authorChristian Franke <nobody@nowhere.ws>2015-08-25 19:23:43 +0200
committerChristian Franke <nobody@nowhere.ws>2015-08-25 19:23:43 +0200
commitaf66612e6014bea48458125cda72d73c51bc3c20 (patch)
tree49cee76d579149a9fd800225303ee31be79cf3eb /roles/sublab_web
Initial commit
Diffstat (limited to 'roles/sublab_web')
-rw-r--r--roles/sublab_web/defaults/main.yaml2
-rw-r--r--roles/sublab_web/handlers/as_webuser.yaml5
-rw-r--r--roles/sublab_web/handlers/main.yaml5
-rw-r--r--roles/sublab_web/meta/main.yaml4
-rw-r--r--roles/sublab_web/tasks/as_webuser.yaml7
-rw-r--r--roles/sublab_web/tasks/main.yaml40
-rw-r--r--roles/sublab_web/templates/dump.conf.j27
-rw-r--r--roles/sublab_web/templates/server.conf.j273
-rw-r--r--roles/sublab_web/templates/ssl.conf.j220
-rw-r--r--roles/sublab_web/templates/subdap-plain.conf.j21
-rw-r--r--roles/sublab_web/templates/subdap-ssl.conf.j213
-rw-r--r--roles/sublab_web/templates/vhost.conf.j212
-rw-r--r--roles/sublab_web/templates/wiki.conf.j220
13 files changed, 209 insertions, 0 deletions
diff --git a/roles/sublab_web/defaults/main.yaml b/roles/sublab_web/defaults/main.yaml
new file mode 100644
index 0000000..367f47c
--- /dev/null
+++ b/roles/sublab_web/defaults/main.yaml
@@ -0,0 +1,2 @@
+---
+sublab_web_server_name: "sublab.org"
diff --git a/roles/sublab_web/handlers/as_webuser.yaml b/roles/sublab_web/handlers/as_webuser.yaml
new file mode 100644
index 0000000..53c6444
--- /dev/null
+++ b/roles/sublab_web/handlers/as_webuser.yaml
@@ -0,0 +1,5 @@
+---
+- name: Rebuild subweb website
+ shell: python template.py
+ args:
+ chdir: "/var/www/{{sublab_web_server_name}}/htdocs/scripts"
diff --git a/roles/sublab_web/handlers/main.yaml b/roles/sublab_web/handlers/main.yaml
new file mode 100644
index 0000000..1ea02c8
--- /dev/null
+++ b/roles/sublab_web/handlers/main.yaml
@@ -0,0 +1,5 @@
+---
+- include: as_webuser.yaml
+ become: yes
+ become_method: su
+ become_user: sublab_web
diff --git a/roles/sublab_web/meta/main.yaml b/roles/sublab_web/meta/main.yaml
new file mode 100644
index 0000000..f185875
--- /dev/null
+++ b/roles/sublab_web/meta/main.yaml
@@ -0,0 +1,4 @@
+---
+dependencies:
+ - role: apache
+ - role: subdap
diff --git a/roles/sublab_web/tasks/as_webuser.yaml b/roles/sublab_web/tasks/as_webuser.yaml
new file mode 100644
index 0000000..44c209a
--- /dev/null
+++ b/roles/sublab_web/tasks/as_webuser.yaml
@@ -0,0 +1,7 @@
+---
+- name: Clone sublab website
+ git:
+ dest="/var/www/{{sublab_web_server_name}}/htdocs"
+ repo=git://git.sublab.org/website
+ accept_hostkey=yes
+ notify: Rebuild subweb website
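Review bot: The clone in `repo=git://git.sublab.org/website` uses the git:// protocol, which provides neither server authentication nor integrity protection, and `accept_hostkey=yes` only applies to SSH remotes, so it has no effect here. The checkout is served by Apache and, through the notified handler, executed as `python template.py`, so anyone able to tamper with the transport controls code that runs as sublab_web. I would switch to an authenticated transport, for example `repo=https://git.sublab.org/website` if the server offers it, and pin `version=` to a branch or tag so a run deploys a known revision.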
diff --git a/roles/sublab_web/tasks/main.yaml b/roles/sublab_web/tasks/main.yaml
new file mode 100644
index 0000000..5e52a65
--- /dev/null
+++ b/roles/sublab_web/tasks/main.yaml
@@ -0,0 +1,40 @@
+---
+# Deploy sublab web config
+- name: Place vhost config
+ template:
+ dest=/etc/apache2/sites-enabled/000-default_subweb.conf
+ src=vhost.conf.j2
+ notify: Reload apache
+
+- name: Create config snippet dir
+ file:
+ name=/etc/apache2/sites/{{ sublab_web_server_name }}
+ recurse=yes
+ state=directory
+
+- name: Place config snippets
+ template:
+ dest=/etc/apache2/sites/{{ sublab_web_server_name }}/{{ item }}
+ src={{ item }}.j2
+ with_items:
+ - dump.conf
+ - server.conf
+ - ssl.conf
+ - subdap-plain.conf
+ - subdap-ssl.conf
+ - wiki.conf
+ notify: Reload apache
+
+- name: Create Website group
+ group: name=sublab_web
+
+- name: Create Website user
+ user:
+ name=sublab_web
+ group=sublab_web
+ home="/var/www/{{sublab_web_server_name}}"
+
+- include: as_webuser.yaml
+ become: yes
+ become_method: su
+ become_user: sublab_web
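Review bot: "Place config snippets" renders wiki.conf, which contains `AuthLDAPBindPassword`, without setting an owner or mode, so the file's permissions are left to the defaults on the managed host and may end up world-readable. Apache parses its configuration as root at startup, so adding `owner=root group=root mode=0600` to that template task should not break anything. ssl.conf.j2 also points at `ssl/chain.pem`, `ssl/cert.pem` and `ssl/key.pem` under the same directory, but no task visible in this role creates them or restricts the key's permissions; if that happens elsewhere, a comment here saying so would help.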
diff --git a/roles/sublab_web/templates/dump.conf.j2 b/roles/sublab_web/templates/dump.conf.j2
new file mode 100644
index 0000000..e0d74f6
--- /dev/null
+++ b/roles/sublab_web/templates/dump.conf.j2
@@ -0,0 +1,7 @@
+Alias /dump /var/www/{{ sublab_web_server_name }}/dump
+<Directory /var/www/{{ sublab_web_server_name }}/dump>
+ AllowOverride None
+ Order allow,deny
+ Allow from all
+ Options +FollowSymLinks
+</Directory>
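Review bot: `Order allow,deny` with `Allow from all` is the Apache 2.2 access syntax, while server.conf.j2 and subdap-ssl.conf.j2 in this same commit use `Require all granted`; on 2.4 the old form only works through mod_access_compat, and mixing the two styles is discouraged. I would write `Require all granted` here and in wiki.conf.j2, which has the same pair. Separately, `Options +FollowSymLinks` is merged into whatever options are inherited; if the dump directory is writable by anyone other than the admin (not visible here), `Options -Indexes +SymLinksIfOwnerMatch` limits what a planted symlink or an automatic listing can expose.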
diff --git a/roles/sublab_web/templates/server.conf.j2 b/roles/sublab_web/templates/server.conf.j2
new file mode 100644
index 0000000..aee5ab4
--- /dev/null
+++ b/roles/sublab_web/templates/server.conf.j2
@@ -0,0 +1,73 @@
+ServerAdmin nobody@nowhere.ws
+ServerName {{ sublab_web_server_name }}
+ServerAlias www.{{ sublab_web_server_name }}
+
+DocumentRoot /var/www/{{ sublab_web_server_name }}/htdocs/public
+
+<Directory /var/www/{{ sublab_web_server_name }}/htdocs/public>
+ AllowOverride None
+ Require all granted
+</Directory>
+
+RewriteEngine On
+
+RewriteRule ^/lounge/?$ /sublounge [R=302]
+RewriteRule ^/phantomspeisung/?$ /vokue [R=301]
+RewriteRule ^/vokue/?$ /wiki/Phantomspeisung/ [R=301]
+
+RewriteRule ^/cryptocon14(/?|.*)$ https://cryptocon.org/14$1 [R=301,last]
+RewriteRule ^/cryptocon15(/?|.*)$ https://cryptocon.org/15$1 [R=301,last]
+
+# Allow the drop of .html
+RewriteRule ^/([^/\.]+)$ /$1.html
+
+# RewriteLog /tmp/rewrite-log
+# RewriteLogLevel 9
+
+ErrorDocument 401 /401.html
+ErrorDocument 404 /404.html
+
+<Location /server-status>
+ SetHandler server-status
+ Require ip 127.0.0.1
+</Location>
+<Location /server-info>
+ SetHandler server-info
+ Require ip 127.0.0.1
+</Location>
+Redirect 301 /sublab_status.json /status.json
+<Location /sublab_status.json>
+ Header set Access-Control-Allow-Origin *
+ Header set Cache-Control no-cache
+</Location>
+<Location /status.json>
+ Header set Access-Control-Allow-Origin *
+ Header set Cache-Control no-cache
+</Location>
+<Location /css/nautilus.status.css>
+ Header set Cache-Control no-cache
+</Location>
+<Location /css/sublab.status.css>
+ Header set Cache-Control no-cache
+</Location>
+<Location /css/trieste.status.css>
+ Header set Cache-Control no-cache
+</Location>
+<Location /css/taifun.status.css>
+ Header set Cache-Control no-cache
+</Location>
+<Location /api/status>
+ Header set Cache-Control no-cache
+</Location>
+<Location /img/thumb.tempgraph.png>
+ Header set Cache-Control no-cache
+</Location>
+<Location /img/thumb.street.webcam.jpg>
+ Header set Cache-Control no-cache
+</Location>
+<Location /img/street.webcam.jpg>
+ Header set Cache-Control no-cache
+</Location>
+<Location /img/tempgraph.png>
+ Header set Cache-Control no-cache
+</Location>
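Review bot: In the `<Location /sublab_status.json>` block the `Header set` lines most likely never reach a client, because that path is answered by the `Redirect 301` just above it and plain `Header set` is not applied to locally generated non-2xx responses. A cross-origin fetch of the old URL would then fail its CORS check on the redirect. Use `Header always set Access-Control-Allow-Origin *` in that block. The eleven near-identical `Cache-Control no-cache` blocks could also be collapsed into one `<LocationMatch>` with a short comment listing what is covered, which would make later additions less error-prone.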
diff --git a/roles/sublab_web/templates/ssl.conf.j2 b/roles/sublab_web/templates/ssl.conf.j2
new file mode 100644
index 0000000..5d02eed
--- /dev/null
+++ b/roles/sublab_web/templates/ssl.conf.j2
@@ -0,0 +1,20 @@
+SSLEngine On
+
+SSLCertificateChainFile /etc/apache2/sites/{{ sublab_web_server_name }}/ssl/chain.pem
+SSLCertificateFile /etc/apache2/sites/{{ sublab_web_server_name }}/ssl/cert.pem
+SSLCertificateKeyFile /etc/apache2/sites/{{ sublab_web_server_name }}/ssl/key.pem
+
+SSLEngine On
+SSLHonorCipherOrder on
+SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1 -SSLv3 -SSLv2
+SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
+SSLCompression off
+
+#Header always set Strict-Transport-Security "max-age=15984000"
+
+SSLOptions StdEnvVars
+
+BrowserMatch "MSIE [2-6]" \
+ nokeepalive ssl-unclean-shutdown \
+ downgrade-1.0 force-response-1.0
+BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
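Review bot: `SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1 -SSLv3 -SSLv2` keeps TLS 1.0 and 1.1 enabled, and because every token is a `+`/`-` modifier the effective set also depends on what is inherited from the global configuration. Both versions are deprecated; `SSLProtocol -all +TLSv1.2` states the intent explicitly, and the CBC/SHA1 suites at the tail of `SSLCipherSuite` can go with them. `SSLEngine On` appears twice and one copy can be dropped. The commented-out `Strict-Transport-Security` header deserves a note on why it is disabled, since the port 80 vhost in vhost.conf.j2 serves the site without redirecting to HTTPS.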
diff --git a/roles/sublab_web/templates/subdap-plain.conf.j2 b/roles/sublab_web/templates/subdap-plain.conf.j2
new file mode 100644
index 0000000..c79370d
--- /dev/null
+++ b/roles/sublab_web/templates/subdap-plain.conf.j2
@@ -0,0 +1 @@
+RedirectMatch permanent ^/(subdap(/?|/.*))$ https://{{ sublab_web_server_name }}/$1
diff --git a/roles/sublab_web/templates/subdap-ssl.conf.j2 b/roles/sublab_web/templates/subdap-ssl.conf.j2
new file mode 100644
index 0000000..bec8c54
--- /dev/null
+++ b/roles/sublab_web/templates/subdap-ssl.conf.j2
@@ -0,0 +1,13 @@
+<Location "/subdap/">
+ ProxyPass "http://127.0.0.1:8001/"
+</Location>
+<Location "/subdap/static">
+ ProxyPass "!"
+</Location>
+
+Alias /subdap/static /var/subdap/src/static
+<Directory /var/subdap/src/static>
+ Options -Indexes -ExecCGI
+ AllowOverride None
+ Require all granted
+</Directory>
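Review bot: The `<Location "/subdap/">` block has `ProxyPass` but no matching `ProxyPassReverse`, so any absolute redirect issued by the backend would reach clients with `http://127.0.0.1:8001/` in its `Location` header. Whether the application emits such redirects is not visible here, but adding `ProxyPassReverse "http://127.0.0.1:8001/"` inside the same block is cheap. Note also that a request for `/subdap` without the trailing slash does not match this Location and falls through to the document root.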
diff --git a/roles/sublab_web/templates/vhost.conf.j2 b/roles/sublab_web/templates/vhost.conf.j2
new file mode 100644
index 0000000..6c3851d
--- /dev/null
+++ b/roles/sublab_web/templates/vhost.conf.j2
@@ -0,0 +1,12 @@
+<VirtualHost *:80>
+ Include sites/{{ sublab_web_server_name }}/subdap-plain.conf
+ Include sites/{{ sublab_web_server_name }}/server.conf
+ Include sites/{{ sublab_web_server_name }}/wiki.conf
+ Include sites/{{ sublab_web_server_name }}/dump.conf
+</VirtualHost>
+<VirtualHost *:443>
+ Include sites/{{ sublab_web_server_name }}/ssl.conf
+ Include sites/{{ sublab_web_server_name }}/subdap-ssl.conf
+ Include sites/{{ sublab_web_server_name }}/server.conf
+ Include sites/{{ sublab_web_server_name }}/wiki.conf
+</VirtualHost>
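Review bot: The `*:80` vhost includes wiki.conf, whose `/wiki/auth` directory uses `AuthType basic` against LDAP, so member passwords can be submitted over plain HTTP. subdap is already forced to HTTPS by subdap-plain.conf, but nothing equivalent covers the wiki login. I would add a redirect to the port 80 vhost, for example `RedirectMatch permanent ^/(wiki/auth(/?|/.*))$ https://{{ sublab_web_server_name }}/$1`, or keep the auth block in an SSL-only snippet. dump.conf is included only on port 80; if that is intentional, a comment would make it clear.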
diff --git a/roles/sublab_web/templates/wiki.conf.j2 b/roles/sublab_web/templates/wiki.conf.j2
new file mode 100644
index 0000000..90a2f1d
--- /dev/null
+++ b/roles/sublab_web/templates/wiki.conf.j2
@@ -0,0 +1,20 @@
+Alias /wiki/ /home/wiki-{{ sublab_web_server_name }}/wiki-html/
+<Directory /home/wiki-{{ sublab_web_server_name }}/wiki-html>
+ AllowOverride None
+ Order allow,deny
+ allow from all
+ AddHandler cgi-script .cgi
+ Options +ExecCGI
+</Directory>
+<Directory /home/wiki-{{ sublab_web_server_name }}/wiki-html/auth>
+ AuthType basic
+ AuthBasicProvider ldap
+ AuthName "LDAP Login"
+ AuthLDAPBindDN "cn=apache-{{ ansible_nodename }},ou=service,dc=sublab,dc=org"
+ AuthLDAPBindPassword "{{ ldap_credentials["apache-" + ansible_nodename] }}"
+ AuthLDAPURL "{{ ldap_url }}/ou=people,dc=sublab,dc=org"
+ # AuthzLDAPAuthoritative on
+ # Require ldap-group cn=members,ou=groups,dc=sublab,dc=org
+ Require valid-user
+</Directory>
+LDAPTrustedMode TLS
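Review bot: `AddHandler cgi-script .cgi` together with `Options +ExecCGI` on the whole `wiki-html` tree makes every file there with `.cgi` anywhere in its name executable, and `AddHandler` also matches multi-extension names such as `x.cgi.txt`. If the wiki can write attachments or generated pages into this directory (not visible here), that turns a file write into code execution. Scoping the handler is safer, for example `<FilesMatch "\.cgi$">` containing `SetHandler cgi-script`, or a `<Files>` block naming only the wiki's own CGI. With the `Require ldap-group` line commented out, `Require valid-user` admits any entry under `ou=people`; a comment on whether that is intended would help.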