diff --git a/.certs b/.certs
index 654b52b..13f97e4 160000
--- a/.certs
+++ b/.certs
@@ -1 +1 @@
-Subproject commit 654b52b6080c1a54b6466ac9cdc00da8d2c910d9
+Subproject commit 13f97e4fa1468623cde4cb9e91d616d8ecc57225
diff --git a/certs/websites/dustin.hatch.name.cer b/certs/websites/dustin.hatch.name.cer
new file mode 120000
index 0000000..5ea4c57
--- /dev/null
+++ b/certs/websites/dustin.hatch.name.cer
@@ -0,0 +1 @@
+../../.certs/acme.sh/dustin.hatch.name/fullchain.cer
\ No newline at end of file
diff --git a/certs/websites/dustin.hatch.name.key b/certs/websites/dustin.hatch.name.key
new file mode 120000
index 0000000..88d251a
--- /dev/null
+++ b/certs/websites/dustin.hatch.name.key
@@ -0,0 +1 @@
+../../.certs/acme.sh/dustin.hatch.name/dustin.hatch.name.key
\ No newline at end of file
diff --git a/roles/websites/dustin.hatch.name/defaults/main.yml b/roles/websites/dustin.hatch.name/defaults/main.yml
new file mode 100644
index 0000000..3d14309
--- /dev/null
+++ b/roles/websites/dustin.hatch.name/defaults/main.yml
@@ -0,0 +1 @@
+dchwww_publisher_keys: []
diff --git a/roles/websites/dustin.hatch.name/files/dustin.hatch.name.httpd.conf b/roles/websites/dustin.hatch.name/files/dustin.hatch.name.httpd.conf
index 3f57438..83a1a83 100644
--- a/roles/websites/dustin.hatch.name/files/dustin.hatch.name.httpd.conf
+++ b/roles/websites/dustin.hatch.name/files/dustin.hatch.name.httpd.conf
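Review bot: `certs/websites/dustin.hatch.name.key` links a TLS private key into the working tree through the `.certs` submodule, and websites.yml later copies it out as `cert_key_src`; that is acceptable only if the submodule is a private, access-controlled repository, which this page cannot show, so confirm it before merging. Also confirm that the `cert` role installs the destination `/etc/pki/tls/private/dustin.hatch.name.key` root-owned with a `0600`-equivalent mode, since nothing in this diff sets it. A one-line note beside these symlinks stating that the submodule holds key material would help the next maintainer.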
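Review bot: `dchwww_publisher_keys: []` is undocumented, and with this default the `authorized_key` task in tasks/main.yml renders `key: ""` through `join('\n')`, which the module is likely to reject rather than treat as a no-op; either guard that task with `when: dchwww_publisher_keys | length > 0` or state that the variable must be overridden. Add a comment above the default such as `# SSH public keys (one per item) allowed to log in as webapp.dchwww, presumably for rsync-based publishing`.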
@@ -1,20 +1,25 @@ # vim: set ft=apache : -WSGIDaemonProcess dchwww \ - user=webapp.dchwww \ - group=webapp.dchwww \ - python-home=/srv/www/dustin.hatch.name/venv \ - display-name=%{GROUP} + +ServerName dustin.hatch.name - - - ServerName dustin.hatch.name - - WSGIScriptAlias / /srv/www/dustin.hatch.name/site.py \ - process-group=dchwww - Alias /static /srv/www/dustin.hatch.name/static - - - Require all granted - +RewriteEngine On +RewriteRule (.*) https://%{SERVER_NAME}$1 [R=301,L] + + + +ServerName dustin.hatch.name + +Include conf.d/ssl.include +SSLCertificateKeyFile /etc/pki/tls/private/dustin.hatch.name.key +SSLCertificateFile /etc/pki/tls/certs/dustin.hatch.name.cer + + + Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains" + + +DocumentRoot /srv/www/dustin.hatch.name/htdocs + + Require all granted + diff --git a/roles/websites/dustin.hatch.name/handlers/main.yml b/roles/websites/dustin.hatch.name/handlers/main.yml index 68662db..a648c3a 100644 --- a/roles/websites/dustin.hatch.name/handlers/main.yml +++ b/roles/websites/dustin.hatch.name/handlers/main.yml @@ -1,8 +1,4 @@ -- name: restart httpd - service: - name=httpd - state=restarted - name: reload httpd service: - name=httpd - state=reloaded + name: httpd + state: reloaded diff --git a/roles/websites/dustin.hatch.name/tasks/main.yml b/roles/websites/dustin.hatch.name/tasks/main.yml index 2bce504..703e13f 100644 --- a/roles/websites/dustin.hatch.name/tasks/main.yml +++ b/roles/websites/dustin.hatch.name/tasks/main.yml 
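Review bot: The port-80 vhost's redirect target is built from `%{SERVER_NAME}`, which under Apache's default `UseCanonicalName Off` is taken from the client's Host header, so if this vhost also answers unmatched hostnames the redirect follows whatever Host the client sent; pin the destination instead, e.g. `Redirect permanent / https://dustin.hatch.name/` (mod_alias, no mod_rewrite needed) or `RewriteRule (.*) https://dustin.hatch.name$1 [R=301,L]`. The `includeSubDomains` directive on the HSTS header commits every subdomain of dustin.hatch.name to HTTPS for two years, so confirm none of them is still served over plain HTTP. The `<VirtualHost>`/`<Directory>`/`<IfModule>` tags that presumably enclose these directives are not visible in this rendering, so the scope of `Require all granted` is inferred rather than seen.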
@@ -1,36 +1,36 @@ -- name: ensure mod_wsgi is installed - package: - name=python3-mod_wsgi - state=present - notify: restart httpd - tags: - - install - - name: ensure rsync is installed package: - name=rsync - state=present + name: rsync + state: present tags: - install - name: ensure app group exists group: - name=webapp.dchwww - state=present + name: webapp.dchwww + state: present - name: ensure app user exists user: - name=webapp.dchwww - group=webapp.dchwww - home=/srv/www/dustin.hatch.name - createhome=yes - state=present + name: webapp.dchwww + group: webapp.dchwww + home: /srv/www/dustin.hatch.name + createhome: true + state: present - name: ensure app home directory permissions are set file: - path=/srv/www/dustin.hatch.name - mode=0755 - state=directory + path: /srv/www/dustin.hatch.name + mode: u=rwx,go=rx + state: directory +- name: ensure app ssh home directory exists + file: + path: /srv/www/dustin.hatch.name/.ssh + mode: '0700' + owner: webapp.dchwww + group: webapp.dchwww + setype: ssh_home_t + state: directory - name: ensure publisher keys are trusted authorized_key: key: "{{ dchwww_publisher_keys|join('\n') }}" @@ -39,22 +39,16 @@ - name: ensure authorized_keys file permissions are correct file: path: /srv/www/dustin.hatch.name/.ssh/authorized_keys - mode: '0600' + mode: u=rw,go= owner: webapp.dchwww group: webapp.dchwww setype: ssh_home_t -- name: ensure virtualenv exists - become: true - become_user: webapp.dchwww - pip: - name: pip - virtualenv: /srv/www/dustin.hatch.name/venv - virtualenv_command: /usr/bin/python3 -m venv - - name: ensure apache is configured to serve dustin.hatch.name copy: - src=dustin.hatch.name.httpd.conf - dest=/etc/httpd/conf.d/dustin.hatch.name.conf - mode=0644 + src: dustin.hatch.name.httpd.conf + dest: /etc/httpd/conf.d/dustin.hatch.name.conf + mode: u=rw,go=r notify: reload httpd + tags: + - httpd-config diff --git a/websites.yml b/websites.yml index d34a803..51c7140 100755 --- a/websites.yml +++ b/websites.yml 
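Review bot: The new `ensure app ssh home directory exists` task writes its mode as `'0700'` while every other mode this commit touches, including `'0600'` → `u=rw,go=` in the second hunk, is converted to symbolic form; use `mode: u=rwx,go=` so the file reads consistently. In the `user` task, `createhome` is the legacy alias of `create_home`, and the canonical name fits better alongside the other block-style arguments. The `authorized_key` task that closes this hunk continues outside it, so its remaining arguments could not be reviewed here.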
@@ -7,6 +7,12 @@
 tags: formsubmit
 - role: websites/pyrocufflink.net
 tags: websites/pyrocufflink.net
+ - role: cert
+ cert_src: websites/dustin.hatch.name.cer
+ cert_dest: /etc/pki/tls/certs/dustin.hatch.name.cer
+ cert_key_src: websites/dustin.hatch.name.key
+ cert_key_dest: /etc/pki/tls/private/dustin.hatch.name.key
+ tags: websites/dustin.hatch.name
 - role: websites/dustin.hatch.name
 tags: websites/dustin.hatch.name
 - role: websites/ebonfire.com
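Review bot: The new `cert` role entry must stay ahead of `websites/dustin.hatch.name`, because that role's httpd config references `/etc/pki/tls/certs/dustin.hatch.name.cer` and `/etc/pki/tls/private/dustin.hatch.name.key` and its `reload httpd` handler would fail if they were missing, yet nothing in the play records this ordering dependency. Add a comment above the entry, e.g. `# must precede websites/dustin.hatch.name: its vhost references these cert paths`. Giving both entries the same `websites/dustin.hatch.name` tag keeps them together under `--tags`, which is the right call.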