Commit Graph

926 Commits

Author SHA1 Message Date
c840ffe018
roles/caddy: improve vhost template
Support domain aliases that redirect to the main domain and allow
sites to say they are static sites where they only need a document
root.
2022-11-13 18:54:03 +03:00
45c9d7ea0a
Pipfile.lock: run pipenv update 2022-11-13 16:50:07 +03:00
a62bc446e8
host_vars/web22: WordPress 6.1 2022-11-06 23:00:41 +03:00
62a6a491db
host_vars/web23: use caddy 2022-11-02 22:30:32 +03:00
4867d6da6a
Add basic caddy role 2022-11-02 22:29:30 +03:00
d9f7c7a93b
group_vars/web: set default webserver to nginx
While I'm still getting experience with caddy and adapting it to my
workloads.
2022-11-02 22:12:36 +03:00
bc8c030700
roles/common: update Tarsnap GPG key 2022-11-02 22:11:37 +03:00
f7598d8f1c
Pipfile.lock: run pipenv update 2022-11-02 20:50:59 +03:00
c353e84a84
site.yml: use fully-qualified modules 2022-10-25 21:08:27 +03:00
99ca23f258
Pipfile.lock: run pipenv update 2022-10-17 19:56:30 +03:00
b663d27fd8
roles/common: rework firewall_Debian.yml playbook
Use newer Ansible task format, move from apt to package module, and
do package installs in one transaction using a list instead of a
loop.
2022-09-12 17:25:40 +03:00
67c99dacf6
roles/common: rework firewall_Ubuntu.yml playbook
Use newer Ansible task format, move from apt to package module, and
do package installs in one transaction using a list instead of a loop.
2022-09-12 17:18:33 +03:00
4abf2b10e4
ansible.cfg: smart fact gathering 2022-09-12 17:18:19 +03:00
f5199264f9
ansible.cfg: disable SSH host key checking 2022-09-12 17:14:39 +03:00
b259f09cbd
roles/common: add SSH public key from other machine 2022-09-12 17:06:31 +03:00
f4b32e516b
roles/mariadb: use newer Ansible task syntax 2022-09-12 10:16:42 +03:00
fcb12ecee0
roles/mariadb: remove sources.list template 2022-09-12 10:13:27 +03:00
5bc03ceacc
roles/mariadb: install packages in single transaction
Using a list we can install these in a single apt transaction. Also
use the newer task format.
2022-09-12 10:12:07 +03:00
c317429f6d
roles/mariadb: rework package signing key and repo 2022-09-12 10:09:41 +03:00
b512a7f765
roles/common: create /etc/apt/keyrings
According the the Debian docs for third-party repositories we must
create this manually on distros before Debian 12 and Ubuntu 22.04.
This is due to changes in apt-secure and the deprecation of apt-key.

See: https://wiki.debian.org/DebianRepository/UseThirdParty
2022-09-12 10:05:12 +03:00
e3a87d4f79
roles/mariadb: MariaDB 10.6
See: https://mariadb.com/kb/en/mariadb-1069-release-notes/
See: https://mariadb.com/kb/en/upgrading-from-mariadb-105-to-mariadb-106/
2022-09-12 09:25:46 +03:00
dec2d50fbc
host_vars/web22: WordPress 6.0.2 2022-09-12 09:00:05 +03:00
34be0013b7
Remove Debian 10 support 2022-09-11 09:21:08 +03:00
399585f4e7
roles: don't compare literal true and false
I changed these yesterday when editing the truthy values, but acco-
rding to ansible-link we can just rely on them being true or false
without comparing.
2022-09-11 08:41:25 +03:00
0240897b1b
Remove Ubuntu 18.04 support 2022-09-10 23:30:04 +03:00
1da0da53ec
roles: use longer format for when conditionals
When the condition is an AND we can use this more succinct format.
2022-09-10 23:12:49 +03:00
677cc9f160
roles/php-fpm: fix truthy-ness in when 2022-09-10 23:12:26 +03:00
ffe7a872dd
roles: strict truthy values
According to Ansible we can use yes, true, True, "or any quoted st-
ring" for a boolean true, but ansible-lint wants us to use either
true or false.

See: https://chronicler.tech/red-hat-ansible-yes-no-and/
2022-09-10 22:33:19 +03:00
95d0005978
Add ansible-lint 2022-09-10 18:36:53 +03:00
498766fdc4
Pipfile.lock: run pipenv update 2022-09-10 18:36:07 +03:00
fc0fcc5742 roles/common: fix unnamed blocks 2022-09-10 18:35:27 +03:00
587bd6dcdd roles: use fully qualified module names 2022-09-10 18:35:27 +03:00
92a4c72809
Pipfile.lock: run pipenv update 2022-08-16 21:24:34 -07:00
a2d61abba2
roles/mariadb: update mirror
I started getting 'does not have a Release file' for the old repo-
sitory. Not sure why.
2022-08-14 22:09:47 -07:00
d2a5a28809
Pipfile.lock: run pipenv update 2022-08-01 15:20:56 +03:00
84c0589aee
host_vars/web22: WordPress 5.9.2 2022-03-31 22:35:15 +03:00
2961578a54
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml

Then I formatted the nftables files manually. Meh...
2022-02-28 18:51:35 +03:00
4d74f76b3c
Pipfile.lock: run pipenv update 2022-02-04 21:47:53 +03:00
9e737466c5
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml

Then I formatted the nftables files manually. Meh...
2022-02-04 21:47:37 +03:00
0ffb1b1a36
roles/common: use pyinotify backend for nginx fail2ban jail
This seems to be automatically selected, but on some other servers
I notice it is not. I will set it here explicitly so fail2ban does
not fall back to the inefficient "polling" or incorrect "systemd"
backends.
2022-01-04 15:10:02 +02:00
68f0b85eb3
Pipfile.lock: run pipenv update 2021-12-22 11:49:24 +02:00
ebbde530d2
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml

Then I created the nftables files manually. Meh...
2021-12-22 11:40:27 +02:00
ab47df6031
Use Python 3.10 with pipenv 2021-12-13 08:38:08 +02:00
de75b2ffb6
host_vars/web22: WordPress 5.8.2 2021-11-30 19:48:18 +02:00
e10d83dadd
Pipfile.lock: run pipenv update 2021-11-30 19:34:46 +02:00
f070fd9a64
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
2021-11-07 10:12:43 +02:00
6e1527b1a8
Pipfile.lock: run pipenv update 2021-11-07 10:11:46 +02:00
ebd8b0632b
roles/common: Disable unsafe Diffie-Hellman SSH moduli
The WeakDH team showed (in 2015) that Diffie-Hellman key exchange
with prime number groups of 1024 bits or less were weaker than we
previously thought, and well within the reach of nation states. They
recommended (in 2015) using 2048-bit or higher prime groups.

The SSH audit project recommends that we should use 3072-bit now.

See: https://weakdh.org/
See: https://github.com/jtesta/ssh-audit/
2021-10-10 16:57:05 +03:00
df26b6c17e
roles/common: notify fail2ban after updating firewall
We should always restart fail2ban after updating the firewall. Also
note that the order of execution of handlers depends on how they are
defined in the handler config, not on the order they are listed in
the task's notify statement.

See: https://docs.ansible.com/ansible/latest/user_guide/playbooks_handlers.html
2021-09-28 10:45:51 +03:00
d92151b8a6
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml

Note: there were no IPv6 addresses in the top 10,000 this time so I
used a dummy address for the nftables set so the syntax was valid.
2021-09-28 10:28:02 +03:00