openstack/ansible-role-httpd
Code Issues Proposed changes

Initial commit to the role

Browse Source 
This implements bare minimal functionality for the HTTPD role. It needs
to be extended according to specific use-cases with follow-up patches

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/938571
Change-Id: I7c0dd550c82cc11d2edba724b3f3030a41c0d354
This commit is contained in:
Dmitriy Rabotyagov 2024-12-25 12:25:01 +01:00 committed by Dmitriy Rabotyagov
parent acf2944d92
commit 7573636fb8
35 changed files with 2246 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

69
.gitignore vendored Normal file
View File

@ -0,0 +1,69 @@
# Add patterns in here to exclude files created by tools integrated with this
# repository, such as test frameworks from the project's recommended workflow,
# rendered documentation and package builds.
#
# Don't add patterns to exclude files created by preferred personal tools
# (editors, IDEs, your operating system itself even). These should instead be
# maintained outside the repository, for example in a ~/.gitignore file added
# with:
#
# git config --global core.excludesfile '~/.gitignore'
# Compiled source #
###################
*.com
*.class
*.dll
*.exe
*.o
*.so
*.pyc
build/
dist/
doc/build/
# Packages #
############
# it's better to unpack these files and commit the raw source
# git has its own built in compression methods
*.7z
*.dmg
*.gz
*.iso
*.jar
*.rar
*.tar
*.zip
# Logs and databases #
######################
*.log
*.sql
*.sqlite
logs/*
# OS generated files #
######################
._*
.tox
*.egg-info
.eggs
# Generated by pbr while building docs
######################################
AUTHORS
ChangeLog
# Files created by releasenotes build
releasenotes/build
# Test temp files
tests/common
tests/*.retry
# Vagrant artifacts
.vagrant
# Git clones
openstack-ansible-ops
previous

100
CONTRIBUTING.rst Normal file
View File

@ -0,0 +1,100 @@
OpenStack-Ansible HTTPD
#######################
tags: ansible, openstack
:category: \*nix
contributor guidelines
^^^^^^^^^^^^^^^^^^^^^^
Filing Bugs
-----------
Bugs should be filed on Launchpad, not GitHub: "https://bugs.launchpad.net
/openstack-ansible"
When submitting a bug, or working on a bug, please ensure the following
criteria are met:
* The description clearly states or describes the original problem or root
cause of the problem.
* Include historical information on how the problem was identified.
* Any relevant logs are included.
* The provided information should be totally self-contained. External
access to web services/sites should not be needed.
* Steps to reproduce the problem if possible.
Submitting Code
---------------
Changes to the project should be submitted for review via the Gerrit tool,
following the workflow documented at:
"https://docs.openstack.org/infra/manual/developers.html#development-workflow"
Pull requests submitted through GitHub will be ignored and closed without
regard.
Extra
-----
Tags: If it's a bug that needs fixing in a branch in addition to Master, add a
'\<release\>-backport-potential' tag (eg ``juno-backport-potential``).
There are predefined tags that will autocomplete.
Status:
Please leave this alone, it should be New till someone triages the issue.
Importance:
Should only be touched if it is a Blocker/Gating issue. If it is, please
set to High, and only use Critical if you have found a bug that can take
down whole infrastructures.
Style guide
-----------
When creating tasks and other roles for use in Ansible please create then
using the YAML dictionary format.
Example YAML dictionary format:
.. code-block:: yaml
- name: The name of the tasks
module_name:
thing1: "some-stuff"
thing2: "some-other-stuff"
tags:
- some-tag
- some-other-tag
Example **NOT** in YAML dictionary format:
.. code-block:: yaml
- name: The name of the tasks
module_name: thing1="some-stuff" thing2="some-other-stuff"
tags:
- some-tag
- some-other-tag
Usage of the ">" and "|" operators should be limited to Ansible conditionals
and command modules such as the ansible ``shell`` module.
Issues
------
When submitting an issue, or working on an issue please ensure the following
criteria are met:
* The description clearly states or describes the original problem or root
cause of the problem.
* Include historical information on how the problem was identified.
* Any relevant logs are included.
* If the issue is a bug that needs fixing in a branch other than Master,
add the 'backport potential' tag TO THE ISSUE (not the PR).
* The provided information should be totally self-contained. External
access to web services/sites should not be needed.
* If the issue is needed for a hotfix release, add the 'expedite' label.
* Steps to reproduce the problem if possible.

201
LICENSE Normal file
View File

@ -0,0 +1,201 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "{}"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright {yyyy} {name of copyright owner}
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

19
README.rst Normal file
View File

@ -0,0 +1,19 @@
======================
Apache Web Server role
======================
Ansible role to install and manage Apache Web Server (httpd). This role
is being maintained by OpenStack-Ansible project, though can be used
as a stand-alone role as well.
Documentation for the project can be found at:
https://docs.openstack.org/ansible-role-httpd/latest/
The project source code repository is located at:
https://opendev.org/openstack/ansible-role-httpd/
The project home is at:
https://launchpad.net/openstack-ansible
The bugs is at:
https://bugs.launchpad.net/openstack-ansible

