apache: Initial version of module
This commit is contained in:
parent
677db41af0
commit
480822619d
5 changed files with 134 additions and 0 deletions
|
|
@ -11,3 +11,4 @@
|
||||||
|
|
||||||
roles:
|
roles:
|
||||||
- base
|
- base
|
||||||
|
- apache
|
||||||
|
|
|
||||||
46
roles/apache/files/ssl.conf
Normal file
46
roles/apache/files/ssl.conf
Normal file
|
|
@ -0,0 +1,46 @@
|
||||||
|
##
|
||||||
|
## SSL Global Context
|
||||||
|
##
|
||||||
|
## All SSL configuration in this context applies both to
|
||||||
|
## the main server and all SSL-enabled virtual hosts.
|
||||||
|
##
|
||||||
|
|
||||||
|
Listen 443
|
||||||
|
|
||||||
|
# Pass Phrase Dialog:
|
||||||
|
# Configure the pass phrase gathering process.
|
||||||
|
# The filtering dialog program (`builtin' is a internal
|
||||||
|
# terminal dialog) has to provide the pass phrase on stdout.
|
||||||
|
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
|
||||||
|
|
||||||
|
# Inter-Process Session Cache:
|
||||||
|
# Configure the SSL Session Cache: First the mechanism
|
||||||
|
# to use and second the expiring timeout (in seconds).
|
||||||
|
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
|
||||||
|
SSLSessionCacheTimeout 300
|
||||||
|
|
||||||
|
# Pseudo Random Number Generator (PRNG):
|
||||||
|
# Configure one or more sources to seed the PRNG of the
|
||||||
|
# SSL library. The seed data should be of good random quality.
|
||||||
|
# WARNING! On some platforms /dev/random blocks if not enough entropy
|
||||||
|
# is available. This means you then cannot use the /dev/random device
|
||||||
|
# because it would lead to very long connection times (as long as
|
||||||
|
# it requires to make more entropy available). But usually those
|
||||||
|
# platforms additionally provide a /dev/urandom device which doesn't
|
||||||
|
# block. So, if available, use this one instead. Read the mod_ssl User
|
||||||
|
# Manual for more details.
|
||||||
|
SSLRandomSeed startup file:/dev/urandom 256
|
||||||
|
SSLRandomSeed connect builtin
|
||||||
|
#SSLRandomSeed startup file:/dev/random 512
|
||||||
|
#SSLRandomSeed connect file:/dev/random 512
|
||||||
|
#SSLRandomSeed connect file:/dev/urandom 512
|
||||||
|
|
||||||
|
#
|
||||||
|
# Use "SSLCryptoDevice" to enable any supported hardware
|
||||||
|
# accelerators. Use "openssl engine -v" to list supported
|
||||||
|
# engine names. NOTE: If you enable an accelerator and the
|
||||||
|
# server does not start, consult the error logs and ensure
|
||||||
|
# your accelerator is functioning properly.
|
||||||
|
#
|
||||||
|
SSLCryptoDevice builtin
|
||||||
|
#SSLCryptoDevice ubsec
|
||||||
5
roles/apache/handlers/main.yml
Normal file
5
roles/apache/handlers/main.yml
Normal file
|
|
@ -0,0 +1,5 @@
|
||||||
|
---
|
||||||
|
- name: restart apache
|
||||||
|
service:
|
||||||
|
name: httpd
|
||||||
|
state: restarted
|
||||||
67
roles/apache/tasks/main.yml
Normal file
67
roles/apache/tasks/main.yml
Normal file
|
|
@ -0,0 +1,67 @@
|
||||||
|
---
|
||||||
|
- name: install apache
|
||||||
|
package:
|
||||||
|
name: "{{ item }}"
|
||||||
|
state: installed
|
||||||
|
with_items:
|
||||||
|
- httpd
|
||||||
|
- mod_ssl
|
||||||
|
|
||||||
|
- name: disable plain http and default included configs
|
||||||
|
lineinfile:
|
||||||
|
path: /etc/httpd/conf/httpd.conf
|
||||||
|
line: "#{{ item }}"
|
||||||
|
regexp: "^#?{{ item|replace('*', '\\*') }}"
|
||||||
|
with_items:
|
||||||
|
- "Listen 80"
|
||||||
|
- "IncludeOptional conf.d/*.conf"
|
||||||
|
notify: restart apache
|
||||||
|
|
||||||
|
- name: include local configs
|
||||||
|
lineinfile:
|
||||||
|
path: /etc/httpd/conf/httpd.conf
|
||||||
|
line: "IncludeOptional conf.local.d/*.conf"
|
||||||
|
notify: restart apache
|
||||||
|
|
||||||
|
- name: fix selinux contexts from data directory
|
||||||
|
sefcontext:
|
||||||
|
path: /srv/web(/.*)?
|
||||||
|
setype: httpd_sys_content_t
|
||||||
|
when: ansible_selinux_python_present == true
|
||||||
|
- name: create data and config directories
|
||||||
|
file:
|
||||||
|
state: directory
|
||||||
|
path: "{{ item }}"
|
||||||
|
mode: 0755
|
||||||
|
owner: root
|
||||||
|
group: "{{ ansible_wheel }}"
|
||||||
|
seuser: _default
|
||||||
|
setype: _default
|
||||||
|
with_items:
|
||||||
|
- /srv/web
|
||||||
|
- "/srv/web/{{ inventory_hostname }}"
|
||||||
|
- "/etc/httpd/conf.local.d"
|
||||||
|
|
||||||
|
- name: create ssl config
|
||||||
|
copy:
|
||||||
|
src: ssl.conf
|
||||||
|
dest: /etc/httpd/conf.local.d/ssl.conf
|
||||||
|
mode: 0644
|
||||||
|
owner: root
|
||||||
|
group: "{{ ansible_wheel }}"
|
||||||
|
notify: restart apache
|
||||||
|
|
||||||
|
- name: create site config
|
||||||
|
template:
|
||||||
|
src: site.conf.j2
|
||||||
|
dest: "/etc/httpd/conf.local.d/{{ inventory_hostname }}.conf"
|
||||||
|
mode: 0644
|
||||||
|
owner: root
|
||||||
|
group: "{{ ansible_wheel }}"
|
||||||
|
notify: restart apache
|
||||||
|
|
||||||
|
- name: enable apache
|
||||||
|
service:
|
||||||
|
name: httpd
|
||||||
|
state: started
|
||||||
|
enabled: true
|
||||||
15
roles/apache/templates/site.conf.j2
Normal file
15
roles/apache/templates/site.conf.j2
Normal file
|
|
@ -0,0 +1,15 @@
|
||||||
|
<VirtualHost *:443>
|
||||||
|
ServerName {{ inventory_hostname }}
|
||||||
|
DocumentRoot /srv/web/{{ inventory_hostname }}
|
||||||
|
|
||||||
|
Protocols h2 http/1.1
|
||||||
|
|
||||||
|
SSLEngine on
|
||||||
|
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
|
||||||
|
SSLCipherSuite {{ tls_ciphers }}
|
||||||
|
SSLHonorCipherOrder off
|
||||||
|
SSLSessionTickets off
|
||||||
|
|
||||||
|
SSLCertificateKeyFile {{ tls_private }}/{{ inventory_hostname }}.key
|
||||||
|
SSLCertificateFile {{ tls_certs }}/{{ inventory_hostname }}.crt
|
||||||
|
</VirtualHost>
|
||||||
Loading…
Add table
Reference in a new issue