ansible-personal

Author	SHA1	Message	Date
Alan Orth	be22b70ec3	host_vars/web05: Update WordPress from 4.1.2 -> 4.2 Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-04-24 22:06:24 +03:00
Alan Orth	25de66d605	host_vars/web05: WordPress 4.1.1 -> 4.1.2 Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-04-23 23:12:20 +03:00
Alan Orth	e675b750c4	roles/nginx: Switch to nginx stable branch Remove old mainline repo and add stable repo to get nginx 1.8.0. See: http://nginx.org/en/CHANGES-1.8 Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-04-23 14:52:22 +03:00
Alan Orth	4602f03bed	roles/nginx: Fix comment in main task Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-03-25 12:59:10 +03:00
Alan Orth	bb55506464	roles/nginx: Use Linode DNS servers for OCSP resolvers I didn't realize Linode had DNS resolvers, but they are much closer than anything else (obviously). Here is OpenDNS: # mtr --report 208.67.222.222 Start: Sun Mar 22 15:31:50 2015 HOST: mjanja Loss% Snt Last Avg Best Wrst StDev 1.\|-- router1-lon.linode.com 0.0% 10 0.5 0.9 0.5 3.4 0.7 2.\|-- 212.111.33.233 0.0% 10 1.4 1.4 1.2 1.9 0.0 3.\|-- 217.20.44.194 0.0% 10 0.7 0.8 0.7 1.2 0.0 4.\|-- lonap.rtr1.lon.opendns.co 0.0% 10 1.2 1.1 0.9 1.4 0.0 5.\|-- resolver1.opendns.com 0.0% 10 1.0 0.9 0.8 1.0 0.0 And here is Linode's: # mtr --report 109.74.192.20 Start: Sun Mar 22 15:32:30 2015 HOST: mjanja Loss% Snt Last Avg Best Wrst StDev 1.\|-- router2-lon.linode.com 0.0% 10 0.5 0.6 0.5 0.8 0.0 2.\|-- resolver1.london.linode.c 0.0% 10 0.4 0.4 0.3 0.8 0.0 Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-03-22 19:06:33 +03:00
Alan Orth	ae8937eb96	roles/nginx: Just enable OCSP I was attempting to make the config easier to use in test environments where the key is self-signed, but meh, I rarely do that and I think this logic doesn't actually work. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-03-22 19:05:50 +03:00
Alan Orth	9ce7ac72f9	roles/nginx: Add extra-security headers to PHP block nginx inherits headers from higher-level blocks UNLESS we also set headers in the current block. In this case the FastCGI cache header was being set, so we weren't getting the extra-security ones. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-03-19 09:32:06 +03:00
Alan Orth	934db06887	roles/nginx: Add HTTP Strict Transport Security headers to PHP block nginx blocks inherit headers set in blocks above them UNLESS the current level also sets headers[0]. This was causing PHP requests to not have STS headers because of the FastCGI cache header which is set in that block. [0] http://nginx.org/en/docs/http/ngx_http_headers_module.html Fixes GitHub #7. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-03-19 09:30:26 +03:00
Alan Orth	04e453df51	Revert "roles/nginx: Correct HSTS header in https template" This reverts commit 5c7404d22856a332ea4176beb88be3723a6a169e. 'always' is legal in nginx >= 1.7.5: If the always parameter is specified (1.7.5), the header field will be added regardless of the response code. See: http://nginx.org/en/docs/http/ngx_http_headers_module.html	2015-03-18 18:33:19 +03:00
Alan Orth	5c7404d228	roles/nginx: Correct HSTS header in https template Apparently the "always" syntax isn't used anymore (ever?), not sure where I got it from but this definitely causes HSTS to not work. See: https://mozilla.github.io/server-side-tls/ssl-config-generator/ See: https://raymii.org/s/tutorials/HTTP_Strict_Transport_Security_for_Apache_NGINX_and_Lighttpd.html Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-03-18 10:20:55 +03:00
Alan Orth	6422cb7507	roles/nginx: Switch nginx OCSP resolver to OpenDNS We don't need to give Google EVERYTHING. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-03-18 09:06:22 +03:00
Alan Orth	a3d29a559b	roles/munin: Remove unused config file We are using a Jinja template instead. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-03-18 09:00:06 +03:00
Alan Orth	116fc9c7bf	vars/Ubuntu.yml: Add variables for provisioning user This user should already exist from the preseed! Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-03-16 13:47:54 +03:00
