Commit Graph

369 Commits

Author SHA1 Message Date
57120308dc
Update with_items loops to use new-ish "loop" keyword
Ansible 2.4 and 2.5 are moving away from specialized loop functions
and the old syntax will eventually be deprecated and removed. I did
not change the with_fileglob loops because I'm not sure about their
syntax yet.

See: https://docs.ansible.com/ansible/latest/user_guide/playbooks_loops.html
2018-04-02 15:52:51 +03:00
fbf61c8e61
roles/munin: Don't use loop when installing one package 2018-04-02 15:51:29 +03:00
ffee9250ee
Use new syntax for Jinja2 filters that are used as tests
Ansible 2.5.0 uses a new syntax for Jinja2 filters that are used as
tests.

See: https://docs.ansible.com/ansible/devel/porting_guides/porting_guide_2.5.html
2018-04-02 15:37:37 +03:00
d155898bb1
Use new syntax for Jinj2 filters that are used as tests
Ansible 2.5.0 uses a new syntax for Jinja2 filters that are used as
tests.

See: https://docs.ansible.com/ansible/devel/porting_guides/porting_guide_2.5.html
2018-03-21 21:17:21 +02:00
52b4efd3b0
roles/common: Use HTTPS for tarsnap package mirror 2018-03-17 11:51:45 +02:00
948058151a
roles/common: Fix issues raised by ansible-lint
[ANSIBLE0010] Package installs should not use latest
2017-12-29 20:11:55 +02:00
a5e6513be3
roles/dspace: Update gzip_types formatting
From the H5BP project, see:

https://github.com/h5bp/server-configs-nginx/blob/master/nginx.conf
2017-11-14 12:44:56 +02:00
97aca2cad2
roles/nginx: Remove Internet Explorer 6 gzip disable
I have zero idea if we have IE6 clients any more, but according to the
H5BP community IE6 actually did support gzip and only represents 0.1%
of Internet traffic in 2015 (!) anyways.

See: https://github.com/h5bp/server-configs-nginx/issues/125
2017-11-14 12:43:02 +02:00
92fe57a4da
Revert "Revert "roles/common: Use static imports for tasks""
This reverts commit 63c5477f85.

I'm actually still seeing this problem on Ansible 2.4.0.0 with Python
2.7.14.
2017-11-05 01:51:49 +02:00
36d6360eeb
roles/common: Fix error in conditional 2017-11-05 01:41:38 +02:00
fec081d40a
roles/common: Use deb.debian.org instead of httpredir
Seems to be the evolution of httpredir.
2017-11-05 01:31:16 +02:00
d15c9851db
roles/nginx: Use https for apt repository 2017-11-05 01:30:49 +02:00
55b464e8f7
roles/common: Add apt-transport-https to base packages
Allows fetching debian repositories over HTTPS.
2017-11-05 01:29:00 +02:00
1882ba612f
roles/munin: Remove ansible_os_family checks
We only run Debian family distributions now so there is no need to check
this case.
2017-11-05 01:20:20 +02:00
547d808aea
roles/common: Remove ansible_os_family checks
We're only supporting Debian family now so there's no point to check
this variable now.
2017-11-05 01:19:28 +02:00
e43d8924e8
roles/munin: Remove ansible_os_family checks
First of all, there is no ansible_os_family Ubuntu! Second, we are only
supporting Debian-based systems here so there is no need to check this.
2017-11-05 01:17:01 +02:00
5f8820bf9f
roles/common: Remove Ubuntu 14.04 logic
We're only supporting Ubuntu 16.04 now.
2017-11-05 01:11:37 +02:00
7fd6127d29
roles/common: Remove check for CentOS in sshd task
I'm not supporting CentOS here so we don't need to check this.
2017-11-05 01:01:37 +02:00
f76fc64afa
roles/common: Remove unused sshd_config templates
We're not supporting Ubuntu 14.04 or 15.04 anymore so we don't need
these templates.
2017-11-05 00:59:19 +02:00
77a3b1cff7
roles/common: Remove Debian 8 sshd_config template 2017-11-05 00:58:03 +02:00
b0524d2a2e
Remove references to Debian 8
I don't need or want to support Debian 8 anymore so I can remove all
references to it in comments and code.
2017-11-05 00:54:53 +02:00
b87f2e2fb0
roles/common: Use command module instead of shell
You should only use the "shell" module when you need shell functions
like flow control and redirects. Also, the "command" module is safer
because it is not affected by the user's environment.
2017-11-05 00:49:03 +02:00
58598f470c
roles/mariadb: Remove start/enable task
After installation the mariadb service is started and enabled, so we
don't need to do that explicitly.
2017-11-05 00:28:07 +02:00
9b4f662bc5 roles/nginx: Use systemd module instead of service 2017-11-05 00:27:44 +02:00
2d6819986f roles/munin: Use systemd module instead of service 2017-11-05 00:27:44 +02:00
0d694d44c8 roles/php-fpm: Update comment about Debian 9 2017-11-05 00:27:44 +02:00
51183617b8 roles/php-fpm: Reload service instead of restarting
No need to bounce the service for most config changes when we can just
tell the daemon to reload gracefully.
2017-11-05 00:27:44 +02:00
2a230ceff4 roles/php-fpm: Use systemd module instead of service 2017-11-05 00:27:44 +02:00
7aafa1553b roles/mariadb: Use systemd module instead of service 2017-11-05 00:27:44 +02:00
b6a54ca4d1 roles/common: Reload firewalld instead of restart
There is no need to bounce the service, just reload it.
2017-11-05 00:27:44 +02:00
0a92f3ae8f roles/common: Use systemd module instead of "service"
This was new in Ansible 2.2 but I didn't notice until now. All of our
servers are running distributions with systemd so let's just use this.
2017-11-05 00:27:44 +02:00
0e409792ca
roles/mariadb: Update comment with link to MySQL module docs 2017-11-05 00:26:32 +02:00
7b60e6d24f
Revert "Import OS-specific vars in tasks instead of play"
This reverts commit e30e4d4b1e.

