aa8735e0ea
roles/nginx: Use explicit booleans for tests instead of "yes" and "no"
Better to be explicit with booleans rather than being confused when
you mix up yes and "yes" with Ansible/Python testing of conditionals.
2016-08-17 12:55:14 +03:00
de704a917f
roles/nginx: use boolean for use_letsencrypt instead of string "yes"
This is very confusing when you forget about how Ansible/Python is
testing conditionals. Let's use actual booleans so it's more clear.
2016-08-17 12:42:48 +03:00
60c498f5ae
roles/nginx: Add sanity check to systemd service for renewing Let's Encrypt certs
Just in case, we'd better make sure that certbot is installed and
usable (+x) before we try running it.
2016-08-17 12:27:33 +03:00
2a78c5cf59
roles/nginx: Add sanity check for use_letsencrypt variable
Not all hosts will have this, so this task will flat out fail. We
better check to see if it exists before we try to use it. ;)
2016-08-17 12:27:24 +03:00
f798e47ad8
roles/nginx: Add 'force=yes' to WordPress git repo clone
I never modify files in the git repo, but the WordPress updater does
updates from the web (for example TwentySixteen theme), and this
always causes the task to fail when I switch WordPress versions.
2016-08-17 11:39:10 +03:00
8bee2d7a72
Revert "roles/nginx: Only run Let's Encrypt checks once a day"
This reverts commit a38d822fad.
The docs definitely recommend twice a day. From a note on certbot's
installation page:
> if you're setting up a cron or systemd job, we recommend running
> it twice per day (it won't do anything until your certificates
> are due for renewal or revoked, but running it regularly would
> give your site a chance of staying online in case a Let's
> Encrypt-initiated revocation happened for some reason). Please
> select a random minute within the hour for your renewal tasks.
See: https://certbot.eff.org/#ubuntuxenial-nginx
2016-08-17 11:30:10 +03:00
b7c92e4dc1
roles/common: Remove 128-bit Ciphers and MACs from sshd_config
I had removed them from Debian 8 and Ubuntu 14.04 configs last year
when the NSA's Suite B crypto guidelines dropped 128-bit algorithms
but those changes didn't make it to my new Ubuntu 16.04 config.
It is probably overkill and paranoid, but this server is mine, so I
can make those decisions (and I only connect from modern clients).
2016-08-16 14:28:58 +03:00
33cdcc9ad1
roles/common: Add a few SHA-2 MACs to sshd_config
Fixes a problem with Paramiko, which Ansible uses for transport.
See: http://www.paramiko.org/changelog.html#1.16.0
See: https://github.com/ilri/rmg-ansible-public/issues/37
2016-08-16 14:24:53 +03:00
e343ddc9a6
Add 'packages' tag to any task doing package stuff
For idempotence we need to run all apt-related tasks, like editing
source files, adding keys, installing packages, etc, when running
the 'packages' tag.
2016-08-14 16:33:48 +03:00
b284098485
roles/nginx: Add mitigation for HTTPoxy vulnerability
Malicious requests including the HTTP_PROXY value will be able to
manipulate some server-side libraries. Better to just block them
in nginx.
See: https://httpoxy.org/
See: https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
2016-07-21 14:45:41 +03:00
a38d822fad
roles/nginx: Only run Let's Encrypt checks once a day
I can't remember where I had seen it recommended to be twice a day,
but it seems overkill.
2016-07-08 13:50:11 +03:00
b2e2d7bb9e
roles/nginx: Better names for Let's Encrypt timer/service
2016-07-07 14:36:29 +03:00
78dbdae783
roles/nginx: Fix variable check in HTTPS template
Don't assume the variables for TLS certs exist.
2016-07-05 19:42:56 +03:00
0cd2735c82
roles/nginx: Rework Let's Encrypt stuff
Take an opinionated stance on HTTPS and assume that hosts are using
HTTPS for all vhosts. This can either be via custom TLS cert/key
pairs defined in the host's variables (could even be self-signed
certificates on dev boxes) or via Let's Encrypt.
2016-06-27 23:52:39 +03:00
1254cea195
roles/nginx: Replace "&" with "and"
2016-06-27 19:13:20 +03:00
b7ab2da08a
roles/nginx: Allow usage of Let's Encrypt certs
Hosts can specify use_letsencrypt: 'yes' in their host_vars. For
now this assumes that the certificates already exist (ie, you have
to manually run Let's Encrypt first to register/create the certs).
2016-06-27 19:07:48 +03:00
8f43bf28fd
roles/nginx: Add IPv6 DNS resolvers
From Linode's Frankfurt datacenter.
2016-06-27 18:40:25 +03:00
a0b31ee86c
roles/nginx: Prioritize DNS resolvers in Frankfurt
The server is in Linode's DE datacenter so let's use those resolvers
instead of the ones in London.
2016-06-27 18:32:59 +03:00
09feb9a40c
roles/mariadb: Add "ansible managed" header to managed files
2016-06-27 18:09:04 +03:00
2efe2479ad
roles/mariadb: Use mariadb_databases instead of wordpress_blogs for variable
2016-06-27 18:08:02 +03:00
b41bd432df
roles/nginx: Add "ansible managed" string to configs
Generates a placeholder text to say that the file is managed by
ansible.
2016-06-27 17:50:49 +03:00
06034a8b8b
roles/common: Use systemd's timedatectl for time stuff
Debian 8 and Ubuntu 16.04 use systemd, so we can make use of its
NTP stuff rather than using the standalone `ntp` package.
