From af66612e6014bea48458125cda72d73c51bc3c20 Mon Sep 17 00:00:00 2001
From: Christian Franke
Date: Tue, 25 Aug 2015 19:23:43 +0200
Subject: Initial commit
---
 roles/sublab_web/defaults/main.yaml | 2 +
 roles/sublab_web/handlers/as_webuser.yaml | 5 ++
 roles/sublab_web/handlers/main.yaml | 5 ++
 roles/sublab_web/meta/main.yaml | 4 ++
 roles/sublab_web/tasks/as_webuser.yaml | 7 +++
 roles/sublab_web/tasks/main.yaml | 40 ++++++++++++++
 roles/sublab_web/templates/dump.conf.j2 | 7 +++
 roles/sublab_web/templates/server.conf.j2 | 73 +++++++++++++++++++++++++
 roles/sublab_web/templates/ssl.conf.j2 | 20 +++++++
 roles/sublab_web/templates/subdap-plain.conf.j2 | 1 +
 roles/sublab_web/templates/subdap-ssl.conf.j2 | 13 +++++
 roles/sublab_web/templates/vhost.conf.j2 | 12 ++++
 roles/sublab_web/templates/wiki.conf.j2 | 20 +++++++
 13 files changed, 209 insertions(+)
 create mode 100644 roles/sublab_web/defaults/main.yaml
 create mode 100644 roles/sublab_web/handlers/as_webuser.yaml
 create mode 100644 roles/sublab_web/handlers/main.yaml
 create mode 100644 roles/sublab_web/meta/main.yaml
 create mode 100644 roles/sublab_web/tasks/as_webuser.yaml
 create mode 100644 roles/sublab_web/tasks/main.yaml
 create mode 100644 roles/sublab_web/templates/dump.conf.j2
 create mode 100644 roles/sublab_web/templates/server.conf.j2
 create mode 100644 roles/sublab_web/templates/ssl.conf.j2
 create mode 100644 roles/sublab_web/templates/subdap-plain.conf.j2
 create mode 100644 roles/sublab_web/templates/subdap-ssl.conf.j2
 create mode 100644 roles/sublab_web/templates/vhost.conf.j2
 create mode 100644 roles/sublab_web/templates/wiki.conf.j2
(limited to 'roles/sublab_web')
diff --git a/roles/sublab_web/defaults/main.yaml b/roles/sublab_web/defaults/main.yaml
new file mode 100644
index 0000000..367f47c
--- /dev/null
+++ b/roles/sublab_web/defaults/main.yaml
@@ -0,0 +1,2 @@
+---
+sublab_web_server_name: "sublab.org"
diff --git a/roles/sublab_web/handlers/as_webuser.yaml b/roles/sublab_web/handlers/as_webuser.yaml
new file mode 100644
index 0000000..53c6444
--- /dev/null
+++ b/roles/sublab_web/handlers/as_webuser.yaml
@@ -0,0 +1,5 @@
+---
+- name: Rebuild subweb website
+ shell: python template.py
+ args:
+ chdir: "/var/www/{{sublab_web_server_name}}/htdocs/scripts"
diff --git a/roles/sublab_web/handlers/main.yaml b/roles/sublab_web/handlers/main.yaml
new file mode 100644
index 0000000..1ea02c8
--- /dev/null
+++ b/roles/sublab_web/handlers/main.yaml
@@ -0,0 +1,5 @@
+---
+- include: as_webuser.yaml
+ become: yes
+ become_method: su
+ become_user: sublab_web
diff --git a/roles/sublab_web/meta/main.yaml b/roles/sublab_web/meta/main.yaml
new file mode 100644
index 0000000..f185875
--- /dev/null
+++ b/roles/sublab_web/meta/main.yaml
@@ -0,0 +1,4 @@
+---
+dependencies:
+ - role: apache
+ - role: subdap
diff --git a/roles/sublab_web/tasks/as_webuser.yaml b/roles/sublab_web/tasks/as_webuser.yaml
new file mode 100644
index 0000000..44c209a
--- /dev/null
+++ b/roles/sublab_web/tasks/as_webuser.yaml
@@ -0,0 +1,7 @@
+---
+- name: Clone sublab website
+ git:
+ dest="/var/www/{{sublab_web_server_name}}/htdocs"
+ repo=git://git.sublab.org/website
+ accept_hostkey=yes
+ notify: Rebuild subweb website
diff --git a/roles/sublab_web/tasks/main.yaml b/roles/sublab_web/tasks/main.yaml
new file mode 100644
index 0000000..5e52a65
--- /dev/null
+++ b/roles/sublab_web/tasks/main.yaml
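Review bot: `shell: python template.py` in the "Rebuild subweb website" handler spawns a shell for a command that uses no shell features; `command: python template.py` with the same `args: chdir:` does the same job without the extra interpreter layer. It is also worth a comment that template.py is not part of this role but comes from the checkout made in tasks/as_webuser.yaml, so the handler executes whatever that repository contains as the sublab_web user, e.g. `# runs template.py from the cloned website repo, not from this role`.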
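Review bot: The `git:` task in tasks/as_webuser.yaml clones from `repo=git://git.sublab.org/website`, a transport with neither authentication nor integrity protection, and pins no `version=`, so the checkout that the "Rebuild subweb website" handler then executes is whatever the network delivers at run time. An https:// or ssh:// URL plus `version=` pinned to a tag or commit makes the deployment reproducible and lets the host verify what it is running. `accept_hostkey=yes` has no effect for git:// and, if the URL is later switched to ssh, would trust an unverified host key on first contact; a pre-provisioned known_hosts entry is the safer way to handle that.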
@@ -0,0 +1,40 @@
+---
+# Deploy sublab web config
+- name: Place vhost config
+ template:
+ dest=/etc/apache2/sites-enabled/000-default_subweb.conf
+ src=vhost.conf.j2
+ notify: Reload apache
+
+- name: Create config snippet dir
+ file:
+ name=/etc/apache2/sites/{{ sublab_web_server_name }}
+ recurse=yes
+ state=directory
+
+- name: Place config snippets
+ template:
+ dest=/etc/apache2/sites/{{ sublab_web_server_name }}/{{ item }}
+ src={{ item }}.j2
+ with_items:
+ - dump.conf
+ - server.conf
+ - ssl.conf
+ - subdap-plain.conf
+ - subdap-ssl.conf
+ - wiki.conf
+ notify: Reload apache
+
+- name: Create Website group
+ group: name=sublab_web
+
+- name: Create Website user
+ user:
+ name=sublab_web
+ group=sublab_web
+ home="/var/www/{{sublab_web_server_name}}"
+
+- include: as_webuser.yaml
+ become: yes
+ become_method: su
+ become_user: sublab_web
diff --git a/roles/sublab_web/templates/dump.conf.j2 b/roles/sublab_web/templates/dump.conf.j2
new file mode 100644
index 0000000..e0d74f6
--- /dev/null
+++ b/roles/sublab_web/templates/dump.conf.j2
@@ -0,0 +1,7 @@
+Alias /dump /var/www/{{ sublab_web_server_name }}/dump
+
+ AllowOverride None
+ Order allow,deny
+ Allow from all
+ Options +FollowSymLinks
+
diff --git a/roles/sublab_web/templates/server.conf.j2 b/roles/sublab_web/templates/server.conf.j2
new file mode 100644
index 0000000..aee5ab4
--- /dev/null
+++ b/roles/sublab_web/templates/server.conf.j2
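Review bot: None of the `template:` or `file:` tasks in tasks/main.yaml set `owner`, `group` or `mode`, so the snippet directory and the rendered snippets end up with whatever the connecting user's umask yields; one of those snippets, wiki.conf, is rendered with an LDAP bind password in it, so "Place config snippets" should at least carry `mode=0640 owner=root group=root` (Apache reads its configuration as root, so nothing else needs access). `recurse=yes` on "Create config snippet dir" applies ownership and mode to existing children, and with neither specified it does nothing useful here, so it can be dropped. Writing the vhost straight into `sites-enabled` rather than `sites-available` plus `a2ensite` is a style choice, but a one-line comment saying it is deliberate would stop the next reader from "fixing" it.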
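Review bot: dump.conf uses the Apache 2.2 access syntax `Order allow,deny` / `Allow from all`, while server.conf in the same commit uses the 2.4 form `Require all granted`; mixing the two only works with mod_access_compat loaded and makes the effective policy harder to read, so `Require all granted` is the consistent choice here (wiki.conf has the same `Order`/`allow` pair). `Options +FollowSymLinks` lets any symlink dropped under the dump directory be served from wherever it points; `Options +SymLinksIfOwnerMatch` keeps symlinks working when link and target share an owner and refuses the rest, which is the usual setting for a directory that receives uploads. The enclosing `<Directory>` container lines are not visible in this rendering of the hunk, so the scope of these directives is taken from the file's structure.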
@@ -0,0 +1,73 @@ +ServerAdmin nobody@nowhere.ws +ServerName {{ sublab_web_server_name }} +ServerAlias www.{{ sublab_web_server_name }} + +DocumentRoot /var/www/{{ sublab_web_server_name }}/htdocs/public + + + AllowOverride None + Require all granted + + +RewriteEngine On + +RewriteRule ^/lounge/?$ /sublounge [R=302] +RewriteRule ^/phantomspeisung/?$ /vokue [R=301] +RewriteRule ^/vokue/?$ /wiki/Phantomspeisung/ [R=301] + +RewriteRule ^/cryptocon14(/?|.*)$ https://cryptocon.org/14$1 [R=301,last] +RewriteRule ^/cryptocon15(/?|.*)$ https://cryptocon.org/15$1 [R=301,last] + +# Allow the drop of .html +RewriteRule ^/([^/\.]+)$ /$1.html + +# RewriteLog /tmp/rewrite-log +# RewriteLogLevel 9 + +ErrorDocument 401 /401.html +ErrorDocument 404 /404.html + + + SetHandler server-status + Require ip 127.0.0.1 + + + SetHandler server-info + Require ip 127.0.0.1 + +Redirect 301 /sublab_status.json /status.json + + Header set Access-Control-Allow-Origin * + Header set Cache-Control no-cache + + + Header set Access-Control-Allow-Origin * + Header set Cache-Control no-cache + + + Header set Cache-Control no-cache + + + Header set Cache-Control no-cache + + + Header set Cache-Control no-cache + + + Header set Cache-Control no-cache + + + Header set Cache-Control no-cache + + + Header set Cache-Control no-cache + + + Header set Cache-Control no-cache + + + Header set Cache-Control no-cache + + + Header set Cache-Control no-cache + diff --git a/roles/sublab_web/templates/ssl.conf.j2 b/roles/sublab_web/templates/ssl.conf.j2 new file mode 100644 index 0000000..5d02eed --- /dev/null +++ b/roles/sublab_web/templates/ssl.conf.j2 
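Review bot: `Require ip 127.0.0.1` on the server-status and server-info locations admits only the IPv4 loopback address; if the vhost also listens on `::1`, a local IPv6 request is refused, so `Require ip 127.0.0.1 ::1` is the usual form. The two cryptocon rules use `(/?|.*)$`, where the `/?` alternative is already matched by `.*` and `$1` comes out the same either way, so `^/cryptocon14(.*)$` is equivalent and easier to read. The `<Directory>`, `<Location>` and `<Files>` container lines are missing from this rendering, so which paths the repeated `Header set` blocks apply to cannot be checked here.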
@@ -0,0 +1,20 @@ +SSLEngine On + +SSLCertificateChainFile /etc/apache2/sites/{{ sublab_web_server_name }}/ssl/chain.pem +SSLCertificateFile /etc/apache2/sites/{{ sublab_web_server_name }}/ssl/cert.pem +SSLCertificateKeyFile /etc/apache2/sites/{{ sublab_web_server_name }}/ssl/key.pem + +SSLEngine On +SSLHonorCipherOrder on +SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1 -SSLv3 -SSLv2 +SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK +SSLCompression off + +#Header always set Strict-Transport-Security "max-age=15984000" + +SSLOptions StdEnvVars + +BrowserMatch "MSIE [2-6]" \ + nokeepalive ssl-unclean-shutdown \ + downgrade-1.0 force-response-1.0 +BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown diff --git a/roles/sublab_web/templates/subdap-plain.conf.j2 b/roles/sublab_web/templates/subdap-plain.conf.j2 new file mode 100644 index 0000000..c79370d --- /dev/null +++ b/roles/sublab_web/templates/subdap-plain.conf.j2 @@ -0,0 +1 @@ +RedirectMatch permanent ^/(subdap(/?|/.*))$ https://{{ sublab_web_server_name }}/$1 diff --git a/roles/sublab_web/templates/subdap-ssl.conf.j2 b/roles/sublab_web/templates/subdap-ssl.conf.j2 new file mode 100644 index 0000000..bec8c54 --- /dev/null +++ b/roles/sublab_web/templates/subdap-ssl.conf.j2 @@ -0,0 +1,13 @@ + + ProxyPass "http://127.0.0.1:8001/" + + + ProxyPass "!" + + +Alias /subdap/static /var/subdap/src/static + + Options -Indexes -ExecCGI + AllowOverride None + Require all granted + diff --git a/roles/sublab_web/templates/vhost.conf.j2 b/roles/sublab_web/templates/vhost.conf.j2 new file mode 100644 index 0000000..6c3851d --- /dev/null +++ b/roles/sublab_web/templates/vhost.conf.j2 
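Review bot: `SSLEngine On` appears twice in ssl.conf (the first line and again before `SSLHonorCipherOrder`); one of them should go. The key referenced by `SSLCertificateKeyFile .../ssl/key.pem` is not placed or permission-pinned by any task in this commit, so the template is the only place that records the expectation; a comment such as `# cert.pem, chain.pem and key.pem are provisioned out of band; key.pem must be root:root 0600` would document it. The Strict-Transport-Security header is commented out, which is consistent only as long as the plain-HTTP host keeps serving the same content; if that is the reason, say so in the comment, e.g. `# HSTS stays off while the :80 vhost still serves the site`.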
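Review bot: The backend behind `ProxyPass "http://127.0.0.1:8001/"` in subdap-ssl.conf is reached over plain HTTP on loopback and gets no signal that the client connection was TLS; if subdap builds absolute URLs or decides on Secure cookies from the scheme it sees, it will get them wrong. `RequestHeader set X-Forwarded-Proto "https"` next to the ProxyPass (mod_headers is already relied on in server.conf) provides that signal; whether subdap honours it cannot be told from this diff. The `<Location>` and `<Directory>` container lines are missing from this rendering.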
@@ -0,0 +1,12 @@ + + Include sites/{{ sublab_web_server_name }}/subdap-plain.conf + Include sites/{{ sublab_web_server_name }}/server.conf + Include sites/{{ sublab_web_server_name }}/wiki.conf + Include sites/{{ sublab_web_server_name }}/dump.conf + + + Include sites/{{ sublab_web_server_name }}/ssl.conf + Include sites/{{ sublab_web_server_name }}/subdap-ssl.conf + Include sites/{{ sublab_web_server_name }}/server.conf + Include sites/{{ sublab_web_server_name }}/wiki.conf + diff --git a/roles/sublab_web/templates/wiki.conf.j2 b/roles/sublab_web/templates/wiki.conf.j2 new file mode 100644 index 0000000..90a2f1d --- /dev/null +++ b/roles/sublab_web/templates/wiki.conf.j2 @@ -0,0 +1,20 @@ +Alias /wiki/ /home/wiki-{{ sublab_web_server_name }}/wiki-html/ + + AllowOverride None + Order allow,deny + allow from all + AddHandler cgi-script .cgi + Options +ExecCGI + + + AuthType basic + AuthBasicProvider ldap + AuthName "LDAP Login" + AuthLDAPBindDN "cn=apache-{{ ansible_nodename }},ou=service,dc=sublab,dc=org" + AuthLDAPBindPassword "{{ ldap_credentials["apache-" + ansible_nodename] }}" + AuthLDAPURL "{{ ldap_url }}/ou=people,dc=sublab,dc=org" + # AuthzLDAPAuthoritative on + # Require ldap-group cn=members,ou=groups,dc=sublab,dc=org + Require valid-user + +LDAPTrustedMode TLS -- cgit v1.2.1
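Review bot: The first VirtualHost in vhost.conf, the plain-HTTP one that includes subdap-plain.conf's redirect, also includes wiki.conf, so wiki.conf's `AuthType basic` / `Require valid-user` block is reachable without TLS and a browser following a plain http://…/wiki/ link sends the user's LDAP password base64-encoded in the clear. Either leave wiki.conf out of that host and redirect /wiki/ the way subdap-plain.conf redirects /subdap, or put `SSLRequireSSL` inside the protected Location so credentials are never requested on the plain listener. The VirtualHost opening lines are missing from this rendering, so which block is the TLS one is inferred from the ssl.conf include.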
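Review bot: In wiki.conf, `Require valid-user` with the `Require ldap-group cn=members,...` line commented out grants the wiki to every account that can bind to the directory, not only members; if that is intended, a comment saying so saves the next reader from re-enabling the group check, otherwise the group line should be uncommented. The commented `AuthzLDAPAuthoritative` directive was removed in Apache 2.4, which the `Require` syntax here targets, so that line can simply go. `LDAPTrustedMode TLS` sits at the end outside the Location and is server-scope; a one-line comment that it upgrades the `{{ ldap_url }}` connection with STARTTLS only when that URL is ldap:// rather than ldaps:// would make the dependency on the variable explicit.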