Commit Graph

761 Commits

Author SHA1 Message Date
151fb29687 roles/nginx: Add blank vhost
For security and predictability clients should only get a reponse
if they request a hostname we are actually hosting.

If TLS is in use then this will use a self-signed snakeoil cert for
an HTTPS-enabled blank, default vhost.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-06-06 00:07:50 +03:00
8b77fd7f94 roles/nginx: Templatize SSL parameters using role defaults
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-06-06 00:07:50 +03:00
bd4f2ae5b6
README.md: Use simple syntax for code blocks
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-06-05 18:18:28 +03:00
afa15c9671
README.md: Update instructions for usage with Vagrant
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-06-05 18:17:13 +03:00
eae33a26d7 Add Vagrantfile
Quickly bring up an Ubuntu 14.04 box then SSH in and add the provisioning
user. Then provision it with ansible like any other machine.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-06-05 08:34:30 +03:00
b701e9641c
host_vars/web05: Override apt_mirror
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-06-04 21:59:13 +03:00
ae10677b65
roles/common: Specify default apt_mirror for fallback in sources.list template
New hosts often fail due to not having an apt_mirror, because there
isn't one defined for their group and their host_vars haven't over-
ridden it.

We want new hosts to deploy successfully, so let's just use a default
apt_mirror if there isn't one defined. Rather have a slow mirror than
a failed deployment. And in any case, Linode can download from KENET's
mirror at 10MB/sec. ;)

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-06-04 21:57:11 +03:00
fe765f5d3a
roles/nginx: Fix TLS cert loop to use the current item
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-06-01 14:46:06 +03:00
4b74964963
roles/nginx: Do a shallow clone of WordPress git
I realized there was no need to do a full clone when I was working
in a Vagrant environment in a coffee shop with slow Internet. ;)

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-06-01 14:32:05 +03:00
636d37f5a3
Add miscellaneous playbook to change the provisioning user's password
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-06-01 14:27:58 +03:00
def8d83d49
roles/munin: Use apt module explicitly
Instead of using dynamic hack to use the package manager for the
current host. We only have Ubuntu here anyways.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-26 00:02:43 +03:00
a8f4500567 Add IPv6 support to firewall tasks / template
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-25 18:17:23 +03:00
a17cb2a0a0 roles/nginx: Add initial IPv6 support to vhost template
Still need to add ip6tables rules

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-25 11:53:57 +03:00
3746e798b6
roles/nginx: Use template for nginx repo
A template is better than ansible's `apt_repository` module because
we can idempotently control the contents of the file based on vari-
ables.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-25 00:15:49 +03:00
aa5a9f5dd8
roles/common: Add vim modeline
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-24 23:55:04 +03:00
44642387b4
.gitignore: Ignore Vagrant directory
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-24 23:00:48 +03:00
7212b87f09
roles/nginx: Adjust HSTS headers for https block of vhost template
I was only setting it on the PHP block, which is for all dynamic
requests (ie pages from WordPress), but it should also be the same
for all static files not served from that block.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-20 15:56:19 +03:00
caec2440bb
roles/nginx: Fix HSTS header in vhost config
We always want to add the header, not add a header with value
"always"!

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-20 15:54:10 +03:00
f9ea01ba8f roles/nginx: Use stronger HSTS header
Include subdomains in the HTTP Strict Transport Security header,
and include the "preload" verb to inform Google we want to be pre-
loaded into the HSTS preload.

See: https://hstspreload.appspot.com/

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-13 18:35:26 +03:00
3a4e7455c7
roles/php5-fpm: Tweak opcache settings
Reduce memory allocation from 128 -> 72M because after a few days
of running it's only using 64 or so, so it's really just a waste of
memory.

Also, disable opcache for CLI. What the hell do you need opcaching
in the CLI invocation for? It only persists for one process!

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-09 12:34:45 +03:00
3edd31d347
README.md: Add section about Licensing
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-08 15:59:32 +03:00
06e9672d04
Add copy of GPLv3 license
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-08 15:59:15 +03:00
9c9af27211
README.md: Adjust headings
Use second- and third-level headings, respectively. When rendered
in GitHub, `#` is an `<h1>`, which should actually be the most pro-
minent heading on the page; in this case GitHub's own headings sho-
uld take precedence, so ours should start at `<h2>` essentially.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-08 11:19:46 +03:00
00ad866655
host_vars/web05: WordPress 4.2.1 -> 4.2.2
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-07 10:16:47 +03:00
40499131cc Merge pull request #10 from alanorth/php.ini
roles/php5-fpm: Add templated php.ini
2015-05-05 11:33:51 +03:00
2d6ce778df
roles/php5-fpm: Add templated php.ini
Adds a default php.ini for php5-fpm from Ubuntu 14.04 which enables
sane settings for PHP 5.5's opcache as well as disables pathinfo.

Closes #9.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-05 11:27:13 +03:00
48daa37462
host_vars/web05: Update WordPress to 4.2.1
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-04-28 12:06:06 +03:00
be22b70ec3
host_vars/web05: Update WordPress from 4.1.2 -> 4.2
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-04-24 22:06:24 +03:00
25de66d605
host_vars/web05: WordPress 4.1.1 -> 4.1.2
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-04-23 23:12:20 +03:00
e675b750c4
roles/nginx: Switch to nginx stable branch
Remove old mainline repo and add stable repo to get nginx 1.8.0.

