ansible-role-reverse_proxy/tasks/main.yml


#- name: install - Allow Apache to listen on tcp port 9090
# tags: install
# seport:
# ports: 9090
# proto: tcp
# setype: http_port_t
# state: present
#- name: install - enable module openid
# tags: install
# shell: dnf module enable -y mod_auth_openidc
# changed_when: false
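- name: install - packages
  # Base stack: Apache, the ModSecurity engine plus OWASP Core Rule Set (the WAF),
  # fail2ban for log-driven banning, and the helper tools the role's scripts use.
  tags: install
  ansible.builtin.package:
    state: present
    name:
      - apache2
      - apache2-utils
      - modsecurity-crs
      - libapache2-mod-security2
      - libapache2-mod-perl2
      - fail2ban
      - whois
      - dialog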
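- name: install - packages
  # Debian 11 only: the OpenID auth module package; Debian 12 uses the
  # -openidc package installed by the following task.
  tags: install
  ansible.builtin.package:
    state: present
    name:
      - libapache2-mod-auth-openid
  when: (ansible_facts['distribution'] == "Debian" and ansible_facts['distribution_major_version'] == "11")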
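- name: install - packages
  # Debian 12 only: the OpenID Connect auth module package (the Debian 11
  # equivalent is installed by the previous task).
  tags: install
  ansible.builtin.package:
    state: present
    name:
      - libapache2-mod-auth-openidc
  when: (ansible_facts['distribution'] == "Debian" and ansible_facts['distribution_major_version'] == "12")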
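- name: install - enable fail2ban
  # Start fail2ban now and at boot. Native YAML module args instead of the
  # key=value shorthand, and a real boolean instead of `enabled=yes`.
  tags: install
  ansible.builtin.service:
    name: fail2ban
    state: started
    enabled: true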
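- name: install - dossier vhosts.d
  # Directory that receives the per-site vhost files (see vhosts.d.template below).
  tags: install
  ansible.builtin.file:
    path: /etc/apache2/vhosts.d
    state: directory
    # Quoted so Ansible receives the octal string rather than a YAML 1.1 integer.
    # NOTE(review): 0660 on a directory carries no execute bit, so only a root
    # process can traverse it; presumably fine because Apache reads its config as
    # root, but "0750" is the conventional mode for a config directory — confirm.
    mode: "0660"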
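- name: install - supprime vhost par défaut
  # Remove the distribution's default vhosts so only the role's configuration
  # is served.
  tags: install
  ansible.builtin.file:
    path: "{{ item }}"
    state: absent
  loop:
    - /etc/apache2/sites-enabled/000-default.conf
    - /etc/apache2/sites-enabled/default-ssl.conf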
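- name: configure - fail2ban
  # dest is a directory (trailing slash), so the rendered file is written as
  # /etc/fail2ban/jail.d/jail.local and fail2ban is restarted via the handler.
  tags: configure
  ansible.builtin.template:
    src: jail.local
    dest: /etc/fail2ban/jail.d/
  notify:
    - restart fail2ban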
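- name: configure - apache modules
  # NOTE(review): this task has no `tags:` unlike the sibling configure tasks,
  # so it is skipped when the play runs with `--tags configure` — confirm that
  # is intended.
  community.general.apache2_module:
    state: present
    # These two flags together with `failed_when: false` below mean that a
    # module which cannot be enabled — including security2 (the ModSecurity WAF)
    # and ssl — is silently skipped and the play carries on. Consider
    # registering the result and failing on the modules the vhost templates
    # depend on, so a missing WAF is noticed at deploy time rather than later.
    ignore_configcheck: true
    force: true
    name: "{{ item }}"
  failed_when: false
  loop:
    - access_compat
    - alias
    - auth_basic
    # - auth_openid
    - authn_core
    - authn_file
    - authnz_ldap
    - authz_core
    - authz_host
    - authz_user
    - autoindex
    - deflate
    - dir
    # - dump_io
    - env
    - filter
    - headers
    - include
    - lbmethod_byrequests
    - macro
    - md
    - mime
    - mpm_event
    - negotiation
    - proxy
    - proxy_ajp
    - proxy_balancer
    - proxy_connect
    - proxy_http
    - proxy_wstunnel
    - remoteip
    - reqtimeout
    - rewrite
    - security2
    - setenvif
    - ssl
    - status
    - unique_id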
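- name: configure - apache2 templates
  # Render the global reverse-proxy, TLS and ModSecurity configuration. Each
  # dest is a directory, so the file keeps its template basename.
  tags: configure
  ansible.builtin.template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
  loop:
    - src: custom_reverse_proxy.conf
      dest: /etc/apache2/conf-enabled/
    - src: custom_ssl.conf
      dest: /etc/apache2/conf-enabled/
    - src: modsecurity.conf
      dest: /etc/modsecurity/
  notify:
    - restart apache2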
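- name: configure - apache2 fichiers
  # Static (non-templated) files: the vhost skeleton and the cron job that
  # drives purge-apache2-tmp.sh.
  tags: configure
  ansible.builtin.copy:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
  loop:
    - src: vhosts.d.template
      dest: /etc/apache2/
    - src: purge-apache2-tmp
      dest: /etc/cron.d/
  notify:
    - restart apache2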
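- name: configure - httpd pages statiques
  # Assets for the custom error/maintenance pages. `images` is presumably a
  # directory in files/ and is copied recursively — confirm.
  tags: configure
  ansible.builtin.copy:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
  loop:
    - src: images
      dest: /var/www/html/rp_ressources/
    - src: pacifico.ttf
      dest: /var/www/html/rp_ressources/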
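- name: configure - httpd pages statiques templates
  # Rendered error pages, robots.txt variants and the maintenance page. Every
  # dest ends with "/" so the template module writes <dest>/<basename>; the
  # last entry previously lacked the slash, which writes a file literally
  # named "auth" when that directory does not already exist.
  # NOTE(review): the rp_maintenance/auth directory is not created in this
  # file — confirm it exists (or is created elsewhere) before this task runs.
  tags: configure
  ansible.builtin.template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
  loop:
    - src: rp_ressources/400.html
      dest: /var/www/html/rp_ressources/
    - src: rp_ressources/401.html
      dest: /var/www/html/rp_ressources/
    - src: rp_ressources/403.html
      dest: /var/www/html/rp_ressources/
    - src: rp_ressources/404.html
      dest: /var/www/html/rp_ressources/
    - src: rp_ressources/410.html
      dest: /var/www/html/rp_ressources/
    - src: rp_ressources/500.html
      dest: /var/www/html/rp_ressources/
    - src: rp_ressources/502.html
      dest: /var/www/html/rp_ressources/
    - src: rp_ressources/503.html
      dest: /var/www/html/rp_ressources/
    - src: rp_ressources/504.html
      dest: /var/www/html/rp_ressources/
    - src: rp_ressources/customization.css
      dest: /var/www/html/rp_ressources/
    - src: rp_ressources/header.html
      dest: /var/www/html/rp_ressources/
    - src: rp_ressources/robots_disabled.txt
      dest: /var/www/html/rp_ressources/
    - src: rp_ressources/robots_enabled.txt
      dest: /var/www/html/rp_ressources/
    - src: rp_maintenance/maintenance-generique.html
      dest: /var/www/html/rp_maintenance/
    - src: rp_maintenance/auth/index.html
      dest: /var/www/html/rp_maintenance/auth/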
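- name: configure - scripts et pages statiques
  # Operator scripts installed on the PATH. One of them is run from the
  # cron.d entry deployed above, i.e. with root privileges.
  tags: configure
  ansible.builtin.copy:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    # Quoted so Ansible receives the octal string rather than a YAML 1.1 integer.
    # NOTE(review): 0775 makes root-executed scripts group-writable; no owner/
    # group is set, so they belong to the connecting user's group. "0755" is the
    # usual mode for /usr/local/bin unless group write is really needed — confirm.
    mode: "0775"
  loop:
    - src: modsechelper.sh
      dest: /usr/local/bin/
    - src: maintenance.sh
      dest: /usr/local/bin/
    - src: purge-apache2-tmp.sh
      dest: /usr/local/bin/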
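- name: configure - dossier certs-conf
  # Holds one rendered cert_<name>.conf per additional certificate (see below).
  tags: configure
  ansible.builtin.file:
    path: /etc/apache2/certs-conf
    state: directory
    # Quoted so Ansible receives the octal string rather than a YAML 1.1 integer.
    # NOTE(review): same remark as for vhosts.d — a directory without the execute
    # bit is only traversable by root; "0750" is the conventional choice — confirm.
    mode: "0660"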
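- name: Copie les certificats supplémentaires
  # Download each extra certificate chain from an authenticated URL. The
  # credentials come from the controller environment (AAP_RESSOURCES_USER /
  # AAP_RESSOURCES_PASSWORD), not from inventory, and the module masks the
  # password in its own output. Leave `validate_certs` at its default (true)
  # so the download itself is authenticated.
  # NOTE(review): item.cert_filename is used verbatim as a path component under
  # /etc/ssl/certs/ — assumed to be a bare filename from trusted inventory; confirm.
  ansible.builtin.get_url:
    url: "{{ item.cert_chain_url }}"
    dest: "/etc/ssl/certs/{{ item.cert_filename }}"
    username: "{{ lookup('env', 'AAP_RESSOURCES_USER') }}"
    password: "{{ lookup('env', 'AAP_RESSOURCES_PASSWORD') }}"
    mode: u=rw,g=r,o=r
    owner: root
    group: root
  loop: "{{ reverse_proxy_additional_certificates }}"
  notify:
    - restart apache2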
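- name: Copie les clés des certificats supplémentaires
  # Download each private key into /etc/ssl/private with the same credentials
  # as the certificate task. Leave `validate_certs` at its default (true): a
  # key fetched over an unauthenticated channel is not private.
  # NOTE(review): consider `no_log: true` on this task so the per-item result
  # (key URL, destination) never lands in job logs; the module already masks
  # the password itself.
  ansible.builtin.get_url:
    url: "{{ item.key_url }}"
    dest: "/etc/ssl/private/{{ item.key_filename }}"
    username: "{{ lookup('env', 'AAP_RESSOURCES_USER') }}"
    password: "{{ lookup('env', 'AAP_RESSOURCES_PASSWORD') }}"
    # World-unreadable but group(root)-readable. If nothing outside root needs
    # the key, u=rw,g=,o= (0600) is the tighter choice — confirm.
    mode: u=rw,g=r,o=
    owner: root
    group: root
  loop: "{{ reverse_proxy_additional_certificates }}"
  notify:
    - restart apache2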
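- name: Prépare les conf pour les certificats supplémentaires
  # One Apache snippet per extra certificate, rendered from cert_template.conf.
  # NOTE(review): item.name becomes part of the destination path — assumed to be a
  # plain identifier (no "/" or "..") from trusted inventory; confirm.
  ansible.builtin.template:
    src: "cert_template.conf"
    dest: "/etc/apache2/certs-conf/cert_{{ item.name }}.conf"
  loop: "{{ reverse_proxy_additional_certificates }}"
  notify:
    - restart apache2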
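- name: install - active apache2
  # Start Apache now and at boot, once all configuration above is in place.
  # Native YAML module args and a real boolean instead of `enabled=yes`.
  tags: install
  ansible.builtin.service:
    name: apache2
    state: started
    enabled: true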