diff options
author | Michael Scherer <misc@ephaone.org> | 2014-10-15 16:55:11 -0400 |
---|---|---|
committer | Michael Scherer <misc@ephaone.org> | 2014-10-15 16:55:11 -0400 |
commit | dd06fb0a56feba126cce5ef75e84e23eb72fe7aa (patch) | |
tree | f20f7774e7d7ce6ec22eeb8d62e510842c613733 /roles | |
parent | 56599284ed73be3661796003d89c3ed73aa24cbd (diff) |
Add playbook and httpd and the rest
Diffstat (limited to 'roles')
-rw-r--r-- | roles/admin_ssh_keys/files/misc.pub | 1 | ||||
-rw-r--r-- | roles/admin_ssh_keys/tasks/main.yml | 6 | ||||
-rw-r--r-- | roles/base/tasks/main.yml | 15 | ||||
-rw-r--r-- | roles/httpd/0001-Remove-ssl-v3-CVE-2014-3566.patch | 33 | ||||
-rw-r--r-- | roles/httpd/defaults/main.yml | 2 | ||||
-rw-r--r-- | roles/httpd/files/mod_filter.conf | 3 | ||||
-rw-r--r-- | roles/httpd/files/name_vhost.conf | 2 | ||||
-rw-r--r-- | roles/httpd/files/remove_sslv3.conf | 1 | ||||
-rw-r--r-- | roles/httpd/handlers/main.yml | 3 | ||||
-rw-r--r-- | roles/httpd/tasks/main.yml | 51 | ||||
-rw-r--r-- | roles/httpd/templates/vhost.conf | 21 | ||||
-rw-r--r-- | roles/httpd/templates/vhost_redirect.conf | 16 |
12 files changed, 154 insertions, 0 deletions
diff --git a/roles/admin_ssh_keys/files/misc.pub b/roles/admin_ssh_keys/files/misc.pub new file mode 100644 index 0000000..93597df --- /dev/null +++ b/roles/admin_ssh_keys/files/misc.pub @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6XHbqNugBD9WlA3R6BZaouVsi6z9aK9aXu13I74zs9XL6DFLBZXlfAkTFPHDwcYbd5PB/0B8+T5AHmGYsBlEJGR8wFm2mUTVLoApmEKIo8m8Lf/M+vQxLOmkIqVvuMCWTb27dmLWVozKD+qtyzMXWsRT3aM6ok5WTFw/FNXM7XTOPxJaUfYexNXCRrNTt29LWc6TxIQUkeaMW/SAzttVwrQizE6Xip6nlOTT0g1yXsNajZAeQnADkmBu5CAjzGV3jsSrvEKIpXHzEVveCHRrgOXQWM7yWGTe3HGkMS9zgOJtHCQi92B/KBSeJksmWibNe5HHjjdhlmQujcHdKP4PR misc@kiora/tpm diff --git a/roles/admin_ssh_keys/tasks/main.yml b/roles/admin_ssh_keys/tasks/main.yml new file mode 100644 index 0000000..f07e4c2 --- /dev/null +++ b/roles/admin_ssh_keys/tasks/main.yml @@ -0,0 +1,6 @@ +--- +- name: install root ssh keys + authorized_key: user=root + key="{{ item }}" + with_file: + - misc.pub diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml new file mode 100644 index 0000000..7fd4b66 --- /dev/null +++ b/roles/base/tasks/main.yml @@ -0,0 +1,15 @@ +--- +- name: install base rpms + yum: pkg={{ item }} state=installed + with_items: + - screen + - htop + - iftop + - iotop + - strace + - vim-enhanced + - tcpdump + - chrony + +- service: name=chronyd state=running enabled=yes + diff --git a/roles/httpd/0001-Remove-ssl-v3-CVE-2014-3566.patch b/roles/httpd/0001-Remove-ssl-v3-CVE-2014-3566.patch new file mode 100644 index 0000000..62607b5 --- /dev/null +++ b/roles/httpd/0001-Remove-ssl-v3-CVE-2014-3566.patch @@ -0,0 +1,33 @@ +From ce67394ccb7eaf138330c52f9ec5062698efb8aa Mon Sep 17 00:00:00 2001 +From: Michael Scherer <mscherer@redhat.com> +Date: Tue, 14 Oct 2014 23:36:21 -0400 +Subject: [PATCH] Remove ssl v3, CVE-2014-3566 + +--- + roles/httpd/files/remove_sslv3.conf | 1 + + roles/httpd/tasks/main.yml | 1 + + 2 files changed, 2 insertions(+) + create mode 100644 roles/httpd/files/remove_sslv3.conf + +diff --git a/roles/httpd/files/remove_sslv3.conf b/roles/httpd/files/remove_sslv3.conf +new file mode 100644 +index 0000000..0872cbe +--- /dev/null ++++ b/roles/httpd/files/remove_sslv3.conf +@@ -0,0 +1 @@ ++SSLProtocol all -SSLv2 -SSLv3 +diff --git a/roles/httpd/tasks/main.yml b/roles/httpd/tasks/main.yml +index 98d6ade..7dfe89d 100644 +--- a/roles/httpd/tasks/main.yml ++++ b/roles/httpd/tasks/main.yml +@@ -11,6 +11,7 @@ + with_items: + - name_vhost.conf + - mod_filter.conf ++ - remove_sslv3.conf + notify: restart httpd + + - template: src=vhost.conf dest=/etc/httpd/conf.d/{{ website_url }}.conf owner=root group=apache mode=0644 +-- +1.8.3.1 + diff --git a/roles/httpd/defaults/main.yml b/roles/httpd/defaults/main.yml new file mode 100644 index 0000000..409440c --- /dev/null +++ b/roles/httpd/defaults/main.yml @@ -0,0 +1,2 @@ +--- +log_retention_week: 8 diff --git a/roles/httpd/files/mod_filter.conf b/roles/httpd/files/mod_filter.conf new file mode 