summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--playbooks/deploy.yml6
-rw-r--r--roles/admin_ssh_keys/files/misc.pub1
-rw-r--r--roles/admin_ssh_keys/tasks/main.yml6
-rw-r--r--roles/base/tasks/main.yml15
-rw-r--r--roles/httpd/0001-Remove-ssl-v3-CVE-2014-3566.patch33
-rw-r--r--roles/httpd/defaults/main.yml2
-rw-r--r--roles/httpd/files/mod_filter.conf3
-rw-r--r--roles/httpd/files/name_vhost.conf2
-rw-r--r--roles/httpd/files/remove_sslv3.conf1
-rw-r--r--roles/httpd/handlers/main.yml3
-rw-r--r--roles/httpd/tasks/main.yml51
-rw-r--r--roles/httpd/templates/vhost.conf21
-rw-r--r--roles/httpd/templates/vhost_redirect.conf16
13 files changed, 160 insertions, 0 deletions
diff --git a/playbooks/deploy.yml b/playbooks/deploy.yml
new file mode 100644
index 0000000..d0f8081
--- /dev/null
+++ b/playbooks/deploy.yml
@@ -0,0 +1,6 @@
+---
+- hosts: new
+ roles:
+ - base
+ - admin_ssh_keys
+ - httpd
diff --git a/roles/admin_ssh_keys/files/misc.pub b/roles/admin_ssh_keys/files/misc.pub
new file mode 100644
index 0000000..93597df
--- /dev/null
+++ b/roles/admin_ssh_keys/files/misc.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6XHbqNugBD9WlA3R6BZaouVsi6z9aK9aXu13I74zs9XL6DFLBZXlfAkTFPHDwcYbd5PB/0B8+T5AHmGYsBlEJGR8wFm2mUTVLoApmEKIo8m8Lf/M+vQxLOmkIqVvuMCWTb27dmLWVozKD+qtyzMXWsRT3aM6ok5WTFw/FNXM7XTOPxJaUfYexNXCRrNTt29LWc6TxIQUkeaMW/SAzttVwrQizE6Xip6nlOTT0g1yXsNajZAeQnADkmBu5CAjzGV3jsSrvEKIpXHzEVveCHRrgOXQWM7yWGTe3HGkMS9zgOJtHCQi92B/KBSeJksmWibNe5HHjjdhlmQujcHdKP4PR misc@kiora/tpm
diff --git a/roles/admin_ssh_keys/tasks/main.yml b/roles/admin_ssh_keys/tasks/main.yml
new file mode 100644
index 0000000..f07e4c2
--- /dev/null
+++ b/roles/admin_ssh_keys/tasks/main.yml
@@ -0,0 +1,6 @@
+---
+- name: install root ssh keys
+ authorized_key: user=root
+ key="{{ item }}"
+ with_file:
+ - misc.pub
diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
new file mode 100644
index 0000000..7fd4b66
--- /dev/null
+++ b/roles/base/tasks/main.yml
@@ -0,0 +1,15 @@
+---
+- name: install base rpms
+ yum: pkg={{ item }} state=installed
+ with_items:
+ - screen
+ - htop
+ - iftop
+ - iotop
+ - strace
+ - vim-enhanced
+ - tcpdump
+ - chrony
+
+- service: name=chronyd state=running enabled=yes
+
diff --git a/roles/httpd/0001-Remove-ssl-v3-CVE-2014-3566.patch b/roles/httpd/0001-Remove-ssl-v3-CVE-2014-3566.patch
new file mode 100644
index 0000000..62607b5
--- /dev/null
+++ b/roles/httpd/0001-Remove-ssl-v3-CVE-2014-3566.patch
@@ -0,0 +1,33 @@
+From ce67394ccb7eaf138330c52f9ec5062698efb8aa Mon Sep 17 00:00:00 2001
+From: Michael Scherer <mscherer@redhat.com>
+Date: Tue, 14 Oct 2014 23:36:21 -0400
+Subject: [PATCH] Remove ssl v3, CVE-2014-3566
+
+---
+ roles/httpd/files/remove_sslv3.conf | 1 +
+ roles/httpd/tasks/main.yml | 1 +
+ 2 files changed, 2 insertions(+)
+ create mode 100644 roles/httpd/files/remove_sslv3.conf
+
+diff --git a/roles/httpd/files/remove_sslv3.conf b/roles/httpd/files/remove_sslv3.conf
+new file mode 100644
+index 0000000..0872cbe
+--- /dev/null
++++ b/roles/httpd/files/remove_sslv3.conf
+@@ -0,0 +1 @@
++SSLProtocol all -SSLv2 -SSLv3
+diff --git a/roles/httpd/tasks/main.yml b/roles/httpd/tasks/main.yml
+index 98d6ade..7dfe89d 100644
+--- a/roles/httpd/tasks/main.yml
++++ b/roles/httpd/tasks/main.yml
+@@ -11,6 +11,7 @@
+ with_items:
+ - name_vhost.conf
+ - mod_filter.conf
++ - remove_sslv3.conf
+ notify: restart httpd
+
+ - template: src=vhost.conf dest=/etc/httpd/conf.d/{{ website_url }}.conf owner=root group=apache mode=0644
+--
+1.8.3.1
+
diff --git a/roles/httpd/defaults/main.yml b/roles/httpd/defaults/main.yml
new file mode 100644
index 0000000..409440c
--- /dev/null
+++ b/roles/httpd/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+log_retention_week: 8
diff --git a/roles/httpd/files/mod_filter.conf b/roles/httpd/files/mod_filter.conf
new file mode 100644
index 0000000..cde8c84
--- /dev/null
+++ b/roles/httpd/files/mod_filter.conf
@@ -0,0 +1,3 @@
+# not enabled by default on centos 6