147
defaults/main.yml Normal file
View File

@ -0,0 +1,147 @@
---
# Copyright 2024, Cleura AB
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
cache_timeout: 300
# Generic configuration
httpd_conf_dir: "/etc/{{ httpd_system_service_name }}"
httpd_conf_file: "{{ _httpd_conf_file }}"
httpd_default_sites: "{{ _httpd_default_sites }}"
httpd_distro_packages: "{{ _httpd_distro_packages }}"
httpd_extra_conf_files: "{{ _httpd_extra_conf_files }}"
## List of modules and MPMs to enable/disable is defined only for DEB systems
httpd_default_modules: "{{ _httpd_default_modules }}"
httpd_extra_modules: []
httpd_modules: "{{ httpd_default_modules + httpd_extra_modules }}"
httpd_mpms: "{{ _httpd_mpms }}"
httpd_package_state: "{{ package_state | default('latest') }}"
httpd_security_conf: "{{ _httpd_security_conf }}"
httpd_server_name: "{{ ansible_facts['fqdn'] }}"
httpd_vhost_enable_path: "{{ _httpd_vhost_enable_path }}"
httpd_service_home_folder: "{{ _httpd_service_home_folder }}"
httpd_service_user_name: "{{ _httpd_service_user_name }}"
httpd_service_group_name: "{{ _httpd_service_group_name }}"
httpd_system_service_name: "{{ _httpd_system_service_name }}"
## vHost defenition example:
# httpd_vhosts:
# - address: ""
# document_root:
# directories:
# - path: "/"
# options: []
# headers: []
# locations:
# - path: "/"
# options: []
# options: []
# port: 80
# server_name: "{{ inventory_hostname }}"
# state: present
# enabled: false
# ssl:
# # In case `cert` or `key` is undefined, certificate will be generated.
# # You can use `san` key to adjust CNs for the generated certificate.
# # `ca` key is optional and can be ommited.
# # You can also set ``ssl: false`` to explicitly disable any TLS configuration
# # for vhost
# cert: /path/to/vhost.crt
# key: /path/to/key.crt
# ca: /path/to/ca.crt
httpd_vhosts: []
# Logging
httpd_custom_log_format: '"%h %l %u \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""'
httpd_log_level: info
# MPM tunables
httpd_mpm_backend: "{{ openstack_apache_mpm_backend | default('event') }}"
httpd_mpm_max_conn_child: "{{ openstack_apache_max_conn_child | default(0) }}"
httpd_mpm_max_requests: "{{ httpd_mpm_server_limit | int * httpd_mpm_thread_child | int }}"
httpd_mpm_max_spare_threads: "{{ openstack_apache_max_spare_threads | default(75) }}"
httpd_mpm_min_spare_threads: "{{ openstack_apache_min_spare_threads | default(25) }}"
httpd_mpm_server_limit: "{{ [[ansible_facts['processor_vcpus'] | default(2) // 2, 1] | max, httpd_mpm_thread_max | int] | min }}"
httpd_mpm_start_servers: "{{ openstack_apache_start_servers | default(2) }}"
httpd_mpm_thread_child: "{{ openstack_apache_thread_child | default(25) }}"
httpd_mpm_thread_limit: "{{ openstack_apache_thread_limit | default(64) }}"
httpd_mpm_thread_max: "{{ openstack_apache_thread_max | default(16) }}"
# TLS configuration
httpd_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1') }}"
## TLS v1.2 and below
httpd_ssl_cipher_suite_tls12: "{{ ssl_cipher_suite | default('ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1:!AESCCM') }}"
## TLS v1.3
httpd_ssl_cipher_suite_tls13: "{{ ssl_cipher_suite_tls13 | default('TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256') }}"
httpd_pki_dir: "{{ openstack_pki_dir | default('/etc/pki') }}"
httpd_pki_setup_host: "{{ openstack_pki_setup_host | default('localhost') }}"
## Create a certificate authority if one does not already exist
httpd_pki_create_ca: "{{ openstack_pki_authorities is not defined | bool and httpd_pki_create_certificates }}"
httpd_pki_regen_ca: ''
httpd_pki_authorities:
- name: "HTTPDRoot"
country: "GB"
state_or_province_name: "England"
organization_name: "Example Corporation"
organizational_unit_name: "IT Security"
cn: "Apache HTTPD Root CA"
provider: selfsigned
basic_constraints: "CA:TRUE"
key_usage:
- digitalSignature
- cRLSign
- keyCertSign
not_after: "+3650d"
- name: "HTTPDIntermediate"
country: "GB"
state_or_province_name: "England"
organization_name: "Example Corporation"
organizational_unit_name: "IT Security"
cn: "Apache HTTPD Intermediate CA"
provider: ownca
basic_constraints: "CA:TRUE,pathlen:0"
key_usage:
- digitalSignature
- cRLSign
- keyCertSign
not_after: "+3650d"
signed_by: "HTTPDRoot"
# Installation details for certificate authorities
httpd_pki_install_ca:
- name: "HTTPDRoot"
condition: "{{ httpd_pki_create_ca }}"
# HTTPD server certificates to generate
httpd_pki_certs_path: "{{ httpd_pki_dir ~ '/certs/certs/' }}"
httpd_pki_certificates: "{{ _httpd_pki_generate_certificates_vhosts }}"
httpd_pki_create_certificates: "{{ httpd_pki_certificates | length > 0 }}"
httpd_pki_default_san: "{{ openstack_pki_san | default('DNS:' ~ ansible_facts['hostname'] ~ ',DNS:' ~ ansible_facts['fqdn']) }}"
httpd_pki_keys_path: "{{ httpd_pki_dir ~ '/certs/private/' }}"
httpd_pki_regen_cert: ''
httpd_pki_intermediate_cert_name: "{{ openstack_pki_service_intermediate_cert_name | default('HTTPDIntermediate') }}"
httpd_pki_intermediate_cert_path: "{{ httpd_pki_dir ~ '/roots/' ~ httpd_pki_intermediate_cert_name ~ '/certs/' ~ httpd_pki_intermediate_cert_name ~ '.crt' }}"
## Installation details for SSL certificates
httpd_pki_install_certificates: "{{ _httpd_pki_install_certificates_vhosts }}"
## Destination directories for SSL certificates
httpd_ssl_certs_dir: /etc/ssl/certs/
httpd_ssl_keys_dir: /etc/ssl/private/

16
doc/requirements.txt Normal file
View File

@ -0,0 +1,16 @@
# The order of packages is significant, because pip processes them in the order
# of appearance. Changing the order has an impact on the overall integration
# process, which may cause wedges in the gate later.
# WARNING:
# This file is maintained in the openstack-ansible-tests repository.
# https://opendev.org/openstack/openstack-ansible-tests/src/branch/master/sync/doc/requirements.txt
# If you need to modify this file, update the one in the
# openstack-ansible-tests repository. Once it merges there, the changes will
# automatically be proposed to all the repositories which use it.
sphinx>=1.8.0,!=2.1.0 # BSD
sphinxcontrib-svg2pdfconverter>=0.1.0 # BSD
openstackdocstheme>=1.32.1 # Apache-2.0
reno>=2.5.0 # Apache-2.0
doc8>=0.6.0 # Apache-2.0

