infrastructure/ansible
1
0
Fork 0
Code Issues Pull requests 7 Projects Releases Packages Wiki Activity Actions
ansible/playbooks/include/proxies-websites.yml
Patrick Uiterwijk 936e8b261a yum accepted pkg=, package calls it name= 
Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
2017-10-09 00:38:26 +02:00

804 lines
22 KiB
YAML
Raw Blame History

- name: Set up those proxy websites. My, my..
hosts: proxies-stg:proxies
user: root
gather_facts: True
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
handlers:
- include: "{{ handlers_path }}/restart_services.yml"
pre_tasks:
- name: Install policycoreutils-python
package: name=policycoreutils-python state=present
- name: Create /srv/web/ for all the goodies.
file: >
dest=/srv/web state=directory
owner=root group=root mode=0755
tags:
- httpd
- httpd/website
- name: check the selinux context of webdir
command: matchpathcon /srv/web
register: webdir
check_mode: no
changed_when: "1 != 1"
tags:
- config
- selinux
- httpd
- httpd/website
- name: /srv/web file contexts
command: semanage fcontext -a -t httpd_sys_content_t "/srv/web(/.*)?"
when: webdir.stdout.find('httpd_sys_content_t') == -1
tags:
- config
- selinux
- httpd
- httpd/website
roles:
- role: httpd/website
name: fedoraproject.org
cert_name: "{{wildcard_cert_name}}"
server_aliases:
- stg.fedoraproject.org
- localhost
# This is for all the other domains we own
# that redirect to https://fedoraproject.org
- role: httpd/website
name: fedoraproject.com
cert_name: "{{wildcard_cert_name}}"
server_aliases:
- fedora.asia
- fedora.com.my
- fedora.cr
- fedora.events
- fedora.me
- fedora.mobi
- fedora.my
- fedora.org
- fedora.org.cn
- fedora.pe
- fedora.pt
- fedora.redhat.com
- fedora.software
- fedora.tk
- fedora.us
- fedora.wiki
- fedoralinux.com
- fedoralinux.net
- fedoralinux.org
- fedoraproject.asia
- fedoraproject.cn
- fedoraproject.co.uk
- fedoraproject.com
- fedoraproject.com.cn
- fedoraproject.com.gr
- fedoraproject.com.my
- fedoraproject.cz
- fedoraproject.eu
- fedoraproject.gr
- fedoraproject.info
- fedoraproject.net
- fedoraproject.net.cn
- fedoraproject.org.uk
- fedoraproject.pe
- fedoraproject.su
- projectofedora.org
- www.fedora.asia
- www.fedora.com.my
- www.fedora.cr
- www.fedora.events
- www.fedora.me
- www.fedora.mobi
- www.fedora.org
- www.fedora.org.cn
- www.fedora.pe
- www.fedora.pt
- www.fedora.redhat.com
- www.fedora.software
- www.fedora.tk
- www.fedora.us
- www.fedora.wiki
- www.fedoralinux.com
- www.fedoralinux.net
- www.fedoralinux.org
- www.fedoraproject.asia
- www.fedoraproject.cn
- www.fedoraproject.co.uk
- www.fedoraproject.com
- www.fedoraproject.com.cn
- www.fedoraproject.com.gr
- www.fedoraproject.com.my
- www.fedoraproject.cz
- www.fedoraproject.eu
- www.fedoraproject.gr
- www.fedoraproject.info
- www.fedoraproject.net
- www.fedoraproject.net.cn
- www.fedoraproject.org
- www.fedoraproject.org.uk
- www.fedoraproject.pe
- www.fedoraproject.su
- www.projectofedora.org
- www.getfedora.com
- getfedora.com
- www.getfedora.org
- fedoraplayground.org
- fedoraplayground.com
- role: httpd/website
name: admin.fedoraproject.org
server_aliases: [admin.stg.fedoraproject.org]
sslonly: true
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: cloud.fedoraproject.org
sslonly: true
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: mirrors.fedoraproject.org
server_aliases:
- mirrors.stg.fedoraproject.org
- fedoramirror.net
- www.fedoramirror.net
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: src.fedoraproject.org
server_aliases: [src.stg.fedoraproject.org]
cert_name: "{{wildcard_cert_name}}"
sslonly: true
- role: httpd/website
name: download.fedoraproject.org
server_aliases:
- download01.fedoraproject.org
- download02.fedoraproject.org
- download03.fedoraproject.org
- download04.fedoraproject.org
- download05.fedoraproject.org
- download06.fedoraproject.org
- download07.fedoraproject.org
- download08.fedoraproject.org
- download09.fedoraproject.org
- download10.fedoraproject.org
- download-rdu01.fedoraproject.org
- download.stg.fedoraproject.org
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: translate.fedoraproject.org
server_aliases: [translate.stg.fedoraproject.org]
