ansible/playbooks/groups/proxies-websites.yml

- name: Set up those proxy websites.  My, my..
  hosts: proxies-stg
  user: root
  gather_facts: True

  vars_files:
   - /srv/web/infra/ansible/vars/global.yml
   - "/srv/private/ansible/vars.yml"
   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml

  handlers:
  - include: "{{ handlers }}/restart_services.yml"

  vars:
  - ssl: true
  - SSLCertificateChainFile: wildcard-2014.fedoraproject.org.intermediate.cert
  - fpo_ips:
    # Staging
    - "10.5.126.88"

    # Production
    - "85.236.55.5"
    - "[2001:4178:2:1269::fed1]"
    - "66.35.62.162"
    - "80.239.156.214"
    - "152.19.134.142"
    - "[2610:28:3090:3001:dead:beef:cafe:fed3]"
    - "140.211.169.196"
    - "213.175.193.205"
    - "[2001:2030:0:2::2]"
    - "10.5.126.52"
    - "85.236.55.6"
    - "[2001:4178:2:1269::fed2]"
    - "66.35.62.166"
    - "80.239.156.215"
    - "152.19.134.146"
    - "[2610:28:3090:3001:dead:beef:cafe:fed4]"
    - "140.211.169.197"
    - "213.175.193.206"
    - "[2001:2030:0:2::3]"
    - "67.203.2.67"
    - "[2607:f188::dead:beef:cafe:fed1]"
    - "192.168.122.2"

  - wildcard_fpo_ips:
    # Staging
    - "10.5.126.88"

    # Production
    - "10.5.126.52"
    - "85.236.55.6"
    - "[2001:4178:2:1269::fed2]"
    - "66.35.62.166"
    - "80.239.156.215"
    - "152.19.134.146"
    - "[2610:28:3090:3001:dead:beef:cafe:fed4]"
    - "140.211.169.197"
    - "213.175.193.206"
    - "[2001:2030:0:2::3]"
    - "67.203.2.67"
    - "[2607:f188::dead:beef:cafe:fed1]"
    - "192.168.122.2"

  # This is just a handy default.  If 'ips' is not specified to the
  # httpd/website role below, then it will use the wildcard list, which most do.
  - ips: "{{wildcard_fpo_ips}}"

  # This is another handy default.  wildcard_cert_name is defined in group_vars
  - cert_name: "{{wildcard_cert_name}}"


  pre_tasks:
  - name: Create /srv/web/ for all the goodies.
    file: >
        dest=/srv/web state=directory
        owner=root group=root mode=0755
    tags:
    - httpd
    - httpd/website
  - name: ..and apply the httpd_sys_content_t type recursively to it.
    file: >
        dest=/srv/web state=directory
        setype=httpd_sys_content_t recurse=True
    tags:
    - httpd
    - httpd/website

  roles:

  - role: httpd/website
    name: fedoraproject.org
    ips: "{{fpo_ips}}"
    server_aliases: [stg.fedoraproject.org]

  # This is for all the other domains we own
  # that redirect to http://fedoraproject.org
  - role: httpd/website
    name: fedoraproject.com
    server_aliases:
    - fedora.redhat.com
    - fedora.com.my
    - fedora.my
    - fedora.pe
    - fedora.pt
    - fedora.us
    - fedoralinux.com
    - fedoralinux.net
    - fedoralinux.net
    - fedoralinux.org
    - fedoraproject.org.uk
    - fedoraproject.com
    - fedoraproject.com.my
    - fedoraproject.net
    - projectofedora.org
    - www.fedora.pe
    - www.fedora.pt
    - www.fedora.redhat.com
    - www.fedora.us
    - www.fedoralinux.com
    - www.fedoralinux.net
    - www.fedoralinux.org
    - www.fedoraproject.com
    - www.fedoraproject.com
    - www.fedoraproject.net
    - www.fedoraproject.org
    - www.fedoraproject.org.uk
    - www.projectofedora.org

  - role: httpd/website
    name: admin.fedoraproject.org
    server_aliases: [admin.stg.fedoraproject.org]
    sslonly: true

  - role: httpd/website
    name: cloud.fedoraproject.org

  - role: httpd/website
    name: mirrors.fedoraproject.org
    server_aliases: [mirrors.stg.fedoraproject.org]

  - role: httpd/website
    name: download.fedoraproject.org
    server_aliases:
    - download01.fedoraproject.org
    - download02.fedoraproject.org
    - download03.fedoraproject.org
    - download04.fedoraproject.org
    - download05.fedoraproject.org
    - download06.fedoraproject.org
    - download07.fedoraproject.org
    - download08.fedoraproject.org
    - download09.fedoraproject.org
    - download10.fedoraproject.org
    - download.stg.fedoraproject.org

  - role: httpd/website
    name: translate.fedoraproject.org
    server_aliases: [translate.stg.fedoraproject.org]
    sslonly: true

  - role: httpd/website
    name: spins.fedoraproject.org
    server_aliases:
    - spins.stg.fedoraproject.org
    - spins-test.fedoraproject.org

  - role: httpd/website
    name: boot.fedoraproject.org
    server_aliases: [boot.stg.fedoraproject.org]

  - role: httpd/website
    name: boot.fedoraproject.org
    server_aliases: [boot.stg.fedoraproject.org]

  - role: httpd/website
    name: smolts.org
    ssl: false
    server_aliases:
    - smolt.fedoraproject.org
    - stg.smolts.org
    - www.smolts.org

  - role: httpd/website
    name: docs.fedoraproject.org
    server_aliases:
    - doc.fedoraproject.org
    - docs.stg.fedoraproject.org

  - role: httpd/website
    name: bodhi.fedoraproject.org
    server_aliases: [bodhi.stg.fedoraproject.org]

