13b592dfcd
roles/common: Tune sshd_config to be more strict
...
Disable ECDSA as a signature algorithm and drop some older message
authentication algorithms.
See: https://stribika.github.io/2015/01/04/secure-secure-shell.html
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-01-07 01:47:06 +03:00
a80cb49957
roles/common: Update sshd_config template to explicitly allow the provisioning user
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-01-06 17:45:06 +03:00
3b6c9745ab
roles/common: Add provisioning user to sudoers
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-01-05 08:24:13 +03:00
36a3bbf36d
vars/Ubuntu.yml: Remove apt_mirror
...
It's better to just use Ubuntu's defaults, and then override on a
per-host basis.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-01-04 02:54:22 +03:00
0f5b088c08
roles/common: Add createhome:yes to provisioning user task
...
Need to make sure the user gets created on a fresh install, like on
Amazon EC2 or OpenStack images where the first user is `ubuntu' and
you can't assume `provisioning' is already created.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-01-04 02:24:53 +03:00
f219cf23fe
Move Debian.yml vars to Ubuntu.yml
...
I was using ansible_os_family to get settings for Debian-family
hosts, but this doesn't work so well when you have an apt_mirror
which is only Debian or Ubuntu, for example.
I don't have any Debian hosts here, but anyways, it's better this
way so I can be more flexible in the future.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-01-04 01:51:37 +03:00
55b1362f54
host_vars/web05: Bump WordPress version to 4.1
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-01-04 00:43:53 +03:00
6ccfdb99fa
roles/nginx: Enable OCSP stapling
...
Reduces round trip time for clients. Note: I am using a certificate
chain in the `ssl_certificate' directive, so as I understand it, I
don't need to use an explicit trusted intermediate + root CA cert
with the `ssl_trusted_certificate' option. See the nginx docs for
more[0]. Addresses GitHub Issue #5 .
Seems to be working, test with:
$ openssl s_client -connect mjanja.ch:443 -servername mjanja.ch -tls1 -tlsextdebug -status
Look for "OCSP Response" with "Cert Status: good".
[0] http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-12-06 23:28:05 +03:00
f23f0713d2
roles/nginx: Enable SPDY header compression
...
Recommended by Ilya Grigorik to be set to 6.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-12-06 22:40:39 +03:00
15603ba9e8
roles/nginx: Disable SSL session tickets
...
Session tickets increase performance, but decrease security, so
let's just turn them off. See the following posts:
- https://timtaubert.de/blog/2014/11/the-sad-state-of-server-side-tls-session-resumption-implementations/
- https://www.imperialviolet.org/2013/06/27/botchingpfs.html
- https://github.com/igrigorik/istlsfastyet.com/blob/master/nginx/includes/ssl.conf
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-12-06 22:37:00 +03:00
23d76a535f
roles/nginx: Set nginx SSL session timeout to 24 hours
...
Default is 5 minutes, but it seems like unless you're a high-traff-
ic site, there's no need to expire sessions so quickly. Also, the
istlsfastyet.com configs are using 24 hours, so surely we can.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-12-06 22:19:12 +03:00
d8cd31049b
roles/nginx: Format and add comments to nginx https config
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-12-06 22:17:52 +03:00
be6c76a2af
roles/nginx: Set nginx SSL buffer size to 1400
...
istlsfastyet.com recommends setting the buffer size to 1400 so it
can fit into a single MTU. nginx default is 16k!
http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-12-06 22:16:07 +03:00
d04293a664
roles/nginx: Set nginx state to 'latest' in apt
...
This way we can upgrade nginx simply by running the nginx tags.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-12-02 18:48:11 +03:00
1073b8e1b6
host_vars/web05: Add mosh ports to iptables
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-11-21 00:29:08 +01:00
956fbefc1a
roles/nginx: Switch to nginx mainline (1.7)
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-11-07 01:02:44 +03:00
3f5634110a
roles/nginx: Add comment about try_files for serving static files from disk
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-11-07 00:41:07 +03:00
c870044584
roles/nginx: Adjust Cache-Control headers
...
Use "public" with "max-age" instead of Expires, as "max-age" is always
preferred if it's present. Note: setting "public" doesn't make the
resource "more cacheable", but it is just more explicit.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-11-07 00:29:53 +03:00
b71269e6cb
host_vars/web05: Add TLS keys back
...
The other method wasn't as clever as I had thought, as I couldn't
get it to work again!
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-27 21:19:53 +03:00
08a920d0cb
Revert "roles/nginx: Ingenius use of YAML hashes to derive TLS key from another file"
...
This reverts commit 59b9bd70b8
.
Might not be so ingenious. Can't get this to work anymore...
