Commit Graph

602 Commits

Author SHA1 Message Date
c317429f6d
roles/mariadb: rework package signing key and repo 2022-09-12 10:09:41 +03:00
b512a7f765
roles/common: create /etc/apt/keyrings
According the the Debian docs for third-party repositories we must
create this manually on distros before Debian 12 and Ubuntu 22.04.
This is due to changes in apt-secure and the deprecation of apt-key.

See: https://wiki.debian.org/DebianRepository/UseThirdParty
2022-09-12 10:05:12 +03:00
e3a87d4f79
roles/mariadb: MariaDB 10.6
See: https://mariadb.com/kb/en/mariadb-1069-release-notes/
See: https://mariadb.com/kb/en/upgrading-from-mariadb-105-to-mariadb-106/
2022-09-12 09:25:46 +03:00
34be0013b7
Remove Debian 10 support 2022-09-11 09:21:08 +03:00
399585f4e7
roles: don't compare literal true and false
I changed these yesterday when editing the truthy values, but acco-
rding to ansible-link we can just rely on them being true or false
without comparing.
2022-09-11 08:41:25 +03:00
0240897b1b
Remove Ubuntu 18.04 support 2022-09-10 23:30:04 +03:00
1da0da53ec
roles: use longer format for when conditionals
When the condition is an AND we can use this more succinct format.
2022-09-10 23:12:49 +03:00
677cc9f160
roles/php-fpm: fix truthy-ness in when 2022-09-10 23:12:26 +03:00
ffe7a872dd
roles: strict truthy values
According to Ansible we can use yes, true, True, "or any quoted st-
ring" for a boolean true, but ansible-lint wants us to use either
true or false.

See: https://chronicler.tech/red-hat-ansible-yes-no-and/
2022-09-10 22:33:19 +03:00
fc0fcc5742 roles/common: fix unnamed blocks 2022-09-10 18:35:27 +03:00
587bd6dcdd roles: use fully qualified module names 2022-09-10 18:35:27 +03:00
a2d61abba2
roles/mariadb: update mirror
I started getting 'does not have a Release file' for the old repo-
sitory. Not sure why.
2022-08-14 22:09:47 -07:00
2961578a54
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml

Then I formatted the nftables files manually. Meh...
2022-02-28 18:51:35 +03:00
9e737466c5
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml

Then I formatted the nftables files manually. Meh...
2022-02-04 21:47:37 +03:00
0ffb1b1a36
roles/common: use pyinotify backend for nginx fail2ban jail
This seems to be automatically selected, but on some other servers
I notice it is not. I will set it here explicitly so fail2ban does
not fall back to the inefficient "polling" or incorrect "systemd"
backends.
2022-01-04 15:10:02 +02:00
ebbde530d2
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml

Then I created the nftables files manually. Meh...
2021-12-22 11:40:27 +02:00
f070fd9a64
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
2021-11-07 10:12:43 +02:00
ebd8b0632b
roles/common: Disable unsafe Diffie-Hellman SSH moduli
The WeakDH team showed (in 2015) that Diffie-Hellman key exchange
with prime number groups of 1024 bits or less were weaker than we
previously thought, and well within the reach of nation states. They
recommended (in 2015) using 2048-bit or higher prime groups.

The SSH audit project recommends that we should use 3072-bit now.

See: https://weakdh.org/
See: https://github.com/jtesta/ssh-audit/
2021-10-10 16:57:05 +03:00
df26b6c17e
roles/common: notify fail2ban after updating firewall
We should always restart fail2ban after updating the firewall. Also
note that the order of execution of handlers depends on how they are
defined in the handler config, not on the order they are listed in
the task's notify statement.

See: https://docs.ansible.com/ansible/latest/user_guide/playbooks_handlers.html
2021-09-28 10:45:51 +03:00
d92151b8a6
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml

