Commit Graph

884 Commits

Author SHA1 Message Date
ab47df6031
Use Python 3.10 with pipenv 2021-12-13 08:38:08 +02:00
de75b2ffb6
host_vars/web22: WordPress 5.8.2 2021-11-30 19:48:18 +02:00
e10d83dadd
Pipfile.lock: run pipenv update 2021-11-30 19:34:46 +02:00
f070fd9a64
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
2021-11-07 10:12:43 +02:00
6e1527b1a8
Pipfile.lock: run pipenv update 2021-11-07 10:11:46 +02:00
ebd8b0632b
roles/common: Disable unsafe Diffie-Hellman SSH moduli
The WeakDH team showed (in 2015) that Diffie-Hellman key exchange
with prime number groups of 1024 bits or less were weaker than we
previously thought, and well within the reach of nation states. They
recommended (in 2015) using 2048-bit or higher prime groups.

The SSH audit project recommends that we should use 3072-bit now.

See: https://weakdh.org/
See: https://github.com/jtesta/ssh-audit/
2021-10-10 16:57:05 +03:00
df26b6c17e
roles/common: notify fail2ban after updating firewall
We should always restart fail2ban after updating the firewall. Also
note that the order of execution of handlers depends on how they are
defined in the handler config, not on the order they are listed in
the task's notify statement.

See: https://docs.ansible.com/ansible/latest/user_guide/playbooks_handlers.html
2021-09-28 10:45:51 +03:00
d92151b8a6
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml

Note: there were no IPv6 addresses in the top 10,000 this time so I
used a dummy address for the nftables set so the syntax was valid.
2021-09-28 10:28:02 +03:00
b13ead0657
roles/common: use a range for mosh ports in nftables
This is better than a loop in Jinja (though that is useful!).
2021-09-28 07:34:25 +03:00
89ced6f952
Pipfile.lock: run pipenv update 2021-09-27 17:28:41 +03:00
ae5ba0607a
Remove host_vars/nomad01
Replaced by web23.
2021-09-27 14:17:48 +03:00
89fd642b78
roles/nginx: minor rework of acme.sh tasks
After the inital acme.sh script is downloaded and bootstrapped we
can remove it. If a host already has been bootstrapped then there
is no need to download it and do it over again.
2021-09-27 13:40:17 +03:00
65e6dd34cd
roles/common: Add missing section to Debian 11 sshd_config
We need to be able to configure the list of SSH users.
2021-09-27 12:59:27 +03:00
0421807e4d
Add web23
Will replace nomad01
2021-09-27 12:22:45 +03:00
d5eed5055e
roles/nginx: Add support for gitea
gitea hosts are basically webservers, but we need to proxy pass. I
am setting up gitea itself manually for now.
2021-09-27 12:15:47 +03:00
f8752bb3e7
roles/nginx: add todo about document roots
We assume it's always /var/www/$domain_name but it can be overriden
in the host_vars...
2021-09-27 12:05:53 +03:00
170e591701
roles/common: Install rsync and lsof 2021-09-27 11:36:40 +03:00
8d6c3c57c3
roles/nginx: install acme.sh after downloading
This is basically just bootstrapping it. I used to do this by hand
before requesting the certs.
2021-09-27 11:28:02 +03:00
79b29f0c51
roles/nginx: generate snakeoil cert manually
The ssl-cert does this, but it includes the hostname of the server
as the subject name in the cert, which is a huge leak of privacy.
2021-09-27 10:48:24 +03:00
a4acc85704
roles/common: Remove iptables on newer Debian 2021-09-27 10:35:38 +03:00
f7b9aa67f5
roles/common: Fix comment about Debian 10 firewall 2021-09-27 10:31:31 +03:00
0a39c4f0ef
README.md: Update debian/ubuntu note 2021-09-27 10:13:47 +03:00
85323d789c
Remove host_vars/web19
Replaced by web22.
2021-09-13 11:49:32 +03:00
341a1bf11e
roles/php-fpm: Install php7.4-xml
The RSS feeds in the WordPress admin dashboard need this.
2021-09-13 10:19:33 +03:00
6ee389eda5
roles/php-fpm: Use concrete dependencies
The php-gd, php-mysql, etc packages are meta packages that just end
up installing the concrete ones for our specific version.
2021-09-13 10:18:40 +03:00
83fea62b0f
host_vars/web22: WordPress 5.8.1 2021-09-13 07:37:40 +03:00
0d1a5fbb25
Add host_vars/web22
Will replace web19 soon.
2021-09-12 21:59:38 +03:00
4d8444abf2
host_vars/web21: Fix path to cert 2021-09-12 20:39:45 +03:00
e8486f6c9e
host_vars/nomad02: Update Drone to version 2 2021-09-10 21:49:00 +03:00
20cd6f213c
roles/common: cache_valid_time explicitly sets update_cache
See: https://docs.ansible.com/ansible/latest/collections/ansible/builtin/apt_module.html
2021-09-08 21:59:51 +03:00
eb80e797c6
Add host_vars/web21
Replaces web20.
2021-09-08 21:57:04 +03:00
736bb8eb38
Remove host_vars/web20
Will be replaced by web21.
2021-09-08 21:56:43 +03:00
34a30c4d13
roles/common: Don't update apt cache when removing packages 2021-09-08 17:05:48 +03:00
c03e75d736
roles/common: explicitly install systemd-timesyncd
It is a standalone package on (at least) Ubuntu 20.04 and Debian 11
and some cloud images do not have it installed by default (for exa-
mple Scaleway).
2021-09-08 17:04:46 +03:00
d08f10f9c8
roles/common: Fix comment in ntp playbook 2021-09-08 17:04:20 +03:00
8467dc1300
roles/mariadb: Change socket location
Instead of using /var/run, just use /run directly. This is the real
path and it's the default anyways.
2021-09-08 15:50:48 +03:00
635bb5234d
roles/common: fix logic for copying AbuseIPDB.com nft sets
We have to force these because they are not updated on the host like
the other lists (API limit of five requests per day!). We update the
list periodically here in git.
2021-09-08 09:58:13 +03:00
37901da5b5
roles/common: update AbuseIPDB lists for nftables 2021-09-08 09:57:58 +03:00
e36ae3b11e
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
2021-09-08 09:35:36 +03:00
81c1231a28
roles/php-fpm: Fix logic
First, we cannot do a global check for has_wordpress or needs_php,
as those are defined per nginx vhost. Second, I realized that this
was only working in the past because vhosts that had WordPress or
needed PHP were listed first in the nginx_vhosts dict.