2016-06-27 10:30:11 +03:00
24ca33c605
roles/nginx: Disable rules for Yoast SEO
Not using Yoast anymore. Now using the much simpler SEO Framework:
https://github.com/sybrew/the-seo-framework
2016-06-02 11:03:35 +03:00
1ed7d45c7f
roles/nginx: Fix comment about version numbers
2016-05-27 08:14:46 +03:00
93451e6c5e
roles/nginx: Use mainline branch by default
Has all the good stuff:
http://nginx.org/en/CHANGES
2016-05-27 08:14:04 +03:00
33f22b32a4
roles/common: Update sources for cron-apt
The system's apt configuration is using restricted and multiverse
so the security sources list should as well.
2016-05-05 12:16:37 +03:00
6837b48fae
roles/nginx: Switch default version to 1.10.x (stable)
2016-04-27 15:05:19 +03:00
447db17e33
roles/nginx: Update apt sources for Ubuntu now that nginx 1.10.0 is out
2016-04-27 15:04:17 +03:00
81e6af8f2b
roles/nginx: Add IPv6 listener in default HTTPS vhost
2016-04-25 21:49:41 +03:00
1ffc4eebc9
roles/nginx: Use default_server instead of default
Seems to be the new keyword for quite some time now, despite not
causing an error:
http://nginx.org/en/docs/http/server_names.html
2016-04-25 21:48:36 +03:00
03519831cb
roles/nginx: Return HTTP 444 for requests to invalid hostnames
444 is a special nginx return code that means the request was
closed without a response, see:
http://nginx.org/en/docs/http/request_processing.html
2016-04-25 21:45:21 +03:00
37b4809546
roles/nginx: Add IPv6 DNS resolvers for OCSP stapling
2016-04-25 13:25:05 +03:00
cd77b088e9
Fix a few references to php5-fpm
Unless we really mean php5-fpm, let's just say php-fpm.
2016-04-25 12:33:12 +03:00
6bf9aec64e
roles/php-fpm: Add some packages needed by Piwik on PHP7
2016-04-24 19:04:29 +03:00
0bed8e4c0b
roles/nginx: Fix for path to PHP-FPM socket on Ubuntu 16.04
2016-04-22 18:19:30 +03:00
4a99c73d62
roles/php-fpm: Add php.ini and pool.conf for PHP 7
2016-04-22 11:25:35 +03:00
da63e67614
roles/php-fpm: Split up task for Debian and Ubuntu
Debian 8 and Ubuntu 16.04 use PHP 5.6 and 7.0, respectively, and
the php-fpm versions use slightly different configs and service
names.
2016-04-22 11:25:35 +03:00
904bb9c094
roles/php-fpm: Rename tags from php5-fpm to php-fpm
2016-04-22 11:25:35 +03:00
8d4ee6f430
Rename php5-fpm role to php-fpm
In Ubuntu 16.04 the package is now called just "php-fpm" and it
makes more sense to just have this role be called that.
2016-04-22 11:25:35 +03:00
f90eff6b1a
roles/nginx: Update sources.list template for Ubuntu 16.04
Use Ubuntu 15.10 builds for now.
2016-04-22 11:25:35 +03:00
419d0c7e9a
roles/mariadb: Remove old MariaDB sources.list
2016-04-22 11:25:35 +03:00
35d0bee6cf
roles/mariadb: Use a template for sources
When you use the apt_repository module it adds a sources.list with
an annoying filename, and also it's just easier to use a template
when we have different distros/versions to support.
2016-04-22 11:25:35 +03:00
a0bb4c2f57
roles/common: Add sshd_config for Ubuntu 16.04
2016-04-22 11:25:35 +03:00
d265b522e8
roles/common: Update iptables for Ubuntu 16.04
Basically, anything after 15.04 is using firewalld.
2016-04-22 11:25:35 +03:00
ad232a7a8b
roles/common: Remove old SSH key
2016-04-22 11:24:35 +03:00
bedc820312
roles/mariadb: Manage /etc/mysql/my.cnf
Set some sane defaults and manage the config file with a template.
2016-04-22 10:08:32 +03:00
ebf79c5b07
roles/nginx: Add missing nginx tag
The creation of the fastcgi cache dir is part of the nginx role and
should be labeled as such. In situations where you only run nginx
tasks with `-t nginx` nginx will fail to start due to the missing
cache dir.
2016-04-15 12:29:35 +03:00
c8d2783159
roles/php5-fpm: Update php.ini from latest upstream
Debian 8.4 shipped with a new php.ini. It's mostly just updates to
comments and default values.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2016-04-02 20:14:53 +03:00
d50212c66c
roles/nginx: Remove extra semicolon in HSTS preload header
Google's preload check application pointed out that there was an
extra semicolon in the HTTP header:
$ hstspreload checkdomain alaninkenya.org
Warning:
1. Syntax warning: Header includes an empty directive or extra semicolon.
The tool can be downloaded here: https://github.com/chromium/hstspreload
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2016-03-31 13:35:44 +03:00
fe6c733cae
roles/nginx: Turn on tcp_nopush in nginx.conf
It seems tcp_nopush is meant to be used with sendfile in newer
versions of nginx.
See: https://github.com/h5bp/server-configs-nginx/blob/master/nginx.conf
See: https://t37.net/nginx-optimization-understanding-sendfile-tcp_nodelay-and-tcp_nopush.html
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2016-03-14 00:07:35 +02:00