Commit Graph

127 Commits

Author SHA1 Message Date
e036349661
roles/nginx: Only check WordPress variables is vhost is using WordPress
This variable is used to control the FastCGI cache, and doesn't
need to be checked if the vhost isn't using WordPress.
2016-09-12 20:57:10 +03:00
8851f8f631 Revert "Only update packages indexes if the cache is 1 hour old"
This reverts commit 201165cff6.

Turns out this actually breaks initial deployments, because the
cache gets updated in the first task, then you add sources for
nginx and mariadb, but it doesn't update the indexes because the
cache is < 3600 seconds old, so you end up getting the distro's
versions of nginx and mariadb.
2016-08-25 12:58:15 +03:00
c8adba0580
roles/nginx: Add nginx signing key id to apt_key task
When you give Ansible the key id it will check if the key exists
before trying to download and add it. I got the long fingerprint
from `sudo apt-key finger`.
2016-08-22 16:20:10 +03:00
c9ef9e24f5
Use https:// for fetching apt package signing keys
I don't know why I wasn't using these before.
2016-08-22 16:06:13 +03:00
201165cff6
Only update packages indexes if the cache is 1 hour old
I have added cache_valid_time=3600 for the first task in each
tag that could be possibly running apt-related commands. For ex,
the "nginx" tag is also in the "packages" tag, but sometimes you
run the nginx tag by itself (perhaps repeatadely), so you'd want
to limit the update unless the cache was 1 hour old
2016-08-22 15:33:57 +03:00
aa8735e0ea
roles/nginx: Use explicity booleans for tests instead of "yes" and "no"
Better to be explict with booleans rather than being confused when
you mix up yes and "yes" with Ansible/Python testing of conditionals.
2016-08-17 12:55:14 +03:00
de704a917f
roles/nginx: use boolean for use_letsencrypt instead of string "yes"
This is very confusing when you forget about how Ansible/Python is
testing conditionals. Let's use actual booleans so it's more clear.
2016-08-17 12:42:48 +03:00
60c498f5ae
roles/nginx: Add sanity check to systemd service for renewing Let's Encrypt certs
Just in case, we'd better make sure that certbot is installed and
usable (+x) before we try running it.
2016-08-17 12:27:33 +03:00
2a78c5cf59
roles/nginx: Add sanity check for use_letsencrypt variable
Not all hosts will have this, so this task will flat out fail. We
better check to see if it exists before we try to use it. ;)
2016-08-17 12:27:24 +03:00
f798e47ad8
roles/nginx: Add 'force=yes' to WordPress git repo clone
I never modify file in the git repo, but the WordPress updater does
updates from the web (for example TwentySixteen theme), and this
always causes the task to fail when I switch WordPress versions.
2016-08-17 11:39:10 +03:00
8bee2d7a72
Revert "roles/nginx: Only run Let's Encrypt checks once a day"
This reverts commit a38d822fad.

The docs definitely recommend twice a day. From a note on certbot's
installation page:

> if you're setting up a cron or systemd job, we recommend running
> it twice per day (it won't do anything until your certificates
> are due for renewal or revoked, but running it regularly would
> give your site a chance of staying online in case a Let's
> Encrypt-initiated revocation happened for some reason). Please
> select a random minute within the hour for your renewal tasks.

See: https://certbot.eff.org/#ubuntuxenial-nginx
2016-08-17 11:30:10 +03:00
e343ddc9a6
Add 'packages' tag to any task doing package stuff
For idempotence we need to run all apt-related tasks, like editing
source files, adding keys, installing packages, etc, when running
the 'packages' tag.
2016-08-14 16:33:48 +03:00
b284098485
roles/nginx: Add mitigation for HTTPoxy vulnerability
Malicious requests including the HTTP_PROXY value will be able to
manipulate some server-side libraries. Better to just block them
in nginx.

See: https://httpoxy.org/
See: https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
2016-07-21 14:45:41 +03:00
a38d822fad
roles/nginx: Only run Let's Encrypt checks once a day
I can't remember where I had seen it recommended to be twice a day,
but it seems overkill.
2016-07-08 13:50:11 +03:00
b2e2d7bb9e
roles/nginx: Better names for Let's Encrypt timer/service 2016-07-07 14:36:29 +03:00
78dbdae783
roles/nginx: Fix variable check in HTTPS template
Don't assume the variables for TLS certs exist.
2016-07-05 19:42:56 +03:00
0cd2735c82
roles/nginx: Rework Let's Encrypt stuff
Take an opinionated stance on HTTPS and assume that hosts are using
HTTPS for all vhosts. This can either be via custom TLS cert/key
pairs defined in the host's variables (could even be self-signed
certificates on dev boxes) or via Let's Encrypt.
2016-06-27 23:52:39 +03:00
1254cea195
roles/nginx: Replace "&" with "and" 2016-06-27 19:13:20 +03:00
b7ab2da08a
roles/nginx: Allow usage of Let's Encrypt certs
Hosts can specify use_letsencrypt: 'yes' in their host_vars. For
now this assumes that the certificates already exist (ie, you have
to manually run Let's Encrypt first to register/create the certs).
2016-06-27 19:07:48 +03:00
8f43bf28fd
roles/nginx: Add IPv6 DNS resolvers
From Linode's Frankfurt datacenter.
2016-06-27 18:40:25 +03:00
a0b31ee86c
roles/nginx: Prioritize DNS resolvers in Frankfurt
The server is in Linode's DE datacenter so let's use those resolvers
instead of the ones in London.
2016-06-27 18:32:59 +03:00
b41bd432df
roles/nginx: Add "ansible managed" string to configs
Generates a placeholder text to say that the file is managed by
ansible.
2016-06-27 17:50:49 +03:00
24ca33c605
roles/nginx: Disable rules for Yoast SEO
Not using Yoast anymore. Now using the much simpler SEO Framework:

