From af66612e6014bea48458125cda72d73c51bc3c20 Mon Sep 17 00:00:00 2001 
From: Christian Franke Date: Tue, 25 Aug 2015 19:23:43 +0200 Subject: Initial commit --- deploy_staging.sh | 2 + roles/apache/handlers/main.yaml | 3 + roles/apache/tasks/main.yaml | 34 ++++++++++++ roles/common/files/authorized_keys | 2 + roles/common/handlers/main.yaml | 6 ++ roles/common/tasks/main.yaml | 22 ++++++++ roles/kerberos/meta/main.yaml | 3 + roles/kerberos/tasks/main.yaml | 9 +++ roles/kerberos/templates/krb5_prop_xinetd.j2 | 11 ++++ roles/subdap/defaults/main.yaml | 12 ++++ roles/subdap/handlers/main.yaml | 5 ++ roles/subdap/meta/main.yaml | 3 + roles/subdap/tasks/as_subdap.yaml | 23 ++++++++ roles/subdap/tasks/main.yaml | 34 ++++++++++++ roles/subdap/templates/accountservice.py.j2 | 4 ++ roles/subdap/templates/subdap.service.j2 | 24 ++++++++ roles/sublab_web/defaults/main.yaml | 2 + roles/sublab_web/handlers/as_webuser.yaml | 5 ++ roles/sublab_web/handlers/main.yaml | 5 ++ roles/sublab_web/meta/main.yaml | 4 ++ roles/sublab_web/tasks/as_webuser.yaml | 7 +++ roles/sublab_web/tasks/main.yaml | 40 ++++++++++++++ roles/sublab_web/templates/dump.conf.j2 | 7 +++ roles/sublab_web/templates/server.conf.j2 | 73 +++++++++++++++++++++++++ roles/sublab_web/templates/ssl.conf.j2 | 20 +++++++ roles/sublab_web/templates/subdap-plain.conf.j2 | 1 + roles/sublab_web/templates/subdap-ssl.conf.j2 | 13 +++++ roles/sublab_web/templates/vhost.conf.j2 | 12 ++++ roles/sublab_web/templates/wiki.conf.j2 | 20 +++++++ roles/xinetd/handlers/main.yaml | 3 + roles/xinetd/tasks/main.yaml | 3 + site.yml | 14 +++++ staging | 1 + vars/encrypted.yaml | 8 +++ vars/ldap.yaml | 1 + 35 files changed, 436 insertions(+) create mode 100755 deploy_staging.sh create mode 100644 roles/apache/handlers/main.yaml create mode 100644 roles/apache/tasks/main.yaml create mode 100644 roles/common/files/authorized_keys create mode 100644 roles/common/handlers/main.yaml create mode 100644 roles/common/tasks/main.yaml create mode 100644 roles/kerberos/meta/main.yaml create mode 100644 
roles/kerberos/tasks/main.yaml create mode 100644 roles/kerberos/templates/krb5_prop_xinetd.j2 create mode 100644 roles/subdap/defaults/main.yaml create mode 100644 roles/subdap/handlers/main.yaml create mode 100644 roles/subdap/meta/main.yaml create mode 100644 roles/subdap/tasks/as_subdap.yaml create mode 100644 roles/subdap/tasks/main.yaml create mode 100644 roles/subdap/templates/accountservice.py.j2 create mode 100644 roles/subdap/templates/subdap.service.j2 create mode 100644 roles/sublab_web/defaults/main.yaml create mode 100644 roles/sublab_web/handlers/as_webuser.yaml create mode 100644 roles/sublab_web/handlers/main.yaml create mode 100644 roles/sublab_web/meta/main.yaml create mode 100644 roles/sublab_web/tasks/as_webuser.yaml create mode 100644 roles/sublab_web/tasks/main.yaml create mode 100644 roles/sublab_web/templates/dump.conf.j2 create mode 100644 roles/sublab_web/templates/server.conf.j2 create mode 100644 roles/sublab_web/templates/ssl.conf.j2 create mode 100644 roles/sublab_web/templates/subdap-plain.conf.j2 create mode 100644 roles/sublab_web/templates/subdap-ssl.conf.j2 create mode 100644 roles/sublab_web/templates/vhost.conf.j2 create mode 100644 roles/sublab_web/templates/wiki.conf.j2 create mode 100644 roles/xinetd/handlers/main.yaml create mode 100644 roles/xinetd/tasks/main.yaml create mode 100644 site.yml create mode 100644 staging create mode 100644 vars/encrypted.yaml create mode 100644 vars/ldap.yaml
diff --git a/deploy_staging.sh b/deploy_staging.sh
new file mode 100755
index 0000000..93337ef
--- /dev/null
+++ b/deploy_staging.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+python2 $(which ansible-playbook) -i staging --vault-password-file=~/.vault-pass.txt "$@" site.yml
diff --git a/roles/apache/handlers/main.yaml b/roles/apache/handlers/main.yaml
new file mode 100644
index 0000000..ca5b41d
--- /dev/null
+++ b/roles/apache/handlers/main.yaml
@@ -0,0 +1,3 @@
+---
+- name: Reload apache
+ service: name=apache2 state=reloaded
diff --git a/roles/apache/tasks/main.yaml b/roles/apache/tasks/main.yaml
new file mode 100644
index 0000000..0125a08
--- /dev/null
+++ b/roles/apache/tasks/main.yaml
@@ -0,0 +1,34 @@
+---
+# Setup apache
+- name: Install apache
+ apt: name={{ item }} state=present
+ with_items:
+ - apache2
+ - apache2-mpm-event
+
+- name: Enable Apache Modules
+ apache2_module: name={{ item }} state=present
+ with_items:
+ - authnz_ldap
+ - authz_groupfile
+ - cgid
+ - headers
+ - info
+ - proxy
+ - proxy_http
+ - reqtimeout
+ - rewrite
+ - ssl
+ notify: Reload apache
+
+- name: Disable standard vhost
+ file:
+ name=/etc/apache2/sites-enabled/000-default.conf
+ state=absent
+ notify: Reload apache
+
+- name: Configure OCSP Stapling cache
+ lineinfile:
+ dest=/etc/apache2/mods-enabled/ssl.conf
+ line="SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ocsp_scache(128000)"
+ notify: Reload apache
diff --git a/roles/common/files/authorized_keys b/roles/common/files/authorized_keys
new file mode 100644
index 0000000..d5e26d8
--- /dev/null
+++ b/roles/common/files/authorized_keys
@@ -0,0 +1,2 @@
+ssh-rsa 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 nihilus@home
+ssh-rsa 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 nihilus@mobile
diff --git a/roles/common/handlers/main.yaml b/roles/common/handlers/main.yaml
new file mode 100644
index 0000000..c5d467a
--- /dev/null
+++ b/roles/common/handlers/main.yaml
@@ -0,0 +1,6 @@
+---
+- name: restart ssh
+ service: name=ssh state=restarted
+
+- name: Reload systemd daemons
+ shell: systemctl daemon-reload
diff --git a/roles/common/tasks/main.yaml b/roles/common/tasks/main.yaml
new file mode 100644
index 0000000..3bcffb7
--- /dev/null
+++ b/roles/common/tasks/main.yaml
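Review bot: The `SSLStaplingCache` line added by the `Configure OCSP Stapling cache` task configures a cache that nothing uses, because neither this role nor `roles/sublab_web/templates/ssl.conf.j2` ever sets `SSLUseStapling on`, and mod_ssl defaults it to off. Either add `SSLUseStapling on` next to `SSLCompression off` in `ssl.conf.j2` or drop the cache task, so the configuration says what it does. Since the task writes into the package-managed `mods-enabled/ssl.conf` rather than a separate snippet, a comment on the task such as `# Cache for OCSP stapling; only effective once a vhost sets SSLUseStapling on` would also help the next reader.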
@@ -0,0 +1,22 @@
+---
+# General setup for my hosts
+- name: Install common packages
+ apt: name={{ item }} state=present
+ with_items:
+ - htop
+ - mtr
+ - ntp
+ - strace
+ - tcpdump
+ - vim
+
+- name: Setup SSH access
+ authorized_key: user=root
+ exclusive=yes
+ key="{{ lookup('file', 'authorized_keys') }}"
+
+- name: Require Key for Login
+ lineinfile: dest=/etc/ssh/sshd_config
+ regexp=PasswordAuthentication
+ line="PasswordAuthentication no"
+ notify: restart ssh
diff --git a/roles/kerberos/meta/main.yaml b/roles/kerberos/meta/main.yaml
new file mode 100644
index 0000000..98bb83d
--- /dev/null
+++ b/roles/kerberos/meta/main.yaml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - { role: xinetd }
diff --git a/roles/kerberos/tasks/main.yaml b/roles/kerberos/tasks/main.yaml
new file mode 100644
index 0000000..3bf3105
--- /dev/null
+++ b/roles/kerberos/tasks/main.yaml
@@ -0,0 +1,9 @@
+---
+# Setup kerberos
+- name: Install MIT Kerberos
+ apt: name=krb5-kdc state=present
+
+# Configure kerberos krb5_prop xinetd
+- name: Configure xinetd for krb5_prop
+ template: dest=/etc/xinetd.d/krb5_prop src=krb5_prop_xinetd.j2
+ notify: Restart xinetd
diff --git a/roles/kerberos/templates/krb5_prop_xinetd.j2 b/roles/kerberos/templates/krb5_prop_xinetd.j2
new file mode 100644
index 0000000..b614046
--- /dev/null
+++ b/roles/kerberos/templates/krb5_prop_xinetd.j2
@@ -0,0 +1,11 @@
+# {{ ansible_managed }}
+service krb5_prop
+{
+ id = krb5_prop
+ socket_type = stream
+ protocol = tcp
+ user = root
+ wait = no
+ bind = {{ ansible_default_ipv6.address }}
+ server = /usr/sbin/kpropd
+}
diff --git a/roles/subdap/defaults/main.yaml b/roles/subdap/defaults/main.yaml
new file mode 100644
index 0000000..828e81c
--- /dev/null
+++ b/roles/subdap/defaults/main.yaml
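Review bot: The `Require Key for Login` task edits `sshd_config` without `validate`, so a malformed result is written and `restart ssh` then runs against it, on a host whose only access path is that daemon. The regexp is also unanchored: `PasswordAuthentication` matches the commented distribution default (intended) but equally a directive inside a later `Match` block, and lineinfile rewrites only the last match. Prefer `regexp='^#?PasswordAuthentication' validate='/usr/sbin/sshd -t -f %s'`. This task disables password logins but leaves `ChallengeResponseAuthentication` and `PermitRootLogin` at distribution defaults, which on some releases still allow a password via keyboard-interactive for the root account that `staging` logs in as; a second lineinfile for each, or a comment stating why they are left alone, would close that gap.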
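Review bot: The `bind = {{ ansible_default_ipv6.address }}` line exposes kpropd on the host's routable IPv6 address with no xinetd `only_from` restriction, so every peer on the network can reach the propagation port and the only gate left is kpropd's own Kerberos and ACL check. Unless the replica set is genuinely unknown, add an `only_from = ` line listing the replica KDC addresses, or a comment recording why the service is meant to be reachable from anywhere. The template also fails to render on a host without a default IPv6 route, since `ansible_default_ipv6` is then empty; `{{ ansible_default_ipv6.address | default(ansible_default_ipv4.address) }}` or an explicit role variable would make that choice visible. Nothing in this commit installs a `kpropd.acl`, which kpropd needs before it accepts a propagation; presumably it is placed out of band.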
@@ -0,0 +1,12 @@
+$ANSIBLE_VAULT;1.1;AES256
+62323037313838613830313931326130393539323938383666373962343732336439653966313737
+6133313937316365626561396430626531653134613263660a333036313661653265633732323162
+33613362343163396232336365643133333961313638303038616130363166323834633933306234
+6633326634643636620a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
diff --git a/roles/subdap/handlers/main.yaml b/roles/subdap/handlers/main.yaml
new file mode 100644
index 0000000..7e7eb38
--- /dev/null
+++ b/roles/subdap/handlers/main.yaml
@@ -0,0 +1,5 @@
+---
+- name: Restart subdap
+ service:
+ name: subdap
+ state: restarted
diff --git a/roles/subdap/meta/main.yaml b/roles/subdap/meta/main.yaml
new file mode 100644
index 0000000..fdda41b
--- /dev/null
+++ b/roles/subdap/meta/main.yaml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - role: common
diff --git a/roles/subdap/tasks/as_subdap.yaml b/roles/subdap/tasks/as_subdap.yaml
new file mode 100644
index 0000000..f0b9073
--- /dev/null
+++ b/roles/subdap/tasks/as_subdap.yaml
@@ -0,0 +1,23 @@
+---
+- name: Clone subdap code
+ git:
+ dest=/var/subdap/src
+ repo=git://git.sublab.org/subdap
+ accept_hostkey=yes
+
+- name: Setup virtualenv for subdap
+ pip:
+ name={{ item }}
+ virtualenv=/var/subdap/venv
+ virtualenv_site_packages=yes
+ with_items:
+ - cherrypy
+ - egenix-mx-base
+ - genshi
+ - gunicorn
+
+- name: Create accountservice.py
+ template:
+ dest=/var/subdap/src/accountservice.py
+ src=accountservice.py.j2
+ mode=0600
diff --git a/roles/subdap/tasks/main.yaml b/roles/subdap/tasks/main.yaml
new file mode 100644
index 0000000..6375e6e
--- /dev/null
+++ b/roles/subdap/tasks/main.yaml
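Review bot: The `Clone subdap code` task fetches the application that `subdap.service.j2` later runs over the unauthenticated `git://` protocol with no `version` pin, so whatever the network hands back at deploy time becomes the service's code; `accept_hostkey=yes` has no effect on a `git://` URL and suggests an ssh URL was intended. Use an authenticated transport (ssh or https) and pin `version:` to a tag or commit so a deploy is reproducible and reviewable; the same applies to the `Clone sublab website` task in `roles/sublab_web/tasks/as_webuser.yaml`, whose checkout is then executed by the `Rebuild subweb website` handler. The `pip` task has the same shape, four unpinned package names resolved from the index at deploy time; a `version` per item or a `requirements` file would pin them.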
@@ -0,0 +1,34 @@
+---
+- apt: name={{ item }} state=present
+ with_items:
+ - git
+ - python-ldap
+ - python-lxml
+ - python-m2crypto
+ - virtualenv
+
+- name: Create subdap group
+ group: name=subdap
+
+- name: Create subdap user
+ user: name=subdap group=subdap home=/var/subdap
+
+- include: as_subdap.yaml
+ become: yes
+ become_method: su
+ become_user: subdap
+ notify:
+ - Restart subdap
+
+- name: Create systemd service
+ template:
+ src=subdap.service.j2
+ dest=/etc/systemd/system/subdap.service
+ notify:
+ - Reload systemd daemons
+ - Restart subdap
+
+- name: Enable systemd service
+ service:
+ name: subdap
+ enabled: yes
diff --git a/roles/subdap/templates/accountservice.py.j2 b/roles/subdap/templates/accountservice.py.j2
new file mode 100644
index 0000000..2f6e8f1
--- /dev/null
+++ b/roles/subdap/templates/accountservice.py.j2
@@ -0,0 +1,4 @@
+import xmlrpclib
+
+url = '{{ subdap_accountservice_url }}'
+accountservice = xmlrpclib.ServerProxy(url)
diff --git a/roles/subdap/templates/subdap.service.j2 b/roles/subdap/templates/subdap.service.j2
new file mode 100644
index 0000000..068570d
--- /dev/null
+++ b/roles/subdap/templates/subdap.service.j2
@@ -0,0 +1,24 @@
+[Unit]
+Description=subdap ldap frontend application server
+After=network.target
+
+[Service]
+PIDFile=/var/subdap/gunicorn.pid
+User=subdap
+Group=subdap
+WorkingDirectory=/var/subdap/src
+Environment=VIRTUAL_ENV="/var/subdap/venv"
+Environment=PATH="$VIRTUAL_ENV/bin:$PATH"
+ExecStart=/var/subdap/venv/bin/gunicorn \
+ --pid /var/subdap/gunicorn.pid \
+ --log-syslog \
+ --max-requests 1000 \
+ -w 10 -t 120 \
+ -b 127.0.0.1:8001 \
+ index
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStop=/bin/kill -TERM $MAINPID
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/sublab_web/defaults/main.yaml b/roles/sublab_web/defaults/main.yaml
new file mode 100644
index 0000000..367f47c
--- /dev/null
+++ b/roles/sublab_web/defaults/main.yaml
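Review bot: `xmlrpclib.ServerProxy(url)` is handed a URL from the vault-encrypted role defaults with nothing in the template saying what transport it must use; if the value is `http://`, every account-service call crosses the network in clear, and on Python 2 older than 2.7.9 an `https://` value is not certificate-verified either. A comment above the `url` line, `# subdap_accountservice_url must be https://; Python 2 < 2.7.9 does not verify the server certificate`, records the requirement, and `assert url.startswith('https://')` after it would enforce it at import time. Which value the vault actually holds cannot be seen here.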
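Review bot: `Environment=PATH="$VIRTUAL_ENV/bin:$PATH"` does not do what it looks like: systemd performs no variable expansion inside `Environment=` values (references are expanded only in the `Exec*=` lines, as `$MAINPID` is here), so gunicorn and every process it spawns receive the literal string `$VIRTUAL_ENV/bin:$PATH` as PATH. Write the value out, `Environment=PATH=/var/subdap/venv/bin:/usr/local/bin:/usr/bin:/bin`. For a network-facing service running as its own user, `PrivateTmp=true` and `NoNewPrivileges=true` in `[Service]` are cheap additional limits on what a compromised worker can reach.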
@@ -0,0 +1,2 @@
+---
+sublab_web_server_name: "sublab.org"
diff --git a/roles/sublab_web/handlers/as_webuser.yaml b/roles/sublab_web/handlers/as_webuser.yaml
new file mode 100644
index 0000000..53c6444
--- /dev/null
+++ b/roles/sublab_web/handlers/as_webuser.yaml
@@ -0,0 +1,5 @@
+---
+- name: Rebuild subweb website
+ shell: python template.py
+ args:
+ chdir: "/var/www/{{sublab_web_server_name}}/htdocs/scripts"
diff --git a/roles/sublab_web/handlers/main.yaml b/roles/sublab_web/handlers/main.yaml
new file mode 100644
index 0000000..1ea02c8
--- /dev/null
+++ b/roles/sublab_web/handlers/main.yaml
@@ -0,0 +1,5 @@
+---
+- include: as_webuser.yaml
+ become: yes
+ become_method: su
+ become_user: sublab_web
diff --git a/roles/sublab_web/meta/main.yaml b/roles/sublab_web/meta/main.yaml
new file mode 100644
index 0000000..f185875
--- /dev/null
+++ b/roles/sublab_web/meta/main.yaml
@@ -0,0 +1,4 @@
+---
+dependencies:
+ - role: apache
+ - role: subdap
diff --git a/roles/sublab_web/tasks/as_webuser.yaml b/roles/sublab_web/tasks/as_webuser.yaml
new file mode 100644
index 0000000..44c209a
--- /dev/null
+++ b/roles/sublab_web/tasks/as_webuser.yaml
@@ -0,0 +1,7 @@
+---
+- name: Clone sublab website
+ git:
+ dest="/var/www/{{sublab_web_server_name}}/htdocs"
+ repo=git://git.sublab.org/website
+ accept_hostkey=yes
+ notify: Rebuild subweb website
diff --git a/roles/sublab_web/tasks/main.yaml b/roles/sublab_web/tasks/main.yaml
new file mode 100644
index 0000000..5e52a65
--- /dev/null
+++ b/roles/sublab_web/tasks/main.yaml
@@ -0,0 +1,40 @@
+---
+# Deploy sublab web config
+- name: Place vhost config
+ template:
+ dest=/etc/apache2/sites-enabled/000-default_subweb.conf
+ src=vhost.conf.j2
+ notify: Reload apache
+
+- name: Create config snippet dir
+ file:
+ name=/etc/apache2/sites/{{ sublab_web_server_name }}
+ recurse=yes
+ state=directory
+
+- name: Place config snippets
+ template:
+ dest=/etc/apache2/sites/{{ sublab_web_server_name }}/{{ item }}
+ src={{ item }}.j2
+ with_items:
+ - dump.conf
+ - server.conf
+ - ssl.conf
+ - subdap-plain.conf
+ - subdap-ssl.conf
+ - wiki.conf
+ notify: Reload apache
+
+- name: Create Website group
+ group: name=sublab_web
+
+- name: Create Website user
+ user:
+ name=sublab_web
+ group=sublab_web
+ home="/var/www/{{sublab_web_server_name}}"
+
+- include: as_webuser.yaml
+ become: yes
+ become_method: su
+ become_user: sublab_web
diff --git a/roles/sublab_web/templates/dump.conf.j2 b/roles/sublab_web/templates/dump.conf.j2
new file mode 100644
index 0000000..e0d74f6
--- /dev/null
+++ b/roles/sublab_web/templates/dump.conf.j2
@@ -0,0 +1,7 @@
+Alias /dump /var/www/{{ sublab_web_server_name }}/dump
+
+ AllowOverride None
+ Order allow,deny
+ Allow from all
+ Options +FollowSymLinks
+
diff --git a/roles/sublab_web/templates/server.conf.j2 b/roles/sublab_web/templates/server.conf.j2
new file mode 100644
index 0000000..aee5ab4
--- /dev/null
+++ b/roles/sublab_web/templates/server.conf.j2
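Review bot: The `Place config snippets` task renders `wiki.conf`, which embeds the LDAP bind password through `AuthLDAPBindPassword`, but sets no `mode`, so the file is created with the default umask, normally world-readable, under `/etc/apache2/sites/`. Add `mode=0600` there (Apache reads its configuration as root before dropping privileges) and `mode=0750` on the `Create config snippet dir` task, where `recurse=yes` on a freshly created directory does nothing and can be dropped. `ssl.conf.j2` also expects `ssl/key.pem` in that directory, and nothing in this commit places it, so presumably it is deployed out of band; a comment on the directory task saying so would spare the next reader the search.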
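Review bot: `Order allow,deny` / `Allow from all` is Apache 2.2 access-control syntax, while `server.conf.j2` and `subdap-ssl.conf.j2` use the 2.4 form `Require all granted`; mixing the two only works while `mod_access_compat` is loaded, which the apache role does not enable explicitly, and the same mix appears in `wiki.conf.j2`. Use `Require all granted` here too so one mechanism governs access. The container directives around these lines appear to have been lost in rendering, so the directory they apply to cannot be checked from the page.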
@@ -0,0 +1,73 @@
+ServerAdmin nobody@nowhere.ws
+ServerName {{ sublab_web_server_name }}
+ServerAlias www.{{ sublab_web_server_name }}
+
+DocumentRoot /var/www/{{ sublab_web_server_name }}/htdocs/public
+
+
+ AllowOverride None
+ Require all granted
+
+
+RewriteEngine On
+
+RewriteRule ^/lounge/?$ /sublounge [R=302]
+RewriteRule ^/phantomspeisung/?$ /vokue [R=301]
+RewriteRule ^/vokue/?$ /wiki/Phantomspeisung/ [R=301]
+
+RewriteRule ^/cryptocon14(/?|.*)$ https://cryptocon.org/14$1 [R=301,last]
+RewriteRule ^/cryptocon15(/?|.*)$ https://cryptocon.org/15$1 [R=301,last]
+
+# Allow the drop of .html
+RewriteRule ^/([^/\.]+)$ /$1.html
+
+# RewriteLog /tmp/rewrite-log
+# RewriteLogLevel 9
+
+ErrorDocument 401 /401.html
+ErrorDocument 404 /404.html
+
+
+ SetHandler server-status
+ Require ip 127.0.0.1
+
+
+ SetHandler server-info
+ Require ip 127.0.0.1
+
+Redirect 301 /sublab_status.json /status.json
+ Header set Access-Control-Allow-Origin *
+ Header set Cache-Control no-cache
+
+
+ Header set Access-Control-Allow-Origin *
+ Header set Cache-Control no-cache
+
+
+ Header set Cache-Control no-cache
+
+
+ Header set Cache-Control no-cache
+
+
+ Header set Cache-Control no-cache
+
+
+ Header set Cache-Control no-cache
+
+
+ Header set Cache-Control no-cache
+
+
+ Header set Cache-Control no-cache
+
+
+ Header set Cache-Control no-cache
+
+
+ Header set Cache-Control no-cache
+
+
+ Header set Cache-Control no-cache
+
diff --git a/roles/sublab_web/templates/ssl.conf.j2 b/roles/sublab_web/templates/ssl.conf.j2
new file mode 100644
index 0000000..5d02eed
--- /dev/null
+++ b/roles/sublab_web/templates/ssl.conf.j2
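Review bot: `Require ip 127.0.0.1` on the `server-status` and `server-info` handlers admits only IPv4 loopback, while `krb5_prop_xinetd.j2` shows these hosts are reached over IPv6; a local monitoring call over `::1` is denied, and the intent reads better spelled out as `Require ip 127.0.0.1 ::1`. The `Access-Control-Allow-Origin *` header on the status JSON is fine for public data but deserves a comment saying the document is intentionally public, since the same vhost also serves authenticated content. The `Location` and `Directory` container lines are missing from the rendered hunk, so which paths these blocks cover cannot be confirmed here.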
@@ -0,0 +1,20 @@
+SSLEngine On
+
+SSLCertificateChainFile /etc/apache2/sites/{{ sublab_web_server_name }}/ssl/chain.pem
+SSLCertificateFile /etc/apache2/sites/{{ sublab_web_server_name }}/ssl/cert.pem
+SSLCertificateKeyFile /etc/apache2/sites/{{ sublab_web_server_name }}/ssl/key.pem
+
+SSLEngine On
+SSLHonorCipherOrder on
+SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1 -SSLv3 -SSLv2
+SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
+SSLCompression off
+
+#Header always set Strict-Transport-Security "max-age=15984000"
+
+SSLOptions StdEnvVars
+
+BrowserMatch "MSIE [2-6]" \
+ nokeepalive ssl-unclean-shutdown \
+ downgrade-1.0 force-response-1.0
+BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
diff --git a/roles/sublab_web/templates/subdap-plain.conf.j2 b/roles/sublab_web/templates/subdap-plain.conf.j2
new file mode 100644
index 0000000..c79370d
--- /dev/null
+++ b/roles/sublab_web/templates/subdap-plain.conf.j2
@@ -0,0 +1 @@
+RedirectMatch permanent ^/(subdap(/?|/.*))$ https://{{ sublab_web_server_name }}/$1
diff --git a/roles/sublab_web/templates/subdap-ssl.conf.j2 b/roles/sublab_web/templates/subdap-ssl.conf.j2
new file mode 100644
index 0000000..bec8c54
--- /dev/null
+++ b/roles/sublab_web/templates/subdap-ssl.conf.j2
@@ -0,0 +1,13 @@
+
+ ProxyPass "http://127.0.0.1:8001/"
+
+
+ ProxyPass "!"
+
+
+Alias /subdap/static /var/subdap/src/static
+
+ Options -Indexes -ExecCGI
+ AllowOverride None
+ Require all granted
+
diff --git a/roles/sublab_web/templates/vhost.conf.j2 b/roles/sublab_web/templates/vhost.conf.j2
new file mode 100644
index 0000000..6c3851d
--- /dev/null
+++ b/roles/sublab_web/templates/vhost.conf.j2
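Review bot: `SSLEngine On` appears twice in this template (first and seventh line); one is redundant and the duplicate invites the two to drift apart. `SSLUseStapling on` is absent, so the `SSLStaplingCache` that the apache role injects is never used; add it beside `SSLCompression off` if stapling is wanted. The HSTS header is left commented out, and since `vhost.conf.j2` includes the same `server.conf` and `wiki.conf` in the non-SSL vhost, a comment stating why the site is still meant to be reachable over plain HTTP, or enabling the header once the plain vhost redirects, would document the decision.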
@@ -0,0 +1,12 @@
+
+ Include sites/{{ sublab_web_server_name }}/subdap-plain.conf
+ Include sites/{{ sublab_web_server_name }}/server.conf
+ Include sites/{{ sublab_web_server_name }}/wiki.conf
+ Include sites/{{ sublab_web_server_name }}/dump.conf
+
+
+ Include sites/{{ sublab_web_server_name }}/ssl.conf
+ Include sites/{{ sublab_web_server_name }}/subdap-ssl.conf
+ Include sites/{{ sublab_web_server_name }}/server.conf
+ Include sites/{{ sublab_web_server_name }}/wiki.conf
+
diff --git a/roles/sublab_web/templates/wiki.conf.j2 b/roles/sublab_web/templates/wiki.conf.j2
new file mode 100644
index 0000000..90a2f1d
--- /dev/null
+++ b/roles/sublab_web/templates/wiki.conf.j2
@@ -0,0 +1,20 @@
+Alias /wiki/ /home/wiki-{{ sublab_web_server_name }}/wiki-html/
+
+ AllowOverride None
+ Order allow,deny
+ allow from all
+ AddHandler cgi-script .cgi
+ Options +ExecCGI
+
+
+ AuthType basic
+ AuthBasicProvider ldap
+ AuthName "LDAP Login"
+ AuthLDAPBindDN "cn=apache-{{ ansible_nodename }},ou=service,dc=sublab,dc=org"
+ AuthLDAPBindPassword "{{ ldap_credentials["apache-" + ansible_nodename] }}"
+ AuthLDAPURL "{{ ldap_url }}/ou=people,dc=sublab,dc=org"
+ # AuthzLDAPAuthoritative on
+ # Require ldap-group cn=members,ou=groups,dc=sublab,dc=org
+ Require valid-user
+
+LDAPTrustedMode TLS
diff --git a/roles/xinetd/handlers/main.yaml b/roles/xinetd/handlers/main.yaml
new file mode 100644
index 0000000..55d6cb3
--- /dev/null
+++ b/roles/xinetd/handlers/main.yaml
@@ -0,0 +1,3 @@
+---
+- name: Restart xinetd
+ service: name=xinetd state=restarted
diff --git a/roles/xinetd/tasks/main.yaml b/roles/xinetd/tasks/main.yaml
new file mode 100644
index 0000000..44a7678
--- /dev/null
+++ b/roles/xinetd/tasks/main.yaml
@@ -0,0 +1,3 @@
+# Setup Xinetd
+- name: Install Xinetd
+ apt: name=xinetd state=present
diff --git a/site.yml b/site.yml
new file mode 100644
index 0000000..93376d9
--- /dev/null
+++ b/site.yml
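Review bot: `AuthType basic` with `Require valid-user` is pulled in by `vhost.conf.j2` in both vhost blocks, and the first block carries no `ssl.conf`, so it appears to be the plain-HTTP vhost; there, users' LDAP passwords travel base64-encoded in clear on every request, and the bind password in this file is protected only by file permissions. Redirect `/wiki` on the plain vhost the way `subdap-plain.conf.j2` does for `/subdap`, and include `wiki.conf` only in the SSL block. `LDAPTrustedMode TLS` upgrades the `ldap://` connection with STARTTLS, but certificate validation depends on a CA configured in the global mod_ldap settings (`LDAPTrustedGlobalCert`), which this commit does not set; presumably the system OpenLDAP trust store is relied on, and a comment stating that would make the trust path explicit.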
@@ -0,0 +1,14 @@
+---
+# Global playbook config
+
+- name: apply wolpertinger roles
+ hosts: all
+ roles:
+ - common
+ - kerberos
+ - sublab_web
+ vars_files:
+ - vars/encrypted.yaml
+ - vars/ldap.yaml
+ vars:
+ sublab_web_server_name: "wolpertinger.nowhere.ws"
diff --git a/staging b/staging
new file mode 100644
index 0000000..c59ee06
--- /dev/null
+++ b/staging
@@ -0,0 +1 @@
+wolpertinger.nowhere.ws ansible_ssh_user=root
diff --git a/vars/encrypted.yaml b/vars/encrypted.yaml
new file mode 100644
index 0000000..90c2734
--- /dev/null
+++ b/vars/encrypted.yaml
@@ -0,0 +1,8 @@
+$ANSIBLE_VAULT;1.1;AES256
+31616635363835663636363161393832636333333264633339613464616437353734373634623035
+3730363961356637376462396631366162353163333161350a333834396563666430393033653931
+65346431373539633238616462393265346231313633386432613530336162373563636436366431
+3963656637636232360a373439356263363662633234363231366132616637346165323334376361
+36316464356264363062323662386137646538613235333830316261633436623136363337343665
+62316662343435316334666362666362303431346463306161373534396438383334323766666139
+333437613434346566663330373534383230
diff --git a/vars/ldap.yaml b/vars/ldap.yaml
new file mode 100644
index 0000000..7c484e9
--- /dev/null
+++ b/vars/ldap.yaml
@@ -0,0 +1 @@
+ldap_url: "ldap://oberon.local.sublab.org"
--
cgit v1.2.1