Commit Graph

207 Commits

Author SHA1 Message Date
72b8b193b5
Remove support for Debian 9 and Ubuntu 16.04 2020-07-14 09:45:33 +03:00
a1f110c8bc
Add PHP 7.4 FPM support 2020-07-13 23:25:32 +03:00
9abfe80245 roles/nginx: Add pre and post hooks for Let's Encrypt on Ubuntu 20.04
Certbot will run any executables in the pre and post directories
during certificate renewal.
2020-06-08 12:15:29 +03:00
0587841476 roles/nginx: Adjust certbot tasks
It seems that it is no longer recommended/supported to install the
standalone certbot-auto client on Ubuntu 20.04. We apparently need
to use the one provided by Ubuntu, which luckily includes a service
and timer to renew the certs.
2020-06-08 12:15:29 +03:00
4b5d17ef8c
roles/nginx: Update comment about versions 2020-03-16 18:06:28 +02:00
e169a3744a
roles/nginx: Fix munin.conf for nginx_status
This config stopped working a few years ago probably when hosts started
getting IPv6 and we need to allow ::1. Make sure we're only listening
on local loopback interfaces also.
2020-03-10 12:23:12 +02:00
2dc195b33c
Use version() instad of version_compare()
This changed in Ansible 2.5 apparently.

See: https://docs.ansible.com/ansible/latest/user_guide/playbooks_tests.html
2020-03-09 15:20:51 +02:00
aa1dac8c30
roles: Fix syntax for testing booleans
ansible-lint told me not to test equality with booleans using literal
"True" and "False", but it Ansible complains if I use "is True" also.
It seems that I need to adjust the syntax slightly.
2019-11-26 11:19:22 +02:00
1c631739e7
roles: Fix issue raised by ansible-lint
[601] Don't compare to literal True/False
2019-11-21 22:55:39 +02:00
eb7998fd12
roles/nginx: Fix hardcoded "stretch" release in sources
This was causing the stretch version to get installed on buster, w-
hich led to the cipher suite and ssl protocol support to behave st-
rangeley.
2019-09-15 16:03:17 +03:00
1ec6d07232
roles/nginx: Fix php7.3-fpm socket location on Debian 10 2019-09-15 15:55:42 +03:00
b59f7c0702
roles/nginx: Update certbot dependencies for Debian 10
Taken after a clean Debian 10 install on Linode.
2019-07-23 18:38:33 +03:00
2d98d70e02
Update nginx cipher suite and TLS protocols
Use latest Mozilla "intermediate" TLS settings. This configuration
works on (at least) Ubuntu 18.04 and Debian 10.

See: https://ssl-config.mozilla.org/#server=nginx&server-version=1.17.2&config=intermediate&openssl-version=1.1.1
2019-07-23 17:53:22 +03:00
e124cac945
roles/nginx: Adjust formatting of apt sources template 2019-07-08 18:44:21 +03:00
70e736bdc5
roles/nginx: Use buster builds
nginx.org has buster builds now.
2019-07-08 18:43:43 +03:00
ca293289aa
roles/nginx: Fix logic error in apt sources template 2019-07-07 17:59:00 +03:00
5fe583541a roles/nginx: Set Let's Encrypt packages for Debian 10
Taken from the list of packages that the certbot-auto script wants
to bootstrap on a fresh Debian 10 "buster" install.
2019-07-06 21:16:19 +03:00
619f536cd8 roles/nginx: Use Debian 9 "stretch" builds on Debian 10 "buster"
There are no Debian 10 "buster" builds from nginx.org yet.
2019-07-06 21:16:19 +03:00
5957f5f2c5
roles: The apt cache_valid_time implies update_cache
See: https://docs.ansible.com/ansible/latest/modules/apt_module.html
2019-03-17 17:29:28 +02:00
c5b5cda3d3
Smarter updating of apt index during playbook execution
We can register changes when adding repositories and keys and then
update the apt package index conditionally. This should make it be
more consistent between initial host setup and subsequent re-runs.
2019-03-17 17:29:15 +02:00
bbab45ae6f
Adjust ansible_managed to use comment filter
We don't need to comment the ansible_managed block manually.
2019-01-10 12:50:54 +02:00
42fcd933a8
roles/nginx: Fix Jinja2 logic in apt sources template 2018-05-08 23:53:47 +03:00
3f0c45d504
roles/nginx: Force amd64 builds on apt sources
Avoids the following error in apt:

