---
# Task list for an Apache reverse proxy host: package installation,
# fail2ban, ModSecurity, the vhosts.d / certs-conf layout and static
# error pages. Tasks are tagged `install` or `configure` so either
# phase can be run on its own with --tags.

# Kept for reference only: a SELinux port label and a dnf module enable
# for RHEL-family hosts. They are commented out and never executed.
#- name: install - Allow Apache to listen on tcp port 9090
#  tags: install
#  seport:
#    ports: 9090
#    proto: tcp
#    setype: http_port_t
#    state: present

#- name: install - enable module openid
#  tags: install
#  shell: dnf module enable -y mod_auth_openidc
#  changed_when: false

# Base packages. The names are the Debian/Ubuntu ones (apache2,
# libapache2-mod-*), which matches the Debian-only `when` guards on
# the two OpenID tasks that follow.
- name: install - packages
  tags: install
  package:
    state: present
    name:
      - apache2
      - apache2-utils
      - modsecurity-crs
      - libapache2-mod-security2
      - libapache2-mod-perl2
      - fail2ban
      - whois
      - dialog

# OpenID module for Debian 11 only; the Debian 12 counterpart below
# installs libapache2-mod-auth-openidc instead. The `when` list form
# ANDs its entries, same as the original single expression.
- name: install - packages
  tags: install
  package:
    state: present
    name:
      - libapache2-mod-auth-openid
  when:
    - ansible_facts['distribution'] == "Debian"
    - ansible_facts['distribution_major_version'] == "11"

# OpenID Connect module for Debian 12 only (see the Debian 11 task
# above for the older mod_auth_openid package).
- name: install - packages
  tags: install
  package:
    state: present
    name:
      - libapache2-mod-auth-openidc
  when:
    - ansible_facts['distribution'] == "Debian"
    - ansible_facts['distribution_major_version'] == "12"

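# Start fail2ban now and at boot. Written as native YAML module args
# rather than the `key=value` string form, with a canonical boolean.
- name: install - enable fail2ban
  tags: install
  service:
    name: fail2ban
    state: started
    enabled: true
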
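# Directory that will hold the per-site vhost files (the vhosts.d.template
# copied later is the model for them).
- name: install - dossier vhosts.d
  tags: install
  file:
    path: /etc/apache2/vhosts.d
    state: directory
    # Quoted so the YAML parser cannot silently reinterpret the
    # leading-zero octal; Ansible still reads it as 0660.
    # NOTE(review): 0660 on a directory carries no execute (search) bit,
    # so only root (which bypasses DAC) can enter it. If any non-root
    # tooling must read vhosts.d, something like "0750" is needed —
    # confirm the intended readers before changing it.
    mode: "0660"
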
# Drop the stock Debian vhosts so only the reverse-proxy configuration
# answers on :80 / :443.
- name: install - supprime vhost par défaut
  tags: install
  file:
    path: "{{ item }}"
    state: absent
  loop:
    - /etc/apache2/sites-enabled/000-default.conf
    - /etc/apache2/sites-enabled/default-ssl.conf

# Render the jail overrides into jail.d/. The file keeps its `.local`
# name, which is presumably what fail2ban expects for overrides in
# jail.d/ — verify against the fail2ban version on the targets.
- name: configure - fail2ban
  tags: configure
  template:
    src: jail.local
    dest: /etc/fail2ban/jail.d/
  notify:
    - restart fail2ban

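# Enable the Apache modules the proxy relies on. Booleans are written
# canonically (`yes` is YAML-1.1 only). This task carries no `tags`,
# so it is skipped by a `--tags configure` run — presumably an
# oversight, confirm before adding one.
- name: configure - apache modules
  community.general.apache2_module:
    state: present
    ignore_configcheck: true
    force: true
    name: "{{ item }}"
  # NOTE(review): failed_when: false masks every failure, including a
  # module that cannot be enabled at all. For `security2` (ModSecurity)
  # and `ssl` that means the play reports success while the WAF or TLS
  # module is absent. Consider registering the result and asserting on
  # the modules that matter instead of ignoring all errors.
  failed_when: false
  loop:
    - access_compat
    - alias
    - auth_basic
    # - auth_openid
    - authn_core
    - authn_file
    - authnz_ldap
    - authz_core
    - authz_host
    - authz_user
    - autoindex
    - deflate
    - dir
    # - dump_io
    - env
    - filter
    - headers
    - include
    - lbmethod_byrequests
    - macro
    - md
    - mime
    - mpm_event
    - negotiation
    - proxy
    - proxy_ajp
    - proxy_balancer
    - proxy_connect
    - proxy_http
    - proxy_wstunnel
    - remoteip
    - reqtimeout
    - rewrite
    - security2
    - setenvif
    - ssl
    - status
    - unique_id
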
# Global Apache and ModSecurity configuration rendered from templates.
# Items are written in block style; each `dest` ends with `/` so the
# source basename is kept.
- name: configure - apache2 templates
  tags: configure
  template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
  loop:
    - src: custom_reverse_proxy.conf
      dest: /etc/apache2/conf-enabled/
    - src: custom_ssl.conf
      dest: /etc/apache2/conf-enabled/
    - src: modsecurity.conf
      dest: /etc/modsecurity/
  notify:
    - restart apache2

# Static files: the vhost model and the cron entry that drives
# purge-apache2-tmp.sh (installed into /usr/local/bin below).
# NOTE(review): no `mode` is set, so the cron.d file takes the default
# from the remote umask; many cron implementations ignore entries in
# /etc/cron.d that are group- or world-writable. Pinning mode "0644"
# would make that explicit — confirm against the targets' cron.
- name: configure - apache2 fichiers
  tags: configure
  copy:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
  loop:
    - src: vhosts.d.template
      dest: /etc/apache2/
    - src: purge-apache2-tmp
      dest: /etc/cron.d/
  notify:
    - restart apache2

# Binary assets for the custom error/maintenance pages. `images` is a
# directory source, so it presumably lands as rp_ressources/images/ —
# verify on a target if the page assets are not found.
- name: configure - httpd pages statiques
  tags: configure
  copy:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
  loop:
    - src: images
      dest: /var/www/html/rp_ressources/
    - src: pacifico.ttf
      dest: /var/www/html/rp_ressources/

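# Templated error / maintenance pages and the two robots.txt variants.
# Every `dest` is a directory path ending in `/` so the template keeps
# its own basename.
- name: configure - httpd pages statiques templates
  tags: configure
  template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
  loop:
    - src: rp_ressources/400.html
      dest: /var/www/html/rp_ressources/
    - src: rp_ressources/401.html
      dest: /var/www/html/rp_ressources/
    - src: rp_ressources/403.html
      dest: /var/www/html/rp_ressources/
    - src: rp_ressources/404.html
      dest: /var/www/html/rp_ressources/
    - src: rp_ressources/410.html
      dest: /var/www/html/rp_ressources/
    - src: rp_ressources/500.html
      dest: /var/www/html/rp_ressources/
    - src: rp_ressources/502.html
      dest: /var/www/html/rp_ressources/
    - src: rp_ressources/503.html
      dest: /var/www/html/rp_ressources/
    - src: rp_ressources/504.html
      dest: /var/www/html/rp_ressources/
    - src: rp_ressources/customization.css
      dest: /var/www/html/rp_ressources/
    - src: rp_ressources/header.html
      dest: /var/www/html/rp_ressources/
    - src: rp_ressources/robots_disabled.txt
      dest: /var/www/html/rp_ressources/
    - src: rp_ressources/robots_enabled.txt
      dest: /var/www/html/rp_ressources/
    - src: rp_maintenance/maintenance-generique.html
      dest: /var/www/html/rp_maintenance/
    # Trailing slash added: without it, and with no existing `auth`
    # directory, the rendered index.html is written as a regular file
    # literally named `auth` instead of `auth/index.html`.
    - src: rp_maintenance/auth/index.html
      dest: /var/www/html/rp_maintenance/auth/
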
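# Helper scripts installed system-wide; they are run by root (cron via
# the purge-apache2-tmp entry, operators by hand).
- name: configure - scripts et pages statiques
  tags: configure
  copy:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    # Quoted so the leading-zero octal is not reinterpreted by the YAML
    # parser. NOTE(review): the group-write bit is unnecessary for
    # root-owned scripts executed by root; "0755" would be the usual
    # least-privilege mode unless a deployment group edits them in place.
    mode: "0775"
  loop:
    - src: modsechelper.sh
      dest: /usr/local/bin/
    - src: maintenance.sh
      dest: /usr/local/bin/
    - src: purge-apache2-tmp.sh
      dest: /usr/local/bin/
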
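# Directory receiving one cert_<name>.conf per additional certificate
# (rendered by the last template task of this file).
- name: configure - dossier certs-conf
  tags: configure
  file:
    path: /etc/apache2/certs-conf
    state: directory
    # Quoted so the leading-zero octal survives YAML parsing unchanged.
    # NOTE(review): as for vhosts.d, 0660 gives the directory no search
    # bit, so only root can traverse it; confirm that is intended.
    mode: "0660"
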
# Fetch each additional certificate chain over HTTP(S) into the system
# certificate directory. Credentials come from the controller's
# environment (AAP_RESSOURCES_USER / AAP_RESSOURCES_PASSWORD).
# NOTE(review): check that task output (including -v runs) does not echo
# the password; add `no_log: true` if it does. This task has no `tags`,
# so a `--tags configure` run skips it — confirm whether that is wanted.
- name: Copie les certificats supplémentaires
  ansible.builtin.get_url:
    url: "{{ item.cert_chain_url }}"
    dest: "/etc/ssl/certs/{{ item.cert_filename }}"
    username: "{{ lookup('env', 'AAP_RESSOURCES_USER') }}"
    password: "{{ lookup('env', 'AAP_RESSOURCES_PASSWORD') }}"
    # World-readable is fine for a public certificate chain.
    mode: "u=rw,g=r,o=r"
    owner: root
    group: root
  loop: "{{ reverse_proxy_additional_certificates }}"
  notify:
    - restart apache2

# Fetch the matching private keys into /etc/ssl/private. Same credential
# source and the same missing `tags` as the certificate task above.
# NOTE(review): the key endpoint is reached with the same shared
# credentials as the public chains; make sure the download is over TLS
# (get_url validates certificates by default) and that task output does
# not echo the password.
- name: Copie les clés des certificats supplémentaires
  ansible.builtin.get_url:
    url: "{{ item.key_url }}"
    dest: "/etc/ssl/private/{{ item.key_filename }}"
    username: "{{ lookup('env', 'AAP_RESSOURCES_USER') }}"
    password: "{{ lookup('env', 'AAP_RESSOURCES_PASSWORD') }}"
    # Owner read/write, group read, nothing for others: the key must not
    # be world-readable.
    mode: "u=rw,g=r,o="
    owner: root
    group: root
  loop: "{{ reverse_proxy_additional_certificates }}"
  notify:
    - restart apache2

# One Apache snippet per additional certificate, written into the
# certs-conf directory created earlier. Untagged, like the two get_url
# tasks above.
- name: Prépare les conf pour les certificats supplémentaires
  template:
    src: cert_template.conf
    # Quoted: the value embeds a Jinja expression.
    dest: "/etc/apache2/certs-conf/cert_{{ item.name }}.conf"
  loop: "{{ reverse_proxy_additional_certificates }}"
  notify:
    - restart apache2

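# Start Apache now and at boot, in native YAML args with a canonical
# boolean instead of the `key=value` string form.
- name: install - active apache2
  tags: install
  service:
    name: apache2
    state: started
    enabled: true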