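# Reverse-proxy role tasks (Debian/apache2 flavour).
# Tags: "install" = packages, directories and services; "configure" = rendered
# configuration, modules and static content. Tasks that carry no tag are skipped
# whenever the play is run with --tags, so every task below is tagged.
#
# RHEL-family equivalents kept for reference (SELinux port label, dnf module
# stream); they are not active.
# - name: install - Allow Apache to listen on tcp port 9090
#   tags: install
#   seport:
#     ports: 9090
#     proto: tcp
#     setype: http_port_t
#     state: present
# - name: install - enable module openid
#   tags: install
#   shell: dnf module enable -y mod_auth_openidc
#   changed_when: false

- name: install - packages
  tags: install
  package:
    state: present
    name:
      - apache2
      - apache2-utils
      - modsecurity-crs
      - libapache2-mod-security2
      - libapache2-mod-perl2
      - fail2ban
      - whois
      - dialog

# The OpenID module package was renamed between Debian 11 and 12.
- name: install - packages
  tags: install
  package:
    state: present
    name:
      - libapache2-mod-auth-openid
  when:
    - ansible_facts['distribution'] == "Debian"
    - ansible_facts['distribution_major_version'] == "11"

- name: install - packages
  tags: install
  package:
    state: present
    name:
      - libapache2-mod-auth-openidc
  when:
    - ansible_facts['distribution'] == "Debian"
    - ansible_facts['distribution_major_version'] == "12"

- name: install - enable fail2ban
  tags: install
  service:
    name: fail2ban
    state: started
    enabled: true

# Directories need the execute bit to be traversable; the previous 0660 produced
# a directory that non-root users could not enter. Modes are quoted so the YAML
# parser does not reinterpret the leading zero.
- name: install - dossier vhosts.d
  tags: install
  file:
    path: /etc/apache2/vhosts.d
    state: directory
    mode: "0750"

- name: install - supprime vhost par défaut
  tags: install
  file:
    path: "{{ item }}"
    state: absent
  loop:
    - /etc/apache2/sites-enabled/000-default.conf
    - /etc/apache2/sites-enabled/default-ssl.conf

# Template dest ends with "/" so the rendered file keeps the source basename.
- name: configure - fail2ban
  tags: configure
  template:
    src: jail.local
    dest: /etc/fail2ban/jail.d/
  notify:
    - restart fail2ban

# failed_when: false keeps the loop going when a module is not installed on the
# host, but it also hides a failure to enable security2 (the WAF) or ssl.
# NOTE(review): consider checking the enabled module list afterwards rather than
# relying on this task's output.
- name: configure - apache modules
  tags: configure
  community.general.apache2_module:
    state: present
    ignore_configcheck: true
    force: true
    name: "{{ item }}"
  failed_when: false
  loop:
    - access_compat
    - alias
    - auth_basic
    # - auth_openid
    - authn_core
    - authn_file
    - authnz_ldap
    - authz_core
    - authz_host
    - authz_user
    - autoindex
    - deflate
    - dir
    # - dump_io
    - env
    - filter
    - headers
    - include
    - lbmethod_byrequests
    - macro
    - md
    - mime
    - mpm_event
    - negotiation
    - proxy
    - proxy_ajp
    - proxy_balancer
    - proxy_connect
    - proxy_http
    - proxy_wstunnel
    - remoteip
    - reqtimeout
    - rewrite
    - security2
    - setenvif
    - ssl
    - status
    - unique_id

- name: configure - apache2 templates
  tags: configure
  template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
  loop:
    - { src: custom_reverse_proxy.conf, dest: /etc/apache2/conf-enabled/ }
    - { src: custom_ssl.conf, dest: /etc/apache2/conf-enabled/ }
    - { src: modsecurity.conf, dest: /etc/modsecurity/ }
  notify:
    - restart apache2

# Explicit 0644: cron ignores /etc/cron.d entries that are group/world writable,
# so the mode must not depend on the remote umask.
- name: configure - apache2 fichiers
  tags: configure
  copy:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    mode: "0644"
  loop:
    - { src: vhosts.d.template, dest: /etc/apache2/ }
    - { src: purge-apache2-tmp, dest: /etc/cron.d/ }
  notify:
    - restart apache2

- name: configure - httpd pages statiques
  tags: configure
  copy:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
  loop:
    - { src: images, dest: /var/www/html/rp_ressources/ }
    - { src: pacifico.ttf, dest: /var/www/html/rp_ressources/ }

# Every dest is a directory (trailing "/") so each template lands under its own
# basename. The target directories are expected to exist already — they are not
# created in this file; TODO confirm where rp_maintenance/auth is created.
- name: configure - httpd pages statiques templates
  tags: configure
  template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
  loop:
    - { src: rp_ressources/400.html, dest: /var/www/html/rp_ressources/ }
    - { src: rp_ressources/401.html, dest: /var/www/html/rp_ressources/ }
    - { src: rp_ressources/403.html, dest: /var/www/html/rp_ressources/ }
    - { src: rp_ressources/404.html, dest: /var/www/html/rp_ressources/ }
    - { src: rp_ressources/410.html, dest: /var/www/html/rp_ressources/ }
    - { src: rp_ressources/500.html, dest: /var/www/html/rp_ressources/ }
    - { src: rp_ressources/502.html, dest: /var/www/html/rp_ressources/ }
    - { src: rp_ressources/503.html, dest: /var/www/html/rp_ressources/ }
    - { src: rp_ressources/504.html, dest: /var/www/html/rp_ressources/ }
    - { src: rp_ressources/customization.css, dest: /var/www/html/rp_ressources/ }
    - { src: rp_ressources/header.html, dest: /var/www/html/rp_ressources/ }
    - { src: rp_ressources/robots_disabled.txt, dest: /var/www/html/rp_ressources/ }
    - { src: rp_ressources/robots_enabled.txt, dest: /var/www/html/rp_ressources/ }
    - { src: rp_maintenance/maintenance-generique.html, dest: /var/www/html/rp_maintenance/ }
    - { src: rp_maintenance/auth/index.html, dest: /var/www/html/rp_maintenance/auth/ }

# Helper scripts on PATH: owner-writable only (was 0775, group-writable).
- name: configure - scripts et pages statiques
  tags: configure
  copy:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    mode: "0755"
  loop:
    - { src: modsechelper.sh, dest: /usr/local/bin/ }
    - { src: maintenance.sh, dest: /usr/local/bin/ }
    - { src: purge-apache2-tmp.sh, dest: /usr/local/bin/ }

- name: configure - dossier certs-conf
  tags: configure
  file:
    path: /etc/apache2/certs-conf
    state: directory
    mode: "0750"

# Additional certificates are fetched from an authenticated artifact store; the
# credentials come from the controller environment, never from the inventory.
# reverse_proxy_additional_certificates is a list of mappings with at least
# name, cert_chain_url, cert_filename, key_url and key_filename.
- name: Copie les certificats supplémentaires
  tags: configure
  ansible.builtin.get_url:
    url: "{{ item.cert_chain_url }}"
    dest: "/etc/ssl/certs/{{ item.cert_filename }}"
    username: "{{ lookup('env', 'AAP_RESSOURCES_USER') }}"
    password: "{{ lookup('env', 'AAP_RESSOURCES_PASSWORD') }}"
    mode: "u=rw,g=r,o=r"
    owner: root
    group: root
  loop: "{{ reverse_proxy_additional_certificates }}"
  notify:
    - restart apache2

# Private keys are read by apache2 as root at startup/reload, so no group or
# world access is needed (was g=r).
- name: Copie les clés des certificats supplémentaires
  tags: configure
  ansible.builtin.get_url:
    url: "{{ item.key_url }}"
    dest: "/etc/ssl/private/{{ item.key_filename }}"
    username: "{{ lookup('env', 'AAP_RESSOURCES_USER') }}"
    password: "{{ lookup('env', 'AAP_RESSOURCES_PASSWORD') }}"
    mode: "u=rw,g=,o="
    owner: root
    group: root
  loop: "{{ reverse_proxy_additional_certificates }}"
  notify:
    - restart apache2

- name: Prépare les conf pour les certificats supplémentaires
  tags: configure
  template:
    src: "cert_template.conf"
    dest: "/etc/apache2/certs-conf/cert_{{ item.name }}.conf"
  loop: "{{ reverse_proxy_additional_certificates }}"
  notify:
    - restart apache2

- name: install - active apache2
  tags: install
  service:
    name: apache2
    state: started
    enabled: true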