[ansible] Avoid rdns on save
by Nicolas Chauvet
commit 8b267dc7c83b82e729f41b78838f44f2286269e0
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Mon Nov 28 15:50:02 2016 +0100
Avoid rdns on save
files/moin/wikiconfig.py | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
---
diff --git a/files/moin/wikiconfig.py b/files/moin/wikiconfig.py
index 31a8f53..1a50c9e 100644
--- a/files/moin/wikiconfig.py
+++ b/files/moin/wikiconfig.py
@@ -211,4 +211,7 @@ class Config(multiconfig.DefaultConfig):
# Surge protection - https://moinmo.in/HelpOnConfiguration/SurgeProtection
surge_action_limits = None # disable surge protection
+ # Disable rdns https://moinmo.in/HowTo/Tune%20Performance
+ log_reverse_dns_lookups = False
+
[ansible] Add Howto and FAQ to the default
by Nicolas Chauvet
commit 4e634a94aab7b3f8b72f98a74d6369b3c1419f1b
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Mon Nov 28 15:49:44 2016 +0100
Add Howto and FAQ to the default
files/moin/wikiconfig.py | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
---
diff --git a/files/moin/wikiconfig.py b/files/moin/wikiconfig.py
index bc8d4fc..31a8f53 100644
--- a/files/moin/wikiconfig.py
+++ b/files/moin/wikiconfig.py
@@ -173,6 +173,8 @@ class Config(multiconfig.DefaultConfig):
#u'HelpContents',
u'Configuration',
u'ReportingBugs',
+ u'Howto',
+ u'FAQ',
]
# The default theme anonymous or new users get
[ansible] Disable surge protection - doesn't grab X-Forward-For as expected
by Nicolas Chauvet
commit 22d622f91588d0ed570cbe07685e91629cfddb33
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Mon Nov 28 15:30:22 2016 +0100
Disable surge protection - doesn't grab X-Forward-For as expected
files/moin/wikiconfig.py | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
---
diff --git a/files/moin/wikiconfig.py b/files/moin/wikiconfig.py
index 61cacf7..bc8d4fc 100644
--- a/files/moin/wikiconfig.py
+++ b/files/moin/wikiconfig.py
@@ -206,3 +206,7 @@ class Config(multiconfig.DefaultConfig):
# Enable graphical charts, requires gdchart.
#chart_options = {'width': 600, 'height': 300}
+ # Surge protection - https://moinmo.in/HelpOnConfiguration/SurgeProtection
+ surge_action_limits = None # disable surge protection
+
+
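Review bot: Setting `surge_action_limits = None` switches off MoinMoin's request throttling for every action instead of fixing the client-address problem named in the commit message, so the wiki has no rate limit on edits or page requests unless the front-end proxy applies one. The comment should say that this is a workaround and where throttling is expected to happen, for example `# surge protection off: behind the proxy all requests appear to share one address; rate limiting must be done at the proxy`. The hunk also adds two blank lines at the end of the class body; one is enough.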
[ansible] Reverse sshonly_hsts logic
by Nicolas Chauvet
commit 2cafc8ca64afa8cebf2eee8412b74ae93e3ee559
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Sun Nov 27 10:30:05 2016 +0100
Reverse sshonly_hsts logic
playbooks/include/proxies-websites.yml | 2 +-
roles/httpd/website/templates/website.conf | 2 +-
vars/global.yml | 1 +
3 files changed, 3 insertions(+), 2 deletions(-)
---
diff --git a/playbooks/include/proxies-websites.yml b/playbooks/include/proxies-websites.yml
index 04af19c..542ee6b 100644
--- a/playbooks/include/proxies-websites.yml
+++ b/playbooks/include/proxies-websites.yml
@@ -51,7 +51,7 @@
server_aliases:
- www.rpmfusion.org
sslonly: true
- sslonly_no_hsts: true
+ sslonly_hsts: false
cert_name: rpmfusion.org
SSLCertificateChainFile : rpmfusion.org-intermediate.cert
diff --git a/roles/httpd/website/templates/website.conf b/roles/httpd/website/templates/website.conf
index 9d87025..f001ec8 100644
--- a/roles/httpd/website/templates/website.conf
+++ b/roles/httpd/website/templates/website.conf
@@ -46,7 +46,7 @@
SSLCipherSuite {{ ssl_ciphers }}
{% if sslonly %}
-{% if not sslonly_no_hsts %}
+{% if sslonly_hsts %}
Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
{% endif %}
{% endif %}
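Review bot: When `sslonly_hsts` is false the template sends no header at all, which does not withdraw a policy browsers have already stored: with `max-age=15768000; includeSubDomains`, clients that visited earlier keep enforcing HTTPS on the domain and every subdomain for about six months. If the aim is to lift HSTS for a host, the `{% if sslonly_hsts %}` test needs an else branch, `{% else %}` followed by `Header always set Strict-Transport-Security "max-age=0"`. The `not sslonly_no_hsts` test in the "Allow to disable hsts" commit further down this page has the same gap. The `preload` token also signals consent to browser preload lists, and removal from those lists is not something this configuration can do.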
diff --git a/vars/global.yml b/vars/global.yml
index f889225..ce13e55 100644
--- a/vars/global.yml
+++ b/vars/global.yml
@@ -46,6 +46,7 @@ rhel66_x86_64: rhel-guest-image-6.6-20141222.0.x86_64
ssl_protocols: "-All +TLSv1 +TLSv1.1 +TLSv1.2"
ssl_ciphers: "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK"
+sslonly_hsts: true
# Set a default hostname base to transient. Override in host vars or command line.
hostbase: transient
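Review bot: The new `sslonly_hsts: true` default only takes effect for plays that load vars/global.yml, and nothing in the hunk documents what the variable controls. A comment such as `# send Strict-Transport-Security on sslonly vhosts; set to false per website to opt out` would record the intent. Writing the template test as `{% if sslonly_hsts | default(true) %}` would keep the header on where this file is not loaded; whether such a play exists is not visible here.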
[ansible] disable hsts on rpmfusion.org top domain
by Nicolas Chauvet
commit baedaf53860510c52512b2b8106d244e6104f39b
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Sun Nov 27 10:23:06 2016 +0100
disable hsts on rpmfusion.org top domain
playbooks/include/proxies-websites.yml | 8 +-------
1 files changed, 1 insertions(+), 7 deletions(-)
---
diff --git a/playbooks/include/proxies-websites.yml b/playbooks/include/proxies-websites.yml
index 5301698..04af19c 100644
--- a/playbooks/include/proxies-websites.yml
+++ b/playbooks/include/proxies-websites.yml
@@ -51,6 +51,7 @@
server_aliases:
- www.rpmfusion.org
sslonly: true
+ sslonly_no_hsts: true
cert_name: rpmfusion.org
SSLCertificateChainFile : rpmfusion.org-intermediate.cert
@@ -68,13 +69,6 @@
- role: httpd/website
- name: fas.rpmfusion.org
- sslonly: true
- #cert_name: fas.rpmfusion.org
- cert_name: "{{wildcard_cert_name}}"
-
-
- - role: httpd/website
name: id.rpmfusion.org
#server_aliases:
#- "*.id.rpmfusion.org"
[ansible] Allow to disable hsts
by Nicolas Chauvet
commit ce39396ff6da99f54b2d62369f40a27549961fb6
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Sun Nov 27 10:21:39 2016 +0100
Allow to disable hsts
roles/httpd/website/templates/website.conf | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
---
diff --git a/roles/httpd/website/templates/website.conf b/roles/httpd/website/templates/website.conf
index 6547452..9d87025 100644
--- a/roles/httpd/website/templates/website.conf
+++ b/roles/httpd/website/templates/website.conf
@@ -46,8 +46,10 @@
SSLCipherSuite {{ ssl_ciphers }}
{% if sslonly %}
+{% if not sslonly_no_hsts %}
Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
{% endif %}
+{% endif %}
Include "conf.d/{{ name }}/*.conf"
</VirtualHost>
{% endif %}
[ansible] Sync with fedoara
by Nicolas Chauvet
commit 91ba0d02925ae1326966df173d3d3894fa7bdec7
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Sun Nov 27 09:26:11 2016 +0100
Sync with fedoara
roles/httpd/website/templates/website.conf | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
---
diff --git a/roles/httpd/website/templates/website.conf b/roles/httpd/website/templates/website.conf
index e45e805..6547452 100644
--- a/roles/httpd/website/templates/website.conf
+++ b/roles/httpd/website/templates/website.conf
@@ -42,8 +42,8 @@
# https://fedorahosted.org/fedora-infrastructure/ticket/4101#comment:14
# If you change the protocols or cipher suites, you should probably update
# modules/squid/files/squid.conf-el6 too, to keep it in sync.
- SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
- SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
+ SSLProtocol {{ ssl_protocols }}
+ SSLCipherSuite {{ ssl_ciphers }}
{% if sslonly %}
Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
[ansible] Fixup rndc key
by Nicolas Chauvet
commit 4beeccb6a8391bbd21d9459844f3b6c6218f88d7
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Sat Nov 26 20:59:19 2016 +0100
Fixup rndc key
roles/dns/files/rndc.conf | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
---
diff --git a/roles/dns/files/rndc.conf b/roles/dns/files/rndc.conf
index ce30d35..b384018 100644
--- a/roles/dns/files/rndc.conf
+++ b/roles/dns/files/rndc.conf
@@ -23,11 +23,11 @@
options {
default-server localhost;
- default-key "rndckey";
+ default-key "rndc-key";
};
server localhost {
- key "rndckey";
+ key "rndc-key";
};
include "/etc/rndc.key";
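Review bot: The key name `rndc-key` in `default-key` and in the `server localhost` block now has to match the `key` statement inside the included /etc/rndc.key and the key named in named.conf's `controls` block, neither of which is visible in this hunk. A mismatch makes rndc fail to authenticate to named. A comment above the include, such as `# key name must match the key statement in /etc/rndc.key`, would record the dependency for the next change.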
[ansible] Add favicon
by Nicolas Chauvet
commit 7408bf1be87ca123746bda8e530990fee2a7cec1
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Sat Nov 26 13:59:39 2016 +0100
Add favicon
roles/moin/files/moin.conf | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
---
diff --git a/roles/moin/files/moin.conf b/roles/moin/files/moin.conf
index a1f3d8d..ad5b6b0 100644
--- a/roles/moin/files/moin.conf
+++ b/roles/moin/files/moin.conf
@@ -5,3 +5,5 @@
WSGIDaemonProcess moin user=apache group=apache processes=5 threads=10 maximum-requests=1000 umask=0007
WSGIScriptAlias / /var/www/moin/moin.wsgi
WSGIProcessGroup moin
+
+ Alias /favicon.ico /var/www/moin/favicon.ico
[puppet] Update dns to point to pkgs01
by Nicolas Chauvet
commit 4098f1a5b6731ab7924d7307905dba8c098ee00c
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Sat Nov 26 12:59:12 2016 +0100
Update dns to point to pkgs01
files/dns/rpmfusion.org | 10 +++++-----
1 files changed, 5 insertions(+), 5 deletions(-)
---
diff --git a/files/dns/rpmfusion.org b/files/dns/rpmfusion.org
index 60d3c93..d781737 100644
--- a/files/dns/rpmfusion.org
+++ b/files/dns/rpmfusion.org
@@ -1,6 +1,6 @@
$TTL 5M
@ IN SOA ns1.rpmfusion.net. matthias.saou.eu. (
- 2016090101 ; Serial
+ 2016112601 ; Serial
6H ; Refresh
1H ; Retry
5W ; Expire
@@ -13,10 +13,10 @@ $TTL 5M
@ 600 IN TXT "v=spf1 a mx ip4:46.105.55.71/32 ip6:2001:41d0:2:ad32::1/128 ~all"
-@ IN A 46.105.55.72 ; se02.ovh
- IN AAAA 2001:41d0:2:ad32::2 ; se02.ovh
-www IN A 46.105.55.72 ; se02.ovh
- IN AAAA 2001:41d0:2:ad32::2 ; se02.ovh
+@ IN A 212.129.31.198 ; pkgs01.online
+; IN AAAA 2001:41d0:2:ad32::2 ; se02.ovh
+www IN A 212.129.31.198 ; pkgs01.online
+; IN AAAA 2001:41d0:2:ad32::2 ; se02.ovh
;lists IN A 195.10.6.136 ; mx32b04
; IN MX 10 mx2.es6.egwn.net.
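Review bot: The SPF record on the context line above contains the `a` mechanism, so moving the apex A record to 212.129.31.198 also authorizes pkgs01 to send mail as rpmfusion.org. If that host is not meant to send mail, drop `a` from the TXT record or list the sending hosts explicitly. The two AAAA lines are commented out but still carry the old se02.ovh address and label, so the name has no IPv6 record after this change; deleting them, or adding a comment such as `; no AAAA for pkgs01 yet`, would make that state explicit.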