Skipping acquire of configured file 'nginx/binary-i386/Packages' as repository 'https://nginx.org/packages/ubuntu bionic InRelease' doesn't support architecture 'i386'
2018-05-08 23:41:25 +03:00
f5fbc4b8f1
roles/nginx: Use bionic builds on Ubuntu 18.04
NGINX finally published builds for Ubuntu 18.04 "bionic" so we don't
need to use the 17.10 "artful" ones anymore.
2018-05-08 23:39:59 +03:00
0a39051a95
roles/nginx: Allow custom resolvers for TLS stapling
Allows to specify custom DNS resolvers for TLS stapling, with a default
of Cloudflare's public DNS servers.
2018-04-30 18:04:17 +03:00
bda95b6a1c
roles/nginx: Default to Cloudflare public DNS for TLS stapling
No need to give Google even more data or free advertising by using
this as the default! In practice I always use the DNS servers from
the VPS provider anyways.
2018-04-30 17:51:59 +03:00
6208d1518c
roles/nginx: Use set_fact to set certbot dependencies
Instead of looping over a list of items to install, we can actually
just give a list directly to the apt module. This allows the module
to install all packages in one transaction, which is faster as well
as slightly safer for some dependency resolution scenarios.
2018-04-26 19:48:05 +03:00
baa5890d6d
roles/nginx: Add name to Let's Encrypt task
All tasks should have names, even if they are just including other
tasks.
2018-04-26 17:12:22 +03:00
fa5db39674
roles/nginx: Move WordPress tasks to separate file
Because of the shift from static imports to dynamic includes these
tags will never be reached unless they have their own task that is
tagged at the top-level (dynamic includes don't pass their tags to
their children).
2018-04-26 17:09:09 +03:00
7d950ade99
roles: Remove unreachable "packages" tags
After reörganizing for dynamic includes these tags will never be reached
because the children of dynamic includes do not inherit tags from their
parents as they did with static imports.
2018-04-26 16:31:06 +03:00
1738507ee9
roles/nginx: Use dynamic includes for Let's Encrypt
As of Ansible 2.4 and 2.5 the behavior for importing tasks has changed
to introduce the notion of static imports and dynamic includes. If the
tasks doing the import is using variable interpolation or conditionals
then the task should be dynamic. This results in quicker playbook runs
due to less importing of unneccessary tasks.

One side effect of this is that child tasks of dynamic includes do not
inherit their parents' tags so you must tag them explicitly or a block.

Also, I had to move the letsencrypt tasks to the main task file so the
tags were available (due to dynamic tasks not inheriting tags).
2018-04-26 11:00:47 +03:00
2da7f39bb4
roles/nginx: Use dynamic includes for tasks
As of Ansible 2.4 and 2.5 the behavior for importing tasks has changed
to introduce the notion of static imports and dynamic includes. If the
tasks doing the import is using variable interpolation or conditionals
then the task should be dynamic. This results in quicker playbook runs
due to less importing of unneccessary tasks.

