new hosting

Author: pushcx

LICENSE

@@ -11,7 +11,3 @@ ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-
-When running this software, it may attempt to connect to the prgmr.com
-network.  Hosting with prgmr.com is covered by an acceptable use policy
-(AUP): https://prgmr.com/aup.html

README.md

@@ -91,16 +91,3 @@ https://docs.ansible.com/ansible/latest/playbooks_reuse_roles.html
 To use this playbook, you'll need an account in the sysadm role
 along with an SSH key pair.
 
-    $ ssh-keygen
-    <++> ~/.ssh/config
-    Host lobsters.xen.prgmr.com
-      IdentityAgent none
-      IdentityFile ~/.ssh/id_rsa-lobste.rs
-      IdentitiesOnly yes
-
-    Host lobsters.console.xen.prgmr.com
-      IdentityAgent none
-      IdentityFile ~/.ssh/id_rsa-lobste.rs
-      IdentitiesOnly yes
-      User lobsters
-    <-->

Vagrantfile

@@ -1,7 +1,4 @@
-#backup_host: lobsters-backup.xen.prgmr.com
-console_host: lobsters.xen.prgmr.com
-db_host: lobsters.xen.prgmr.com
-#dns_host: 
-mx_host: lobsters.xen.prgmr.com
-smtp_host: lobsters.xen.prgmr.com
-www_host: lobsters.xen.prgmr.com
+db_host: web01
+mx_host: web01
+smtp_host: web01
+www_host: web01

group_vars/prod.yml

@@ -2,31 +2,23 @@
 env=production
 ps1_fg=red
 
-[backup]
-#lobsters-backup.xen.prgmr.com
-
-[console]
-lobsters.console.xen.prgmr.com
-
 [db]
-lobsters.xen.prgmr.com
-
-[dns]
+web01
 
 [mx]
-lobsters.xen.prgmr.com
+web01
 
 [search]
-lobsters-search.xen.prgmr.com
+web01
 
 [smtp]
-lobsters.xen.prgmr.com
+web01
 
 [www]
-lobsters.xen.prgmr.com
+web01
 
 [www_worker]
-lobsters.xen.prgmr.com
+web01
 
-[mockturtle]
-mockturtle.xen.prgmr.com
+#[mockturtle]
+#mockturtle.xen.prgmr.com

inventories/prod.ini

@@ -1,18 +1,4 @@
 ---
-- name: mariadb
-  tags: mariadb
-  become: yes
-  hosts: db
-  roles:
-    - { role: mariadb }
-
-# - name: dns
-#   tags: dns
-#   become: yes
-#   hosts: dns
-#   roles:
-#     - { role: dns }
-
 - name: lobsters
   tags: lobsters
   become: yes
@@ -41,51 +27,24 @@
   roles:
     - { role: postfix }
 
-# - name: prgmr
-#   tags: prgmr
-#   become: yes
-#   hosts: console
-#   roles:
-#     - { role: console }
-
-# - name: rsync
-#   tags: rsync
-#   become: yes
-#   hosts: backup
-#   roles:
-#     - { role: rsync,
-#         # don't back up the test system.
-#         when: "env == 'production'"
-#       }
-
-- name: search
-  tags: search
-  become: yes
-  hosts: search
-  roles:
-    - { role: search,
-        # search middleware not present on test.
-        when: "env == 'production'"
-      }
-
-- name: mockturtle
-  tags: mockturtle
-  become: yes
-  hosts: mockturtle
-  roles:
-    - { role: mockturtle }
+#- name: mockturtle
+#  tags: mockturtle
+#  become: yes
+#  hosts: mockturtle
+#  roles:
+#    - { role: mockturtle }
 
 - name: sysadm
   tags: sysadm
   become: yes
-  hosts: all:!console
+  hosts: all
   roles:
     - { role: sysadm }
 
 - name: tarsnap
   tags: tarsnap
   become: true
-  hosts: all:!console:!mockturtle
+  hosts: all:!mockturtle
   roles:
     - { role: tarsnap,
         # don't back up the test system.

inventories/test.ini

@@ -52,7 +52,6 @@ http {
 	##
 
 	gzip on;
-	# pre-prgmr: gzip_disable "MSIE [1-6]\.";
 	gzip_disable "msie6";
 
 	# gzip_vary on;

prod.yml

@@ -4,43 +4,44 @@ upstream lobsters_puma_server {
 
 # lobste.rs http->https redirection
 server {
-  listen 71.19.148.33:80;
-  listen [2605:2700:0:2:a800:ff:fe83:b1e7]:80;
-  server_name lobste.rs;
+  listen 80;
+  listen [::]:80;
+  server_name _;
   access_log /var/log/nginx/lobste.rs.access.log main;
   error_log /var/log/nginx/lobste.rs.error.log;
   rewrite ^/(.*)$ https://lobste.rs/$1 permanent;
   keepalive_timeout 0;
 }
 
