Commit Graph

241 Commits

Author SHA1 Message Date
1ed7d45c7f
roles/nginx: Fix comment about version numbers 2016-05-27 08:14:46 +03:00
93451e6c5e
roles/nginx: Use mainline branch by default
Has all the good stuff:

    http://nginx.org/en/CHANGES
2016-05-27 08:14:04 +03:00
33f22b32a4
roles/common: Update sources for cron-apt
The system's apt configuration is using restricted and multiverse
so the security sources list should as well.
2016-05-05 12:16:37 +03:00
6837b48fae
roles/nginx: Switch default version to 1.10.x (stable) 2016-04-27 15:05:19 +03:00
447db17e33
roles/nginx: Update apt sources for Ubuntu now that nginx 1.10.0 is out 2016-04-27 15:04:17 +03:00
81e6af8f2b
roles/nginx: Add IPv6 listener in default HTTPS vhost 2016-04-25 21:49:41 +03:00
1ffc4eebc9
roles/nginx: Use default_server instead of default
Seems to be the new keyword for quite some time now, despite not
causing an error:

    http://nginx.org/en/docs/http/server_names.html
2016-04-25 21:48:36 +03:00
03519831cb
roles/nginx: Return HTTP 444 for requests to invalid hostnames
444 is a special nginx return code that means the request was
closed without a response, see:

    http://nginx.org/en/docs/http/request_processing.html
2016-04-25 21:45:21 +03:00
37b4809546 roles/nginx: Add IPv6 DNS resolvers for OCSP stapling 2016-04-25 13:25:05 +03:00
cd77b088e9
Fix a few references to php5-fpm
Unless we really mean php5-fpm, let's just say php-fpm.
2016-04-25 12:33:12 +03:00
6bf9aec64e
roles/php-fpm: Add some packages needed by Piwik on PHP7 2016-04-24 19:04:29 +03:00
0bed8e4c0b
roles/nginx: Fix for path to PHP-FPM socket on Ubuntu 16.04 2016-04-22 18:19:30 +03:00
4a99c73d62 roles/php-fpm: Add php.ini and pool.conf for PHP 7 2016-04-22 11:25:35 +03:00
da63e67614 roles/php-fpm: Split up task for Debian and Ubuntu
Debian 8 and Ubuntu 16.04 use PHP 5.6 and 7.0, respectively, and
the php-fpm versions use slightly different configs and service
names.
2016-04-22 11:25:35 +03:00
904bb9c094 roles/php-fpm: Rename tags from php5-fpm to php-fpm 2016-04-22 11:25:35 +03:00
8d4ee6f430 Rename php5-fpm role to php-fpm
In Ubuntu 16.04 the package is now called just "php-fpm" and it
makes more sense to just have this role be called that.
2016-04-22 11:25:35 +03:00
f90eff6b1a roles/nginx: Update sources.list template for Ubuntu 16.04
Use Ubuntu 15.10 builds for now.
2016-04-22 11:25:35 +03:00
419d0c7e9a roles/mariadb: Remove old MariaDB sources.list 2016-04-22 11:25:35 +03:00
35d0bee6cf roles/mariadb: Use a template for sources
When you use the apt_repository module it adds a sources.list with
an annoying filename, and also it's just easier to use a template
when we have different distros/versions to support.
2016-04-22 11:25:35 +03:00
a0bb4c2f57 roles/common: Add sshd_config for Ubuntu 16.04 2016-04-22 11:25:35 +03:00
d265b522e8 roles/common: Update iptables for Ubuntu 16.04
Basically, anything after 15.04 is using firewalld.
2016-04-22 11:25:35 +03:00
ad232a7a8b
roles/common: Remove old SSH key 2016-04-22 11:24:35 +03:00
bedc820312
roles/mariadb: Manage /etc/mysql/my.cnf
Set some sane defaults and manage the config file with a template.
2016-04-22 10:08:32 +03:00
ebf79c5b07
roles/nginx: Add missing nginx tag
The creation of the fastcgi cache dir is part of the nginx role and
should be labled as such. In situations where you only run nginx
tasks with `-t nginx` nginx will fail to start due to the missing
cache dir.
2016-04-15 12:29:35 +03:00
c8d2783159
roles/php5-fpm: Update php.ini from latest upstream
Debian 8.4 shipped with a new php.ini. It's mostly just updates to
comments and default values.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2016-04-02 20:14:53 +03:00
d50212c66c roles/nginx: Remove extra semi colon in HSTS preload header
Google's preload check application pointed out that there was an
extra semi colon in the HTTP header:

