dev-tools/ansible/roles/httpd/tasks/main.yml - airavata - Git at Google


 # SELinux configuration
 - name: set selinux to enforcing
   selinux: state={{ httpd_selinux_mode }} policy=targeted
   become: yes
   when: ansible_os_family == "RedHat"

 - include: install_deps_{{ ansible_distribution }}_{{ ansible_distribution_major_version }}.yml

 - name: allow httpd to connect out to the network
   seboolean:
     name: httpd_can_network_connect
     state: yes
     persistent: yes
   become: yes
   notify:
     - restart httpd
   when: ansible_os_family == "RedHat"

 - name: Create directory for default ssl vhost certificate public cert
   file: path="{{ httpd_default_ssl_vhost_certificate_dir[ansible_os_family] }}" state=directory owner="root" group="root" mode="755"
   become: yes

 - name: Create directory for default ssl vhost certificate private key
   file: path="{{ httpd_default_ssl_vhost_certificate_key_dir[ansible_os_family] }}" state=directory owner="root" group="root" mode="700"
   become: yes

 - name: check default ssl vhost certificate for expiration in next 90 days (7776000s = 90d)
   command: openssl x509 -checkend 7776000 -noout -in {{ httpd_default_ssl_vhost_certificate_location[ansible_os_family]}}
   become: yes
   register: default_vhost_ssl_cert_check
   ignore_errors: yes

 - name: create default ssl vhost certificate
   command: openssl req -x509 -sha256 -newkey rsa:2048 -keyout {{ httpd_default_ssl_vhost_certificate_key_location[ansible_os_family]}} -out {{ httpd_default_ssl_vhost_certificate_location[ansible_os_family]}} -days 1024 -nodes -subj '/CN={{ ansible_host }}'
   become: yes
   when: default_vhost_ssl_cert_check is failed

 - name: Change permissions for default ssl vhost certificate private key
   file: path="{{ httpd_default_ssl_vhost_certificate_key_location[ansible_os_family] }}" state=file owner="root" group="root" mode="600"
   become: yes

 - name: copy default virtual host file
   template: src={{ httpd_default_conf_template }} dest={{ httpd_default_conf_file_location[ansible_os_family] }} backup=yes
   become: yes
   notify:
     - restart httpd

 - name: copy modified ssl.conf file
   template: src={{ httpd_ssl_conf_template }} dest={{ httpd_ssl_conf_file_location[ansible_os_family] }} backup=yes
   become: yes
   notify:
     - restart httpd
   # TODO: make the same fix (disabling SSLv3) on Debian systems too
   when: ansible_os_family == "RedHat"

 # Gateway user data directory and SSH key
 - name: Create user data dir {{ real_user_data_dir }}
   file: path="{{ real_user_data_dir }}" state=directory owner="{{user}}" group="{{group}}"
   become: yes

 # TODO: create the parent directory of the symlink if missing
 - name: Symlink user data dir {{ user_data_dir }} to {{ real_user_data_dir }}
   file: src="{{ real_user_data_dir }}" dest="{{ user_data_dir }}" state=link owner="{{user}}" group="{{group}}"
   become: yes
   when: user_data_dir != real_user_data_dir

 - name: set selinux context to allow read/write on the user data directory
   sefcontext:
     # For SELinux file contexts, the real path without symbolic links must be used
     target: "{{ real_user_data_dir }}(/.*)?"
     setype: httpd_sys_rw_content_t
     state: present
   become: yes
   notify:
     - restart httpd
   when: ansible_os_family == "RedHat"

 - name: run restorecon on user data directory
   command: restorecon -F -R {{ real_user_data_dir }}
   become: yes
   when: ansible_os_family == "RedHat"

 # Firewall settings
 - name: Enable https and http service on public zone
   firewalld: service="{{ item }}" permanent=true state=enabled zone=public immediate=True
   with_items:
     - http
     - https
   become: yes
   when: ansible_os_family == "RedHat"

