Commit Graph

611 Commits

Author SHA1 Message Date
55fddf03b3
Remove provisioning user management
It's just too tricky to manage this. Ubuntu / RedHat preseeds and
kickstarts can create the user and add it to groups, but only when
we control the initial boot environment (ie not on Linode, Digital
Ocean, etc), so let's just say we assume this user exists and can
get root with sudo by the some we are running ansible on it.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-02-20 15:06:45 +03:00
6b528ecc92
roles/php5-fpm: Fix creation of pool configs for both tls and non-tls vhosts
Ansible's union thing only works on sets and lists, here we have a
dict.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-02-19 19:41:48 +03:00
b93da27fde
roles/nginx: Create fastcgi cache dir
Or else nginx doesn't start.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-02-19 18:49:39 +03:00
0b90bad6a9
roles/nginx: Add fastcgi caching
Bypasses caching for logged in users (right now only for sessions
where the "wordpress_logged_in" cookie is set. Doubles the trans-
actions per second as measured by siege:

    $ siege -d1 -t1M -c50 https://mjanja.ch

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-02-10 23:04:28 +03:00
4ea152bf51
roles/nginx: Add HTTP headers for web application security
See: https://github.com/h5bp/server-configs-nginx/blob/master/h5bp/directive-only/extra-security.conf
See: https://www.owasp.org/index.php/List_of_useful_HTTP_headers

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-01-24 13:05:42 +03:00
0dc4d3f147
roles/nginx: Add a second OCSP stapling responder
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-01-24 12:44:27 +03:00
7457ac3b93
roles/nginx: Always set HSTS header
nginx 1.7.5 allows us to always set HTTP headers:

See: http://mailman.nginx.org/pipermail/nginx-announce/2014/000145.html

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-01-24 12:40:48 +03:00
c3bc6d949d
roles/nginx: Add nginx rewrites for Yoast WordPress SEO plugin
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-01-23 12:26:24 +03:00
171798c76d roles/common: Add DSA/ECDSA cleanup to ssh tasks
We don't want to support these signature algorithms!

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-01-20 16:31:37 +03:00
0d2763fb59
roles/common: Remove ECDSA SSH public key for aorth@noma
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-01-12 18:19:49 +03:00
d7dd81bc84
roles/common: Add ED25519 SSH public key for aorth@noma
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-01-12 18:19:21 +03:00
13b592dfcd roles/common: Tune sshd_config to be more strict
Disable ECDSA as a signature algorithm and drop some older message
authentication algorithms.

See: https://stribika.github.io/2015/01/04/secure-secure-shell.html

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-01-07 01:47:06 +03:00
a80cb49957 roles/common: Update sshd_config template to explicitly allow the provisioning user
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-01-06 17:45:06 +03:00
3b6c9745ab
roles/common: Add provisioning user to sudoers
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-01-05 08:24:13 +03:00
0f5b088c08 roles/common: Add createhome:yes to provisioning user task
Need to make sure the user gets created on a fresh install, like on
Amazon EC2 or OpenStack images where the first user is `ubuntu' and
you can't assume `provisioning' is already created.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-01-04 02:24:53 +03:00
6ccfdb99fa roles/nginx: Enable OCSP stapling
Reduces round trip time for clients. Note: I am using a certificate
chain in the `ssl_certificate' directive, so as I understand it, I
don't need to use an explicit trusted intermediate + root CA cert
with the `ssl_trusted_certificate' option. See the nginx docs for
more[0]. Addresses GitHub Issue #5.

Seems to be working, test with:

    $ openssl s_client -connect mjanja.ch:443 -servername mjanja.ch -tls1 -tlsextdebug -status

Look for "OCSP Response" with "Cert Status: good".

