alanorth/ansible-personal
1
0
Fork 0
Code Issues 4 Pull Requests Projects Releases Wiki Activity
372 Commits 2 Branches 0 Tags 4.2 MiB
7b4f47a42b
Commit Graph

372 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Alan Orth
8a70b526ee
roles/common: Remove extra systemd-timesyncd task 
Now it runs in the main play for all Ubuntu and Debian hosts, as
currently they all use systemd.
 2016-08-22 15:29:36 +03:00
Alan Orth
e9aa4d0fdf
Add ansible.cfg 
Pipelining makes ansible run tasks much faster, and as of Ansible
2.0 or 2.1 or so, it now works on older hosts that have requiretty
in their sudo config[0]. Also, disable the creation of those stupid
retry files.

[0] https://github.com/ansible/ansible/pull/13200
 2016-08-22 13:04:13 +03:00
Alan Orth
0445c3cdee
roles/php-fpm: Set timezone in php.ini template 
Since we're using a variable for the timezone for systemd-timesyncd
anyways, we can also use it for PHP's config.
 2016-08-22 12:56:50 +03:00
Alan Orth
d3a6e71ab8
roles/common: Use service module to enable systemd NTP client instead of timedatectl 
The `timedatectl set-ntp on` command is actually just enabling the
systemd service anyways, so it's better we use Ansible's service
module.
 2016-08-22 12:49:00 +03:00
Alan Orth
aa8735e0ea
roles/nginx: Use explicity booleans for tests instead of "yes" and "no" 
Better to be explict with booleans rather than being confused when
you mix up yes and "yes" with Ansible/Python testing of conditionals.
 2016-08-17 12:55:14 +03:00
Alan Orth
de704a917f
roles/nginx: use boolean for use_letsencrypt instead of string "yes" 
This is very confusing when you forget about how Ansible/Python is
testing conditionals. Let's use actual booleans so it's more clear.
 2016-08-17 12:42:48 +03:00
Alan Orth
60c498f5ae
roles/nginx: Add sanity check to systemd service for renewing Let's Encrypt certs 
Just in case, we'd better make sure that certbot is installed and
usable (+x) before we try running it.
 2016-08-17 12:27:33 +03:00
Alan Orth
2a78c5cf59
roles/nginx: Add sanity check for use_letsencrypt variable 
Not all hosts will have this, so this task will flat out fail. We
better check to see if it exists before we try to use it. ;)
 2016-08-17 12:27:24 +03:00
Alan Orth
f798e47ad8
roles/nginx: Add 'force=yes' to WordPress git repo clone 
I never modify file in the git repo, but the WordPress updater does
updates from the web (for example TwentySixteen theme), and this
always causes the task to fail when I switch WordPress versions.
 2016-08-17 11:39:10 +03:00
Alan Orth
8bee2d7a72
Revert "roles/nginx: Only run Let's Encrypt checks once a day" 
This reverts commit a38d822fad.

The docs definitely recommend twice a day. From a note on certbot's
installation page:

> if you're setting up a cron or systemd job, we recommend running
> it twice per day (it won't do anything until your certificates
> are due for renewal or revoked, but running it regularly would
> give your site a chance of staying online in case a Let's
> Encrypt-initiated revocation happened for some reason). Please
> select a random minute within the hour for your renewal tasks.

See: https://certbot.eff.org/#ubuntuxenial-nginx
 2016-08-17 11:30:10 +03:00
Alan Orth
437dbf470e
host_vars/web08: All vhosts to WordPress 4.6 2016-08-17 00:08:03 +03:00
Alan Orth
b7c92e4dc1
roles/common: Remove 128-bit Ciphers and MACs from sshd_config 
I had removed them from Debian 8 and Ubuntu 14.04 configs last year
when the NSA's Suite B crypto guidelines dropped 128-bit algorithms
but those changes didn't make it to my new Ubuntu 16.04 config.

It is probably overkill and paranoid, but this server is mine, so I
can make those decisions (and I only connect from modern clients).
 2016-08-16 14:28:58 +03:00
Alan Orth
33cdcc9ad1
roles/common: Add a few SHA-2 MACs to sshd_config 
Fixes a problem with Paramiko, which Ansible uses for transport.

See: http://www.paramiko.org/changelog.html#1.16.0
See: https://github.com/ilri/rmg-ansible-public/issues/37
 2016-08-16 14:24:53 +03:00
Alan Orth
e343ddc9a6
Add 'packages' tag to any task doing package stuff 
For idempotence we need to run all apt-related tasks, like editing
source files, adding keys, installing packages, etc, when running
the 'packages' tag.
 2016-08-14 16:33:48 +03:00
Alan Orth
7589136453
host_vars/web08: Update one blog to WordPress 4.6 RC2 2016-08-11 09:06:46 +03:00
Alan Orth
b284098485
roles/nginx: Add mitigation for HTTPoxy vulnerability 
Malicious requests including the HTTP_PROXY value will be able to
manipulate some server-side libraries. Better to just block them
in nginx.

