diff --git a/README.md b/README.md index a951620..efaffe0 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,5 @@ ansible-playbooks ================= -Repo for my Ansible playbooks +Repo for my Ansible playbooks. +nextgen branch is for Ubuntu 16.04 systems only as that is what I am standardizing on. diff --git a/debian/roles/appservers-php/files/www.conf b/debian/roles/appservers-php/files/www.conf deleted file mode 100644 index d035a7f..0000000 --- a/debian/roles/appservers-php/files/www.conf +++ /dev/null @@ -1,392 +0,0 @@ -; Start a new pool named 'www'. -; the variable $pool can we used in any directive and will be replaced by the -; pool name ('www' here) -[www] - -; Per pool prefix -; It only applies on the following directives: -; - 'slowlog' -; - 'listen' (unixsocket) -; - 'chroot' -; - 'chdir' -; - 'php_values' -; - 'php_admin_values' -; When not set, the global prefix (or /usr) applies instead. -; Note: This directive can also be relative to the global prefix. -; Default Value: none -;prefix = /path/to/pools/$pool - -; Unix user/group of processes -; Note: The user is mandatory. If the group is not set, the default user's group -; will be used. -user = www-data -group = www-data - -; The address on which to accept FastCGI requests. -; Valid syntaxes are: -; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific address on -; a specific port; -; 'port' - to listen on a TCP socket to all addresses on a -; specific port; -; '/path/to/unix/socket' - to listen on a unix socket. -; Note: This value is mandatory. -listen = 127.0.0.1:9000 - -; Set listen(2) backlog. A value of '-1' means unlimited. -; Default Value: 128 (-1 on FreeBSD and OpenBSD) -;listen.backlog = -1 - -; Set permissions for unix socket, if one is used. In Linux, read/write -; permissions must be set in order to allow connections from a web server. Many -; BSD-derived systems allow connections regardless of permissions. -; Default Values: user and group are set as the running user -; mode is set to 0666 -;listen.owner = www-data -;listen.group = www-data -;listen.mode = 0666 - -; List of ipv4 addresses of FastCGI clients which are allowed to connect. -; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original -; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address -; must be separated by a comma. If this value is left blank, connections will be -; accepted from any ip address. -; Default Value: any -listen.allowed_clients = 127.0.0.1 - -; Specify the nice(2) priority to apply to the pool processes (only if set) -; The value can vary from -19 (highest priority) to 20 (lower priority) -; Note: - It will only work if the FPM master process is launched as root -; - The pool processes will inherit the master process priority -; unless it specified otherwise -; Default Value: no set -; priority = -19 - -; Choose how the process manager will control the number of child processes. -; Possible Values: -; static - a fixed number (pm.max_children) of child processes; -; dynamic - the number of child processes are set dynamically based on the -; following directives. With this process management, there will be -; always at least 1 children. -; pm.max_children - the maximum number of children that can -; be alive at the same time. -; pm.start_servers - the number of children created on startup. -; pm.min_spare_servers - the minimum number of children in 'idle' -; state (waiting to process). If the number -; of 'idle' processes is less than this -; number then some children will be created. -; pm.max_spare_servers - the maximum number of children in 'idle' -; state (waiting to process). If the number -; of 'idle' processes is greater than this -; number then some children will be killed. -; ondemand - no children are created at startup. Children will be forked when -; new requests will connect. The following parameter are used: -; pm.max_children - the maximum number of children that -; can be alive at the same time. -; pm.process_idle_timeout - The number of seconds after which -; an idle process will be killed. -; Note: This value is mandatory. -pm = dynamic - -; The number of child processes to be created when pm is set to 'static' and the -; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'. -; This value sets the limit on the number of simultaneous requests that will be -; served. Equivalent to the ApacheMaxClients directive with mpm_prefork. -; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP -; CGI. The below defaults are based on a server without much resources. Don't -; forget to tweak pm.