Create vhosts, users, and document roots

README.md

@@ -11,7 +11,21 @@ Any pre-requisites that may not be covered by Ansible itself or the role should
 Role Variables
 --------------
 
-A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+* main variable of type list
+  * http_vhost
+* required dictionary elements
+  * fqdn : The FQDN of the website
+* optional dictionary elements
+  * aliases : list of alternative FQDN for the website
+  * proxy : URL to direct traffic for the FQDN to, e.g. http://localhost:8080
+
+~~~
+http_vhost:
+  - fqdn: 'www.example.com'
+    aliases:
+      - 'exmaple.com'
+    proxy: 'http://localhost:8080'
+~~~
 
 Dependencies
 ------------

tasks/main.yml

@@ -114,6 +114,33 @@
   loop: '{{ ensure_apache.firewall_list }}'
   loop_control:
     label: '{{ item.service }} will be {{ item.state }}'
+- name: 'ensure users'
+  when:
+    - ansible_system == 'Linux'
+    - ensure_apache is defined
+    - http_vhost is defined
+    - http_vhost is iterable
+  ansible.builtin.user:
+    name: '{{ item.fqdn }}'
+  loop: '{{ http_vhost }}'
+  loop_control:
+    label: '{{ item.fqdn }} will be ensured'
+- name: 'ensure vhost document roots'
+  when:
+    - ansible_system == 'Linux'
+    - ensure_apache is defined
+    - http_vhost is defined
+    - http_vhost is iterable
+  ansible.builtin.file:
+    group: '{{ item.fqdn }}'
+    owner: '{{ item.fqdn }}'
+    mode: '2775'
+    path: '/srv/http/{{ item.fqdn }}'
+    state: 'directory'
+    setype: 'httpd_sys_content_t'
+  loop: '{{ http_vhost }}'
+  loop_control:
+    label: '/srv/http/{{ item.fqdn }} will be ensured'
 - name: 'ensure services'
   when:
     - ansible_system == 'Linux'

templates/Fedora/34/etc/httpd/conf.d/vhost.conf

@@ -0,0 +1,102 @@
+<Directory "/srv/http">
+    AllowOverride None
+    Require all granted
+</Directory>
+
+{% for item in http_vhost %}
+<Directory "/srv/http/{{ item.fqdn }}">
+    Options Indexes FollowSymLinks
+    AllowOverride None
+    Require all granted
+</Directory>
+
+{% endfor %}
+{% for item in http_vhost %}
+{% if item.aliases is defined %}
+{% for item_alias in item.aliases %}
+<VirtualHost *:80>
+  ServerName {{ item_alias }}
+  ServerAdmin webmaster@firedragonenterprises.com
+  DocumentRoot /srv/http/{{ item.fqdn }}
+  RedirectMatch permanent "^(?!/\.well-known/acme-challenge/).*" https://{{ item.fqdn }}$0
+</VirtualHost>
+
+{% endfor %}
+{% endif %}
+<VirtualHost *:80>
+  ServerName {{ item.fqdn }}
+  ServerAdmin webmaster@firedragonenterprises.com
+  DocumentRoot /srv/http/{{ item.fqdn }}
+  RedirectMatch permanent "^(?!/\.well-known/acme-challenge/).*" https://{{ item.fqdn }}$0
+</VirtualHost>
+
+{% if item.aliases is defined %}
+{% for item_alias in item.aliases %}
+<VirtualHost *:443>
+  SSLEngine on
+  SSLProtocol all -TLSv1.1
+  SSLProxyProtocol all -TLSv1.1
+  SSLHonorCipherOrder on
+  SSLCipherSuite PROFILE=SYSTEM
+  SSLProxyCipherSuite PROFILE=SYSTEM
+  SSLCertificateFile /etc/pki/tls/certs/localhost.crt
+  SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
+  ServerName {{ item_alias }}
+  ServerAdmin webmaster@firedragonenterprises.com
+  DocumentRoot /srv/http/{{ item.fqdn }}
+  RedirectMatch permanent "^(?!/\.well-known/acme-challenge/).*" https://{{ item.fqdn }}$0
+  <Location /.ansible>
+    Require all denied
+  </Location>
+  <Location /.config>
+    Require all denied
+  </Location>
+  <Location /.ssh>
+    Require all denied
+  </Location>
+</VirtualHost>
+
+{% endfor %}
+{% endif %}
+<VirtualHost *:443>
+  SSLEngine on
+  SSLProtocol all -TLSv1.1
+  SSLProxyProtocol all -TLSv1.1
+  SSLHonorCipherOrder on
+  SSLCipherSuite PROFILE=SYSTEM
+  SSLProxyCipherSuite PROFILE=SYSTEM
+  # SSLCertificateFile /etc/pki/tls/certs/localhost.crt
+  # SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
+  ServerName {{ item.fqdn }}
+  ServerAdmin webmaster@firedragonenterprises.com
+  DocumentRoot /srv/http/{{ item.fqdn }}
+  Alias /error/ "/var/www/error/"
+{% if item.proxy is defined %}
+  ProxyPass "/.well-known" "!"
+  ProxyPass "/phpMyAdmin" "!"
+  ProxyPass "/phpmyadmin" "!"
+  ProxyPass "/" "{{ item.proxy }}"
+  ProxyPassReverse "/" "{{ item.proxy }}"
+  ProxyTimeout 300
+{% endif %}
+  <Location /.ansible>
+    Require all denied
+  </Location>
+  <Location /.cache>
+    Require all denied
+  </Location>
+  <Location /.config>
+    Require all denied
+  </Location>
+  <Location /.local>
+    Require all denied
+  </Location>
+  <Location /.git>
+    Require all denied
+  </Location>
+  <Location /.ssh>
+    Require all denied
+  </Location>
+</VirtualHost>
+
+{% endfor %}

vars/Fedora-34-default.yml

@@ -39,6 +39,11 @@ template_list:
     mode: '0644'
     owner: 'root'
     src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/httpd/conf.d/README'
+  - dest: '/etc/httpd/conf.d/vhost.conf'
+    group: 'root'
+    mode: '0644'
+    owner: 'root'
+    src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/httpd/conf.d/vhost.conf'
   - dest: '/etc/httpd/conf.d/ssl.conf'
     group: 'root'
     mode: '0644'