public_git
/
ansibleguy.infra_apache
mirror of https://github.com/ansibleguy/infra_apache.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Ansible Role to provision Apache2 sites
99 Commits 1 Branch 0 Tags 278 KiB
Jinja 84.6%
Python 15.4%
Go to file
Rath Pascal 2be30f1ab0 update ci 2025-02-15 13:03:59 +01:00
.github update ci 2025-02-15 13:03:59 +01:00
defaults/main remove deprecated X-XSS-Protection header 2024-09-06 14:33:18 +02:00
filter_plugins lint fixes 2023-01-21 17:34:57 +01:00
meta change role licenses 2024-07-20 18:39:03 +02:00
molecule/default update default cert-type to snakeoil 2024-08-05 21:51:53 +02:00
tasks updated user-input matching 2024-05-04 18:20:21 +02:00
templates/etc/apache2/sites-available added denial of TRACE and CONNECT methods 2023-08-25 19:27:14 +02:00
.ansible-lint.yml lint fixes 2023-01-05 21:38:08 +01:00
.pylintrc update pylint config 2024-10-06 13:40:27 +02:00
.yamllint update ci 2025-02-15 12:57:29 +01:00
LICENSE.txt update role license 2024-07-21 07:14:40 +02:00
README.md update ci 2025-02-15 09:25:38 +01:00
playbook.yml lint fix 2023-06-28 21:19:58 +02:00
requirements.yml lint fix 2023-01-21 17:43:41 +01:00
requirements_lint.txt added lints as github-workflow 2023-06-28 20:56:17 +02:00

README.md

Apache2

Ansible Role - Apache2 Webserver

Ansible Role to deploy one or multiple Apache2 sites on a linux server.

Lint Ansible Galaxy

Molecule Integration-Tests:

Internal CI: Tester Role | Jobs API

Tested:

  • Debian 11
  • Debian 12

Install

# latest
ansible-galaxy role install git+https://github.com/ansibleguy/infra_apache

# from galaxy
ansible-galaxy install ansibleguy.infra_apache

# or to custom role-path
ansible-galaxy install ansibleguy.infra_apache --roles-path ./roles

# install dependencies
ansible-galaxy install -r requirements.yml

Advertisement

Usage

Config

Define the apache dictionary as needed!

apache:
  headers:
    mySuperCustom: 'headerContent'

  modules:
    present: ['evasive', 'ssl', 'headers', 'rewrite']

  guys_statics:
    mode: 'serve'
    domain: 'static.guy.net'
    serve:
      path: '/var/www/site_guys_statics'

    ssl:
      mode: 'snakeoil'

    config:  # add settings as key-value pairs
      KeepAliveTimeout: 10
    config_additions:   # add a list of custom lines of config
      - 'location = / { return 301 /kitty.jpg; }'

  git_stuff:
    mode: 'redirect'
    domain: 'ansibleguy.net'
    aliases: ['www.ansibleguy.net']
    redirect:
      target: 'https://github.com/ansibleguy'

    ssl:
      mode: 'letsencrypt'

    letsencrypt:
      email: 'apache@template.ansibleguy.net'

    security:
      restrict_methods: false

Execution

Run the playbook:

ansible-playbook -K -D -i inventory/hosts.yml playbook.yml

There are also some useful tags available:

  • base => only configure basics; sites will not be touched
  • sites
  • config => configuration (base and instances)
  • certs

To debug errors - you can set the 'debug' variable at runtime:

ansible-playbook -K -D -i inventory/hosts.yml playbook.yml -e debug=yes

Functionality

  • Package installation

    • Ansible dependencies (minimal)
    • Apache2

  • Configuration

    • Support for multiple sites/servers

    • Two config-modes:

      • serve (default)
      • redirect

    • Support for specific configurations using the 'config' and 'config_additions' parameters

    • Default config:

      • Disabled: <TLS1.2, unsecure ciphers, autoindex, servertokens/-signature, ServerSideIncludes, CGI
      • Security headers: HSTS, X-Frame, Referrer-Policy, Content-Type nosniff, X-Domain-Policy, XXS-Protection
      • Limits to prevent DDoS
      • Using a Self-Signed certificate
      • Modules: +ssl, +http2, headers, rewrite; -autoindex
      • HTTP2 enabled with fallback to HTTP1.1
      • IPv6 support disabled (at least one ipv6 address MUST EXIST)

    • SSL modes (for more info see: CERT ROLE)

      • selfsigned => Generate self-signed ones
      • ca => Generate a minimal Certificate Authority and certificate signed by it
      • letsencrypt => Uses the LetsEncrypt certbot
      • existing => Copy certificate files or use existing ones

    • Default opt-ins:

      • restricting methods to POST/GET/HEAD
      • status-page listener on localhost
      • Logging to syslog
      • http2

    • Default opt-outs:

      • Include the config file 'sites-available/site_{{ site_name }}_app.conf' for advanced usage

Options to provide module config will be added in the future!
Also some basic mods will get a pre-config added. (prefork, evasive)

Info

  • Note: Most of the role's functionality can be opted in or out.

    For all available options - see the default-config located in the main/site defaults-file!

  • Note: this role currently only supports debian-based systems

  • Note: This role expects that the site's unencrypted 'server' will only redirect to its encrypted connection.

  • Note: If you want any requested domain to get handled by a site/server you need to add a wildcard '*' as alias!

    BUT: You still have to provide a main domain!

  • Warning: Not every setting/variable you provide will be checked for validity. Bad config might break the role!

  • Info: To disable default settings and headers => just set their value to: ''

  • Info: For LetsEncrypt renewal to work, you must allow outgoing connections to:

    80/tcp, 443/tcp+udp to acme-v02.api.letsencrypt.org, staging-v02.api.letsencrypt.org (debug mode) and r3.o.lencr.org