* to fit your needs. -; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand' -; Note: This value is mandatory. -pm.max_children = 5 - -; The number of child processes created on startup. -; Note: Used only when pm is set to 'dynamic' -; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2 -pm.start_servers = 2 - -; The desired minimum number of idle server processes. -; Note: Used only when pm is set to 'dynamic' -; Note: Mandatory when pm is set to 'dynamic' -pm.min_spare_servers = 1 - -; The desired maximum number of idle server processes. -; Note: Used only when pm is set to 'dynamic' -; Note: Mandatory when pm is set to 'dynamic' -pm.max_spare_servers = 3 - -; The number of seconds after which an idle process will be killed. -; Note: Used only when pm is set to 'ondemand' -; Default Value: 10s -;pm.process_idle_timeout = 10s; - -; The number of requests each child process should execute before respawning. -; This can be useful to work around memory leaks in 3rd party libraries. For -; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS. -; Default Value: 0 -;pm.max_requests = 500 - -; The URI to view the FPM status page. If this value is not set, no URI will be -; recognized as a status page. It shows the following informations: -; pool - the name of the pool; -; process manager - static, dynamic or ondemand; -; start time - the date and time FPM has started; -; start since - number of seconds since FPM has started; -; accepted conn - the number of request accepted by the pool; -; listen queue - the number of request in the queue of pending -; connections (see backlog in listen(2)); -; max listen queue - the maximum number of requests in the queue -; of pending connections since FPM has started; -; listen queue len - the size of the socket queue of pending connections; -; idle processes - the number of idle processes; -; active processes - the number of active processes; -; total processes - the number of idle + active processes; -; max active processes - the maximum number of active processes since FPM -; has started; -; max children reached - number of times, the process limit has been reached, -; when pm tries to start more children (works only for -; pm 'dynamic' and 'ondemand'); -; Value are updated in real time. -; Example output: -; pool: www -; process manager: static -; start time: 01/Jul/2011:17:53:49 +0200 -; start since: 62636 -; accepted conn: 190460 -; listen queue: 0 -; max listen queue: 1 -; listen queue len: 42 -; idle processes: 4 -; active processes: 11 -; total processes: 15 -; max active processes: 12 -; max children reached: 0 -; -; By default the status page output is formatted as text/plain. Passing either -; 'html', 'xml' or 'json' in the query string will return the corresponding -; output syntax. Example: -; http://www.foo.bar/status -; http://www.foo.bar/status?json -; http://www.foo.bar/status?html -; http://www.foo.bar/status?xml -; -; By default the status page only outputs short status. Passing 'full' in the -; query string will also return status for each pool process. -; Example: -; http://www.foo.bar/status?full -; http://www.foo.bar/status?json&full -; http://www.foo.bar/status?html&full -; http://www.foo.bar/status?xml&full -; The Full status returns for each process: -; pid - the PID of the process; -; state - the state of the process (Idle, Running, ...); -; start time - the date and time the process has started; -; start since - the number of seconds since the process has started; -; requests - the number of requests the process has served; -; request duration - the duration in µs of the requests; -; request method - the request