From 241f3f13fd58aa5ae39d1de52415609907ff52f0 Mon Sep 17 00:00:00 2001
From: Gregory Colpart
Date: Tue, 11 Oct 2016 15:46:35 +0200
Subject: [PATCH] Improvments on Apache role
---
 apache/defaults/main.yml | 1 +
 apache/files/ipaddr_whitelist.conf | 1 +
 apache/files/zzz_evolix.conf | 5 +++++
 apache/tasks/main.yml | 25 +++++++++++++++++++++----
 vagrant.yml | 15 +++++++--------
 5 files changed, 35 insertions(+), 12 deletions(-)
 create mode 100644 apache/defaults/main.yml
 create mode 100644 apache/files/zzz_evolix.conf
diff --git a/apache/defaults/main.yml b/apache/defaults/main.yml
new file mode 100644
index 00000000..2183b7dd
--- /dev/null
+++ b/apache/defaults/main.yml
@@ -0,0 +1 @@
+apache_ipaddr_whitelist: [ "1.2.3.4" ]
diff --git a/apache/files/ipaddr_whitelist.conf b/apache/files/ipaddr_whitelist.conf
index 828a1671..34e7da20 100644
--- a/apache/files/ipaddr_whitelist.conf
+++ b/apache/files/ipaddr_whitelist.conf
@@ -1 +1,2 @@
+# Whitelisted IP addresses, add `Include ipaddr_whitelist.conf` to use it
 #Allow from 192.0.2.42
diff --git a/apache/files/zzz_evolix.conf b/apache/files/zzz_evolix.conf
new file mode 100644
index 00000000..def69d90
--- /dev/null
+++ b/apache/files/zzz_evolix.conf
@@ -0,0 +1,5 @@
+#MaxClients 500
+#ServerLimit 500
+#StartServers 100
+#MinSpareServers 40
+#MaxSpareServers 60
diff --git a/apache/tasks/main.yml b/apache/tasks/main.yml
index 392f5aa6..e253d759 100644
--- a/apache/tasks/main.yml
+++ b/apache/tasks/main.yml
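Review bot: `apache_ipaddr_whitelist` defaults to `"1.2.3.4"`, a routable public address that is not reserved for examples, and the role's `add IP addresses to private IP whitelist` task turns every entry of this list into an `Allow from` line in `/etc/apache2/ipaddr_whitelist.conf`; any host provisioned without overriding the variable therefore grants access to whoever holds that address. A role default for an allow-list should be empty, `apache_ipaddr_whitelist: []`, with the example moved to a comment using the documentation range the whitelist file itself already uses, e.g. `# apache_ipaddr_whitelist: [ "192.0.2.42" ]`. A leading `---` document start would also match the usual Ansible/yamllint convention.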
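Review bot: The new header comment says how to `Include` the file but not in which context the `Allow from` lines it collects are meaningful: `Allow`/`Deny`/`Order` are the Apache 2.2 access-control directives, and on the 2.4 layout the role otherwise targets (`conf-available`, `a2enconf`) they come from mod_access_compat and only restrict anything together with an `Order deny,allow` / `Deny from all` in the same block; dropped into a `Require`-based block they behave differently from `Require ip`. Suggest saying so in the comment, e.g. `# Whitelisted IP addresses (mod_access_compat 'Allow from' syntax): inside a block with 'Order deny,allow' and 'Deny from all', add 'Include ipaddr_whitelist.conf'`. Which syntax the vhosts that include this file use is not visible from this diff.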
@@ -13,14 +13,31 @@ changed_when: false - name : copy Apache default config - copy: src=z_evolix.conf dest=/etc/apache2/conf-available/z_evolix.conf owner=root group=root mode=0644 + copy: src=z_evolix.conf dest=/etc/apache2/conf-available/z_evolix.conf owner=root group=root mode=0644 + +- name : copy Apache override config + copy: src=zzz_evolix.conf dest=/etc/apache2/conf-available/zzz_evolix.conf owner=root group=root mode=0640 force=no - name: ensure Apache default config is enabled - command: a2enconf z_evolix.conf + command: a2enconf z_evolix.conf zzz_evolix.conf changed_when: false - name: init ipaddr_whitelist.conf file copy: src=ipaddr_whitelist.conf dest=/etc/apache2/ipaddr_whitelist.conf owner=root group=root mode=0640 force=no -- name : ensure umask is in envvars - lineinfile: dest=/etc/apache2/envvars regexp="^umask" line="umask 077" +- name: add IP addresses to private IP whitelist + lineinfile: + dest: /etc/apache2/ipaddr_whitelist.conf + line: "Allow from {{ item }}" + state: present + with_items: "{{ apache_ipaddr_whitelist }}" + +- name: add a mark in envvars for umask + blockinfile: + dest: /etc/apache2/envvars + block: | + ## Set umask for writing by Apache user. + ## Set rights on files and directories written by Apache + +- name : ensure umask is set in envvars (default is umask 007) + lineinfile: dest=/etc/apache2/envvars regexp="^umask" line="umask 007"
diff --git a/vagrant.yml b/vagrant.yml
index 222dec3a..d968dcad 100644
--- a/vagrant.yml
+++ b/vagrant.yml
@@ -2,13 +2,12 @@ - hosts: all gather_facts: yes become: yes - # vars_files: - # - 'vars/main.yml' roles: - # - { role: apt-upgrade, apt_upgrade_mode: safe } - - apt-upgrade - - munin - - monit - - redis - - { role: rbenv, username: 'vagrant' } + #- { role: apt-upgrade, apt_upgrade_mode: safe } + #- apt-upgrade + #- munin + #- monit + #- redis + #- { role: rbenv, username: 'vagrant' } + #- apache
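Review bot: The `add IP addresses to private IP whitelist` task is append-only: `lineinfile` with `state: present` adds one `Allow from` line per item of `apache_ipaddr_whitelist` but never removes one, so an address dropped from the variable stays allowed on every host provisioned earlier, and because the file is seeded with `force=no` it drifts from the inventory for good. Nothing in the hunk notifies a reload either, so neither the new `Allow from` lines nor the freshly enabled `zzz_evolix.conf` take effect until Apache is restarted by something else (a handler may exist outside this hunk). For an access-control list the whole file should be rendered from the variable, which collapses the `copy ... force=no` and `lineinfile` pair into one `template` task whose Jinja source is the existing header comment followed by `{% for ip in apache_ipaddr_whitelist %}Allow from {{ ip }}{% endfor %}` emitting one line per entry. Separately, changing `umask 077` to `umask 007` makes everything Apache writes readable and writable by its group instead of its owner only; that loosening is not mentioned in the commit message and deserves a line in the new comment block, e.g. `## umask 007: files and directories written by Apache are group-readable/writable (was 077)`.
```yaml
- name: render the IP whitelist from apache_ipaddr_whitelist
  template:
    src: ipaddr_whitelist.conf.j2
    dest: /etc/apache2/ipaddr_whitelist.conf
    owner: root
    group: root
    mode: "0640"
# … unchanged: envvars umask tasks …
```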
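Review bot: With `#- apache` commented out like every other entry, the Vagrant play now carries an empty `roles:` and the Apache role this commit reworks is never applied by `vagrant provision`; the new role should stay enabled, `- apache`, or the play should carry a comment saying the list is toggled by hand. An all-commented `roles:` also parses as null rather than an empty list — Ansible has tolerated that in the versions I have seen, but `roles: []` is unambiguous if shipping nothing enabled is the intent.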