alanorth
/
ansible-personal
1
0
Fork 0
Code Issues 4 Pull Requests Projects Releases Wiki Activity
583 Commits 2 Branches 0 Tags 4.5 MiB
Commit Graph

112 Commits

Author SHA1 Message Date
Alan Orth bbab45ae6f
Adjust ansible_managed to use comment filter 
We don't need to comment the ansible_managed block manually.
 2019-01-10 12:50:54 +02:00
Alan Orth 42fcd933a8
roles/nginx: Fix Jinja2 logic in apt sources template 2018-05-08 23:53:47 +03:00
Alan Orth 3f0c45d504
roles/nginx: Force amd64 builds on apt sources 
Avoids the following error in apt:

Skipping acquire of configured file 'nginx/binary-i386/Packages' as repository 'https://nginx.org/packages/ubuntu bionic InRelease' doesn't support architecture 'i386'
 2018-05-08 23:41:25 +03:00
Alan Orth f5fbc4b8f1
roles/nginx: Use bionic builds on Ubuntu 18.04 
NGINX finally published builds for Ubuntu 18.04 "bionic" so we don't
need to use the 17.10 "artful" ones anymore.
 2018-05-08 23:39:59 +03:00
Alan Orth 0a39051a95
roles/nginx: Allow custom resolvers for TLS stapling 
Allows to specify custom DNS resolvers for TLS stapling, with a default
of Cloudflare's public DNS servers.
 2018-04-30 18:04:17 +03:00
Alan Orth bda95b6a1c
roles/nginx: Default to Cloudflare public DNS for TLS stapling 
No need to give Google even more data or free advertising by using
this as the default! In practice I always use the DNS servers from
the VPS provider anyways.
 2018-04-30 17:51:59 +03:00
Alan Orth 632aa1cf14 Fix a few more Jinja2 filters used as tests 
I had created these earlier in this branch before rebasing it on top
of the Ansible 2.5.0 readiness branch.

See: https://docs.ansible.com/ansible/devel/porting_guides/porting_guide_2.5.html
 2018-04-05 12:17:26 +03:00
Alan Orth d1ba60e15d Use version_compare to test for Ubuntu 18.04 "bionic" 
It just feels more correct, plus I usually forget the release code
name from time to time.
 2018-04-05 12:17:26 +03:00
Alan Orth ed607aab68 roles/nginx: Use correct php-fpm socket on Ubuntu 18.04 2018-04-05 12:17:26 +03:00
Alan Orth 5c3553e684 roles/nginx: Use Ubuntu 17.10's packages on Ubuntu 18.04 
There are no nginx packages for Ubuntu 18.04 "bionic" yet so we
should use Ubuntu 17.10 "artful".
 2018-04-05 12:17:25 +03:00
Alan Orth ffee9250ee
Use new syntax for Jinja2 filters that are used as tests 
Ansible 2.5.0 uses a new syntax for Jinja2 filters that are used as
tests.

See: https://docs.ansible.com/ansible/devel/porting_guides/porting_guide_2.5.html
 2018-04-02 15:37:37 +03:00
Alan Orth d155898bb1
Use new syntax for Jinj2 filters that are used as tests 
Ansible 2.5.0 uses a new syntax for Jinja2 filters that are used as
tests.

See: https://docs.ansible.com/ansible/devel/porting_guides/porting_guide_2.5.html
 2018-03-21 21:17:21 +02:00
Alan Orth a5e6513be3
roles/dspace: Update gzip_types formatting 
From the H5BP project, see:

https://github.com/h5bp/server-configs-nginx/blob/master/nginx.conf
 2017-11-14 12:44:56 +02:00
Alan Orth 97aca2cad2
roles/nginx: Remove Internet Explorer 6 gzip disable 
I have zero idea if we have IE6 clients any more, but according to the
H5BP community IE6 actually did support gzip and only represents 0.1%
of Internet traffic in 2015 (!) anyways.

