ansible-personal

Author	SHA1	Message	Date
Alan Orth	2367b843d9	roles/common: Remove I/O scheduler logic from rc.local It's better to set this using udev rules anyways Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-03-15 17:40:54 +03:00
Alan Orth	4a1158e163	roles/common: Remove CentOS rclocal task No CentOS hosts here! Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-03-15 17:40:07 +03:00
Alan Orth	891bd35171	roles/common: Move tags from subtask to main one Child tasks inherit the tag of the parent. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-03-15 17:34:13 +03:00
Alan Orth	4efb6edb7e	roles/common: Indent some yaml stuff in main.yml Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-03-15 17:31:29 +03:00
Alan Orth	b70ae58f48	roles/common: Simplify `when` logic in main template Less syntax is more readable syntax. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-03-15 17:29:41 +03:00
Alan Orth	58222706ba	roles/common: Remove logic for TCP congestion avoidance on early kernels in sysctl We don't have anything near 2.6.32 anymore. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-03-15 17:25:33 +03:00
Alan Orth	60ba4dacbd	roles/common: Add TCP/IP tweaks to sysctl template Disable TCP slow start and increase the number of ports available for client connections. See: http://vincent.bernat.im/en/blog/2014-tcp-time-wait-state-linux.html See: http://www.chromium.org/spdy/spdy-best-practices Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-03-15 17:23:10 +03:00
Alan Orth	942f45834f	roles/nginx: Use a more descriptive variable name for bypassing the proxy_cache Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-03-11 13:51:48 +03:00
Alan Orth	3dcc5e1411	roles/nginx: Move some common fastcgi settings out of vhost template Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-03-10 11:59:43 +03:00
Alan Orth	2b02d94254	roles/nginx: Don't cache 404 errors in munin config Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-03-09 13:32:09 +03:00
Alan Orth	41f055306f	roles/nginx: Re-order $request_method in fastcgi_cache_key Everyone else on the Internet has it this way, so why not. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-03-09 13:18:02 +03:00
Alan Orth	53d2c85bf0	roles/nginx: Adjust fastcgi_cache_valid Only cache 200, 301, and 302 requests! Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-03-09 10:23:48 +03:00
Alan Orth	066bf6fa85	roles/nginx: Set gzip_comp_level to 6 Seems to be the sweet spot, as gzip itself defaults to this. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-03-09 10:21:34 +03:00
Alan Orth	bb92bd080d	roles/nginx: Add $request_method to nginx fastcgi_cache_key nginx is caching HEAD requests, then when users come along and do a GET request they get an HTTP 200 with no request body. It seems setting fastcgi_request_methods to GET doesn't stop nginx from caching HEADs, so for now just add the $request_method to the key. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-03-09 10:19:34 +03:00
Alan Orth	1174db87bc	roles/nginx: Add task to clone WordPress git Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-02-26 17:39:17 +03:00
Alan Orth	d08a37526f	roles/nginx: Don't send OCSP responses for hosts using self-signed certs Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-02-26 17:38:30 +03:00
Alan Orth	cd65475d0d	roles/nginx: Add protection for PHP scripts in uploads directory By the way, :? starts a non-capturing group (ie, don't save the back references). Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-02-26 17:05:50 +03:00
Alan Orth	19f5b60cb7	Remove references to provisioning.yml We aren't managing the provisioning user anymore, it is just assumed to be there. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-02-26 16:53:48 +03:00
Alan Orth	29f7a76545	roles/nginx: Update location regex for PHP scripts Just use the same one as the Nginx wiki and some other resources. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-02-26 16:40:38 +03:00
Alan Orth	55fddf03b3	Remove provisioning user management It's just too tricky to manage this. Ubuntu / RedHat preseeds and kickstarts can create the user and add it to groups, but only when we control the initial boot environment (ie not on Linode, Digital Ocean, etc), so let's just say we assume this user exists and can get root with sudo by the some we are running ansible on it. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-02-20 15:06:45 +03:00
Alan Orth	6b528ecc92	roles/php5-fpm: Fix creation of pool configs for both tls and non-tls vhosts Ansible's union thing only works on sets and lists, here we have a dict. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-02-19 19:41:48 +03:00
Alan Orth	b93da27fde	roles/nginx: Create fastcgi cache dir Or else nginx doesn't start. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-02-19 18:49:39 +03:00
Alan Orth	d8b6222527	host_vars/web05: Re-organize variables for wordpress_version logic Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-02-19 18:42:47 +03:00
Alan Orth	0b90bad6a9	roles/nginx: Add fastcgi caching Bypasses caching for logged in users (right now only for sessions where the "wordpress_logged_in" cookie is set. Doubles the trans- actions per second as measured by siege: $ siege -d1 -t1M -c50 https://mjanja.ch Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-02-10 23:04:28 +03:00
Alan Orth	4ea152bf51	roles/nginx: Add HTTP headers for web application security See: https://github.com/h5bp/server-configs-nginx/blob/master/h5bp/directive-only/extra-security.conf See: https://www.owasp.org/index.php/List_of_useful_HTTP_headers Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-24 13:05:42 +03:00
Alan Orth	0dc4d3f147	roles/nginx: Add a second OCSP stapling responder Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-24 12:44:27 +03:00
