Commit Graph

70 Commits

Author SHA1 Message Date
b71269e6cb
host_vars/web05: Add TLS keys back
The other method wasn't as clever as I had thought, as I couldn't
get it to work again!

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-27 21:19:53 +03:00
08a920d0cb Revert "roles/nginx: Ingenius use of YAML hashes to derive TLS key from another file"
This reverts commit 59b9bd70b8.

Might not be so ingenious.  Can't get this to work anymore...
2014-10-27 21:16:43 +03:00
54993d6d6b
Update tls cipher suite with latest string from Mozilla TLS guide
https://wiki.mozilla.org/Security/Server_Side_TLS states"

    Version 3.3: ulfr: fix SHA256 prio, add POODLE details, update various templates

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-25 12:36:19 +03:00
c3f5e27642
roles/common: Add ECDSA public key for noma
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-12 13:25:48 +03:00
a265e48a9f
roles/common: Remove RSA public key
Both client and server support ed25519, so there's no need to even
have the RSA key here.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-12 13:23:01 +03:00
b89e51d270
host_vars/web05: Remove TLS keys from host_vars
Now they live in one file, vars/tls_keys.yml.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-11 15:43:17 +03:00
59b9bd70b8 roles/nginx: Ingenius use of YAML hashes to derive TLS key from another file
This is kinda crazy, but makes the host_vars much easier to read.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-11 15:42:44 +03:00
7ad41df199
Add host_var file for web05
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-11 15:03:56 +03:00
e24a987d3b
vars/Debian.yml: Update apt mirror to Linode one
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-11 14:20:37 +03:00
5e0da37542
roles/common: Remove task which removes irqbalance
Prevailing wisdom is actually that this *can* help virtual hosts,
especially when the VM guest has multiple CPUs.

See: http://wiki.xen.org/wiki/Network_Throughput_and_Performance_Guide

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-11 13:31:23 +03:00
1ee7b385bf
roles/common: Rename SSH keys
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-11 13:19:32 +03:00
1e2193efc9
roles/common: Add functionality to copy user keys to provisioning user
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-11 12:13:45 +03:00
614f90a058
web.yml: Modify to incorporate provisioning user stuff
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-11 12:12:32 +03:00
c53dd18181
roles/common: Add role to manage provisioning user
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-11 12:11:44 +03:00
42b893b2a7
roles/nginx: Add expires to static files
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-10 11:05:42 +03:00
81a98596e3
Downgrade TLS configuration to Mozilla's "intermediate" spec
From looking at the list of clients who would be allowed to connect
when using the "modern" spec, I think I'd be doing more harm than
good to use that config right now...

https://www.ssllabs.com/ssltest/analyze.html?d=alaninkenya.org
https://wiki.mozilla.org/Security/Server_Side_TLS

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-09 21:09:18 +03:00
d06ddf8a81
roles/nginx: Update TLS vhost task for Ansible > 1.7.1
Seems there is some YAML sublety that causes this syntax to insert
double spaces on the destination file... using native YAML hashes
are a workaround, see GitHub issues:

https://github.com/ansible/ansible/issues/9067
https://github.com/ansible/ansible/issues/9172

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-09 20:57:24 +03:00
ad8a704470
Update TLS configuration to Mozilla's "modern" spec
Details, see:

- https://jve.linuxwall.info/blog/index.php?post/2014/10/09/Automated-configuration-analysis-for-Mozilla-s-TLS-guidelines
- https://wiki.mozilla.org/Security/Server_Side_TLS

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-09 20:56:08 +03:00
ad90f7f0fb
roles/nginx: Use HSTS for https vhosts
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-06 10:46:04 +03:00
06543b10d5
host_vars/web04: Re-generate alaninkenya TLS chain
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-05 15:58:05 +03:00
fd9c6f31cb
roles/nginx: Add index to munin vhost
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-05 15:47:14 +03:00
7956a1c6f6
web.yml: Use ubuntu user for now
This is the default with OpenStack hosts like Kili.io...

