diff --git a/playbooks/devel.yml b/playbooks/devel.yml
index 3bbaec9..43be9b7 100644
--- a/playbooks/devel.yml
+++ b/playbooks/devel.yml
@@ -11,3 +11,4 @@ roles: - base + - apache
diff --git a/roles/apache/files/ssl.conf b/roles/apache/files/ssl.conf
new file mode 100644
index 0000000..053e4aa
--- /dev/null
+++ b/roles/apache/files/ssl.conf
@@ -0,0 +1,46 @@
+##
+## SSL Global Context
+##
+## All SSL configuration in this context applies both to
+## the main server and all SSL-enabled virtual hosts.
+##
+
+Listen 443
+
+# Pass Phrase Dialog:
+# Configure the pass phrase gathering process.
+# The filtering dialog program (`builtin' is a internal
+# terminal dialog) has to provide the pass phrase on stdout.
+SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
+
+# Inter-Process Session Cache:
+# Configure the SSL Session Cache: First the mechanism
+# to use and second the expiring timeout (in seconds).
+SSLSessionCache shmcb:/run/httpd/sslcache(512000)
+SSLSessionCacheTimeout 300
+
+# Pseudo Random Number Generator (PRNG):
+# Configure one or more sources to seed the PRNG of the
+# SSL library. The seed data should be of good random quality.
+# WARNING! On some platforms /dev/random blocks if not enough entropy
+# is available. This means you then cannot use the /dev/random device
+# because it would lead to very long connection times (as long as
+# it requires to make more entropy available). But usually those
+# platforms additionally provide a /dev/urandom device which doesn't
+# block. So, if available, use this one instead. Read the mod_ssl User
+# Manual for more details.
+SSLRandomSeed startup file:/dev/urandom 256
+SSLRandomSeed connect builtin
+#SSLRandomSeed startup file:/dev/random 512
+#SSLRandomSeed connect file:/dev/random 512
+#SSLRandomSeed connect file:/dev/urandom 512
+
+#
+# Use "SSLCryptoDevice" to enable any supported hardware
+# accelerators. Use "openssl engine -v" to list supported
+# engine names. NOTE: If you enable an accelerator and the
+# server does not start, consult the error logs and ensure
+# your accelerator is functioning properly.
+#
+SSLCryptoDevice builtin
+#SSLCryptoDevice ubsec
diff --git a/roles/apache/handlers/main.yml b/roles/apache/handlers/main.yml
new file mode 100644
index 0000000..1280944
--- /dev/null
+++ b/roles/apache/handlers/main.yml
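Review bot: The global SSL context configures a session cache but no stapling cache, so a vhost cannot turn on `SSLUseStapling on` without first adding `SSLStaplingCache shmcb:/run/httpd/ssl_stapling(32768)` next to `SSLSessionCache` in this file. A short header comment would also help the next maintainer, since this file replaces the packaged `conf.d/ssl.conf` that the tasks stop including, and that is the only reason `Listen 443` lives here rather than in the distro file; something like `## Replaces the packaged conf.d/ssl.conf, which httpd.conf no longer includes; Listen 443 must therefore be declared here.` at the top. The remaining comment text is the distro original and can stay as is.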
@@ -0,0 +1,5 @@ +--- +- name: restart apache + service: + name: httpd + state: restarted
diff --git a/roles/apache/tasks/main.yml b/roles/apache/tasks/main.yml
new file mode 100644
index 0000000..d6dd03c
--- /dev/null
+++ b/roles/apache/tasks/main.yml
@@ -0,0 +1,67 @@ +--- +- name: install apache + package: + name: "{{ item }}" + state: installed + with_items: + - httpd + - mod_ssl + +- name: disable plain http and default included configs + lineinfile: + path: /etc/httpd/conf/httpd.conf + line: "#{{ item }}" + regexp: "^#?{{ item|replace('*', '\\*') }}" + with_items: + - "Listen 80" + - "IncludeOptional conf.d/*.conf" + notify: restart apache + +- name: include local configs + lineinfile: + path: /etc/httpd/conf/httpd.conf + line: "IncludeOptional conf.local.d/*.conf" + notify: restart apache + +- name: fix selinux contexts from data directory + sefcontext: + path: /srv/web(/.*)? + setype: httpd_sys_content_t + when: ansible_selinux_python_present == true +- name: create data and config directories + file: + state: directory + path: "{{ item }}" + mode: 0755 + owner: root + group: "{{ ansible_wheel }}" + seuser: _default + setype: _default + with_items: + - /srv/web + - "/srv/web/{{ inventory_hostname }}" + - "/etc/httpd/conf.local.d" + +- name: create ssl config + copy: + src: ssl.conf + dest: /etc/httpd/conf.local.d/ssl.conf + mode: 0644 + owner: root + group: "{{ ansible_wheel }}" + notify: restart apache + +- name: create site config + template: + src: site.conf.j2 + dest: "/etc/httpd/conf.local.d/{{ inventory_hostname }}.conf" + mode: 0644 + owner: root + group: "{{ ansible_wheel }}" + notify: restart apache + +- name: enable apache + service: + name: httpd + state: started + enabled: true
diff --git a/roles/apache/templates/site.conf.j2 b/roles/apache/templates/site.conf.j2
new file mode 100644
index 0000000..7771162
--- /dev/null
+++ b/roles/apache/templates/site.conf.j2
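Review bot: The regexp in the "disable plain http and default included configs" task, `^#?{{ item|replace('*', '\\*') }}`, is not anchored at the end, so a line such as `Listen 8080` or `Listen 80 http` also matches and lineinfile rewrites it to `#Listen 80`, silently replacing a different listener instead of commenting out the intended one; anchoring it as `regexp: "^#?{{ item|replace('*', '\\*') }}\\s*$"` restricts the match to the exact directive. `mode: 0755` and `mode: 0644` in the directory, copy and template tasks are unquoted octal literals, which Ansible's own documentation warns are fragile under YAML typing; `mode: "0755"` and `mode: "0644"` are the safe spelling. In the install task, `state: installed` is a legacy alias for `present`, and the two packages can be passed as a list to `name` rather than looped with `with_items`. The `sefcontext` task only records the policy for `/srv/web(/.*)?`; the directories created right after it are labelled via `setype: _default`, but content placed under `/srv/web` by other means later is not relabelled, which a comment on that task should state so nobody expects a `restorecon` to have happened.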
@@ -0,0 +1,15 @@ + + ServerName {{ inventory_hostname }} + DocumentRoot /srv/web/{{ inventory_hostname }} + + Protocols h2 http/1.1 + + SSLEngine on + SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 + SSLCipherSuite {{ tls_ciphers }} + SSLHonorCipherOrder off + SSLSessionTickets off + + SSLCertificateKeyFile {{ tls_private }}/{{ inventory_hostname }}.key + SSLCertificateFile {{ tls_certs }}/{{ inventory_hostname }}.crt +
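Review bot: Nothing in this vhost grants access to `DocumentRoot /srv/web/{{ inventory_hostname }}`; if the stock httpd.conf's default `<Directory />` deny is in effect (it only opens `/var/www`), every request to this site returns 403 unless a `<Directory>` block elsewhere grants it, and the diff adds none. A least-privilege block for the document root, shown below, belongs in the template. `tls_ciphers`, `tls_private` and `tls_certs` are referenced here but no defaults for them appear in this diff, so the template fails to render unless inventory defines them; a `defaults/main.yml` entry or a header comment listing the required variables would make that contract explicit. The `<VirtualHost *:443>` open and close lines appear to have been stripped from this rendering (the first and last added lines show as blank), so I assume they are present in the file.
```apacheconf
    DocumentRoot /srv/web/{{ inventory_hostname }}

    <Directory "/srv/web/{{ inventory_hostname }}">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
    # … unchanged: Protocols and SSL* directives …
```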