From 089b7e66252d828de5c800688e366eff03a72b12 Mon Sep 17 00:00:00 2001
From: "Antonio J. Delgado"
Date: Tue, 11 Oct 2022 10:18:51 +0300
Subject: [PATCH] Initial commit with previous code

---
defaults/main.yml | 29 +++++++++++
files/default_host.conf | 18 +++++++
handlers/main.yml | 5 ++
tasks/configure.yml | 104 ++++++++++++++++++++++++++++++++++++
tasks/install.yml | 6 +++
tasks/main.yml | 5 ++
templates/vhost.conf.j2 | 113 ++++++++++++++++++++++++++++++++++++++++
7 files changed, 280 insertions(+)
create mode 100644 defaults/main.yml
create mode 100644 files/default_host.conf
create mode 100644 handlers/main.yml
create mode 100644 tasks/configure.yml
create mode 100644 tasks/install.yml
create mode 100644 tasks/main.yml
create mode 100644 templates/vhost.conf.j2
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..22aca34
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,29 @@
+---
+vhosts: []
+ # - vhostname: default.host.example.org
+ # weight: 25
+ # web_port: 80
+ # ssl_port: 443
+ # ssl: yes
+ # docroot: /var/www/host.example.org
+ # serveradmin: webmaster@example.org
+ # server_aliases: []
+ # root_options:
+ # - '-Indexes'
+ # - '-FollowSymLinks'
+ # aliases:
+ # - dest: my_page
+ # src: /var/www/my_page
+ # directories:
+ # - path: /var/www/host.example.org/custom_dir
+ # options:
+ # - '-Indexes'
+ # - '-FollowSymLinks'
+ # allow_override: None
+ # require: 'all granted'
+ # custom_code: ""
+ # custom_code: ""
+ # ldap:
+ # url: ldap://ldap.example.org/ou=People,ou=Users,dc=example,dc=org?uid
+ # require: valid-user
+ # reverse_proxy: http://127.0.0.1:8080/
diff --git a/files/default_host.conf b/files/default_host.conf
new file mode 100644
index 0000000..dd085bc
--- /dev/null
+++ b/files/default_host.conf
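Review bot: The commented example shows `# ssl: yes`, while tasks/configure.yml tests the value as a boolean (`item['ssl']`); `yes` is a YAML 1.1 boolean that Ansible's loader accepts but that other tooling and yamllint read as a string or flag, so the example users copy from should show the canonical form `# ssl: true`. The example lists `custom_code: ""` twice (once under `directories`, once at vhost level); a one-line comment that the second one is emitted verbatim into the vhost config by templates/vhost.conf.j2 would remove the apparent duplication. Since every one of these keys ends up unescaped in Apache configuration, a short comment above `vhosts:` stating that values are inserted as-is and must come from a trusted source would be useful documentation for anyone wiring this role to inventory data.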
@@ -0,0 +1,18 @@ +## Default docroot +DocumentRoot "/var/www/html/" + +## Directories, there should at least be a declaration for DocumentRoot + + + Options +FollowSymlinks -Indexes + AllowOverride All + + +## Logging +ErrorLog "/var/log/apache2/localhost_error.log" +ServerSignature Off +CustomLog "/var/log/apache2/localhost_access.log" combined + +## Redirect rules +RewriteEngine On +RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L] \ No newline at end of file diff --git a/handlers/main.yml b/handlers/main.yml new file mode 100644 index 0000000..0715d61 --- /dev/null +++ b/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: Restart Apache + service: + name: apache2 + state: restarted \ No newline at end of file diff --git a/tasks/configure.yml b/tasks/configure.yml new file mode 100644 index 0000000..f24adfe --- /dev/null +++ b/tasks/configure.yml 
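Review bot: `RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]` has no `RewriteCond %{HTTPS} off` guard, so if this snippet (enabled server-wide under conf-enabled by tasks/configure.yml) is ever evaluated for a request that already arrived over TLS it redirects in a loop; adding `RewriteCond %{HTTPS} off` above the rule makes the intent explicit and cheap to verify. `ServerSignature Off` hides the footer, but `ServerTokens` is not set here, so the `Server` response header still advertises the version unless the distribution's security.conf already restricts it; `ServerTokens Prod` belongs next to it. The `<Directory>` tags around `Options +FollowSymlinks -Indexes` / `AllowOverride All` appear to have been lost in this rendering of the patch, so their scope could not be checked; note that `AllowOverride All` lets any .htaccess under the docroot override these settings, and `AllowOverride None` is the usual choice when the role owns the configuration.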
@@ -0,0 +1,104 @@
+---
+- name: Allow HTTP traffic
+ ufw:
+ rule: allow
+ port: 80
+
+- name: Allow HTTPS traffic
+ ufw:
+ rule: allow
+ port: 443
+
+- name: Enable Apache2 modules
+ community.general.apache2_module:
+ state: present
+ name: "{{ item }}"
+ loop:
+ - rewrite
+ - ssl
+
+- name: Stop Apache
+ service:
+ name: apache2
+ state: stopped
+
+- name: Ensure SSL certificate exists
+ shell: "certbot certonly --agree-tos --email certs@susurrando.com -n --standalone -d {{ item.vhostname }}"
+ args:
+ creates: "/etc/letsencrypt/archive/{{ item.vhostname }}"
+ when:
+ - "'ssl' in item"
+ - item['ssl']
+ with_items: "{{ vhosts }}"
+
+- name: Ensure default vhost root exists
+ file:
+ path: /var/www/html
+ state: directory
+ owner: www-data
+ group: www-data
+ mode: 0775
+
+- name: Ensure default vhost is configured with SSL redirection
+ copy:
+ dest: /etc/apache2/conf-available/default_host.conf
+ src: files/default_host.conf
+ backup: yes
+ mode: 0644
+ notify:
+ - Restart Apache
+
+- name: Ensure default vhost is enabled with SSL redirection
+ file:
+ dest: /etc/apache2/conf-enabled/default_host.conf
+ src: /etc/apache2/conf-available/default_host.conf
+ state: link
+ mode: 0644
+ notify:
+ - Restart Apache
+
+- name: Start Apache
+ service:
+ name: apache2
+ state: started
+
+- name: Ensure Apache modules are enabled
+ community.general.apache2_module:
+ state: present
+ force: True
+ name: "{{ item }}"
+ with_items: "{{ apache_modules }}"
+ when: apache_modules is defined
+
+- name: Ensure vhost docroot exists
+ file:
+ path: "{{ item.docroot }}"
+ state: directory
+ owner: www-data
+ group: www-data
+ mode: 0775
+ loop: "{{ vhosts }}"
+
+- name: Ensure vhosts are configured
+ template:
+ src: templates/vhost.conf.j2
+ dest: "/etc/apache2/sites-available/{{ item.weight }}-{{ item.vhostname }}.conf"
+ owner: root
+ group: root
+ mode: '0644'
+ backup: yes
+ with_items: "{{ vhosts }}"
+ notify:
+ - Restart Apache
+
+- name: Ensure vhost is enabled
+ file:
+ src: "/etc/apache2/sites-available/{{ item.weight }}-{{ item.vhostname }}.conf"
+ dest: "/etc/apache2/sites-enabled/{{ item.weight }}-{{ item.vhostname }}.conf"
+ state: link
+ with_items: "{{ vhosts }}"
+ notify:
+ - Restart Apache
+# notfound.php
+# error500.php
+# error503.php
diff --git a/tasks/install.yml b/tasks/install.yml
new file mode 100644
index 0000000..175f752
--- /dev/null
+++ b/tasks/install.yml
@@ -0,0 +1,6 @@
+---
+- name: Ensure software is installed
+ apt:
+ name:
+ - apache2
+ state: latest
\ No newline at end of file
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..cbe813e
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Ensure installation
+ include_tasks: install.yml
+- name: Ensure configuration
+ include_tasks: configure.yml
\ No newline at end of file
diff --git a/templates/vhost.conf.j2 b/templates/vhost.conf.j2
new file mode 100644
index 0000000..8366ef4
--- /dev/null
+++ b/templates/vhost.conf.j2
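Review bot: `shell: "certbot certonly ... -d {{ item.vhostname }}"` interpolates a vhost name from the `vhosts` variable straight into a shell command line, so if that list is ever fed from inventory, group_vars or extra-vars the role does not control, a name containing shell metacharacters is interpreted by the shell instead of being passed to certbot; use the `command` module, which invokes no shell, or at minimum `-d {{ item.vhostname | quote }}`. The registration address `--email certs@susurrando.com` is hard-coded, so every deployment registers the author's mailbox with the CA; it should be a role default (for example a `certbot_email` variable, referenced as `--email {{ certbot_email }}`). `Stop Apache` and `Start Apache` are unconditional, so every run of the role takes the web server down even when `creates:` skips certbot for all vhosts; register the certbot task and stop only when a certificate is actually missing, or use an authenticator that does not need port 80 freed instead of `--standalone`. `mode: 0775` and `mode: 0644` are unquoted octals while the template task writes `mode: '0644'`; quote them consistently (ansible-lint `risky-octal`), and the `mode: 0644` on the `state: link` task has no effect on a symlink and can be dropped.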
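Review bot: `state: latest` upgrades apache2 whenever the repositories hold a newer package, so a routine configuration run can pull in an unreviewed upgrade together with the service restart it implies. `state: present` with a separate, deliberate patching step is the usual pattern; whichever is kept, `update_cache: true` (with a `cache_valid_time`) is needed for the module to see current repository metadata, otherwise `latest` is evaluated against whatever cache the host happens to have.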
@@ -0,0 +1,113 @@ +# ************************************ +# Vhost template in role apache_ssl_vhost +# Managed by Ansible +# ************************************ + + + ServerName {{ item.vhostname }} +{% if item.server_aliases is defined %} + ServerAlias {% for alias in item.server_aliases %}{{ alias }} {% endfor %} +{% endif %} + + ## Directories, there should at least be a declaration for {{ item.docroot }}/ + + Options +FollowSymlinks + AllowOverride All + + + ## Logging + ErrorLog "/var/log/apache2/{{ item.vhostname }}_error.log" + ServerSignature Off + CustomLog "/var/log/apache2/{{ item.vhostname }}_access.log" combined + + ## Redirect rules + Redirect permanent / https://{{ item.vhostname }}/ + + + + ServerName {{ item.vhostname }} + ServerAdmin {{ item.serveradmin|default("webmaster@{{ item.vhostname }}") }} +{% if item.server_aliases is defined %} + ServerAlias {% for alias in item.server_aliases %}{{ alias }} {% endfor %} +{% endif %} + +{% if item.aliases is defined %}{% for alias in item.aliases %} + Alias /{{ alias.dest }} "{{ alias.src }}" +{% endfor %}{% endif %} + + +{% if item.docroot %} ## Vhost docroot + DocumentRoot "{{ item.docroot|default("/var/www/{{ item.vhostname }}") }}/" + + ## Directories, there should at least be a declaration for {{ item.docroot }}/ + + +{% if item.root_options is defined %} + Options {% for option in item.root_options %}{{ option }} {% endfor %} +{% endif %} + +{% if item.root_custom_code is defined %} + {{ item.root_custom_code }} +{% endif %} + + AllowOverride All + {% endif %} + +{% if item.directories is defined %}{% for directory in item.directories %} + +{% if directory.options is defined %} + Options {% for option in directory.options %}{{ option }} {% endfor %} +{% endif %} + + AllowOverride {{ directory.allow_override | default("All") }} + Require {{ directory.require | default("all granted") }} + {{ directory.custom_code | default("") }} + {% endfor %}{% endif %} + + ## Logging + ErrorLog 
"/var/log/apache2/{{ item.vhostname }}_error_ssl.log" + ServerSignature Off + CustomLog "/var/log/apache2/{{ item.vhostname }}_access_ssl.log" combined + ErrorDocument 404 /notfound.php + ErrorDocument 500 /error500.php + ErrorDocument 503 /error503.php + ## Rewrite rules + RewriteEngine On + + + ## SSL directives + SSLEngine on + SSLCertificateFile "/etc/letsencrypt/live/{{ item.vhostname }}/fullchain.pem" + SSLCertificateKeyFile "/etc/letsencrypt/live/{{ item.vhostname }}/privkey.pem" + SSLProtocol all -SSLv3 -SSLv2 -TLSv1 -TLSv1.1 + SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA + +{% if item.ldap is defined %} + ## LDAP authentication + + AuthType Basic + AuthName "Enter credentials" + AuthBasicProvider ldap + AuthLDAPGroupAttribute member + AuthLDAPSubGroupClass group + AuthLDAPGroupAttributeIsDN On + AuthLDAPURL {{ item.ldap.url }} #ldap://ldap.koti.site/ou=People,ou=Users,dc=koti,dc=site?uid + Require {{ item.ldap.require }} #valid-user + +{% endif %} + +{% if item.reverse_proxy is defined %} + ## Reverse proxy + SSLProxyEngine On + SSLProxyCheckPeerCN on + SSLProxyCheckPeerExpire on + ProxyPass / {{ item.reverse_proxy }} + ProxyPassReverse / {{ item.reverse_proxy }} +{% endif %} + +{% if item.custom_code is defined %} + ## Custom fragment +{{ item.custom_code }} + ## End of custom 
fragment +{% endif %} +
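Review bot: `AuthLDAPURL {{ item.ldap.url }} #ldap://ldap.koti.site/ou=People,ou=Users,dc=koti,dc=site?uid` and `Require {{ item.ldap.require }} #valid-user` carry trailing `#` comments, which Apache does not accept on directive lines — the text after the value is parsed as extra arguments and the rendered vhost fails to load, and the comment also copies an internal LDAP hostname into every generated config; move the examples into Jinja comments (`{# ... #}`), which are stripped at render time. `ServerAdmin {{ item.serveradmin|default("webmaster@{{ item.vhostname }}") }}` and `DocumentRoot "{{ item.docroot|default("/var/www/{{ item.vhostname }}") }}/"` nest Jinja delimiters inside a string literal, which Jinja does not expand, so the fallback is the literal text `webmaster@{{ item.vhostname }}`; write `default("webmaster@" ~ item.vhostname)` and `default("/var/www/" ~ item.vhostname)`. The `SSLCipherSuite` list explicitly admits `DES-CBC3-SHA` (3DES) and a long tail of non-forward-secret `AES*-SHA`, `AES*-SHA256` and `CAMELLIA` suites, undercutting the otherwise good `SSLProtocol all -SSLv3 -SSLv2 -TLSv1 -TLSv1.1`; trim it to the ECDHE/DHE AEAD suites and add `SSLHonorCipherOrder on`. No `{% if item.ssl %}` guard is visible around the second vhost, so `SSLCertificateFile "/etc/letsencrypt/live/{{ item.vhostname }}/fullchain.pem"` is rendered for entries whose certificate tasks/configure.yml only requests when `item.ssl` is set, and Apache will refuse to start for them; wrap that block in `{% if item.ssl | default(false) %}`. The `<VirtualHost>`, `<Directory>` and `<Location>` tags appear to have been lost in this rendering of the patch, so the scoping of these directives was not reviewed.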