method (GET, POST, ...); -; request URI - the request URI with the query string; -; content length - the content length of the request (only with POST); -; user - the user (PHP_AUTH_USER) (or '-' if not set); -; script - the main script called (or '-' if not set); -; last request cpu - the %cpu the last request consumed -; it's always 0 if the process is not in Idle state -; because CPU calculation is done when the request -; processing has terminated; -; last request memory - the max amount of memory the last request consumed -; it's always 0 if the process is not in Idle state -; because memory calculation is done when the request -; processing has terminated; -; If the process is in Idle state, then informations are related to the -; last request the process has served. Otherwise informations are related to -; the current request being served. -; Example output: -; ************************ -; pid: 31330 -; state: Running -; start time: 01/Jul/2011:17:53:49 +0200 -; start since: 63087 -; requests: 12808 -; request duration: 1250261 -; request method: GET -; request URI: /test_mem.php?N=10000 -; content length: 0 -; user: - -; script: /home/fat/web/docs/php/test_mem.php -; last request cpu: 0.00 -; last request memory: 0 -; -; Note: There is a real-time FPM status monitoring sample web page available -; It's available in: ${prefix}/share/fpm/status.html -; -; Note: The value must start with a leading slash (/). The value can be -; anything, but it may not be a good idea to use the .php extension or it -; may conflict with a real PHP file. -; Default Value: not set -;pm.status_path = /status - -; The ping URI to call the monitoring page of FPM. If this value is not set, no -; URI will be recognized as a ping page. This could be used to test from outside -; that FPM is alive and responding, or to -; - create a graph of FPM availability (rrd or such); -; - remove a server from a group if it is not responding (load balancing); -; - trigger alerts for the operating team (24/7). -; Note: The value must start with a leading slash (/). The value can be -; anything, but it may not be a good idea to use the .php extension or it -; may conflict with a real PHP file. -; Default Value: not set -;ping.path = /ping - -; This directive may be used to customize the response of a ping request. The -; response is formatted as text/plain with a 200 response code. -; Default Value: pong -;ping.response = pong - -; The access log file -; Default: not set -;access.log = /var/log/$pool.access.log - -; The access log format. -; The following syntax is allowed -; %%: the '%' character -; %C: %CPU used by the request -; it can accept the following format: -; - %{user}C for user CPU only -; - %{system}C for system CPU only -; - %{total}C for user + system CPU (default) -; %d: time taken to serve the request -; it can accept the following format: -; - %{seconds}d (default) -; - %{miliseconds}d -; - %{mili}d -; - %{microseconds}d -; - %{micro}d -; %e: an environment variable (same as $_ENV or $_SERVER) -; it must be associated with embraces to specify the name of the env -; variable. Some exemples: -; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e -; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e -; %f: script filename -; %l: content-length of the request (for POST request only) -; %m: request method -; %M: peak of memory allocated by PHP -; it can accept the following format: -; - %{bytes}M (default) -; - %{kilobytes}M -; - %{kilo}M -; - %{megabytes}M -; - %{mega}M -; %n: pool name -; %o: ouput header -; it must be associated with embraces to specify the name of the header: -; - %{Content-Type}o -; - %{X-Powered-By}o -; - %{Transfert-Encoding}o -; - .... -; %p: PID of the child that serviced the request -; %P: PID of the parent of the child that serviced the request -; %q: the query string -; %Q: the '?' character if query string exists -; %r: the request URI (without the query string, see %q and %Q) -; %R: remote IP address -; %s: status (response code) -; %t: server time the request was received -; it can accept a strftime(3) format: -; %d/%b/%Y:%H:%M:%S %z (default) -; %T: time the log has been written (the request has finished) -; it can accept a strftime(3) format: -; %d/%b/%Y:%H:%M:%S %z (default) -; %u: remote user -; -; Default: "%R - %u %t \"%m %r\" %s" -;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%" - -; The log file for slow requests -; Default Value: not set -; Note: slowlog is mandatory if request_slowlog_timeout is set -slowlog = /var/log/$pool.log.slow - -; The timeout for serving a single request after which a PHP backtrace will be -; dumped to the 'slowlog' file. A value of '0s' means 'off'. -; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) -; Default Value: 0 -;request_slowlog_timeout = 0 - -; The timeout for serving a single request after which the worker process will -; be killed. This option should be used when the 'max_execution_time' ini option -; does not stop script execution for some reason. A value of '0' means 'off'. -; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) -; Default Value: 0 -;request_terminate_timeout = 0 - -; Set open file descriptor rlimit. -; Default Value: system defined value -;rlimit_files = 1024 - -; Set max core size rlimit. -; Possible Values: 'unlimited' or an integer greater or equal to 0 -; Default Value: system defined value -;rlimit_core = 0 - -; Chroot to this directory at the start. This value must be defined as an -; absolute path. When this value is not set, chroot is not used. -; Note: you can prefix with '$prefix' to chroot to the pool prefix or one -; of its subdirectories. If the pool prefix is not set, the global prefix -; will be used instead. -; Note: chrooting is a great security feature and should be used whenever -; possible. However, all PHP paths will be relative to the chroot -; (error_log, sessions.save_path, ...). -; Default Value: not set -;chroot = - -; Chdir to this directory at the start. -; Note: relative path can be used. -; Default Value: current directory or / when chroot -chdir = / - -; Redirect worker stdout and stderr into main error log. If not set, stdout and -; stderr will be redirected to /dev/null according to FastCGI specs. -; Note: on highloaded environement, this can cause some delay in the page -; process time (several ms). -; Default Value: no -;catch_workers_output = yes - -; Limits the extensions of the main script FPM will allow to parse. This can -; prevent configuration mistakes on the web server side. You should only limit -; FPM to .php extensions to prevent malicious users to use other extensions to -; exectute php code. -; Note: set an empty value to allow all extensions. -; Default Value: .php -;security.limit_extensions = .php .php3 .php4 .php5 - -; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from -; the current environment. -; Default Value: clean env -;env[HOSTNAME] = $HOSTNAME -;env[PATH] = /usr/local/bin:/usr/bin:/bin -;env[TMP] = /tmp -;env[TMPDIR] = /tmp -;env[TEMP] = /tmp - -; Additional php.ini defines, specific to this pool of workers. These settings -; overwrite the values previously defined in the php.ini. The directives are the -; same as the PHP SAPI: -; php_value/php_flag - you can set classic ini defines which can -; be overwritten from PHP call 'ini_set'. -; php_admin_value/php_admin_flag - these directives won't be overwritten by -; PHP call 'ini_set' -; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no. - -; Defining 'extension' will load the corresponding shared extension from -; extension_dir. Defining 'disable_functions' or 'disable_classes' will not -; overwrite previously defined php.ini values, but will append the new value -; instead. - -; Note: path INI options can be relative and will be expanded with the prefix -; (pool, global or /usr) - -; Default Value: nothing is defined by default except the values in php.ini and -; specified at startup with the -d argument -;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com -;php_flag[display_errors] = off -;php_admin_value[error_log] = /var/log/fpm-php.www.log -;php_admin_flag[log_errors] = on -;php_admin_value[memory_limit] = 32M diff --git a/debian/roles/appservers-php/handlers/main.yml b/debian/roles/appservers-php/handlers/main.yml deleted file mode 100644 index f291f84..0000000 --- a/debian/roles/appservers-php/handlers/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -- name: start php5-fpm - service: name=php5-fpm state=started diff --git a/debian/roles/appservers-php/tasks/main.yml b/debian/roles/appservers-php/tasks/main.yml deleted file mode 100644 index d97ebe2..0000000 --- a/debian/roles/appservers-php/tasks/main.