[0] http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-12-06 23:28:05 +03:00
f23f0713d2
roles/nginx: Enable SPDY header compression
Recommended by Ilya Grigorik to be set to 6.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-12-06 22:40:39 +03:00
15603ba9e8
roles/nginx: Disable SSL session tickets
Session tickets increase performance, but decrease security, so
let's just turn them off.  See the following posts:

- https://timtaubert.de/blog/2014/11/the-sad-state-of-server-side-tls-session-resumption-implementations/
- https://www.imperialviolet.org/2013/06/27/botchingpfs.html
- https://github.com/igrigorik/istlsfastyet.com/blob/master/nginx/includes/ssl.conf

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-12-06 22:37:00 +03:00
23d76a535f
roles/nginx: Set nginx SSL session timeout to 24 hours
Default is 5 minutes, but it seems like unless you're a high-traff-
ic site, there's no need to expire sessions so quickly.  Also, the
istlsfastyet.com configs are using 24 hours, so surely we can.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-12-06 22:19:12 +03:00
d8cd31049b
roles/nginx: Format and add comments to nginx https config
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-12-06 22:17:52 +03:00
be6c76a2af roles/nginx: Set nginx SSL buffer size to 1400
istlsfastyet.com recommends setting the buffer size to 1400 so it
can fit into a single MTU.  nginx default is 16k!

http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-12-06 22:16:07 +03:00
d04293a664
roles/nginx: Set nginx state to 'latest' in apt
This way we can upgrade nginx simply by running the nginx tags.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-12-02 18:48:11 +03:00
956fbefc1a
roles/nginx: Switch to nginx mainline (1.7)
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-11-07 01:02:44 +03:00
3f5634110a
roles/nginx: Add comment about try_files for serving static files from disk
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-11-07 00:41:07 +03:00
c870044584
roles/nginx: Adjust Cache-Control headers
Use "public" with "max-age" instead of Expires, as "max-age" is always
preferred if it's present.  Note: setting "public" doesn't make the
resource "more cacheable", but it is just more explicit.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-11-07 00:29:53 +03:00
08a920d0cb Revert "roles/nginx: Ingenius use of YAML hashes to derive TLS key from another file"
This reverts commit 59b9bd70b8.

Might not be so ingenious.  Can't get this to work anymore...
2014-10-27 21:16:43 +03:00
c3f5e27642
roles/common: Add ECDSA public key for noma
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-12 13:25:48 +03:00
a265e48a9f
roles/common: Remove RSA public key
Both client and server support ed25519, so there's no need to even
have the RSA key here.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-12 13:23:01 +03:00
59b9bd70b8 roles/nginx: Ingenius use of YAML hashes to derive TLS key from another file
This is kinda crazy, but makes the host_vars much easier to read.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-11 15:42:44 +03:00
5e0da37542
roles/common: Remove task which removes irqbalance
Prevailing wisdom is actually that this *can* help virtual hosts,
especially when the VM guest has multiple CPUs.

See: http://wiki.xen.org/wiki/Network_Throughput_and_Performance_Guide

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-11 13:31:23 +03:00
1ee7b385bf
roles/common: Rename SSH keys
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-11 13:19:32 +03:00
1e2193efc9
roles/common: Add functionality to copy user keys to provisioning user
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-11 12:13:45 +03:00
c53dd18181
roles/common: Add role to manage provisioning user
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-11 12:11:44 +03:00
42b893b2a7
roles/nginx: Add expires to static files
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-10 11:05:42 +03:00
81a98596e3
Downgrade TLS configuration to Mozilla's "intermediate" spec
From looking at the list of clients who would be allowed to connect
when using the "modern" spec, I think I'd be doing more harm than
good to use that config right now...

https://www.ssllabs.com/ssltest/analyze.html?d=alaninkenya.org
https://wiki.mozilla.org/Security/Server_Side_TLS

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-09 21:09:18 +03:00
d06ddf8a81
roles/nginx: Update TLS vhost task for Ansible > 1.7.1
Seems there is some YAML sublety that causes this syntax to insert
double spaces on the destination file... using native YAML hashes
are a workaround, see GitHub issues:

https://github.com/ansible/ansible/issues/9067
https://github.com/ansible/ansible/issues/9172

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-09 20:57:24 +03:00
ad8a704470
Update TLS configuration to Mozilla's "modern" spec
Details, see:

- https://jve.linuxwall.info/blog/index.php?post/2014/10/09/Automated-configuration-analysis-for-Mozilla-s-TLS-guidelines
- https://wiki.mozilla.org/Security/Server_Side_TLS