See: https://httpoxy.org/
See: https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
 2016-07-21 14:45:41 +03:00
Alan Orth
a38d822fad
roles/nginx: Only run Let's Encrypt checks once a day 
I can't remember where I had seen it recommended to be twice a day,
but it seems overkill.
 2016-07-08 13:50:11 +03:00
Alan Orth
b2e2d7bb9e
roles/nginx: Better names for Let's Encrypt timer/service 2016-07-07 14:36:29 +03:00
Alan Orth
78dbdae783
roles/nginx: Fix variable check in HTTPS template 
Don't assume the variables for TLS certs exist.
 2016-07-05 19:42:56 +03:00
Alan Orth
24e54c0580
host_vars/web08: Set "use_letsencrypt" for this host 2016-06-28 10:33:57 +03:00
Alan Orth
0cd2735c82
roles/nginx: Rework Let's Encrypt stuff 
Take an opinionated stance on HTTPS and assume that hosts are using
HTTPS for all vhosts. This can either be via custom TLS cert/key
pairs defined in the host's variables (could even be self-signed
certificates on dev boxes) or via Let's Encrypt.
 2016-06-27 23:52:39 +03:00
Alan Orth
1254cea195
roles/nginx: Replace "&" with "and" 2016-06-27 19:13:20 +03:00
Alan Orth
da784467e1
host_vars/web08: Specify use_letsencrypt: 'yes' for vhosts 2016-06-27 19:11:06 +03:00
Alan Orth
b7ab2da08a
roles/nginx: Allow usage of Let's Encrypt certs 
Hosts can specify use_letsencrypt: 'yes' in their host_vars. For
now this assumes that the certificates already exist (ie, you have
to manually run Let's Encrypt first to register/create the certs).
 2016-06-27 19:07:48 +03:00
Alan Orth
8f43bf28fd
roles/nginx: Add IPv6 DNS resolvers 
From Linode's Frankfurt datacenter.
 2016-06-27 18:40:25 +03:00
Alan Orth
a0b31ee86c
roles/nginx: Prioritize DNS resolvers in Frankfurt 
The server is in Linode's DE datacenter so let's use those resolvers
instead of the ones in London.
 2016-06-27 18:32:59 +03:00
Alan Orth
09feb9a40c
roles/mariadb: Add "ansible managed" header to managed files 2016-06-27 18:09:04 +03:00
Alan Orth
283cecf2a2
host_vars/web08: Use mariadb_databases instead of wordpress_blogs to enumerate databases 2016-06-27 18:08:38 +03:00
Alan Orth
2efe2479ad
roles/mariadb: Use mariadb_databases instead of wordpress_blogs for variable 2016-06-27 18:08:02 +03:00
Alan Orth
386482494d
Remove web07 2016-06-27 17:58:28 +03:00
Alan Orth
b41bd432df
roles/nginx: Add "ansible managed" string to configs 
Generates a placeholder text to say that the file is managed by
ansible.
 2016-06-27 17:50:49 +03:00
Alan Orth
17062c6ea7 Merge pull request #27 from alanorth/timezone 
Timezone
 2016-06-27 10:31:58 +03:00
Alan Orth
715e9ed2e5
host_vars/web08: Add timezone variable 2016-06-27 10:30:31 +03:00
Alan Orth
06034a8b8b
roles/common: Use systemd's timedatectl for time stuff 
Debian 8 and Ubuntu 16.04 use systemd, so we can make use of its
NTP stuff rather than using the standalone `ntp` package.
 2016-06-27 10:30:11 +03:00
Alan Orth
91f97577c8
Add web08 2016-06-26 13:56:56 +03:00
Alan Orth
7d455b7066
README.md: Clarify requirements note to add Ubuntu 16.04 2016-06-25 21:45:24 +03:00
Alan Orth
03dc8610e9
host_vars/web07: Update WordPress to 4.5.3 2016-06-22 23:35:32 +02:00
Alan Orth
24ca33c605
roles/nginx: Disable rules for Yoast SEO 
Not using Yoast anymore. Now using the much simpler SEO Framework:

https://github.com/sybrew/the-seo-framework
 2016-06-02 11:03:35 +03:00
Alan Orth
1ed7d45c7f
roles/nginx: Fix comment about version numbers 2016-05-27 08:14:46 +03:00
Alan Orth
93451e6c5e
roles/nginx: Use mainline branch by default 
Has all the good stuff:

    http://nginx.org/en/CHANGES
 2016-05-27 08:14:04 +03:00
Alan Orth
064d277d03
host_vars/web07: Wordpress 4.5.2 2016-05-08 19:24:19 +03:00
Alan Orth
33f22b32a4
roles/common: Update sources for cron-apt 
The system's apt configuration is using restricted and multiverse
so the security sources list should as well.
 2016-05-05 12:16:37 +03:00
Alan Orth
6837b48fae
roles/nginx: Switch default version to 1.10.x (stable) 2016-04-27 15:05:19 +03:00
Alan Orth
447db17e33
roles/nginx: Update apt sources for Ubuntu now that nginx 1.10.0 is out 2016-04-27 15:04:17 +03:00
Alan Orth
38a972e085
host_vars/web07: WordPress 4.5 → 4.5.1 2016-04-27 10:38:50 +03:00
Alan Orth
0ff8fb0c05
Remove web06 host 2016-04-26 13:30:19 +03:00
Alan Orth
81e6af8f2b
roles/nginx: Add IPv6 listener in default HTTPS vhost 2016-04-25 21:49:41 +03:00
Alan Orth
1ffc4eebc9
roles/nginx: Use default_server instead of default 
Seems to be the new keyword for quite some time now, despite not
causing an error:

    http://nginx.org/en/docs/http/server_names.html
 2016-04-25 21:48:36 +03:00
Alan Orth
03519831cb
roles/nginx: Return HTTP 444 for requests to invalid hostnames 
444 is a special nginx return code that means the request was
closed without a response, see:

    http://nginx.org/en/docs/http/request_processing.html
 2016-04-25 21:45:21 +03:00
Alan Orth
37b4809546 roles/nginx: Add IPv6 DNS resolvers for OCSP stapling 2016-04-25 13:25:05 +03:00