I suspect this was a side effect of using Python 3 rather than an
issue in Ansible 2.4.0.0.
2017-11-04 23:53:38 +02:00
63c5477f85
Revert "roles/common: Use static imports for tasks"
This reverts commit 5147f4029b.

I think this was a side effect of using Python 3, not a regression in
Ansible 2.4.0.0.
2017-11-04 23:53:25 +02:00
620e8258ac
roles/common: Remove duplicate option in sshd_config 2017-11-01 13:22:18 +02:00
5147f4029b
roles/common: Use static imports for tasks
Something seems to have happened as of Ansible 2.4.0.0 where this no
longer works. I suspect it is related to the major changes to static
and dynamic imports that landed around this same time.

In practice this achieves the same function, but without the "magic"
ability to use one task for different operating systems.
2017-11-01 01:25:46 +02:00
e30e4d4b1e
Import OS-specific vars in tasks instead of play
Something seems to have happened as of Ansible 2.4.0.0 where this no
longer works. I suspect it is related to the major changes to static
and dynamic imports that landed around this same time.

We make sure that this tasks always runs by using the special tag of
the same name.
2017-11-01 01:21:48 +02:00
73e6d0b7ed
roles/nginx: Fix issue raised by ansible-lint
[ANSIBLE0006] systemctl used in place of systemd module

Also, move the functionality of the changed check to the systemd task,
because it has the ability to simply daemon-reload itself now.
2017-10-31 23:18:15 +02:00
4ad4d79b3d
roles/munin: Fix issue raised by ansible-lint
[ANSIBLE0010] Package installs should not use latest
2017-10-31 22:41:40 +02:00
f362207616
roles/munin: Fix issue raised by ansible-lint
[ANSIBLE0002] Trailing whitespace
2017-10-31 22:39:34 +02:00
e043cd7dfe
roles/munin: Fix issue raised by ansible-lint
[ANSIBLE0010] Package installs should not use latest
2017-10-31 22:38:32 +02:00
15bf4727c1
roles/common: Add names to include tasks
I'm not sure why these weren't caught by ansible-lint.
2017-10-03 17:46:55 +03:00
e86e2c081b
roles/nginx: Use 'present' instead of 'latest' to install nginx
Raised by the following rule in ansible-lint:

[ANSIBLE0010] Package installs should not use latest
2017-10-03 15:04:54 +03:00
5281d41445
Add names to include tasks
Raised by ansible-lint in the following rule:

[ANSIBLE0011] All tasks should be named
2017-10-03 15:03:09 +03:00
a38e2a4ff6
roles/mariadb: Use MariaDB 10.2 from vendor repo
I can't remember right now why I needed to use Debian's MariaDB build
but now I just want to use upstream's latest stable. Debian's version
is 10.1 and upstream has moved on to 10.2.
2017-09-26 15:15:27 +03:00
ff6253213a
roles/common: Rename "iptables" task to "firewall" 2017-09-26 14:32:21 +03:00
818cbfd533
roles/common: Enable firewalld in Debian 9 2017-09-26 14:30:18 +03:00
58245e3480
roles/common/tasks/main.yml: Remove comment 2017-09-22 15:53:01 +03:00
16a9ebf97f
Adjust playbooks for Ansible 2.4 import changes
Ansible 2.4 changes the way includes work. Now you have to use "import"
for playbooks and tasks that are static, and "include" for those that
are dynamic (ie, those that use variables, loops, etc).

See: http://docs.ansible.com/ansible/devel/playbooks_reuse_includes.html
2017-09-21 21:30:47 +03:00
d518bc51a4
Use nginx user instead of www-data on Debian 9
Using www-data was a temporary measure while I was waiting for the
official nginx.org packages to be released for Debian 9 and we had
to use Debian's own nginx package.
2017-06-19 18:36:13 +03:00
b945240756
roles/common: Harden sshd_config template for Debian 9 and Ubuntu 16.04
From: https://wiki.mozilla.org/Security/Guidelines/OpenSSH
2017-06-19 10:13:24 +03:00
b2d3984c5a
roles/nginx: Fix PHP-FPM socket location on Debian 9
Debian 9 and Ubuntu 16.04 use the same PHP-FPM configuration so we
can make use of that here.
2017-06-18 11:04:30 +03:00
4f22052afe
roles/common: Remove duplicate timezone task
We set it in the separate ntp.yml playbook now, as there are a few
different systems we cater to (systemd, old ntp, etc).
2017-06-18 09:30:05 +03:00
ffac0b8afd
roles/common: Update apt cache in tarsnap step
This fails on clean installs otherwise.
2017-06-18 09:27:53 +03:00
f9a0f9e6bf
roles/php-fpm: Update php7.0-php.ini.j2
Minor comment updates from the latest version from Ubuntu 16.04.
2017-05-28 15:46:15 +03:00
f85c5f3605
roles/php-fpm: Update defaults
Latest defaults from the PHP.net opcache documentation:

    https://secure.php.net/manual/en/opcache.installation.php
2017-05-28 15:45:05 +03:00
4ff2ac1737
roles/nginx: Update comment about nginx versions
Version 1.12.x is now stable and 1.13.x is now mainline.

See: https://www.nginx.com/blog/nginx-1-12-1-13-released/
2017-04-14 16:07:33 +03:00
a7a6fa38c9
roles/nginx: Official builds for Debian Stretch
Now that there are official nginx.org builds for Debian 9 we don't
need to use Debian's own nginx packages.
2017-04-14 16:06:32 +03:00
f53f3c8e7a
roles/php-fpm: Update php7.0-php.ini template
Sync with latest packaged version from Debian 9. Effectively this
only updates comments and disabled options, but having less changes
to look at during an apt upgrade is nice and reduces the chance of
adding errors.
2017-03-06 12:53:17 +02:00
5b51fcedc2
roles/nginx: Sort packages for Let's Encrypt deps on Ubuntu 2017-02-16 18:16:09 +02:00
a6f0d5f7d3
roles/nginx: Add package deps for Let's Encrypt on Debian 9
Taken from running certbot-auto on a clean Debian 9 installation.
2017-02-16 18:15:06 +02:00
d766c3dbbe
roles/common: Add tasks to install tarsnap
Now that Tarsnap has official packages this is one less thing that
needs to be manually installed from source after bringing a machine
up.

See: http://mail.tarsnap.com/tarsnap-announce/msg00037.html
2017-02-07 07:28:35 -08:00
47407188cb
roles/mariadb: Use Debian's MariaDB packages for now
MariaDB actually already has Debian 9 (stretch) packages, but they
seem to cause issues with how I'm deploying. I'll skip them for now
I think.
2017-01-30 16:54:22 +02:00
e13ef95f70
roles/nginx: Update nginx.conf.j2
This is to accomodate Debian's 9 nginx package, as it provides a
different system user/group than nginx.org's packages.
2017-01-30 15:45:50 +02:00
6de385021d
roles/nginx: Updates to accomodate Debian 9 (stretch)
There are currently no nginx.org builds for Debian 9, so we need to
use the package from Debian's repository. This package provides a
www-data user and group instead of an nginx one.