See: https://github.com/h5bp/server-configs-nginx/issues/125
 2017-11-14 12:43:02 +02:00
Alan Orth d15c9851db
roles/nginx: Use https for apt repository 2017-11-05 01:30:49 +02:00
Alan Orth d518bc51a4
Use nginx user instead of www-data on Debian 9 
Using www-data was a temporary measure while I was waiting for the
official nginx.org packages to be released for Debian 9 and we had
to use Debian's own nginx package.
 2017-06-19 18:36:13 +03:00
Alan Orth b2d3984c5a
roles/nginx: Fix PHP-FPM socket location on Debian 9 
Debian 9 and Ubuntu 16.04 use the same PHP-FPM configuration so we
can make use of that here.
 2017-06-18 11:04:30 +03:00
Alan Orth 4ff2ac1737
roles/nginx: Update comment about nginx versions 
Version 1.12.x is now stable and 1.13.x is now mainline.

See: https://www.nginx.com/blog/nginx-1-12-1-13-released/
 2017-04-14 16:07:33 +03:00
Alan Orth e13ef95f70
roles/nginx: Update nginx.conf.j2 
This is to accomodate Debian's 9 nginx package, as it provides a
different system user/group than nginx.org's packages.
 2017-01-30 15:45:50 +02:00
Alan Orth 6de385021d
roles/nginx: Updates to accomodate Debian 9 (stretch) 
There are currently no nginx.org builds for Debian 9, so we need to
use the package from Debian's repository. This package provides a
www-data user and group instead of an nginx one.

We can revert some of this after Debian 9 is released and official
builds come from nginx.org (though it might be useful to keep the
main nginx.conf as a template).
 2017-01-30 15:43:03 +02:00
Alan Orth 50536af990
Use Ansible's version_compare instead of doing math on strings 
I'm surprised this worked all these years actually. Since Ansible
version 1.6 it has been possible to use the version_compare filter
instead of doing math logic on strings.

See: https://docs.ansible.com/ansible/playbooks_tests.html
 2016-12-20 15:04:47 +02:00
Alan Orth d694616cf3
roles/nginx: Make sure to set HSTS headers on WordPress static files 
I realized the other day that due to complex logic in the location
blocks, various WordPress static files like images and stylesheets
didn't get the HTTP Strict Transport Security header set. We need
to include it on each level where we are setting headers, because
nginx overwrites headers if you set them again in a child block.
 2016-11-20 17:25:01 +02:00
Alan Orth 3a8b64a5ab
roles/nginx: Remove 'public' from Cache-Control header 
If a max-age is specified the 'public' is implicit.

See: https://developers.google.com/web/fundamentals/performance/optimizing-content-efficiency/http-caching
 2016-11-14 07:58:46 +02:00
Alan Orth 99caf49a90
roles/nginx: Minor typo in comment 2016-10-18 21:41:46 -04:00
Alan Orth 158df52e35
roles/nginx: Fix systemd unit for renewing Let's Encrypt certs 
The `ConditionFileIsExecutable` goes in the [Unit] section! This
fixes the error:

  systemd[1]: [/etc/systemd/system/renew-letsencrypt.service:6] Unknown lvalue 'ConditionFileIsExecutable' in section 'Service'
 2016-09-25 15:55:45 +03:00
Alan Orth 422caec2a7
roles/nginx: Only add PHP configuration on vhosts that need it 2016-09-13 15:59:24 +03:00
Alan Orth 586ad76d6b
roles/nginx: Only use index.php on hosts that need it 
Otherwise, use index.html.
 2016-09-13 15:58:40 +03:00
Alan Orth 740e5195a0
roles/nginx: Add new variable "needs_php" 
Used to indicate if a vhost needs PHP configuration or not, like
for a static site. Set in the hosts's nginx_vhosts block. Defaults
to "False" if unset.
 2016-09-13 14:53:12 +03:00
Alan Orth 4866083539
roles/nginx: Update comment for option variables 2016-09-13 14:51:49 +03:00
Alan Orth e036349661
roles/nginx: Only check WordPress variables is vhost is using WordPress 
This variable is used to control the FastCGI cache, and doesn't
need to be checked if the vhost isn't using WordPress.
 2016-09-12 20:57:10 +03:00
Alan Orth aa8735e0ea
roles/nginx: Use explicity booleans for tests instead of "yes" and "no" 
Better to be explict with booleans rather than being confused when
you mix up yes and "yes" with Ansible/Python testing of conditionals.
 2016-08-17 12:55:14 +03:00
Alan Orth de704a917f
roles/nginx: use boolean for use_letsencrypt instead of string "yes" 
This is very confusing when you forget about how Ansible/Python is
testing conditionals. Let's use actual booleans so it's more clear.
 2016-08-17 12:42:48 +03:00
Alan Orth 60c498f5ae
roles/nginx: Add sanity check to systemd service for renewing Let's Encrypt certs 
Just in case, we'd better make sure that certbot is installed and
usable (+x) before we try running it.
 2016-08-17 12:27:33 +03:00
Alan Orth b284098485
roles/nginx: Add mitigation for HTTPoxy vulnerability 
Malicious requests including the HTTP_PROXY value will be able to
manipulate some server-side libraries. Better to just block them
in nginx.

