Commit Graph

453 Commits

Author SHA1 Message Date
5f8820bf9f
roles/common: Remove Ubuntu 14.04 logic
We're only supporting Ubuntu 16.04 now.
2017-11-05 01:11:37 +02:00
7fd6127d29
roles/common: Remove check for CentOS in sshd task
I'm not supporting CentOS here so we don't need to check this.
2017-11-05 01:01:37 +02:00
f76fc64afa
roles/common: Remove unused sshd_config templates
We're not supporting Ubuntu 14.04 or 15.04 anymore so we don't need
these templates.
2017-11-05 00:59:19 +02:00
77a3b1cff7
roles/common: Remove Debian 8 sshd_config template 2017-11-05 00:58:03 +02:00
b0524d2a2e
Remove references to Debian 8
I don't need or want to support Debian 8 anymore so I can remove all
references to it in comments and code.
2017-11-05 00:54:53 +02:00
b87f2e2fb0
roles/common: Use command module instead of shell
You should only use the "shell" module when you need shell functions
like flow control and redirects. Also, the "command" module is safer
because it is not affected by the user's environment.
2017-11-05 00:49:03 +02:00
58598f470c
roles/mariadb: Remove start/enable task
After installation the mariadb service is started and enabled, so we
don't need to do that explicitly.
2017-11-05 00:28:07 +02:00
9b4f662bc5 roles/nginx: Use systemd module instead of service 2017-11-05 00:27:44 +02:00
2d6819986f roles/munin: Use systemd module instead of service 2017-11-05 00:27:44 +02:00
0d694d44c8 roles/php-fpm: Update comment about Debian 9 2017-11-05 00:27:44 +02:00
51183617b8 roles/php-fpm: Reload service instead of restarting
No need to bounce the service for most config changes when we can just
tell the daemon to reload gracefully.
2017-11-05 00:27:44 +02:00
2a230ceff4 roles/php-fpm: Use systemd module instead of service 2017-11-05 00:27:44 +02:00
7aafa1553b roles/mariadb: Use systemd module instead of service 2017-11-05 00:27:44 +02:00
b6a54ca4d1 roles/common: Reload firewalld instead of restart
There is no need to bounce the service, just reload it.
2017-11-05 00:27:44 +02:00
0a92f3ae8f roles/common: Use systemd module instead of "service"
This was new in Ansible 2.2 but I didn't notice until now. All of our
servers are running distributions with systemd so let's just use this.
2017-11-05 00:27:44 +02:00
0e409792ca
roles/mariadb: Update comment with link to MySQL module docs 2017-11-05 00:26:32 +02:00
7b60e6d24f
Revert "Import OS-specific vars in tasks instead of play"
This reverts commit e30e4d4b1e.

I suspect this was a side effect of using Python 3 rather than an
issue in Ansible 2.4.0.0.
2017-11-04 23:53:38 +02:00
63c5477f85
Revert "roles/common: Use static imports for tasks"
This reverts commit 5147f4029b.

I think this was a side effect of using Python 3, not a regression in
Ansible 2.4.0.0.
2017-11-04 23:53:25 +02:00
620e8258ac
roles/common: Remove duplicate option in sshd_config 2017-11-01 13:22:18 +02:00
5147f4029b
roles/common: Use static imports for tasks
Something seems to have happened as of Ansible 2.4.0.0 where this no
longer works. I suspect it is related to the major changes to static
and dynamic imports that landed around this same time.

In practice this achieves the same function, but without the "magic"
ability to use one task for different operating systems.
2017-11-01 01:25:46 +02:00
e30e4d4b1e
Import OS-specific vars in tasks instead of play
Something seems to have happened as of Ansible 2.4.0.0 where this no
longer works. I suspect it is related to the major changes to static
and dynamic imports that landed around this same time.

We make sure that this tasks always runs by using the special tag of
the same name.
2017-11-01 01:21:48 +02:00
73e6d0b7ed
roles/nginx: Fix issue raised by ansible-lint
[ANSIBLE0006] systemctl used in place of systemd module

Also, move the functionality of the changed check to the systemd task,
because it has the ability to simply daemon-reload itself now.
2017-10-31 23:18:15 +02:00
4ad4d79b3d
roles/munin: Fix issue raised by ansible-lint
[ANSIBLE0010] Package installs should not use latest
2017-10-31 22:41:40 +02:00
f362207616
roles/munin: Fix issue raised by ansible-lint
[ANSIBLE0002] Trailing whitespace
2017-10-31 22:39:34 +02:00
e043cd7dfe
roles/munin: Fix issue raised by ansible-lint
[ANSIBLE0010] Package installs should not use latest
2017-10-31 22:38:32 +02:00
15bf4727c1
roles/common: Add names to include tasks
I'm not sure why these weren't caught by ansible-lint.
2017-10-03 17:46:55 +03:00
e86e2c081b
roles/nginx: Use 'present' instead of 'latest' to install nginx
Raised by the following rule in ansible-lint:

[ANSIBLE0010] Package installs should not use latest
2017-10-03 15:04:54 +03:00
5281d41445
Add names to include tasks
Raised by ansible-lint in the following rule:

[ANSIBLE0011] All tasks should be named
2017-10-03 15:03:09 +03:00
a38e2a4ff6
roles/mariadb: Use MariaDB 10.2 from vendor repo
I can't remember right now why I needed to use Debian's MariaDB build
but now I just want to use upstream's latest stable. Debian's version
is 10.1 and upstream has moved on to 10.2.
2017-09-26 15:15:27 +03:00
ff6253213a
roles/common: Rename "iptables" task to "firewall" 2017-09-26 14:32:21 +03:00
818cbfd533
roles/common: Enable firewalld in Debian 9 2017-09-26 14:30:18 +03:00
58245e3480
roles/common/tasks/main.yml: Remove comment 2017-09-22 15:53:01 +03:00
16a9ebf97f
Adjust playbooks for Ansible 2.4 import changes
Ansible 2.4 changes the way includes work. Now you have to use "import"
for playbooks and tasks that are static, and "include" for those that
are dynamic (ie, those that use variables, loops, etc).

See: http://docs.ansible.com/ansible/devel/playbooks_reuse_includes.html
2017-09-21 21:30:47 +03:00
d518bc51a4
Use nginx user instead of www-data on Debian 9
Using www-data was a temporary measure while I was waiting for the
official nginx.org packages to be released for Debian 9 and we had
to use Debian's own nginx package.
2017-06-19 18:36:13 +03:00
b945240756
roles/common: Harden sshd_config template for Debian 9 and Ubuntu 16.04
From: https://wiki.mozilla.org/Security/Guidelines/OpenSSH
2017-06-19 10:13:24 +03:00
b2d3984c5a
roles/nginx: Fix PHP-FPM socket location on Debian 9
Debian 9 and Ubuntu 16.04 use the same PHP-FPM configuration so we
can make use of that here.
2017-06-18 11:04:30 +03:00
4f22052afe
roles/common: Remove duplicate timezone task
We set it in the separate ntp.yml playbook now, as there are a few
different systems we cater to (systemd, old ntp, etc).
2017-06-18 09:30:05 +03:00
ffac0b8afd
roles/common: Update apt cache in tarsnap step
This fails on clean installs otherwise.
2017-06-18 09:27:53 +03:00
f9a0f9e6bf
roles/php-fpm: Update php7.0-php.ini.j2
Minor comment updates from the latest version from Ubuntu 16.04.
2017-05-28 15:46:15 +03:00
f85c5f3605
roles/php-fpm: Update defaults
Latest defaults from the PHP.net opcache documentation:

    https://secure.php.net/manual/en/opcache.installation.php
2017-05-28 15:45:05 +03:00
4ff2ac1737
roles/nginx: Update comment about nginx versions
Version 1.12.x is now stable and 1.13.x is now mainline.

See: https://www.nginx.com/blog/nginx-1-12-1-13-released/
2017-04-14 16:07:33 +03:00
a7a6fa38c9
roles/nginx: Official builds for Debian Stretch
Now that there are official nginx.org builds for Debian 9 we don't
need to use Debian's own nginx packages.
2017-04-14 16:06:32 +03:00
f53f3c8e7a
roles/php-fpm: Update php7.0-php.ini template
Sync with latest packaged version from Debian 9. Effectively this
only updates comments and disabled options, but having less changes
to look at during an apt upgrade is nice and reduces the chance of
adding errors.
2017-03-06 12:53:17 +02:00
5b51fcedc2
roles/nginx: Sort packages for Let's Encrypt deps on Ubuntu 2017-02-16 18:16:09 +02:00
a6f0d5f7d3
roles/nginx: Add package deps for Let's Encrypt on Debian 9
Taken from running certbot-auto on a clean Debian 9 installation.
2017-02-16 18:15:06 +02:00
d766c3dbbe
roles/common: Add tasks to install tarsnap
Now that Tarsnap has official packages this is one less thing that
needs to be manually installed from source after bringing a machine
up.

See: http://mail.tarsnap.com/tarsnap-announce/msg00037.html
2017-02-07 07:28:35 -08:00
47407188cb
roles/mariadb: Use Debian's MariaDB packages for now
MariaDB actually already has Debian 9 (stretch) packages, but they
seem to cause issues with how I'm deploying. I'll skip them for now
I think.
2017-01-30 16:54:22 +02:00
e13ef95f70
roles/nginx: Update nginx.conf.j2
This is to accomodate Debian's 9 nginx package, as it provides a
different system user/group than nginx.org's packages.
2017-01-30 15:45:50 +02:00
6de385021d
roles/nginx: Updates to accomodate Debian 9 (stretch)
There are currently no nginx.org builds for Debian 9, so we need to
use the package from Debian's repository. This package provides a
www-data user and group instead of an nginx one.

We can revert some of this after Debian 9 is released and official
builds come from nginx.org (though it might be useful to keep the
main nginx.conf as a template).
2017-01-30 15:43:03 +02:00
8c3a8fc26a
roles/php-fpm: Updates for Debian 9 (stretch)
Debian 9 is still in beta and doesn't have nginx.org builds yet, so
we need to use the nginx package in Debian's repositories, and that
required a bit of a different configuration.

