--- - name: Install needed packages yum: name: - mod_ssl - mod_evasive - mod_security - mod_security_crs tags: [package,web] - name: List httpd SSL ports set_fact: httpd_ssl_ports={{ httpd_ssl_ports + (httpd_ansible_vhosts | selectattr('ssl','defined') | selectattr('ssl.port','defined') | map(attribute='ssl.port') | list) | unique }} tags: [firewall,web] - name: Allow httpd to bind on ssl ports seport: ports={{ httpd_ssl_ports | join(',') }} proto=tcp setype=http_port_t state=present when: ansible_selinux.status == 'enabled' tags: [firewall,web] - set_fact: httpd_cert_path={{ '/var/lib/dehydrated/certificates/certs/' + httpd_letsencrypt_cert + '/cert.pem' }} when: httpd_letsencrypt_cert is defined tags: [cert,web,conf] - set_fact: httpd_key_path={{ '/var/lib/dehydrated/certificates/certs/' + httpd_letsencrypt_cert + '/privkey.pem' }} when: httpd_letsencrypt_cert is defined tags: [cert,web,conf] - set_fact: httpd_chain_path={{ '/var/lib/dehydrated/certificates/certs/' + httpd_letsencrypt_cert + '/chain.pem' }} when: httpd_letsencrypt_cert is defined tags: [cert,web,conf] - name: Deploy configuration fragments template: src={{ item.src }} dest={{ item.dest }} with_items: - src: ssl.conf.j2 dest: /etc/httpd/ansible_conf.d/10-ssl.conf - src: evasive.conf.j2 dest: /etc/httpd/ansible_conf.d/10-evasive.conf - src: security.conf.j2 dest: /etc/httpd/ansible_conf.d/10-security.conf - src: common_filter.inc.j2 dest: /etc/httpd/ansible_conf.d/common_filter.inc - src: common_perf.inc.j2 dest: /etc/httpd/ansible_conf.d/common_perf.inc - src: common_cache.inc.j2 dest: /etc/httpd/ansible_conf.d/common_cache.inc - src: common_force_ssl.inc.j2 dest: /etc/httpd/ansible_conf.d/common_force_ssl.inc - src: common_maintenance.inc.j2 dest: /etc/httpd/ansible_conf.d/common_maintenance.inc - src: common_mod_security2.inc.j2 dest: /etc/httpd/ansible_conf.d/common_mod_security2.inc - src: vhost_downtime.conf.j2 dest: /etc/httpd/ansible_conf.d/21-vhost_downtime.conf - src: 01-front.conf.j2 dest: /etc/httpd/ansible_conf.modules.d/01-front.conf - src: 02-evasive.conf.j2 dest: /etc/httpd/ansible_conf.modules.d/02-evasive.conf notify: reload httpd tags: [conf,web] - name: Check if default cert exists stat: path={{ httpd_cert_path }} register: httpd_default_cert tags: [conf,cert,web] - name: Create default self signed cert include_tasks: ../includes/create_selfsigned_cert.yml vars: cert_path: "{{ httpd_cert_path }}" cert_key_path: "{{ httpd_key_path }}" when: not httpd_default_cert.stat.exists tags: [conf,cert,web] - name: Check if Let's Encrypt' cert exist stat: path=/var/lib/dehydrated/certificates/certs/{{ item.ssl.letsencrypt_cert }}/cert.pem register: httpd_letsencrypt_certs with_items: "{{ httpd_ansible_vhosts }}" when: - item.ssl is defined - item.ssl.letsencrypt_cert is defined tags: [cert,web,conf] - name: Create directories for missing Let's Encrypt cert file: path=/var/lib/dehydrated/certificates/certs/{{ item.item.ssl.letsencrypt_cert }} state=directory with_items: "{{ httpd_letsencrypt_certs.results }}" when: - item.stat is defined - not item.stat.exists tags: [cert,web,conf] - name: Link missing Let's Encrypt cert to the default one file: src={{ httpd_cert_path }} dest=/var/lib/dehydrated/certificates/certs/{{ item.item.ssl.letsencrypt_cert }}/cert.pem state=link with_items: "{{ httpd_letsencrypt_certs.results }}" when: - item.stat is defined - not item.stat.exists tags: [cert,web,conf] - name: Link missing Let's Encrypt key to the default one file: src={{ httpd_key_path }} dest=/var/lib/dehydrated/certificates/certs/{{ item.item.ssl.letsencrypt_cert }}/privkey.pem state=link with_items: "{{ httpd_letsencrypt_certs.results }}" when: - item.stat is defined - not item.stat.exists tags: [cert,web,conf] - name: Link missing Let's Encrypt chain to the default cert file: src={{ httpd_cert_path }} dest=/var/lib/dehydrated/certificates/certs/{{ item.item.ssl.letsencrypt_cert }}/chain.pem state=link with_items: "{{ httpd_letsencrypt_certs.results }}" when: - item.stat is defined - not item.stat.exists tags: [cert,web,conf] - name: Create dehydrated hooks dir file: path=/etc/dehydrated/hooks_deploy_cert.d/ state=directory tags: [cert,web] - name: Deploy dehydrated hook copy: src=dehydrated_deploy_hook dest=/etc/dehydrated/hooks_deploy_cert.d/10httpd.sh mode=755 tags: [cert,web] - name: Remove old iptables rule iptables_raw: name: httpd_ssl_port state: absent when: iptables_manage | default(True) tags: [firewall,web] - name: Handle HTTPS ports iptables_raw: name: httpd_ssl_ports state: "{{ (httpd_ssl_src_ip | length > 0) | ternary('present','absent') }}" rules: "-A INPUT -m state --state new -p tcp -m multiport --dports {{ httpd_ssl_ports | join(',') }} -s {{ httpd_ssl_src_ip | join(',') }} -j ACCEPT" when: iptables_manage | default(True) tags: [firewall,web] - name: Deploy the Cache cleaner configuration template: src=htcacheclean.j2 dest=/etc/sysconfig/htcacheclean notify: restart htcacheclean tags: [conf,web] - name: Enable the htcacheclean service service: name=htcacheclean state=started enabled=yes tags: web ...