See: https://httpoxy.org/
See: https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
 2016-07-21 14:45:41 +03:00
Alan Orth b2e2d7bb9e
roles/nginx: Better names for Let's Encrypt timer/service 2016-07-07 14:36:29 +03:00
Alan Orth 78dbdae783
roles/nginx: Fix variable check in HTTPS template 
Don't assume the variables for TLS certs exist.
 2016-07-05 19:42:56 +03:00
Alan Orth 0cd2735c82
roles/nginx: Rework Let's Encrypt stuff 
Take an opinionated stance on HTTPS and assume that hosts are using
HTTPS for all vhosts. This can either be via custom TLS cert/key
pairs defined in the host's variables (could even be self-signed
certificates on dev boxes) or via Let's Encrypt.
 2016-06-27 23:52:39 +03:00
Alan Orth b7ab2da08a
roles/nginx: Allow usage of Let's Encrypt certs 
Hosts can specify use_letsencrypt: 'yes' in their host_vars. For
now this assumes that the certificates already exist (ie, you have
to manually run Let's Encrypt first to register/create the certs).
 2016-06-27 19:07:48 +03:00
Alan Orth 8f43bf28fd
roles/nginx: Add IPv6 DNS resolvers 
From Linode's Frankfurt datacenter.
 2016-06-27 18:40:25 +03:00
Alan Orth a0b31ee86c
roles/nginx: Prioritize DNS resolvers in Frankfurt 
The server is in Linode's DE datacenter so let's use those resolvers
instead of the ones in London.
 2016-06-27 18:32:59 +03:00
Alan Orth b41bd432df
roles/nginx: Add "ansible managed" string to configs 
Generates a placeholder text to say that the file is managed by
ansible.
 2016-06-27 17:50:49 +03:00
Alan Orth 24ca33c605
roles/nginx: Disable rules for Yoast SEO 
Not using Yoast anymore. Now using the much simpler SEO Framework:

https://github.com/sybrew/the-seo-framework
 2016-06-02 11:03:35 +03:00
Alan Orth 447db17e33
roles/nginx: Update apt sources for Ubuntu now that nginx 1.10.0 is out 2016-04-27 15:04:17 +03:00
Alan Orth 81e6af8f2b
roles/nginx: Add IPv6 listener in default HTTPS vhost 2016-04-25 21:49:41 +03:00
Alan Orth 1ffc4eebc9
roles/nginx: Use default_server instead of default 
Seems to be the new keyword for quite some time now, despite not
causing an error:

    http://nginx.org/en/docs/http/server_names.html
 2016-04-25 21:48:36 +03:00
Alan Orth 03519831cb
roles/nginx: Return HTTP 444 for requests to invalid hostnames 
444 is a special nginx return code that means the request was
closed without a response, see:

    http://nginx.org/en/docs/http/request_processing.html
 2016-04-25 21:45:21 +03:00
Alan Orth 37b4809546 roles/nginx: Add IPv6 DNS resolvers for OCSP stapling 2016-04-25 13:25:05 +03:00
Alan Orth cd77b088e9
Fix a few references to php5-fpm 
Unless we really mean php5-fpm, let's just say php-fpm.
 2016-04-25 12:33:12 +03:00
Alan Orth 0bed8e4c0b
roles/nginx: Fix for path to PHP-FPM socket on Ubuntu 16.04 2016-04-22 18:19:30 +03:00
Alan Orth f90eff6b1a roles/nginx: Update sources.list template for Ubuntu 16.04 
Use Ubuntu 15.10 builds for now.
 2016-04-22 11:25:35 +03:00