Add createhome:yes to provisioning user task 
Need to make sure the user gets created on a fresh install, like on
Amazon EC2 or OpenStack images where the first user is `ubuntu' and
you can't assume `provisioning' is already created.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2015-01-04 02:24:53 +03:00
Alan Orth
6ccfdb99fa roles/nginx: Enable OCSP stapling 
Reduces round trip time for clients. Note: I am using a certificate
chain in the `ssl_certificate' directive, so as I understand it, I
don't need to use an explicit trusted intermediate + root CA cert
with the `ssl_trusted_certificate' option. See the nginx docs for
more[0]. Addresses GitHub Issue #5.

Seems to be working, test with:

    $ openssl s_client -connect mjanja.ch:443 -servername mjanja.ch -tls1 -tlsextdebug -status

Look for "OCSP Response" with "Cert Status: good".

[0] http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-12-06 23:28:05 +03:00
Alan Orth
f23f0713d2
roles/nginx: Enable SPDY header compression 
Recommended by Ilya Grigorik to be set to 6.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-12-06 22:40:39 +03:00
Alan Orth
15603ba9e8
roles/nginx: Disable SSL session tickets 
Session tickets increase performance, but decrease security, so
let's just turn them off.  See the following posts:

- https://timtaubert.de/blog/2014/11/the-sad-state-of-server-side-tls-session-resumption-implementations/
- https://www.imperialviolet.org/2013/06/27/botchingpfs.html
- https://github.com/igrigorik/istlsfastyet.com/blob/master/nginx/includes/ssl.conf

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-12-06 22:37:00 +03:00
Alan Orth
23d76a535f
roles/nginx: Set nginx SSL session timeout to 24 hours 
Default is 5 minutes, but it seems like unless you're a high-traff-
ic site, there's no need to expire sessions so quickly.  Also, the
istlsfastyet.com configs are using 24 hours, so surely we can.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-12-06 22:19:12 +03:00
Alan Orth
d8cd31049b
roles/nginx: Format and add comments to nginx https config 
Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-12-06 22:17:52 +03:00
Alan Orth
be6c76a2af roles/nginx: Set nginx SSL buffer size to 1400 
istlsfastyet.com recommends setting the buffer size to 1400 so it
can fit into a single MTU.  nginx default is 16k!

http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-12-06 22:16:07 +03:00
Alan Orth
d04293a664
roles/nginx: Set nginx state to 'latest' in apt 
This way we can upgrade nginx simply by running the nginx tags.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-12-02 18:48:11 +03:00
Alan Orth
956fbefc1a
roles/nginx: Switch to nginx mainline (1.7) 
Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-11-07 01:02:44 +03:00
Alan Orth
3f5634110a
roles/nginx: Add comment about try_files for serving static files from disk 
Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-11-07 00:41:07 +03:00
Alan Orth
c870044584
roles/nginx: Adjust Cache-Control headers 
Use "public" with "max-age" instead of Expires, as "max-age" is always
preferred if it's present.  Note: setting "public" doesn't make the
resource "more cacheable", but it is just more explicit.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-11-07 00:29:53 +03:00
Alan Orth
08a920d0cb Revert "roles/nginx: Ingenius use of YAML hashes to derive TLS key from another file" 
This reverts commit 59b9bd70b8.

Might not be so ingenious.  Can't get this to work anymore...
 2014-10-27 21:16:43 +03:00
Alan Orth
c3f5e27642
roles/common: Add ECDSA public key for noma 
Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-10-12 13:25:48 +03:00
Alan Orth
a265e48a9f
roles/common: Remove RSA public key 
Both client and server support ed25519, so there's no need to even
have the RSA key here.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-10-12 13:23:01 +03:00
Alan Orth
59b9bd70b8 roles/nginx: Ingenius use of YAML hashes to derive TLS key from another file 
This is kinda crazy, but makes the host_vars much easier to read.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-10-11 15:42:44 +03:00
Alan Orth
5e0da37542
roles/common: Remove task which removes irqbalance 
Prevailing wisdom is actually that this *can* help virtual hosts,
especially when the VM guest has multiple CPUs.

See: http://wiki.xen.org/wiki/Network_Throughput_and_Performance_Guide

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-10-11 13:31:23 +03:00
Alan Orth
1ee7b385bf
roles/common: Rename SSH keys 
Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-10-11 13:19:32 +03:00
Alan Orth
1e2193efc9
roles/common: Add functionality to copy user keys to provisioning user 
Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-10-11 12:13:45 +03:00
Alan Orth
c53dd18181
roles/common: Add role to manage provisioning user 
Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-10-11 12:11:44 +03:00
Alan Orth
42b893b2a7
roles/nginx: Add expires to static files 
Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-10-10 11:05:42 +03:00
Alan Orth
81a98596e3
Downgrade TLS configuration to Mozilla's "intermediate" spec 
From looking at the list of clients who would be allowed to connect
when using the "modern" spec, I think I'd be doing more harm than
good to use that config right now...

https://www.ssllabs.com/ssltest/analyze.html?d=alaninkenya.org
https://wiki.mozilla.org/Security/Server_Side_TLS

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-10-09 21:09:18 +03:00
Alan Orth
d06ddf8a81
roles/nginx: Update TLS vhost task for Ansible > 1.7.1 
Seems there is some YAML sublety that causes this syntax to insert
double spaces on the destination file... using native YAML hashes
are a workaround, see GitHub issues:

https://github.com/ansible/ansible/issues/9067
https://github.com/ansible/ansible/issues/9172