  - role: httpd/website
    name: bugz.fedoraproject.org
    server_aliases: [bugz.stg.fedoraproject.org]

  - role: httpd/website
    name: fas.fedoraproject.org
    server_aliases:
    - fas.stg.fedoraproject.org
    - accounts.fedoraproject.org

  - role: httpd/website
    name: fas.fedoraproject.org
    server_aliases:
    - fas.stg.fedoraproject.org
    - accounts.fedoraproject.org

  - role: httpd/website
    name: fedoracommunity.org
    server_aliases:
    - www.fedoracommunity.org
    - stg.fedoracommunity.org
    ssl: false

  - role: httpd/website
    name: get.fedoraproject.org
    server_aliases: [get.stg.fedoraproject.org]

  - role: httpd/website
    name: help.fedoraproject.org
    server_aliases: [help.stg.fedoraproject.org]

  - role: httpd/website
    name: it.fedoracommunity.org
    server_aliases: [it.fedoracommunity.org]

  - role: httpd/website
    name: uk.fedoracommunity.org
    server_aliases:
    - uk.fedoracommunity.org
    - www.uk.fedoracommunity.org

  - role: httpd/website
    name: people.fedoraproject.org
    server_aliases: [people.fedoraproject.org]

  - role: httpd/website
    name: join.fedoraproject.org
    server_aliases: [join.stg.fedoraproject.org]

  - role: httpd/website
    name: l10n.fedoraproject.org
    server_aliases: [l10n.stg.fedoraproject.org]

  - role: httpd/website
    name: start.fedoraproject.org
    server_aliases: [start.stg.fedoraproject.org]

  - role: httpd/website
    name: kde.fedoraproject.org

  - role: httpd/website
    name: nightly.fedoraproject.org

  - role: httpd/website
    name: port389.org
    server_aliases:
    - www.port389.org
    - 389tcp.org
    - www.389tcp.org
    ssl: false
    
  - role: httpd/website
    name: fedoramagazine.org
    server_aliases: [www.fedoramagazine.org]
    cert_name: fedoramagazine.org
    SSLCertificateChainFile: fedoramagazine.org.intermediate.cert

  - role: httpd/website
    name: k12linux.org
    server_aliases:
    - www.k12linux.org
    ssl: false

  - role: httpd/website
    name: fonts.fedoraproject.org
    server_aliases: [fonts.stg.fedoraproject.org]

  - role: httpd/website
    name: meetbot.fedoraproject.org
    server_aliases: [meetbot.stg.fedoraproject.org]

  - role: httpd/website
    name: fudcon.fedoraproject.org
    server_aliases: [fudcon.stg.fedoraproject.org]

  - role: httpd/website
    name: ask.fedoraproject.org
    server_aliases: [ask.stg.fedoraproject.org]
    sslonly: true

  - role: httpd/website
    name: badges.fedoraproject.org
    server_aliases: [badges.stg.fedoraproject.org]
    sslonly: true

  - role: httpd/website
    name: darkserver.fedoraproject.org
    server_aliases: [darkserver.stg.fedoraproject.org]
    sslonly: true

  - role: httpd/website
    name: paste.fedoraproject.org
    server_aliases:
    - paste.stg.fedoraproject.org
    - fpaste.org
    - www.fpaste.org

  - role: httpd/website
    name: apps.fedoraproject.org
    server_aliases: [apps.stg.fedoraproject.org]
    sslonly: true
    gzip: true

  # Kinda silly that we have two entries here, one for prod and one for stg.
  # This is inherited from our puppet setup -- we can collapse them as soon as
  # is convenient.  -- threebean
  - role: httpd/website
    name: taskotron.fedoraproject.org
    server_aliases: [taskotron.fedoraproject.org]
    sslonly: true

  - role: httpd/website
    name: taskotron.stg.fedoraproject.org
    server_aliases: [taskotron.stg.fedoraproject.org]
    # Set this explicitly to stg here.. as per the original puppet config.
    SSLCertificateChainFile: wildcard-2014.stg.fedoraproject.org.intermediate.cert
    sslonly: true
    when: env == "staging"

  - role: httpd/website
    name: lists.fedoraproject.org
    server_aliases: [lists.stg.fedoraproject.org]
    sslonly: true
    # Set this explicitly to stg here.. as per the original puppet config.
    SSLCertificateChainFile: wildcard-2014.stg.fedoraproject.org.intermediate.cert
    when: env == "staging"

  - role: httpd/website
    name: id.fedoraproject.org
    server_aliases:
    - "*.id.fedoraproject.org"
    cert_name: wildcard-2014.id.fedoraproject.org
    SSLCertificateChainFile: wildcard-2014.id.fedoraproject.org.intermediate.cert

    when: env == "staging"
  - role: httpd/website
    name: id.stg.fedoraproject.org
    server_aliases:
    - "*.id.stg.fedoraproject.org"
    SSLCertificateChainFile: wildcard-2014.stg.fedoraproject.org.intermediate.cert
    when: env == "staging"

  - role: httpd/website
    name: getfedora.org
    ips: "{{fpo_ips}}"
    server_aliases: [stg.getfedora.org]
    sslonly: true
    cert_name: getfedora.org
    SSLCertificateChainFile: getfedora.org.intermediate.cert

  - role: httpd/website
    name: qa.fedoraproject.org
    ips: "{{fpo_ips}}"
    server_aliases: [qa.stg.fedoraproject.org]
    sslonly: true

  - role: httpd/website
    name: redirect.fedoraproject.org
    server_aliases: [redirect.stg.fedoraproject.org]
    sslonly: true
    gzip: true

  - role: httpd/website
    name: geoip.fedoraproject.org
    server_aliases: [geoip.stg.fedoraproject.org]
    sslonly: true