This changes the logic to first check if any vhosts have WordPress
or need PHP, then sets a fact that we can use to decide whether to
run php-fpm tasks or not.
2021-09-08 09:32:06 +03:00
bb6f058025
roles/php-fpm: whitespace 2021-09-07 20:12:31 +03:00
547395b26e
roles/nginx: Use php7.4-fpm socket on Debian 11 as well 2021-09-07 17:51:54 +03:00
15208241d3
roles/common: Add git-lfs to base packages 2021-09-07 17:51:33 +03:00
0fd05d496e
roles/nginx: Set mode of downloaded acme.sh 2021-09-07 17:10:35 +03:00
023a0d48ba
roles/nginx: Remove old comment 2021-09-07 17:07:53 +03:00
c687b7a91a
roles/nginx: Run Let's Encrypt on Debian 11 too 2021-09-07 17:07:33 +03:00
bd4ae36bb6
roles/mariadb: use socket for all operations
Otherwise Ansible will try to connect with host 'localhost', which
we do not use (and we have disabled name resolution anyways).
2021-09-07 16:48:15 +03:00
b60637c7d9
roles/mariadb: Update comments for Ansible module 2021-09-07 16:47:47 +03:00
479127a5e4
roles/common: Fix nftables handler in Debian firewall
We used to use reload, but now the idempotent thing to do is to use
restart instead of reload.
2021-09-07 15:43:33 +03:00
d261f81642
roles/php-fpm: Use Ubuntu 20.04 configs on Debian 11
They both use PHP 7.4.
2021-09-06 21:19:57 +03:00