From 4afbe763699f5a4527bcba26608dbcc8d7dbce4a Mon Sep 17 00:00:00 2001
From: Jason Rothstein
Date: Mon, 25 Oct 2021 21:41:35 -0500
Subject: [PATCH] Create vhosts, users, and document roots
---
README.md | 16 ++-
tasks/main.yml | 27 +++++
.../Fedora/34/etc/httpd/conf.d/vhost.conf | 102 ++++++++++++++++++
vars/Fedora-34-default.yml | 5 +
4 files changed, 149 insertions(+), 1 deletion(-)
create mode 100644 templates/Fedora/34/etc/httpd/conf.d/vhost.conf
diff --git a/README.md b/README.md
index 225dd44..0c44795 100644
--- a/README.md
+++ b/README.md
@@ -11,7 +11,21 @@ Any pre-requisites that may not be covered by Ansible itself or the role should Role Variables -------------- -A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. +* main variable of type list + * http_vhost +* required dictionary elements + * fqdn : The FQDN of the website +* optional dictionary elements + * aliases : list of alternative FQDN for the website + * proxy : URL to direct traffic for the FQDN to, e.g. http://localhost:8080 + +~~~ +http_vhost: + - fqdn: 'www.example.com' + aliases: + - 'exmaple.com' + proxy: 'http://localhost:8080' +~~~ Dependencies ------------
diff --git a/tasks/main.yml b/tasks/main.yml
index 0bb3962..2c252e8 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -114,6 +114,33 @@
 loop: '{{ ensure_apache.firewall_list }}'
 loop_control:
 label: '{{ item.service }} will be {{ item.state }}'
+- name: 'ensure users'
+ when:
+ - ansible_system == 'Linux'
+ - ensure_apache is defined
+ - http_vhost is defined
+ - http_vhost is iterable
+ ansible.builtin.user:
+ name: '{{ item.fqdn }}'
+ loop: '{{ http_vhost }}'
+ loop_control:
+ label: '{{ item.fqdn }} will be ensured'
+- name: 'ensure vhost document roots'
+ when:
+ - ansible_system == 'Linux'
+ - ensure_apache is defined
+ - http_vhost is defined
+ - http_vhost is iterable
+ ansible.builtin.file:
+ group: '{{ item.fqdn }}'
+ owner: '{{ item.fqdn }}'
+ mode: '2775'
+ path: '/srv/http/{{ item.fqdn }}'
+ state: 'directory'
+ setype: 'httpd_sys_content_t'
+ loop: '{{ http_vhost }}'
+ loop_control:
+ label: '/srv/http/{{ item.fqdn }} will be ensured'
 - name: 'ensure services'
 when:
 - ansible_system == 'Linux'
diff --git a/templates/Fedora/34/etc/httpd/conf.d/vhost.conf b/templates/Fedora/34/etc/httpd/conf.d/vhost.conf
new file mode 100644
index 0000000..a3d257a
--- /dev/null
+++ b/templates/Fedora/34/etc/httpd/conf.d/vhost.conf
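Review bot: The `ensure users` task passes only `name` to `ansible.builtin.user`, so every vhost gets a regular account with the default login shell and a home directory, although the role only needs an ownership principal for the document root. Add `system: true`, `shell: '/sbin/nologin'` and `create_home: false` to that task so the account cannot be used for interactive login. The same `item.fqdn` is used verbatim as the username and as the path component in `/srv/http/{{ item.fqdn }}`; shadow-utils `useradd` rejects names longer than 32 characters, and a value containing `/` or `..` would place the directory outside `/srv/http`, so an `ansible.builtin.assert` on the FQDN format before the loops would fail early with a clear message instead of a half-applied state. Note also that `http_vhost is iterable` is true for a plain string, in which case the loop runs character by character and dies on `item.fqdn`; adding `http_vhost is not string` to both `when` lists makes the guard meaningful.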
@@ -0,0 +1,102 @@ + + AllowOverride None + Require all granted + + +{% for item in http_vhost %} + + Options Indexes FollowSymLinks + AllowOverride None + Require all granted + + +{% endfor %} +{% for item in http_vhost %} +{% if item.aliases is defined %} +{% for item_alias in item.aliases %} + + ServerName {{ item_alias }} + ServerAdmin webmaster@firedragonenterprises.com + DocumentRoot /srv/http/{{ item.fqdn }} + RedirectMatch permanent "^(?!/\.well-known/acme-challenge/).*" https://{{ item.fqdn }}$0 + + +{% endfor %} +{% endif %} + + ServerName {{ item.fqdn }} + ServerAdmin webmaster@firedragonenterprises.com + DocumentRoot /srv/http/{{ item.fqdn }} + RedirectMatch permanent "^(?!/\.well-known/acme-challenge/).*" https://{{ item.fqdn }}$0 + + +{% if item.aliases is defined %} +{% for item_alias in item.aliases %} + + SSLEngine on + SSLProtocol all -TLSv1.1 + SSLProxyProtocol all -TLSv1.1 + SSLHonorCipherOrder on + SSLCipherSuite PROFILE=SYSTEM + SSLProxyCipherSuite PROFILE=SYSTEM + SSLCertificateFile /etc/pki/tls/certs/localhost.crt + SSLCertificateKeyFile /etc/pki/tls/private/localhost.key + ServerName {{ item_alias }} + ServerAdmin webmaster@firedragonenterprises.com + DocumentRoot /srv/http/{{ item.fqdn }} + RedirectMatch permanent "^(?!/\.well-known/acme-challenge/).*" https://{{ item.fqdn }}$0 + + Require all denied + + + Require all denied + + + Require all denied + + + +{% endfor %} +{% endif %} + + SSLEngine on + SSLProtocol all -TLSv1.1 + SSLProxyProtocol all -TLSv1.1 + SSLHonorCipherOrder on + SSLCipherSuite PROFILE=SYSTEM + SSLProxyCipherSuite PROFILE=SYSTEM + # SSLCertificateFile /etc/pki/tls/certs/localhost.crt + # SSLCertificateKeyFile /etc/pki/tls/private/localhost.key + ServerName {{ item.fqdn }} + ServerAdmin webmaster@firedragonenterprises.com + DocumentRoot /srv/http/{{ item.fqdn }} + Alias /error/ "/var/www/error/" +{% if item.proxy is defined %} + ProxyPass "/.well-known" "!" + ProxyPass "/phpMyAdmin" "!" + ProxyPass "/phpmyadmin" "!" 
+ ProxyPass "/" "{{ item.proxy }}" + ProxyPassReverse "/" "{{ item.proxy }}" + ProxyTimeout 300 +{% endif %} + + Require all denied + + + Require all denied + + + Require all denied + + + Require all denied + + + Require all denied + + + Require all denied + + + +{% endfor %}
diff --git a/vars/Fedora-34-default.yml b/vars/Fedora-34-default.yml
index bce01b2..826a3be 100644
--- a/vars/Fedora-34-default.yml
+++ b/vars/Fedora-34-default.yml
@@ -39,6 +39,11 @@ template_list:
 mode: '0644'
 owner: 'root'
 src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/httpd/conf.d/README'
+ - dest: '/etc/httpd/conf.d/vhost.conf'
+ group: 'root'
+ mode: '0644'
+ owner: 'root'
+ src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/httpd/conf.d/vhost.conf'
 - dest: '/etc/httpd/conf.d/ssl.conf'
 group: 'root'
 mode: '0644'
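Review bot: In the main HTTPS block for `{{ item.fqdn }}` the `SSLCertificateFile` and `SSLCertificateKeyFile` lines are commented out while `SSLEngine on` remains, so unless a certificate is inherited from the global server context mod_ssl will reject this configuration at startup; the alias HTTPS blocks above it point at the stock `localhost.crt`/`localhost.key`, which will not match any alias name either. Template the pair from the vhost item (for example a per-vhost certificate and key path with a documented default) and record the new keys in the README. `SSLProtocol all -TLSv1.1` and `SSLProxyProtocol all -TLSv1.1` explicitly enable every protocol except TLSv1.1, which still admits TLSv1.0 and can override the system crypto policy that `PROFILE=SYSTEM` otherwise defers to; `SSLProtocol -all +TLSv1.2 +TLSv1.3` or simply omitting the directive is the safer form. `ServerAdmin webmaster@firedragonenterprises.com` is hard-coded in every block and belongs in a role variable. This is a new file, but the `<Directory>`/`<VirtualHost>` opening tags were lost in this rendering, so which container each `Require all denied` applies to cannot be checked here.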
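Review bot: This entry deploys vhost.conf on every host the role runs on, but the template iterates `http_vhost` with no default, so a host that does not define the variable will presumably fail at the template task even though tasks/main.yml guards its own loops with `http_vhost is defined` — confirm against the task that consumes `template_list`. Either guard this list entry the same way or iterate `{% for item in http_vhost | default([]) %}` in the template so the file renders empty instead of aborting the play. The `template_list` sequence begins before the hunk.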