Alan Orth	3a5b50f941	roles/common: Set I/O scheduler via udev All servers with non-rotating disks (SSDs) should be running noop, and the rest should be running deadline. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-03-15 17:52:05 +03:00
Alan Orth	9fda345a24	roles/common: Fix one logic mistake in rc.local task I think it was originally supposed to be `ansible_os_family` but we don't have anything other than Ubuntu, so let's just use that. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-03-15 17:43:21 +03:00
Alan Orth	2367b843d9	roles/common: Remove I/O scheduler logic from rc.local It's better to set this using udev rules anyways Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-03-15 17:40:54 +03:00
Alan Orth	4a1158e163	roles/common: Remove CentOS rclocal task No CentOS hosts here! Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-03-15 17:40:07 +03:00
Alan Orth	891bd35171	roles/common: Move tags from subtask to main one Child tasks inherit the tag of the parent. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-03-15 17:34:13 +03:00
Alan Orth	4efb6edb7e	roles/common: Indent some yaml stuff in main.yml Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-03-15 17:31:29 +03:00
Alan Orth	b70ae58f48	roles/common: Simplify `when` logic in main template Less syntax is more readable syntax. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-03-15 17:29:41 +03:00
Alan Orth	58222706ba	roles/common: Remove logic for TCP congestion avoidance on early kernels in sysctl We don't have anything near 2.6.32 anymore. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-03-15 17:25:33 +03:00
Alan Orth	60ba4dacbd	roles/common: Add TCP/IP tweaks to sysctl template Disable TCP slow start and increase the number of ports available for client connections. See: http://vincent.bernat.im/en/blog/2014-tcp-time-wait-state-linux.html See: http://www.chromium.org/spdy/spdy-best-practices Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-03-15 17:23:10 +03:00
Alan Orth	942f45834f	roles/nginx: Use a more descriptive variable name for bypassing the proxy_cache Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-03-11 13:51:48 +03:00
Alan Orth	3dcc5e1411	roles/nginx: Move some common fastcgi settings out of vhost template Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-03-10 11:59:43 +03:00
Alan Orth	2b02d94254	roles/nginx: Don't cache 404 errors in munin config Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-03-09 13:32:09 +03:00
Alan Orth	41f055306f	roles/nginx: Re-order $request_method in fastcgi_cache_key Everyone else on the Internet has it this way, so why not. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-03-09 13:18:02 +03:00
Alan Orth	53d2c85bf0	roles/nginx: Adjust fastcgi_cache_valid Only cache 200, 301, and 302 requests! Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-03-09 10:23:48 +03:00
Alan Orth	066bf6fa85	roles/nginx: Set gzip_comp_level to 6 Seems to be the sweet spot, as gzip itself defaults to this. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-03-09 10:21:34 +03:00
Alan Orth	bb92bd080d	roles/nginx: Add $request_method to nginx fastcgi_cache_key nginx is caching HEAD requests, then when users come along and do a GET request they get an HTTP 200 with no request body. It seems setting fastcgi_request_methods to GET doesn't stop nginx from caching HEADs, so for now just add the $request_method to the key. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-03-09 10:19:34 +03:00
Alan Orth	1174db87bc	roles/nginx: Add task to clone WordPress git Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-02-26 17:39:17 +03:00
Alan Orth	d08a37526f	roles/nginx: Don't send OCSP responses for hosts using self-signed certs Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-02-26 17:38:30 +03:00
Alan Orth	cd65475d0d	roles/nginx: Add protection for PHP scripts in uploads directory By the way, :? starts a non-capturing group (ie, don't save the back references). Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-02-26 17:05:50 +03:00