290
doc/source/conf.py Normal file
View File

@ -0,0 +1,290 @@
#!/usr/bin/env python3
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# This file is execfile()d with the current directory set to its
# containing dir.
#
# Note that not all possible configuration values are present in this
# autogenerated file.
#
# All configuration values have a default; values that are commented out
# serve to show the default.
# If extensions (or modules to document with autodoc) are in another directory,
# add these directories to sys.path here. If the directory is relative to the
# documentation root, use os.path.abspath to make it absolute, like shown here.
# sys.path.insert(0, os.path.abspath('.'))
# -- General configuration ------------------------------------------------
# If your documentation needs a minimal Sphinx version, state it here.
# needs_sphinx = '1.0'
# Add any Sphinx extension module names here, as strings. They can be
# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
# ones.
extensions = [
'openstackdocstheme',
'sphinx.ext.autodoc',
]
# Add any paths that contain templates here, relative to this directory.
templates_path = ['_templates']
# The suffix(es) of source filenames.
# You can specify multiple suffix as a list of string:
# source_suffix = ['.rst', '.md']
source_suffix = '.rst'
# The encoding of source files.
# source_encoding = 'utf-8-sig'
# The master toctree document.
master_doc = 'index'
# General information about the project.
author = 'OpenStack-Ansible Contributors'
category = 'Miscellaneous'
copyright = '2024, OpenStack-Ansible Contributors'
description = 'OpenStack-Ansible deploys OpenStack environments using Ansible.'
project = 'OpenStack-Ansible'
role_name = 'httpd'
target_name = 'ansible-role-httpd'
title = 'OpenStack-Ansible Documentation: ' + role_name
# openstackdocstheme options
openstackdocs_repo_name = 'openstack/' + target_name
openstackdocs_bug_project = project.lower()
openstackdocs_bug_tag = ''
# The language for content autogenerated by Sphinx. Refer to documentation
# for a list of supported languages.
#
# This is also used if you do content translation via gettext catalogs.
# Usually you set "language" from the command line for these cases.
language = 'en'
# There are two options for replacing |today|: either, you set today to some
# non-false value, then it is used:
# today = ''
# Else, today_fmt is used as the format for a strftime call.
# today_fmt = '%B %d, %Y'
# List of patterns, relative to source directory, that match files and
# directories to ignore when looking for source files.
exclude_patterns = []
# The reST default role (used for this markup: `text`) to use for all
# documents.
# default_role = None
# If true, '()' will be appended to :func: etc. cross-reference text.
# add_function_parentheses = True
# If true, the current module name will be prepended to all description
# unit titles (such as .. function::).
# add_module_names = True
# If true, sectionauthor and moduleauthor directives will be shown in the
# output. They are ignored by default.
# show_authors = False
# The name of the Pygments (syntax highlighting) style to use.
pygments_style = 'native'
# A list of ignored prefixes for module index sorting.
# modindex_common_prefix = []
# If true, keep warnings as "system message" paragraphs in the built documents.
# keep_warnings = False
# If true, `todo` and `todoList` produce output, else they produce nothing.
todo_include_todos = False
# -- Options for HTML output ----------------------------------------------
# The theme to use for HTML and HTML Help pages. See the documentation for
# a list of builtin themes.
html_theme = 'openstackdocs'
# Theme options are theme-specific and customize the look and feel of a theme
# further. For a list of options available for each theme, see the
# documentation.
# html_theme_options = {}
# Add any paths that contain custom themes here, relative to this directory.
# html_theme_path = []
# The name for this set of Sphinx documents. If None, it defaults to
# "<project> v<release> documentation".
# html_title = None
# A shorter title for the navigation bar. Default is the same as html_title.
# html_short_title = None
# The name of an image file (relative to this directory) to place at the top
# of the sidebar.
# html_logo = None
# The name of an image file (within the static path) to use as favicon of the
# docs. This file should be a Windows icon file (.ico) being 16x16 or 32x32
# pixels large.
# html_favicon = None
# Add any paths that contain custom static files (such as style sheets) here,
# relative to this directory. They are copied after the builtin static files,
# so a file named "default.css" will overwrite the builtin "default.css".
# html_static_path = ['_static']
# Add any extra paths that contain custom files (such as robots.txt or
# .htaccess) here, relative to this directory. These files are copied
# directly to the root of the documentation.
# html_extra_path = []
# If true, SmartyPants will be used to convert quotes and dashes to
# typographically correct entities.
# html_use_smartypants = True
# Custom sidebar templates, maps document names to template names.
# html_sidebars = {}
# Additional templates that should be rendered to pages, maps page names to
# template names.
# html_additional_pages = {}
# If false, no module index is generated.
# html_domain_indices = True
# If false, no index is generated.
# html_use_index = True
# If true, the index is split into individual pages for each letter.
# html_split_index = False
# If true, links to the reST sources are added to the pages.
# html_show_sourcelink = True
# If true, "Created using Sphinx" is shown in the HTML footer. Default is True.
# html_show_sphinx = True
# If true, "(C) Copyright ..." is shown in the HTML footer. Default is True.
# html_show_copyright = True
# If true, an OpenSearch description file will be output, and all pages will
# contain a <link> tag referring to it. The value of this option must be the
# base URL from which the finished HTML is served.
# html_use_opensearch = ''
# This is the file name suffix for HTML files (e.g. ".xhtml").
# html_file_suffix = None
# Language to be used for generating the HTML full-text search index.
# Sphinx supports the following languages:
# 'da', 'de', 'en', 'es', 'fi', 'fr', 'h', 'it', 'ja'
# 'nl', 'no', 'pt', 'ro', 'r', 'sv', 'tr'
# html_search_language = 'en'
# A dictionary with options for the search language support, empty by default.
# Now only 'ja' uses this config value
# html_search_options = {'type': 'default'}
# The name of a javascript file (relative to the configuration directory) that
# implements a search results scorer. If empty, the default will be used.
# html_search_scorer = 'scorer.js'
# Output file base name for HTML help builder.
htmlhelp_basename = target_name + '-docs'
# -- Options for LaTeX output ---------------------------------------------
latex_elements = {
# The paper size ('letterpaper' or 'a4paper').
# 'papersize': 'letterpaper',
# The font size ('10pt', '11pt' or '12pt').
# 'pointsize': '10pt',
# Additional stuff for the LaTeX preamble.
# 'preamble': '',
# Latex figure (float) alignment
# 'figure_align': 'htbp',
}
# Grouping the document tree into LaTeX files. List of tuples
# (source start file, target name, title,
# author, documentclass [howto, manual, or own class]).
latex_documents = [
(master_doc, target_name + '.tex',
title, author, 'manual'),
]
# The name of an image file (relative to this directory) to place at the top of
# the title page.
# latex_logo = None
# For "manual" documents, if this is true, then toplevel headings are parts,
# not chapters.
# latex_use_parts = False
# If true, show page references after internal links.
# latex_show_pagerefs = False
# If true, show URL addresses after external links.
# latex_show_urls = False
# Documents to append as an appendix to all manuals.
# latex_appendices = []
# If false, no module index is generated.
# latex_domain_indices = True
# -- Options for manual page output ---------------------------------------
# One entry per manual page. List of tuples
# (source start file, name, description, authors, manual section).
man_pages = [
(master_doc, target_name,
title, [author], 1)
]
# If true, show URL addresses after external links.
# man_show_urls = False
# -- Options for Texinfo output -------------------------------------------
# Grouping the document tree into Texinfo files. List of tuples
# (source start file, target name, title, author,
# dir menu entry, description, category)
texinfo_documents = [
(master_doc, target_name,
title, author, project,
description, category),
]
# Documents to append as an appendix to all manuals.
# texinfo_appendices = []
# If false, no module index is generated.
# texinfo_domain_indices = True
# How to display URL addresses: 'footnote', 'no', or 'inline'.
# texinfo_show_urls = 'footnote'
# If true, do not generate a @detailmenu in the "Top" node's menu.
# texinfo_no_detailmenu = False

