Commit Graph

617 Commits

Author SHA1 Message Date
d280859b0d
roles/common: minor updates to Debian 11 sshd_config 2023-08-09 21:55:04 +02:00
bca1629d2f
Minor comment updates for Debian 12 2023-08-09 21:51:53 +02:00
4fa82faf18
roles/common: adjust sshd_config for Debian 12
Adjust sshd_config based on ssh-audit profile for OpenSSH 9.2.
2023-08-09 21:27:19 +02:00
b8f0b4b1fb
roles/common: add vanilla sshd_config for Debian 12 2023-08-09 21:16:50 +02:00
446d402778
roles: minor fix to Debian version comparisons 2023-07-27 18:48:07 +03:00
fdb9a75489
roles/common: update tarsnap GPG key 2023-04-14 10:09:11 -07:00
c840ffe018
roles/caddy: improve vhost template
Support domain aliases that redirect to the main domain and allow
sites to say they are static sites where they only need a document
root.
2022-11-13 18:54:03 +03:00
4867d6da6a
Add basic caddy role 2022-11-02 22:29:30 +03:00
bc8c030700
roles/common: update Tarsnap GPG key 2022-11-02 22:11:37 +03:00
b663d27fd8
roles/common: rework firewall_Debian.yml playbook
Use newer Ansible task format, move from apt to package module, and
do package installs in one transaction using a list instead of a
loop.
2022-09-12 17:25:40 +03:00
67c99dacf6
roles/common: rework firewall_Ubuntu.yml playbook
Use newer Ansible task format, move from apt to package module, and
do package installs in one transaction using a list instead of a loop.
2022-09-12 17:18:33 +03:00
b259f09cbd
roles/common: add SSH public key from other machine 2022-09-12 17:06:31 +03:00
f4b32e516b
roles/mariadb: use newer Ansible task syntax 2022-09-12 10:16:42 +03:00
fcb12ecee0
roles/mariadb: remove sources.list template 2022-09-12 10:13:27 +03:00
5bc03ceacc
roles/mariadb: install packages in single transaction
Using a list we can install these in a single apt transaction. Also
use the newer task format.
2022-09-12 10:12:07 +03:00
c317429f6d
roles/mariadb: rework package signing key and repo 2022-09-12 10:09:41 +03:00
b512a7f765
roles/common: create /etc/apt/keyrings
According the the Debian docs for third-party repositories we must
create this manually on distros before Debian 12 and Ubuntu 22.04.
This is due to changes in apt-secure and the deprecation of apt-key.

See: https://wiki.debian.org/DebianRepository/UseThirdParty
2022-09-12 10:05:12 +03:00
e3a87d4f79
roles/mariadb: MariaDB 10.6
See: https://mariadb.com/kb/en/mariadb-1069-release-notes/
See: https://mariadb.com/kb/en/upgrading-from-mariadb-105-to-mariadb-106/
2022-09-12 09:25:46 +03:00
34be0013b7
Remove Debian 10 support 2022-09-11 09:21:08 +03:00
399585f4e7
roles: don't compare literal true and false
I changed these yesterday when editing the truthy values, but acco-
rding to ansible-link we can just rely on them being true or false
without comparing.
2022-09-11 08:41:25 +03:00
0240897b1b
Remove Ubuntu 18.04 support 2022-09-10 23:30:04 +03:00
1da0da53ec
roles: use longer format for when conditionals
When the condition is an AND we can use this more succinct format.
2022-09-10 23:12:49 +03:00
677cc9f160
roles/php-fpm: fix truthy-ness in when 2022-09-10 23:12:26 +03:00
ffe7a872dd
roles: strict truthy values
According to Ansible we can use yes, true, True, "or any quoted st-
ring" for a boolean true, but ansible-lint wants us to use either
true or false.

See: https://chronicler.tech/red-hat-ansible-yes-no-and/
2022-09-10 22:33:19 +03:00
fc0fcc5742 roles/common: fix unnamed blocks 2022-09-10 18:35:27 +03:00
587bd6dcdd roles: use fully qualified module names 2022-09-10 18:35:27 +03:00
a2d61abba2
roles/mariadb: update mirror
I started getting 'does not have a Release file' for the old repo-
sitory. Not sure why.
2022-08-14 22:09:47 -07:00
2961578a54
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml

Then I formatted the nftables files manually. Meh...
2022-02-28 18:51:35 +03:00
9e737466c5
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml

Then I formatted the nftables files manually. Meh...
2022-02-04 21:47:37 +03:00
0ffb1b1a36
roles/common: use pyinotify backend for nginx fail2ban jail
This seems to be automatically selected, but on some other servers
I notice it is not. I will set it here explicitly so fail2ban does
not fall back to the inefficient "polling" or incorrect "systemd"
backends.
2022-01-04 15:10:02 +02:00
ebbde530d2
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml

Then I created the nftables files manually. Meh...
2021-12-22 11:40:27 +02:00
f070fd9a64
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml
2021-11-07 10:12:43 +02:00
ebd8b0632b
roles/common: Disable unsafe Diffie-Hellman SSH moduli
The WeakDH team showed (in 2015) that Diffie-Hellman key exchange
with prime number groups of 1024 bits or less were weaker than we
previously thought, and well within the reach of nation states. They
recommended (in 2015) using 2048-bit or higher prime groups.

The SSH audit project recommends that we should use 3072-bit now.

See: https://weakdh.org/
See: https://github.com/jtesta/ssh-audit/
2021-10-10 16:57:05 +03:00
df26b6c17e
roles/common: notify fail2ban after updating firewall
We should always restart fail2ban after updating the firewall. Also
note that the order of execution of handlers depends on how they are
defined in the handler config, not on the order they are listed in
the task's notify statement.

See: https://docs.ansible.com/ansible/latest/user_guide/playbooks_handlers.html
2021-09-28 10:45:51 +03:00
d92151b8a6
roles/common: Update list of abusive IP addresses
This comes from the AbuseIPDB with a confidence level of 95%. I use
the following command to download and sort the IPs:

  $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \
    confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \
    -H "Accept: text/plain" | sort | sed -e '/:/w /tmp/ipv6.txt' \
    -e '/:/d' > /tmp/ipv4.txt

I manually add the XML formatting to each file and run them through
tidy:

  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml
  $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml

Note: there were no IPv6 addresses in the top 10,000 this time so I
used a dummy address for the nftables set so the syntax was valid.
2021-09-28 10:28:02 +03:00
b13ead0657
roles/common: use a range for mosh ports in nftables
This is better than a loop in Jinja (though that is useful!).
2021-09-28 07:34:25 +03:00
89fd642b78
roles/nginx: minor rework of acme.sh tasks
After the inital acme.sh script is downloaded and bootstrapped we
can remove it. If a host already has been bootstrapped then there
is no need to download it and do it over again.
2021-09-27 13:40:17 +03:00
65e6dd34cd
roles/common: Add missing section to Debian 11 sshd_config
We need to be able to configure the list of SSH users.
2021-09-27 12:59:27 +03:00
d5eed5055e
roles/nginx: Add support for gitea
gitea hosts are basically webservers, but we need to proxy pass. I
am setting up gitea itself manually for now.
2021-09-27 12:15:47 +03:00
f8752bb3e7
roles/nginx: add todo about document roots
We assume it's always /var/www/$domain_name but it can be overriden
in the host_vars...
2021-09-27 12:05:53 +03:00
170e591701
roles/common: Install rsync and lsof 2021-09-27 11:36:40 +03:00
8d6c3c57c3
roles/nginx: install acme.sh after downloading
This is basically just bootstrapping it. I used to do this by hand
before requesting the certs.
2021-09-27 11:28:02 +03:00
79b29f0c51
roles/nginx: generate snakeoil cert manually
The ssl-cert does this, but it includes the hostname of the server
as the subject name in the cert, which is a huge leak of privacy.
2021-09-27 10:48:24 +03:00
a4acc85704
roles/common: Remove iptables on newer Debian 2021-09-27 10:35:38 +03:00
f7b9aa67f5
roles/common: Fix comment about Debian 10 firewall 2021-09-27 10:31:31 +03:00
341a1bf11e
roles/php-fpm: Install php7.4-xml
The RSS feeds in the WordPress admin dashboard need this.
2021-09-13 10:19:33 +03:00
6ee389eda5
roles/php-fpm: Use concrete dependencies
The php-gd, php-mysql, etc packages are meta packages that just end
up installing the concrete ones for our specific version.
2021-09-13 10:18:40 +03:00
20cd6f213c
roles/common: cache_valid_time explicitly sets update_cache
See: https://docs.ansible.com/ansible/latest/collections/ansible/builtin/apt_module.html
2021-09-08 21:59:51 +03:00
34a30c4d13
roles/common: Don't update apt cache when removing packages 2021-09-08 17:05:48 +03:00
c03e75d736
roles/common: explicitly install systemd-timesyncd
It is a standalone package on (at least) Ubuntu 20.04 and Debian 11
and some cloud images do not have it installed by default (for exa-
mple Scaleway).
2021-09-08 17:04:46 +03:00