sslonly: true
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: spins.fedoraproject.org
server_aliases:
- spins.stg.fedoraproject.org
- spins-test.fedoraproject.org
sslonly: true
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: labs.fedoraproject.org
server_aliases:
- labs.stg.fedoraproject.org
sslonly: true
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: arm.fedoraproject.org
server_aliases:
- arm.stg.fedoraproject.org
sslonly: true
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: budget.fedoraproject.org
server_aliases:
- budget.stg.fedoraproject.org
sslonly: true
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: boot.fedoraproject.org
server_aliases: [boot.stg.fedoraproject.org]
sslonly: true
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: boot.fedoraproject.org
server_aliases: [boot.stg.fedoraproject.org]
sslonly: true
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: smolts.org
ssl: false
server_aliases:
- smolt.fedoraproject.org
- stg.smolts.org
- www.smolts.org
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: docs.fedoraproject.org
server_aliases:
- doc.fedoraproject.org
- docs.stg.fedoraproject.org
sslonly: true
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: docs-old.fedoraproject.org
server_aliases:
- docs-old.stg.fedoraproject.org
sslonly: true
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: bodhi.fedoraproject.org
sslonly: true
server_aliases: [bodhi.stg.fedoraproject.org]
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: flocktofedora.org
server_aliases:
- flocktofedora.org
- www.flocktofedora.org
ssl: true
sslonly: true
cert_name: flocktofedora.org
SSLCertificateChainFile: flocktofedora.org.intermediate.cert
- role: httpd/website
name: flocktofedora.net
server_aliases:
- flocktofedora.com
- www.flocktofedora.net
- www.flocktofedora.com
ssl: false
- role: httpd/website
name: fedora.my
server_aliases:
- fedora.my
ssl: false
- role: httpd/website
name: copr.fedoraproject.org
ssl: true
# We need sslonly=false because copr-cli hardcoded http
sslonly: false
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: bugz.fedoraproject.org
server_aliases: [bugz.stg.fedoraproject.org]
sslonly: true
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: fas.fedoraproject.org
server_aliases:
- fas.stg.fedoraproject.org
- accounts.fedoraproject.org
sslonly: true
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: fedoracommunity.org
server_aliases:
- www.fedoracommunity.org
- stg.fedoracommunity.org
- fedoraproject.community
- fedora.community
- www.fedora.community
- www.fedoraproject.community
ssl: false
cert_name: fedoracommunity.org
SSLCertificateChainFile: fedoracommunity.org.intermediate.cert
- role: httpd/website
name: get.fedoraproject.org
server_aliases: [get.stg.fedoraproject.org]
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: help.fedoraproject.org
server_aliases: [help.stg.fedoraproject.org]
sslonly: true
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: it.fedoracommunity.org
server_aliases: [it.fedoracommunity.org]
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: uk.fedoracommunity.org
server_aliases:
- uk.fedoracommunity.org
- www.uk.fedoracommunity.org
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: tw.fedoracommunity.org
server_aliases:
- tw.fedoracommunity.org
- www.tw.fedoracommunity.org
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: communityblog.fedoraproject.org
server_aliases: [communityblog.fedoraproject.org]
sslonly: true
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: people.fedoraproject.org
server_aliases: [people.fedoraproject.org]
sslonly: true
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: join.fedoraproject.org
server_aliases: [join.stg.fedoraproject.org]
sslonly: true
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: l10n.fedoraproject.org
server_aliases: [l10n.stg.fedoraproject.org]
sslonly: true
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: start.fedoraproject.org
server_aliases: [start.stg.fedoraproject.org]
sslonly: true
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: kde.fedoraproject.org
sslonly: true