100644 index 0000000..cde8c84 --- /dev/null +++ b/roles/httpd/files/mod_filter.conf @@ -0,0 +1,3 @@ +# not enabled by default on centos 6 +LoadModule filter_module modules/mod_filter.so + diff --git a/roles/httpd/files/name_vhost.conf b/roles/httpd/files/name_vhost.conf new file mode 100644 index 0000000..d2d1c0d --- /dev/null +++ b/roles/httpd/files/name_vhost.conf @@ -0,0 +1,2 @@ +NameVirtualHost *:443 +NameVirtualHost *:80 diff --git a/roles/httpd/files/remove_sslv3.conf b/roles/httpd/files/remove_sslv3.conf new file mode 100644 index 0000000..0872cbe --- /dev/null +++ b/roles/httpd/files/remove_sslv3.conf @@ -0,0 +1 @@ +SSLProtocol all -SSLv2 -SSLv3 diff --git a/roles/httpd/handlers/main.yml b/roles/httpd/handlers/main.yml new file mode 100644 index 0000000..e379288 --- /dev/null +++ b/roles/httpd/handlers/main.yml @@ -0,0 +1,3 @@ +--- +- name: restart httpd + service: name=httpd state=restarted diff --git a/roles/httpd/tasks/main.yml b/roles/httpd/tasks/main.yml new file mode 100644 index 0000000..b1e7342 --- /dev/null +++ b/roles/httpd/tasks/main.yml @@ -0,0 +1,51 @@ +--- +- yum: name={{ item }} state=installed + with_items: + - python-passlib + - httpd + - mod_ssl + +- service: name=httpd state=started enabled=yes + +- copy: src={{ item }} dest=/etc/httpd/conf.d/{{ item }} owner=root group=apache mode=0644 + with_items: + - name_vhost.conf + - mod_filter.conf + - remove_sslv3.conf + notify: restart httpd + +- template: src=vhost.conf dest=/etc/httpd/conf.d/{{ website_url }}.conf owner=root group=apache mode=0644 + notify: restart httpd + when: document_root is defined + +- template: src=vhost_redirect.conf dest=/etc/httpd/conf.d/{{ website_url }}.conf owner=root group=apache mode=0644 + notify: restart httpd + when: redirect is defined + +- file: state=directory path={{ document_root }} setype=httpd_sys_content_t owner=root mode=755 group=root + when: document_root is defined + +- file: path=/etc/httpd/conf.d/{{ website_url }}.conf.d/ state=directory + when: website_url is defined + +# needed for newer apache, who requires at least 1 file for include +- file: path=/etc/httpd/conf.d/{{ website_url }}.conf.d/placeholder.conf state=touch + when: website_url is defined + +- file: path=/etc/httpd/conf.d/password_protection.conf state=absent + notify: restart httpd + +- htpasswd: path=/etc/httpd/{{ website_url }}.htpasswd name={{ website_user }} password={{ website_password }} owner=root group=apache mode=0640 + when: website_user is defined + +- shell: lokkit -s {{ item }} + with_items: + - http + - https + when: ansible_distribution_major_version == '6' and (ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat') + +- firewalld: service={{ item }} permanent=true state=enabled + with_items: + - http + - https + when: ansible_distribution == 'Fedora' or ansible_distribution_major_version == '7' diff --git a/roles/httpd/templates/vhost.conf b/roles/httpd/templates/vhost.conf new file mode 100644 index 0000000..21172c9 --- /dev/null +++ b/roles/httpd/templates/vhost.conf @@ -0,0 +1,21 @@ +<VirtualHost *:80> + {% if website_password is defined %} + <Location /> + + AuthType Basic + AuthName "Restricted access, contact OSAS for password" + AuthUserFile /etc/httpd/{{ website_url }}.htpasswd + Require valid-user + </Location> + {% endif %} + + <Directory "{{ document_root }}"> + AllowOverride All + </Directory> + + ServerName {{ website_url }} + DocumentRoot {{ document_root }} + Include /etc/httpd/conf.d/{{ website_url}}.conf.d/*conf +</VirtualHost> + + diff --git a/roles/httpd/templates/vhost_redirect.conf b/roles/httpd/templates/vhost_redirect.conf new file mode 100644 index 0000000..1c93343 --- /dev/null +++ b/roles/httpd/templates/vhost_redirect.conf @@ -0,0 +1,16 @@ +<VirtualHost *:80> + {% if website_password is defined %} + <Location /> + + AuthType Basic + AuthName "Restricted access, contact OSAS for password" + AuthUserFile /etc/httpd/{{ website_url }}.htpasswd + Require valid-user + </Location> + {% endif %} + + ServerName {{ website_url }} + Redirect / {{ redirect }} +</VirtualHost> + + |