49
doc/source/index.rst Normal file
View File

@ -0,0 +1,49 @@
============================
OpenStack-Ansible HTTPD role
============================
This role installs a PKI infrastructure for maintaining a Root CA and
creating server certificates as required to enable secure communication
between components in a deployment.
To clone or view the source code for this repository, visit the role repository
for `pki <https://opendev.org/openstack/ansible-role-httpd>`_.
Sample configuration
~~~~~~~~~~~~~~~~~~~~
.. code:: yaml
httpd_extra_modules:
- name: proxy
state: present
httpd_vhosts:
- name: test_http
address: "127.0.1.1"
document_root: /var/www/test
directories:
- path: "/var/www/cgi-bin"
params:
- Options Indexes FollowSymLinks MultiViews
headers:
- Header set X-Content-Type-Options "nosniff"
params:
- Options +FollowSymLinks
port: 80
server_name: test_http.test_server
Default variables
~~~~~~~~~~~~~~~~~
.. literalinclude:: ../../defaults/main.yml
:language: yaml
:start-after: under the License.
Example playbook
~~~~~~~~~~~~~~~~
.. literalinclude:: ../../examples/playbook.yml
:language: yaml

6
examples/playbook.yml Normal file
View File

@ -0,0 +1,6 @@
---
- name: Installing Apache Web Server
hosts: httpd
roles:
- role: "{{ playbook_dir | dirname | basename }}"

34
handlers/main.yml Normal file
View File

@ -0,0 +1,34 @@
---
# Copyright 2024, Cleura AB
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Restart web server
ansible.builtin.service:
name: "{{ httpd_system_service_name }}"
enabled: true
state: "restarted"
daemon_reload: "{{ (ansible_facts['service_mgr'] == 'systemd') | ternary('yes', omit) }}"
register: _httpd_restart
- name: Reload web server
ansible.builtin.service:
name: "{{ httpd_system_service_name }}"
enabled: true
state: "reloaded"
daemon_reload: "{{ (ansible_facts['service_mgr'] == 'systemd') | ternary('no', omit) }}"
when:
- _httpd_restart is not defined or (_httpd_restart is defined and _httpd_restart is skipped)
listen:
- "httpd cert installed"
- "venv changed"

23
meta/main.yml Normal file
View File

@ -0,0 +1,23 @@
---
galaxy_info:
author: OpenStack-Ansible Contributors
description: Installation and configuration of Apache Web Server
license: Apache2
role_name: httpd
namespace: openstack
min_ansible_version: "2.10"
platforms:
- name: Debian
versions:
- bookworm
- bullseye
- name: Ubuntu
versions:
- jammy
- noble
- name: EL
versions:
- "9"
galaxy_tags:
- cloud
- httpd

15
molecule/default/group_vars/all.yml Normal file
View File

@ -0,0 +1,15 @@
---
molecule_packages:
debian:
- ca-certificates
- python3-cryptography
- gnutls-bin
- iproute2
redhat:
- ca-certificates
- python3-cryptography
- gnutls-utils
- iproute
- procps
- sudo

49
molecule/default/group_vars/httpd.yml Normal file
View File

@ -0,0 +1,49 @@
---
httpd_pki_setup_host: "{{ inventory_hostname }}"
httpd_extra_modules:
- name: proxy
state: present
httpd_vhosts:
- name: test_http
address: "*"
document_root: /var/www/test_http
directories:
- path: "/var/www/cgi-bin"
options:
- Options Indexes FollowSymLinks MultiViews
headers:
- Header set X-Content-Type-Options "nosniff"
locations:
- path: "/Shibboleth.sso"
options:
- SetHandler shib
options:
- Options +FollowSymLinks
port: 8080
server_name: test_http
- name: test_https
address: "*"
document_root: /var/www/test_https
options:
- Options +FollowSymLinks
port: 8443
ssl:
san: "{{ httpd_pki_default_san }},DNS:noop.server"
server_name: secure_vhost
- name: absent_vhost
address: "*"
document_root: /var/www/absent
port: 8081
server_name: "absent"
state: absent
enabled: true
- name: disabled_vhost
address: "*"
document_root: /var/www/disabled
port: 8082
server_name: "disabled"
enabled: false
ssl: false

37
molecule/default/molecule.yml Normal file
View File

@ -0,0 +1,37 @@
---
dependency:
name: galaxy
options:
requirements-file: requirements.yml
force: ${GALAXY_FORCE:-false}
driver:
name: docker
platforms:
- name: "httpd-${MOLECULE_SCENARIO_NAME}"
image: "${DOCKER_REGISTRY:-quay.io/gotmax23}/${DOCKER_IMAGE_TAG:-debian-systemd:bookworm}"
command: ${DOCKER_COMMAND:-""}
pre_build_image: true
privileged: true
systemd: true
groups:
- httpd
provisioner:
name: ansible
lint:
name: ansible-lint
playbooks:
prepare: prepare.yml
converge: ../../examples/playbook.yml
verify: verify.yml
inventory:
links:
group_vars: ./group_vars/
config_options:
defaults:
inject_facts_as_vars: false
scenario:
name: default

14
molecule/default/prepare.yml Normal file
View File

@ -0,0 +1,14 @@
---
- name: Prepare
hosts: all
tasks:
- name: Update apt cache
ansible.builtin.apt:
update_cache: true
cache_valid_time: 3600
when:
- ansible_facts['os_family'] | lower == 'debian'
- name: Install packages
ansible.builtin.package:
name: "{{ molecule_packages[ansible_facts['os_family'] | lower] }}"

153
molecule/default/verify.yml Normal file
View File

@ -0,0 +1,153 @@
---
- name: Testing httpd deployment
hosts: httpd
vars:
_httpd_ctl_binary:
debian: apachectl
redhat: httpd
_httpd_vhost_present_dir:
debian: /etc/apache2/sites-available
redhat: /etc/httpd/sites-available
_httpd_vhost_enable_dir:
debian: "/etc/apache2/sites-enabled"
redhat: "/etc/httpd/conf.d"
_os_family: "{{ ansible_facts['os_family'] | lower }}"
tasks:
- name: Verify Apache configuration syntax
ansible.builtin.command: "{{ _httpd_ctl_binary[_os_family] }} -t"
changed_when: false
- name: Fetch list of listened ports
community.general.listen_ports_facts:
- name: Verify that expected ports are listened
vars:
tcp_ports: "{{ ansible_facts.tcp_listen | map(attribute='port') | list | unique }}"
ansible.builtin.assert:
that:
- "80 not in tcp_ports"
- "443 not in tcp_ports"
- "8080 in tcp_ports"
- "8081 not in tcp_ports"
- "8082 not in tcp_ports"
- "8443 in tcp_ports"
- name: Fetch list of loaded modules
ansible.builtin.command: "{{ _httpd_ctl_binary[_os_family] }} -D DUMP_MODULES"
register: _httpd_modules_results
changed_when: false
- name: Ensure expected modules are present
ansible.builtin.assert:
that:
- _httpd_modules_results.stdout_lines | select("match", "\sproxy_module\s.*") | length > 0
- _httpd_modules_results.stdout_lines | select("match", "\sssl_module\s.*") | length > 0
- _httpd_modules_results.stdout_lines | select("match", "\smpm_event_module\s.*") | length > 0
- name: Fetch vhost data
ansible.builtin.command: "{{ _httpd_ctl_binary[_os_family] }} -D DUMP_VHOSTS"
register: _httpd_vhosts_results
changed_when: false
- name: Ensure ServerName for all vhosts is set correctly
ansible.builtin.assert:
that:
- _httpd_vhosts_results.stdout_lines | select("match", "\*:8080\s*test_http\s.*") | length > 0
- _httpd_vhosts_results.stdout_lines | select("match", "\*:8443\s*secure_vhost\s.*") | length > 0
- _httpd_vhosts_results.stdout_lines | select("match", ".*\shttpd-default\s.*") | length == 0
- name: Check vhost paths of present vhosts
ansible.builtin.stat:
path: "{{ item }}"
loop:
- "{{ _httpd_vhost_present_dir[_os_family] }}/test_http.conf"
- "{{ _httpd_vhost_present_dir[_os_family] }}/test_https.conf"
- "{{ _httpd_vhost_present_dir[_os_family] }}/absent_vhost.conf"
- "{{ _httpd_vhost_present_dir[_os_family] }}/disabled_vhost.conf"
register: _vhost_present_conf_files
- name: Assert presence of vhost files
ansible.builtin.assert:
that:
- (_vhost_present_conf_files.results | selectattr('item', 'eq', _httpd_vhost_present_dir[_os_family] ~ '/test_http.conf') | first).stat.exists
- (_vhost_present_conf_files.results | selectattr('item', 'eq', _httpd_vhost_present_dir[_os_family] ~ '/test_https.conf') | first).stat.exists
- (_vhost_present_conf_files.results | selectattr('item', 'eq', _httpd_vhost_present_dir[_os_family] ~ '/disabled_vhost.conf') | first).stat.exists
- not (_vhost_present_conf_files.results | selectattr('item', 'eq', _httpd_vhost_present_dir[_os_family] ~ '/absent_vhost.conf') | first).stat.exists