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: nightly.fedoraproject.org
sslonly: true
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: store.fedoraproject.org
sslonly: true
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: port389.org
server_aliases:
- www.port389.org
- 389tcp.org
- www.389tcp.org
ssl: false
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: whatcanidoforfedora.org
server_aliases:
- www.whatcanidoforfedora.org
ssl: false
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: fedoramagazine.org
server_aliases: [www.fedoramagazine.org stg.fedoramagazine.org]
cert_name: fedoramagazine.org
SSLCertificateChainFile: fedoramagazine.org.intermediate.cert
sslonly: true
- role: httpd/website
name: k12linux.org
server_aliases:
- www.k12linux.org
ssl: false
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: fonts.fedoraproject.org
server_aliases: [fonts.stg.fedoraproject.org]
sslonly: true
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: meetbot.fedoraproject.org
server_aliases: [meetbot.stg.fedoraproject.org]
sslonly: true
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: meetbot-raw.fedoraproject.org
server_aliases: [meetbot-raw.stg.fedoraproject.org]
sslonly: true
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: fudcon.fedoraproject.org
server_aliases: [fudcon.stg.fedoraproject.org]
sslonly: true
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: ask.fedoraproject.org
server_aliases: [ask.stg.fedoraproject.org]
sslonly: true
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: badges.fedoraproject.org
server_aliases: [badges.stg.fedoraproject.org]
sslonly: true
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: darkserver.fedoraproject.org
server_aliases: [darkserver.stg.fedoraproject.org]
sslonly: true
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: paste.fedoraproject.org
server_aliases:
- paste.stg.fedoraproject.org
- modernpaste.stg.fedoraproject.org
sslonly: true
cert_name: "{{wildcard_cert_name}}"
#
# Make a website here so we can redirect it to paste.fedoraproject.org
#
- role: httpd/website
name: fpaste.org
server_aliases:
- www.fpaste.org
cert_name: fpaste.org
SSLCertificateChainFile: fpaste.org.intermediate.cert
when: inventory_hostname == 'proxy01.phx2.fedoraproject.org'
- role: httpd/website
name: fpaste.org
server_aliases:
- www.fpaste.org
cert_name: "{{wildcard_cert_name}}"
when: inventory_hostname != 'proxy01.phx2.fedoraproject.org'
- role: httpd/website
name: koji.fedoraproject.org
sslonly: true
server_aliases:
- koji.stg.fedoraproject.org
- kojipkgs.stg.fedoraproject.org
- buildsys.fedoraproject.org
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: ppc.koji.fedoraproject.org
sslonly: true
certbot: true
server_aliases:
- ppcpkgs.fedoraproject.org
cert_name: secondary.koji.fedoraproject.org.letsencrypt
SSLCertificateChainFile: secondary.koji.fedoraproject.org.letsencrypt.intermediate.crt
tags:
- ppc.koji.fedoraproject.org
- role: httpd/website
name: s390.koji.fedoraproject.org
sslonly: true
certbot: true
server_aliases:
- s390pkgs.fedoraproject.org
cert_name: secondary.koji.fedoraproject.org.letsencrypt
SSLCertificateChainFile: secondary.koji.fedoraproject.org.letsencrypt.intermediate.crt
tags:
- s390.koji.fedoraproject.org
- role: httpd/website
name: arm.koji.fedoraproject.org
sslonly: true
certbot: true
server_aliases:
- armpkgs.fedoraproject.org
cert_name: secondary.koji.fedoraproject.org.letsencrypt
SSLCertificateChainFile: secondary.koji.fedoraproject.org.letsencrypt.intermediate.crt
tags:
- arm.koji.fedoraproject.org
- role: httpd/website
name: kojipkgs.fedoraproject.org
sslonly: true
server_aliases:
- kojipkgs01.fedoraproject.org
- kojipkgs02.fedoraproject.org
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: apps.fedoraproject.org
server_aliases: [apps.stg.fedoraproject.org]
sslonly: true
gzip: true
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: pdc.fedoraproject.org
server_aliases: [pdc.stg.fedoraproject.org]
sslonly: true
gzip: true
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: developer.fedoraproject.org
server_aliases: [developer.stg.fedoraproject.org]
sslonly: true
cert_name: "{{wildcard_cert_name}}"