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-09 20:56:08 +03:00
ad90f7f0fb
roles/nginx: Use HSTS for https vhosts
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-06 10:46:04 +03:00
fd9c6f31cb
roles/nginx: Add index to munin vhost
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-05 15:47:14 +03:00
e741a77c00
roles/common: Add unzip to Ubuntu base packages
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-05 15:21:47 +03:00
6d07af97f3
roles/php5-fpm: Fix php.ini reconfiguration (pathinfo)
Use replace instead of lineinfile, addresses GitHub issue #1.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-09-14 12:34:44 +03:00
3d3b6c8a3f
roles/php5-fpm: Fix pool creation for vhosts
Now loops over both http and https vhosts properly. Fixes GitHub
issue #2.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-09-14 12:19:26 +03:00
e6ffdf8652
roles/nginx: Update nginx https stuff
- re-organize tls vhost configuration
- copy TLS cert from host_vars directly to file

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-09-13 23:16:54 +03:00
be0e0ea21a
roles/common: Remove irqbalance
We're a VM, we don't have IRQs.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-09-07 23:51:52 +03:00
2156f8b07d
roles/nginx: Tweaks for vhosts with WordPress
My WordPress blogs have a /wordpress subdirectory in the document
root, but I don't serve from the /wordpress URI.

Technically, all we need is the tweaks to the try_files:
    - `?args` passes query strings to php5-fpm
    - removing 404 from the vhost's try_files so we don't return 404
    when the requested file doesn't exist (obviously not all request
    URI's in WordPress are actual files on the disk)

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-09-07 22:51:34 +03:00
df65172952
roles/common: Add lrzip to base packages
Provides good mix of compression/decompression speed with size,
see: http://ck.kolivas.org/apps/lrzip/README.benchmarks

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-09-07 16:32:06 +03:00
162197ad25
roles/nginx: Re-work vhost template to support HTTPS
Assumes you have a TLS cert for one domain, but not the others, ie:

    http://blah.com \
    http://blah.net  -> https://blah.io
    http://blah.org /

Otherwise, without https, it creates a vhost with all domain names.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-09-06 21:32:37 +03:00
05faeecc5d
roles/mariadb: Quote the password in .my.conf template
Ansible's mysql module can get this password and connect fine, but
`mysql` on the command line chokes if the password is slightly
complicated and is not quoted.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-09-01 12:41:56 +03:00
5166ebf219
roles/munin: Fix nginx template
Accidental syntax error came in when I removed the dns domain

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-28 22:08:32 +03:00
e24464941f
roles/mariadb: Create WordPress db/users when necessary
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-28 14:29:23 +03:00
850a6a8da3
roles/mariadb: Add plays for creating WordPress db/users
Relies on the host having a dict with appropriate values defined,
for example:

  wordpress_blogs:
    - site_name:            blah.com
      wordpress_version:    3.9.2
      wordpress_db_user:    db_user
      wordpress_db_name:    db_name
      wordpress_db_pass:    V9&XvvKu1hYl

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-28 12:47:30 +03:00
fafd475f6b
roles/nginx: Add index to vhost config
Without this, all requests to directory URIs throw 403 errors due
to directory listings not being allowed.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-28 12:27:24 +03:00
41b1ab79c2
roles/php5-fpm: Update comment
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-28 11:25:35 +03:00
0b8e0c38bf
roles/nginx: Per-vhost logs
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-27 20:26:12 +03:00
5bbec6716c
roles/nginx: Use template to configure nginx vhosts
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-27 20:03:34 +03:00
75a705ac87
roles/nginx: Add defaults for nginx role
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-27 20:02:29 +03:00
ff95a34605
roles/nginx: Add vim modeline to main.yml
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-27 20:00:42 +03:00
0689153bd9
roles/php5-fpm: Use template for pools
Each vhost has a separate pool.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-27 19:48:21 +03:00
2afa1ef2f3
roles/munin: Remove dns domain
Don't really need this, as we only have one server.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-27 15:57:28 +03:00
775f0e7f5f
roles/mariadb: Install python bindings for ansible's mysql module
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-27 15:56:54 +03:00
60b8ecdd4c
Initial commit
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-08-17 00:35:57 +03:00