Commit Graph

794 Commits

Author SHA1 Message Date
6c3cf40a16
roles/nginx: Use snakeoil cert from ssl-cert
Instead of manually creating our own self-signed certificate we can
use the one created automatically by the ssl-cert package on Debian.
This is only used by the dummy default HTTPS vhost.
2021-07-01 18:11:34 +03:00
681be5eb19
Pipfile.lock: run pipenv update
Ansible 4.2.0 and Ansible Core 2.11.2
2021-07-01 18:11:11 +03:00
4fae56a386
host_vars/web19: WordPress 5.7.2 2021-06-13 16:14:22 +03:00
1d5db7bdbe
Pipfile.lock: run pipenv update 2021-06-13 16:14:05 +03:00
32da3a3341
Pipfile.lock: Re-create pipenv environment for Ansible 4.0.0
Seems we need to manually uninstall and re-install.
2021-05-20 10:21:01 +03:00
31a3f5832a
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
2021-05-20 10:20:47 +03:00
3e7130b519
Pipfile.lock: run pipenv update 2021-05-14 13:56:56 +03:00
bd0b6a16de
roles/nginx/defaults/main.yml: Update version comment
Stable is now 1.20.0
2021-05-10 16:00:44 +03:00
7145298f90
Pipfile.lock: Run pipenv update 2021-05-10 15:59:34 +03:00
1bfd2bc441
Pipfile.lock: Run pipenv update
Ansible 3.3.0
2021-04-28 12:49:23 +03:00
884b3b8425
host_vars/web19: remove dead host 2021-04-24 20:17:17 +03:00
e06a0c4093
host_vars/web19: WordPress 5.7.1 2021-04-16 19:51:55 +03:00
7ba5afcec4
roles/nginx: Opt out of Google FLoC
Google's new Federated Learning of Cohorts (FLoC) will read user's
browser history and assign them to cohorts to track them unless we
set this header.
2021-04-16 12:41:09 +03:00
d3978e5b07
Pipfile.lock: run pipenv update 2021-04-13 14:28:34 +03:00
4150dac57b
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
2021-04-13 12:11:11 +03:00
58bc9d191f
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
2021-03-24 10:02:43 +02:00
96cefc7f74
roles/nginx: Parameterize HSTS header
This parameterizes the HTTP Strict Transport Security header so we
can use it consistently across all templates. Also, it updates the
max-age to be ~1 year in seconds, which is recommended by Google.

See: https://hstspreload.org/
2021-03-23 15:36:28 +02:00
f85eb2841a
roles/nginx: Add webroot to systemd renewal service 2021-03-20 00:18:17 +02:00
5d506ebc65
README.md: Update copyright year 2021-03-20 00:16:16 +02:00
af49f27551
roles/nginx: Update comment in defaults 2021-03-19 23:50:39 +02:00
f341d2e5eb
roles/nginx: Remove nginx pre/post hooks
We are now using the well-known webroot.
2021-03-19 23:46:22 +02:00
ceba0ea417
roles/nginx: Use consistent task style 2021-03-19 23:45:41 +02:00
a34cb1e666
roles/nginx: Switch to acme.sh for Let's Encrypt
The certbot-auto client that I've been using for a long time is now
only supported if you install it using snap. I don't use snap on my
systems so I decided to switch to the acme.sh client, which is imp-
lemented in POSIX shell with no dependencies. One bonus of this is
that I can start using ECC certificates.

This also configures the .well-known directory so we can use webroot
when installing and renewing certificates. I have yet to understand
how the renewal works with regards to webroot, though. I may have to
update the systemd timers to point to /var/lib/letsencrypt/.well-known.
2021-03-19 23:39:30 +02:00
65fc52c5e5
roles/nginx: Use variable for nginx_ssl_dhparam
I went years without realizing that I was hard coding the file dest
in this particular task.
2021-03-19 18:13:55 +02:00
7f13c8c675
host_vars/web19: WordPress 3.7 2021-03-19 13:27:34 +02:00
9c36cfb8e5
Pipfile.lock: Run pipenv update 2021-03-19 13:18:19 +02:00
7f72a9eda4
roles/nginx: Use RFC 7919 4096-bit dhparams
Recommended by internet.nl, which made me aware of RFC 7919.