Note: there were no IPv6 addresses in the top 10,000 this time so I
used a dummy address for the nftables set so the syntax was valid.
2021-09-28 10:28:02 +03:00
b13ead0657
roles/common: use a range for mosh ports in nftables
This is better than a loop in Jinja (though that is useful!).
2021-09-28 07:34:25 +03:00
89fd642b78
roles/nginx: minor rework of acme.sh tasks
After the inital acme.sh script is downloaded and bootstrapped we
can remove it. If a host already has been bootstrapped then there
is no need to download it and do it over again.
2021-09-27 13:40:17 +03:00
65e6dd34cd
roles/common: Add missing section to Debian 11 sshd_config
We need to be able to configure the list of SSH users.
2021-09-27 12:59:27 +03:00
d5eed5055e
roles/nginx: Add support for gitea
gitea hosts are basically webservers, but we need to proxy pass. I
am setting up gitea itself manually for now.
2021-09-27 12:15:47 +03:00
f8752bb3e7
roles/nginx: add todo about document roots
We assume it's always /var/www/$domain_name but it can be overriden
in the host_vars...
2021-09-27 12:05:53 +03:00
170e591701
roles/common: Install rsync and lsof 2021-09-27 11:36:40 +03:00
8d6c3c57c3
roles/nginx: install acme.sh after downloading
This is basically just bootstrapping it. I used to do this by hand
before requesting the certs.
2021-09-27 11:28:02 +03:00
79b29f0c51
roles/nginx: generate snakeoil cert manually
The ssl-cert does this, but it includes the hostname of the server
as the subject name in the cert, which is a huge leak of privacy.
2021-09-27 10:48:24 +03:00
a4acc85704
roles/common: Remove iptables on newer Debian 2021-09-27 10:35:38 +03:00
f7b9aa67f5
roles/common: Fix comment about Debian 10 firewall 2021-09-27 10:31:31 +03:00
341a1bf11e
roles/php-fpm: Install php7.4-xml
The RSS feeds in the WordPress admin dashboard need this.
2021-09-13 10:19:33 +03:00
6ee389eda5
roles/php-fpm: Use concrete dependencies
The php-gd, php-mysql, etc packages are meta packages that just end
up installing the concrete ones for our specific version.
2021-09-13 10:18:40 +03:00
20cd6f213c
roles/common: cache_valid_time explicitly sets update_cache
See: https://docs.ansible.com/ansible/latest/collections/ansible/builtin/apt_module.html
2021-09-08 21:59:51 +03:00
34a30c4d13
roles/common: Don't update apt cache when removing packages 2021-09-08 17:05:48 +03:00
c03e75d736
roles/common: explicitly install systemd-timesyncd
It is a standalone package on (at least) Ubuntu 20.04 and Debian 11
and some cloud images do not have it installed by default (for exa-
mple Scaleway).
2021-09-08 17:04:46 +03:00
d08f10f9c8
roles/common: Fix comment in ntp playbook 2021-09-08 17:04:20 +03:00
8467dc1300
roles/mariadb: Change socket location
Instead of using /var/run, just use /run directly. This is the real
path and it's the default anyways.
2021-09-08 15:50:48 +03:00
635bb5234d
roles/common: fix logic for copying AbuseIPDB.com nft sets
We have to force these because they are not updated on the host like
the other lists (API limit of five requests per day!). We update the
list periodically here in git.
2021-09-08 09:58:13 +03:00
37901da5b5
roles/common: update AbuseIPDB lists for nftables 2021-09-08 09:57:58 +03:00
e36ae3b11e
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
2021-09-08 09:35:36 +03:00
81c1231a28
roles/php-fpm: Fix logic
First, we cannot do a global check for has_wordpress or needs_php,
as those are defined per nginx vhost. Second, I realized that this
was only working in the past because vhosts that had WordPress or
needed PHP were listed first in the nginx_vhosts dict.

This changes the logic to first check if any vhosts have WordPress
or need PHP, then sets a fact that we can use to decide whether to
run php-fpm tasks or not.
2021-09-08 09:32:06 +03:00
bb6f058025
roles/php-fpm: whitespace 2021-09-07 20:12:31 +03:00
547395b26e
roles/nginx: Use php7.4-fpm socket on Debian 11 as well 2021-09-07 17:51:54 +03:00
15208241d3
roles/common: Add git-lfs to base packages 2021-09-07 17:51:33 +03:00
0fd05d496e
roles/nginx: Set mode of downloaded acme.sh 2021-09-07 17:10:35 +03:00
023a0d48ba
roles/nginx: Remove old comment 2021-09-07 17:07:53 +03:00
c687b7a91a
roles/nginx: Run Let's Encrypt on Debian 11 too 2021-09-07 17:07:33 +03:00
bd4ae36bb6
roles/mariadb: use socket for all operations
Otherwise Ansible will try to connect with host 'localhost', which
we do not use (and we have disabled name resolution anyways).
2021-09-07 16:48:15 +03:00
b60637c7d9
roles/mariadb: Update comments for Ansible module 2021-09-07 16:47:47 +03:00
479127a5e4
roles/common: Fix nftables handler in Debian firewall
We used to use reload, but now the idempotent thing to do is to use
restart instead of reload.
2021-09-07 15:43:33 +03:00