We can revert some of this after Debian 9 is released and official
builds come from nginx.org (though it might be useful to keep the
main nginx.conf as a template).
2017-01-30 15:43:03 +02:00
8c3a8fc26a
roles/php-fpm: Updates for Debian 9 (stretch)
Debian 9 is still in beta and doesn't have nginx.org builds yet, so
we need to use the nginx package in Debian's repositories, and that
required a bit of a different configuration.

After official nginx.org builds are released we can revert this.
2017-01-30 15:11:39 +02:00
1fef5c9b5a roles/common: Add sshd_config for Debian 9 (stretch)
Taken from base install and diffed against the current Ubuntu 16.04
and Debian 8 config templates.
2017-01-30 14:56:27 +02:00
9ca685a6af
roles/common: Adjust allowed user logic for Ubuntu 16.04 sshd_config 2017-01-30 12:54:35 +02:00
0d79769a5f
roles/php-fpm: Update php.ini template
Updates from upstream config.
2017-01-19 15:25:15 +02:00
50536af990
Use Ansible's version_compare instead of doing math on strings
I'm surprised this worked all these years actually. Since Ansible
version 1.6 it has been possible to use the version_compare filter
instead of doing math logic on strings.

See: https://docs.ansible.com/ansible/playbooks_tests.html
2016-12-20 15:04:47 +02:00
d694616cf3
roles/nginx: Make sure to set HSTS headers on WordPress static files
I realized the other day that due to complex logic in the location
blocks, various WordPress static files like images and stylesheets
didn't get the HTTP Strict Transport Security header set. We need
to include it on each level where we are setting headers, because
nginx overwrites headers if you set them again in a child block.
2016-11-20 17:25:01 +02:00
30a5744812
roles/nginx: Decrease gzip_min_length from 860 to 256
There was some knowledge floating around that 860 bytes was the
optimal size, I think it was from an Akamai engineer or something,
but the HTML 5 Boilerplate server configs use 256 bytes, and I
actually have HTML content that is less than 860 bytes, so I guess
I could benefit from compressing it. gzip compression is costly
for the compression side, but very quick for the client, so this
is a good thing.

See: https://github.com/h5bp/server-configs-nginx/blob/master/nginx.conf
2016-11-14 12:46:34 +02:00
c1cecd4cbf
roles/nginx: Update comment for gzip_comp_level
From the HTML 5 Boilerplate server configs, see:

https://github.com/h5bp/server-configs-nginx/blob/master/nginx.conf
2016-11-14 12:32:39 +02:00
61919745c8
roles/nginx: Update gzip compression types
Latest from the HTML 5 Boilerplate project, see:

https://github.com/h5bp/server-configs-nginx/blob/master/nginx.conf
2016-11-14 12:28:18 +02:00
36c16e93bb
roles/nginx: Reduce gzip_comp_level from 6 to 5
After performing some tests[0] again I see that level 5 produces
the most acceptable results for my site currently. Others[1] are
using the same, so I'll gladly accept a little less CPU load for
a tradeoff of a few bits of file size.

[0] https://mjanja.ch/2015/03/finding-the-nginx-gzip_comp_level-sweet-spot/
[1] https://github.com/h5bp/server-configs-nginx/blob/master/nginx.conf
2016-11-14 12:08:21 +02:00
a94b14119e
roles/nginx: Increase error log level to warn
This will show warnings in the error log, as well as more severe
log messages.

See: http://nginx.org/en/docs/ngx_core_module.html#error_log
2016-11-14 11:58:51 +02:00
3d6844a7b7
roles/nginx: Update comments in nginx.conf
Update comments from latest copy of the HTML 5 Boilerplate's nginx
server configs repo.

See: https://github.com/h5bp/server-configs-nginx/blob/master/nginx.conf
2016-11-14 11:55:37 +02:00
3a8b64a5ab
roles/nginx: Remove 'public' from Cache-Control header
If a max-age is specified the 'public' is implicit.