 - name: open firewall port {{ httpd_default_http_port }}
   firewalld: port="{{ httpd_default_http_port }}/tcp"
              zone=public permanent=true state=enabled immediate=yes
   become: yes
   when: ansible_os_family == "RedHat"

 - name: open firewall port {{ httpd_default_https_port }}
   firewalld: port="{{ httpd_default_https_port }}/tcp"
              zone=public permanent=true state=enabled immediate=yes
   become: yes
   when: ansible_os_family == "RedHat"

 # Issues with firewalld module oon Ubuntu https://github.com/ansible/ansible/issues/24855
 # So as workaround, just calling firewall-cmd directly for now
 - name: Enable https and http service on public zone (Debian)
   command: firewall-cmd --zone=public --add-service={{ item }}
   with_items:
     - http
     - https
   become: yes
   when: ansible_os_family == "Debian"

 - name: Enable https and http service on public zone permanently (Debian)
   command: firewall-cmd --zone=public --permanent --add-service={{ item }}
   with_items:
     - http
     - https
   become: yes
   when: ansible_os_family == "Debian"

 - name: open firewall port {{ httpd_default_http_port }} (Debian)
   command: firewall-cmd --zone=public --add-port={{ httpd_default_http_port}}/tcp
   become: yes
   when: ansible_os_family == "Debian"

 - name: open firewall port {{ httpd_default_http_port }} permanently (Debian)
   command: firewall-cmd --zone=public --permanent --add-port={{ httpd_default_http_port}}/tcp
   become: yes
   when: ansible_os_family == "Debian"

 - name: open firewall port {{ httpd_default_https_port }} (Debian)
   command: firewall-cmd --zone=public --add-port={{ httpd_default_https_port }}/tcp
   become: yes
   when: ansible_os_family == "Debian"

 - name: open firewall port {{ httpd_default_https_port  }} permanently (Debian)
   command: firewall-cmd --zone=public --permanent --add-port={{ httpd_default_https_port }}/tcp
   become: yes
   when: ansible_os_family == "Debian"

	# SELinux configuration
	- name: set selinux to enforcing
	selinux: state={{ httpd_selinux_mode }} policy=targeted
	become: yes
	when: ansible_os_family == "RedHat"

	- include: install_deps_{{ ansible_distribution }}_{{ ansible_distribution_major_version }}.yml

	- name: allow httpd to connect out to the network
	seboolean:
	name: httpd_can_network_connect
	state: yes
	persistent: yes
	become: yes
	notify:
	- restart httpd
	when: ansible_os_family == "RedHat"

	- name: Create directory for default ssl vhost certificate public cert
	file: path="{{ httpd_default_ssl_vhost_certificate_dir[ansible_os_family] }}" state=directory owner="root" group="root" mode="755"
	become: yes

	- name: Create directory for default ssl vhost certificate private key
	file: path="{{ httpd_default_ssl_vhost_certificate_key_dir[ansible_os_family] }}" state=directory owner="root" group="root" mode="700"
	become: yes

	- name: check default ssl vhost certificate for expiration in next 90 days (7776000s = 90d)
	command: openssl x509 -checkend 7776000 -noout -in {{ httpd_default_ssl_vhost_certificate_location[ansible_os_family]}}
	become: yes
	register: default_vhost_ssl_cert_check
	ignore_errors: yes

	- name: create default ssl vhost certificate
	command: openssl req -x509 -sha256 -newkey rsa:2048 -keyout {{ httpd_default_ssl_vhost_certificate_key_location[ansible_os_family]}} -out {{ httpd_default_ssl_vhost_certificate_location[ansible_os_family]}} -days 1024 -nodes -subj '/CN={{ ansible_host }}'
	become: yes
	when: default_vhost_ssl_cert_check is failed

	- name: Change permissions for default ssl vhost certificate private key
	file: path="{{ httpd_default_ssl_vhost_certificate_key_location[ansible_os_family] }}" state=file owner="root" group="root" mode="600"
	become: yes

