| |
| # SELinux configuration |
| - name: set selinux to enforcing |
| selinux: state={{ httpd_selinux_mode }} policy=targeted |
| become: yes |
| when: ansible_os_family == "RedHat" |
| |
| - include: install_deps_{{ ansible_distribution }}_{{ ansible_distribution_major_version }}.yml |
| |
| - name: allow httpd to connect out to the network |
| seboolean: |
| name: httpd_can_network_connect |
| state: yes |
| persistent: yes |
| become: yes |
| notify: |
| - restart httpd |
| when: ansible_os_family == "RedHat" |
| |
| - name: Create directory for default ssl vhost certificate public cert |
| file: path="{{ httpd_default_ssl_vhost_certificate_dir[ansible_os_family] }}" state=directory owner="root" group="root" mode="755" |
| become: yes |
| |
| - name: Create directory for default ssl vhost certificate private key |
| file: path="{{ httpd_default_ssl_vhost_certificate_key_dir[ansible_os_family] }}" state=directory owner="root" group="root" mode="700" |
| become: yes |
| |
| - name: check default ssl vhost certificate for expiration in next 90 days (7776000s = 90d) |
| command: openssl x509 -checkend 7776000 -noout -in {{ httpd_default_ssl_vhost_certificate_location[ansible_os_family]}} |
| become: yes |
| register: default_vhost_ssl_cert_check |
| ignore_errors: yes |
| |
| - name: create default ssl vhost certificate |
| command: openssl req -x509 -sha256 -newkey rsa:2048 -keyout {{ httpd_default_ssl_vhost_certificate_key_location[ansible_os_family]}} -out {{ httpd_default_ssl_vhost_certificate_location[ansible_os_family]}} -days 1024 -nodes -subj '/CN={{ ansible_host }}' |
| become: yes |
| when: default_vhost_ssl_cert_check is failed |
| |
| - name: Change permissions for default ssl vhost certificate private key |
| file: path="{{ httpd_default_ssl_vhost_certificate_key_location[ansible_os_family] }}" state=file owner="root" group="root" mode="600" |
| become: yes |
| |
| - name: copy default virtual host file |
| template: src={{ httpd_default_conf_template }} dest={{ httpd_default_conf_file_location[ansible_os_family] }} backup=yes |
| become: yes |
| notify: |
| - restart httpd |
| |
| - name: copy modified ssl.conf file |
| template: src={{ httpd_ssl_conf_template }} dest={{ httpd_ssl_conf_file_location[ansible_os_family] }} backup=yes |
| become: yes |
| notify: |
| - restart httpd |
| # TODO: make the same fix (disabling SSLv3) on Debian systems too |
| when: ansible_os_family == "RedHat" |
| |
| # Gateway user data directory and SSH key |
| - name: Create user data dir {{ real_user_data_dir }} |
| file: path="{{ real_user_data_dir }}" state=directory owner="{{user}}" group="{{group}}" |
| become: yes |
| |
| # TODO: create the parent directory of the symlink if missing |
| - name: Symlink user data dir {{ user_data_dir }} to {{ real_user_data_dir }} |
| file: src="{{ real_user_data_dir }}" dest="{{ user_data_dir }}" state=link owner="{{user}}" group="{{group}}" |
| become: yes |
| when: user_data_dir != real_user_data_dir |
| |
| - name: set selinux context to allow read/write on the user data directory |
| sefcontext: |
| # For SELinux file contexts, the real path without symbolic links must be used |
| target: "{{ real_user_data_dir }}(/.*)?" |
| setype: httpd_sys_rw_content_t |
| state: present |
| become: yes |
| notify: |
| - restart httpd |
| when: ansible_os_family == "RedHat" |
| |
| - name: run restorecon on user data directory |
| command: restorecon -F -R {{ real_user_data_dir }} |
| become: yes |
| when: ansible_os_family == "RedHat" |
| |
| # Firewall settings |
| - name: Enable https and http service on public zone |
| firewalld: service="{{ item }}" permanent=true state=enabled zone=public immediate=True |
| with_items: |
| - http |
| - https |
| become: yes |
| when: ansible_os_family == "RedHat" |
| |
| - name: open firewall port {{ httpd_default_http_port }} |
| firewalld: port="{{ httpd_default_http_port }}/tcp" |
| zone=public permanent=true state=enabled immediate=yes |
| become: yes |
| when: ansible_os_family == "RedHat" |
| |
| - name: open firewall port {{ httpd_default_https_port }} |
| firewalld: port="{{ httpd_default_https_port }}/tcp" |
| zone=public permanent=true state=enabled immediate=yes |
| become: yes |
| when: ansible_os_family == "RedHat" |
| |
| # Issues with firewalld module oon Ubuntu https://github.com/ansible/ansible/issues/24855 |
| # So as workaround, just calling firewall-cmd directly for now |
| - name: Enable https and http service on public zone (Debian) |
| command: firewall-cmd --zone=public --add-service={{ item }} |
| with_items: |
| - http |
| - https |
| become: yes |
| when: ansible_os_family == "Debian" |
| |
| - name: Enable https and http service on public zone permanently (Debian) |
| command: firewall-cmd --zone=public --permanent --add-service={{ item }} |
| with_items: |
| - http |
| - https |
| become: yes |
| when: ansible_os_family == "Debian" |
| |
| - name: open firewall port {{ httpd_default_http_port }} (Debian) |
| command: firewall-cmd --zone=public --add-port={{ httpd_default_http_port}}/tcp |
| become: yes |
| when: ansible_os_family == "Debian" |
| |
| - name: open firewall port {{ httpd_default_http_port }} permanently (Debian) |
| command: firewall-cmd --zone=public --permanent --add-port={{ httpd_default_http_port}}/tcp |
| become: yes |
| when: ansible_os_family == "Debian" |
| |
| - name: open firewall port {{ httpd_default_https_port }} (Debian) |
| command: firewall-cmd --zone=public --add-port={{ httpd_default_https_port }}/tcp |
| become: yes |
| when: ansible_os_family == "Debian" |
| |
| - name: open firewall port {{ httpd_default_https_port }} permanently (Debian) |
| command: firewall-cmd --zone=public --permanent --add-port={{ httpd_default_https_port }}/tcp |
| become: yes |
| when: ansible_os_family == "Debian" |