See: https://developers.google.com/web/fundamentals/performance/optimizing-content-efficiency/http-caching
2016-11-14 07:58:46 +02:00
a5f8ab6182
roles/nginx: Harden security headers
Always add security headers, not just for successful HTTP response
codes. See the nginx `add_header` docs.
2016-11-13 23:45:42 +02:00
99caf49a90
roles/nginx: Minor typo in comment 2016-10-18 21:41:46 -04:00
3d6afc667d
roles/nginx/tasks/letsencrypt.yml: Add system deps for certbot
Shit ton of dependencies actually... wow.
2016-10-09 14:06:06 +03:00
651c01a29b
Set use_letsencrypt to true for nginx role
The variable name is misleading as this really does is install the
certbot client and its dependencies, and we generally want this to
always happen. If a host doesn't want it, they can override it in
their host vars.

Perhaps I should rename this variable to "bootstrap_letsencrypt" or
something so it is more accurate.
2016-10-09 11:59:21 +03:00
75ef77e3cc
roles/common: Don't set up apt sources on arm
The package archives appear to be different for some reason.
2016-09-29 16:47:44 +03:00
158df52e35
roles/nginx: Fix systemd unit for renewing Let's Encrypt certs
The `ConditionFileIsExecutable` goes in the [Unit] section! This
fixes the error:

  systemd[1]: [/etc/systemd/system/renew-letsencrypt.service:6] Unknown lvalue 'ConditionFileIsExecutable' in section 'Service'
2016-09-25 15:55:45 +03:00
422caec2a7
roles/nginx: Only add PHP configuration on vhosts that need it 2016-09-13 15:59:24 +03:00
586ad76d6b
roles/nginx: Only use index.php on hosts that need it
Otherwise, use index.html.
2016-09-13 15:58:40 +03:00
bf7accdade
roles/php-fpm: Only create pools for vhosts that need PHP
Only vhosts running WordPress, etc need PHP. Make sure to set the
appopriate variables for each vhost in the host's vars, ie:

  nginx_vhosts:
    - domain_name:   example.com
      has_wordpress: True

    - domain_name:   example.net
      needs_php:     True

You can set either of them, but not both—needing WordPress implies
needing PHP.
2016-09-13 15:58:09 +03:00
740e5195a0
roles/nginx: Add new variable "needs_php"
Used to indicate if a vhost needs PHP configuration or not, like
for a static site. Set in the hosts's nginx_vhosts block. Defaults
to "False" if unset.
2016-09-13 14:53:12 +03:00
4866083539
roles/nginx: Update comment for option variables 2016-09-13 14:51:49 +03:00
d1871d9706
roles/nginx: Check for variable existence before testing
Some vhosts might not have WordPress so we need to be better about
testing for this before checking its value.
2016-09-12 20:58:21 +03:00
e036349661
roles/nginx: Only check WordPress variables is vhost is using WordPress
This variable is used to control the FastCGI cache, and doesn't
need to be checked if the vhost isn't using WordPress.
2016-09-12 20:57:10 +03:00
5f656285c0
roles/common: Add a dedicated playbook for ntp tasks
Hosts with systemd should use its NTP client and explicitly remove
the `ntp` packages. Hosts with older init systems should use `ntp`.
2016-08-25 14:19:51 +03:00
8851f8f631 Revert "Only update packages indexes if the cache is 1 hour old"
This reverts commit 201165cff6.

Turns out this actually breaks initial deployments, because the
cache gets updated in the first task, then you add sources for
nginx and mariadb, but it doesn't update the indexes because the
cache is < 3600 seconds old, so you end up getting the distro's
versions of nginx and mariadb.
2016-08-25 12:58:15 +03:00
da6d1e05b9
roles/common: Don't use ansible facts when we don't need to
No use testing the distro version only to use an ansible fact to
find the correct template.
2016-08-24 10:11:13 +03:00
861b5c5413
roles/common: Remove old comment from main playbook 2016-08-22 16:35:02 +03:00
6c6ff1b112
roles/common: Use ansible facts to reduce includes 2016-08-22 16:34:05 +03:00
bd318c5754
Use long GPG key id fingerprints 2016-08-22 16:30:20 +03:00
14de9caed8
roles/common: Use https for Ubuntu Extras repo signing key
Missed this in the earlier commit where I changed to https:// for
transporting apt keys.
2016-08-22 16:28:24 +03:00
c8adba0580
roles/nginx: Add nginx signing key id to apt_key task
When you give Ansible the key id it will check if the key exists
before trying to download and add it. I got the long fingerprint
from `sudo apt-key finger`.
2016-08-22 16:20:10 +03:00
c9ef9e24f5
Use https:// for fetching apt package signing keys
I don't know why I wasn't using these before.
2016-08-22 16:06:13 +03:00