After official nginx.org builds are released we can revert this.
2017-01-30 15:11:39 +02:00
1fef5c9b5a roles/common: Add sshd_config for Debian 9 (stretch)
Taken from base install and diffed against the current Ubuntu 16.04
and Debian 8 config templates.
2017-01-30 14:56:27 +02:00
9ca685a6af
roles/common: Adjust allowed user logic for Ubuntu 16.04 sshd_config 2017-01-30 12:54:35 +02:00
0d79769a5f
roles/php-fpm: Update php.ini template
Updates from upstream config.
2017-01-19 15:25:15 +02:00
50536af990
Use Ansible's version_compare instead of doing math on strings
I'm surprised this worked all these years actually. Since Ansible
version 1.6 it has been possible to use the version_compare filter
instead of doing math logic on strings.

See: https://docs.ansible.com/ansible/playbooks_tests.html
2016-12-20 15:04:47 +02:00
d694616cf3
roles/nginx: Make sure to set HSTS headers on WordPress static files
I realized the other day that due to complex logic in the location
blocks, various WordPress static files like images and stylesheets
didn't get the HTTP Strict Transport Security header set. We need
to include it on each level where we are setting headers, because
nginx overwrites headers if you set them again in a child block.
2016-11-20 17:25:01 +02:00
30a5744812
roles/nginx: Decrease gzip_min_length from 860 to 256
There was some knowledge floating around that 860 bytes was the
optimal size, I think it was from an Akamai engineer or something,
but the HTML 5 Boilerplate server configs use 256 bytes, and I
actually have HTML content that is less than 860 bytes, so I guess
I could benefit from compressing it. gzip compression is costly
for the compression side, but very quick for the client, so this
is a good thing.

See: https://github.com/h5bp/server-configs-nginx/blob/master/nginx.conf
2016-11-14 12:46:34 +02:00
c1cecd4cbf
roles/nginx: Update comment for gzip_comp_level
From the HTML 5 Boilerplate server configs, see:

https://github.com/h5bp/server-configs-nginx/blob/master/nginx.conf
2016-11-14 12:32:39 +02:00
61919745c8
roles/nginx: Update gzip compression types
Latest from the HTML 5 Boilerplate project, see:

https://github.com/h5bp/server-configs-nginx/blob/master/nginx.conf
2016-11-14 12:28:18 +02:00
36c16e93bb
roles/nginx: Reduce gzip_comp_level from 6 to 5
After performing some tests[0] again I see that level 5 produces
the most acceptable results for my site currently. Others[1] are
using the same, so I'll gladly accept a little less CPU load for
a tradeoff of a few bits of file size.

[0] https://mjanja.ch/2015/03/finding-the-nginx-gzip_comp_level-sweet-spot/
[1] https://github.com/h5bp/server-configs-nginx/blob/master/nginx.conf
2016-11-14 12:08:21 +02:00
a94b14119e
roles/nginx: Increase error log level to warn
This will show warnings in the error log, as well as more severe
log messages.

See: http://nginx.org/en/docs/ngx_core_module.html#error_log
2016-11-14 11:58:51 +02:00
3d6844a7b7
roles/nginx: Update comments in nginx.conf
Update comments from latest copy of the HTML 5 Boilerplate's nginx
server configs repo.

See: https://github.com/h5bp/server-configs-nginx/blob/master/nginx.conf
2016-11-14 11:55:37 +02:00
3a8b64a5ab
roles/nginx: Remove 'public' from Cache-Control header
If a max-age is specified the 'public' is implicit.

See: https://developers.google.com/web/fundamentals/performance/optimizing-content-efficiency/http-caching
2016-11-14 07:58:46 +02:00
a5f8ab6182
roles/nginx: Harden security headers
Always add security headers, not just for successful HTTP response
codes. See the nginx `add_header` docs.
2016-11-13 23:45:42 +02:00
99caf49a90
roles/nginx: Minor typo in comment 2016-10-18 21:41:46 -04:00
3d6afc667d
roles/nginx/tasks/letsencrypt.yml: Add system deps for certbot
Shit ton of dependencies actually... wow.
2016-10-09 14:06:06 +03:00
651c01a29b
Set use_letsencrypt to true for nginx role
The variable name is misleading as this really does is install the
certbot client and its dependencies, and we generally want this to
always happen. If a host doesn't want it, they can override it in
their host vars.

Perhaps I should rename this variable to "bootstrap_letsencrypt" or
something so it is more accurate.
2016-10-09 11:59:21 +03:00
75ef77e3cc
roles/common: Don't set up apt sources on arm
The package archives appear to be different for some reason.
2016-09-29 16:47:44 +03:00
158df52e35
roles/nginx: Fix systemd unit for renewing Let's Encrypt certs
The `ConditionFileIsExecutable` goes in the [Unit] section! This
fixes the error:

  systemd[1]: [/etc/systemd/system/renew-letsencrypt.service:6] Unknown lvalue 'ConditionFileIsExecutable' in section 'Service'
2016-09-25 15:55:45 +03:00
422caec2a7
roles/nginx: Only add PHP configuration on vhosts that need it 2016-09-13 15:59:24 +03:00
586ad76d6b
roles/nginx: Only use index.php on hosts that need it
Otherwise, use index.html.
2016-09-13 15:58:40 +03:00
bf7accdade
roles/php-fpm: Only create pools for vhosts that need PHP
Only vhosts running WordPress, etc need PHP. Make sure to set the
appopriate variables for each vhost in the host's vars, ie:

  nginx_vhosts:
    - domain_name:   example.com
      has_wordpress: True

    - domain_name:   example.net
      needs_php:     True

You can set either of them, but not both—needing WordPress implies
needing PHP.
2016-09-13 15:58:09 +03:00
740e5195a0
roles/nginx: Add new variable "needs_php"
Used to indicate if a vhost needs PHP configuration or not, like
for a static site. Set in the hosts's nginx_vhosts block. Defaults
to "False" if unset.
2016-09-13 14:53:12 +03:00
4866083539
roles/nginx: Update comment for option variables 2016-09-13 14:51:49 +03:00
d1871d9706
roles/nginx: Check for variable existence before testing
Some vhosts might not have WordPress so we need to be better about
testing for this before checking its value.
2016-09-12 20:58:21 +03:00
e036349661
roles/nginx: Only check WordPress variables is vhost is using WordPress
This variable is used to control the FastCGI cache, and doesn't
need to be checked if the vhost isn't using WordPress.
2016-09-12 20:57:10 +03:00
5f656285c0
roles/common: Add a dedicated playbook for ntp tasks
Hosts with systemd should use its NTP client and explicitly remove
the `ntp` packages. Hosts with older init systems should use `ntp`.
2016-08-25 14:19:51 +03:00
8851f8f631 Revert "Only update packages indexes if the cache is 1 hour old"
This reverts commit 201165cff6.

Turns out this actually breaks initial deployments, because the
cache gets updated in the first task, then you add sources for
nginx and mariadb, but it doesn't update the indexes because the
cache is < 3600 seconds old, so you end up getting the distro's
versions of nginx and mariadb.
2016-08-25 12:58:15 +03:00
da6d1e05b9
roles/common: Don't use ansible facts when we don't need to
No use testing the distro version only to use an ansible fact to
find the correct template.
2016-08-24 10:11:13 +03:00
861b5c5413
roles/common: Remove old comment from main playbook 2016-08-22 16:35:02 +03:00
6c6ff1b112
roles/common: Use ansible facts to reduce includes 2016-08-22 16:34:05 +03:00
bd318c5754
Use long GPG key id fingerprints 2016-08-22 16:30:20 +03:00
14de9caed8
roles/common: Use https for Ubuntu Extras repo signing key
Missed this in the earlier commit where I changed to https:// for
transporting apt keys.
2016-08-22 16:28:24 +03:00
c8adba0580
roles/nginx: Add nginx signing key id to apt_key task
When you give Ansible the key id it will check if the key exists
before trying to download and add it. I got the long fingerprint
from `sudo apt-key finger`.
2016-08-22 16:20:10 +03:00
c9ef9e24f5
Use https:// for fetching apt package signing keys
I don't know why I wasn't using these before.
2016-08-22 16:06:13 +03:00
96500a6e33
roles/mariadb: Use Ubuntu 16.04 (xenial) builds
When I originally deployed Ubuntu 16.04 there were no public xenial
MariaDB builds yet, so I used wily (15.10). Now there are official
xenial builds so we can use them instead.
2016-08-22 16:00:45 +03:00
201165cff6
Only update packages indexes if the cache is 1 hour old
I have added cache_valid_time=3600 for the first task in each
tag that could be possibly running apt-related commands. For ex,
the "nginx" tag is also in the "packages" tag, but sometimes you
run the nginx tag by itself (perhaps repeatadely), so you'd want
to limit the update unless the cache was 1 hour old
2016-08-22 15:33:57 +03:00
8a70b526ee
roles/common: Remove extra systemd-timesyncd task
Now it runs in the main play for all Ubuntu and Debian hosts, as
currently they all use systemd.
2016-08-22 15:29:36 +03:00
0445c3cdee
roles/php-fpm: Set timezone in php.ini template
Since we're using a variable for the timezone for systemd-timesyncd
anyways, we can also use it for PHP's config.
2016-08-22 12:56:50 +03:00
d3a6e71ab8
roles/common: Use service module to enable systemd NTP client instead of timedatectl
The `timedatectl set-ntp on` command is actually just enabling the
systemd service anyways, so it's better we use Ansible's service
module.
2016-08-22 12:49:00 +03:00
aa8735e0ea
roles/nginx: Use explicity booleans for tests instead of "yes" and "no"
Better to be explict with booleans rather than being confused when
you mix up yes and "yes" with Ansible/Python testing of conditionals.
2016-08-17 12:55:14 +03:00
de704a917f
roles/nginx: use boolean for use_letsencrypt instead of string "yes"
This is very confusing when you forget about how Ansible/Python is
testing conditionals. Let's use actual booleans so it's more clear.
2016-08-17 12:42:48 +03:00
60c498f5ae
roles/nginx: Add sanity check to systemd service for renewing Let's Encrypt certs
Just in case, we'd better make sure that certbot is installed and
usable (+x) before we try running it.
2016-08-17 12:27:33 +03:00
2a78c5cf59
roles/nginx: Add sanity check for use_letsencrypt variable
Not all hosts will have this, so this task will flat out fail. We
better check to see if it exists before we try to use it. ;)
2016-08-17 12:27:24 +03:00
f798e47ad8
roles/nginx: Add 'force=yes' to WordPress git repo clone
I never modify file in the git repo, but the WordPress updater does
updates from the web (for example TwentySixteen theme), and this
always causes the task to fail when I switch WordPress versions.
2016-08-17 11:39:10 +03:00
8bee2d7a72
Revert "roles/nginx: Only run Let's Encrypt checks once a day"
This reverts commit a38d822fad.

