Commit Graph

555 Commits

Author SHA1 Message Date
81a98596e3
Downgrade TLS configuration to Mozilla's "intermediate" spec
From looking at the list of clients who would be allowed to connect
when using the "modern" spec, I think I'd be doing more harm than
good to use that config right now...

https://www.ssllabs.com/ssltest/analyze.html?d=alaninkenya.org
https://wiki.mozilla.org/Security/Server_Side_TLS

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-09 21:09:18 +03:00
d06ddf8a81
roles/nginx: Update TLS vhost task for Ansible > 1.7.1
Seems there is some YAML subtlety that causes this syntax to insert
double spaces on the destination file... using native YAML hashes
is a workaround, see GitHub issues:

https://github.com/ansible/ansible/issues/9067
https://github.com/ansible/ansible/issues/9172

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-09 20:57:24 +03:00
ad8a704470
Update TLS configuration to Mozilla's "modern" spec
Details, see:

- https://jve.linuxwall.info/blog/index.php?post/2014/10/09/Automated-configuration-analysis-for-Mozilla-s-TLS-guidelines
- https://wiki.mozilla.org/Security/Server_Side_TLS

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-09 20:56:08 +03:00
ad90f7f0fb
roles/nginx: Use HSTS for https vhosts
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-06 10:46:04 +03:00
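The three nginx TLS commits above (the "modern" to "intermediate" profile change, the YAML-hash workaround for Ansible > 1.7.1, and HSTS for https vhosts) all touch the same task. What follows is an added example, not the repository's own role code: an Ansible task written with native YAML hashes (the form the d06ddf8a81 message says avoids the double-space problem) that writes the TLS directives for one https vhost in Mozilla's intermediate profile and adds HSTS. The variable names `nginx_tls_domain` and `nginx_tls_ciphers`, the `restart nginx` handler, the file paths, and the defaults file location are assumptions, and the cipher string is a shortened, illustrative subset: take the full current list from the Mozilla Server Side TLS page linked in the commit messages.

```yaml
# Added example, not the repository's own code.
#
# roles/nginx/defaults/main.yml (assumed location). Shortened, illustrative
# subset of Mozilla's intermediate cipher list; use the full current list.
nginx_tls_ciphers: "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK"
---
# roles/nginx/tasks/main.yml (assumed location). Module arguments are given
# as a YAML hash, not "key=value" strings, per the d06ddf8a81 workaround.
# The https server block is expected to "include" the file written here;
# keep it out of conf.d/ so the directives do not apply to plain-http vhosts.
- name: Configure TLS for {{ nginx_tls_domain }} (Mozilla intermediate profile)
  copy:
    dest: /etc/nginx/tls-{{ nginx_tls_domain }}.conf
    owner: root
    group: root
    mode: '0644'
    content: |
      # Intermediate profile: the 2014 "modern" profile was TLS 1.2 only and
      # locked out every client that could not negotiate it, which is the
      # trade-off 81a98596e3 backs away from. SSLv3 stays disabled.
      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
      ssl_ciphers '{{ nginx_tls_ciphers }}';
      ssl_prefer_server_ciphers on;
      ssl_session_cache shared:SSL:10m;
      ssl_session_timeout 10m;

      # Leaf certificate followed by the intermediate(s), without the root
      # anchor (the chain ba751625d6 describes); key readable by root only.
      ssl_certificate /etc/ssl/certs/{{ nginx_tls_domain }}-chained.pem;
      ssl_certificate_key /etc/ssl/private/{{ nginx_tls_domain }}.key;

      # HSTS, six months as in the Mozilla guidelines. Send it only from the
      # https vhost, and only once every name under it can serve https:
      # browsers will refuse plain http for this host until max-age expires.
      # nginx add_header is not inherited by a block that sets its own
      # add_header, so repeat it in any location that adds other headers.
      add_header Strict-Transport-Security "max-age=15768000";
  notify: restart nginx
```

After applying it, the SSL Labs test linked in the top commit is the quickest check that the server offers exactly the intended protocols and that the chain is complete and in order.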
06543b10d5
host_vars/web04: Re-generate alaninkenya TLS chain
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-05 15:58:05 +03:00
fd9c6f31cb
roles/nginx: Add index to munin vhost
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-05 15:47:14 +03:00
7956a1c6f6
web.yml: Use ubuntu user for now
This is the default with OpenStack hosts like Kili.io...

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-05 15:39:12 +03:00
da2c8fc043
vars/Debian.yml: Switch to KENET Ubuntu mirror
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-05 15:25:45 +03:00
e741a77c00
roles/common: Add unzip to Ubuntu base packages
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-05 15:21:47 +03:00
c6ce4e6630
Add host_vars for web04
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-05 13:25:42 +03:00
ba751625d6
host_vars/web02: Remove anchor from chained TLS cert
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-09-15 22:00:26 +03:00
3c4aa85319
host_vars/web02: Update TLS certs for alaninkenya.org
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-09-14 23:54:00 +03:00
8362af0a02
Add web02
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-09-14 22:26:34 +03:00
6d07af97f3
roles/php5-fpm: Fix php.ini reconfiguration (pathinfo)
Use replace instead of lineinfile, addresses GitHub issue #1.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-09-14 12:34:44 +03:00
3d3b6c8a3f
roles/php5-fpm: Fix pool creation for vhosts
Now loops over both http and https vhosts properly. Fixes GitHub
issue #2.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-09-14 12:19:26 +03:00
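The two php5-fpm fixes above (php.ini pathinfo via `replace` rather than `lineinfile`, and one pool per vhost for both http and https vhosts) can be illustrated with the following added example, which is not the repository's own role code. It assumes the intent of the pathinfo change is to set `cgi.fix_pathinfo=0`, the usual hardening; it also assumes the vhost lists are called `nginx_vhosts` and `nginx_tls_vhosts`, that each entry has a `domain` key, that document roots live under `/var/www/<domain>`, and that a `restart php5-fpm` handler exists.

```yaml
# Added example, not the repository's own code (roles/php5-fpm/tasks).
#
# 1. php.ini hardening with "replace". The regexp matches the directive
#    whether it is commented out (";cgi.fix_pathinfo=1"), set to another value,
#    or already correct, so the file ends up with exactly one active setting.
#    The value 0 is assumed: with the default of 1, PHP resolves a request for
#    /uploads/x.jpg/y.php to the real file /uploads/x.jpg and runs it as PHP
#    if nginx forwards it, so an uploaded image becomes executable code.
- name: Disable cgi.fix_pathinfo in php.ini
  replace:
    dest: /etc/php5/fpm/php.ini
    regexp: '^;?\s*cgi\.fix_pathinfo\s*=.*$'
    replace: 'cgi.fix_pathinfo = 0'
  notify: restart php5-fpm

# 2. One pool per vhost, iterating over both plain-http and https vhosts.
#    A pool per site gives each site its own socket and its own PHP limits
#    (open_basedir below); running each pool as its own system user would
#    isolate the sites from one another further.
- name: Create a php5-fpm pool for each vhost
  copy:
    dest: /etc/php5/fpm/pool.d/{{ item.domain }}.conf
    owner: root
    group: root
    mode: '0644'
    content: |
      [{{ item.domain }}]
      user = www-data
      group = www-data
      ; socket name carries the domain so nginx can pass each vhost to its pool
      listen = /var/run/php5-fpm-{{ item.domain }}.sock
      listen.owner = www-data
      listen.group = www-data
      listen.mode = 0660
      pm = ondemand
      pm.max_children = 5
      pm.process_idle_timeout = 10s
      ; keep this pool's PHP inside its own document root and /tmp
      php_admin_value[open_basedir] = /var/www/{{ item.domain }}:/tmp
  with_flattened:
    - "{{ nginx_vhosts }}"
    - "{{ nginx_tls_vhosts }}"
  notify: restart php5-fpm
```

`with_flattened` joins the two lists into one loop, which is what "loops over both http and https vhosts" amounts to; if either list may be undefined on some host, give it an empty default in the role's defaults.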
e6ffdf8652
roles/nginx: Update nginx https stuff
- re-organize tls vhost configuration
- copy TLS cert from host_vars directly to file

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-09-13 23:16:54 +03:00
4e4f415acd
vars/Debian.yml: Add vim modeline
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-09-11 00:14:53 +03:00
bf25229555
vars/Debian.yml: Switch to Liquid Telecom Ubuntu mirror
This should really be in an Ubuntu.yml file... but we currently
include it with ansible_os_family, instead of ansible_os_distribution.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-09-11 00:13:54 +03:00
dbf3bcfb0c
Add ipsets.yml
Contains "ghetto" ipsets which we use in firewall rules etc.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-09-11 00:12:55 +03:00
be0e0ea21a
roles/common: Remove irqbalance
We're a VM, we don't have IRQs.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-09-07 23:51:52 +03:00
2156f8b07d
roles/nginx: Tweaks for vhosts with WordPress
My WordPress blogs have a /wordpress subdirectory in the document
root, but I don't serve from the /wordpress URI.

Technically, all we need is the tweaks to the try_files:
    - `?args` passes query strings to php5-fpm
    - removing 404 from the vhost's try_files so we don't return 404
    when the requested file doesn't exist (obviously not all request
    URIs in WordPress are actual files on the disk)

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-09-07 22:51:34 +03:00
df65172952
roles/common: Add lrzip to base packages
Provides good mix of compression/decompression speed with size,
see: http://ck.kolivas.org/apps/lrzip/README.benchmarks

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-09-07 16:32:06 +03:00
162197ad25
roles/nginx: Re-work vhost template to support HTTPS
Assumes you have a TLS cert for one domain, but not the others, i.e.:

    http://blah.com \
    http://blah.net  -> https://blah.io
    http://blah.org /

Otherwise, without https, it creates a vhost with all domain names.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-09-06 21:32:37 +03:00
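The vhost shape described in 162197ad25 (several plain-http names all redirecting to the one https name) and the WordPress try_files tweaks from 2156f8b07d fit in a single nginx vhost. The following is an added example, not the repository's vhost template: an Ansible task that writes such a vhost for each entry in an assumed `nginx_tls_vhosts` list whose items carry `domains`, `tls_domain` and `root`. The TLS directives are assumed to live in an included per-domain file, the php5-fpm socket path is an assumption, and a `restart nginx` handler is assumed to exist.

```yaml
# Added example, not the repository's own code (roles/nginx/tasks).
- name: Configure nginx vhost for {{ item.tls_domain }}
  copy:
    dest: /etc/nginx/sites-available/{{ item.tls_domain }}
    owner: root
    group: root
    mode: '0644'
    content: |
      # Plain http for every name: nothing is served here, only a 301 to the
      # canonical https host. $request_uri keeps path and query string, so
      # http://blah.com/foo?x=1 lands on https://blah.io/foo?x=1.
      server {
          listen 80;
          server_name {{ item.domains | join(' ') }} {{ item.tls_domain }};
          return 301 https://{{ item.tls_domain }}$request_uri;
      }

      server {
          listen 443 ssl;
          server_name {{ item.tls_domain }};
          include /etc/nginx/tls-{{ item.tls_domain }}.conf;

          root {{ item.root }};
          index index.php index.html;
          access_log /var/log/nginx/{{ item.tls_domain }}-access.log;
          error_log  /var/log/nginx/{{ item.tls_domain }}-error.log;

          # WordPress permalinks: a URI that is neither a file nor a directory
          # on disk goes to index.php with the query string kept ($args).
          # No "=404" fallback here, or pretty permalinks would return 404.
          location / {
              try_files $uri $uri/ /index.php?$args;
          }

          # Regex locations match in order of appearance, so the deny rules
          # must come before the PHP handler: never serve dotfiles, and never
          # execute PHP that was dropped into the uploads tree.
          location ~ /\. { deny all; }
          location ~* /wp-content/uploads/.*\.php$ { deny all; }

          # Only hand PHP files that actually exist to php5-fpm. Together with
          # cgi.fix_pathinfo=0 on the PHP side this stops /uploads/x.jpg/y.php
          # from being executed as PHP.
          location ~ \.php$ {
              try_files $uri =404;
              include fastcgi_params;
              fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
              fastcgi_pass unix:/var/run/php5-fpm-{{ item.tls_domain }}.sock;
          }
      }
  with_items: "{{ nginx_tls_vhosts }}"
  notify: restart nginx
```

A vhost without a TLS certificate, the "otherwise" case in the commit message, is the same https block minus `ssl` and the `include`, listening on 80 with all of the names in `server_name` and no redirect server.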
b6d4f090ec
host_vars/web01: Update WordPress version and vhosts
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-09-06 20:49:41 +03:00
05faeecc5d
roles/mariadb: Quote the password in .my.conf template
Ansible's mysql module can get this password and connect fine, but
`mysql` on the command line chokes if the password is slightly
complicated and is not quoted.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-09-01 12:41:56 +03:00
5166ebf219
roles/munin: Fix nginx template
Accidental syntax error came in when I removed the dns domain.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-28 22:08:32 +03:00
ef4a9edbd7
Add host_vars/web01
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-28 22:08:05 +03:00
8e1c2c5518
Remove host_vars/.gitignore
I'll just use ansible-vault and encrypt it instead. If I had more
host_vars this would suck, as you can't grep the vars there...

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-28 21:37:37 +03:00
e24464941f
roles/mariadb: Create WordPress db/users when necessary
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-28 14:29:23 +03:00
850a6a8da3
roles/mariadb: Add plays for creating WordPress db/users
Relies on the host having a dict with appropriate values defined,
for example:

  wordpress_blogs:
    - site_name:            blah.com
      wordpress_version:    3.9.2
      wordpress_db_user:    db_user
      wordpress_db_name:    db_name
      wordpress_db_pass:    V9&XvvKu1hYl

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-28 12:47:30 +03:00
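The mariadb tasks the two commits above describe, together with the quoted-password `.my.cnf` from 05faeecc5d, can be written as follows. This is an added example, not the repository's own role code: it loops over the `wordpress_blogs` dict exactly as shown in the 850a6a8da3 message, writes root's `.my.cnf` first so that both Ansible's mysql modules and the `mysql` command line read the same credentials, and assumes a variable named `mariadb_root_password` holds the root password.

```yaml
# Added example, not the repository's own code (roles/mariadb/tasks).
#
# Double-quoting the password in the option file is what lets the mysql
# command-line client cope with passwords containing characters like "#"
# or "&"; the Ansible modules read the same file (~/.my.cnf of the remote
# user) when no login_user/login_password is given.
- name: Write /root/.my.cnf for Ansible's mysql modules and the mysql cli
  copy:
    dest: /root/.my.cnf
    owner: root
    group: root
    mode: '0600'
    content: |
      [client]
      user=root
      password="{{ mariadb_root_password }}"
  no_log: true

- name: Create a database for each WordPress blog
  mysql_db:
    name: "{{ item.wordpress_db_name }}"
    state: present
  with_items: "{{ wordpress_blogs }}"

# The grant is limited to the blog's own database and to connections from
# localhost, so one blog's credentials give nothing against another blog's
# database. no_log keeps the passwords out of playbook output and logs.
- name: Create a database user for each WordPress blog
  mysql_user:
    name: "{{ item.wordpress_db_user }}"
    password: "{{ item.wordpress_db_pass }}"
    host: localhost
    priv: "{{ item.wordpress_db_name }}.*:ALL"
    state: present
  with_items: "{{ wordpress_blogs }}"
  no_log: true
```

Because `wordpress_blogs` carries plaintext database passwords, the host_vars file that defines it belongs in ansible-vault (`ansible-vault edit host_vars/<host>`), which is the trade-off the 8e1c2c5518 message accepts: encrypted at rest, but no longer greppable.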
fafd475f6b
roles/nginx: Add index to vhost config
Without this, all requests to directory URIs throw 403 errors due
to directory listings not being allowed.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-28 12:27:24 +03:00
03d0288a78
web.yml: Remove wordpress role
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-28 11:26:08 +03:00
41b1ab79c2
roles/php5-fpm: Update comment
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-28 11:25:35 +03:00
0b8e0c38bf
roles/nginx: Per-vhost logs
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-27 20:26:12 +03:00
5bbec6716c
roles/nginx: Use template to configure nginx vhosts
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-27 20:03:34 +03:00
75a705ac87
roles/nginx: Add defaults for nginx role
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-27 20:02:29 +03:00
ff95a34605
roles/nginx: Add vim modeline to main.yml
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-27 20:00:42 +03:00
0689153bd9
roles/php5-fpm: Use template for pools
Each vhost has a separate pool.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-27 19:48:21 +03:00
2afa1ef2f3
roles/munin: Remove dns domain
Don't really need this, as we only have one server.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-27 15:57:28 +03:00
775f0e7f5f
roles/mariadb: Install python bindings for ansible's mysql module
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-27 15:56:54 +03:00
9fcdb89261
README.md: Spelling
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-25 15:24:00 +03:00
b41b581601
README.md: Revamp and renovate
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-25 15:16:29 +03:00
2c25d8c3e1
Add top-level .gitignore
Ignore hosts file.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-25 15:15:55 +03:00
f6f0b77a78
Remove hosts file
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-25 14:54:34 +03:00
5bcdfdd15a
README.md: Fix ansible-playbook invocation
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-25 14:49:53 +03:00
4867a2398f
Add site yml file
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-25 13:21:00 +03:00
c6546f37a3
web.yml: Add os_family vars to includes
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-25 13:20:43 +03:00
160337bd4d
web.yml: Clean up
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-25 13:19:14 +03:00
b45479066b
Rename site.yml to web.yml
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-25 13:18:27 +03:00
1e54507b05
group_vars/all: Remove host-specific configs
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-25 11:45:08 +03:00