+LoadModule filter_module modules/mod_filter.so
+
diff --git a/roles/httpd/files/name_vhost.conf b/roles/httpd/files/name_vhost.conf
new file mode 100644
index 0000000..d2d1c0d
--- /dev/null
+++ b/roles/httpd/files/name_vhost.conf
@@ -0,0 +1,2 @@
+NameVirtualHost *:443
+NameVirtualHost *:80
diff --git a/roles/httpd/files/remove_sslv3.conf b/roles/httpd/files/remove_sslv3.conf
new file mode 100644
index 0000000..0872cbe
--- /dev/null
+++ b/roles/httpd/files/remove_sslv3.conf
@@ -0,0 +1 @@
+SSLProtocol all -SSLv2 -SSLv3
diff --git a/roles/httpd/handlers/main.yml b/roles/httpd/handlers/main.yml
new file mode 100644
index 0000000..e379288
--- /dev/null
+++ b/roles/httpd/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: restart httpd
+ service: name=httpd state=restarted
diff --git a/roles/httpd/tasks/main.yml b/roles/httpd/tasks/main.yml
new file mode 100644
index 0000000..b1e7342
--- /dev/null
+++ b/roles/httpd/tasks/main.yml
@@ -0,0 +1,51 @@
+---
+- yum: name={{ item }} state=installed
+ with_items:
+ - python-passlib
+ - httpd
+ - mod_ssl
+
+- service: name=httpd state=started enabled=yes
+
+- copy: src={{ item }} dest=/etc/httpd/conf.d/{{ item }} owner=root group=apache mode=0644
+ with_items:
+ - name_vhost.conf
+ - mod_filter.conf
+ - remove_sslv3.conf
+ notify: restart httpd
+
+- template: src=vhost.conf dest=/etc/httpd/conf.d/{{ website_url }}.conf owner=root group=apache mode=0644
+ notify: restart httpd
+ when: document_root is defined
+
+- template: src=vhost_redirect.conf dest=/etc/httpd/conf.d/{{ website_url }}.conf owner=root group=apache mode=0644
+ notify: restart httpd
+ when: redirect is defined
+
+- file: state=directory path={{ document_root }} setype=httpd_sys_content_t owner=root mode=755 group=root
+ when: document_root is defined
+
+- file: path=/etc/httpd/conf.d/{{ website_url }}.conf.d/ state=directory
+ when: website_url is defined
+
+# needed for newer apache, who requires at least 1 file for include
+- file: path=/etc/httpd/conf.d/{{ website_url }}.conf.d/placeholder.conf state=touch
+ when: website_url is defined
+
+- file: path=/etc/httpd/conf.d/password_protection.conf state=absent
+ notify: restart httpd
+
+- htpasswd: path=/etc/httpd/{{ website_url }}.htpasswd name={{ website_user }} password={{ website_password }} owner=root group=apache mode=0640
+ when: website_user is defined
+
+- shell: lokkit -s {{ item }}
+ with_items:
+ - http
+ - https
+ when: ansible_distribution_major_version == '6' and (ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat')
+
+- firewalld: service={{ item }} permanent=true state=enabled
+ with_items:
+ - http
+ - https
+ when: ansible_distribution == 'Fedora' or ansible_distribution_major_version == '7'
diff --git a/roles/httpd/templates/vhost.conf b/roles/httpd/templates/vhost.conf
new file mode 100644
index 0000000..21172c9
--- /dev/null
+++ b/roles/httpd/templates/vhost.conf
@@ -0,0 +1,21 @@
+<VirtualHost *:80>
+ {% if website_password is defined %}
+ <Location />
+
+ AuthType Basic
+ AuthName "Restricted access, contact OSAS for password"
+ AuthUserFile /etc/httpd/{{ website_url }}.htpasswd
+ Require valid-user
+ </Location>
+ {% endif %}
+
+ <Directory "{{ document_root }}">
+ AllowOverride All
+ </Directory>
+
+ ServerName {{ website_url }}
+ DocumentRoot {{ document_root }}
+ Include /etc/httpd/conf.d/{{ website_url}}.conf.d/*conf
+</VirtualHost>
+
+
diff --git a/roles/httpd/templates/vhost_redirect.conf b/roles/httpd/templates/vhost_redirect.conf
new file mode 100644
index 0000000..1c93343
--- /dev/null
+++ b/roles/httpd/templates/vhost_redirect.conf
@@ -0,0 +1,16 @@
+<VirtualHost *:80>
+ {% if website_password is defined %}
+ <Location />
+
+ AuthType Basic
+ AuthName "Restricted access, contact OSAS for password"
+ AuthUserFile /etc/httpd/{{ website_url }}.htpasswd
+ Require valid-user
+ </Location>
+ {% endif %}
+
+ ServerName {{ website_url }}
+ Redirect / {{ redirect }}
+</VirtualHost>
+
+