    $ hstspreload checkdomain alaninkenya.org

    Warning:

    1. Syntax warning: Header includes an empty directive or extra semicolon.

The tool can be downloaded here: https://github.com/chromium/hstspreload

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2016-03-31 13:35:44 +03:00
fe6c733cae
roles/nginx: Turn on tcp_nopush in nginx.conf
It seems tcp_nopush is meant to be used with sendfile in newer
versions of nginx.

See: https://github.com/h5bp/server-configs-nginx/blob/master/nginx.conf
See: https://t37.net/nginx-optimization-understanding-sendfile-tcp_nodelay-and-tcp_nopush.html

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2016-03-14 00:07:35 +02:00
250b196bf8
roles/nginx: Add comment for sendfile option
From: https://github.com/h5bp/server-configs-nginx/blob/master/nginx.conf

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2016-03-12 19:27:56 +02:00
89bee2e6db
roles/nginx: Add comment for gzip_vary
From: https://github.com/h5bp/server-configs-nginx/blob/master/nginx.conf

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2016-03-12 19:25:57 +02:00
27a3ee9651
roles/nginx: Add cache control header for SVG images
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2016-03-12 19:17:40 +02:00
c6cc1f57bb
roles/nginx: Add image/svg+xml to gzip types
Google's PageSpeed Insights tool pointed out that the Genericons
in WordPress' Jetpack module could be compressed.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2016-03-12 19:16:23 +02:00
926cdf58cf
roles/nginx: keepalive_timeout is in seconds
See: http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2016-03-12 19:02:57 +02:00
6a3b8f0918
Update some bare variables in with_items loops to use Ansible 2.0 syntax
See: https://docs.ansible.com/ansible/porting_guide_2.0.html

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2016-03-11 18:53:07 +02:00
869d7f6c7e
roles/php5-fpm: Disable always_populate_raw_post_data
Deprecated in PHP 5.6 and causes problems with Piwik. I'm not sure
if WordPress needs this, but I did find some references in its code
to $HTTP_RAW_POST_DATA.

See: https://secure.php.net/manual/en/migration56.deprecated.php#migration56.deprecated.raw-post-data
See: https://www.bram.us/2014/10/26/php-5-6-automatically-populating-http_raw_post_data-is-deprecated-and-will-be-removed-in-a-future-version/

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2016-03-11 18:50:32 +02:00
43a7039dc9
roles/nginx: Remove "enable_https" config logic
Everything is HTTPS now, whether self-signed or otherwise, so it
doesn't make sense to have a config switch for this.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-10 00:38:53 +02:00
940b2720da
Rename nginx_* variables underneath nginx_vhosts
It's just deduplication, since it's already obvious that the dict
is for nginx-related vars:

    - nginx_domain_name→domain_name
    - nginx_domain_aliases→domain_aliases
    - nginx_enable_https→enable_https
    - nginx_enable_hsts→enable_hsts

