From 64f279e592bc291ea76ff9e2246f1fc1760c6e83 Mon Sep 17 00:00:00 2001
From: Oleg Broytman
Date: Wed, 24 Jul 2019 22:44:21 +0300
Subject: [PATCH] Feat(apache): Install and configure Apache; add a virtual host
---
playbooks/debian-add-apache-vhost | 13 ++
.../debian/roles/add_apache_vhost/README.txt | 1 +
.../roles/add_apache_vhost/handlers/main.yml | 4 +
.../roles/add_apache_vhost/tasks/main.yml | 33 +++++
.../add_apache_vhost/templates/vhost.conf | 96 +++++++++++++
playbooks/debian/roles/apache/README.txt | 1 +
.../debian/roles/apache/handlers/main.yml | 4 +
playbooks/debian/roles/apache/tasks/main.yml | 44 ++++++
.../roles/apache/templates/001-phd.conf | 130 ++++++++++++++++++
9 files changed, 326 insertions(+)
create mode 100755 playbooks/debian-add-apache-vhost
create mode 100644 playbooks/debian/roles/add_apache_vhost/README.txt
create mode 100644 playbooks/debian/roles/add_apache_vhost/handlers/main.yml
create mode 100644 playbooks/debian/roles/add_apache_vhost/tasks/main.yml
create mode 100644 playbooks/debian/roles/add_apache_vhost/templates/vhost.conf
create mode 100644 playbooks/debian/roles/apache/README.txt
create mode 100644 playbooks/debian/roles/apache/handlers/main.yml
create mode 100644 playbooks/debian/roles/apache/tasks/main.yml
create mode 100644 playbooks/debian/roles/apache/templates/001-phd.conf
diff --git a/playbooks/debian-add-apache-vhost b/playbooks/debian-add-apache-vhost
new file mode 100755
index 0000000..cffad87
--- /dev/null
+++ b/playbooks/debian-add-apache-vhost
@@ -0,0 +1,13 @@
+#! /bin/sh
+
+if [ -z "$1" ]; then
+ echo "Usage: $0 vhost" >&2
+ exit 1
+fi
+
+vhost="$1"
+shift
+
+cd "`dirname \"$0\"`" &&
+ANSIBLE_ROLES_PATH=debian/roles \
+ exec ./run-role add_apache_vhost "$@" -e virtual_host="$vhost"
diff --git a/playbooks/debian/roles/add_apache_vhost/README.txt b/playbooks/debian/roles/add_apache_vhost/README.txt
new file mode 100644
index 0000000..8bc4b30
--- /dev/null
+++ b/playbooks/debian/roles/add_apache_vhost/README.txt
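Review bot: The vhost name taken from `$1` is passed unvalidated as `-e virtual_host=…`, and the role that receives it splices it straight into `/etc/apache2/sites-available/{{ virtual_host }}.conf`, `/var/log/apache2/{{ virtual_host }}` and the `a2ensite` argument, so a value containing `/`, `..` or whitespace writes outside those directories or splits the command. It comes from the operator's own command line, so this is a foot-gun rather than an exposure, but one guard after `vhost="$1"` closes it: `case "$vhost" in .*|*..*|*[!A-Za-z0-9.-]*) echo "invalid vhost name: $vhost" >&2; exit 1;; esac`. The backquote-inside-double-quotes form `cd "`dirname \"$0\"`"` works but is hard to read and quote correctly; `cd "$(dirname "$0")" &&` is the POSIX equivalent.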
@@ -0,0 +1 @@
+Add Apache virtual host.
diff --git a/playbooks/debian/roles/add_apache_vhost/handlers/main.yml b/playbooks/debian/roles/add_apache_vhost/handlers/main.yml
new file mode 100644
index 0000000..c99bf62
--- /dev/null
+++ b/playbooks/debian/roles/add_apache_vhost/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: Reload apache
+ service:
+ name: apache2
+ state: reloaded
diff --git a/playbooks/debian/roles/add_apache_vhost/tasks/main.yml b/playbooks/debian/roles/add_apache_vhost/tasks/main.yml
new file mode 100644
index 0000000..d5f9ddd
--- /dev/null
+++ b/playbooks/debian/roles/add_apache_vhost/tasks/main.yml
@@ -0,0 +1,33 @@
+- name: Check vhost
+ command: "test -L /etc/apache2/sites-enabled/{{ virtual_host }}.conf"
+ failed_when: false
+ register: vhost
+ changed_when: vhost.rc != 0
+
+- name: Configure site
+ become: true
+ template:
+ src: vhost.conf
+ dest: "/etc/apache2/sites-available/{{ virtual_host }}.conf"
+ owner: root
+ group: root
+ mode: '0640'
+ force: no
+ notify: Reload apache
+ when: vhost.rc != 0
+
+- name: Enable site
+ become: true
+ command: "a2ensite {{ virtual_host }}"
+ notify: Reload apache
+ when: vhost.rc != 0
+
+- name: Create log directory
+ become: true
+ file:
+ path: /var/log/apache2/{{ virtual_host }}
+ state: directory
+ owner: root
+ group: root
+ mode: '0640'
+ when: vhost.rc != 0
diff --git a/playbooks/debian/roles/add_apache_vhost/templates/vhost.conf b/playbooks/debian/roles/add_apache_vhost/templates/vhost.conf
new file mode 100644
index 0000000..2f3dd5b
--- /dev/null
+++ b/playbooks/debian/roles/add_apache_vhost/templates/vhost.conf
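Review bot: `mode: '0640'` on the `Create log directory` task is a directory mode without the search bit, so nobody but root can enter `/var/log/apache2/{{ virtual_host }}`; `mode: '0750'` with `group: adm` mirrors Debian's own `/var/log/apache2` and keeps the logs readable for the admin group. The rendered vhost also points at `/etc/apache2/ssl/{{ virtual_host }}.crt` and `.key`, which nothing in this role provides, so `a2ensite` followed by the reload handler leaves a site enabled whose config test fails until the material is dropped in by hand; a stat check before `Configure site` fails the play at the point of the mistake instead. Note too that `force: no` plus the `test -L` guard means a later change to `vhost.conf` never reaches a host where the site already exists — fine if intended, but worth a comment on `Check vhost`.

```yaml
- name: Require TLS material for the vhost
  become: true
  stat:
    path: "/etc/apache2/ssl/{{ virtual_host }}.{{ item }}"
  register: tls_material
  loop: [crt, key]
  failed_when: not tls_material.stat.exists
  when: vhost.rc != 0
# … unchanged: Configure site, Enable site, Create log directory …
```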
@@ -0,0 +1,96 @@
+
+ServerName {{ virtual_host }}
+Redirect permanent / https://{{ virtual_host }}/
+ErrorLog /var/log/apache2/{{ virtual_host }}/error_log
+CustomLog /var/log/apache2/{{ virtual_host }}/access_log common
+
+
+
+ServerName www.{{ virtual_host }}
+Redirect permanent / https://{{ virtual_host }}/
+ErrorLog /var/log/apache2/{{ virtual_host }}/error_log
+CustomLog /var/log/apache2/{{ virtual_host }}/access_log common
+
+
+
+ServerName {{ virtual_host }}
+
+DocumentRoot /home/phd/Internet/WWW/htdocs/{{ virtual_host }}
+ScriptAlias /cgi-bin /home/phd/Internet/WWW/cgi-bin/{{ virtual_host }}
+ErrorLog /var/log/apache2/{{ virtual_host }}/error_log
+CustomLog /var/log/apache2/{{ virtual_host }}/access_log common
+
+
+Require all granted
+
+
+
+Require all granted
+
+
+
+ErrorDocument 404 http://{{ virtual_host }}/Bookmarks/notfound.html
+
+
+
+AddDefaultCharset utf-8
+
+
+
+
+ Require all denied
+
+
+ProxyRequests Off
+
+
+SSLEngine on
+#Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
+#Header always set X-Content-Type-Options nosniff
+#Header always set X-Frame-Options DENY
+#SSLCipherSuite HIGH:MEDIUM:RSA:!EXP:!aNULL:!NULL:+SHA1:+HIGH:+MEDIUM:-LOW
+SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
+SSLCompression off
+SSLHonorCipherOrder On
+SSLOptions +StrictRequire
+SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
+SSLProxyEngine off
+#SSLRandomSeed connect file:/dev/urandom 1024
+#SSLRandomSeed startup file:/dev/urandom 1024
+#SSLSessionCache shm:/var/log/apache2/ssl_cache_shm
+#SSLSessionCacheTimeout 600
+#SSLSessionTickets Off
+#SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
+#SSLUseStapling on
+SSLVerifyClient none
+
+SSLCACertificateFile /etc/apache2/ssl/CA.crt
+SSLCertificateFile /etc/apache2/ssl/{{ virtual_host }}.crt
+SSLCertificateKeyFile /etc/apache2/ssl/{{ virtual_host }}.key
+
+
+ SSLRequireSSL
+
+
+
+ SSLOptions +StdEnvVars
+
+
+#
+# AddType application/x-x509-ca-cert .crt
+# AddType application/x-pkcs7-crl .crl
+#
+
+BrowserMatch "MSIE [2-6]" \
+ nokeepalive ssl-unclean-shutdown \
+ downgrade-1.0 force-response-1.0
+# MSIE 7 and newer should be able to use keepalive
+BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
+
+
+
+ServerName www.{{ virtual_host }}
+Redirect permanent / https://{{ virtual_host }}/
+ErrorLog /var/log/apache2/{{ virtual_host }}/error_log
+CustomLog /var/log/apache2/{{ virtual_host }}/access_log common
+
diff --git a/playbooks/debian/roles/apache/README.txt b/playbooks/debian/roles/apache/README.txt
new file mode 100644
index 0000000..a39c362
--- /dev/null
+++ b/playbooks/debian/roles/apache/README.txt
@@ -0,0 +1 @@
+Setup Apache web server.
diff --git a/playbooks/debian/roles/apache/handlers/main.yml b/playbooks/debian/roles/apache/handlers/main.yml
new file mode 100644
index 0000000..c99bf62
--- /dev/null
+++ b/playbooks/debian/roles/apache/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: Reload apache
+ service:
+ name: apache2
+ state: reloaded
diff --git a/playbooks/debian/roles/apache/tasks/main.yml b/playbooks/debian/roles/apache/tasks/main.yml
new file mode 100644
index 0000000..1c6bd2f
--- /dev/null
+++ b/playbooks/debian/roles/apache/tasks/main.yml
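Review bot: `ErrorDocument 404 http://{{ virtual_host }}/Bookmarks/notfound.html` inside the TLS vhost uses an absolute URL, which Apache turns into an external redirect, so every 404 on the HTTPS site bounces the client to plain `http://` and back through the port-80 redirect; a local path, `ErrorDocument 404 /Bookmarks/notfound.html`, is served internally with the real 404 status and no downgrade hop. The HSTS, `X-Content-Type-Options` and `X-Frame-Options` lines are commented out, and the apache role in this same patch enables only `mod_ssl`, so turning them on needs `a2enmod headers` as well as uncommenting (and `preload` should stay off until the domain is actually submitted). `SSLCACertificateFile` is only consulted for client-certificate verification, which `SSLVerifyClient none` switches off — if `CA.crt` is the issuer chain for the server certificate, the intended directive is presumably `SSLCertificateChainFile` (or appending the chain to the `.crt`). The `<VirtualHost>`/`<Directory>` container tags appear to have been stripped from this rendering, so which block each directive belongs to cannot be confirmed here.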
@@ -0,0 +1,44 @@
+- name: Check apache
+ command: test -L /etc/apache2/conf-enabled/001-phd.conf
+ failed_when: false
+ register: apache
+ changed_when: apache.rc != 0
+
+- debug:
+ msg: "apache has already been configured"
+ when: apache.rc == 0
+
+- name: Install apache
+ become: true
+ apt:
+ autoclean: yes
+ autoremove: yes
+ install_recommends: no
+ name: apache2
+ purge: yes
+ state: latest
+ update_cache: yes
+ when: apache.rc != 0
+
+- name: Enable SSL module
+ become: true
+ command: a2enmod ssl
+ notify: Reload apache
+ when: apache.rc != 0
+
+- name: Configure apache
+ become: true
+ template:
+ src: 001-phd.conf
+ dest: /etc/apache2/conf-available
+ owner: root
+ group: root
+ mode: '0640'
+ force: no
+ when: apache.rc != 0
+
+- name: Enable config
+ become: true
+ command: a2enconf 001-phd
+ notify: Reload apache
+ when: apache.rc != 0
diff --git a/playbooks/debian/roles/apache/templates/001-phd.conf b/playbooks/debian/roles/apache/templates/001-phd.conf
new file mode 100644
index 0000000..5eb26f6
--- /dev/null
+++ b/playbooks/debian/roles/apache/templates/001-phd.conf
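Review bot: Nothing between `a2enconf 001-phd` and the `Reload apache` handler checks that the rendered configuration parses, and the template it enables references `AuthUserFile /usr/local/apache2/data/apache.passwd` and `Scriptsock data/cgisock`, paths this role does not create; a task `- name: Validate apache config` / `become: true` / `command: apache2ctl configtest` right after `Enable config` fails the play where the mistake is, rather than at the handler with the config already enabled. `dest: /etc/apache2/conf-available` is a directory, which only works because `template` falls back to the src basename; `dest: /etc/apache2/conf-available/001-phd.conf` says what is meant and matches the `test -L` path in `Check apache`. With that guard plus `force: no` the template is rendered exactly once per host, so later edits to `001-phd.conf` silently never land — if that is intended, a comment on `Check apache` saying so would save the next person a debugging session.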
@@ -0,0 +1,130 @@
+ServerAdmin phd@{{ inventory_hostname }}
+MaxConnectionsPerChild 10
+
+
+StartServers 2
+MinSpareServers 2
+MaxSpareServers 5
+MaxRequestWorkers 20
+
+
+
+StartServers 2
+MaxRequestWorkers 5
+MinSpareThreads 2
+MaxSpareThreads 10
+ThreadsPerChild 25
+
+
+
+NumServers 2
+StartThreads 2
+MinSpareThreads 2
+MaxSpareThreads 10
+MaxThreadsPerChild 25
+
+
+User www-data
+Group www-data
+
+AddDefaultCharset koi8-r
+
+
+ AuthType Basic
+ AuthName Apache
+ AuthUserFile /usr/local/apache2/data/apache.passwd
+
+ Require ip 127.0.0.1 {{ inventory_hostname }}
+ Require user phd
+
+
+
+
+Scriptsock data/cgisock
+
+
+
+ DirectoryIndex index.shtml index.html index.htm
+
+
+
+ AddHandler cgi-script .cgi
+
+
+
+
+ Options +IncludesNOEXEC
+
+ AddType text/html .shtml
+ AddOutputFilter INCLUDES .shtml
+
+
+
+
+ SetHandler server-info
+ Require ip 127.0.0.1 {{ inventory_hostname }}
+
+
+
+
+
+ SetHandler server-status
+ Require ip 127.0.0.1 {{ inventory_hostname }}
+
+
+ExtendedStatus On
+
+
+
+ Require ip 127.0.0.1 {{ inventory_hostname }}
+
+
+
+SetEnv LC_CTYPE ru_RU.KOI8-R
+SetEnv LC_COLLATE ru_RU.KOI8-R
+
+
+
+
+ Require ip 127.0.0.1
+
+
+ProxyRequests Off
+
+
+LanguagePriority ru en
+
+
+UserDir public_html
+
+
+
+Options Indexes FollowSymLinks
+RemoveHandler .py
+
+
+
+ErrorDocument 404 /~phd/Bookmarks/notfound.html
+
+
+
+ServerName unknown.invalid
+DocumentRoot /home/phd/Internet/WWW/htdocs/_default_/
+ErrorDocument 404 /nothing.html
+
+
+Require all granted
+
+
+
+
+DocumentRoot /home/phd/Internet/WWW/htdocs/_default_/
+ErrorDocument 404 /nothing.html
+
+
+Require all granted
+
+
+
+# non-SNI clients
+SSLStrictSNIVHostCheck off
--
2.39.2
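Review bot: `Require ip 127.0.0.1 {{ inventory_hostname }}` is what gates `server-info`, `server-status` and the `AuthType Basic` block, but `Require ip` accepts only IP addresses or CIDR ranges; if `inventory_hostname` renders to a hostname, as it usually does, Apache rejects the directive and the config test fails for the whole server, which this patch's reload handler would then surface as a failed reload. Use `Require host {{ inventory_hostname }}` for a name (noting that it performs a double-reverse DNS check per request) or an address variable such as `{{ ansible_default_ipv4.address }}` for the IP. In the `UserDir` block, `Options Indexes FollowSymLinks` lets any local user publish a directory listing and, through a symlink, anything `www-data` can read; `Options SymLinksIfOwnerMatch` (dropping `Indexes` unless listings are wanted) is the usual tightening. The container tags seem to have been stripped from this rendering, so whether `Require ip` and `Require user phd` sit inside a `<RequireAny>` — the only combination that gives "local or authenticated" — cannot be confirmed here.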