- name: Check vhost paths of enabled vhosts
ansible.builtin.stat:
path: "{{ item }}"
loop:
- "{{ _httpd_vhost_enable_dir[_os_family] }}/test_http.conf"
- "{{ _httpd_vhost_enable_dir[_os_family] }}/test_https.conf"
- "{{ _httpd_vhost_enable_dir[_os_family] }}/absent_vhost.conf"
- "{{ _httpd_vhost_enable_dir[_os_family] }}/disabled_vhost.conf"
register: _vhost_enable_conf_files
- name: Assert enablement of vhost files
ansible.builtin.assert:
that:
- (_vhost_enable_conf_files.results | selectattr('item', 'eq', _httpd_vhost_enable_dir[_os_family] ~ '/test_http.conf') | first).stat.exists
- (_vhost_enable_conf_files.results | selectattr('item', 'eq', _httpd_vhost_enable_dir[_os_family] ~ '/test_https.conf') | first).stat.exists
- not (_vhost_enable_conf_files.results | selectattr('item', 'eq', _httpd_vhost_enable_dir[_os_family] ~ '/disabled_vhost.conf') | first).stat.exists
- not (_vhost_enable_conf_files.results | selectattr('item', 'eq', _httpd_vhost_enable_dir[_os_family] ~ '/absent_vhost.conf') | first).stat.exists
- name: Place a noop file to serve via Apache
ansible.builtin.copy:
content: "{{ item.content }}"
dest: "{{ item.dest }}"
mode: "0644"
with_items:
- dest: /var/www/test_http/noop.txt
content: Hello, test_http!
- dest: /var/www/test_https/noop.txt
content: Hello, test_https!
- name: Fetch the noop file from HTTP vhost and ensure content
ansible.builtin.uri:
url: "http://127.0.0.1:8080/noop.txt"
follow_redirects: none
method: GET
return_content: true
register: test_http_noop
failed_when: test_http_noop is failed or test_http_noop.content != 'Hello, test_http!'
- name: Fetch the noop file from HTTPS vhost and ensure content
ansible.builtin.uri:
url: "https://{{ ansible_facts['fqdn'] }}:8443/noop.txt"
follow_redirects: none
method: GET
return_content: true
register: test_https_noop
failed_when: test_https_noop is failed or test_https_noop.content != 'Hello, test_https!'
- name: Check if certificates were generated
ansible.builtin.stat:
path: "{{ item }}"
loop:
- "/etc/ssl/certs/httpd_{{ inventory_hostname }}_test_http.pem"
- "/etc/ssl/certs/httpd_{{ inventory_hostname }}_test_https.pem"
- "/etc/ssl/certs/httpd_{{ inventory_hostname }}_disabled_vhost.pem"
register: _vhost_ssl_files
- name: Assert enablement of vhost files
ansible.builtin.assert:
that:
- not (_vhost_ssl_files.results | selectattr('item', 'eq', '/etc/ssl/certs/httpd_' ~ inventory_hostname ~ '_test_http.pem') | first).stat.exists
- (_vhost_ssl_files.results | selectattr('item', 'eq', '/etc/ssl/certs/httpd_' ~ inventory_hostname ~ '_test_https.pem') | first).stat.exists
- not (_vhost_ssl_files.results | selectattr('item', 'eq','/etc/ssl/certs/httpd_' ~ inventory_hostname ~ '_disabled_vhost.pem') | first).stat.exists
- name: Fetch details of generated certificate
community.crypto.x509_certificate_info:
path: "/etc/ssl/certs/httpd_{{ inventory_hostname }}_test_https.pem"
register: test_https_cert
- name: Verify generated cert details
ansible.builtin.assert:
that:
- test_https_cert['issuer']['commonName'] == 'Apache HTTPD Intermediate CA'
- test_https_cert['subject']['commonName'] == inventory_hostname
- "'DNS:noop.server' in test_https_cert['subject_alt_name']"
- "'DNS:httpd-default' in test_https_cert['subject_alt_name']"
- not test_https_cert['expired']

0
releasenotes/notes/.placeholder Normal file
View File

11
releasenotes/notes/httpd_common_role-a955fdfe516386ea.yaml Normal file
View File

@ -0,0 +1,11 @@
---
prelude: >
Implemented a standalone role ``httpd`` for Apache Web Server (HTTPD)
configuration that aims to be included in various roles that require
Apache2 (i.e. keystone, horizon, skyline, etc).
features:
- |
Created a common ``httpd`` role to unify approach for managing
Apache2 instalaltion and configuration across roles.
Role is written in relatively agnostic way and should be suitable
for usage outside of OpenStack-Ansible deployments as well.

0
releasenotes/source/_static/.placeholder Normal file
View File

0
releasenotes/source/_templates/.placeholder Normal file
View File

276
releasenotes/source/conf.py Normal file
View File

@ -0,0 +1,276 @@
#!/usr/bin/env python3
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# This file is execfile()d with the current directory set to its
# containing dir.
#
# Note that not all possible configuration values are present in this
# autogenerated file.
#
# All configuration values have a default; values that are commented out
# serve to show the default.
# If extensions (or modules to document with autodoc) are in another directory,
# add these directories to sys.path here. If the directory is relative to the
# documentation root, use os.path.abspath to make it absolute, like shown here.
# sys.path.insert(0, os.path.abspath('.'))
# -- General configuration ------------------------------------------------
# If your documentation needs a minimal Sphinx version, state it here.
# needs_sphinx = '1.0'
# Add any Sphinx extension module names here, as strings. They can be
# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
# ones.
extensions = [
'openstackdocstheme',
'reno.sphinxext',
]
# Add any paths that contain templates here, relative to this directory.
templates_path = ['_templates']
# The suffix of source filenames.
source_suffix = '.rst'
# The encoding of source files.
# source_encoding = 'utf-8-sig'
# The master toctree document.
master_doc = 'index'
# General information about the project.
author = 'OpenStack-Ansible Contributors'
category = 'Miscellaneous'
copyright = '2014-2024, OpenStack-Ansible Contributors'
description = 'OpenStack-Ansible deploys OpenStack environments using Ansible.'
project = 'OpenStack-Ansible'
role_name = 'httpd'
target_name = 'ansible-role-' + role_name
title = 'OpenStack-Ansible Release Notes: ' + role_name + 'role'
# Release notes do not need a version number in the title, they
# cover multiple releases.
# The full version, including alpha/beta/rc tags.
release = ''
# The short X.Y version.
version = ''
# openstackdocstheme options
openstackdocs_repo_name = 'openstack/' + target_name
openstackdocs_bug_project = project.lower()
openstackdocs_bug_tag = ''
# The language for content autogenerated by Sphinx. Refer to documentation
# for a list of supported languages.
# language = None
# There are two options for replacing |today|: either, you set today to some
# non-false value, then it is used:
# today = ''
# Else, today_fmt is used as the format for a strftime call.
# today_fmt = '%B %d, %Y'
# List of patterns, relative to source directory, that match files and
# directories to ignore when looking for source files.
exclude_patterns = []
# The reST default role (used for this markup: `text`) to use for all
# documents.
# default_role = None
# If true, '()' will be appended to :func: etc. cross-reference text.
# add_function_parentheses = True
# If true, the current module name will be prepended to all description
# unit titles (such as .. function::).
# add_module_names = True
# If true, sectionauthor and moduleauthor directives will be shown in the
# output. They are ignored by default.
# show_authors = False
# The name of the Pygments (syntax highlighting) style to use.
pygments_style = 'native'
# A list of ignored prefixes for module index sorting.
# modindex_common_prefix = []
# If true, keep warnings as "system message" paragraphs in the built documents.
# keep_warnings = False
# -- Options for HTML output ----------------------------------------------
# The theme to use for HTML and HTML Help pages. See the documentation for
# a list of builtin themes.
html_theme = 'openstackdocs'
