diff --git a/apache/defaults/main.yml b/apache/defaults/main.yml
index 70140cad..325e6056 100644
--- a/apache/defaults/main.yml
+++ b/apache/defaults/main.yml
@@ -4,3 +4,9 @@ apache_private_ipaddr_whitelist_absent: []
 apache_private_htpasswd_present: []
 apache_private_htpasswd_absent: []
+
+apache_default_redirect_url: "http://evolix.fr"
+apache_evolinux_default_enabled: True
+
+apache_phpmyadmin_suffix: ""
+apache_serverstatus_suffix: ""
diff --git a/apache/files/private_ipaddr_whitelist.conf b/apache/files/private_ipaddr_whitelist.conf
index 34e7da20..6c42b58c 100644
--- a/apache/files/private_ipaddr_whitelist.conf
+++ b/apache/files/private_ipaddr_whitelist.conf
@@ -1,2 +1,2 @@
 # Whitelisted IP addresses, add `Include ipaddr_whitelist.conf` to use it
-#Allow from 192.0.2.42
+#Require ip 192.0.2.42
diff --git a/apache/tasks/main.yml b/apache/tasks/main.yml
index dce83867..cf3dc16b 100644
--- a/apache/tasks/main.yml
+++ b/apache/tasks/main.yml
@@ -103,7 +103,7 @@
 - name: add IP addresses to private IP whitelist
 lineinfile:
 dest: /etc/apache2/private_ipaddr_whitelist.conf
- line: "Allow from {{ item }}"
+ line: "Require ip {{ item }}"
 state: present
 with_items: "{{ apache_private_ipaddr_whitelist_present }}"
 notify: reload apache
@@ -113,13 +113,20 @@
 - name: remove IP addresses from private IP whitelist
 lineinfile:
 dest: /etc/apache2/private_ipaddr_whitelist.conf
- line: "Allow from {{ item }}"
+ line: "Require ip {{ item }}"
 state: absent
 with_items: "{{ apache_private_ipaddr_whitelist_absent }}"
 notify: reload apache
 tags:
 - apache
+- name: include private IP whitelist for server-status
+ lineinfile:
+ dest: /etc/apache2/mods-available/status.conf
+ line: " include /etc/apache2/private_ipaddr_whitelist.conf"
+ insertafter: 'SetHandler server-status'
+ state: present
+
 - name: Copy private_htpasswd
 copy:
 src: private_htpasswd
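Review bot: `apache_evolinux_default_enabled: True` uses the capitalised YAML 1.1 boolean; write `apache_evolinux_default_enabled: true` — the same applies to `nginx_evolinux_default_enabled: True` in nginx/defaults/main.yml and to the `changed_when: False` / `force: yes` values in the task hunks of this commit. `apache_phpmyadmin_suffix` and `apache_serverstatus_suffix` default to `""`, and the phpmyadmin task in apache/tasks/main.yml treats that as "generate a random one", which a reader of the defaults file cannot know; a comment such as `# empty string: a random suffix is generated at deploy time` would document the contract. `apache_default_redirect_url` feeds the vhost's `ErrorDocument 403`, so a forbidden request on the HTTPS vhost ends in a redirect to a plain-http URL; an https:// default avoids that downgrade.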
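Review bot: The header comment still says to `Include ipaddr_whitelist.conf`, while the role installs and references this file as /etc/apache2/private_ipaddr_whitelist.conf (the path used by the lineinfile tasks and the vhost template), so the example cannot be followed as written; suggested text: `# Whitelisted IP addresses; add "Include /etc/apache2/private_ipaddr_whitelist.conf" to a Directory or Location section to use it`. Since the example is now `Require ip`, a second comment line noting that the directives in this file need Apache 2.4's mod_authz_core would save someone on an older host a failed config check.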
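Review bot: Changing `line:` to `Require ip {{ item }}` only affects what gets written from now on; a host provisioned with the previous version keeps its `Allow from X` entries in /etc/apache2/private_ipaddr_whitelist.conf, and the removal task in the next hunk now matches `Require ip` lines only, so those entries are never cleaned up. Under Apache 2.4 a leftover `Allow from` depends on mod_access_compat and is evaluated separately from the new `Require` rules in the same section, so the effective whitelist silently differs between old and new hosts; a one-off migration task before this one keeps the file consistent.
```yaml
- name: migrate legacy Allow directives in private IP whitelist
  replace:
    dest: /etc/apache2/private_ipaddr_whitelist.conf
    regexp: '^Allow from (.+)$'
    replace: 'Require ip \1'
  notify: reload apache
  tags:
  - apache

# … unchanged: add IP addresses to private IP whitelist …
```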
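Review bot: The new `include private IP whitelist for server-status` task has neither `notify: reload apache` nor `tags:`, unlike every sibling task in this file, so the Include written into mods-available/status.conf only takes effect at the next unrelated reload and is skipped by a `--tags apache` run; add `  notify: reload apache` and `  tags:` / `  - apache`. mods-available/status.conf is shipped by the apache2 package, so a package upgrade that replaces the conffile can drop the line again until the next play; a comment on the task saying so (`# status.conf is a package conffile; this line is re-added on every run`) would explain why lineinfile rather than a template is used here.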
@@ -152,6 +159,61 @@
 tags:
 - apache
+- name: default vhost is installed
+ template:
+ src: evolinux-default.conf.j2
+ dest: /etc/apache2/sites-available/000-evolinux-default.conf
+ mode: "0640"
+ # force: yes
+ notify: reload apache
+ tags:
+ - apache
+
+- name: default vhost is enabled
+ file:
+ src: /etc/apache2/sites-available/000-evolinux-default.conf
+ dest: /etc/apache2/sites-enabled/000-default.conf
+ state: link
+ force: yes
+ notify: reload apache
+ when: apache_evolinux_default_enabled
+ tags:
+ - apache
+
+- block:
+ - name: generate random string for phpmyadmin suffix
+ command: "apg -a 1 -M N -n 1"
+ changed_when: False
+ register: _random_phpmyadmin_suffix
+
+ - name: overwrite apache_phpmyadmin_suffix
+ set_fact:
+ apache_phpmyadmin_suffix: "{{ _random_phpmyadmin_suffix.stdout }}"
+ when: apache_phpmyadmin_suffix == ""
+
+- name: replace phpmyadmin suffix in default site index
+ replace:
+ dest: /var/www/index.html
+ regexp: '__PHPMYADMIN_SUFFIX__'
+ replace: "{{ apache_phpmyadmin_suffix }}"
+
+# - block:
+# - name: generate random string for serverstatus suffix
+# command: "apg -a 1 -M N -n 1"
+# changed_when: False
+# register: _random_serverstatus_suffix
+#
+# - name: overwrite apache_serverstatus_suffix
+# set_fact:
+# apache_serverstatus_suffix: "{{ _random_serverstatus_suffix.stdout }}"
+# when: apache_serverstatus_suffix == ""
+#
+# - name: replace server-status suffix in default site index
+# replace:
+# dest: /var/www/index.html
+# regexp: '__SERVERSTATUS_SUFFIX__'
+# replace: "{{ apache_serverstatus_suffix }}"
+
 - name: is umask already present?
 command: "grep -E '^umask ' /etc/apache2/envvars"
 failed_when: False
diff --git a/evolinux-base/templates/default_www/apache_default_site.j2 b/apache/templates/evolinux-default.conf.j2
similarity index 67%
rename from evolinux-base/templates/default_www/apache_default_site.j2
rename to apache/templates/evolinux-default.conf.j2
index 8f29785a..744c4319 100644
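Review bot: The random phpmyadmin suffix is regenerated on every run: the block fires whenever `apache_phpmyadmin_suffix == ""` (the default), `apg` returns a fresh value each time and nothing stores it, so the `Alias /phpmyadmin-{{ apache_phpmyadmin_suffix }}` rendered into the vhost changes on each play (the template task is never idempotent), while the `replace` task, having consumed the `__PHPMYADMIN_SUFFIX__` placeholder in /var/www/index.html on the first run, keeps the first value — the link on the index page and the real alias drift apart. Reading back a persisted value before generating fixes both; a sketch follows (the state-file path is constructed, choose the role's own location). Nothing in this hunk installs `apg`, so the command fails on a host where no other task provides it — worth a comment or a package task if that is not guaranteed elsewhere. Separately, `changed_when: False` and `force: yes` should be `false`/`true`, and the commented `# force: yes` on the template task reads like a leftover from the removed evolinux-base/tasks/default_www.yml.
```yaml
- block:
  - name: read a previously generated phpmyadmin suffix
    command: "cat /etc/apache2/phpmyadmin_suffix"  # constructed path
    failed_when: False
    changed_when: False
    check_mode: no
    register: _saved_phpmyadmin_suffix

  - name: generate random string for phpmyadmin suffix
    command: "apg -a 1 -M N -n 1"
    changed_when: False
    register: _random_phpmyadmin_suffix
    when: _saved_phpmyadmin_suffix.rc != 0

  - name: overwrite apache_phpmyadmin_suffix
    set_fact:
      apache_phpmyadmin_suffix: "{{ _saved_phpmyadmin_suffix.stdout if _saved_phpmyadmin_suffix.rc == 0 else _random_phpmyadmin_suffix.stdout }}"
  when: apache_phpmyadmin_suffix == ""

# kept outside the block: the block's when is re-evaluated per task and is false once set_fact ran
- name: persist the generated phpmyadmin suffix for later runs
  copy:
    content: "{{ apache_phpmyadmin_suffix }}\n"
    dest: /etc/apache2/phpmyadmin_suffix  # constructed path
    mode: "0600"
  when: _random_phpmyadmin_suffix.stdout is defined

# … unchanged: replace phpmyadmin suffix in default site index …
```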
--- a/evolinux-base/templates/default_www/apache_default_site.j2
+++ b/apache/templates/evolinux-default.conf.j2
@@ -1,35 +1,40 @@ - + ServerName {{ ansible_fqdn }} ServerAdmin webmaster@localhost + + RewriteEngine on + RewriteCond %{REQUEST_URI} !^/server-status.*$ [NC] + # RewriteCond %{REQUEST_URI} !^/munin_opcache.php$ [NC] + RewriteRule ^/(.*) https://{{ ansible_fqdn }}/$1 [L,R=permanent] + + + + ServerName {{ ansible_fqdn }} + ServerAdmin webmaster@localhost + DocumentRoot /var/www/ SSLEngine on SSLCertificateFile /etc/ssl/certs/{{ ansible_fqdn }}.crt SSLCertificateKeyFile /etc/ssl/private/{{ ansible_fqdn }}.key - SSLProtocol all -SSLv2 -SSLv3 + # SSLProtocol all -SSLv2 -SSLv3 - # Redirect to HTTPS, execpt for server-status, because Munin plugin - # can't handle HTTPS! :( - RewriteEngine on - RewriteCond %{REQUEST_URI} !^/server-status.*$ [NC] - RewriteCond %{REQUEST_URI} !^/munin_opcache.php$ [NC] - RewriteRule ^/(.*) https://{{ ansible_fqdn }}/$1 [L,R=permanent] - - - Options FollowSymLinks + + Options +Indexes +FollowSymLinks +MultiViews AllowOverride None - Deny from all + Include /etc/apache2/private_ipaddr_whitelist.conf - - Options Indexes FollowSymLinks MultiViews + Alias /munin /var/cache/munin/www + + Options +Indexes +FollowSymLinks +MultiViews AllowOverride None + + Include /etc/apache2/private_ipaddr_whitelist.conf - Deny from all - Allow from 127.0.0.1 Include /etc/apache2/private_ipaddr_whitelist.conf
@@ -39,13 +44,13 @@ Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch - ErrorDocument 403 {{ evolinux_default_www_redirect_url }} + ErrorDocument 403 {{ apache_default_redirect_url }} + CustomLog /var/log/apache2/access.log vhost_combined ErrorLog /var/log/apache2/error.log LogLevel warn - Alias /munin /var/cache/munin/www - Alias /phpmyadmin-SED_RANDOM /usr/share/phpmyadmin/ + Alias /phpmyadmin-{{ apache_phpmyadmin_suffix }} /usr/share/phpmyadmin/ IncludeOptional /etc/apache2/conf-available/phpmyadmin*
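Review bot: In the rewritten Directory sections the old `Deny from all` / `Allow from 127.0.0.1` pair is replaced by nothing but `Include /etc/apache2/private_ipaddr_whitelist.conf`, and the whitelist file shipped by this commit contains only a commented example, so on a fresh host those sections carry no `Require` of their own and inherit whatever the server-wide config grants for that path (Debian's stock apache2.conf grants /var/www to everyone — verify against the deployed apache2.conf). Adding `Require local` before each Include restores the previous loopback-only baseline and lets the whitelist only widen it; `Require` lines at the same level combine as an implicit RequireAny, so the whitelisted addresses still get in. Commenting out `SSLProtocol all -SSLv2 -SSLv3` makes the vhost depend on the global mod_ssl setting for protocol restrictions; if that is intended, the comment should name the file that now holds it (`# SSLProtocol is set globally in mods-available/ssl.conf` — confirm the path).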
diff --git a/evoadmin/defaults/main.yml b/evoadmin/defaults/main.yml
index 30ba8010..35cdcb6c 100644
--- a/evoadmin/defaults/main.yml
+++ b/evoadmin/defaults/main.yml
@@ -9,6 +9,6 @@ evoadmin_log_dir: "{{ evoadmin_home_dir }}/log"
 evoadmin_scripts_dir: /usr/share/scripts/evoadmin/
 evoadmin_host: "evoadmin.{{ ansible_fqdn }}"
 evoadmin_username: evoadmin
-evoadmin_ssl_subject: "/CN={{ ansible_fqdn }}"
+evoadmin_ssl_subject: "/CN={{ evoadmin_host }}"
 evoadmin_enable_vhost: True
diff --git a/evoadmin/tasks/ftp.yml b/evoadmin/tasks/ftp.yml
index e4eacabf..83913d01 100644
--- a/evoadmin/tasks/ftp.yml
+++ b/evoadmin/tasks/ftp.yml
@@ -11,6 +11,7 @@
 remote_src: no
 src: evolinux.conf.diff
 dest: /etc/proftpd/conf.d/z-evolinux.conf
+
 # Why 440? Because should be edited with ftpasswd.
 # So, readonly when opened with vim.
 # Then readable by group.
diff --git a/evoadmin/tasks/web.yml b/evoadmin/tasks/web.yml
index 7bbc67be..5c4795f0 100644
--- a/evoadmin/tasks/web.yml
+++ b/evoadmin/tasks/web.yml
@@ -40,3 +40,4 @@
 user:
 name: www-evoadmin
 groups: shadow
+ append: yes
diff --git a/evolinux-base/defaults/main.yml b/evolinux-base/defaults/main.yml
index 50635b05..26428674 100644
--- a/evolinux-base/defaults/main.yml
+++ b/evolinux-base/defaults/main.yml
@@ -135,14 +135,6 @@ evolinux_default_www_files: True
 evolinux_default_www_ssl_cert: True
 evolinux_default_www_ssl_subject: "/CN={{ ansible_fqdn }}"
-evolinux_default_www_nginx_vhost: True
-evolinux_default_www_nginx_enabled: False
-
-evolinux_default_www_apache_vhost: True
-evolinux_default_www_apache_enabled: False
-
-evolinux_default_www_redirect_url: "http://evolix.fr"
-
 # hardware
 evolinux_hardware_include: True
diff --git a/evolinux-base/tasks/default_www.yml b/evolinux-base/tasks/default_www.yml
index 0fdf03f9..b6219772 100644
--- a/evolinux-base/tasks/default_www.yml
+++ b/evolinux-base/tasks/default_www.yml
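Review bot: `append: yes` is the right fix — without it the user module replaces www-evoadmin's supplementary groups with `shadow` alone — but write it as `append: true` to match the `true`/`false` convention yamllint enforces. The `user:` task this line belongs to starts above the hunk. Membership in `shadow` gives the web user read access to /etc/shadow, which is a privilege a later reader will want justified; a one-line comment on the task stating why evoadmin needs it (the reason is not visible in this diff) would save that question.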
@@ -48,67 +48,4 @@
 creates: "/etc/ssl/certs/{{ ansible_fqdn }}.crt"
 when: evolinux_default_www_ssl_cert
-# Nginx vhost
-
-- name: is Nginx installed?
- stat:
- path: /etc/nginx/sites-available
- check_mode: no
- register: nginx_sites_available
-
-- block:
- - name: nginx vhost is installed
- template:
- src: default_www/nginx_default_site.j2
- dest: /etc/nginx/sites-available/000-default
- mode: "0640"
- # force: yes
- notify: reload nginx
- tags:
- - nginx
-
- - name: nginx vhost is enabled
- file:
- src: /etc/nginx/sites-available/000-default
- dest: /etc/nginx/sites-enabled/000-default
- state: link
- notify: reload nginx
- when: evolinux_default_www_nginx_enabled
- tags:
- - nginx
-
- when: evolinux_default_www_nginx_vhost and nginx_sites_available.stat.exists
-
-
-# Apache vhost
-
-- name: is Apache installed?
- stat:
- path: /etc/apache2/sites-available
- check_mode: no
- register: apache_sites_available
-
-- block:
- - name: Apache vhost is installed
- template:
- src: default_www/apache_default_site.j2
- dest: /etc/apache2/sites-available/000-default.conf
- mode: "0640"
- # force: yes
- notify: reload apache
- tags:
- - apache
-
- - name: Apache vhost is enabled
- file:
- src: /etc/apache2/sites-available/000-default.conf
- dest: /etc/apache2/sites-enabled/000-default.conf
- state: link
- notify: reload apache
- when: evolinux_default_www_apache_enabled
- tags:
- - apache
-
- when: evolinux_default_www_apache_vhost and apache_sites_available.stat.exists
-
 - meta: flush_handlers
diff --git a/evolinux-base/templates/default_www/index.html.j2 b/evolinux-base/templates/default_www/index.html.j2
index 25a967b4..dc8e0ce3 100644
--- a/evolinux-base/templates/default_www/index.html.j2
+++ b/evolinux-base/templates/default_www/index.html.j2
@@ -6,50 +6,49 @@
 {{ ansible_hostname }}
@@ -57,15 +56,15 @@

{{ ansible_hostname }}

-
    +
diff --git a/nginx/defaults/main.yml b/nginx/defaults/main.yml
index bff60300..10a4b83e 100644
--- a/nginx/defaults/main.yml
+++ b/nginx/defaults/main.yml
@@ -4,3 +4,9 @@ nginx_private_ipaddr_whitelist_absent: []
 nginx_private_htpasswd_present: []
 nginx_private_htpasswd_absent: []
+
+nginx_default_redirect_url: "http://evolix.fr"
+nginx_evolinux_default_enabled: True
+
+# nginx_phpmyadmin_suffix: ""
+# nginx_serverstatus_suffix: ""
diff --git a/nginx/tasks/main.yml b/nginx/tasks/main.yml
index caffaad1..0fe672a7 100644
--- a/nginx/tasks/main.yml
+++ b/nginx/tasks/main.yml
@@ -109,6 +109,60 @@
 tags:
 - nginx
+- name: nginx vhost is installed
+ template:
+ src: evolinux-default.conf.j2
+ dest: /etc/nginx/sites-available/evolinux-default.conf
+ mode: "0640"
+ notify: reload nginx
+ tags:
+ - nginx
+
+- name: default vhost is enabled
+ file:
+ src: /etc/nginx/sites-available/evolinux-default.conf
+ dest: /etc/nginx/sites-enabled/default.conf
+ state: link
+ force: yes
+ notify: reload nginx
+ when: nginx_evolinux_default_enabled
+ tags:
+ - nginx
+
+# - block:
+# - name: generate random string for phpmyadmin suffix
+# command: "apg -a 1 -M N -n 1"
+# changed_when: False
+# register: random_phpmyadmin_suffix
+#
+# - name: overwrite nginx_phpmyadmin_suffix
+# set_fact:
+# nginx_phpmyadmin_suffix: "{{ random_phpmyadmin_suffix.stdout }}"
+# when: nginx_phpmyadmin_suffix == ""
+#
+# - name: replace phpmyadmin suffix in default site index
+# replace:
+# dest: /var/www/index.html
+# regexp: '__PHPMYADMIN_SUFFIX__'
+# replace: "{{ nginx_phpmyadmin_suffix }}"
+#
+# - block:
+# - name: generate random string for serverstatus suffix
+# command: "apg -a 1 -M N -n 1"
+# changed_when: False
+# register: random_serverstatus_suffix
+#
+# - name: overwrite nginx_serverstatus_suffix
+# set_fact:
+# nginx_serverstatus_suffix: "{{ random_phpmyadmin_suffix.stdout }}"
+# when: nginx_serverstatus_suffix == ""
+#
+# - name: replace server-status suffix in default site index
+# replace:
+# dest: /var/www/index.html
+# regexp: '__SERVERSTATUS_SUFFIX__'
+# replace: "{{ nginx_serverstatus_suffix }}"
+
 - name: Verify that the service is enabled and started
 service:
 name: nginx
diff --git a/evolinux-base/templates/default_www/nginx_default_site.j2 b/nginx/templates/evolinux-default.conf.j2
similarity index 95%
rename from evolinux-base/templates/default_www/nginx_default_site.j2
rename to nginx/templates/evolinux-default.conf.j2
index 803ff4ad..1e1ceab5 100644
--- a/evolinux-base/templates/default_www/nginx_default_site.j2
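Review bot: In the commented-out serverstatus block, `nginx_serverstatus_suffix: "{{ random_phpmyadmin_suffix.stdout }}"` reads the phpmyadmin register instead of the one registered two tasks earlier; fix it before the block is ever enabled: `nginx_serverstatus_suffix: "{{ random_serverstatus_suffix.stdout }}"`. The `default vhost is enabled` task links /etc/nginx/sites-enabled/default.conf with `force: yes`, which does not touch the package's own `sites-enabled/default` link; if that link is still present on the host (not visible in this diff), both server blocks are loaded and may compete for the default server — either remove the stock link in a preceding task or reuse its name. Task names are inconsistent with the apache role (`nginx vhost is installed` here versus `default vhost is installed` there), and `force: yes` should be `force: true`.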
+++ b/nginx/templates/evolinux-default.conf.j2
@@ -18,7 +18,7 @@ server {
 access_log /var/log/nginx/access.log;
 error_log /var/log/nginx/error.log;
- error_page 403 {{ evolinux_default_www_redirect_url }};
+ error_page 403 {{ nginx_default_redirect_url }};
 root /var/www;
diff --git a/packweb-apache/tasks/web-add.yml b/packweb-apache/tasks/web-add.yml
deleted file mode 100644
index 60bc20a8..00000000
--- a/packweb-apache/tasks/web-add.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-
-# TODO: ...