Alan Orth
a8f4500567
Add IPv6 support to firewall tasks / template
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-25 18:17:23 +03:00
Alan Orth
a17cb2a0a0
roles/nginx: Add initial IPv6 support to vhost template
Still need to add ip6tables rules
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-25 11:53:57 +03:00
Alan Orth
3746e798b6
roles/nginx: Use template for nginx repo
A template is better than ansible's `apt_repository` module because
we can idempotently control the contents of the file based on variables.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-25 00:15:49 +03:00
Alan Orth
aa5a9f5dd8
roles/common: Add vim modeline
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-24 23:55:04 +03:00
Alan Orth
44642387b4
.gitignore: Ignore Vagrant directory
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-24 23:00:48 +03:00
Alan Orth
7212b87f09
roles/nginx: Adjust HSTS headers for https block of vhost template
I was only setting it on the PHP block, which is for all dynamic
requests (ie pages from WordPress), but it should also be the same
for all static files not served from that block.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-20 15:56:19 +03:00
Alan Orth
caec2440bb
roles/nginx: Fix HSTS header in vhost config
We always want to add the header, not add a header with value
"always"!
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-20 15:54:10 +03:00
Alan Orth
f9ea01ba8f
roles/nginx: Use stronger HSTS header
Include subdomains in the HTTP Strict Transport Security header,
and include the "preload" verb to inform Google we want to be
preloaded into the HSTS preload.
See: https://hstspreload.appspot.com/
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-13 18:35:26 +03:00
Alan Orth
3a4e7455c7
roles/php5-fpm: Tweak opcache settings
Reduce memory allocation from 128 -> 72M because after a few days
of running it's only using 64 or so, so it's really just a waste of
memory.
Also, disable opcache for CLI. What the hell do you need opcaching
in the CLI invocation for? It only persists for one process!
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-09 12:34:45 +03:00
Alan Orth
3edd31d347
README.md: Add section about Licensing
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-08 15:59:32 +03:00
Alan Orth
06e9672d04
Add copy of GPLv3 license
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-08 15:59:15 +03:00
Alan Orth
9c9af27211
README.md: Adjust headings
Use second- and third-level headings, respectively. When rendered
in GitHub, `#` is an `<h1>`, which should actually be the most
prominent heading on the page; in this case GitHub's own headings
should take precedence, so ours should start at `<h2>` essentially.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-08 11:19:46 +03:00
Alan Orth
00ad866655
host_vars/web05: WordPress 4.2.1 -> 4.2.2
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-07 10:16:47 +03:00
Alan Orth
40499131cc
Merge pull request #10 from alanorth/php.ini
roles/php5-fpm: Add templated php.ini
2015-05-05 11:33:51 +03:00
Alan Orth
2d6ce778df
roles/php5-fpm: Add templated php.ini
Adds a default php.ini for php5-fpm from Ubuntu 14.04 which enables
sane settings for PHP 5.5's opcache as well as disables pathinfo.
Closes #9.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-05-05 11:27:13 +03:00
Alan Orth
48daa37462
host_vars/web05: Update WordPress to 4.2.1
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-04-28 12:06:06 +03:00
Alan Orth
be22b70ec3
host_vars/web05: Update WordPress from 4.1.2 -> 4.2
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-04-24 22:06:24 +03:00
Alan Orth
25de66d605
host_vars/web05: WordPress 4.1.1 -> 4.1.2
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-04-23 23:12:20 +03:00
Alan Orth
e675b750c4
roles/nginx: Switch to nginx stable branch
Remove old mainline repo and add stable repo to get nginx 1.8.0.
See: http://nginx.org/en/CHANGES-1.8
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-04-23 14:52:22 +03:00
Alan Orth
4602f03bed
roles/nginx: Fix comment in main task
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-25 12:59:10 +03:00
Alan Orth
bb55506464
roles/nginx: Use Linode DNS servers for OCSP resolvers
I didn't realize Linode had DNS resolvers, but they are much closer
than anything else (obviously).
Here is OpenDNS:
# mtr --report 208.67.222.222
Start: Sun Mar 22 15:31:50 2015
HOST: mjanja Loss% Snt Last Avg Best Wrst StDev
1.|-- router1-lon.linode.com 0.0% 10 0.5 0.9 0.5 3.4 0.7
2.|-- 212.111.33.233 0.0% 10 1.4 1.4 1.2 1.9 0.0
3.|-- 217.20.44.194 0.0% 10 0.7 0.8 0.7 1.2 0.0
4.|-- lonap.rtr1.lon.opendns.co 0.0% 10 1.2 1.1 0.9 1.4 0.0
5.|-- resolver1.opendns.com 0.0% 10 1.0 0.9 0.8 1.0 0.0
And here is Linode's:
# mtr --report 109.74.192.20
Start: Sun Mar 22 15:32:30 2015
HOST: mjanja Loss% Snt Last Avg Best Wrst StDev
1.|-- router2-lon.linode.com 0.0% 10 0.5 0.6 0.5 0.8 0.0
2.|-- resolver1.london.linode.c 0.0% 10 0.4 0.4 0.3 0.8 0.0
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-22 19:06:33 +03:00
Alan Orth
ae8937eb96
roles/nginx: Just enable OCSP
I was attempting to make the config easier to use in test environments
where the key is self-signed, but meh, I rarely do that and I think
this logic doesn't actually work.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-22 19:05:50 +03:00
Alan Orth
9ce7ac72f9
roles/nginx: Add extra-security headers to PHP block
nginx inherits headers from higher-level blocks UNLESS we also set
headers in the current block. In this case the FastCGI cache header
was being set, so we weren't getting the extra-security ones.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-19 09:32:06 +03:00
Alan Orth
934db06887
roles/nginx: Add HTTP Strict Transport Security headers to PHP block
nginx blocks inherit headers set in blocks above them UNLESS the
current level also sets headers[0]. This was causing PHP requests
to not have STS headers because of the FastCGI cache header which
is set in that block.
[0] http://nginx.org/en/docs/http/ngx_http_headers_module.html
Fixes GitHub #7.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-19 09:30:26 +03:00
Alan Orth
04e453df51
Revert "roles/nginx: Correct HSTS header in https template"
This reverts commit 5c7404d228.
'always' is legal in nginx >= 1.7.5:
If the always parameter is specified (1.7.5), the header field will be added regardless of the response code.
See: http://nginx.org/en/docs/http/ngx_http_headers_module.html
2015-03-18 18:33:19 +03:00
Alan Orth
5c7404d228
roles/nginx: Correct HSTS header in https template
Apparently the "always" syntax isn't used anymore (ever?), not sure
where I got it from but this definitely causes HSTS to not work.
See: https://mozilla.github.io/server-side-tls/ssl-config-generator/
See: https://raymii.org/s/tutorials/HTTP_Strict_Transport_Security_for_Apache_NGINX_and_Lighttpd.html
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-18 10:20:55 +03:00
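The header-inheritance behaviour described in commits 9ce7ac72f9 and 934db06887, together with the `always` parameter that the revert 04e453df51 restores, as an added nginx configuration example; it is not the repository's own vhost template, and the server name, certificate paths, HSTS max-age and PHP socket path are assumptions.

```nginx
server {
    listen 443 ssl;
    server_name example.com;                          # assumed name
    ssl_certificate     /etc/ssl/example.com.crt;     # assumed path
    ssl_certificate_key /etc/ssl/example.com.key;     # assumed path

    # Server-level headers. A location inherits these ONLY if it has no
    # add_header of its own; a single add_header in the location replaces
    # the whole inherited set.
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;

    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php5-fpm.sock;     # assumed socket path
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

        # This one add_header is enough to drop the server-level headers
        # for every PHP response, so HSTS silently vanishes on exactly the
        # dynamic pages...
        add_header X-Fastcgi-Cache $upstream_cache_status;

        # ...unless they are repeated here. "always" (nginx >= 1.7.5) adds
        # the header on every status code; without it nginx only adds the
        # header on success and redirect responses.
        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
    }
}
```

A quick check after deploying is to request a PHP page and a static file over HTTPS and confirm both responses carry the Strict-Transport-Security header.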
Alan Orth
6422cb7507
roles/nginx: Switch nginx OCSP resolver to OpenDNS
We don't need to give Google EVERYTHING.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-18 09:06:22 +03:00
Alan Orth
a3d29a559b
roles/munin: Remove unused config file
We are using a Jinja template instead.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-18 09:00:06 +03:00
Alan Orth
116fc9c7bf
vars/Ubuntu.yml: Add variables for provisioning user
This user should already exist from the preseed!
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-16 13:47:54 +03:00
Alan Orth
3a5b50f941
roles/common: Set I/O scheduler via udev
All servers with non-rotating disks (SSDs) should be running noop,
and the rest should be running deadline.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-15 17:52:05 +03:00
Alan Orth
9fda345a24
roles/common: Fix one logic mistake in rc.local task
I think it was originally supposed to be `ansible_os_family` but
we don't have anything other than Ubuntu, so let's just use that.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-15 17:43:21 +03:00
Alan Orth
2367b843d9
roles/common: Remove I/O scheduler logic from rc.local
It's better to set this using udev rules anyways
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-15 17:40:54 +03:00
Alan Orth
4a1158e163
roles/common: Remove CentOS rclocal task
No CentOS hosts here!
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-15 17:40:07 +03:00
Alan Orth
891bd35171
roles/common: Move tags from subtask to main one
Child tasks inherit the tag of the parent.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-15 17:34:13 +03:00
Alan Orth
4efb6edb7e
roles/common: Indent some yaml stuff in main.yml
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-15 17:31:29 +03:00
Alan Orth
b70ae58f48
roles/common: Simplify `when` logic in main template
Less syntax is more readable syntax.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-15 17:29:41 +03:00
Alan Orth
58222706ba
roles/common: Remove logic for TCP congestion avoidance on early kernels in sysctl
We don't have anything near 2.6.32 anymore.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-15 17:25:33 +03:00
Alan Orth
60ba4dacbd
roles/common: Add TCP/IP tweaks to sysctl template
Disable TCP slow start and increase the number of ports available
for client connections.
See: http://vincent.bernat.im/en/blog/2014-tcp-time-wait-state-linux.html
See: http://www.chromium.org/spdy/spdy-best-practices
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-15 17:23:10 +03:00
Alan Orth
942f45834f
roles/nginx: Use a more descriptive variable name for bypassing the proxy_cache
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-11 13:51:48 +03:00
Alan Orth
3dcc5e1411
roles/nginx: Move some common fastcgi settings out of vhost template
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-10 11:59:43 +03:00
Alan Orth
2b02d94254
roles/nginx: Don't cache 404 errors in munin config
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-09 13:32:09 +03:00
Alan Orth
41f055306f
roles/nginx: Re-order $request_method in fastcgi_cache_key
Everyone else on the Internet has it this way, so why not.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-09 13:18:02 +03:00
Alan Orth
53d2c85bf0
roles/nginx: Adjust fastcgi_cache_valid
Only cache 200, 301, and 302 requests!
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-09 10:23:48 +03:00
Alan Orth
066bf6fa85
roles/nginx: Set gzip_comp_level to 6
Seems to be the sweet spot, as gzip itself defaults to this.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-09 10:21:34 +03:00
Alan Orth
bb92bd080d
roles/nginx: Add $request_method to nginx fastcgi_cache_key
nginx is caching HEAD requests, then when users come along and do
a GET request they get an HTTP 200 with no request body. It seems
setting fastcgi_request_methods to GET doesn't stop nginx from caching
HEADs, so for now just add the $request_method to the key.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-03-09 10:19:34 +03:00
Alan Orth
1174db87bc
roles/nginx: Add task to clone WordPress git
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-02-26 17:39:17 +03:00
Alan Orth
d08a37526f
roles/nginx: Don't send OCSP responses for hosts using self-signed certs
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-02-26 17:38:30 +03:00
Alan Orth
cd65475d0d
roles/nginx: Add protection for PHP scripts in uploads directory
By the way, :? starts a non-capturing group (ie, don't save the
back references).
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-02-26 17:05:50 +03:00
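The FastCGI cache key and `fastcgi_cache_valid` changes from commits bb92bd080d and 53d2c85bf0, and the uploads-directory PHP block from cd65475d0d, as one added nginx example that is not the repository's own template; the cache path, zone name and PHP socket path are assumptions. nginx documents GET and HEAD as always present in `fastcgi_cache_methods`, which is why keying on `$request_method` is what keeps a cached HEAD from being served to a GET, and the non-capturing group syntax is `(?:...)`.

```nginx
# Cache zone, http context. Path and zone name are assumptions.
fastcgi_cache_path /var/cache/nginx levels=1:2 keys_zone=wordpress:16m inactive=60m;

server {
    # listen / server_name / root as in the real vhost

    # Regex locations are tried in order and the first match wins, so the
    # deny rule for PHP files under the uploads directory must come BEFORE
    # the generic PHP handler below. (?:uploads|files) is a non-capturing
    # group: it matches either directory without saving a back reference.
    location ~* /(?:uploads|files)/.*\.php$ {
        deny all;
    }

    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php5-fpm.sock;     # assumed socket path
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

        fastcgi_cache wordpress;
        # Without $request_method, a HEAD response (no body) cached under
        # "$scheme$host$request_uri" is handed to the next GET for the same
        # URI as a 200 with an empty body.
        fastcgi_cache_key "$scheme$request_method$host$request_uri";
        # Store only 200, 301 and 302; error responses are never cached.
        fastcgi_cache_valid 200 301 302 10m;
        add_header X-Fastcgi-Cache $upstream_cache_status;
    }
}
```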
Alan Orth
19f5b60cb7
Remove references to provisioning.yml
We aren't managing the provisioning user anymore, it is just assumed
to be there.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-02-26 16:53:48 +03:00
Alan Orth
29f7a76545
roles/nginx: Update location regex for PHP scripts
Just use the same one as the Nginx wiki and some other resources.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-02-26 16:40:38 +03:00