Ansible Role to provision Apache2 sites

ansible ansible-role apache2 automation certbot certificates iac infrastructure-as-code webserver

Go to file

AnsibleGuy cb57621b33 updated setting/header overwrite		2021-12-06 23:55:45 +01:00
.github	updated apache role to function with ansibleguy.infra_django_apache	2021-11-06 22:39:25 +01:00
defaults	updated setting/header overwrite	2021-12-06 23:55:45 +01:00
filter_plugins	created role to configure multiple apache sites, using ansibleguy.infra_certs role to generate certificates	2021-11-06 02:10:44 +01:00
meta	init	2021-11-02 22:06:52 +01:00
tasks	simplified port config	2021-12-05 23:12:54 +01:00
templates/etc/apache2/sites-available	updated setting/header overwrite	2021-12-06 23:55:45 +01:00
LICENSE.txt	init	2021-11-02 22:06:52 +01:00
README.md	updated setting/header overwrite	2021-12-06 23:55:45 +01:00
playbook.yml	init	2021-11-02 22:06:52 +01:00
requirements.yml	created role to configure multiple apache sites, using ansibleguy.infra_certs role to generate certificates	2021-11-06 02:10:44 +01:00

README.md

Apache2 Role

Ansible role to install apache2 sites on the target server.

Tested:

Debian 11

Functionality

Package installation
- Ansible dependencies (minimal)
- Apache2
Configuration
- Support for multiple sites/servers
- Two config-modes:
  - serve (default)
  - redirect
- Default config:
  - Disabled: <TLS1.2, unsecure ciphers, autoindex, servertokens/-signature, ServerSideIncludes, CGI
  - Security headers: HSTS, X-Frame, Referrer-Policy, Content-Type nosniff, X-Domain-Policy, XXS-Protection
  - Limits to prevent DDoS
  - Logging to syslog
  - Using a Self-Signed certificate
  - Modules: +ssl, headers, rewrite; -autoindex
- SSL modes (for more info see: CERT ROLE)
  - selfsigned => Generate self-signed ones
  - ca => Generate a minimal Certificate Authority and certificate signed by it
  - letsencrypt => Uses the LetsEncrypt certbot
  - existing => Copy certificate files or use existing ones
- Default opt-ins:
  - restricting methods to POST/GET/HEAD
- Default opt-outs:
  - Include the config file 'site_{{ site_name }}_app.conf' for advanced usage

Options to provide module config will be added in the future!
Also some basic mods will get a pre-config added. (prefork, evasive)

Info

Note: Most of this functionality can be opted in or out using the main defaults file and variables!
Note: this role currently only supports debian-based systems
Note: This role expects that the site's unencrypted 'server' will only redirect to its encrypted connection.
Note: If you want all domain-names to get 'caught' by a site/server you need to add an underline '*' as alias or domain!
This will also be done automatically if no domain is supplied.
Warning: Not every setting/variable you provide will be checked for validity. Bad config might break the role!
Warning: If you run a web application you might need to disable the 'Content-Security-Policy' header!
Info: To disable default settings and headers => just set their value to: ''

Requirements

Community collection and certificate role: ansible-galaxy install -r requirements.yml

Usage

Config

Define the apache dictionary as needed!

apache:
  headers:
    mySuperCustom: 'headerContent'

  modules:
    present: ['evasive', 'ssl', 'headers', 'rewrite']

  guys_statics:
    mode: 'serve'
    domain: 'static.guy.net'
    serve:
      path: '/var/www/static'

    ssl:
      mode: 'ca'  # create minimal ca with signed server-certificate

    config:
      KeepAliveTimeout: 10

  git_stuff:
    mode: 'redirect'
    domain: 'ansibleguy.net'
    aliases: ['www.ansibleguy.net']
    redirect:
      target: 'https://github.com/ansibleguy'

    ssl:
      mode: 'letsencrypt'

    letsencrypt:
      email: 'apache@template.ansibleguy.net'

Execution

Run the playbook:

ansible-playbook -K -D -i inventory/hosts.yml playbook.yml

There are also some useful tags available:

base => only configure basics; sites will not be touched
sites
config => configuration (base and instances)
certs