101 lines
2.3 KiB
YAML
101 lines
2.3 KiB
YAML
- name: ensure apache httpd is installed
|
|
package:
|
|
name=httpd,mod_ssl
|
|
state=present
|
|
tags:
|
|
- install
|
|
|
|
- name: ensure http service keytab is in place
|
|
copy:
|
|
src={{ item }}
|
|
dest=/etc/httpd/krb5.keytab
|
|
mode=0440
|
|
owner=root
|
|
group=apache
|
|
with_fileglob:
|
|
- '{{ inventory_hostname }}.keytab'
|
|
|
|
- name: ensure tls private key exists
|
|
copy:
|
|
src={{ item }}
|
|
dest={{ apache_ssl_certificate_key }}
|
|
mode=0400
|
|
setype=cert_t
|
|
with_fileglob:
|
|
- '{{ inventory_hostname }}.key'
|
|
notify: reload httpd
|
|
- name: ensure tls certificate exists
|
|
copy:
|
|
src={{ item }}
|
|
dest={{ apache_ssl_certificate }}
|
|
mode=0644
|
|
setype=cert_t
|
|
with_fileglob:
|
|
- '{{ inventory_hostname }}.cer'
|
|
notify: reload httpd
|
|
- name: ensure tls ca certificate exists
|
|
copy:
|
|
src={{ item }}
|
|
dest={{ apache_ssl_ca_certificate }}
|
|
mode=0644
|
|
setype=cert_t
|
|
when: apache_ssl_ca_certificate is defined
|
|
with_fileglob:
|
|
- '{{ inventory_hostname }}-ca.crt'
|
|
notify: reload httpd
|
|
- name: ensure ssl.include is populated
|
|
template:
|
|
src=ssl.include.j2
|
|
dest=/etc/httpd/conf.d/ssl.include
|
|
mode=0644
|
|
notify: reload httpd
|
|
- name: ensure mod_ssl is configured
|
|
template:
|
|
src=ssl.conf.j2
|
|
dest=/etc/httpd/conf.d/ssl.conf
|
|
mode=0644
|
|
setype=httpd_config_t
|
|
notify: reload httpd
|
|
|
|
- name: ensure apache mpm module is configured
|
|
template:
|
|
src=mpm.httpd.conf.j2
|
|
dest=/etc/httpd/conf.d/00-mpm.conf
|
|
mode=0644
|
|
setype=httpd_config_t
|
|
notify: reload httpd
|
|
- name: ensure apache server name is set
|
|
template:
|
|
src=servername.httpd.conf.j2
|
|
dest=/etc/httpd/conf.d/00-servername.conf
|
|
mode=0644
|
|
setype=httpd_config_t
|
|
notify: reload httpd
|
|
|
|
- name: ensure httpd service starts at boot
|
|
service:
|
|
name=httpd
|
|
enabled=yes
|
|
|
|
- name: ensure web ports are open in firewall
|
|
firewalld: >-
|
|
port={{ item if '/' in item else omit }}
|
|
service={{ item if '/' not in item else omit }}
|
|
permanent=no
|
|
immediate=yes
|
|
state=enabled
|
|
with_items: '{{ web_ports }}'
|
|
notify: save firewalld configuration
|
|
|
|
- meta: flush_handlers
|
|
- name: ensure httpd service is running
|
|
service:
|
|
name=httpd
|
|
state=started
|
|
|
|
- name: ensure old apache logs are rotated
|
|
template:
|
|
src=httpd.logrotate.j2
|
|
dest=/etc/logrotate.d/httpd
|
|
mode=0644
|