# Theme options are theme-specific and customize the look and feel of a theme
# further. For a list of options available for each theme, see the
# documentation.
# html_theme_options = {}
# Add any paths that contain custom themes here, relative to this directory.
# html_theme_path = []
# The name for this set of Sphinx documents. If None, it defaults to
# "<project> v<release> documentation".
# html_title = None
# A shorter title for the navigation bar. Default is the same as html_title.
# html_short_title = None
# The name of an image file (relative to this directory) to place at the top
# of the sidebar.
# html_logo = None
# The name of an image file (within the static path) to use as favicon of the
# docs. This file should be a Windows icon file (.ico) being 16x16 or 32x32
# pixels large.
# html_favicon = None
# Add any paths that contain custom static files (such as style sheets) here,
# relative to this directory. They are copied after the builtin static files,
# so a file named "default.css" will overwrite the builtin "default.css".
html_static_path = ['_static']
# Add any extra paths that contain custom files (such as robots.txt or
# .htaccess) here, relative to this directory. These files are copied
# directly to the root of the documentation.
# html_extra_path = []
# If true, SmartyPants will be used to convert quotes and dashes to
# typographically correct entities.
# html_use_smartypants = True
# Custom sidebar templates, maps document names to template names.
# html_sidebars = {}
# Additional templates that should be rendered to pages, maps page names to
# template names.
# html_additional_pages = {}
# If false, no module index is generated.
# html_domain_indices = True
# If false, no index is generated.
# html_use_index = True
# If true, the index is split into individual pages for each letter.
# html_split_index = False
# If true, links to the reST sources are added to the pages.
# html_show_sourcelink = True
# If true, "Created using Sphinx" is shown in the HTML footer. Default is True.
# html_show_sphinx = True
# If true, "(C) Copyright ..." is shown in the HTML footer. Default is True.
# html_show_copyright = True
# If true, an OpenSearch description file will be output, and all pages will
# contain a <link> tag referring to it. The value of this option must be the
# base URL from which the finished HTML is served.
# html_use_opensearch = ''
# This is the file name suffix for HTML files (e.g. ".xhtml").
# html_file_suffix = None
# Output file base name for HTML help builder.
htmlhelp_basename = target_name + '-docs'
# -- Options for LaTeX output ---------------------------------------------
latex_elements = {
# The paper size ('letterpaper' or 'a4paper').
# 'papersize': 'letterpaper',
# The font size ('10pt', '11pt' or '12pt').
# 'pointsize': '10pt',
# Additional stuff for the LaTeX preamble.
# 'preamble': '',
}
# Grouping the document tree into LaTeX files. List of tuples
# (source start file, target name, title,
# author, documentclass [howto, manual, or own class]).
latex_documents = [
(master_doc, target_name + '.tex',
title, author, 'manual'),
]
# The name of an image file (relative to this directory) to place at the top of
# the title page.
# latex_logo = None
# For "manual" documents, if this is true, then toplevel headings are parts,
# not chapters.
# latex_use_parts = False
# If true, show page references after internal links.
# latex_show_pagerefs = False
# If true, show URL addresses after external links.
# latex_show_urls = False
# Documents to append as an appendix to all manuals.
# latex_appendices = []
# If false, no module index is generated.
# latex_domain_indices = True
# -- Options for manual page output ---------------------------------------
# One entry per manual page. List of tuples
# (source start file, name, description, authors, manual section).
man_pages = [
(master_doc, target_name,
title, [author], 1)
]
# If true, show URL addresses after external links.
# man_show_urls = False
# -- Options for Texinfo output -------------------------------------------
# Grouping the document tree into Texinfo files. List of tuples
# (source start file, target name, title, author,
# dir menu entry, description, category)
texinfo_documents = [
(master_doc, target_name,
title, author, project,
description, category),
]
# Documents to append as an appendix to all manuals.
# texinfo_appendices = []
# If false, no module index is generated.
# texinfo_domain_indices = True
# How to display URL addresses: 'footnote', 'no', or 'inline'.
# texinfo_show_urls = 'footnote'
# If true, do not generate a @detailmenu in the "Top" node's menu.
# texinfo_no_detailmenu = False
# -- Options for Internationalization output ------------------------------
locale_dirs = ['locale/']

5
releasenotes/source/index.rst Normal file
View File

@ -0,0 +1,5 @@
==============================
Current Series Release Notes
==============================
.. release-notes::

17
requirements.yml Normal file
View File

@ -0,0 +1,17 @@
---
roles:
- name: pki
version: master
scm: git
src: https://opendev.org/openstack/ansible-role-pki
collections:
# for the PKI role
- name: community.crypto
source: https://github.com/ansible-collections/community.crypto
type: git
version: 2.23.0
# for the httpd role
- name: community.general
source: https://github.com/ansible-collections/community.general
type: git
version: 10.2.0

112
tasks/httpd_configure_vhosts.yml Normal file
View File

@ -0,0 +1,112 @@
---
# Copyright 2024, Cleura AB
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Disabling vhosts that are marked as absent or not enabled
ansible.builtin.file:
path: "{{ httpd_vhost_enable_path }}/{{ vhost['name'] }}.conf"
state: absent
loop: >-
{{
httpd_vhosts | selectattr('state', 'defined') | selectattr('state', 'eq', 'absent') +
httpd_vhosts | selectattr('enabled', 'defined') | selectattr('enabled', 'false')
}}
loop_control:
loop_var: vhost
label: "{{ loop_label | to_json }}"
vars:
loop_label:
vhost: "{{ vhost['name'] }}"
notify:
- Reload web server
- name: Removing vhost defenitions which are marked as absent
ansible.builtin.file:
path: "{{ httpd_conf_dir }}/sites-available/{{ vhost['name'] }}.conf"
state: absent
loop: "{{ httpd_vhosts | selectattr('state', 'defined') | selectattr('state', 'eq', 'absent') }}"
loop_control:
loop_var: vhost
label: "{{ loop_label | to_json }}"
vars:
loop_label:
vhost: "{{ vhost['name'] }}"
notify:
- Reload web server
- name: Create and install SSL certificates
ansible.builtin.include_role:
name: pki
tasks_from: main_certs.yml
apply:
tags:
- httpd-config
- pki
vars:
pki_setup_host: "{{ httpd_pki_setup_host }}"
pki_dir: "{{ httpd_pki_dir }}"
pki_create_certificates: "{{ httpd_pki_create_certificates }}"
pki_regen_cert: "{{ httpd_pki_regen_cert }}"
pki_certificates: "{{ httpd_pki_certificates }}"
pki_install_certificates: "{{ httpd_pki_install_certificates }}"
pki_handler_cert_installed: "httpd cert installed"
when:
- httpd_pki_install_certificates | length > 0
tags:
- httpd-config
- pki
- name: Placing vhost files that should be present
ansible.builtin.template:
src: httpd_vhost.conf.j2
dest: "{{ httpd_conf_dir }}/sites-available/{{ vhost['name'] }}.conf"
owner: "{{ httpd_service_user_name }}"
group: "{{ httpd_service_group_name }}"
mode: "0640"
loop: >-
{{
httpd_vhosts | selectattr('state', 'defined') | selectattr('state', 'eq', 'present') +
httpd_vhosts | selectattr('state', 'undefined')
}}
loop_control:
loop_var: vhost
label: "{{ loop_label | to_json }}"
vars:
loop_label:
vhost: "{{ vhost['name'] }}"
notify:
- Reload web server
- name: Enable required vhosts
ansible.builtin.file:
src: "{{ httpd_conf_dir }}/sites-available/{{ vhost['name'] }}.conf"
dest: "{{ httpd_vhost_enable_path }}/{{ vhost['name'] }}.conf"
state: link
loop: >-
{{
(
httpd_vhosts | selectattr('enabled', 'defined') | selectattr('enabled', 'true') +