 # www.lobste.rs -> lobste.rs redirection
-server {
-  listen 71.19.148.33:443 ssl;
-  listen [2605:2700:0:2:a800:ff:fe83:b1e7]:443 ssl;
-  server_name www.lobste.rs;
-  access_log /var/log/nginx/lobste.rs.access.log main;
-  error_log /var/log/nginx/lobste.rs.error.log;
-  keepalive_timeout 0;
-  server_tokens off;
-
-  ssl on;
-  ssl_certificate /etc/letsencrypt/live/lobste.rs/fullchain.pem;
-  ssl_certificate_key /etc/letsencrypt/live/lobste.rs/privkey.pem;
-  ssl_protocols TLSv1.2;
-  ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
-  ssl_prefer_server_ciphers on;
-  ssl_dhparam /etc/ssl/dhparams-2048.pem;
-  ssl_stapling on;
-
-  rewrite ^/(.*)$ https://lobste.rs/$1 permanent;
-  # needs libnginx-mod-http-headers-more-filter available in zesty.
-  #more_set_headers 'X-Frame-Options: DENY' 'Strict-Transport-Security: max-age=15552000; includeSubDomains; preload';
-}
+#server {
+#  #listen 443 ssl http2 default_server;
+#  #listen [::]:443 ssl http2 default_server;
+#  listen 67.205.128.5 http2 default_server;
+#  listen [2604:a880:400:d0::1dc9:f001]:443 http2 default_server;
+#  server_name www.lobste.rs;
+#  access_log /var/log/nginx/lobste.rs.access.log main;
+#  error_log /var/log/nginx/lobste.rs.error.log;
+#  keepalive_timeout 0;
+#  server_tokens off;
+#
+#  #ssl_certificate /etc/letsencrypt/live/lobste.rs/fullchain.pem;
+#  #ssl_certificate_key /etc/letsencrypt/live/lobste.rs/privkey.pem;
+#  ssl_protocols TLSv1.2;
+#  ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
+#  ssl_prefer_server_ciphers on;
+#  ssl_dhparam /etc/ssl/dhparams.pem;
+#  ssl_stapling on;
+#
+#  rewrite ^/(.*)$ https://lobste.rs/$1 permanent;
+#  # needs libnginx-mod-http-headers-more-filter available in zesty.
+#  #more_set_headers 'X-Frame-Options: DENY' 'Strict-Transport-Security: max-age=15552000; includeSubDomains; preload';
+#}
 
 # main lobste.rs
 server {
-  listen 71.19.148.33:443 ssl http2 default_server;
-  listen [2605:2700:0:2:a800:ff:fe83:b1e7]:443 ssl http2 default_server;
+  listen 443 ssl http2 default_server;
+  listen [::]:443 ssl http2 default_server;
   server_name lobste.rs;
 
   access_log /var/log/nginx/lobste.rs.access.log main;
@@ -53,14 +54,13 @@ server {
     return 503;
   }
 
-  ssl on;
   ssl_certificate /etc/letsencrypt/live/lobste.rs/fullchain.pem;
   ssl_certificate_key /etc/letsencrypt/live/lobste.rs/privkey.pem;
 
   ssl_protocols TLSv1.2;
   ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
   ssl_prefer_server_ciphers on;
-  ssl_dhparam /etc/ssl/dhparams-2048.pem;
+  ssl_dhparam /etc/ssl/dhparams.pem;
   ssl_stapling on;
 
   if ($http_user_agent ~* "Brave") { return 400 "Blocked cryptocurrency scam."; }

roles/nginx/files/_env/nginx/nginx.conf

@@ -5,7 +5,7 @@ upstream lobsters_puma_server {
 server {
   listen 71.19.144.172:80 default_server;
   listen [2605:2700:0:2:a800:ff:fec3:aba2]:80 default_server;
-  server_name lobsters-test.xen.prgmr.com;
+  server_name test.lobste.rs;
   access_log /var/log/nginx/lobste.rs.access.log main;
   error_log /var/log/nginx/lobste.rs.error.log;
 

roles/nginx/files/production/nginx/sites-available/lobste.rs

@@ -1,4 +1,5 @@
 ---
 required_packages:
   - nginx
+  - certbot
 # - libnginx-mod-http-headers-more-filter

roles/nginx/files/test/nginx/sites-available/lobste.rs

@@ -14,8 +14,8 @@ UMask			002
 #KeyFile		/etc/dkimkeys/dkim.key
 #Selector		2007
 Domain			lobste.rs
-KeyFile			/etc/dkimkeys/prgmr-0.key
-Selector		prgmr-0
+KeyFile			/etc/dkimkeys/lobsters.web01.key
+Selector		lobsters.web01
 
 # Commonly-used options; the commented-out versions show the defaults.
 #Canonicalization	simple

roles/nginx/vars/main.yml

@@ -1,9 +1,6 @@
 - name: apt-get install postfix
   apt:
-    name: "{{ item }}"
+    name: ['opendkim', 'postfix']
     state: latest
     update_cache: yes
   tags: pkg
-  with_items:
-    - opendkim
-    - postfix