From dd06fb0a56feba126cce5ef75e84e23eb72fe7aa Mon Sep 17 00:00:00 2001
From: Michael Scherer
Date: Wed, 15 Oct 2014 16:55:11 -0400
Subject: Add playbook and httpd and the rest
---
 playbooks/deploy.yml | 6 +++
 roles/admin_ssh_keys/files/misc.pub | 1 +
 roles/admin_ssh_keys/tasks/main.yml | 6 +++
 roles/base/tasks/main.yml | 15 +++++++
 roles/httpd/0001-Remove-ssl-v3-CVE-2014-3566.patch | 33 ++++++++++++++
 roles/httpd/defaults/main.yml | 2 +
 roles/httpd/files/mod_filter.conf | 3 ++
 roles/httpd/files/name_vhost.conf | 2 +
 roles/httpd/files/remove_sslv3.conf | 1 +
 roles/httpd/handlers/main.yml | 3 ++
 roles/httpd/tasks/main.yml | 51 ++++++++++++++++++++++
 roles/httpd/templates/vhost.conf | 21 +++++++++
 roles/httpd/templates/vhost_redirect.conf | 16 +++++++
 13 files changed, 160 insertions(+)
 create mode 100644 playbooks/deploy.yml
 create mode 100644 roles/admin_ssh_keys/files/misc.pub
 create mode 100644 roles/admin_ssh_keys/tasks/main.yml
 create mode 100644 roles/base/tasks/main.yml
 create mode 100644 roles/httpd/0001-Remove-ssl-v3-CVE-2014-3566.patch
 create mode 100644 roles/httpd/defaults/main.yml
 create mode 100644 roles/httpd/files/mod_filter.conf
 create mode 100644 roles/httpd/files/name_vhost.conf
 create mode 100644 roles/httpd/files/remove_sslv3.conf
 create mode 100644 roles/httpd/handlers/main.yml
 create mode 100644 roles/httpd/tasks/main.yml
 create mode 100644 roles/httpd/templates/vhost.conf
 create mode 100644 roles/httpd/templates/vhost_redirect.conf
diff --git a/playbooks/deploy.yml b/playbooks/deploy.yml
new file mode 100644
index 0000000..d0f8081
--- /dev/null
+++ b/playbooks/deploy.yml
@@ -0,0 +1,6 @@
+---
+- hosts: new
+ roles:
+ - base
+ - admin_ssh_keys
+ - httpd
diff --git a/roles/admin_ssh_keys/files/misc.pub b/roles/admin_ssh_keys/files/misc.pub
new file mode 100644
index 0000000..93597df
--- /dev/null
+++ b/roles/admin_ssh_keys/files/misc.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6XHbqNugBD9WlA3R6BZaouVsi6z9aK9aXu13I74zs9XL6DFLBZXlfAkTFPHDwcYbd5PB/0B8+T5AHmGYsBlEJGR8wFm2mUTVLoApmEKIo8m8Lf/M+vQxLOmkIqVvuMCWTb27dmLWVozKD+qtyzMXWsRT3aM6ok5WTFw/FNXM7XTOPxJaUfYexNXCRrNTt29LWc6TxIQUkeaMW/SAzttVwrQizE6Xip6nlOTT0g1yXsNajZAeQnADkmBu5CAjzGV3jsSrvEKIpXHzEVveCHRrgOXQWM7yWGTe3HGkMS9zgOJtHCQi92B/KBSeJksmWibNe5HHjjdhlmQujcHdKP4PR misc@kiora/tpm
diff --git a/roles/admin_ssh_keys/tasks/main.yml b/roles/admin_ssh_keys/tasks/main.yml
new file mode 100644
index 0000000..f07e4c2
--- /dev/null
+++ b/roles/admin_ssh_keys/tasks/main.yml
@@ -0,0 +1,6 @@
+---
+- name: install root ssh keys
+ authorized_key: user=root
+ key="{{ item }}"
+ with_file:
+ - misc.pub
diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
new file mode 100644
index 0000000..7fd4b66
--- /dev/null
+++ b/roles/base/tasks/main.yml
@@ -0,0 +1,15 @@
+---
+- name: install base rpms
+ yum: pkg={{ item }} state=installed
+ with_items:
+ - screen
+ - htop
+ - iftop
+ - iotop
+ - strace
+ - vim-enhanced
+ - tcpdump
+ - chrony
+
+- service: name=chronyd state=running enabled=yes
+
diff --git a/roles/httpd/0001-Remove-ssl-v3-CVE-2014-3566.patch b/roles/httpd/0001-Remove-ssl-v3-CVE-2014-3566.patch
new file mode 100644
index 0000000..62607b5
--- /dev/null
+++ b/roles/httpd/0001-Remove-ssl-v3-CVE-2014-3566.patch
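Review bot: The `authorized_key` task in roles/admin_ssh_keys/tasks/main.yml only ever adds keys: a key later deleted from `files/` (or from the `with_file` list) stays authorized for root on every host that was already provisioned, so there is no revocation path. If this role is meant to be the single source of truth for root's authorized_keys, add `exclusive=yes` and pass all keys as one newline-joined value instead of looping with `with_file`, since `exclusive` removes anything not present in the current call and would fight itself inside a loop. The key file is shared by the whole role, so a one-line comment recording who holds the matching private key and when it should be rotated would also help the next admin, e.g. `# misc.pub: <owner placeholder>, rotate on departure`.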
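Review bot: The chronyd `service` task at the end of roles/base/tasks/main.yml has no `name:`, unlike the yum task above it, so play output and failures show only the module name; `- name: enable and start chronyd`. `enabled=yes` is passed as a string inside the key=value args and is accepted as-is, so it is fine here, but if the file is later converted to native YAML module arguments it should become `enabled: true` to avoid the YAML 1.1 truthy forms.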
@@ -0,0 +1,33 @@
+From ce67394ccb7eaf138330c52f9ec5062698efb8aa Mon Sep 17 00:00:00 2001
+From: Michael Scherer
+Date: Tue, 14 Oct 2014 23:36:21 -0400
+Subject: [PATCH] Remove ssl v3, CVE-2014-3566
+
+---
+ roles/httpd/files/remove_sslv3.conf | 1 +
+ roles/httpd/tasks/main.yml | 1 +
+ 2 files changed, 2 insertions(+)
+ create mode 100644 roles/httpd/files/remove_sslv3.conf
+
+diff --git a/roles/httpd/files/remove_sslv3.conf b/roles/httpd/files/remove_sslv3.conf
+new file mode 100644
+index 0000000..0872cbe
+--- /dev/null
++++ b/roles/httpd/files/remove_sslv3.conf
+@@ -0,0 +1 @@
++SSLProtocol all -SSLv2 -SSLv3
+diff --git a/roles/httpd/tasks/main.yml b/roles/httpd/tasks/main.yml
+index 98d6ade..7dfe89d 100644
+--- a/roles/httpd/tasks/main.yml
++++ b/roles/httpd/tasks/main.yml
+@@ -11,6 +11,7 @@
+ with_items:
+ - name_vhost.conf
+ - mod_filter.conf
++ - remove_sslv3.conf
+ notify: restart httpd
+
+ - template: src=vhost.conf dest=/etc/httpd/conf.d/{{ website_url }}.conf owner=root group=apache mode=0644
+--
+1.8.3.1
+
diff --git a/roles/httpd/defaults/main.yml b/roles/httpd/defaults/main.yml
new file mode 100644
index 0000000..409440c
--- /dev/null
+++ b/roles/httpd/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+log_retention_week: 8
diff --git a/roles/httpd/files/mod_filter.conf b/roles/httpd/files/mod_filter.conf
new file mode 100644
index 0000000..cde8c84
--- /dev/null
+++ b/roles/httpd/files/mod_filter.conf
@@ -0,0 +1,3 @@
+# not enabled by default on centos 6
+LoadModule filter_module modules/mod_filter.so
+
diff --git a/roles/httpd/files/name_vhost.conf b/roles/httpd/files/name_vhost.conf
new file mode 100644
index 0000000..d2d1c0d
--- /dev/null
+++ b/roles/httpd/files/name_vhost.conf
@@ -0,0 +1,2 @@
+NameVirtualHost *:443
+NameVirtualHost *:80
diff --git a/roles/httpd/files/remove_sslv3.conf b/roles/httpd/files/remove_sslv3.conf
new file mode 100644
index 0000000..0872cbe
--- /dev/null
+++ b/roles/httpd/files/remove_sslv3.conf
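Review bot: roles/httpd/0001-Remove-ssl-v3-CVE-2014-3566.patch looks like a stray `git format-patch` artefact of this same repository rather than a file the role uses: it adds roles/httpd/files/remove_sslv3.conf and the `remove_sslv3.conf` copy item, both of which this commit already contains directly, and nothing in the role references the .patch. Left in place it ships with the role forever and misleads anyone searching for where the SSLv3 change lives; remove it from the commit (`git rm roles/httpd/0001-Remove-ssl-v3-CVE-2014-3566.patch`) or keep it outside the roles tree if it is wanted for reference.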
@@ -0,0 +1 @@
+SSLProtocol all -SSLv2 -SSLv3
diff --git a/roles/httpd/handlers/main.yml b/roles/httpd/handlers/main.yml
new file mode 100644
index 0000000..e379288
--- /dev/null
+++ b/roles/httpd/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: restart httpd
+ service: name=httpd state=restarted
diff --git a/roles/httpd/tasks/main.yml b/roles/httpd/tasks/main.yml
new file mode 100644
index 0000000..b1e7342
--- /dev/null
+++ b/roles/httpd/tasks/main.yml
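Review bot: `SSLProtocol all -SSLv2 -SSLv3` in roles/httpd/files/remove_sslv3.conf is a server-level setting, and a `<VirtualHost>` that carries its own `SSLProtocol` takes precedence over it. On EL6 the ssl.conf shipped by the mod_ssl package this role installs sets its own `SSLProtocol all -SSLv2` inside its `_default_:443` vhost (from memory of the stock file, worth confirming on a provisioned host), so that default vhost would keep negotiating SSLv3 and the CVE-2014-3566 mitigation would only cover the templated vhosts, which as far as the rendered templates show set no `SSLProtocol` of their own and therefore inherit this one. Either manage the directive in /etc/httpd/conf.d/ssl.conf as well (a `replace`/`lineinfile` task notifying `restart httpd`) or repeat it inside each vhost template. A short comment above the directive naming the CVE and explaining the precedence rule would save the next reader the same investigation, e.g. `# CVE-2014-3566 (POODLE): server-wide default; per-vhost SSLProtocol overrides this`.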
@@ -0,0 +1,51 @@
+---
+- yum: name={{ item }} state=installed
+ with_items:
+ - python-passlib
+ - httpd
+ - mod_ssl
+
+- service: name=httpd state=started enabled=yes
+
+- copy: src={{ item }} dest=/etc/httpd/conf.d/{{ item }} owner=root group=apache mode=0644
+ with_items:
+ - name_vhost.conf
+ - mod_filter.conf
+ - remove_sslv3.conf
+ notify: restart httpd
+
+- template: src=vhost.conf dest=/etc/httpd/conf.d/{{ website_url }}.conf owner=root group=apache mode=0644
+ notify: restart httpd
+ when: document_root is defined
+
+- template: src=vhost_redirect.conf dest=/etc/httpd/conf.d/{{ website_url }}.conf owner=root group=apache mode=0644
+ notify: restart httpd
+ when: redirect is defined
+
+- file: state=directory path={{ document_root }} setype=httpd_sys_content_t owner=root mode=755 group=root
+ when: document_root is defined
+
+- file: path=/etc/httpd/conf.d/{{ website_url }}.conf.d/ state=directory
+ when: website_url is defined
+
+# needed for newer apache, who requires at least 1 file for include
+- file: path=/etc/httpd/conf.d/{{ website_url }}.conf.d/placeholder.conf state=touch
+ when: website_url is defined
+
+- file: path=/etc/httpd/conf.d/password_protection.conf state=absent
+ notify: restart httpd
+
+- htpasswd: path=/etc/httpd/{{ website_url }}.htpasswd name={{ website_user }} password={{ website_password }} owner=root group=apache mode=0640
+ when: website_user is defined
+
+- shell: lokkit -s {{ item }}
+ with_items:
+ - http
+ - https
+ when: ansible_distribution_major_version == '6' and (ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat')
+
+- firewalld: service={{ item }} permanent=true state=enabled
+ with_items:
+ - http
+ - https
+ when: ansible_distribution == 'Fedora' or ansible_distribution_major_version == '7'
diff --git a/roles/httpd/templates/vhost.conf b/roles/httpd/templates/vhost.conf
new file mode 100644
index 0000000..21172c9
--- /dev/null
+++ b/roles/httpd/templates/vhost.conf
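Review bot: The `htpasswd` task in roles/httpd/tasks/main.yml passes `password={{ website_password }}` as a module argument without `no_log`, so the clear-text password is echoed in the task result and ends up in any Ansible log or callback output; add `no_log: true` to that task. Its guard is also out of step with the templates: the task runs on `when: website_user is defined`, while vhost.conf and vhost_redirect.conf enable the auth block on `website_password is defined`, so setting only one of the two variables yields either a failed htpasswd call or a vhost demanding credentials against a file that was never written — use `when: website_user is defined and website_password is defined` here and the same pair in both templates. The two `template` tasks write the same destination `/etc/httpd/conf.d/{{ website_url }}.conf`, so a host with both `document_root` and `redirect` defined silently keeps whichever ran last; an explicit `fail`/`assert` when both are set would make that visible. On style, `mode=755` on the document root is the only mode in the file without a leading zero (the rest use `0644`/`0640`) — `mode=0755` for consistency — and `shell: lokkit -s {{ item }}` needs no shell and reports changed on every run, so `command: lokkit -s {{ item }}` with `changed_when: false` (or a `creates`-style check) would be the idempotent form.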
@@ -0,0 +1,21 @@
+
+ {% if website_password is defined %}
+
+
+ AuthType Basic
+ AuthName "Restricted access, contact OSAS for password"
+ AuthUserFile /etc/httpd/{{ website_url }}.htpasswd
+ Require valid-user
+
+ {% endif %}
+
+
+ AllowOverride All
+
+
+ ServerName {{ website_url }}
+ DocumentRoot {{ document_root }}
+ Include /etc/httpd/conf.d/{{ website_url}}.conf.d/*conf
+
+
+
diff --git a/roles/httpd/templates/vhost_redirect.conf b/roles/httpd/templates/vhost_redirect.conf
new file mode 100644
index 0000000..1c93343
--- /dev/null
+++ b/roles/httpd/templates/vhost_redirect.conf
@@ -0,0 +1,16 @@
+
+ {% if website_password is defined %}
+
+
+ AuthType Basic
+ AuthName "Restricted access, contact OSAS for password"
+ AuthUserFile /etc/httpd/{{ website_url }}.htpasswd
+ Require valid-user
+
+ {% endif %}
+
+ ServerName {{ website_url }}
+ Redirect / {{ redirect }}
+
+
+
-- cgit
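Review bot: `Include /etc/httpd/conf.d/{{ website_url}}.conf.d/*conf` in roles/httpd/templates/vhost.conf uses the loose glob `*conf` and is missing the space before `}}` that every other Jinja expression in this commit has; the conventional `Include /etc/httpd/conf.d/{{ website_url }}.conf.d/*.conf` matches the `placeholder.conf` the tasks create and only files with that extension. `AllowOverride All` (its enclosing `<Directory>` tag appears to have been lost in this rendering, so the scope is inferred) lets any `.htaccess` under the document root change authentication, handler and option settings, which undermines the `Require valid-user` block whenever the content is not fully trusted; list only the override classes the sites need, e.g. `AllowOverride AuthConfig FileInfo`. No `SSLEngine` or certificate directives are visible, so it is unclear whether this is the `*:443` vhost declared in name_vhost.conf; if it is, those directives belong in this template.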
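Review bot: `Redirect / {{ redirect }}` in roles/httpd/templates/vhost_redirect.conf issues a 302 by default; if the vhost exists to move a hostname permanently, `Redirect permanent / {{ redirect }}` is what caches and search engines expect, whereas a 302 is right only if the target is expected to change. The Basic-auth block guarded by `website_password is defined` probably has no effect here: on the httpd 2.2 that EL6 ships, mod_alias answers a `Redirect` match during name translation, before the authentication phase runs, so the redirect is served to unauthenticated clients (2.4 behaviour may differ, so confirm with a request against a provisioned host). If that is confirmed, drop the block from this template, or add a comment stating that the redirect is intentionally unauthenticated.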