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-10-09 20:57:24 +03:00
Alan Orth
ad8a704470
Update TLS configuration to Mozilla's "modern" spec 
Details, see:

- https://jve.linuxwall.info/blog/index.php?post/2014/10/09/Automated-configuration-analysis-for-Mozilla-s-TLS-guidelines
- https://wiki.mozilla.org/Security/Server_Side_TLS

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-10-09 20:56:08 +03:00
Alan Orth
ad90f7f0fb
roles/nginx: Use HSTS for https vhosts 
Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-10-06 10:46:04 +03:00
Alan Orth
fd9c6f31cb
roles/nginx: Add index to munin vhost 
Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-10-05 15:47:14 +03:00
Alan Orth
e741a77c00
roles/common: Add unzip to Ubuntu base packages 
Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-10-05 15:21:47 +03:00
Alan Orth
6d07af97f3
roles/php5-fpm: Fix php.ini reconfiguration (pathinfo) 
Use replace instead of lineinfile, addresses GitHub issue #1.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-09-14 12:34:44 +03:00
Alan Orth
3d3b6c8a3f
roles/php5-fpm: Fix pool creation for vhosts 
Now loops over both http and https vhosts properly. Fixes GitHub
issue #2.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-09-14 12:19:26 +03:00
Alan Orth
e6ffdf8652
roles/nginx: Update nginx https stuff 
- re-organize tls vhost configuration
- copy TLS cert from host_vars directly to file

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-09-13 23:16:54 +03:00
Alan Orth
be0e0ea21a
roles/common: Remove irqbalance 
We're a VM, we don't have IRQs.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-09-07 23:51:52 +03:00
Alan Orth
2156f8b07d
roles/nginx: Tweaks for vhosts with WordPress 
My WordPress blogs have a /wordpress subdirectory in the document
root, but I don't serve from the /wordpress URI.

Technically, all we need is the tweaks to the try_files:
    - `?args` passes query strings to php5-fpm
    - removing 404 from the vhost's try_files so we don't return 404
    when the requested file doesn't exist (obviously not all request
    URI's in WordPress are actual files on the disk)

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-09-07 22:51:34 +03:00
Alan Orth
df65172952
roles/common: Add lrzip to base packages 
Provides good mix of compression/decompression speed with size,
see: http://ck.kolivas.org/apps/lrzip/README.benchmarks

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-09-07 16:32:06 +03:00
Alan Orth
162197ad25
roles/nginx: Re-work vhost template to support HTTPS 
Assumes you have a TLS cert for one domain, but not the others, ie:

    http://blah.com \
    http://blah.net  -> https://blah.io
    http://blah.org /

Otherwise, without https, it creates a vhost with all domain names.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-09-06 21:32:37 +03:00
Alan Orth
05faeecc5d
roles/mariadb: Quote the password in .my.conf template 
Ansible's mysql module can get this password and connect fine, but
`mysql` on the command line chokes if the password is slightly
complicated and is not quoted.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-09-01 12:41:56 +03:00
Alan Orth
5166ebf219
roles/munin: Fix nginx template 
Accidental syntax error came in when I removed the dns domain

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-08-28 22:08:32 +03:00
Alan Orth
e24464941f
roles/mariadb: Create WordPress db/users when necessary 
Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-08-28 14:29:23 +03:00
Alan Orth
850a6a8da3
roles/mariadb: Add plays for creating WordPress db/users 
Relies on the host having a dict with appropriate values defined,
for example:

  wordpress_blogs:
    - site_name:            blah.com
      wordpress_version:    3.9.2
      wordpress_db_user:    db_user
      wordpress_db_name:    db_name
      wordpress_db_pass:    V9&XvvKu1hYl

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-08-28 12:47:30 +03:00
Alan Orth
fafd475f6b
roles/nginx: Add index to vhost config 
Without this, all requests to directory URIs throw 403 errors due
to directory listings not being allowed.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-08-28 12:27:24 +03:00
Alan Orth
41b1ab79c2
roles/php5-fpm: Update comment 
Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-08-28 11:25:35 +03:00
Alan Orth
0b8e0c38bf
roles/nginx: Per-vhost logs 
Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-08-27 20:26:12 +03:00
Alan Orth
5bbec6716c
roles/nginx: Use template to configure nginx vhosts 
Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-08-27 20:03:34 +03:00
Alan Orth
75a705ac87
roles/nginx: Add defaults for nginx role 
Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-08-27 20:02:29 +03:00
Alan Orth
ff95a34605
roles/nginx: Add vim modeline to main.yml 
Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-08-27 20:00:42 +03:00
Alan Orth
0689153bd9
roles/php5-fpm: Use template for pools 
Each vhost has a separate pool.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-08-27 19:48:21 +03:00
Alan Orth
2afa1ef2f3
roles/munin: Remove dns domain 
Don't really need this, as we only have one server.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-08-27 15:57:28 +03:00
Alan Orth
775f0e7f5f
roles/mariadb: Install python bindings for ansible's mysql module 
Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-08-27 15:56:54 +03:00
Alan Orth
60b8ecdd4c
Initial commit 
Signed-off-by: Alan Orth <alan.orth@gmail.com>
 2014-08-17 00:35:57 +03:00