ansible-roles/apache/tasks/main.yml

208 lines
4.7 KiB
YAML

- name: packages are installed
apt:
name: '{{ item }}'
state: present
with_items:
- apache2
- apache2-mpm-prefork
- apachetop
- libwww-perl
tags:
- apache
- name: manually disable mpm_event
command: a2dismod mpm_event
register: cmd_disable_event
changed_when: "'Module mpm_event already disabled' not in cmd_disable_event.stdout"
- name: manually enable mpm_prefork
command: a2enmod mpm_prefork
register: cmd_disable_prefork
changed_when: "'Module mpm_prefork already enabled' not in cmd_disable_prefork.stdout"
# With Ansible 2.2 the module check the config for conflicts
# With 2.3 it can be disabled.
# https://docs.ansible.com/ansible/apache2_module_module.html
# - name: mpm_event modules is disabled
# apache2_module:
# name: '{{ item }}'
# state: absent
# with_items:
# - mpm_event
# tags:
# - apache
- name: basic modules are enabled
apache2_module:
name: '{{ item }}'
state: present
with_items:
- rewrite
- expires
- headers
- cgi
- ssl
tags:
- apache
- name: Copy Apache defaults config file
copy:
src: evolinux-defaults.conf
dest: "/etc/apache2/conf-available/z-evolinux-defaults.conf"
owner: root
group: root
mode: "0644"
force: yes
tags:
- apache
- name: Copy Apache custom config file
copy:
src: evolinux-custom.conf
dest: "/etc/apache2/conf-available/zzz-evolinux-custom.conf"
owner: root
group: root
mode: "0644"
force: no
tags:
- apache
- name: Copy Apache SSL (strong security) config file
copy:
src: evolinux-ssl.conf
dest: "/etc/apache2/conf-available/evolinux-ssl.conf"
owner: root
group: root
mode: "0644"
force: no
tags:
- apache
- name: Ensure Apache config files are enabled
command: "a2enconf {{ item }}"
register: command_result
changed_when: "'Enabling' in command_result.stderr"
with_items:
- z-evolinux-defaults.conf
- zzz-evolinux-custom.conf
- evolinux-ssl.conf
tags:
- apache
- name: Init private_ipaddr_whitelist.conf file
copy:
src: private_ipaddr_whitelist.conf
dest: /etc/apache2/private_ipaddr_whitelist.conf
owner: root
group: root
mode: "0640"
force: no
tags:
- apache
- name: add IP addresses to private IP whitelist
lineinfile:
dest: /etc/apache2/private_ipaddr_whitelist.conf
line: "Allow from {{ item }}"
state: present
with_items: "{{ apache_private_ipaddr_whitelist_present }}"
notify: reload apache
tags:
- apache
- name: remove IP addresses from private IP whitelist
lineinfile:
dest: /etc/apache2/private_ipaddr_whitelist.conf
line: "Allow from {{ item }}"
state: absent
with_items: "{{ apache_private_ipaddr_whitelist_absent }}"
notify: reload apache
tags:
- apache
- name: Copy private_htpasswd
copy:
src: private_htpasswd
dest: /etc/apache2/private_htpasswd
owner: root
group: root
mode: "0640"
force: no
notify: reload apache
tags:
- apache
- name: add user:pwd to private htpasswd
lineinfile:
dest: /etc/apache2/private_htpasswd
line: "{{ item }}"
state: present
with_items: "{{ apache_private_htpasswd_present }}"
notify: reload apache
tags:
- apache
- name: remove user:pwd from private htpasswd
lineinfile:
dest: /etc/apache2/private_htpasswd
line: "{{ item }}"
state: absent
with_items: "{{ apache_private_htpasswd_absent }}"
notify: reload apache
tags:
- apache
- name: default vhost is installed
template:
src: evolinux-default.conf.j2
dest: /etc/apache2/sites-available/000-evolinux-default.conf
mode: "0640"
# force: yes
notify: reload apache
tags:
- apache
- name: default vhost is enabled
file:
src: /etc/apache2/sites-available/000-evolinux-default.conf
dest: /etc/apache2/sites-enabled/000-default.conf
state: link
force: yes
notify: reload apache
when: apache_evolinux_default_enabled
tags:
- apache
- name: replace phpmyadmin suffix in default site index
replace:
dest: /var/www/index.html
regexp: '__PHPMYADMIN_SUFFIX__'
replace: "{{ apache_phpmyadmin_suffix }}"
- name: replace server-status suffix in default site index
replace:
dest: /var/www/index.html
regexp: '__SERVERSTATUS_SUFFIX__'
replace: "{{ apache_serverstatus_suffix }}"
- name: is umask already present?
command: "grep -E '^umask ' /etc/apache2/envvars"
failed_when: False
changed_when: False
register: envvar_grep_umask
check_mode: no
tags:
- apache
- name: Add a mark in envvars for umask
blockinfile:
dest: /etc/apache2/envvars
marker: "## {mark} ANSIBLE MANAGED BLOCK"
block: |
## Set umask for writing by Apache user.
## Set rights on files and directories written by Apache
umask 007
when: envvar_grep_umask.rc != 0
tags:
- apache