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-05 15:39:12 +03:00
da2c8fc043
vars/Debian.yml: Switch to KENET Ubuntu mirror
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-05 15:25:45 +03:00
e741a77c00
roles/common: Add unzip to Ubuntu base packages
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-05 15:21:47 +03:00
c6ce4e6630
Add host_vars for web04
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-05 13:25:42 +03:00
ba751625d6
host_vars/web02: Remove anchor from chained TLS cert
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-09-15 22:00:26 +03:00
3c4aa85319
host_vars/web02: Update TLS certs for alaninkenya.org
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-09-14 23:54:00 +03:00
8362af0a02
Add web02
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-09-14 22:26:34 +03:00
6d07af97f3
roles/php5-fpm: Fix php.ini reconfiguration (pathinfo)
Use replace instead of lineinfile, addresses GitHub issue #1.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-09-14 12:34:44 +03:00
3d3b6c8a3f
roles/php5-fpm: Fix pool creation for vhosts
Now loops over both http and https vhosts properly. Fixes GitHub
issue #2.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-09-14 12:19:26 +03:00
e6ffdf8652
roles/nginx: Update nginx https stuff
- re-organize tls vhost configuration
- copy TLS cert from host_vars directly to file

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-09-13 23:16:54 +03:00
4e4f415acd
vars/Debian.yml: Add vim modeline
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-09-11 00:14:53 +03:00
bf25229555
vars/Debian.yml: Switch to Liquid Telecom Ubuntu mirror
This should really be in an Ubuntu.yml file... but we currently
include it with ansible_os_family, instead of ansible_os_distribution.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-09-11 00:13:54 +03:00
dbf3bcfb0c
Add ipsets.yml
Contains "ghetto" ipsets which we use in firewall rules etc.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-09-11 00:12:55 +03:00
be0e0ea21a
roles/common: Remove irqbalance
We're a VM, we don't have IRQs.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-09-07 23:51:52 +03:00
2156f8b07d
roles/nginx: Tweaks for vhosts with WordPress
My WordPress blogs have a /wordpress subdirectory in the document
root, but I don't serve from the /wordpress URI.

Technically, all we need is the tweaks to the try_files:
    - `?args` passes query strings to php5-fpm
    - removing 404 from the vhost's try_files so we don't return 404
    when the requested file doesn't exist (obviously not all request
    URI's in WordPress are actual files on the disk)

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-09-07 22:51:34 +03:00
df65172952
roles/common: Add lrzip to base packages
Provides good mix of compression/decompression speed with size,
see: http://ck.kolivas.org/apps/lrzip/README.benchmarks

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-09-07 16:32:06 +03:00
162197ad25
roles/nginx: Re-work vhost template to support HTTPS
Assumes you have a TLS cert for one domain, but not the others, ie:

    http://blah.com \
    http://blah.net  -> https://blah.io
    http://blah.org /

Otherwise, without https, it creates a vhost with all domain names.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-09-06 21:32:37 +03:00
b6d4f090ec
host_vars/web01: Update WordPress version and vhosts
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-09-06 20:49:41 +03:00
05faeecc5d
roles/mariadb: Quote the password in .my.conf template
Ansible's mysql module can get this password and connect fine, but
`mysql` on the command line chokes if the password is slightly
complicated and is not quoted.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-09-01 12:41:56 +03:00
5166ebf219
roles/munin: Fix nginx template
Accidental syntax error came in when I removed the dns domain

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-28 22:08:32 +03:00
ef4a9edbd7
Add host_vars/web01
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-28 22:08:05 +03:00
8e1c2c5518
Remove host_vars/.gitignore
I'll just use ansible-vault and encrypt it instead.  If I had more
host_vars this would suck, as you can't grep the vars there...

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-28 21:37:37 +03:00
e24464941f
roles/mariadb: Create WordPress db/users when necessary
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-28 14:29:23 +03:00
850a6a8da3
roles/mariadb: Add plays for creating WordPress db/users
Relies on the host having a dict with appropriate values defined,
for example:

  wordpress_blogs:
    - site_name:            blah.com
      wordpress_version:    3.9.2
      wordpress_db_user:    db_user
      wordpress_db_name:    db_name
      wordpress_db_pass:    V9&XvvKu1hYl

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-28 12:47:30 +03:00
fafd475f6b
roles/nginx: Add index to vhost config
Without this, all requests to directory URIs throw 403 errors due
to directory listings not being allowed.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-28 12:27:24 +03:00
03d0288a78
web.yml: Remove wordpress role
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-28 11:26:08 +03:00
41b1ab79c2
roles/php5-fpm: Update comment
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-28 11:25:35 +03:00
0b8e0c38bf
roles/nginx: Per-vhost logs
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-27 20:26:12 +03:00
5bbec6716c
roles/nginx: Use template to configure nginx vhosts
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-27 20:03:34 +03:00