httpd_vhosts | selectattr('enabled', 'undefined')
) | rejectattr('name', 'in', absent_vhosts)
}}
loop_control:
loop_var: vhost
label: "{{ loop_label | to_json }}"
vars:
loop_label:
vhost: "{{ vhost['name'] }}"
absent_vhosts: >-
{{ httpd_vhosts | selectattr('state', 'defined') | selectattr('state', 'eq', 'absent') | map(attribute='name') }}
notify:
- Reload web server

82
tasks/httpd_post_install.yml Normal file
View File

@ -0,0 +1,82 @@
---
# Copyright 2024, Cleura AB
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Ensure apache2 MPM for Debian/Ubuntu
community.general.apache2_module:
name: "{{ item.name }}"
state: "{{ item.state }}"
ignore_configcheck: true
warn_mpm_absent: false
with_items: "{{ httpd_mpms | sort(attribute='state') }}"
when:
- ansible_facts['pkg_mgr'] == 'apt'
notify: Restart web server
- name: Ensure apache2 MPM for EL
ansible.builtin.copy:
content: |
LoadModule mpm_{{ httpd_mpm_backend }}_module modules/mod_mpm_{{ httpd_mpm_backend }}.so
dest: "{{ httpd_conf_dir }}/conf.modules.d/00-mpm.conf"
mode: "0644"
when:
- ansible_facts['pkg_mgr'] == 'dnf'
notify: Restart web server
- name: Enable apache2 modules
community.general.apache2_module:
name: "{{ item.name }}"
state: "{{ item.state }}"
ignore_configcheck: true
with_items: "{{ httpd_modules }}"
when:
- ansible_facts['pkg_mgr'] == 'apt'
notify: Restart web server
- name: Disable default apache site
ansible.builtin.file:
path: "{{ item }}"
state: "absent"
with_items: "{{ httpd_default_sites }}"
notify: Restart web server
- name: Ensure Apache configuration
ansible.builtin.lineinfile:
dest: "{{ httpd_conf_file }}"
line: "{{ item }}"
regexp: "^{{ item | split() | first }}"
notify: Restart web server
with_items:
- "ServerName {{ httpd_server_name }}"
- "ErrorLog syslog:daemon"
- "LogLevel {{ httpd_log_level }}"
- name: Apply Apache extra configuration
ansible.builtin.template:
src: "{{ item['src'] }}"
dest: "{{ item['dest'] }}"
owner: "{{ item['owner'] }}"
group: "{{ item['group'] }}"
mode: "0644"
with_items: "{{ httpd_extra_conf_files }}"
notify: Restart web server
- name: Remove Listen from Apache config
ansible.builtin.lineinfile:
dest: "{{ httpd_security_conf }}"
regexp: '^(Listen.*)'
backrefs: true
line: '#\1'
notify: Restart web server

95
tasks/httpd_pre_install.yml Normal file
View File

@ -0,0 +1,95 @@
---
# Copyright 2024, Cleura AB
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Create the system group
ansible.builtin.group:
name: "{{ httpd_service_group_name }}"
state: "present"
system: "yes"
- name: Create the system user
ansible.builtin.user:
name: "{{ httpd_service_user_name }}"
group: "{{ httpd_service_group_name }}"
comment: "Apache Web Server user"
shell: "/usr/bin/false"
system: "yes"
createhome: "yes"
home: "{{ httpd_service_home_folder }}"
- name: Default and vhosts root directory setup
vars:
_vhost_document_roots: >-
{{
(
httpd_vhosts | selectattr('state', 'defined') | selectattr('state', 'eq', 'present') +
httpd_vhosts | selectattr('state', 'undefined')
) | map(attribute='document_root') | map('community.general.dict_kv', 'path')
}}
_default_paths:
- path: "{{ httpd_conf_dir }}/sites-available"
mode: "0750"
- path: "{{ httpd_service_home_folder }}"
mode: "0750"
condition: "{{ ansible_facts['os_family'] | lower == 'debian' }}"
ansible.builtin.file:
path: "{{ item.path }}"
state: "{{ item.state | default('directory') }}"
owner: "{{ httpd_service_user_name }}"
group: "{{ httpd_service_group_name }}"
mode: "{{ item.mode | default('0755') }}"
with_items: "{{ _default_paths + _vhost_document_roots }}"
when:
- item.condition | default(true)
- name: Create SSL CA for self-generated certificates
ansible.builtin.include_role:
name: pki
tasks_from: main_ca.yml
apply:
tags:
- httpd-install
- pki
vars:
pki_setup_host: "{{ httpd_pki_setup_host }}"
pki_dir: "{{ httpd_pki_dir }}"
pki_create_ca: "{{ httpd_pki_create_ca }}"
pki_authorities: "{{ httpd_pki_authorities }}"
pki_regen_ca: "{{ httpd_pki_regen_ca }}"
when:
- httpd_pki_create_ca | bool
- httpd_pki_authorities | length > 0
tags:
- httpd-install
- pki
- name: Install SSL CA for self-generated certificates
ansible.builtin.include_role:
name: pki
tasks_from: main_ca_install.yml
apply:
tags:
- httpd-install
- pki
vars:
pki_setup_host: "{{ httpd_pki_setup_host }}"
pki_dir: "{{ httpd_pki_dir }}"
pki_install_ca: "{{ httpd_pki_install_ca }}"
when:
- httpd_pki_create_ca | bool
- httpd_pki_install_ca | length > 0
tags:
- httpd-install
- pki

78
tasks/main.yml Normal file
View File

@ -0,0 +1,78 @@
---
# Copyright 2024, Cleura AB
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Ensure that at least one vhost is defined
ansible.builtin.assert:
that:
- httpd_vhosts | length > 0
- httpd_vhosts | selectattr('name', 'undefined') | length == 0
- httpd_vhosts | selectattr('document_root', 'undefined') | length == 0
success_msg: vhosts are defined properly
fail_msg: >-
At least one vhost must be defined in `httpd_vhosts`.
Each vhost must contain at least `name` and `document_root` keys.
- name: Gather variables for each operating system
ansible.builtin.include_vars: "{{ lookup('first_found', params) }}"
vars:
params:
files:
- "{{ ansible_facts['distribution'] | lower }}-{{ ansible_facts['distribution_version'] | lower }}.yml"
- "{{ ansible_facts['distribution'] | lower }}-{{ ansible_facts['distribution_major_version'] | lower }}.yml"
- "{{ ansible_facts['os_family'] | lower }}-{{ ansible_facts['distribution_major_version'] | lower }}.yml"
- "{{ ansible_facts['distribution'] | lower }}.yml"
- "{{ ansible_facts['os_family'] | lower }}-{{ ansible_facts['distribution_version'].split('.')[0] }}.yml"
- "{{ ansible_facts['os_family'] | lower }}.yml"
paths:
- "{{ role_path }}/vars"
tags:
- always
- name: Importing httpd_pre_install tasks
ansible.builtin.import_tasks:
file: httpd_pre_install.yml
tags:
- httpd-install
- name: Install distro packages
ansible.builtin.package:
name: "{{ httpd_distro_packages | reject('equalto', '') | list }}"
state: "{{ httpd_package_state }}"
update_cache: "{{ (ansible_facts['pkg_mgr'] == 'apt') | ternary('yes', omit) }}"
cache_valid_time: "{{ (ansible_facts['pkg_mgr'] == 'apt') | ternary(cache_timeout, omit) }}"
register: install_packages
until: install_packages is success
retries: 5
delay: 5
notify:
- Restart web server
tags:
- httpd-install
- name: Importing httpd_post_install tasks
ansible.builtin.import_tasks:
file: httpd_post_install.yml
tags:
- httpd-config
- name: Importing httpd_configure_vhosts tasks
ansible.builtin.import_tasks:
file: httpd_configure_vhosts.yml
tags:
- httpd-config
- httpd-vhosts
- name: Flush handlers
ansible.builtin.meta: flush_handlers

12
templates/httpd_mpm.conf.j2 Normal file
View File

@ -0,0 +1,12 @@
# {{ ansible_managed }}
<IfModule mpm_{{ httpd_mpm_backend }}_module>
ServerLimit {{ httpd_mpm_server_limit }}
StartServers {{ httpd_mpm_start_servers }}
MinSpareThreads {{ httpd_mpm_min_spare_threads }}
MaxSpareThreads {{ httpd_mpm_max_spare_threads }}
ThreadLimit {{ httpd_mpm_thread_limit }}
ThreadsPerChild {{ httpd_mpm_thread_child }}
MaxRequestWorkers {{ httpd_mpm_max_requests }}
MaxConnectionsPerChild {{ httpd_mpm_max_conn_child }}
</IfModule>

5
templates/httpd_ports.conf.j2 Normal file
View File

@ -0,0 +1,5 @@
# {{ ansible_managed }}
# Listen commands happen inside the individual VHost files
# This allows for multiple services VHosts to exist without
# overwriting Listen lines.

57
templates/httpd_vhost.conf.j2 Normal file
View File

@ -0,0 +1,57 @@
# {{ ansible_managed }}
Listen {{ vhost['address'] | default('*') }}:{{ vhost['port'] | default(80) }}
<VirtualHost {{ vhost['address'] | default('*') }}:{{ vhost['port'] | default(80) }}>
ServerName {{ vhost['server_name'] | default(httpd_server_name) }}
