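# Play: configure the Apache virtual hosts served by the proxy tier.
#
# Runs as root against the staging and production proxy groups.  The pre_tasks
# prepare /srv/web (directory plus SELinux file-context rule); every entry
# under `roles` then instantiates the httpd/website role once per virtual
# host.  Role parameters used in this play:
#   name                     - primary host name of the vhost
#   server_aliases           - additional host names answered by the vhost
#   ips                      - addresses the vhost is bound to
#   cert_name                - certificate to serve
#   SSLCertificateChainFile  - intermediate chain, where set explicitly
#   ssl / sslonly / gzip     - per-vhost switches interpreted by the role
# NOTE(review): the role itself is not part of this file.  What `ssl: false`
# and a missing `sslonly` do on port 80 should be confirmed against the role.
- name: Set up those proxy websites. My, my..
  hosts: proxies-stg:proxies
  user: root
  gather_facts: true

  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - "/srv/private/ansible/vars.yml"
    - "/srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml"

  handlers:
    - include: "{{ handlers }}/restart_services.yml"

  ### Put in the proxy website ip addresses
  # fpo_ips and wildcard_fpo_ips are identical except that fpo_ips also
  # carries [2001:4178:2:1269::fed1].  Keep the two lists in step when a
  # proxy is added or retired.
  vars:
    - fpo_ips:
        # Staging
        - "10.5.126.88"
        # Production
        - "10.5.126.52"  # proxy01
        - "85.236.55.6"  # proxy02
        - "[2001:4178:2:1269::fed2]"  # proxy02
        - "[2001:4178:2:1269::fed1]"  # proxy02
        - "66.35.62.162"  # proxy03
        - "152.19.134.142"  # proxy04
        - "[2610:28:3090:3001:dead:beef:cafe:fed3]"  # proxy04
        - "5.175.150.50"  # proxy05
        - "140.211.169.196"  # proxy06
        - "213.175.193.206"  # proxy07
        - "67.203.2.67"  # proxy08
        - "[2607:f188::dead:beef:cafe:fed1]"  # proxy08
        - "66.135.62.187"  # proxy09
        - "10.5.126.51"  # proxy10
        - "67.219.144.68"  # proxy11

    - wildcard_fpo_ips:
        # Staging
        - "10.5.126.88"
        # Production
        - "10.5.126.52"  # proxy01
        - "85.236.55.6"  # proxy02
        - "[2001:4178:2:1269::fed2]"  # proxy02
        - "66.35.62.162"  # proxy03
        - "152.19.134.142"  # proxy04
        - "[2610:28:3090:3001:dead:beef:cafe:fed3]"  # proxy04
        - "5.175.150.50"  # proxy05
        - "140.211.169.196"  # proxy06
        - "213.175.193.206"  # proxy07
        - "67.203.2.67"  # proxy08
        - "[2607:f188::dead:beef:cafe:fed1]"  # proxy08
        - "66.135.62.187"  # proxy09
        - "10.5.126.51"  # proxy10
        - "67.219.144.68"  # proxy11

  pre_tasks:
    # Provides the matchpathcon and semanage commands used below.
    - name: Install policycoreutils-python
      yum:
        pkg: policycoreutils-python
        state: present

    - name: Create /srv/web/ for all the goodies.
      file:
        dest: /srv/web
        state: directory
        owner: root
        group: root
        # Quoted so the mode is never re-read as a number.
        mode: "0755"
      tags:
        - httpd
        - httpd/website

    # Read-only probe: asks the SELinux policy which context /srv/web should
    # have.  It never changes anything, so it is forced to run in check mode
    # too and is never reported as changed.
    # NOTE(review): always_run is the older spelling; newer Ansible releases
    # use `check_mode: no` instead.
    - name: check the selinux context of webdir
      command: matchpathcon /srv/web
      register: webdir
      always_run: true
      changed_when: false
      tags:
        - config
        - selinux
        - httpd
        - httpd/website

    # Adds the file-context rule only when the policy does not already map
    # /srv/web to httpd_sys_content_t.
    # NOTE(review): this records the rule in policy; nothing in this play
    # relabels files that already exist under /srv/web (no restorecon step is
    # visible here).  Confirm the role or a later task takes care of that.
    - name: /srv/web file contexts
      command: semanage fcontext -a -t httpd_sys_content_t "/srv/web(/.*)?"
      when: webdir.stdout.find('httpd_sys_content_t') == -1
      tags:
        - config
        - selinux
        - httpd
        - httpd/website

  roles:

    - role: httpd/website
      name: fedoraproject.org
      ips: "{{fpo_ips}}"
      cert_name: "{{wildcard_cert_name}}"
      server_aliases: [stg.fedoraproject.org]

    # This is for all the other domains we own
    # that redirect to http://fedoraproject.org
    # NOTE(review): fedoracommunity.org and www.fedoracommunity.org are listed
    # here and are also claimed by the dedicated fedoracommunity.org vhost
    # further down.  When two vhosts claim one host name the web server's
    # matching order decides which answers; confirm which one is intended.
    - role: httpd/website
      name: fedoraproject.com
      ips: "{{wildcard_fpo_ips}}"
      cert_name: "{{wildcard_cert_name}}"
      server_aliases:
        - fedora.asia
        - fedora.com.my
        - fedora.community
        - fedora.cr
        - fedora.events
        - fedora.me
        - fedora.mobi
        - fedora.my
        - fedora.org
        - fedora.org.cn
        - fedora.pe
        - fedora.pt
        - fedora.redhat.com
        - fedora.software
        - fedora.tk
        - fedora.us
        - fedora.wiki
        - fedora.xxx
        - fedoracommunity.org
        - fedoralinux.com
        - fedoralinux.net
        - fedoralinux.org
        - fedoraproject.asia
        - fedoraproject.cn
        - fedoraproject.co.uk
        - fedoraproject.com
        - fedoraproject.com.cn
        - fedoraproject.com.gr
        - fedoraproject.com.my
        - fedoraproject.community
        - fedoraproject.cz
        - fedoraproject.eu
        - fedoraproject.gr
        - fedoraproject.info
        - fedoraproject.net
        - fedoraproject.net.cn
        - fedoraproject.org.uk
        - fedoraproject.pe
        - fedoraproject.su
        - fedoraproject.xxx
        - fedorasucks.com
        - projectofedora.org
        - www.fedora.asia
        - www.fedora.com.my
        - www.fedora.community
        - www.fedora.cr
        - www.fedora.events
        - www.fedora.me
        - www.fedora.mobi
        - www.fedora.org
        - www.fedora.org.cn
        - www.fedora.pe
        - www.fedora.pt
        - www.fedora.redhat.com
        - www.fedora.software
        - www.fedora.tk
        - www.fedora.us
        - www.fedora.wiki
        - www.fedoracommunity.org
        - www.fedoralinux.com
        - www.fedoralinux.net
        - www.fedoralinux.org
        - www.fedoraproject.asia
        - www.fedoraproject.cn
        - www.fedoraproject.co.uk
        - www.fedoraproject.com
        - www.fedoraproject.com.cn
        - www.fedoraproject.com.gr
        - www.fedoraproject.com.my
        - www.fedoraproject.community
        - www.fedoraproject.cz
        - www.fedoraproject.eu
        - www.fedoraproject.gr
        - www.fedoraproject.info
        - www.fedoraproject.net
        - www.fedoraproject.net.cn
        - www.fedoraproject.org
        - www.fedoraproject.org.uk
        - www.fedoraproject.pe
        - www.fedoraproject.su
        - www.projectofedora.org

    - role: httpd/website
      name: admin.fedoraproject.org
      server_aliases: [admin.stg.fedoraproject.org]
      sslonly: true
      ips: "{{wildcard_fpo_ips}}"
      cert_name: "{{wildcard_cert_name}}"

    - role: httpd/website
      name: cloud.fedoraproject.org
      ips: "{{wildcard_fpo_ips}}"
      cert_name: "{{wildcard_cert_name}}"

    - role: httpd/website
      name: mirrors.fedoraproject.org
      # One block list: a flow list followed by `-` items is not a valid
      # sequence.
      server_aliases:
        - mirrors.stg.fedoraproject.org
        - fedoramirror.net
        - www.fedoramirror.net
      ips: "{{wildcard_fpo_ips}}"
      cert_name: "{{wildcard_cert_name}}"

    - role: httpd/website
      name: download.fedoraproject.org
      server_aliases:
        - download01.fedoraproject.org
        - download02.fedoraproject.org
        - download03.fedoraproject.org
        - download04.fedoraproject.org
        - download05.fedoraproject.org
        - download06.fedoraproject.org
        - download07.fedoraproject.org
        - download08.fedoraproject.org
        - download09.fedoraproject.org
        - download10.fedoraproject.org
        - download.stg.fedoraproject.org
      ips: "{{wildcard_fpo_ips}}"
      cert_name: "{{wildcard_cert_name}}"

    - role: httpd/website
      name: translate.fedoraproject.org
      server_aliases: [translate.stg.fedoraproject.org]
      sslonly: true
      ips: "{{wildcard_fpo_ips}}"
      cert_name: "{{wildcard_cert_name}}"

    - role: httpd/website
      name: spins.fedoraproject.org
      server_aliases:
        - spins.stg.fedoraproject.org
        - spins-test.fedoraproject.org
      ips: "{{wildcard_fpo_ips}}"
      cert_name: "{{wildcard_cert_name}}"

    - role: httpd/website
      name: boot.fedoraproject.org
      server_aliases: [boot.stg.fedoraproject.org]
      ips: "{{wildcard_fpo_ips}}"
      cert_name: "{{wildcard_cert_name}}"

    # ssl: false -- presumably served over plain HTTP only; cert_name is still
    # passed, so verify the role ignores it for such vhosts.
    - role: httpd/website
      name: smolts.org
      ssl: false
      server_aliases:
        - smolt.fedoraproject.org
        - stg.smolts.org
        - www.smolts.org
      ips: "{{wildcard_fpo_ips}}"
      cert_name: "{{wildcard_cert_name}}"

    - role: httpd/website
      name: docs.fedoraproject.org
      server_aliases:
        - doc.fedoraproject.org
        - docs.stg.fedoraproject.org
      ips: "{{wildcard_fpo_ips}}"
      cert_name: "{{wildcard_cert_name}}"

    - role: httpd/website
      name: bodhi.fedoraproject.org
      server_aliases: [bodhi.stg.fedoraproject.org]
      ips: "{{wildcard_fpo_ips}}"
      cert_name: "{{wildcard_cert_name}}"

    - role: httpd/website
      name: bugz.fedoraproject.org
      server_aliases: [bugz.stg.fedoraproject.org]
      ips: "{{wildcard_fpo_ips}}"
      cert_name: "{{wildcard_cert_name}}"

    # NOTE(review): sslonly is not set here, and the alias
    # accounts.fedoraproject.org suggests this vhost fronts account logins.
    # Confirm that plain-HTTP requests are redirected to HTTPS by the role or
    # by the application behind it.
    - role: httpd/website
      name: fas.fedoraproject.org
      server_aliases:
        - fas.stg.fedoraproject.org
        - accounts.fedoraproject.org
      ips: "{{wildcard_fpo_ips}}"
      cert_name: "{{wildcard_cert_name}}"

    - role: httpd/website
      name: fedoracommunity.org
      server_aliases:
        - www.fedoracommunity.org
        - stg.fedoracommunity.org
      ssl: false
      ips: "{{wildcard_fpo_ips}}"
      cert_name: "{{wildcard_cert_name}}"

    - role: httpd/website
      name: get.fedoraproject.org
      server_aliases: [get.stg.fedoraproject.org]
      ips: "{{wildcard_fpo_ips}}"
      cert_name: "{{wildcard_cert_name}}"

    - role: httpd/website
      name: help.fedoraproject.org
      server_aliases: [help.stg.fedoraproject.org]
      ips: "{{wildcard_fpo_ips}}"
      cert_name: "{{wildcard_cert_name}}"

    - role: httpd/website
      name: it.fedoracommunity.org
      server_aliases: [it.fedoracommunity.org]
      ips: "{{wildcard_fpo_ips}}"
      cert_name: "{{wildcard_cert_name}}"

    - role: httpd/website
      name: uk.fedoracommunity.org
      server_aliases:
        - uk.fedoracommunity.org
        - www.uk.fedoracommunity.org
      ips: "{{wildcard_fpo_ips}}"
      cert_name: "{{wildcard_cert_name}}"

    - role: httpd/website
      name: people.fedoraproject.org
      server_aliases: [people.fedoraproject.org]
      ips: "{{wildcard_fpo_ips}}"
      cert_name: "{{wildcard_cert_name}}"

    - role: httpd/website
      name: join.fedoraproject.org
      server_aliases: [join.stg.fedoraproject.org]
      ips: "{{wildcard_fpo_ips}}"
      cert_name: "{{wildcard_cert_name}}"

    - role: httpd/website
      name: l10n.fedoraproject.org
      server_aliases: [l10n.stg.fedoraproject.org]
      ips: "{{wildcard_fpo_ips}}"
      cert_name: "{{wildcard_cert_name}}"

    - role: httpd/website
      name: start.fedoraproject.org
      server_aliases: [start.stg.fedoraproject.org]
      ips: "{{wildcard_fpo_ips}}"
      cert_name: "{{wildcard_cert_name}}"

    - role: httpd/website
      name: kde.fedoraproject.org
      ips: "{{wildcard_fpo_ips}}"
      cert_name: "{{wildcard_cert_name}}"

    - role: httpd/website
      name: nightly.fedoraproject.org
      ips: "{{wildcard_fpo_ips}}"
      cert_name: "{{wildcard_cert_name}}"

    - role: httpd/website
      name: store.fedoraproject.org
      ips: "{{wildcard_fpo_ips}}"
      cert_name: "{{wildcard_cert_name}}"

    - role: httpd/website
      name: port389.org
      server_aliases:
        - www.port389.org
        - 389tcp.org
        - www.389tcp.org
      ssl: false
      ips: "{{wildcard_fpo_ips}}"
      cert_name: "{{wildcard_cert_name}}"

    # This vhost has its own certificate and chain rather than the wildcard.
    - role: httpd/website
      name: fedoramagazine.org
      # Two separate aliases; without the comma the flow list holds a single
      # string containing a space.
      server_aliases: [www.fedoramagazine.org, stg.fedoramagazine.org]
      cert_name: fedoramagazine.org
      SSLCertificateChainFile: fedoramagazine.org.intermediate.cert
      ips: "{{wildcard_fpo_ips}}"

    - role: httpd/website
      name: k12linux.org
      server_aliases:
        - www.k12linux.org
      ssl: false
      ips: "{{wildcard_fpo_ips}}"
      cert_name: "{{wildcard_cert_name}}"

    - role: httpd/website
      name: fonts.fedoraproject.org
      server_aliases: [fonts.stg.fedoraproject.org]
      ips: "{{wildcard_fpo_ips}}"
      cert_name: "{{wildcard_cert_name}}"

    - role: httpd/website
      name: meetbot.fedoraproject.org
      server_aliases: [meetbot.stg.fedoraproject.org]
      ips: "{{wildcard_fpo_ips}}"
      cert_name: "{{wildcard_cert_name}}"

    - role: httpd/website
      name: fudcon.fedoraproject.org
      server_aliases: [fudcon.stg.fedoraproject.org]
      ips: "{{wildcard_fpo_ips}}"
      cert_name: "{{wildcard_cert_name}}"

    - role: httpd/website
      name: ask.fedoraproject.org
      server_aliases: [ask.stg.fedoraproject.org]
      sslonly: true
      ips: "{{wildcard_fpo_ips}}"
      cert_name: "{{wildcard_cert_name}}"

    - role: httpd/website
      name: badges.fedoraproject.org
      server_aliases: [badges.stg.fedoraproject.org]
      sslonly: true
      ips: "{{wildcard_fpo_ips}}"
      cert_name: "{{wildcard_cert_name}}"

    - role: httpd/website
      name: darkserver.fedoraproject.org
      server_aliases: [darkserver.stg.fedoraproject.org]
      sslonly: true
      ips: "{{wildcard_fpo_ips}}"
      cert_name: "{{wildcard_cert_name}}"

    - role: httpd/website
      name: paste.fedoraproject.org
      server_aliases:
        - paste.stg.fedoraproject.org
        - fpaste.org
        - www.fpaste.org
      ips: "{{wildcard_fpo_ips}}"
      cert_name: "{{wildcard_cert_name}}"

    - role: httpd/website
      name: apps.fedoraproject.org
      server_aliases: [apps.stg.fedoraproject.org]
      sslonly: true
      gzip: true
      ips: "{{wildcard_fpo_ips}}"
      cert_name: "{{wildcard_cert_name}}"

    # Kinda silly that we have two entries here, one for prod and one for stg.
    # This is inherited from our puppet setup -- we can collapse them as soon as
    # is convenient.  -- threebean
    - role: httpd/website
      name: taskotron.fedoraproject.org
      server_aliases: [taskotron.fedoraproject.org]
      sslonly: true
      ips: "{{wildcard_fpo_ips}}"
      cert_name: "{{wildcard_cert_name}}"

    # NOTE(review): in the three staging-only entries below (this one,
    # lists.fedoraproject.org and id.stg.fedoraproject.org) cert_name comes
    # from a variable while the chain file name is fixed.  Confirm the two
    # still belong together whenever wildcard_cert_name is changed.
    - role: httpd/website
      name: taskotron.stg.fedoraproject.org
      server_aliases: [taskotron.stg.fedoraproject.org]
      # Set this explicitly to stg here.. as per the original puppet config.
      SSLCertificateChainFile: wildcard-2014.stg.fedoraproject.org.intermediate.cert
      sslonly: true
      ips: "{{wildcard_fpo_ips}}"
      cert_name: "{{wildcard_cert_name}}"
      when: env == "staging"

    - role: httpd/website
      name: lists.fedoraproject.org
      server_aliases: [lists.stg.fedoraproject.org]
      sslonly: true
      # Set this explicitly to stg here.. as per the original puppet config.
      SSLCertificateChainFile: wildcard-2014.stg.fedoraproject.org.intermediate.cert
      ips: "{{wildcard_fpo_ips}}"
      cert_name: "{{wildcard_cert_name}}"
      when: env == "staging"

    - role: httpd/website
      name: id.fedoraproject.org
      server_aliases:
        - "*.id.fedoraproject.org"
      ips: "{{wildcard_fpo_ips}}"
      # Must not be sslonly, because example.id.fedoraproject.org must be reachable
      # via plain http for openid identity support
      cert_name: wildcard-2014.id.fedoraproject.org
      SSLCertificateChainFile: wildcard-2014.id.fedoraproject.org.intermediate.cert

    - role: httpd/website
      name: id.stg.fedoraproject.org
      server_aliases:
        - "*.id.stg.fedoraproject.org"
      ips: "{{wildcard_fpo_ips}}"
      # Must not be sslonly, because example.id.fedoraproject.org must be reachable
      # via plain http for openid identity support
      cert_name: "{{wildcard_cert_name}}"
      SSLCertificateChainFile: wildcard-2014.stg.fedoraproject.org.intermediate.cert
      when: env == "staging"

    - role: httpd/website
      name: getfedora.org
      server_aliases: [stg.getfedora.org]
      sslonly: true
      ips: "{{fpo_ips}}"
      cert_name: getfedora.org
      SSLCertificateChainFile: getfedora.org.intermediate.cert

    - role: httpd/website
      name: qa.fedoraproject.org
      ips: "{{fpo_ips}}"
      cert_name: "{{wildcard_cert_name}}"
      server_aliases: [qa.stg.fedoraproject.org]
      sslonly: true

    - role: httpd/website
      name: redirect.fedoraproject.org
      server_aliases: [redirect.stg.fedoraproject.org]
      sslonly: true
      gzip: true
      ips: "{{fpo_ips}}"
      cert_name: "{{wildcard_cert_name}}"

    - role: httpd/website
      name: geoip.fedoraproject.org
      server_aliases: [geoip.stg.fedoraproject.org]
      sslonly: true
      ips: "{{fpo_ips}}"
      cert_name: "{{wildcard_cert_name}}"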