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -- name: Install php5-fpm - apt: pkg=php5-fpm state=latest -- name: Stop the php5-fpm daemon for now and ensure it starts on boot - service: name=php5-fpm state=stopped enabled=yes -- name: Copy over the php5-fpm www pool config - copy: src=www.conf dest=/etc/php5/fpm/pool.d/www.conf backup=yes - notify: - - start php5-fpm diff --git a/debian/roles/appservers-uwsgi/files/uwsgi.init b/debian/roles/appservers-uwsgi/files/uwsgi.init deleted file mode 100644 index 442cd62..0000000 --- a/debian/roles/appservers-uwsgi/files/uwsgi.init +++ /dev/null @@ -1,72 +0,0 @@ -#!/bin/sh - -### BEGIN INIT INFO -# Provides: uwsgi -# Required-Start: $all -# Required-Stop: $all -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: starts the uwsgi app server -# Description: starts uwsgi app server using start-stop-daemon -### END INIT INFO - -PATH=/opt/uwsgi:/sbin:/bin:/usr/sbin:/usr/bin -DAEMON=/usr/local/bin/uwsgi - -OWNER=uwsgi - -NAME=uwsgi -DESC=uwsgi - -test -x $DAEMON || exit 0 - -# Include uwsgi defaults if available -if [ -f /etc/default/uwsgi ] ; then - . /etc/default/uwsgi -fi - -set -e - -#DAEMON_OPTS="-s 127.0.0.1:9001 -M 4 -t 30 -A 4 -p 4 -d /var/log/uwsgi.log --pythonpath $PYTHONPATH --module $MODULE" -DAEMON_OPTS="--emperor /etc/uwsgi/apps -d /var/log/uwsgi.log" -case "$1" in - start) - echo -n "Starting $DESC: " - start-stop-daemon --start --chuid $OWNER:$OWNER --user $OWNER \ - --exec $DAEMON -- $DAEMON_OPTS - echo "$NAME." - ;; - stop) - echo -n "Stopping $DESC: " - start-stop-daemon --signal 3 --user $OWNER --quiet --retry 2 --stop \ - --exec $DAEMON - echo "$NAME." - ;; - reload) - killall -1 $DAEMON - ;; - force-reload) - killall -15 $DAEMON - ;; - restart) - echo -n "Restarting $DESC: " - start-stop-daemon --signal 3 --user $OWNER --quiet --retry 2 --stop \ - --exec $DAEMON - sleep 1 - start-stop-daemon --user $OWNER --start --quiet --chuid $OWNER:$OWNER \ - --exec $DAEMON -- $DAEMON_OPTS - echo "$NAME." - ;; - status) - killall -10 $DAEMON - ;; - *) - N=/etc/init.d/$NAME - echo "Usage: $N {start|stop|restart|reload|force-reload|status}" >&2 - exit 1 - ;; - esac - exit 0 - - - diff --git a/debian/roles/appservers-uwsgi/files/uwsgi.logrotate b/debian/roles/appservers-uwsgi/files/uwsgi.logrotate deleted file mode 100644 index 904b975..0000000 --- a/debian/roles/appservers-uwsgi/files/uwsgi.logrotate +++ /dev/null @@ -1,9 +0,0 @@ -"/var/log/uwsgi/*.log" "/var/log/uwsgi/*/*.log" { - copytruncate - daily - rotate 5 - compress - delaycompress - missingok - notifempty -} diff --git a/debian/roles/appservers-uwsgi/handlers/main.yml b/debian/roles/appservers-uwsgi/handlers/main.yml deleted file mode 100644 index 98ae3e1..0000000 --- a/debian/roles/appservers-uwsgi/handlers/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -- name: start uwsgi - service: name=uwsgi state=started diff --git a/debian/roles/appservers-uwsgi/tasks/main.yml b/debian/roles/appservers-uwsgi/tasks/main.yml deleted file mode 100644 index 492acf3..0000000 --- a/debian/roles/appservers-uwsgi/tasks/main.yml +++ /dev/null @@ -1,24 +0,0 @@ ---- -- name: Install virtualenv - apt: name=python-virtualenv state=latest -- name: Install uwsgi from PyPI - pip: name=uWSGI -- name: Add uwsgi group - group: name=uwsgi state=present -- name: Add uwsgi user - user: name=uwsgi shell=/sbin/nologin createhome=no group=uwsgi password=$6$Qu5GfWUlAPXh$Ie8Fd9Vzl.PpaFciUbRCI4sIryI6i0rDE29Vf86/WYHgPSWG7x9IIkVU.tG1Mtfq2OM9IeH2IuvOKCcnErMgC1 -- name: Copy over the uwsgi init script and logrotate config - copy: src={{ item.name }} dest={{ item.dir }} backup=yes - with_items: - - { name: 'uwsgi.init', dir: '/etc/init.d/uwsgi' } - - { name: 'uwsgi.logrotate', dir: '/etc/logrotate.d/uwsgi' } -- name: Make sure the init script is executable - file: path=/etc/init.d/uwsgi owner=root group=root mode=0755 -- name: Make configuration directory - file: path=/etc/uwsgi/apps state=directory -- name: Make log file with correct permissions - file: path=/var/log/uwsgi.log owner=uwsgi group=uwsgi mode=0750 state=touch -- name: Make sure uwsgi starts on boot - service: name=uwsgi enabled=yes - notify: - - start uwsgi diff --git a/debian/roles/common/files/resolv.conf b/debian/roles/common/files/resolv.conf deleted file mode 100644 index ae80778..0000000 --- a/debian/roles/common/files/resolv.conf +++ /dev/null @@ -1,2 +0,0 @@ -nameserver ::1 -nameserver 8.8.8.8 diff --git a/debian/roles/common/handlers/main.yml b/debian/roles/common/handlers/main.yml deleted file mode 100644 index 9395ddd..0000000 --- a/debian/roles/common/handlers/main.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: restart rsyslog - service: name=rsyslog state=restarted -- name: restart cron - service: name=cron state=restarted - diff --git a/debian/roles/common/tasks/main.yml b/debian/roles/common/tasks/main.yml deleted file mode 100644 index c2e1956..0000000 --- a/debian/roles/common/tasks/main.yml +++ /dev/null @@ -1,59 +0,0 @@ ---- -# This playbook contains common plays that will be run all nodes. - -- name: Install python-apt, aptitude, and debconf-utils - shell: apt-get update && apt-get -y install python-apt aptitude debconf-utils -- name: Do any package upgrades - apt: upgrade=dist -- name: Set default locale to en_US.UTF-8 - debconf: name=locales question='locales/default_environment_locale' value=en_US.UTF-8 vtype='select' -- name: Generate locales - debconf: name=locales question='locales/locales_to_be_generated' value='en_US.UTF-8 UTF-8' vtype='multiselect' -- name: Set timezone area - debconf: name=tzdata question='tzdata/Areas' value='Etc' vtype='select' -- name: Set timezone - debconf: name=tzdata question='tzdata/Zones/Etc' value='UTC' vtype='select' - notify: - - restart rsyslog - - restart cron -- name: Install required packages - apt: pkg={{ item }} state=latest - with_items: - - most - - zsh - - vim - - vim-scripts - - git - - subversion - - tmux - - multitail - - mtr-tiny - - curl - - dnsutils - - sudo - - gnupg - - traceroute - - htop - - haveged - - python-pip - - unbound - - duplicity - - python-boto - - build-essential - - vnstat - - python-dev - - ntp -- name: Remove exim4 and consolekit - apt: pkg={{ item }} state=absent - with_items: - - exim4-daemon-light - - consolekit -- name: Ensure haveged, unbound, ntp, and vnstat are started on boot - service: name={{ item }} enabled=yes - with_items: - - haveged - - unbound - - vnstat - - ntp -- name: use local unbound instance for DNS and Google Public DNS as backup - copy: src=resolv.conf dest=/etc/resolv.conf diff --git a/debian/roles/webservers-nginx/files/0-catch-all b/debian/roles/webservers-nginx/files/0-catch-all deleted file mode 100644 index 92ba1ba..0000000 --- a/debian/roles/webservers-nginx/files/0-catch-all +++ /dev/null @@ -1,12 +0,0 @@ -# This file is a nginx catch-all vhost, probably put here in an automated -# fashion. -server { - listen 80; - listen [::]:80 ipv6only=on; - server_name _; # This is just an invalid value which will never trigger on a real hostname. - access_log /var/log/nginx/default.access.log; - index index.html; - server_name_in_redirect off; - root /srv/www/catch-all; -} - diff --git a/debian/roles/webservers-nginx/files/cloudflare.conf b/debian/roles/webservers-nginx/files/cloudflare.conf deleted file mode 100644 index 3526db8..0000000 --- a/debian/roles/webservers-nginx/files/cloudflare.conf +++ /dev/null @@ -1,11 +0,0 @@ -# Cloudflare -set_real_ip_from 204.93.240.0/24; -set_real_ip_from 204.93.177.0/24; -set_real_ip_from 199.27.128.0/21; -set_real_ip_from 173.245.48.0/20; -set_real_ip_from 103.22.200.0/22; -set_real_ip_from 141.101.64.0/18; -set_real_ip_from 108.162.192.0/18; -set_real_ip_from 190.93.240.0/20; -real_ip_header