authorStonewall Jackson <stonewall@sacredheartsc.com>2023-02-04 01:23:43 -0500
committerStonewall Jackson <stonewall@sacredheartsc.com>2023-02-04 01:52:13 -0500
commit0261e875679f1bf63c8d689da7fc7e014597885d (patch)
tree3f19cd74a0c1070944f75437f30b098d6ef2ffcb /roles/apache
initial commit
Diffstat (limited to 'roles/apache')
-rw-r--r--roles/apache/defaults/main.yml11
-rw-r--r--roles/apache/files/etc/systemd/system/httpd.service.d/override.conf6
-rw-r--r--roles/apache/handlers/main.yml9
-rw-r--r--roles/apache/meta/main.yml5
-rw-r--r--roles/apache/tasks/gssapi.yml49
-rw-r--r--roles/apache/tasks/main.yml63
-rw-r--r--roles/apache/templates/etc/httpd/conf.d/letsencrypt.conf.j28
-rw-r--r--roles/apache/templates/etc/httpd/conf.d/ssl.conf.j217
-rw-r--r--roles/apache/templates/etc/httpd/conf/httpd.conf.j298
-rw-r--r--roles/apache/vars/main.yml37
10 files changed, 303 insertions, 0 deletions
diff --git a/roles/apache/defaults/main.yml b/roles/apache/defaults/main.yml
new file mode 100644
index 0000000..b0605ba
--- /dev/null
+++ b/roles/apache/defaults/main.yml
@@ -0,0 +1,11 @@
+apache_use_nfs: no
+apache_can_network_relay: yes
+apache_can_network_connect: no
+apache_can_network_connect_db: no
+apache_can_connect_ldap: no
+apache_can_sendmail: no
+apache_gssapi: no
+
+apache_sysaccount_username: apache
+
+apache_backup_dirs: []
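Review bot: The boolean defaults on lines 32–38 are written as `yes`/`no`, which YAML 1.1 loaders accept as booleans but YAML 1.2 loaders and yamllint's truthy rule do not, and Ansible's own style guidance asks for `true`/`false`. Rewrite them as `apache_use_nfs: false`, `apache_can_network_relay: true`, and so on for the rest of the block. `apache_sysaccount_password`, which meta/main.yml passes to the dependency, has no default here and no mention of where it comes from; if it is expected from a vault, a comment such as `# apache_sysaccount_password: must be supplied (vault) when apache_gssapi is true` documents the contract.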
diff --git a/roles/apache/files/etc/systemd/system/httpd.service.d/override.conf b/roles/apache/files/etc/systemd/system/httpd.service.d/override.conf
new file mode 100644
index 0000000..2b6650f
--- /dev/null
+++ b/roles/apache/files/etc/systemd/system/httpd.service.d/override.conf
@@ -0,0 +1,6 @@
+[Unit]
+Wants=httpd-init.service gssproxy.service
+After=network.target remote-fs.target nss-lookup.target httpd-init.service gssproxy.service
+
+[Service]
+Environment=GSS_USE_PROXY=yes
diff --git a/roles/apache/handlers/main.yml b/roles/apache/handlers/main.yml
new file mode 100644
index 0000000..395e802
--- /dev/null
+++ b/roles/apache/handlers/main.yml
@@ -0,0 +1,9 @@
+- name: restart apache
+ systemd:
+ name: httpd
+ state: restarted
+
+- name: reload apache
+ systemd:
+ name: httpd
+ state: reloaded
diff --git a/roles/apache/meta/main.yml b/roles/apache/meta/main.yml
new file mode 100644
index 0000000..742c491
--- /dev/null
+++ b/roles/apache/meta/main.yml
@@ -0,0 +1,5 @@
+dependencies:
+ - role: freeipa_system_account
+ system_account_username: '{{ apache_sysaccount_username }}'
+ system_account_password: '{{ apache_sysaccount_password }}'
+ when: apache_gssapi
diff --git a/roles/apache/tasks/gssapi.yml b/roles/apache/tasks/gssapi.yml
new file mode 100644
index 0000000..c006d54
--- /dev/null
+++ b/roles/apache/tasks/gssapi.yml
@@ -0,0 +1,49 @@
+- name: create HTTP service principal
+ ipaservice:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: 'HTTP/{{ ansible_fqdn }}'
+ state: present
+
+- name: retrieve HTTP keytab
+ include_role:
+ name: freeipa_keytab
+ vars:
+ keytab_principal: 'HTTP/{{ ansible_fqdn }}'
+ keytab_path: '{{ apache_keytab }}'
+
+- name: configure gssproxy for kerberized HTTP
+ include_role:
+ name: gssproxy_client
+ vars:
+ gssproxy_name: httpd
+ gssproxy_section: service/HTTP
+ gssproxy_keytab: '{{ apache_keytab }}'
+ gssproxy_cred_usage: accept
+ gssproxy_euid: apache
+ gssproxy_program: /usr/sbin/httpd
+
+- name: create systemd override directory
+ file:
+ path: /etc/systemd/system/httpd.service.d
+ state: directory
+
+- name: set GSS_USE_PROXY=yes in httpd environment
+ copy:
+ src: etc/systemd/system/httpd.service.d/override.conf
+ dest: /etc/systemd/system/httpd.service.d/override.conf
+ register: apache_systemd_unit
+ notify: restart apache
+
+- name: reload systemd units
+ systemd:
+ daemon_reload: yes
+ when: apache_systemd_unit.changed
+
+- name: create gssapi session directory
+ file:
+ path: '{{ apache_session_dir }}'
+ mode: 0700
+ owner: apache
+ group: apache
+ state: directory
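Review bot: `mode: 0700` on line 132 is an unquoted octal literal; Ansible's PyYAML loader happens to read it as the integer 448 (which is 0o700), but any YAML 1.2 loader reads it as decimal 700 and ansible-lint flags it as a risky octal. Quote it: `mode: '0700'`. `daemon_reload: yes` on line 126 would also be `daemon_reload: true` under the same boolean style.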
diff --git a/roles/apache/tasks/main.yml b/roles/apache/tasks/main.yml
new file mode 100644
index 0000000..4892782
--- /dev/null
+++ b/roles/apache/tasks/main.yml
@@ -0,0 +1,63 @@
+- name: install packages
+ dnf:
+ name: '{{ apache_packages }}'
+ state: present
+ notify: restart apache
+
+- name: remove default configuration
+ copy:
+ content: |
+ # this file intentionally empty to avoid clobbering during package upgrades
+ dest: /etc/httpd/conf.d/welcome.conf
+ notify: reload apache
+
+- name: generate config files
+ template:
+ src: etc/httpd/{{ item }}.j2
+ dest: /etc/httpd/{{ item }}
+ loop:
+ - conf/httpd.conf
+ - conf.d/ssl.conf
+ - conf.d/letsencrypt.conf
+ register: apache_global_config
+
+- name: reload apache
+ systemd:
+ name: httpd
+ state: reloaded
+ when: apache_global_config.changed
+
+- name: set selinux booleans
+ seboolean:
+ name: '{{ item.sebool }}'
+ state: '{{ item.value }}'
+ persistent: yes
+ loop:
+ - { sebool: httpd_use_nfs, value: '{{ apache_use_nfs }}' }
+ - { sebool: httpd_can_network_relay, value: '{{ apache_can_network_relay }}' }
+ - { sebool: httpd_can_network_connect, value: '{{ apache_can_network_connect }}' }
+ - { sebool: httpd_can_connect_ldap, value: '{{ apache_gssapi or apache_can_connect_ldap}}' }
+ - { sebool: httpd_can_network_connect_db, value: '{{ apache_can_network_connect_db }}' }
+ - { sebool: httpd_can_sendmail, value: '{{ apache_can_sendmail }}' }
+ tags: selinux
+
+- name: configure mod_gssapi
+ import_tasks: gssapi.yml
+ when: apache_gssapi or apache_use_nfs
+
+- name: enable apache
+ systemd:
+ name: httpd
+ enabled: yes
+ state: started
+
+- name: open firewall ports
+ firewalld:
+ service: '{{ item }}'
+ permanent: yes
+ immediate: yes
+ state: enabled
+ loop:
+ - http
+ - https
+ tags: firewalld
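Review bot: The `configure mod_gssapi` import on lines 185–187 also runs when only `apache_use_nfs` is set, so the HTTP service principal, keytab and gssproxy client are configured on hosts that never enable `apache_gssapi`, and the task name does not convey that. Presumably the keytab is what lets httpd read Kerberized NFS exports; if so, a comment on the import, `# kerberized NFS also needs the HTTP keytab via gssproxy`, makes the condition self-explaining. The expression `'{{ apache_gssapi or apache_can_connect_ldap}}'` on line 180 lacks the space before `}}` that every other expression in the file has. The inline task named `reload apache` on line 165 shares its name with the handler of the same name; renaming it, e.g. `reload apache after config change`, keeps `notify: reload apache` unambiguous in play output.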
diff --git a/roles/apache/templates/etc/httpd/conf.d/letsencrypt.conf.j2 b/roles/apache/templates/etc/httpd/conf.d/letsencrypt.conf.j2
new file mode 100644
index 0000000..60d092e
--- /dev/null
+++ b/roles/apache/templates/etc/httpd/conf.d/letsencrypt.conf.j2
@@ -0,0 +1,8 @@
+Alias /.well-known/acme-challenge/ {{ apache_letsencrypt_dir}}/.well-known/acme-challenge/
+ProxyPass /.well-known/acme-challenge/ !
+<Directory "{{ apache_letsencrypt_dir }}/.well-known/acme-challenge/">
+ Options None
+ AllowOverride None
+ ForceType text/plain
+ RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
+</Directory>
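Review bot: `{{ apache_letsencrypt_dir}}` on line 211 is missing the space before `}}` that line 213 uses; Jinja accepts both, but consistent spacing keeps a grep for the variable reliable. Change it to `Alias /.well-known/acme-challenge/ {{ apache_letsencrypt_dir }}/.well-known/acme-challenge/`.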
diff --git a/roles/apache/templates/etc/httpd/conf.d/ssl.conf.j2 b/roles/apache/templates/etc/httpd/conf.d/ssl.conf.j2
new file mode 100644
index 0000000..eb85a29
--- /dev/null
+++ b/roles/apache/templates/etc/httpd/conf.d/ssl.conf.j2
@@ -0,0 +1,17 @@
+Listen 443 https
+
+SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
+
+SSLSessionCache shmcb:/run/httpd/sslcache(512000)
+SSLSessionCacheTimeout 300
+
+SSLCryptoDevice builtin
+
+SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
+SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+SSLHonorCipherOrder off
+SSLSessionTickets off
+
+# Stapling causes all kinds of hard-to-debug problems on Android clients!
+#SSLUseStapling On
+#SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
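Review bot: The `SSLCipherSuite` line (line 235) is over 200 characters and gives no hint of which profile it tracks; with `SSLHonorCipherOrder off` and `SSLSessionTickets off` it looks like a Mozilla intermediate-style TLS 1.2 list of AEAD ECDHE/DHE suites, but that is inferred. A comment above it naming the source and the date it was taken, e.g. `# TLS 1.2 suites: AEAD ECDHE/DHE only (intermediate profile) — refresh deliberately`, lets the next maintainer update it on purpose rather than by guesswork. Note that on httpd 2.4.36+ this list does not govern TLS 1.3, whose suites are set separately via `SSLCipherSuite TLSv1.3 ...`.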
diff --git a/roles/apache/templates/etc/httpd/conf/httpd.conf.j2 b/roles/apache/templates/etc/httpd/conf/httpd.conf.j2
new file mode 100644
index 0000000..d34c4a9
--- /dev/null
+++ b/roles/apache/templates/etc/httpd/conf/httpd.conf.j2
@@ -0,0 +1,98 @@
+ServerRoot "/etc/httpd"
+
+Listen 80
+
+Include conf.modules.d/*.conf
+
+User apache
+Group apache
+
+ServerAdmin root@localhost
+ServerName {{ ansible_fqdn }}
+
+ServerTokens Prod
+ServerSignature Off
+
+# default deny
+<Directory />
+ AllowOverride none
+ Require all denied
+</Directory>
+
+DocumentRoot "{{ apache_public_dir }}/html"
+
+KeepAlive On
+
+# relax access to content within {{ apache_public_dir }}.
+<Directory "{{ apache_public_dir }}">
+ AllowOverride None
+ Require all granted
+</Directory>
+
+# further relax access to the default document root:
+<Directory "{{ apache_public_dir }}/html">
+ Options FollowSymLinks
+
+ AllowOverride None
+
+ Require all granted
+</Directory>
+
+# serve index.html if a directory is requested
+<IfModule dir_module>
+ DirectoryIndex index.html
+</IfModule>
+
+# deny .htaccess, .htpasswd
+<Files ".ht*">
+ Require all denied
+</Files>
+
+ErrorLog "logs/error_log"
+
+LogLevel warn
+
+<IfModule log_config_module>
+ LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+ LogFormat "%h %l %u %t \"%r\" %>s %b" common
+
+ <IfModule logio_module>
+ LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
+ </IfModule>
+
+ CustomLog "logs/access_log" combined
+</IfModule>
+
+<IfModule alias_module>
+ ScriptAlias /cgi-bin/ "{{ apache_public_dir }}/cgi-bin/"
+
+</IfModule>
+
+<Directory "{{ apache_public_dir }}/cgi-bin">
+ AllowOverride None
+ Options None
+ Require all granted
+</Directory>
+
+<IfModule mime_module>
+ TypesConfig /etc/mime.types
+
+ AddType application/x-compress .Z
+ AddType application/x-gzip .gz .tgz
+
+ AddType text/html .shtml
+ AddOutputFilter INCLUDES .shtml
+</IfModule>
+
+AddDefaultCharset UTF-8
+
+<IfModule mime_magic_module>
+ MIMEMagicFile conf/magic
+</IfModule>
+
+EnableSendfile on
+
+AddOutputFilterByType DEFLATE {{ apache_gzip_types | join(" ") }}
+
+# Load config files in the "/etc/httpd/conf.d" directory, if any.
+IncludeOptional conf.d/*.conf
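Review bot: `EnableSendfile on` (line 340) is unconditional, yet the role has an `apache_use_nfs` switch, and the httpd documentation advises turning sendfile off for network-mounted document roots because the kernel can serve stale or truncated file content. Tie it to the switch: `EnableSendfile {{ 'off' if apache_use_nfs else 'on' }}`. The file already hardens with `ServerTokens Prod` and `ServerSignature Off` but leaves `TraceEnable` at its default of On; `TraceEnable Off` belongs next to them. The `ScriptAlias /cgi-bin/` stanza and its `Require all granted` directory block (lines 313–322) expose a CGI directory that nothing in this role populates; if CGI is not needed, dropping both removes an execution surface from every host the role touches.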
diff --git a/roles/apache/vars/main.yml b/roles/apache/vars/main.yml
new file mode 100644
index 0000000..fa0a293
--- /dev/null
+++ b/roles/apache/vars/main.yml
@@ -0,0 +1,37 @@
+apache_packages:
+ - httpd
+ - mod_ssl
+ - mod_auth_gssapi
+ - mod_session
+ - mod_ldap
+
+apache_public_dir: /var/www
+
+apache_session_dir: /var/lib/httpd/session
+apache_gssapi_session_key: '{{ apache_session_dir }}/gssapi.key'
+apache_letsencrypt_dir: '{{ apache_public_dir }}/letsencrypt'
+apache_keytab: /var/lib/gssproxy/clients/apache.keytab
+
+apache_gzip_types:
+ - application/javascript
+ - application/json
+ - application/rss+xml
+ - application/vnd.ms-fontobject
+ - application/x-font
+ - application/x-font-opentype
+ - application/x-font-otf
+ - application/x-font-truetype
+ - application/x-font-ttf
+ - application/x-javascript
+ - application/xhtml+xml
+ - application/xml
+ - font/opentype
+ - font/otf
+ - font/ttf
+ - image/svg+xml
+ - image/x-icon
+ - text/css
+ - text/html
+ - text/javascript
+ - text/plain
+ - text/xml
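Review bot: Several values here read like tunables — `apache_public_dir`, `apache_session_dir`, `apache_keytab`, `apache_gzip_types` — but `vars/main.yml` has higher precedence than inventory and play vars, so a consumer cannot override them short of `-e`. If they are meant to be adjustable, move them to `defaults/main.yml` and keep `vars/` for true role constants such as `apache_packages`. `apache_gssapi_session_key` (line 362) is not referenced by any other file in this commit; if a later template consumes it, a comment saying so prevents it being pruned as dead.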