The docs definitely recommend twice a day. From a note on certbot's
installation page:

> if you're setting up a cron or systemd job, we recommend running
> it twice per day (it won't do anything until your certificates
> are due for renewal or revoked, but running it regularly would
> give your site a chance of staying online in case a Let's
> Encrypt-initiated revocation happened for some reason). Please
> select a random minute within the hour for your renewal tasks.

See: https://certbot.eff.org/#ubuntuxenial-nginx
2016-08-17 11:30:10 +03:00
b7c92e4dc1
roles/common: Remove 128-bit Ciphers and MACs from sshd_config
I had removed them from Debian 8 and Ubuntu 14.04 configs last year
when the NSA's Suite B crypto guidelines dropped 128-bit algorithms
but those changes didn't make it to my new Ubuntu 16.04 config.

It is probably overkill and paranoid, but this server is mine, so I
can make those decisions (and I only connect from modern clients).
2016-08-16 14:28:58 +03:00
33cdcc9ad1
roles/common: Add a few SHA-2 MACs to sshd_config
Fixes a problem with Paramiko, which Ansible uses for transport.

See: http://www.paramiko.org/changelog.html#1.16.0
See: https://github.com/ilri/rmg-ansible-public/issues/37
2016-08-16 14:24:53 +03:00
e343ddc9a6
Add 'packages' tag to any task doing package stuff
For idempotence we need to run all apt-related tasks, like editing
source files, adding keys, installing packages, etc, when running
the 'packages' tag.
2016-08-14 16:33:48 +03:00
b284098485
roles/nginx: Add mitigation for HTTPoxy vulnerability
Malicious requests including the HTTP_PROXY value will be able to
manipulate some server-side libraries. Better to just block them
in nginx.

See: https://httpoxy.org/
See: https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
2016-07-21 14:45:41 +03:00
a38d822fad
roles/nginx: Only run Let's Encrypt checks once a day
I can't remember where I had seen it recommended to be twice a day,
but it seems overkill.
2016-07-08 13:50:11 +03:00
b2e2d7bb9e
roles/nginx: Better names for Let's Encrypt timer/service 2016-07-07 14:36:29 +03:00
78dbdae783
roles/nginx: Fix variable check in HTTPS template
Don't assume the variables for TLS certs exist.
2016-07-05 19:42:56 +03:00
0cd2735c82
roles/nginx: Rework Let's Encrypt stuff
Take an opinionated stance on HTTPS and assume that hosts are using
HTTPS for all vhosts. This can either be via custom TLS cert/key
pairs defined in the host's variables (could even be self-signed
certificates on dev boxes) or via Let's Encrypt.
2016-06-27 23:52:39 +03:00
1254cea195
roles/nginx: Replace "&" with "and" 2016-06-27 19:13:20 +03:00
b7ab2da08a
roles/nginx: Allow usage of Let's Encrypt certs
Hosts can specify use_letsencrypt: 'yes' in their host_vars. For
now this assumes that the certificates already exist (ie, you have
to manually run Let's Encrypt first to register/create the certs).
2016-06-27 19:07:48 +03:00
8f43bf28fd
roles/nginx: Add IPv6 DNS resolvers
From Linode's Frankfurt datacenter.
2016-06-27 18:40:25 +03:00
a0b31ee86c
roles/nginx: Prioritize DNS resolvers in Frankfurt
The server is in Linode's DE datacenter so let's use those resolvers
instead of the ones in London.
2016-06-27 18:32:59 +03:00
09feb9a40c
roles/mariadb: Add "ansible managed" header to managed files 2016-06-27 18:09:04 +03:00
2efe2479ad
roles/mariadb: Use mariadb_databases instead of wordpress_blogs for variable 2016-06-27 18:08:02 +03:00
b41bd432df
roles/nginx: Add "ansible managed" string to configs
Generates a placeholder text to say that the file is managed by
ansible.
2016-06-27 17:50:49 +03:00
06034a8b8b
roles/common: Use systemd's timedatectl for time stuff
Debian 8 and Ubuntu 16.04 use systemd, so we can make use of its
NTP stuff rather than using the standalone `ntp` package.
2016-06-27 10:30:11 +03:00
24ca33c605
roles/nginx: Disable rules for Yoast SEO
Not using Yoast anymore. Now using the much simpler SEO Framework:

https://github.com/sybrew/the-seo-framework
2016-06-02 11:03:35 +03:00
1ed7d45c7f
roles/nginx: Fix comment about version numbers 2016-05-27 08:14:46 +03:00
93451e6c5e
roles/nginx: Use mainline branch by default
Has all the good stuff:

    http://nginx.org/en/CHANGES
2016-05-27 08:14:04 +03:00
33f22b32a4
roles/common: Update sources for cron-apt
The system's apt configuration is using restricted and multiverse
so the security sources list should as well.
2016-05-05 12:16:37 +03:00
6837b48fae
roles/nginx: Switch default version to 1.10.x (stable) 2016-04-27 15:05:19 +03:00
447db17e33
roles/nginx: Update apt sources for Ubuntu now that nginx 1.10.0 is out 2016-04-27 15:04:17 +03:00
81e6af8f2b
roles/nginx: Add IPv6 listener in default HTTPS vhost 2016-04-25 21:49:41 +03:00
1ffc4eebc9
roles/nginx: Use default_server instead of default
Seems to be the new keyword for quite some time now, despite not
causing an error:

    http://nginx.org/en/docs/http/server_names.html
2016-04-25 21:48:36 +03:00
03519831cb
roles/nginx: Return HTTP 444 for requests to invalid hostnames
444 is a special nginx return code that means the request was
closed without a response, see:

    http://nginx.org/en/docs/http/request_processing.html
2016-04-25 21:45:21 +03:00
37b4809546 roles/nginx: Add IPv6 DNS resolvers for OCSP stapling 2016-04-25 13:25:05 +03:00
cd77b088e9
Fix a few references to php5-fpm
Unless we really mean php5-fpm, let's just say php-fpm.
2016-04-25 12:33:12 +03:00
6bf9aec64e
roles/php-fpm: Add some packages needed by Piwik on PHP7 2016-04-24 19:04:29 +03:00
0bed8e4c0b
roles/nginx: Fix for path to PHP-FPM socket on Ubuntu 16.04 2016-04-22 18:19:30 +03:00
4a99c73d62 roles/php-fpm: Add php.ini and pool.conf for PHP 7 2016-04-22 11:25:35 +03:00
da63e67614 roles/php-fpm: Split up task for Debian and Ubuntu
Debian 8 and Ubuntu 16.04 use PHP 5.6 and 7.0, respectively, and
the php-fpm versions use slightly different configs and service
names.
2016-04-22 11:25:35 +03:00
904bb9c094 roles/php-fpm: Rename tags from php5-fpm to php-fpm 2016-04-22 11:25:35 +03:00
8d4ee6f430 Rename php5-fpm role to php-fpm
In Ubuntu 16.04 the package is now called just "php-fpm" and it
makes more sense to just have this role be called that.
2016-04-22 11:25:35 +03:00
f90eff6b1a roles/nginx: Update sources.list template for Ubuntu 16.04
Use Ubuntu 15.10 builds for now.
2016-04-22 11:25:35 +03:00
419d0c7e9a roles/mariadb: Remove old MariaDB sources.list 2016-04-22 11:25:35 +03:00
35d0bee6cf roles/mariadb: Use a template for sources
When you use the apt_repository module it adds a sources.list with
an annoying filename, and also it's just easier to use a template
when we have different distros/versions to support.
2016-04-22 11:25:35 +03:00
a0bb4c2f57 roles/common: Add sshd_config for Ubuntu 16.04 2016-04-22 11:25:35 +03:00
d265b522e8 roles/common: Update iptables for Ubuntu 16.04
Basically, anything after 15.04 is using firewalld.
2016-04-22 11:25:35 +03:00
ad232a7a8b
roles/common: Remove old SSH key 2016-04-22 11:24:35 +03:00
bedc820312
roles/mariadb: Manage /etc/mysql/my.cnf
Set some sane defaults and manage the config file with a template.
2016-04-22 10:08:32 +03:00
ebf79c5b07
roles/nginx: Add missing nginx tag
The creation of the fastcgi cache dir is part of the nginx role and
should be labled as such. In situations where you only run nginx
tasks with `-t nginx` nginx will fail to start due to the missing
cache dir.
2016-04-15 12:29:35 +03:00
c8d2783159
roles/php5-fpm: Update php.ini from latest upstream
Debian 8.4 shipped with a new php.ini. It's mostly just updates to
comments and default values.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2016-04-02 20:14:53 +03:00
d50212c66c roles/nginx: Remove extra semi colon in HSTS preload header
Google's preload check application pointed out that there was an
extra semi colon in the HTTP header:

    $ hstspreload checkdomain alaninkenya.org

    Warning:

    1. Syntax warning: Header includes an empty directive or extra semicolon.

The tool can be downloaded here: https://github.com/chromium/hstspreload

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2016-03-31 13:35:44 +03:00
fe6c733cae
roles/nginx: Turn on tcp_nopush in nginx.conf
It seems tcp_nopush is meant to be used with sendfile in newer
versions of nginx.

See: https://github.com/h5bp/server-configs-nginx/blob/master/nginx.conf
See: https://t37.net/nginx-optimization-understanding-sendfile-tcp_nodelay-and-tcp_nopush.html

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2016-03-14 00:07:35 +02:00
250b196bf8
roles/nginx: Add comment for sendfile option
From: https://github.com/h5bp/server-configs-nginx/blob/master/nginx.conf

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2016-03-12 19:27:56 +02:00
89bee2e6db
roles/nginx: Add comment for gzip_vary
From: https://github.com/h5bp/server-configs-nginx/blob/master/nginx.conf

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2016-03-12 19:25:57 +02:00
27a3ee9651
roles/nginx: Add cache control header for SVG images
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2016-03-12 19:17:40 +02:00
c6cc1f57bb
roles/nginx: Add image/svg+xml to gzip types
Google's PageSpeed Insights tool pointed out that the Genericons
in WordPress' Jetpack module could be compressed.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2016-03-12 19:16:23 +02:00
926cdf58cf
roles/nginx: keepalive_timeout is in seconds
See: http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2016-03-12 19:02:57 +02:00
6a3b8f0918
Update some bare variables in with_items loops to use Ansible 2.0 syntax
See: https://docs.ansible.com/ansible/porting_guide_2.0.html

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2016-03-11 18:53:07 +02:00
869d7f6c7e
roles/php5-fpm: Disable always_populate_raw_post_data
Deprecated in PHP 5.6 and causes problems with Piwik. I'm not sure
if WordPress needs this, but I did find some references in its code
to $HTTP_RAW_POST_DATA.