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-10 00:25:44 +02:00
41547defb9
Finish moving logic and variables from nginx_tls_vhosts to nginx_vhosts
Everything is TLS now (whether self-signed or not), so it's pointless
to distinguish.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-10 00:14:47 +02:00
7b9536838c
roles/nginx: Move nginx tls_vhosts.yml to vhosts.yml
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-09 23:56:50 +02:00
dc5c09036c
Change pattern from nginx_tls_vhosts→nginx_vhosts
All hosts should have TLS now, whether self-signed "snakeoil" certs
or otherwise.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-09 23:54:18 +02:00
27a4abfcfd
roles/nginx: Add comments about defaults in templates
It would be bettwe to set these defaults in the role's defaults, but
we can't because they exist in dicts for each of the host's sites.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-09 23:29:33 +02:00
86ee36da77
roles/nginx: Clean up template spacing
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-09 23:25:38 +02:00
a8005404f1
roles/nginx: Use more consistent naming for per-host nginx options
The `enable_https` option in host_vars becomes `nginx_enable_https`
to be more consistent with other nginx options used in host_vars.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-09 23:21:19 +02:00
d80399d152
roles/php5-fpm: Increase memory allocation
I added another WordPress blog so I need more memory for caching
now. Eventually I wonder if I should deduplicate these somehow...

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-08 21:08:34 +02:00
805db6a9ef
roles/mariadb: Create utf8mb4 databases by default
This is better for supporting Unicode values in the database, see:

https://mathiasbynens.be/notes/mysql-utf8mb4

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-08 17:27:37 +02:00
a7094e0964
roles/nginx: Adjust spacing in template
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-08 17:19:46 +02:00
98afeddbbf
roles/nginx: Allow using self-signed TLS certs with dev hosts
Set `use_snakeoil_cert: 'yes'` in host_vars. This is good for dev
hosts where we don't have real domains or real certs. But everything
should have TLS.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-08 17:18:21 +02:00
4507e20155 roles/nginx: Change owner/group of WordPress folder to nginx after cloning
Otherwise stuff like theme and plugin installs won't work.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-08 16:58:54 +02:00
60c37821d6
roles/nginx: Only use Linode DNS resolvers for OCSP if it's a linode host
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-11-30 17:40:32 +02:00
5f71991259
roles/common: Use httpredir.debian.org as default Debian mirror
Automatically uses the best mirror for your location, see:

    http://httpredir.debian.org/demo.html

Should be much better than any hardcoded default for most hosts.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-11-30 09:34:16 +02:00
c0431d4247 Switch HTTPS vhosts to Let's Encrypt certificates
For now I generated the certs manually, but in the future the play-
book should run the letsencrypt-auto client for us!

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-11-07 20:53:39 +03:00
13a1889017
roles/mariadb: Upgrade to MariaDB 10.1
10.1 was marked as stable:

https://blog.mariadb.org/mariadb-10-1-is-stable-ga/

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-10-19 21:54:26 +01:00
229dd499dd
roles/php5-fpm: Remove default www pool
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-09-27 01:28:47 +03:00
cb67d6aa40
Rename 'use_https' to 'enable_https'
To be consistent with other similar variables.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-09-27 00:34:40 +03:00
52dc0c357b
roles/nginx: Add HSTS check to vhost template
We need to actually check if HSTS was requested before setting the
header in the block handing PHP requests. We check in the main vhost
block, but nginx headers are only inherited if you don't set ANY
headers in child blocks (ie, headers set in parent blocks are cleared
if you set any new ones in the child).

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-09-27 00:27:41 +03:00
48978407b8
roles/nginx: Move HTTP Strict Transport Security toggle to vhosts
This is really a per-site setting, so it doesn't make sense to have
a role default. Anyways, HSTS is kinda tricky and potentially dang-
erous, so unless a vhost explicitly sets it to "yes" we shouldn't
enable it.

