From d363026db203c5a5fd06b455b875d9b100860392 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sat, 23 Apr 2022 15:30:40 -0500
Subject: [PATCH] websites: dustin.hatch.name: Deploy new site

Promoting the new site I have been working on at *dustin.hatch.is* to my main domain, *dustin.hatch.name*. The new site is just static content, generated and uploaded by a Jenkins job. Finally have a certificate for *dustin.hatch.name* now, too!
---
 .certs | 2 +-
 certs/websites/dustin.hatch.name.cer | 1 +
 certs/websites/dustin.hatch.name.key | 1 +
 .../dustin.hatch.name/defaults/main.yml | 1 +
 .../files/dustin.hatch.name.httpd.conf | 37 +++++++-----
 .../dustin.hatch.name/handlers/main.yml | 8 +--
 .../websites/dustin.hatch.name/tasks/main.yml | 58 +++++++++----------
 websites.yml | 6 ++
 8 files changed, 59 insertions(+), 55 deletions(-)
 create mode 120000 certs/websites/dustin.hatch.name.cer
 create mode 120000 certs/websites/dustin.hatch.name.key
 create mode 100644 roles/websites/dustin.hatch.name/defaults/main.yml

diff --git a/.certs b/.certs
index 654b52b..13f97e4 160000
--- a/.certs
+++ b/.certs
@@ -1 +1 @@
-Subproject commit 654b52b6080c1a54b6466ac9cdc00da8d2c910d9
+Subproject commit 13f97e4fa1468623cde4cb9e91d616d8ecc57225
diff --git a/certs/websites/dustin.hatch.name.cer b/certs/websites/dustin.hatch.name.cer
new file mode 120000
index 0000000..5ea4c57
--- /dev/null
+++ b/certs/websites/dustin.hatch.name.cer
@@ -0,0 +1 @@
+../../.certs/acme.sh/dustin.hatch.name/fullchain.cer
\ No newline at end of file
diff --git a/certs/websites/dustin.hatch.name.key b/certs/websites/dustin.hatch.name.key
new file mode 120000
index 0000000..88d251a
--- /dev/null
+++ b/certs/websites/dustin.hatch.name.key
@@ -0,0 +1 @@
+../../.certs/acme.sh/dustin.hatch.name/dustin.hatch.name.key
\ No newline at end of file
diff --git a/roles/websites/dustin.hatch.name/defaults/main.yml b/roles/websites/dustin.hatch.name/defaults/main.yml
new file mode 100644
index 0000000..3d14309
--- /dev/null
+++ b/roles/websites/dustin.hatch.name/defaults/main.yml
@@ -0,0 +1 @@
+dchwww_publisher_keys: []
diff --git a/roles/websites/dustin.hatch.name/files/dustin.hatch.name.httpd.conf b/roles/websites/dustin.hatch.name/files/dustin.hatch.name.httpd.conf
index 3f57438..83a1a83 100644
--- a/roles/websites/dustin.hatch.name/files/dustin.hatch.name.httpd.conf
+++ b/roles/websites/dustin.hatch.name/files/dustin.hatch.name.httpd.conf
@@ -1,20 +1,25 @@
 # vim: set ft=apache : -WSGIDaemonProcess dchwww \ - user=webapp.dchwww \ - group=webapp.dchwww \ - python-home=/srv/www/dustin.hatch.name/venv \ - display-name=%{GROUP} + +ServerName dustin.hatch.name - - - ServerName dustin.hatch.name - - WSGIScriptAlias / /srv/www/dustin.hatch.name/site.py \ - process-group=dchwww - Alias /static /srv/www/dustin.hatch.name/static - - - Require all granted - +RewriteEngine On +RewriteRule (.*) https://%{SERVER_NAME}$1 [R=301,L] + + + +ServerName dustin.hatch.name + +Include conf.d/ssl.include +SSLCertificateKeyFile /etc/pki/tls/private/dustin.hatch.name.key +SSLCertificateFile /etc/pki/tls/certs/dustin.hatch.name.cer + + + Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains" + + +DocumentRoot /srv/www/dustin.hatch.name/htdocs + + Require all granted +
diff --git a/roles/websites/dustin.hatch.name/handlers/main.yml b/roles/websites/dustin.hatch.name/handlers/main.yml
index 68662db..a648c3a 100644
--- a/roles/websites/dustin.hatch.name/handlers/main.yml
+++ b/roles/websites/dustin.hatch.name/handlers/main.yml
@@ -1,8 +1,4 @@
-- name: restart httpd
- service:
- name=httpd
- state=restarted
 - name: reload httpd
 service:
- name=httpd
- state=reloaded
+ name: httpd
+ state: reloaded
diff --git a/roles/websites/dustin.hatch.name/tasks/main.yml b/roles/websites/dustin.hatch.name/tasks/main.yml
index 2bce504..703e13f 100644
--- a/roles/websites/dustin.hatch.name/tasks/main.yml
+++ b/roles/websites/dustin.hatch.name/tasks/main.yml
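Review bot: With the new default `dchwww_publisher_keys: []`, the `ensure publisher keys are trusted` task (context in the tasks hunk) renders `key: "{{ dchwww_publisher_keys|join('\n') }}"` as an empty string, and whether `authorized_key` accepts an empty `key` rather than failing depends on the Ansible version in use — worth confirming on a host that sets no keys. If the role should be applicable with no publishers defined, guarding that task with `when: dchwww_publisher_keys` makes the empty default safe regardless. A one-line comment on the default, such as `# SSH public keys allowed to rsync content into the site's htdocs`, would also tell a reader what the list is for.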
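Review bot: The HTTP vhost's redirect builds its target from `%{SERVER_NAME}`; unless `UseCanonicalName On` is set in the global httpd config (not visible here), SERVER_NAME follows the client's Host header, so if this vhost is the default for `*:80` a request carrying a foreign Host header is redirected to that foreign host instead of to this site. Since the vhost already fixes `ServerName dustin.hatch.name`, the target can simply be hard-coded: `RewriteRule (.*) https://dustin.hatch.name$1 [R=301,L]`. The `Require all granted` block for the new DocumentRoot sets no `Options`, so whether listings of the rsync-uploaded tree are possible depends on the server-wide default; adding `Options -Indexes` there makes the intent explicit for static content. The opening and closing container directives of this file (VirtualHost, Directory, IfModule) are not visible in the hunk as rendered on this page, so their exact paths could not be checked.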
@@ -1,36 +1,36 @@
-- name: ensure mod_wsgi is installed - package: - name=python3-mod_wsgi - state=present - notify: restart httpd - tags: - - install - - name: ensure rsync is installed package: - name=rsync - state=present + name: rsync + state: present tags: - install - name: ensure app group exists group: - name=webapp.dchwww - state=present + name: webapp.dchwww + state: present - name: ensure app user exists user: - name=webapp.dchwww - group=webapp.dchwww - home=/srv/www/dustin.hatch.name - createhome=yes - state=present + name: webapp.dchwww + group: webapp.dchwww + home: /srv/www/dustin.hatch.name + createhome: true + state: present - name: ensure app home directory permissions are set file: - path=/srv/www/dustin.hatch.name - mode=0755 - state=directory + path: /srv/www/dustin.hatch.name + mode: u=rwx,go=rx + state: directory +- name: ensure app ssh home directory exists + file: + path: /srv/www/dustin.hatch.name/.ssh + mode: '0700' + owner: webapp.dchwww + group: webapp.dchwww + setype: ssh_home_t + state: directory - name: ensure publisher keys are trusted authorized_key: key: "{{ dchwww_publisher_keys|join('\n') }}"
@@ -39,22 +39,16 @@
 - name: ensure authorized_keys file permissions are correct file: path: /srv/www/dustin.hatch.name/.ssh/authorized_keys - mode: '0600' + mode: u=rw,go= owner: webapp.dchwww group: webapp.dchwww setype: ssh_home_t -- name: ensure virtualenv exists - become: true - become_user: webapp.dchwww - pip: - name: pip - virtualenv: /srv/www/dustin.hatch.name/venv - virtualenv_command: /usr/bin/python3 -m venv - - name: ensure apache is configured to serve dustin.hatch.name copy: - src=dustin.hatch.name.httpd.conf - dest=/etc/httpd/conf.d/dustin.hatch.name.conf - mode=0644 + src: dustin.hatch.name.httpd.conf + dest: /etc/httpd/conf.d/dustin.hatch.name.conf + mode: u=rw,go=r notify: reload httpd + tags: + - httpd-config
diff --git a/websites.yml b/websites.yml
index d34a803..51c7140 100755
--- a/websites.yml
+++ b/websites.yml
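Review bot: Dropping the `ensure mod_wsgi is installed` task (and, in the second hunk of this file, the virtualenv task) does not undo either on hosts that already ran the old role: `python3-mod_wsgi` stays installed and is still loaded by httpd through its packaged module config, and `/srv/www/dustin.hatch.name/venv` stays on disk, although the new httpd config no longer references them. Explicit `state: absent` tasks, sketched below, would retire the WSGI pieces rather than leave an unused module in the web server. The user task's `createhome: true` is the legacy spelling; the current option name is `create_home: true`. Nothing in this role creates `/srv/www/dustin.hatch.name/htdocs`, which the new httpd config uses as DocumentRoot — presumably the publisher's rsync does, which is worth stating in a comment such as `# htdocs is created by the publisher's rsync job, not by this role`.

```yaml
- name: ensure mod_wsgi is removed
  package:
    name: python3-mod_wsgi
    state: absent
  notify: reload httpd
  tags:
    - install

- name: ensure legacy virtualenv is removed
  file:
    path: /srv/www/dustin.hatch.name/venv
    state: absent

# … unchanged: rsync, group, user, home directory, .ssh directory and authorized_key tasks …
```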
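Review bot: File mode notation is now mixed within this file: this hunk switches `authorized_keys` to `mode: u=rw,go=` and the config copy to `mode: u=rw,go=r`, while the new `.ssh` directory task in the first hunk uses `mode: '0700'`; one notation throughout reads better, e.g. `mode: u=rwx,go=` for the `.ssh` directory. The trailing `go=` is easy to misread as an unfinished value, so a short comment such as `# go= clears all group/other bits (equivalent to 0600)` would make the intent explicit. The new `tags: - httpd-config` is only on the copy task, which seems intended since it is the only task touching httpd; a comment saying so would save the next reader from wondering why the other tasks carry `install` instead.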
@@ -7,6 +7,12 @@
 tags: formsubmit
 - role: websites/pyrocufflink.net
 tags: websites/pyrocufflink.net
+ - role: cert
+ cert_src: websites/dustin.hatch.name.cer
+ cert_dest: /etc/pki/tls/certs/dustin.hatch.name.cer
+ cert_key_src: websites/dustin.hatch.name.key
+ cert_key_dest: /etc/pki/tls/private/dustin.hatch.name.key
+ tags: websites/dustin.hatch.name
 - role: websites/dustin.hatch.name
 tags: websites/dustin.hatch.name
 - role: websites/ebonfire.com
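Review bot: The `cert_dest` and `cert_key_dest` paths on the new `cert` role entry must agree with `SSLCertificateFile` and `SSLCertificateKeyFile` in `roles/websites/dustin.hatch.name/files/dustin.hatch.name.httpd.conf`, and nothing ties the two together; a comment on the entry such as `# dest paths are referenced by dustin.hatch.name.httpd.conf` keeps them from drifting apart. Giving the `cert` entry the same `websites/dustin.hatch.name` tag as the site role means a tagged run deploys both, which is presumably intended since the new TLS vhost cannot load without the certificate files.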