See: https://secure.php.net/manual/en/migration56.deprecated.php#migration56.deprecated.raw-post-data
See: https://www.bram.us/2014/10/26/php-5-6-automatically-populating-http_raw_post_data-is-deprecated-and-will-be-removed-in-a-future-version/

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2016-03-11 18:50:32 +02:00
43a7039dc9
roles/nginx: Remove "enable_https" config logic
Everything is HTTPS now, whether self-signed or otherwise, so it
doesn't make sense to have a config switch for this.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-10 00:38:53 +02:00
940b2720da
Rename nginx_* variables underneath nginx_vhosts
It's just deduplication, since it's already obvious that the dict
is for nginx-related vars:

    - nginx_domain_name→domain_name
    - nginx_domain_aliases→domain_aliases
    - nginx_enable_https→enable_https
    - nginx_enable_hsts→enable_hsts

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-10 00:25:44 +02:00
41547defb9
Finish moving logic and variables from nginx_tls_vhosts to nginx_vhosts
Everything is TLS now (whether self-signed or not), so it's pointless
to distinguish.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-10 00:14:47 +02:00
7b9536838c
roles/nginx: Move nginx tls_vhosts.yml to vhosts.yml
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-09 23:56:50 +02:00
dc5c09036c
Change pattern from nginx_tls_vhosts→nginx_vhosts
All hosts should have TLS now, whether self-signed "snakeoil" certs
or otherwise.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-09 23:54:18 +02:00
27a4abfcfd
roles/nginx: Add comments about defaults in templates
It would be bettwe to set these defaults in the role's defaults, but
we can't because they exist in dicts for each of the host's sites.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-09 23:29:33 +02:00
86ee36da77
roles/nginx: Clean up template spacing
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-09 23:25:38 +02:00
a8005404f1
roles/nginx: Use more consistent naming for per-host nginx options
The `enable_https` option in host_vars becomes `nginx_enable_https`
to be more consistent with other nginx options used in host_vars.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-09 23:21:19 +02:00
d80399d152
roles/php5-fpm: Increase memory allocation
I added another WordPress blog so I need more memory for caching
now. Eventually I wonder if I should deduplicate these somehow...

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-08 21:08:34 +02:00
805db6a9ef
roles/mariadb: Create utf8mb4 databases by default
This is better for supporting Unicode values in the database, see:

https://mathiasbynens.be/notes/mysql-utf8mb4

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-08 17:27:37 +02:00
a7094e0964
roles/nginx: Adjust spacing in template
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-08 17:19:46 +02:00
98afeddbbf
roles/nginx: Allow using self-signed TLS certs with dev hosts
Set `use_snakeoil_cert: 'yes'` in host_vars. This is good for dev
hosts where we don't have real domains or real certs. But everything
should have TLS.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-08 17:18:21 +02:00
4507e20155 roles/nginx: Change owner/group of WordPress folder to nginx after cloning
Otherwise stuff like theme and plugin installs won't work.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-08 16:58:54 +02:00
60c37821d6
roles/nginx: Only use Linode DNS resolvers for OCSP if it's a linode host
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-11-30 17:40:32 +02:00
5f71991259
roles/common: Use httpredir.debian.org as default Debian mirror
Automatically uses the best mirror for your location, see:

    http://httpredir.debian.org/demo.html

Should be much better than any hardcoded default for most hosts.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-11-30 09:34:16 +02:00
c0431d4247 Switch HTTPS vhosts to Let's Encrypt certificates
For now I generated the certs manually, but in the future the play-
book should run the letsencrypt-auto client for us!

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-11-07 20:53:39 +03:00
13a1889017
roles/mariadb: Upgrade to MariaDB 10.1
10.1 was marked as stable:

https://blog.mariadb.org/mariadb-10-1-is-stable-ga/

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-10-19 21:54:26 +01:00
229dd499dd
roles/php5-fpm: Remove default www pool
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-09-27 01:28:47 +03:00
cb67d6aa40
Rename 'use_https' to 'enable_https'
To be consistent with other similar variables.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-09-27 00:34:40 +03:00
52dc0c357b
roles/nginx: Add HSTS check to vhost template
We need to actually check if HSTS was requested before setting the
header in the block handing PHP requests. We check in the main vhost
block, but nginx headers are only inherited if you don't set ANY
headers in child blocks (ie, headers set in parent blocks are cleared
if you set any new ones in the child).

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-09-27 00:27:41 +03:00
48978407b8
roles/nginx: Move HTTP Strict Transport Security toggle to vhosts
This is really a per-site setting, so it doesn't make sense to have
a role default. Anyways, HSTS is kinda tricky and potentially dang-
erous, so unless a vhost explicitly sets it to "yes" we shouldn't
enable it.