2014-10-27 21:16:43 +03:00
54993d6d6b
Update tls cipher suite with latest string from Mozilla TLS guide
...
https://wiki.mozilla.org/Security/Server_Side_TLS states"
Version 3.3: ulfr: fix SHA256 prio, add POODLE details, update various templates
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-25 12:36:19 +03:00
c3f5e27642
roles/common: Add ECDSA public key for noma
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-12 13:25:48 +03:00
a265e48a9f
roles/common: Remove RSA public key
...
Both client and server support ed25519, so there's no need to even
have the RSA key here.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-12 13:23:01 +03:00
b89e51d270
host_vars/web05: Remove TLS keys from host_vars
...
Now they live in one file, vars/tls_keys.yml.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-11 15:43:17 +03:00
59b9bd70b8
roles/nginx: Ingenius use of YAML hashes to derive TLS key from another file
...
This is kinda crazy, but makes the host_vars much easier to read.
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-11 15:42:44 +03:00
7ad41df199
Add host_var file for web05
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-11 15:03:56 +03:00
e24a987d3b
vars/Debian.yml: Update apt mirror to Linode one
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-11 14:20:37 +03:00
5e0da37542
roles/common: Remove task which removes irqbalance
...
Prevailing wisdom is actually that this *can* help virtual hosts,
especially when the VM guest has multiple CPUs.
See: http://wiki.xen.org/wiki/Network_Throughput_and_Performance_Guide
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-11 13:31:23 +03:00
1ee7b385bf
roles/common: Rename SSH keys
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-11 13:19:32 +03:00
1e2193efc9
roles/common: Add functionality to copy user keys to provisioning user
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-11 12:13:45 +03:00
614f90a058
web.yml: Modify to incorporate provisioning user stuff
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-11 12:12:32 +03:00
c53dd18181
roles/common: Add role to manage provisioning user
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-11 12:11:44 +03:00
42b893b2a7
roles/nginx: Add expires to static files
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-10 11:05:42 +03:00
81a98596e3
Downgrade TLS configuration to Mozilla's "intermediate" spec
...
From looking at the list of clients who would be allowed to connect
when using the "modern" spec, I think I'd be doing more harm than
good to use that config right now...
https://www.ssllabs.com/ssltest/analyze.html?d=alaninkenya.org
https://wiki.mozilla.org/Security/Server_Side_TLS
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-09 21:09:18 +03:00
d06ddf8a81
roles/nginx: Update TLS vhost task for Ansible > 1.7.1
...
Seems there is some YAML sublety that causes this syntax to insert
double spaces on the destination file... using native YAML hashes
are a workaround, see GitHub issues:
https://github.com/ansible/ansible/issues/9067
https://github.com/ansible/ansible/issues/9172
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-09 20:57:24 +03:00
ad8a704470
Update TLS configuration to Mozilla's "modern" spec
...
Details, see:
- https://jve.linuxwall.info/blog/index.php?post/2014/10/09/Automated-configuration-analysis-for-Mozilla-s-TLS-guidelines
- https://wiki.mozilla.org/Security/Server_Side_TLS
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-09 20:56:08 +03:00
ad90f7f0fb
roles/nginx: Use HSTS for https vhosts
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-06 10:46:04 +03:00
06543b10d5
host_vars/web04: Re-generate alaninkenya TLS chain
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-05 15:58:05 +03:00
fd9c6f31cb
roles/nginx: Add index to munin vhost
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-05 15:47:14 +03:00
7956a1c6f6
web.yml: Use ubuntu user for now
...
This is the default with OpenStack hosts like Kili.io...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-05 15:39:12 +03:00
da2c8fc043
vars/Debian.yml: Switch to KENET Ubuntu mirror
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-05 15:25:45 +03:00
e741a77c00
roles/common: Add unzip to Ubuntu base packages
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-05 15:21:47 +03:00
c6ce4e6630
Add host_vars for web04
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-10-05 13:25:42 +03:00
ba751625d6
host_vars/web02: Remove anchor from chained TLS cert
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-09-15 22:00:26 +03:00
3c4aa85319
host_vars/web02: Update TLS certs for alaninkenya.org
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-09-14 23:54:00 +03:00
8362af0a02
Add web02
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-09-14 22:26:34 +03:00
6d07af97f3
roles/php5-fpm: Fix php.ini reconfiguration (pathinfo)
...
Use replace instead of lineinfile, addresses GitHub issue #1 .
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-09-14 12:34:44 +03:00
3d3b6c8a3f
roles/php5-fpm: Fix pool creation for vhosts
...
Now loops over both http and https vhosts properly. Fixes GitHub
issue #2 .
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-09-14 12:19:26 +03:00
e6ffdf8652
roles/nginx: Update nginx https stuff
...
- re-organize tls vhost configuration
- copy TLS cert from host_vars directly to file
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-09-13 23:16:54 +03:00
4e4f415acd
vars/Debian.yml: Add vim modeline
...
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2014-09-11 00:14:53 +03:00