One side effect of this is that child tasks of dynamic includes do not
inherit their parents' tags so you must tag them explicitly or a block.
2018-04-26 10:45:01 +03:00
c608331e3c
roles/nginx: Rename Let's Encrypt dependency lists 2018-04-26 08:26:58 +03:00
e50f413f5e
roles/nginx: Use dynamic include_tasks for Let's Encrypt
Use dynamic includes instead of static imports when you are running
tasks conditionally or using variable interpolation. The down side
is that you need to then tag the parent task as well as all child
tasks, as tags only apply to children of statically imported tasks.
2018-04-25 20:03:32 +03:00
ebda406de3
roles/nginx: Separate Debian 9 "stretch" Let's Encrypt deps
Instead of iterating over fifteen packages with a loop that does fifteen
separate apt transactions, it is better to give the apt module a list so
it can install them all in one transaction. This is both quicker and te-
chnically more safe for dependency resolution.
2018-04-25 20:02:42 +03:00
f427350feb
roles/nginx: Separate Ubuntu 16.04 "Xenial" Let's Encrypt deps
Instead of iterating over fifteen packages with a loop that does fifteen
separate apt transactions, it is better to give the apt module a list so
it can install them all in one transaction. This is both quicker and te-
chnically more safe for dependency resolution.
2018-04-25 20:01:39 +03:00
12711afac9
roles/nginx: Add dependencies for certbot on Ubuntu 18.04
Taken from running the Let's Encrypt certbot-auto client on a freshly
installed Ubuntu 18.04 system.
2018-04-25 19:40:33 +03:00
913f59ced6
group_vars/dspace: Update comment for nginx branch
NGINX 1.14.0 was released and is the current "stable" version. The
next "mainline" version should be 1.15.0.

See: https://nginx.org/en/CHANGES-1.14
2018-04-18 16:58:33 +03:00
632aa1cf14 Fix a few more Jinja2 filters used as tests
I had created these earlier in this branch before rebasing it on top
of the Ansible 2.5.0 readiness branch.

See: https://docs.ansible.com/ansible/devel/porting_guides/porting_guide_2.5.html
2018-04-05 12:17:26 +03:00
d1ba60e15d Use version_compare to test for Ubuntu 18.04 "bionic"
It just feels more correct, plus I usually forget the release code
name from time to time.
2018-04-05 12:17:26 +03:00
ed607aab68 roles/nginx: Use correct php-fpm socket on Ubuntu 18.04 2018-04-05 12:17:26 +03:00
5c3553e684 roles/nginx: Use Ubuntu 17.10's packages on Ubuntu 18.04
There are no nginx packages for Ubuntu 18.04 "bionic" yet so we
should use Ubuntu 17.10 "artful".
2018-04-05 12:17:25 +03:00
57120308dc
Update with_items loops to use new-ish "loop" keyword
Ansible 2.4 and 2.5 are moving away from specialized loop functions
and the old syntax will eventually be deprecated and removed. I did
not change the with_fileglob loops because I'm not sure about their
syntax yet.

See: https://docs.ansible.com/ansible/latest/user_guide/playbooks_loops.html
2018-04-02 15:52:51 +03:00
ffee9250ee
Use new syntax for Jinja2 filters that are used as tests
Ansible 2.5.0 uses a new syntax for Jinja2 filters that are used as
tests.

See: https://docs.ansible.com/ansible/devel/porting_guides/porting_guide_2.5.html
2018-04-02 15:37:37 +03:00
d155898bb1
Use new syntax for Jinj2 filters that are used as tests
Ansible 2.5.0 uses a new syntax for Jinja2 filters that are used as
tests.

See: https://docs.ansible.com/ansible/devel/porting_guides/porting_guide_2.5.html
2018-03-21 21:17:21 +02:00
a5e6513be3
roles/dspace: Update gzip_types formatting
From the H5BP project, see:

https://github.com/h5bp/server-configs-nginx/blob/master/nginx.conf
2017-11-14 12:44:56 +02:00
97aca2cad2
roles/nginx: Remove Internet Explorer 6 gzip disable
I have zero idea if we have IE6 clients any more, but according to the
H5BP community IE6 actually did support gzip and only represents 0.1%
of Internet traffic in 2015 (!) anyways.

See: https://github.com/h5bp/server-configs-nginx/issues/125
2017-11-14 12:43:02 +02:00
d15c9851db
roles/nginx: Use https for apt repository 2017-11-05 01:30:49 +02:00
9b4f662bc5 roles/nginx: Use systemd module instead of service 2017-11-05 00:27:44 +02:00
73e6d0b7ed
roles/nginx: Fix issue raised by ansible-lint
[ANSIBLE0006] systemctl used in place of systemd module

Also, move the functionality of the changed check to the systemd task,
because it has the ability to simply daemon-reload itself now.
2017-10-31 23:18:15 +02:00