LogLevel {{ vhost['log_level'] | default(httpd_log_level) }}
ErrorLog syslog:daemon
CustomLog "|/usr/bin/env logger -p daemon.info -t {{ httpd_system_service_name }}:{{ vhost['name'] }}" {{ vhost['log_format'] | default(httpd_custom_log_format) }}
DocumentRoot {{ vhost['document_root'] }}
{% for header in vhost['headers'] | default([]) %}
{{ header }}
{% endfor %}
{% if 'ssl' in vhost and vhost['ssl'] %}
{% set cert_name = ['httpd', inventory_hostname, vhost['name']] | join('_') %}
SSLEngine on
SSLCertificateFile {{ httpd_ssl_certs_dir ~ cert_name }}.pem
SSLCertificateKeyFile {{ httpd_ssl_keys_dir ~ cert_name }}.key
{% if 'ca' in vhost['ssl'] %}
SSLCACertificateFile {{ httpd_ssl_certs_dir ~ cert_name }}-ca.pem
{% endif %}
SSLCompression Off
SSLOptions +StdEnvVars +ExportCertData
SSLProtocol {{ vhost['protocol'] | default(httpd_ssl_protocol) }}
SSLHonorCipherOrder On
{% if httpd_ssl_cipher_suite_tls12 %}
SSLCipherSuite {{ httpd_ssl_cipher_suite_tls12 }}
{% endif %}
{% if httpd_ssl_cipher_suite_tls13 %}
SSLCipherSuite TLSv1.3 {{ httpd_ssl_cipher_suite_tls13 }}
{% endif %}
{% endif %}
{% for option in vhost['options'] | default([]) %}
{{ option }}
{% endfor %}
{% for location in vhost['locations'] | default([]) %}
<Location {{ location['path'] }}>
{% for loc_param in location['options'] %}
{{ loc_param }}
{% endfor %}
</Location>
{% endfor %}
{% for directory in vhost['directories'] | default([]) %}
<Directory {{ directory['path'] }}>
{% for dir_param in directory['options'] %}
{{ dir_param }}
{% endfor %}
</Directory>
{% endfor %}
</VirtualHost>

73
tox.ini Normal file
View File

@ -0,0 +1,73 @@
[tox]
minversion = 4.0
skipsdist = True
envlist = docs,pdf-docs,releasenotes,molecule
ignore_basepython_conflict = True
[testenv]
basepython = python3
usedevelop = False
commands =
/usr/bin/find . -type f -name "*.pyc" -delete
passenv =
COMMON_TESTS_PATH
HOME
http_proxy
HTTP_PROXY
https_proxy
HTTPS_PROXY
no_proxy
NO_PROXY
TESTING_BRANCH
TESTING_HOME
USER
allowlist_externals =
bash
setenv =
PYTHONUNBUFFERED=1
ROLE_NAME=pki
VIRTUAL_ENV={envdir}
WORKING_DIR={toxinidir}
[testenv:docs]
deps =
-c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/master}
-r{toxinidir}/doc/requirements.txt
commands=
bash -c "rm -rf doc/build"
doc8 doc
sphinx-build -W -b html doc/source doc/build/html
[testenv:pdf-docs]
deps = {[testenv:docs]deps}
allowlist_externals =
make
commands =
sphinx-build -W --keep-going -b latex doc/source doc/build/pdf
make -C doc/build/pdf
[doc8]
# Settings for doc8:
extensions = .rst
[testenv:releasenotes]
deps = {[testenv:docs]deps}
commands =
sphinx-build -a -E -W -d releasenotes/build/doctrees -b html releasenotes/source releasenotes/build/html
[testenv:molecule]
# You can use DOCKER_REGISTRY and DOCKER_IMAGE_TAG to switch between
# tested distros. I.e:
# DOCKER_IMAGE_TAG=centos-systemd:stream9 tox -e molecule
deps =
-c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/master}
-rhttps://opendev.org/openstack/openstack-ansible/raw/branch/{env:TEST_BRANCH:master}/test-requirements.txt
commands =
molecule test
passenv =
{[testenv]passenv}
DOCKER_REGISTRY
DOCKER_IMAGE_TAG
DOCKER_COMMAND

62
vars/debian.yml Normal file
View File

@ -0,0 +1,62 @@
---
# Copyright 2024, Cleura AB
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
_httpd_system_service_name: apache2
_httpd_service_user_name: www-data
_httpd_service_group_name: www-data
_httpd_service_home_folder: /var/www
_httpd_service_home_folder_mode: "0750"
_httpd_vhost_enable_path: "{{ httpd_conf_dir }}/sites-enabled"
_httpd_mpms:
- name: "mpm_event"
state: "{{ (httpd_mpm_backend == 'event') | ternary('present', 'absent') }}"
- name: "mpm_worker"
state: "{{ (httpd_mpm_backend == 'worker') | ternary('present', 'absent') }}"
- name: "mpm_prefork"
state: "{{ (httpd_mpm_backend == 'prefork') | ternary('present', 'absent') }}"
_httpd_default_modules:
- name: "ssl"
state: "present"
- name: "rewrite"
state: "present"
- name: "headers"
state: "present"
- name: "deflate"
state: "present"
_httpd_default_sites:
- "{{ httpd_vhost_enable_path }}/000-default.conf"
- "{{ httpd_conf_dir }}/conf-enabled/other-vhosts-access-log.conf"
_httpd_extra_conf_files:
- src: "httpd_ports.conf.j2"
dest: "{{ httpd_conf_dir }}/ports.conf"
owner: "root"
group: "root"
- src: "httpd_mpm.conf.j2"
dest: "{{ httpd_conf_dir }}/mods-available/mpm_{{ httpd_mpm_backend }}.conf"
owner: "root"
group: "root"
_httpd_conf_file: "{{ httpd_conf_dir }}/apache2.conf"
_httpd_security_conf: "{{ httpd_conf_dir }}/conf-available/security.conf"
_httpd_distro_packages:
- git
- apache2
- sudo

71
vars/main.yml Normal file
View File

@ -0,0 +1,71 @@
---
# Copyright 2024, Cleura AB
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
_httpd_vhosts_with_ssl: "{{ httpd_vhosts | selectattr('ssl', 'defined') | selectattr('ssl') }}"
_httpd_pki_generate_certificates_vhosts: |-
{% set certs_to_generate = [] %}
{% for vhost in _httpd_vhosts_with_ssl %}
{% if not ('cert' in vhost['ssl'] and 'key' in vhost['ssl']) %}
{% set _ = certs_to_generate.append({
'name': ['httpd', inventory_hostname, vhost['name']] | join('_'),
'provider': 'ownca',
'cn': inventory_hostname,
'san': vhost['ssl']['san'] | default(httpd_pki_default_san),
'signed_by': httpd_pki_intermediate_cert_name,
})
%}
{% endif %}
{% endfor %}
{{ certs_to_generate }}
_httpd_pki_install_certificates_vhosts: |-
{% set certs_to_install = [] %}
{% for vhost in _httpd_vhosts_with_ssl %}
{% set cert_name = ['httpd', inventory_hostname, vhost['name']] | join('_') %}
{% if not ('cert' in vhost['ssl'] and 'key' in vhost['ssl']) %}
{% set _ = vhost['ssl'].update({
'cert': httpd_pki_certs_path ~ cert_name ~ '-chain.crt',
'key': httpd_pki_keys_path ~ cert_name ~ '.key.pem'
})
%}
{% endif %}
{% set _ = certs_to_install.append({
'src': vhost['ssl']['cert'],
'dest': httpd_ssl_certs_dir ~ cert_name ~ '.pem',
'owner': httpd_service_user_name,
'group': httpd_service_group_name,
'mode': '0640'
})
%}
{% set _ = certs_to_install.append({
'src': vhost['ssl']['key'],
'dest': httpd_ssl_keys_dir ~ cert_name ~ '.key',
'owner': httpd_service_user_name,
'group': httpd_service_group_name,
'mode': '0600'
})
%}
{% set _ = certs_to_install.append({
'src': vhost['ssl'].get('ca'),
'dest': httpd_ssl_certs_dir ~ cert_name ~ '-ca.pem',
'owner': httpd_service_user_name,
'group': httpd_service_group_name,
'mode': '0644',
'condition': 'ca' in vhost['ssl']
})
%}
{% endfor %}
{{ certs_to_install }}

45
vars/redhat.yml Normal file
View File

@ -0,0 +1,45 @@
---
# Copyright 2024, Cleura AB
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
_httpd_system_service_name: httpd
_httpd_service_user_name: apache
_httpd_service_group_name: apache
_httpd_service_home_folder: /usr/share/httpd
_httpd_vhost_enable_path: "{{ httpd_conf_dir }}/conf.d"
_httpd_default_sites:
- "{{ httpd_vhost_enable_path }}/userdir.conf"
- "{{ httpd_vhost_enable_path }}/welcome.conf"
- "{{ httpd_vhost_enable_path }}/ssl.conf"
_httpd_extra_conf_files:
- src: "httpd_ports.conf.j2"
dest: "{{ httpd_vhost_enable_path }}/ports.conf"
owner: "root"
group: "root"
- src: "httpd_mpm.conf.j2"
dest: "{{ httpd_conf_dir }}/conf.modules.d/mpm_{{ httpd_mpm_backend }}.conf"
owner: "root"
group: "root"
_httpd_conf_file: "{{ httpd_conf_dir }}/conf/httpd.conf"
_httpd_security_conf: "{{ httpd_conf_file }}"
_httpd_distro_packages:
- git
- httpd
- "{{ (_httpd_vhosts_with_ssl | length > 0) | ternary('mod_ssl', '') }}"
- sudo

23
zuul.d/project.yaml Normal file
View File

@ -0,0 +1,23 @@
---
# Copyright 2024, Cleura AB.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- project:
templates:
- check-requirements
- openstack-ansible-deploy-infra_lxc-jobs
- openstack-ansible-linters-jobs
- openstack-ansible-molecule
- publish-openstack-docs-pti
- build-release-notes-jobs-python3