Alan Orth	19f5b60cb7	Remove references to provisioning.yml We aren't managing the provisioning user anymore, it is just assumed to be there. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-02-26 16:53:48 +03:00
Alan Orth	29f7a76545	roles/nginx: Update location regex for PHP scripts Just use the same one as the Nginx wiki and some other resources. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-02-26 16:40:38 +03:00
Alan Orth	55fddf03b3	Remove provisioning user management It's just too tricky to manage this. Ubuntu / RedHat preseeds and kickstarts can create the user and add it to groups, but only when we control the initial boot environment (ie not on Linode, Digital Ocean, etc), so let's just say we assume this user exists and can get root with sudo by the some we are running ansible on it. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-02-20 15:06:45 +03:00
Alan Orth	6b528ecc92	roles/php5-fpm: Fix creation of pool configs for both tls and non-tls vhosts Ansible's union thing only works on sets and lists, here we have a dict. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-02-19 19:41:48 +03:00
Alan Orth	b93da27fde	roles/nginx: Create fastcgi cache dir Or else nginx doesn't start. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-02-19 18:49:39 +03:00
Alan Orth	d8b6222527	host_vars/web05: Re-organize variables for wordpress_version logic Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-02-19 18:42:47 +03:00
Alan Orth	0b90bad6a9	roles/nginx: Add fastcgi caching Bypasses caching for logged in users (right now only for sessions where the "wordpress_logged_in" cookie is set. Doubles the trans- actions per second as measured by siege: $ siege -d1 -t1M -c50 https://mjanja.ch Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-02-10 23:04:28 +03:00
Alan Orth	4ea152bf51	roles/nginx: Add HTTP headers for web application security See: https://github.com/h5bp/server-configs-nginx/blob/master/h5bp/directive-only/extra-security.conf See: https://www.owasp.org/index.php/List_of_useful_HTTP_headers Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-24 13:05:42 +03:00
Alan Orth	0dc4d3f147	roles/nginx: Add a second OCSP stapling responder Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-24 12:44:27 +03:00
Alan Orth	7457ac3b93	roles/nginx: Always set HSTS header nginx 1.7.5 allows us to always set HTTP headers: See: http://mailman.nginx.org/pipermail/nginx-announce/2014/000145.html Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-24 12:40:48 +03:00
Alan Orth	c3bc6d949d	roles/nginx: Add nginx rewrites for Yoast WordPress SEO plugin Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-23 12:26:24 +03:00
Alan Orth	171798c76d	roles/common: Add DSA/ECDSA cleanup to ssh tasks We don't want to support these signature algorithms! Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-20 16:31:37 +03:00
Alan Orth	0d2763fb59	roles/common: Remove ECDSA SSH public key for aorth@noma Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-12 18:19:49 +03:00
Alan Orth	d7dd81bc84	roles/common: Add ED25519 SSH public key for aorth@noma Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-12 18:19:21 +03:00
Alan Orth	13b592dfcd	roles/common: Tune sshd_config to be more strict Disable ECDSA as a signature algorithm and drop some older message authentication algorithms. See: https://stribika.github.io/2015/01/04/secure-secure-shell.html Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-07 01:47:06 +03:00
Alan Orth	a80cb49957	roles/common: Update sshd_config template to explicitly allow the provisioning user Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-06 17:45:06 +03:00
Alan Orth	3b6c9745ab	roles/common: Add provisioning user to sudoers Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-05 08:24:13 +03:00
Alan Orth	36a3bbf36d	vars/Ubuntu.yml: Remove apt_mirror It's better to just use Ubuntu's defaults, and then override on a per-host basis. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-04 02:54:22 +03:00

1 2 3

134 Commits