CF-Connecting-IP; - diff --git a/debian/roles/webservers-nginx/files/nginx.conf b/debian/roles/webservers-nginx/files/nginx.conf deleted file mode 100644 index 0e7372f..0000000 --- a/debian/roles/webservers-nginx/files/nginx.conf +++ /dev/null @@ -1,63 +0,0 @@ -user www-data; -worker_processes auto; -pid /var/run/nginx.pid; - -events { - worker_connections 768; - # multi_accept on; -} - -http { - ## - # Basic Settings - ## - sendfile on; - tcp_nopush on; - tcp_nodelay on; - keepalive_timeout 70; - types_hash_max_size 2048; - server_tokens off; - ssl_session_cache shared:SSL:10m; - ssl_session_timeout 10m; - # server_names_hash_bucket_size 64; - # server_name_in_redirect off; - - include /etc/nginx/mime.types; - default_type application/octet-stream; - - ## - # Logging Settings - ## - - access_log /var/log/nginx/access.log; - error_log /var/log/nginx/error.log; - - ## - # Gzip Settings - ## - - gzip on; - gzip_disable "msie6"; - - # gzip_vary on; - # gzip_proxied any; - # gzip_comp_level 6; - # gzip_buffers 16 8k; - # gzip_http_version 1.1; - gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript; - - ## - # Virtual Host Configs - ## - - include /etc/nginx/conf.d/*.conf; - include /etc/nginx/sites-enabled/*; - - # Upstream to abstract backend connection(s) for PHP. - upstream php { -# server unix:/tmp/php-fpm.sock; - server 127.0.0.1:9000; - } - - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; -} diff --git a/debian/roles/webservers-nginx/files/php-generic.conf b/debian/roles/webservers-nginx/files/php-generic.conf deleted file mode 100644 index 70bb797..0000000 --- a/debian/roles/webservers-nginx/files/php-generic.conf +++ /dev/null @@ -1,14 +0,0 @@ -index index.php index.html index.htm; -location / { - try_files $uri $uri/ /index.php?$args; -} - -location ~ \.php$ { - try_files $uri =404; - fastcgi_split_path_info ^(.+\.php)(/.+)$; - include fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_pass php; - fastcgi_index index.php; -} - diff --git a/debian/roles/webservers-nginx/files/security-generic.conf b/debian/roles/webservers-nginx/files/security-generic.conf deleted file mode 100644 index 6680d90..0000000 --- a/debian/roles/webservers-nginx/files/security-generic.conf +++ /dev/null @@ -1,23 +0,0 @@ -location = /favicon.ico { - log_not_found off; - access_log off; -} - -location = /robots.txt { - allow all; - log_not_found off; - access_log off; -} - -# Directives to send expires headers and turn off 404 error logging. -location ~* \.(js|css|png|jpg|jpeg|gif|ico|html)$ { - expires 24h; -} - -# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac). -location ~ /\. { - deny all; - access_log off; - log_not_found off; -} - diff --git a/debian/roles/webservers-nginx/files/wordpress-generic.conf b/debian/roles/webservers-nginx/files/wordpress-generic.conf deleted file mode 100644 index 2b6c4d1..0000000 --- a/debian/roles/webservers-nginx/files/wordpress-generic.conf +++ /dev/null @@ -1,39 +0,0 @@ -# WordPress single blog rules. -# Designed to be included in any server {} block. - -# This order might seem weird - this is attempted to match last if rules below fail. -# http://wiki.nginx.org/HttpCoreModule -location / { - try_files $uri $uri/ /index.php?$args; -} - -# Add trailing slash to */wp-admin requests. -rewrite /wp-admin$ $scheme://$host$uri/ permanent; - -# Directives to send expires headers and turn off 404 error logging. -location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ { - expires 24h; -} - -# Uncomment one of the lines below for the appropriate caching plugin (if used). -#include global/wordpress-supercache.conf; -#include global/wordpress-w3cache.conf; - -# Pass all .php files onto a php-fpm/php-fcgi server. -location ~ \.php$ { - # Zero-day exploit defense. - # http://forum.nginx.org/read.php?2,88845,page=3 - # Won't work properly (404 error) if the file is not stored on this server, which is entirely possible with php-fpm/php-fcgi. - # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on another machine. And then cross your fingers that you won't get hacked. - try_files $uri =404; - - fastcgi_split_path_info ^(.