https://github.com/sybrew/the-seo-framework
2016-06-02 11:03:35 +03:00
1ed7d45c7f
roles/nginx: Fix comment about version numbers 2016-05-27 08:14:46 +03:00
93451e6c5e
roles/nginx: Use mainline branch by default
Has all the good stuff:

    http://nginx.org/en/CHANGES
2016-05-27 08:14:04 +03:00
6837b48fae
roles/nginx: Switch default version to 1.10.x (stable) 2016-04-27 15:05:19 +03:00
447db17e33
roles/nginx: Update apt sources for Ubuntu now that nginx 1.10.0 is out 2016-04-27 15:04:17 +03:00
81e6af8f2b
roles/nginx: Add IPv6 listener in default HTTPS vhost 2016-04-25 21:49:41 +03:00
1ffc4eebc9
roles/nginx: Use default_server instead of default
Seems to be the new keyword for quite some time now, despite not
causing an error:

    http://nginx.org/en/docs/http/server_names.html
2016-04-25 21:48:36 +03:00
03519831cb
roles/nginx: Return HTTP 444 for requests to invalid hostnames
444 is a special nginx return code that means the request was
closed without a response, see:

    http://nginx.org/en/docs/http/request_processing.html
2016-04-25 21:45:21 +03:00
37b4809546 roles/nginx: Add IPv6 DNS resolvers for OCSP stapling 2016-04-25 13:25:05 +03:00
cd77b088e9
Fix a few references to php5-fpm
Unless we really mean php5-fpm, let's just say php-fpm.
2016-04-25 12:33:12 +03:00
0bed8e4c0b
roles/nginx: Fix for path to PHP-FPM socket on Ubuntu 16.04 2016-04-22 18:19:30 +03:00
f90eff6b1a roles/nginx: Update sources.list template for Ubuntu 16.04
Use Ubuntu 15.10 builds for now.
2016-04-22 11:25:35 +03:00
ebf79c5b07
roles/nginx: Add missing nginx tag
The creation of the fastcgi cache dir is part of the nginx role and
should be labled as such. In situations where you only run nginx
tasks with `-t nginx` nginx will fail to start due to the missing
cache dir.
2016-04-15 12:29:35 +03:00
d50212c66c roles/nginx: Remove extra semi colon in HSTS preload header
Google's preload check application pointed out that there was an
extra semi colon in the HTTP header:

    $ hstspreload checkdomain alaninkenya.org

    Warning:

    1. Syntax warning: Header includes an empty directive or extra semicolon.

The tool can be downloaded here: https://github.com/chromium/hstspreload

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2016-03-31 13:35:44 +03:00
fe6c733cae
roles/nginx: Turn on tcp_nopush in nginx.conf
It seems tcp_nopush is meant to be used with sendfile in newer
versions of nginx.

See: https://github.com/h5bp/server-configs-nginx/blob/master/nginx.conf
See: https://t37.net/nginx-optimization-understanding-sendfile-tcp_nodelay-and-tcp_nopush.html

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2016-03-14 00:07:35 +02:00
250b196bf8
roles/nginx: Add comment for sendfile option
From: https://github.com/h5bp/server-configs-nginx/blob/master/nginx.conf

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2016-03-12 19:27:56 +02:00
89bee2e6db
roles/nginx: Add comment for gzip_vary
From: https://github.com/h5bp/server-configs-nginx/blob/master/nginx.conf

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2016-03-12 19:25:57 +02:00
27a3ee9651
roles/nginx: Add cache control header for SVG images
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2016-03-12 19:17:40 +02:00
c6cc1f57bb
roles/nginx: Add image/svg+xml to gzip types
Google's PageSpeed Insights tool pointed out that the Genericons
in WordPress' Jetpack module could be compressed.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2016-03-12 19:16:23 +02:00
926cdf58cf
roles/nginx: keepalive_timeout is in seconds
See: http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2016-03-12 19:02:57 +02:00
6a3b8f0918
Update some bare variables in with_items loops to use Ansible 2.0 syntax
See: https://docs.ansible.com/ansible/porting_guide_2.0.html

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2016-03-11 18:53:07 +02:00
43a7039dc9
roles/nginx: Remove "enable_https" config logic
Everything is HTTPS now, whether self-signed or otherwise, so it
doesn't make sense to have a config switch for this.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-10 00:38:53 +02:00
940b2720da
Rename nginx_* variables underneath nginx_vhosts
It's just deduplication, since it's already obvious that the dict
is for nginx-related vars:

    - nginx_domain_name→domain_name
    - nginx_domain_aliases→domain_aliases
    - nginx_enable_https→enable_https
    - nginx_enable_hsts→enable_hsts

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-10 00:25:44 +02:00
41547defb9
Finish moving logic and variables from nginx_tls_vhosts to nginx_vhosts
Everything is TLS now (whether self-signed or not), so it's pointless
to distinguish.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-10 00:14:47 +02:00
7b9536838c
roles/nginx: Move nginx tls_vhosts.yml to vhosts.yml
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-09 23:56:50 +02:00
dc5c09036c
Change pattern from nginx_tls_vhosts→nginx_vhosts
All hosts should have TLS now, whether self-signed "snakeoil" certs
or otherwise.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-09 23:54:18 +02:00
27a4abfcfd
roles/nginx: Add comments about defaults in templates
It would be bettwe to set these defaults in the role's defaults, but
we can't because they exist in dicts for each of the host's sites.

Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-09 23:29:33 +02:00
86ee36da77
roles/nginx: Clean up template spacing
Signed-off-by: Alan Orth <alan.orth@gmail.com>
2015-12-09 23:25:38 +02:00