	- name: copy default virtual host file
	template: src={{ httpd_default_conf_template }} dest={{ httpd_default_conf_file_location[ansible_os_family] }} backup=yes
	become: yes
	notify:
	- restart httpd

	- name: copy modified ssl.conf file
	template: src={{ httpd_ssl_conf_template }} dest={{ httpd_ssl_conf_file_location[ansible_os_family] }} backup=yes
	become: yes
	notify:
	- restart httpd
	# TODO: make the same fix (disabling SSLv3) on Debian systems too
	when: ansible_os_family == "RedHat"

	# Gateway user data directory and SSH key
	- name: Create user data dir {{ real_user_data_dir }}
	file: path="{{ real_user_data_dir }}" state=directory owner="{{user}}" group="{{group}}"
	become: yes

	# TODO: create the parent directory of the symlink if missing
	- name: Symlink user data dir {{ user_data_dir }} to {{ real_user_data_dir }}
	file: src="{{ real_user_data_dir }}" dest="{{ user_data_dir }}" state=link owner="{{user}}" group="{{group}}"
	become: yes
	when: user_data_dir != real_user_data_dir

	- name: set selinux context to allow read/write on the user data directory
	sefcontext:
	# For SELinux file contexts, the real path without symbolic links must be used
	target: "{{ real_user_data_dir }}(/.*)?"
	setype: httpd_sys_rw_content_t
	state: present
	become: yes
	notify:
	- restart httpd
	when: ansible_os_family == "RedHat"

	- name: run restorecon on user data directory
	command: restorecon -F -R {{ real_user_data_dir }}
	become: yes
	when: ansible_os_family == "RedHat"

	# Firewall settings
	- name: Enable https and http service on public zone
	firewalld: service="{{ item }}" permanent=true state=enabled zone=public immediate=True
	with_items:
	- http
	- https
	become: yes
	when: ansible_os_family == "RedHat"

	- name: open firewall port {{ httpd_default_http_port }}
	firewalld: port="{{ httpd_default_http_port }}/tcp"
	zone=public permanent=true state=enabled immediate=yes
	become: yes
	when: ansible_os_family == "RedHat"

	- name: open firewall port {{ httpd_default_https_port }}
	firewalld: port="{{ httpd_default_https_port }}/tcp"
	zone=public permanent=true state=enabled immediate=yes
	become: yes
	when: ansible_os_family == "RedHat"

	# Issues with firewalld module oon Ubuntu https://github.com/ansible/ansible/issues/24855
	# So as workaround, just calling firewall-cmd directly for now
	- name: Enable https and http service on public zone (Debian)
	command: firewall-cmd --zone=public --add-service={{ item }}
	with_items:
	- http
	- https
	become: yes
	when: ansible_os_family == "Debian"

	- name: Enable https and http service on public zone permanently (Debian)
	command: firewall-cmd --zone=public --permanent --add-service={{ item }}
	with_items:
	- http
	- https
	become: yes
	when: ansible_os_family == "Debian"

	- name: open firewall port {{ httpd_default_http_port }} (Debian)
	command: firewall-cmd --zone=public --add-port={{ httpd_default_http_port}}/tcp
	become: yes
	when: ansible_os_family == "Debian"

	- name: open firewall port {{ httpd_default_http_port }} permanently (Debian)
	command: firewall-cmd --zone=public --permanent --add-port={{ httpd_default_http_port}}/tcp
	become: yes
	when: ansible_os_family == "Debian"

	- name: open firewall port {{ httpd_default_https_port }} (Debian)
	command: firewall-cmd --zone=public --add-port={{ httpd_default_https_port }}/tcp
	become: yes
	when: ansible_os_family == "Debian"

	- name: open firewall port {{ httpd_default_https_port }} permanently (Debian)
	command: firewall-cmd --zone=public --permanent --add-port={{ httpd_default_https_port }}/tcp
	become: yes
	when: ansible_os_family == "Debian"