I think it's a good idea to only run/include a role if the remote host
is running Ubuntu OS - doesn't hurt to do an extra check even though
the README clearly assumes so.
Signed-off-by: James Oguya <oguyajames@gmail.com>
For security and predictability clients should only get a reponse
if they request a hostname we are actually hosting.
If TLS is in use then this will use a self-signed snakeoil cert for
an HTTPS-enabled blank, default vhost.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
Quickly bring up an Ubuntu 14.04 box then SSH in and add the provisioning
user. Then provision it with ansible like any other machine.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
New hosts often fail due to not having an apt_mirror, because there
isn't one defined for their group and their host_vars haven't over-
ridden it.
We want new hosts to deploy successfully, so let's just use a default
apt_mirror if there isn't one defined. Rather have a slow mirror than
a failed deployment. And in any case, Linode can download from KENET's
mirror at 10MB/sec. ;)
Signed-off-by: Alan Orth <alan.orth@gmail.com>
I realized there was no need to do a full clone when I was working
in a Vagrant environment in a coffee shop with slow Internet. ;)
Signed-off-by: Alan Orth <alan.orth@gmail.com>
Instead of using dynamic hack to use the package manager for the
current host. We only have Ubuntu here anyways.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
A template is better than ansible's `apt_repository` module because
we can idempotently control the contents of the file based on vari-
ables.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
I was only setting it on the PHP block, which is for all dynamic
requests (ie pages from WordPress), but it should also be the same
for all static files not served from that block.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
Include subdomains in the HTTP Strict Transport Security header,
and include the "preload" verb to inform Google we want to be pre-
loaded into the HSTS preload.
See: https://hstspreload.appspot.com/
Signed-off-by: Alan Orth <alan.orth@gmail.com>
Reduce memory allocation from 128 -> 72M because after a few days
of running it's only using 64 or so, so it's really just a waste of
memory.
Also, disable opcache for CLI. What the hell do you need opcaching
in the CLI invocation for? It only persists for one process!
Signed-off-by: Alan Orth <alan.orth@gmail.com>
Use second- and third-level headings, respectively. When rendered
in GitHub, `#` is an `<h1>`, which should actually be the most pro-
minent heading on the page; in this case GitHub's own headings sho-
uld take precedence, so ours should start at `<h2>` essentially.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
Adds a default php.ini for php5-fpm from Ubuntu 14.04 which enables
sane settings for PHP 5.5's opcache as well as disables pathinfo.
Closes#9.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
I was attempting to make the config easier to use in test environments
where the key is self-signed, but meh, I rarely do that and I think
this logic doesn't actually work.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
nginx inherits headers from higher-level blocks UNLESS we also set
headers in the current block. In this case the FastCGI cache header
was being set, so we weren't getting the extra-security ones.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
nginx blocks inherit headers set in blocks above them UNLESS the
current level also sets headers[0]. This was causing PHP requests
to not have STS headers because of the FastCGI cache header which
is set in that block.
[0] http://nginx.org/en/docs/http/ngx_http_headers_module.html
Fixes GitHub #7.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
This reverts commit 5c7404d22856a332ea4176beb88be3723a6a169e.
'always' is legal in nginx >= 1.7.5:
If the always parameter is specified (1.7.5), the header field will be added regardless of the response code.
See: http://nginx.org/en/docs/http/ngx_http_headers_module.html
All servers with non-rotating disks (SSDs) should be running noop,
and the rest should be running deadline.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
I think it was originally supposed to be `ansible_os_family` but
we don't have anything other than Ubuntu, so let's just use that.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