See: http://nginx.org/en/CHANGES-1.8

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-04-23 14:52:22 +03:00
4602f03bed
roles/nginx: Fix comment in main task
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-25 12:59:10 +03:00
bb55506464
roles/nginx: Use Linode DNS servers for OCSP resolvers
I didn't realize Linode had DNS resolvers, but they are much closer
than anything else (obviously).

Here is OpenDNS:

    # mtr --report 208.67.222.222
    Start: Sun Mar 22 15:31:50 2015
    HOST: mjanja                    Loss%   Snt   Last   Avg  Best  Wrst StDev
      1.|-- router1-lon.linode.com     0.0%    10    0.5   0.9   0.5   3.4   0.7
      2.|-- 212.111.33.233             0.0%    10    1.4   1.4   1.2   1.9   0.0
      3.|-- 217.20.44.194              0.0%    10    0.7   0.8   0.7   1.2   0.0
      4.|-- lonap.rtr1.lon.opendns.co  0.0%    10    1.2   1.1   0.9   1.4   0.0
      5.|-- resolver1.opendns.com      0.0%    10    1.0   0.9   0.8   1.0   0.0

And here is Linode's:

    # mtr --report 109.74.192.20
    Start: Sun Mar 22 15:32:30 2015
    HOST: mjanja                    Loss%   Snt   Last   Avg  Best  Wrst StDev
      1.|-- router2-lon.linode.com     0.0%    10    0.5   0.6   0.5   0.8   0.0
      2.|-- resolver1.london.linode.c  0.0%    10    0.4   0.4   0.3   0.8   0.0

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-22 19:06:33 +03:00
ae8937eb96 roles/nginx: Just enable OCSP
I was attempting to make the config easier to use in test environments
where the key is self-signed, but meh, I rarely do that and I think
this logic doesn't actually work.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-22 19:05:50 +03:00
9ce7ac72f9
roles/nginx: Add extra-security headers to PHP block
nginx inherits headers from higher-level blocks UNLESS we also set
headers in the current block. In this case the FastCGI cache header
was being set, so we weren't getting the extra-security ones.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-19 09:32:06 +03:00
934db06887 roles/nginx: Add HTTP Strict Transport Security headers to PHP block
nginx blocks inherit headers set in blocks above them UNLESS the
current level also sets headers[0]. This was causing PHP requests
to not have STS headers because of the FastCGI cache header which
is set in that block.

[0] http://nginx.org/en/docs/http/ngx_http_headers_module.html

Fixes GitHub #7.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-19 09:30:26 +03:00
04e453df51 Revert "roles/nginx: Correct HSTS header in https template"
This reverts commit 5c7404d228.

'always' is legal in nginx >= 1.7.5:

If the always parameter is specified (1.7.5), the header field will be added regardless of the response code.

See: http://nginx.org/en/docs/http/ngx_http_headers_module.html
2015-03-18 18:33:19 +03:00
5c7404d228
roles/nginx: Correct HSTS header in https template
Apparently the "always" syntax isn't used anymore (ever?), not sure
where I got it from but this definitely causes HSTS to not work.

See: https://mozilla.github.io/server-side-tls/ssl-config-generator/
See: https://raymii.org/s/tutorials/HTTP_Strict_Transport_Security_for_Apache_NGINX_and_Lighttpd.html

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-18 10:20:55 +03:00
6422cb7507
roles/nginx: Switch nginx OCSP resolver to OpenDNS
We don't need to give Google EVERYTHING.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-18 09:06:22 +03:00
a3d29a559b
roles/munin: Remove unused config file
We are using a Jinja template instead.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-18 09:00:06 +03:00
116fc9c7bf
vars/Ubuntu.yml: Add variables for provisioning user
This user should already exist from the preseed!

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-16 13:47:54 +03:00
3a5b50f941
roles/common: Set I/O scheduler via udev
All servers with non-rotating disks (SSDs) should be running noop,
and the rest should be running deadline.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-15 17:52:05 +03:00
9fda345a24
roles/common: Fix one logic mistake in rc.local task
I think it was originally supposed to be `ansible_os_family` but
we don't have anything other than Ubuntu, so let's just use that.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-15 17:43:21 +03:00
2367b843d9
roles/common: Remove I/O scheduler logic from rc.local
It's better to set this using udev rules anyways

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-15 17:40:54 +03:00
4a1158e163
roles/common: Remove CentOS rclocal task
No CentOS hosts here!

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-15 17:40:07 +03:00
891bd35171 roles/common: Move tags from subtask to main one
Child tasks inherit the tag of the parent.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-15 17:34:13 +03:00
4efb6edb7e
roles/common: Indent some yaml stuff in main.yml
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-15 17:31:29 +03:00
b70ae58f48
roles/common: Simplify when logic in main template
Less syntax is more readable syntax.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-15 17:29:41 +03:00
58222706ba
roles/common: Remove logic for TCP congestion avoidance on early kernels in sysctl
We don't have anything near 2.6.32 anymore.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-15 17:25:33 +03:00
60ba4dacbd
roles/common: Add TCP/IP tweaks to sysctl template
Disable TCP slow start and increase the number of ports available
for client connections.

See: http://vincent.bernat.im/en/blog/2014-tcp-time-wait-state-linux.html
See: http://www.chromium.org/spdy/spdy-best-practices

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-15 17:23:10 +03:00
942f45834f
roles/nginx: Use a more descriptive variable name for bypassing the proxy_cache
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-11 13:51:48 +03:00