# This is just a redirect to developer, to make it easier for people to get
# here from Red Hat's developers.redhat.com (ticket #5216).
- role: httpd/website
name: developers.fedoraproject.org
sslonly: true
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: osbs.fedoraproject.org
server_aliases: [osbs.stg.fedoraproject.org]
sslonly: true
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: os.fedoraproject.org
server_aliases: [os.stg.fedoraproject.org]
sslonly: true
cert_name: "{{wildcard_cert_name}}"
tags:
- os.fedoraproject.org
- role: httpd/website
name: app.os.fedoraproject.org
server_aliases: ["*.app.os.fedoraproject.org", "*.app.os.stg.fedoraproject.org"]
sslonly: true
cert_name: "{{os_wildcard_cert_name}}"
SSLCertificateChainFile: "{{os_wildcard_int_file}}"
tags:
- app.os.fedoraproject.org
- role: httpd/website
name: registry.fedoraproject.org
server_aliases: [registry.stg.fedoraproject.org]
sslonly: true
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: candidate-registry.fedoraproject.org
server_aliases: [candidate-registry.stg.fedoraproject.org]
sslonly: true
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: retrace.fedoraproject.org
server_aliases: [retrace.stg.fedoraproject.org]
sslonly: true
cert_name: "{{wildcard_cert_name}}"
when: env == "staging"
- role: httpd/website
name: faf.fedoraproject.org
server_aliases: [faf.stg.fedoraproject.org]
sslonly: true
cert_name: "{{wildcard_cert_name}}"
when: env == "staging"
- role: httpd/website
name: alt.fedoraproject.org
server_aliases:
- alt.stg.fedoraproject.org
sslonly: true
cert_name: "{{wildcard_cert_name}}"
# Kinda silly that we have two entries here, one for prod and one for stg.
# This is inherited from our puppet setup -- we can collapse them as soon as
# is convenient. -- threebean
- role: httpd/website
name: taskotron.fedoraproject.org
server_aliases: [taskotron.fedoraproject.org]
sslonly: true
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: taskotron.stg.fedoraproject.org
server_aliases: [taskotron.stg.fedoraproject.org]
# Set this explicitly to stg here.. as per the original puppet config.
SSLCertificateChainFile: wildcard-2017.stg.fedoraproject.org.intermediate.cert
sslonly: true
cert_name: "{{wildcard_cert_name}}"
when: env == "staging"
- role: httpd/website
name: lists.fedoraproject.org
server_aliases: [lists.stg.fedoraproject.org]
sslonly: true
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: lists.fedorahosted.org
server_aliases: [lists.stg.fedorahosted.org]
sslonly: true
SSLCertificateChainFile: wildcard-2017.fedorahosted.org.intermediate.cert
cert_name: wildcard-2017.fedorahosted.org
- role: httpd/website
name: id.fedoraproject.org
server_aliases:
- "*.id.fedoraproject.org"
# Must not be sslonly, because example.id.fedoraproject.org must be reachable
# via plain http for openid identity support
cert_name: wildcard-2017.id.fedoraproject.org
SSLCertificateChainFile: wildcard-2017.id.fedoraproject.org.intermediate.cert
- role: httpd/website
name: id.stg.fedoraproject.org
server_aliases:
- "*.id.stg.fedoraproject.org"
# Must not be sslonly, because example.id.fedoraproject.org must be reachable
# via plain http for openid identity support
cert_name: "{{wildcard_cert_name}}"
SSLCertificateChainFile: wildcard-2017.stg.fedoraproject.org.intermediate.cert
when: env == "staging"
- role: httpd/website
name: getfedora.org
server_aliases: [stg.getfedora.org]
sslonly: true
cert_name: getfedora.org
SSLCertificateChainFile: getfedora.org.intermediate.cert
- role: httpd/website
name: qa.fedoraproject.org
cert_name: "{{wildcard_cert_name}}"
sslonly: true
- role: httpd/website
name: openqa.fedoraproject.org
cert_name: "{{wildcard_cert_name}}"
server_aliases: [openqa.stg.fedoraproject.org]
sslonly: true
- role: httpd/website
name: redirect.fedoraproject.org
server_aliases: [redirect.stg.fedoraproject.org]
sslonly: true
gzip: true
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: geoip.fedoraproject.org
server_aliases: [geoip.stg.fedoraproject.org]
sslonly: true
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: codecs.fedoraproject.org
server_aliases: [codecs.stg.fedoraproject.org]
sslonly: true
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: beaker.qa.fedoraproject.org
server_aliases: [beaker.qa.fedoraproject.org]
