From 244482ac52dadf71b0e48244ddb0bb2e29bfafc6 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Wed, 30 Nov 2022 22:04:29 -0600
Subject: [PATCH] websites: Add hatchlearningcenter.org
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This is the website for Tabitha's new hybrid private school! 👩‍🎓

---
 certs/websites/hatchlearningcenter.org.cer | 1 +
 certs/websites/hatchlearningcenter.org.key | 1 +
 group_vars/public-web/main.yml | 1 +
 .../files/hatchlearningcenter.org.httpd.conf | 64 +++++++++++++++++++
 .../hatchlearningcenter.org/meta/main.yml | 7 ++
 .../hatchlearningcenter.org/tasks/main.yml | 51 +++++++++++++++
 websites.yml | 3 +
 7 files changed, 128 insertions(+)
 create mode 120000 certs/websites/hatchlearningcenter.org.cer
 create mode 120000 certs/websites/hatchlearningcenter.org.key
 create mode 100644 roles/websites/hatchlearningcenter.org/files/hatchlearningcenter.org.httpd.conf
 create mode 100644 roles/websites/hatchlearningcenter.org/meta/main.yml
 create mode 100644 roles/websites/hatchlearningcenter.org/tasks/main.yml

diff --git a/certs/websites/hatchlearningcenter.org.cer b/certs/websites/hatchlearningcenter.org.cer
new file mode 120000
index 0000000..b9a21b5
--- /dev/null
+++ b/certs/websites/hatchlearningcenter.org.cer
@@ -0,0 +1 @@
+../lego/hatchlearningcenter.org.crt
\ No newline at end of file
diff --git a/certs/websites/hatchlearningcenter.org.key b/certs/websites/hatchlearningcenter.org.key
new file mode 120000
index 0000000..1637775
--- /dev/null
+++ b/certs/websites/hatchlearningcenter.org.key
@@ -0,0 +1 @@
+../lego/hatchlearningcenter.org.key
\ No newline at end of file
diff --git a/group_vars/public-web/main.yml b/group_vars/public-web/main.yml
index 0a13af9..39734e4 100644
--- a/group_vars/public-web/main.yml
+++ b/group_vars/public-web/main.yml
@@ -10,3 +10,4 @@ userdir_proxy_backend: http://files.pyrocufflink.blue
 tabitha_publisher_keys:
 - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbeVaQ5eGTaQU9P0sqo9R2IISoe50qS/Hv/vvFdt3ce tabitha@Tabithas-MacBook-Pro.local
 dustinandtabitha_publisher_keys: '{{ tabitha_publisher_keys + dchwww_publisher_keys }}'
+hlc_publisher_keys: '{{ tabitha_publisher_keys }}'
diff --git a/roles/websites/hatchlearningcenter.org/files/hatchlearningcenter.org.httpd.conf b/roles/websites/hatchlearningcenter.org/files/hatchlearningcenter.org.httpd.conf
new file mode 100644
index 0000000..dc86bc1
--- /dev/null
+++ b/roles/websites/hatchlearningcenter.org/files/hatchlearningcenter.org.httpd.conf
@@ -0,0 +1,64 @@
+# vim: set ft=apache sw=4 ts=4 sts=4 et :
+
+ ServerName hatchlearningcenter.org
+ ServerAlias \
+ www.hatchlearningcenter.org \
+ hatchlearningcenter.com \
+ www.hatchlearningcenter.com \
+ hlcks.org \
+ www.hlcks.org \
+ hlcks.com \
+ www.hlcks.com \
+ hlckc.org \
+ www.hlckc.org \
+ hlckc.com \
+ www.hlckc.com
+
+ RewriteEngine on
+ RewriteRule /.* https://%{SERVER_NAME}$0 [R=301,L]
+
+
+
+ ServerName hatchlearningcenter.org
+ ServerAlias \
+ hatchlearningcenter.com \
+ www.hatchlearningcenter.com \
+ hlcks.org \
+ www.hlcks.org \
+ hlcks.com \
+ www.hlcks.com \
+ hlckc.org \
+ www.hlckc.org \
+ hlckc.com \
+ www.hlckc.com
+
+ Include conf.d/ssl.include
+
+ SSLCertificateFile /etc/pki/tls/certs/hatchlearningcenter.org.cer
+ SSLCertificateKeyFile /etc/pki/tls/private/hatchlearningcenter.org.key
+ SSLCertificateChainFile /etc/pki/tls/certs/hatchlearningcenter.org.cer
+
+ Header always set \
+ Strict-Transport-Security "max-age=63072000; includeSubDomains"
+
+ RewriteEngine On
+ RewriteRule /.* https://www.hatchlearningcenter.org$0 [R=301,L]
+
+
+
+ ServerName www.hatchlearningcenter.org
+
+ Include conf.d/ssl.include
+
+ SSLCertificateFile /etc/pki/tls/certs/hatchlearningcenter.org.cer
+ SSLCertificateKeyFile /etc/pki/tls/private/hatchlearningcenter.org.key
+ SSLCertificateChainFile /etc/pki/tls/certs/hatchlearningcenter.org.cer
+
+ Header always set \
+ Strict-Transport-Security "max-age=63072000; includeSubDomains"
+
+ DocumentRoot /srv/www/hatchlearningcenter.org/htdocs
+
+ Require all granted
+
+
diff --git a/roles/websites/hatchlearningcenter.org/meta/main.yml b/roles/websites/hatchlearningcenter.org/meta/main.yml
new file mode 100644
index 0000000..4d6317c
--- /dev/null
+++ b/roles/websites/hatchlearningcenter.org/meta/main.yml
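Review bot: The :443 vhost answers for hlcks.org, hlckc.com and the other aliases but presents only /etc/pki/tls/certs/hatchlearningcenter.org.cer; unless the lego certificate's SANs cover every alias listed, HTTPS clients on those names fail the TLS handshake before the redirect to www ever runs, so the alias list and the certificate request need to be kept in step. Pointing SSLCertificateChainFile at the same file as SSLCertificateFile is redundant, and that directive is deprecated since httpd 2.4.8 once the leaf file already carries the chain, so both `SSLCertificateChainFile` lines can go. The :80 redirect builds its target from `%{SERVER_NAME}`, which follows the client's Host header unless `UseCanonicalName On` is set, so it is only safe if this is not the default vhost for the listener. The <VirtualHost> and <Directory> opening lines were stripped from this extraction, so the directory that `Require all granted` applies to could not be checked.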
@@ -0,0 +1,7 @@
+dependencies:
+- role: cert
+ vars:
+ cert_src: websites/hatchlearningcenter.org.cer
+ cert_dest: /etc/pki/tls/certs/hatchlearningcenter.org.cer
+ cert_key_src: websites/hatchlearningcenter.org.key
+ cert_key_dest: /etc/pki/tls/private/hatchlearningcenter.org.key
diff --git a/roles/websites/hatchlearningcenter.org/tasks/main.yml b/roles/websites/hatchlearningcenter.org/tasks/main.yml
new file mode 100644
index 0000000..77c73c9
--- /dev/null
+++ b/roles/websites/hatchlearningcenter.org/tasks/main.yml
@@ -0,0 +1,51 @@
+- name: ensure app group exists
+ group:
+ name: webapp.hlc
+ state: present
+ tags:
+ - group
+ - user
+
+- name: ensure app user exists
+ user:
+ name: webapp.hlc
+ group: webapp.hlc
+ home: /srv/www/hatchlearningcenter.org
+ createhome: true
+ state: present
+ tags:
+ - user
+
+- name: ensure app home directory permissions are set
+ file:
+ path: /srv/www/hatchlearningcenter.org
+ mode: u=rwx,go=rx
+ state: directory
+ tags:
+ - datadir
+
+- name: ensure publisher keys are trusted
+ authorized_key:
+ key: "{{ hlc_publisher_keys|join('\n') }}"
+ user: webapp.hlc
+ exclusive: true
+ tags:
+ - sshkey
+- name: ensure authorized_keys file permissions are correct
+ file:
+ path: /srv/www/hatchlearningcenter.org/.ssh/authorized_keys
+ mode: u=rw,go=
+ owner: webapp.hlc
+ group: webapp.hlc
+ setype: ssh_home_t
+ tags:
+ - sshkey
+
+- name: ensure apache is configured to serve hatchlearningcenter.org
+ copy:
+ src: hatchlearningcenter.org.httpd.conf
+ dest: /etc/httpd/conf.d/hatchlearningcenter.org.conf
+ mode: u=rw,go=r
+ notify: reload httpd
+ tags:
+ - apache-config
diff --git a/websites.yml b/websites.yml
index 51c7140..32e39f6 100755
--- a/websites.yml
+++ b/websites.yml
@@ -59,6 +59,9 @@
 - role: websites/dustinandtabitha.com
 tags:
 - websites/dustinandtabitha
+ - role: websites/hatchlearningcenter.org
+ tags:
+ - websites/hatchlearningcenter.org
 tasks:
 - name: ensure httpd service is running
 service:
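Review bot: The permissions task after `authorized_key` relabels only `.ssh/authorized_keys` with `setype: ssh_home_t`, while the `.ssh` directory under /srv/www/hatchlearningcenter.org keeps whatever label the /srv/www file-context rules give it; if sshd is denied search on that directory, relabeling the file alone does not make the publisher keys usable, so a matching `file` task on the directory (`path: /srv/www/hatchlearningcenter.org/.ssh`, `mode: u=rwx,go=`, `setype: ssh_home_t`) is worth adding, or at least the first key-based login should be checked against the audit log. Nothing in the role creates the `htdocs` DocumentRoot that the httpd config points at, so until the publisher pushes content the vhost errors and the directory's owner and SELinux label depend on whoever creates it; presumably that matches the other website roles, but it is not visible here. Two style points: the `authorized_key` task is not separated from the following one by a blank line as every other task is, and `createhome: true` is the legacy alias for `create_home: true`.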