Create vhosts, users, and document roots

2021-10-25 21:41:35 -05:00 · 2021-10-25 21:41:35 -05:00 · 4afbe76369
commit 4afbe76369
parent d92c35b296
4 changed files with 149 additions and 1 deletions
--- a/README.md
+++ b/README.md
@ -11,7 +11,21 @@ Any pre-requisites that may not be covered by Ansible itself or the role should
 Role Variables
 --------------

-A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+* main variable of type list
+  * http_vhost
+* required dictionary elements
+  * fqdn : The FQDN of the website
+* optional dictionary elements
+  * aliases : list of alternative FQDN for the website
+  * proxy : URL to direct traffic for the FQDN to, e.g. http://localhost:8080
+
+~~~
+http_vhost:
+  - fqdn: 'www.example.com'
+    aliases:
+      - 'exmaple.com'
+    proxy: 'http://localhost:8080'
+~~~

 Dependencies
 ------------
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -114,6 +114,33 @@
  loop: '{{ ensure_apache.firewall_list }}'
  loop_control:
    label: '{{ item.service }} will be {{ item.state }}'
+- name: 'ensure users'
+  when:
+    - ansible_system == 'Linux'
+    - ensure_apache is defined
+    - http_vhost is defined
+    - http_vhost is iterable
+  ansible.builtin.user:
+    name: '{{ item.fqdn }}'
+  loop: '{{ http_vhost }}'
+  loop_control:
+    label: '{{ item.fqdn }} will be ensured'
+- name: 'ensure vhost document roots'
+  when:
+    - ansible_system == 'Linux'
+    - ensure_apache is defined
+    - http_vhost is defined
+    - http_vhost is iterable
+  ansible.builtin.file:
+    group: '{{ item.fqdn }}'
+    owner: '{{ item.fqdn }}'
+    mode: '2775'
+    path: '/srv/http/{{ item.fqdn }}'
+    state: 'directory'
+    setype: 'httpd_sys_content_t'
+  loop: '{{ http_vhost }}'
+  loop_control:
+    label: '/srv/http/{{ item.fqdn }} will be ensured'
 - name: 'ensure services'
  when:
    - ansible_system == 'Linux'
--- a/templates/Fedora/34/etc/httpd/conf.d/vhost.conf
+++ b/templates/Fedora/34/etc/httpd/conf.d/vhost.conf
@ -0,0 +1,102 @@
+<Directory "/srv/http">
+    AllowOverride None
+    Require all granted
+</Directory>
+
+{% for item in http_vhost %}
+<Directory "/srv/http/{{ item.fqdn }}">
+    Options Indexes FollowSymLinks
+    AllowOverride None
+    Require all granted
+</Directory>
+
+{% endfor %}
+{% for item in http_vhost %}
+{% if item.aliases is defined %}
+{% for item_alias in item.aliases %}
+<VirtualHost *:80>
+  ServerName {{ item_alias }}
+  ServerAdmin webmaster@firedragonenterprises.com
+  DocumentRoot /srv/http/{{ item.fqdn }}
+  RedirectMatch permanent "^(?!/\.well-known/acme-challenge/).*" https://{{ item.fqdn }}$0
+</VirtualHost>
+
+{% endfor %}
+{% endif %}
+<VirtualHost *:80>
+  ServerName {{ item.fqdn }}
+  ServerAdmin webmaster@firedragonenterprises.com
+  DocumentRoot /srv/http/{{ item.fqdn }}
+  RedirectMatch permanent "^(?!/\.well-known/acme-challenge/).*" https://{{ item.fqdn }}$0
+</VirtualHost>
+
+{% if item.aliases is defined %}
+{% for item_alias in item.aliases %}
+<VirtualHost *:443>
+  SSLEngine on
+  SSLProtocol all -TLSv1.1
+  SSLProxyProtocol all -TLSv1.1
+  SSLHonorCipherOrder on
+  SSLCipherSuite PROFILE=SYSTEM
+  SSLProxyCipherSuite PROFILE=SYSTEM
+  SSLCertificateFile /etc/pki/tls/certs/localhost.crt
+  SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
+  ServerName {{ item_alias }}
+  ServerAdmin webmaster@firedragonenterprises.com
+  DocumentRoot /srv/http/{{ item.fqdn }}
+  RedirectMatch permanent "^(?!/\.well-known/acme-challenge/).*" https://{{ item.fqdn }}$0
+  <Location /.ansible>
+    Require all denied
+  </Location>
+  <Location /.config>
+    Require all denied
+  </Location>
+  <Location /.ssh>
+    Require all denied
+  </Location>
+</VirtualHost>
+
+{% endfor %}
+{% endif %}
+<VirtualHost *:443>
+  SSLEngine on
+  SSLProtocol all -TLSv1.1
+  SSLProxyProtocol all -TLSv1.1
+  SSLHonorCipherOrder on
+  SSLCipherSuite PROFILE=SYSTEM
+  SSLProxyCipherSuite PROFILE=SYSTEM
+  # SSLCertificateFile /etc/pki/tls/certs/localhost.crt
+  # SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
+  ServerName {{ item.fqdn }}
+  ServerAdmin webmaster@firedragonenterprises.com
+  DocumentRoot /srv/http/{{ item.fqdn }}
+  Alias /error/ "/var/www/error/"
+{% if item.proxy is defined %}
+  ProxyPass "/.well-known" "!"
+  ProxyPass "/phpMyAdmin" "!"
+  ProxyPass "/phpmyadmin" "!"
+  ProxyPass "/" "{{ item.proxy }}"
+  ProxyPassReverse "/" "{{ item.proxy }}"
+  ProxyTimeout 300
+{% endif %}
+  <Location /.ansible>
+    Require all denied
+  </Location>
+  <Location /.cache>
+    Require all denied
+  </Location>
+  <Location /.config>
+    Require all denied
+  </Location>
+  <Location /.local>
+    Require all denied
+  </Location>
+  <Location /.git>
+    Require all denied
+  </Location>
+  <Location /.ssh>
+    Require all denied
+  </Location>
+</VirtualHost>
+
+{% endfor %}
--- a/vars/Fedora-34-default.yml
+++ b/vars/Fedora-34-default.yml
@ -39,6 +39,11 @@ template_list:
    mode: '0644'
    owner: 'root'
    src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/httpd/conf.d/README'
+  - dest: '/etc/httpd/conf.d/vhost.conf'
+    group: 'root'
+    mode: '0644'
+    owner: 'root'
+    src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/httpd/conf.d/vhost.conf'
  - dest: '/etc/httpd/conf.d/ssl.conf'
    group: 'root'
    mode: '0644'