# Set this explicitly to stg here.. as per the original puppet config.
SSLCertificateChainFile: qa.fedoraproject.org.intermediate.cert
sslonly: true
cert_name: "qa.fedoraproject.org"
- role: httpd/website
name: beaker.stg.fedoraproject.org
server_aliases: [beaker.stg.fedoraproject.org]
# Set this explicitly to stg here.. as per the original puppet config.
SSLCertificateChainFile: wildcard-2017.stg.fedoraproject.org.intermediate.cert
sslonly: true
cert_name: "{{wildcard_cert_name}}"
when: env == "staging"
- role: httpd/website
name: qa.stg.fedoraproject.org
server_aliases: [qa.stg.fedoraproject.org]
cert_name: qa.stg.fedoraproject.org
SSLCertificateChainFile: qa.stg.fedoraproject.org.intermediate.cert
sslonly: true
when: env == "staging"
- role: httpd/website
name: phab.qa.stg.fedoraproject.org
server_aliases: [phab.qa.stg.fedoraproject.org]
cert_name: qa.stg.fedoraproject.org
SSLCertificateChainFile: qa.stg.fedoraproject.org.intermediate.cert
sslonly: true
when: env == "staging"
- role: httpd/website
name: docs.qa.stg.fedoraproject.org
server_aliases: [docs.qa.stg.fedoraproject.org]
cert_name: qa.stg.fedoraproject.org
SSLCertificateChainFile: qa.stg.fedoraproject.org.intermediate.cert
sslonly: true
when: env == "staging"
- role: httpd/website
name: phab.qa.fedoraproject.org
server_aliases: [phab.qa.fedoraproject.org]
cert_name: qa.fedoraproject.org
SSLCertificateChainFile: qa.fedoraproject.org.intermediate.cert
sslonly: true
- role: httpd/website
name: data-analysis.fedoraproject.org
server_aliases: [data-analysis.stg.fedoraproject.org]
sslonly: true
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: docs.qa.fedoraproject.org
server_aliases: [docs.qa.fedoraproject.org]
cert_name: qa.fedoraproject.org
SSLCertificateChainFile: qa.fedoraproject.org.intermediate.cert
sslonly: true
- role: httpd/website
name: nagios.fedoraproject.org
server_aliases: [nagios.stg.fedoraproject.org]
SSLCertificateChainFile: wildcard-2017.fedoraproject.org.intermediate.cert
sslonly: true
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: mbs.fedoraproject.org
sslonly: true
server_aliases: [mbs.stg.fedoraproject.org]
cert_name: "{{wildcard_cert_name}}"
- role: httpd/website
name: odcs.fedoraproject.org
sslonly: true
server_aliases: [odcs.stg.fedoraproject.org]
cert_name: "{{wildcard_cert_name}}"
when: env == "staging"
# fedorahosted is retired. We have the site here so we can redirect it.
- role: httpd/website
name: fedorahosted.org
sslonly: true
server_aliases: [bzr.fedorahosted.org hg.fedorahosted.org svn.fedorahosted.org]
SSLCertificateChainFile: wildcard-2017.fedorahosted.org.intermediate.cert
cert_name: wildcard-2017.fedorahosted.org
- role: httpd/website
name: git.fedorahosted.org
sslonly: true
SSLCertificateChainFile: wildcard-2017.fedorahosted.org.intermediate.cert
cert_name: wildcard-2017.fedorahosted.org
Reference in a new issue View git blame Copy permalink