Note: also switch from using a boolean to using a string; it is st-
ill declarative, but at least now I don't have to guess whether it
is being treated as a bool or not.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-09-27 00:24:58 +03:00
f16b143eac
roles/munin: Update munin-node.conf template
We actually need to use /var/log/munin for munin-node on Debian
too, as that's what is created by the package manager during
installation.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-09-26 23:30:22 +03:00
24a3724dfe roles/nginx: Remove spdy_headers_comp
It was deprecated when nginx added support for HTTP/2.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-09-23 18:20:38 +03:00
a3e71e75d2
roles/nginx: SPDY -> HTTP/2
nginx 1.9.5 mainline adds support for HTTP/2 and deprecates SPDY.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-09-22 19:40:30 +03:00
973b37be4e
roles/common: Tweak sshd_config to match NSA Suite B recommendations
NSA stopped recommending AES-128 in August, 2015...

Before: https://web.archive.org/web/20150403110658/https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml
After: https://web.archive.org/web/20150815072948/https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml

I don't see why we shouldn't follow suit; maybe they know something
we don't!

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-09-02 16:55:51 +03:00
8b336352d7
roles/common: Only allow ssh access by provisioning user
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-09-02 12:24:11 +03:00
bc28cd008c
roles/munin: Allow running on Debian hosts
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-09-01 00:10:16 +03:00
9c70ab29e3
roles/nginx: Rename nginx sources.list template
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 13:24:43 +03:00
b214bdfae8
roles/nginx: Add Debian support to nginx sources.list template
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 13:22:36 +03:00
9ad8209fd4
roles/mariadb: Allow MariaDB repo installation on Debian and Ubuntu
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 13:14:46 +03:00
c480075789
roles/common: Use "interface" instead of "alias" to get interface name in firewalld template
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 12:06:47 +03:00
9266d48c9f
roles/common: Separate firewalld tasks for Ubuntu and Debian
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 12:06:25 +03:00
18ca44193d
roles/common: Add sysctl template for Debian hosts
Note: I've only tested this on a Debian container, and you can't
set these sysctls on containers (the host controls them). To make
matters worse, there is no fact to make ansible skip this on hosts
that are running in containers. For now I will just skip it on
hosts that are "virtualization" servers... even though we actually
do have KVM running on Debian on real hardware. *sigh*

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 00:12:17 +03:00
56df8b38ca roles/common: Use new cron-apt tasks
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 00:02:40 +03:00
96fe209843 roles/common: Fix mode on Debian 8 sshd_config
Accidentally added it with 777.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 00:02:39 +03:00
7519995153 roles/common: Add Debian 8 sshd_config
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 00:02:39 +03:00
dc24285ec6 roles/common: Use apt_mirror variable in Debian sources
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 00:02:39 +03:00
28f61d589e roles/common: Add Debian support to sources.list template
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 00:02:39 +03:00
e15d1be867 roles/common: Add playbook for Debian packages
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 00:02:39 +03:00
1fc2453703 roles/common: Add firewalld support
Needed in Ubuntu 15.04 where iptables-persistent is going away. I
have added translations of the current IPv4 and IPv6 iptables rules.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 00:02:39 +03:00
16a0bb9086 roles/nginx: Use utopic (14.10) nginx builds on 15.04
Upstream hasn't made 15.04 builds yet...

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 00:02:38 +03:00
9aaad366f5 roles/common: Only add extras repo on Ubuntu 14.04
The Extras repo was discontinued after 14.10 (but the latest we
deploy is 14.04).

See: https://lists.ubuntu.com/archives/technical-board/2015-January/002063.html

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 00:02:38 +03:00
e84f777a6b roles/common: Bring Ubuntu 15.04 sshd_config up to date with standards
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 00:02:38 +03:00
b2dbd138f7 roles/common: Add Ubuntu 15.04 sshd_config
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 00:02:38 +03:00
68493beba3
roles/common: Reload sshd instead of restarting
No need to restart for a config change.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 00:01:17 +03:00
8e0a292b1d
roles/common: Move sshd tasks to their own playbook
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-23 00:00:43 +03:00
7f929d5b80
roles/common: Remove unused cron-apt files
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-22 23:42:03 +03:00
fc586a2297
roles/common: Adjust cron-apt stuff
- Don't run the static files as templates
- Use a separate playbook for related tasks
- Use a template for security.sources.list

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-22 23:39:22 +03:00
ce1d64ce66
roles/php5-fpm: Hide HTTP X-Powered-By PHP header
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-08-09 20:10:11 +03:00
78cb49c88b roles/nginx: Add missing nginx tag to blank vhost task
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-06-06 00:07:50 +03:00
151fb29687 roles/nginx: Add blank vhost
For security and predictability clients should only get a reponse
if they request a hostname we are actually hosting.

If TLS is in use then this will use a self-signed snakeoil cert for
an HTTPS-enabled blank, default vhost.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-06-06 00:07:50 +03:00
8b77fd7f94 roles/nginx: Templatize SSL parameters using role defaults
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-06-06 00:07:50 +03:00
ae10677b65
roles/common: Specify default apt_mirror for fallback in sources.list template
New hosts often fail due to not having an apt_mirror, because there
isn't one defined for their group and their host_vars haven't over-
ridden it.

We want new hosts to deploy successfully, so let's just use a default
apt_mirror if there isn't one defined. Rather have a slow mirror than
a failed deployment. And in any case, Linode can download from KENET's
mirror at 10MB/sec. ;)

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-06-04 21:57:11 +03:00
fe765f5d3a
roles/nginx: Fix TLS cert loop to use the current item
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-06-01 14:46:06 +03:00