Note: also switch from using a boolean to using a string; it is st-
ill declarative, but at least now I don't have to guess whether it
is being treated as a bool or not.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-09-27 00:24:58 +03:00
f16b143eac
roles/munin: Update munin-node.conf template
We actually need to use /var/log/munin for munin-node on Debian
too, as that's what is created by the package manager during
installation.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-09-26 23:30:22 +03:00
24a3724dfe roles/nginx: Remove spdy_headers_comp
It was deprecated when nginx added support for HTTP/2.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-09-23 18:20:38 +03:00
a3e71e75d2
roles/nginx: SPDY -> HTTP/2
nginx 1.9.5 mainline adds support for HTTP/2 and deprecates SPDY.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-09-22 19:40:30 +03:00
973b37be4e
roles/common: Tweak sshd_config to match NSA Suite B recommendations
NSA stopped recommending AES-128 in August, 2015...

Before: https://web.archive.org/web/20150403110658/https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml
After: https://web.archive.org/web/20150815072948/https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml

I don't see why we shouldn't follow suit; maybe they know something
we don't!

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-09-02 16:55:51 +03:00
8b336352d7
roles/common: Only allow ssh access by provisioning user
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-09-02 12:24:11 +03:00
bc28cd008c
roles/munin: Allow running on Debian hosts
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-09-01 00:10:16 +03:00
9c70ab29e3
roles/nginx: Rename nginx sources.list template
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 13:24:43 +03:00
b214bdfae8
roles/nginx: Add Debian support to nginx sources.list template
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 13:22:36 +03:00
9ad8209fd4
roles/mariadb: Allow MariaDB repo installation on Debian and Ubuntu
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 13:14:46 +03:00
c480075789
roles/common: Use "interface" instead of "alias" to get interface name in firewalld template
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 12:06:47 +03:00
9266d48c9f
roles/common: Separate firewalld tasks for Ubuntu and Debian
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 12:06:25 +03:00
18ca44193d
roles/common: Add sysctl template for Debian hosts
Note: I've only tested this on a Debian container, and you can't
set these sysctls on containers (the host controls them). To make
matters worse, there is no fact to make ansible skip this on hosts
that are running in containers. For now I will just skip it on
hosts that are "virtualization" servers... even though we actually
do have KVM running on Debian on real hardware. *sigh*

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 00:12:17 +03:00
56df8b38ca roles/common: Use new cron-apt tasks
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 00:02:40 +03:00
96fe209843 roles/common: Fix mode on Debian 8 sshd_config
Accidentally added it with 777.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 00:02:39 +03:00
7519995153 roles/common: Add Debian 8 sshd_config
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 00:02:39 +03:00
dc24285ec6 roles/common: Use apt_mirror variable in Debian sources
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 00:02:39 +03:00
28f61d589e roles/common: Add Debian support to sources.list template
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 00:02:39 +03:00
e15d1be867 roles/common: Add playbook for Debian packages
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 00:02:39 +03:00
1fc2453703 roles/common: Add firewalld support
Needed in Ubuntu 15.04 where iptables-persistent is going away. I
have added translations of the current IPv4 and IPv6 iptables rules.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 00:02:39 +03:00
16a0bb9086 roles/nginx: Use utopic (14.10) nginx builds on 15.04
Upstream hasn't made 15.04 builds yet...

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 00:02:38 +03:00
9aaad366f5 roles/common: Only add extras repo on Ubuntu 14.04
The Extras repo was discontinued after 14.10 (but the latest we
deploy is 14.04).

See: https://lists.ubuntu.com/archives/technical-board/2015-January/002063.html

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 00:02:38 +03:00
e84f777a6b roles/common: Bring Ubuntu 15.04 sshd_config up to date with standards
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 00:02:38 +03:00
b2dbd138f7 roles/common: Add Ubuntu 15.04 sshd_config
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 00:02:38 +03:00
68493beba3
roles/common: Reload sshd instead of restarting
No need to restart for a config change.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 00:01:17 +03:00
8e0a292b1d
roles/common: Move sshd tasks to their own playbook
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 00:00:43 +03:00
7f929d5b80
roles/common: Remove unused cron-apt files
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-22 23:42:03 +03:00
fc586a2297
roles/common: Adjust cron-apt stuff
- Don't run the static files as templates
- Use a separate playbook for related tasks
- Use a template for security.sources.list

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-22 23:39:22 +03:00
ce1d64ce66
roles/php5-fpm: Hide HTTP X-Powered-By PHP header
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-09 20:10:11 +03:00
78cb49c88b roles/nginx: Add missing nginx tag to blank vhost task
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-06-06 00:07:50 +03:00
151fb29687 roles/nginx: Add blank vhost
For security and predictability clients should only get a reponse
if they request a hostname we are actually hosting.

