adding static site virtualhosts to qadevel-stg

2015-07-17 19:41:56 +00:00 · 2015-07-17 19:41:56 +00:00 · b0c2c02420
commit b0c2c02420
parent 43017c255f
3 changed files with 106 additions and 0 deletions
--- a/files/httpd/newvirtualhost.conf.j2
+++ b/files/httpd/newvirtualhost.conf.j2
@ -0,0 +1,71 @@
+<VirtualHost *:443>
+  # Change this to the domain which points to your host.
+  ServerName {{ item.name }}
+
+  # Use separate log files for the SSL virtual host; note that LogLevel
+  # is not inherited from httpd.conf.
+  ErrorLog logs/{{ item.name }}_error_log
+  TransferLog logs/{{ item.name }}_access_log
+  LogLevel warn
+
+  #   SSL Engine Switch:
+  #   Enable/Disable SSL for this virtual host.
+  SSLEngine on
+
+  #   SSL Protocol support:
+  # List the enable protocol levels with which clients will be able to
+  # connect.  Disable SSLv2 access by default:
+  SSLProtocol all -SSLv2
+
+  #   SSL Cipher Suite:
+  # List the ciphers that the client is permitted to negotiate.
+  # See the mod_ssl documentation for a complete list.
+  #SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
+  SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
+
+  #   Server Certificate:
+  # Point SSLCertificateFile at a PEM encoded certificate.  If
+  # the certificate is encrypted, then you will be prompted for a
+  # pass phrase.  Note that a kill -HUP will prompt again.  A new
+  # certificate can be generated using the genkey(1) command.
+  SSLCertificateFile /etc/pki/tls/certs/{{ sslcertfile }}
+
+  #   Server Private Key:
+  #   If the key is not combined with the certificate, use this
+  #   directive to point at the key file.  Keep in mind that if
+  #   you've both a RSA and a DSA private key you can configure
+  #   both in parallel (to also allow the use of DSA ciphers, etc.)
+  SSLCertificateKeyFile /etc/pki/tls/private/{{ sslkeyfile }}
+
+  #   Server Certificate Chain:
+  #   Point SSLCertificateChainFile at a file containing the
+  #   concatenation of PEM encoded CA certificates which form the
+  #   certificate chain for the server certificate. Alternatively
+  #   the referenced file can be the same as SSLCertificateFile
+  #   when the CA certificates are directly appended to the server
+  #   certificate for convinience.
+  #SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
+  {% if sslintermediatecertfile is defined %}
+  SSLCertificateChainFile /etc/pki/tls/certs/{{ sslintermediatecertfile }}
+  {% endif %}
+
+  #   Certificate Authority (CA):
+  #   Set the CA certificate verification path where to find CA
+  #   certificates for client authentication or alternatively one
+  #   huge file containing all of them (file must be PEM encoded)
+  #SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
+
+  DocumentRoot {{ item.document_root }}
+
+</VirtualHost>
+
+
+<VirtualHost *:80>
+  # Change this to the domain which points to your host.
+  ServerName {{ item.name }}
+  {% if sslonly %}
+    RewriteEngine On
+    RewriteCond %{HTTPS} off
+    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [NE]
+  {% endif %}
+</VirtualHost>
--- a/inventory/group_vars/qadevel-stg
+++ b/inventory/group_vars/qadevel-stg
@ -75,4 +75,9 @@ buildslave_name: 'qadevel-stg'
 deployment_type: qadevel-stg
 tcp_ports: [ 80, 222, 443, "{{ buildslave_port }}", 3306 ]

+# static sites
+static_sites:
+  - name: docs.{{ external_hostname }}
+    document_root: /var/www/docs
+
 freezes: false
--- a/playbooks/groups/qadevel-stg.yml
+++ b/playbooks/groups/qadevel-stg.yml
@ -52,6 +52,7 @@
 - name: configure phabricator
  hosts: qadevel-stg
  user: root
+
  gather_facts: True

  vars_files:
@ -85,3 +86,32 @@

  handlers:
   - include: "{{ handlers }}/restart_services.yml"
+
+- name: configure static sites for qadevel-stg
+  hosts: qadevel-stg
+  user: root
+  gather_facts: True
+
+  vars_files:
+   - /srv/web/infra/ansible/vars/global.yml
+   - "/srv/private/ansible/vars.yml"
+   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+  handlers:
+   - include: "{{ handlers }}/restart_services.yml"
+
+  tasks:
+    - name: ensure ServerName is set in ssl.conf
+      replace: dest=/etc/httpd/conf.d/ssl.conf regexp='^#ServerName .*$' replace='ServerName {{ external_hostname }}:443'
+
+    - name: ensure ServerName is set in httpd.conf
+      replace: dest=/etc/httpd/conf/httpd.conf regexp='^#ServerName .*$' replace='ServerName {{ external_hostname }}:443'
+
+
+    - name: create dirs for static sites
+      file: path={{ item.document_root }} state=directory owner=apache group=apache mode=1755
+      with_items: static_sites
+
+   - name: generate virtualhosts for static sites
+     template:  src={{ files }}/httpd/newvirtualhost.conf.j2 dest=/etc/httpd/conf.d/{{ item.name }}.conf owner=root group=root mode=0644
+     with_items: static_sites