See: https://tools.ietf.org/html/rfc7919#page-14
2021-03-19 13:13:56 +02:00
6e96d48ea6
Pipfile.lock: Run pipenv update
Ansible 3.0.0
2021-03-01 15:27:58 +02:00
db412066b3
roles/mariadb: Only create users on 127.0.0.1 and ::1
A few months ago I disabled hostname lookups so only IP addresses
work now anyways.
2021-02-13 13:11:28 +02:00
63a836e2a7
roles/common: Update Tarsnap GPG key
Apparently this changed since I last ran the tarsnap task.
2021-02-13 12:57:17 +02:00
dd04238a83
host_vars/web19: Add dev domain 2021-02-13 12:18:31 +02:00
efdbeb75ea host_vars/web19: WordPress 5.6.1 2021-02-13 11:48:21 +02:00
cd4411260c
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
2021-02-07 15:56:33 +02:00
8cb232a765
Pipfile.lock: Run pipenv update 2021-02-07 15:53:10 +02:00
d4ca119265
Pipfile.lock: run pipenv update
Minor Ansible update
2021-01-27 11:06:12 +02:00
f72f8c7a8d
host_vars/web19: Remove piwik nginx host 2021-01-06 09:07:41 +02:00
d7fa1697a1
host_vars/web19: Remove piwik database 2021-01-06 09:00:54 +02:00
b0420d2adb
roles: Remove mentions of Piwik
I never check the damn analytics stats and the database is huge.
2021-01-06 09:00:18 +02:00
c70ebba151
Add host_vars/web20 2021-01-01 19:55:14 +02:00
ac860e72f2
roles/php-fpm: Only run PHP tasks if we need them 2021-01-01 19:54:12 +02:00
101c05d248
web.yml: Only run MariaDB role if it is needed
Not all web hosts need this. Some are static sites, for example.
2021-01-01 19:28:40 +02:00
1b75679496
roles/mariadb: The service is mariadb 2020-12-29 11:25:30 +02:00
ebf4a4c2ac
roles/mariadb: Disable name lookups
Add skip-name-resolve=1 to disable lookups of hostnames to IPs. We
need to make sure all accounts are using IPs like 127.0.0.1 instead
of "localhost" now.
2020-12-29 11:19:01 +02:00
57a83cef26
roles/mariadb: Tweak temp table size
mysqltuner.pl said:

    When making adjustments, make tmp_table_size/max_heap_table_size equal
2020-12-29 11:10:31 +02:00
8ee52143fc
roles/mariadb: Disable the query cache by default
It seems that the usefulness of the query cache is diminishing in
recent years. If your cache is large then the time taken to scan
the cache can be longer than the SQL query itself.

See: https://haydenjames.io/mysql-query-cache-size-performance/
2020-12-29 11:07:33 +02:00
67a18c4f49
roles/mariadb: Reduce key buffer size
mysqltuner.pl shows currently 6M out of 33M being used.
2020-12-29 10:58:12 +02:00
b8428e67a8
roles/mariadb: Install MariaDB 10.5 2020-12-29 10:41:27 +02:00
e18529e6e1
roles/mariadb: Update service name
As of MariaDB 10.5 the service name and binaries have changed from
mysql, mysqld, etc to mariadbd.

See: https://mariadb.com/kb/en/upgrading-from-mariadb-104-to-mariadb-105/
2020-12-29 10:40:13 +02:00
89db1449d1
roles/mariadb: Fetch signing key from mariadb.org
I downloaded the key and checked the fingerprint with gpg:

    $ gpg --dry-run --import mariadb_release_signing_key.asc
    gpg: key F1656F24C74CD1D8: 6 signatures not checked due to missing keys
    gpg: Total number processed: 1
2020-12-29 10:36:33 +02:00
6660a0cd36
roles/mariadb: Remove innodb_buffer_pool_instances
This was deprecated in MariaDB 10.5. The setting is now ignored and
will be removed in a future version.

See: https://mariadb.com/kb/en/changes-improvements-in-mariadb-105/#innodb-removed-or-deprecated-variables
2020-12-29 10:18:23 +02:00