Alan Orth	7457ac3b93	roles/nginx: Always set HSTS header nginx 1.7.5 allows us to always set HTTP headers: See: http://mailman.nginx.org/pipermail/nginx-announce/2014/000145.html Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-24 12:40:48 +03:00
Alan Orth	c3bc6d949d	roles/nginx: Add nginx rewrites for Yoast WordPress SEO plugin Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-23 12:26:24 +03:00
Alan Orth	171798c76d	roles/common: Add DSA/ECDSA cleanup to ssh tasks We don't want to support these signature algorithms! Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-20 16:31:37 +03:00
Alan Orth	0d2763fb59	roles/common: Remove ECDSA SSH public key for aorth@noma Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-12 18:19:49 +03:00
Alan Orth	d7dd81bc84	roles/common: Add ED25519 SSH public key for aorth@noma Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-12 18:19:21 +03:00
Alan Orth	13b592dfcd	roles/common: Tune sshd_config to be more strict Disable ECDSA as a signature algorithm and drop some older message authentication algorithms. See: https://stribika.github.io/2015/01/04/secure-secure-shell.html Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-07 01:47:06 +03:00
Alan Orth	a80cb49957	roles/common: Update sshd_config template to explicitly allow the provisioning user Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-06 17:45:06 +03:00
Alan Orth	3b6c9745ab	roles/common: Add provisioning user to sudoers Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-05 08:24:13 +03:00
Alan Orth	36a3bbf36d	vars/Ubuntu.yml: Remove apt_mirror It's better to just use Ubuntu's defaults, and then override on a per-host basis. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-04 02:54:22 +03:00
Alan Orth	0f5b088c08	roles/common: Add createhome:yes to provisioning user task Need to make sure the user gets created on a fresh install, like on Amazon EC2 or OpenStack images where the first user is `ubuntu' and you can't assume `provisioning' is already created. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-04 02:24:53 +03:00
Alan Orth	f219cf23fe	Move Debian.yml vars to Ubuntu.yml I was using ansible_os_family to get settings for Debian-family hosts, but this doesn't work so well when you have an apt_mirror which is only Debian or Ubuntu, for example. I don't have any Debian hosts here, but anyways, it's better this way so I can be more flexible in the future. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-04 01:51:37 +03:00
Alan Orth	55b1362f54	host_vars/web05: Bump WordPress version to 4.1 Signed-off-by: Alan Orth <alan.orth@gmail.com>	2015-01-04 00:43:53 +03:00
Alan Orth	6ccfdb99fa	roles/nginx: Enable OCSP stapling Reduces round trip time for clients. Note: I am using a certificate chain in the `ssl_certificate' directive, so as I understand it, I don't need to use an explicit trusted intermediate + root CA cert with the `ssl_trusted_certificate' option. See the nginx docs for more[0]. Addresses GitHub Issue #5. Seems to be working, test with: $ openssl s_client -connect mjanja.ch:443 -servername mjanja.ch -tls1 -tlsextdebug -status Look for "OCSP Response" with "Cert Status: good". [0] http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-12-06 23:28:05 +03:00
Alan Orth	f23f0713d2	roles/nginx: Enable SPDY header compression Recommended by Ilya Grigorik to be set to 6. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-12-06 22:40:39 +03:00
Alan Orth	15603ba9e8	roles/nginx: Disable SSL session tickets Session tickets increase performance, but decrease security, so let's just turn them off. See the following posts: - https://timtaubert.de/blog/2014/11/the-sad-state-of-server-side-tls-session-resumption-implementations/ - https://www.imperialviolet.org/2013/06/27/botchingpfs.html - https://github.com/igrigorik/istlsfastyet.com/blob/master/nginx/includes/ssl.conf Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-12-06 22:37:00 +03:00
Alan Orth	23d76a535f	roles/nginx: Set nginx SSL session timeout to 24 hours Default is 5 minutes, but it seems like unless you're a high-traff- ic site, there's no need to expire sessions so quickly. Also, the istlsfastyet.com configs are using 24 hours, so surely we can. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-12-06 22:19:12 +03:00
Alan Orth	d8cd31049b	roles/nginx: Format and add comments to nginx https config Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-12-06 22:17:52 +03:00
Alan Orth	be6c76a2af	roles/nginx: Set nginx SSL buffer size to 1400 istlsfastyet.com recommends setting the buffer size to 1400 so it can fit into a single MTU. nginx default is 16k! http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-12-06 22:16:07 +03:00
Alan Orth	d04293a664	roles/nginx: Set nginx state to 'latest' in apt This way we can upgrade nginx simply by running the nginx tags. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-12-02 18:48:11 +03:00
Alan Orth	1073b8e1b6	host_vars/web05: Add mosh ports to iptables Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-11-21 00:29:08 +01:00
Alan Orth	956fbefc1a	roles/nginx: Switch to nginx mainline (1.7) Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-11-07 01:02:44 +03:00
Alan Orth	3f5634110a	roles/nginx: Add comment about try_files for serving static files from disk Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-11-07 00:41:07 +03:00
Alan Orth	c870044584	roles/nginx: Adjust Cache-Control headers Use "public" with "max-age" instead of Expires, as "max-age" is always preferred if it's present. Note: setting "public" doesn't make the resource "more cacheable", but it is just more explicit. Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-11-07 00:29:53 +03:00
Alan Orth	b71269e6cb	host_vars/web05: Add TLS keys back The other method wasn't as clever as I had thought, as I couldn't get it to work again! Signed-off-by: Alan Orth <alan.orth@gmail.com>	2014-10-27 21:19:53 +03:00

... 15 16 17 18 19

919 Commits