+\.php)(/.+)$; - #NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini - - include fastcgi_params; - fastcgi_index index.php; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; -# fastcgi_intercept_errors on; - fastcgi_pass php; -} - diff --git a/debian/roles/webservers-nginx/files/wordpress-security.conf b/debian/roles/webservers-nginx/files/wordpress-security.conf deleted file mode 100644 index b898b05..0000000 --- a/debian/roles/webservers-nginx/files/wordpress-security.conf +++ /dev/null @@ -1,34 +0,0 @@ -# Global restrictions configuration file. -# Designed to be included in any server {} block.

-location = /favicon.ico { - log_not_found off; - access_log off; -} - -location = /robots.txt { - allow all; - log_not_found off; - access_log off; -} - -# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac). -location ~ /\. { - deny all; - access_log off; - log_not_found off; -} - -# Deny access to any files with a .php extension in the uploads directory -location ~* ^/wp-content/uploads/.*.php$ { - deny all; - access_log off; - log_not_found off; -} - -# Deny access to any files with a .php extension in the uploads directory for multisite -location ~* /files/(.*).php$ { - deny all; - access_log off; - log_not_found off; -} - diff --git a/debian/roles/webservers-nginx/handlers/main.yml b/debian/roles/webservers-nginx/handlers/main.yml deleted file mode 100644 index c28e040..0000000 --- a/debian/roles/webservers-nginx/handlers/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -- name: start nginx - service: name=nginx state=started diff --git a/debian/roles/webservers-nginx/tasks/main.yml b/debian/roles/webservers-nginx/tasks/main.yml deleted file mode 100644 index c9f3b9c..0000000 --- a/debian/roles/webservers-nginx/tasks/main.yml +++ /dev/null @@ -1,35 +0,0 @@ ---- -- name: Add nginx upstream repo key - apt_key: url=http://nginx.org/keys/nginx_signing.key state=present -- name: Add nginx upstream repository - apt_repository: repo='deb http://nginx.org/packages/debian/ wheezy nginx' state=present update_cache=yes -- name: Install nginx package - apt: pkg=nginx state=latest -- name: Stop nginx for now and also make it start on boot - service: name=nginx state=stopped enabled=yes -- name: Make nginx related dirs - file: path={{ item }} state=directory - with_items: - - /etc/nginx/global - - /etc/nginx/sites-available - - /etc/nginx/sites-enabled - - /srv/www/catch-all -- name: Clean out default vhost file in enabled and available dirs - file: path={{ item }} state=absent - with_items: - - /etc/nginx/sites-enabled/default - - /etc/nginx/sites-available/default -- name: Copy over all nginx configuration files - copy: src={{ item.name }} dest={{ item.dir }} - with_items: - - { name: 'nginx.conf', dir: '/etc/nginx/nginx.conf' } - - { name: '0-catch-all', dir: '/etc/nginx/sites-available/0-catch-all' } - - { name: 'cloudflare.conf', dir: '/etc/nginx/global/cloudflare.conf' } - - { name: 'php-generic.conf', dir: '/etc/nginx/global/php-generic.conf' } - - { name: 'security-generic.conf', dir: '/etc/nginx/global/security-generic.conf' } - - { name: 'wordpress-generic.conf', dir: '/etc/nginx/global/wordpress-generic.conf' } - - { name: 'wordpress-security.conf', dir: '/etc/nginx/global/wordpress-security.conf' } -- name: Symlink the default catch-all vhost - file: src=/etc/nginx/sites-available/0-catch-all dest=/etc/nginx/sites-enabled/0-catch-all state=link - notify: - - start nginx diff --git a/debian/site.yml b/debian/site.yml deleted file mode 100644 index c322ce2..0000000 --- a/debian/site.yml +++ /dev/null @@ -1,29 +0,0 @@ ---- - -- name: apply common configuration to all nodes - hosts: all - user: root - - roles: - - common - -- name: apply configuration to web servers (nginx) - hosts: webservers-nginx - user: root - - roles: - - webservers-nginx - -- name: apply configuration to PHP app servers - hosts: appservers-php - user: root - - roles: - - appservers-php - -- name: apply configuration to uwsgi app servers - hosts: appservers-uwsgi - user: root - - roles: - - appservers-uwsgi