If TLS is in use then this will use a self-signed snakeoil cert for
an HTTPS-enabled blank, default vhost.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-06-06 00:07:50 +03:00
8b77fd7f94 roles/nginx: Templatize SSL parameters using role defaults
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-06-06 00:07:50 +03:00
ae10677b65
roles/common: Specify default apt_mirror for fallback in sources.list template
New hosts often fail due to not having an apt_mirror, because there
isn't one defined for their group and their host_vars haven't over-
ridden it.

We want new hosts to deploy successfully, so let's just use a default
apt_mirror if there isn't one defined. Rather have a slow mirror than
a failed deployment. And in any case, Linode can download from KENET's
mirror at 10MB/sec. ;)

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-06-04 21:57:11 +03:00
fe765f5d3a
roles/nginx: Fix TLS cert loop to use the current item
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-06-01 14:46:06 +03:00
4b74964963
roles/nginx: Do a shallow clone of WordPress git
I realized there was no need to do a full clone when I was working
in a Vagrant environment in a coffee shop with slow Internet. ;)

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-06-01 14:32:05 +03:00
def8d83d49
roles/munin: Use apt module explicitly
Instead of using dynamic hack to use the package manager for the
current host. We only have Ubuntu here anyways.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-26 00:02:43 +03:00
a8f4500567 Add IPv6 support to firewall tasks / template
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-25 18:17:23 +03:00
a17cb2a0a0 roles/nginx: Add initial IPv6 support to vhost template
Still need to add ip6tables rules

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-25 11:53:57 +03:00
3746e798b6
roles/nginx: Use template for nginx repo
A template is better than ansible's `apt_repository` module because
we can idempotently control the contents of the file based on vari-
ables.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-25 00:15:49 +03:00
aa5a9f5dd8
roles/common: Add vim modeline
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-24 23:55:04 +03:00
7212b87f09
roles/nginx: Adjust HSTS headers for https block of vhost template
I was only setting it on the PHP block, which is for all dynamic
requests (ie pages from WordPress), but it should also be the same
for all static files not served from that block.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-20 15:56:19 +03:00
caec2440bb
roles/nginx: Fix HSTS header in vhost config
We always want to add the header, not add a header with value
"always"!

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-20 15:54:10 +03:00
f9ea01ba8f roles/nginx: Use stronger HSTS header
Include subdomains in the HTTP Strict Transport Security header,
and include the "preload" verb to inform Google we want to be pre-
loaded into the HSTS preload.

See: https://hstspreload.appspot.com/

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-13 18:35:26 +03:00
3a4e7455c7
roles/php5-fpm: Tweak opcache settings
Reduce memory allocation from 128 -> 72M because after a few days
of running it's only using 64 or so, so it's really just a waste of
memory.

Also, disable opcache for CLI. What the hell do you need opcaching
in the CLI invocation for? It only persists for one process!

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-09 12:34:45 +03:00
2d6ce778df
roles/php5-fpm: Add templated php.ini
Adds a default php.ini for php5-fpm from Ubuntu 14.04 which enables
sane settings for PHP 5.5's opcache as well as disables pathinfo.

Closes #9.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-05 11:27:13 +03:00
e675b750c4
roles/nginx: Switch to nginx stable branch
Remove old mainline repo and add stable repo to get nginx 1.8.0.

See: http://nginx.org/en/CHANGES-1.8

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-04-23 14:52:22 +03:00