From 7573636fb8edd6339d88f823bc4695c51325dc3a Mon Sep 17 00:00:00 2001 
From: Dmitriy Rabotyagov Date: Wed, 25 Dec 2024 12:25:01 +0100 Subject: [PATCH] Initial commit to the role This implements bare minimal functionality for the HTTPD role. It needs to be extended according to specific use-cases with follow-up patches Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/938571 Change-Id: I7c0dd550c82cc11d2edba724b3f3030a41c0d354 --- .gitignore | 69 +++++ CONTRIBUTING.rst | 100 ++++++ LICENSE | 201 ++++++++++++ README.rst | 19 ++ defaults/main.yml | 147 +++++++++ doc/requirements.txt | 16 + doc/source/conf.py | 290 ++++++++++++++++++ doc/source/index.rst | 49 +++ examples/playbook.yml | 6 + handlers/main.yml | 34 ++ meta/main.yml | 23 ++ molecule/default/group_vars/all.yml | 15 + molecule/default/group_vars/httpd.yml | 49 +++ molecule/default/molecule.yml | 37 +++ molecule/default/prepare.yml | 14 + molecule/default/verify.yml | 153 +++++++++ releasenotes/notes/.placeholder | 0 .../httpd_common_role-a955fdfe516386ea.yaml | 11 + releasenotes/source/_static/.placeholder | 0 releasenotes/source/_templates/.placeholder | 0 releasenotes/source/conf.py | 276 +++++++++++++++++ releasenotes/source/index.rst | 5 + requirements.yml | 17 + tasks/httpd_configure_vhosts.yml | 112 +++++++ tasks/httpd_post_install.yml | 82 +++++ tasks/httpd_pre_install.yml | 95 ++++++ tasks/main.yml | 78 +++++ templates/httpd_mpm.conf.j2 | 12 + templates/httpd_ports.conf.j2 | 5 + templates/httpd_vhost.conf.j2 | 57 ++++ tox.ini | 73 +++++ vars/debian.yml | 62 ++++ vars/main.yml | 71 +++++ vars/redhat.yml | 45 +++ zuul.d/project.yaml | 23 ++ 35 files changed, 2246 insertions(+) create mode 100644 .gitignore create mode 100644 CONTRIBUTING.rst create mode 100644 LICENSE create mode 100644 README.rst create mode 100644 defaults/main.yml create mode 100644 doc/requirements.txt create mode 100644 doc/source/conf.py create mode 100644 doc/source/index.rst create mode 100644 examples/playbook.yml create mode 100644 handlers/main.yml create mode 100644 
meta/main.yml
create mode 100644 molecule/default/group_vars/all.yml
create mode 100644 molecule/default/group_vars/httpd.yml
create mode 100644 molecule/default/molecule.yml
create mode 100644 molecule/default/prepare.yml
create mode 100644 molecule/default/verify.yml
create mode 100644 releasenotes/notes/.placeholder
create mode 100644 releasenotes/notes/httpd_common_role-a955fdfe516386ea.yaml
create mode 100644 releasenotes/source/_static/.placeholder
create mode 100644 releasenotes/source/_templates/.placeholder
create mode 100644 releasenotes/source/conf.py
create mode 100644 releasenotes/source/index.rst
create mode 100644 requirements.yml
create mode 100644 tasks/httpd_configure_vhosts.yml
create mode 100644 tasks/httpd_post_install.yml
create mode 100644 tasks/httpd_pre_install.yml
create mode 100644 tasks/main.yml
create mode 100644 templates/httpd_mpm.conf.j2
create mode 100644 templates/httpd_ports.conf.j2
create mode 100644 templates/httpd_vhost.conf.j2
create mode 100644 tox.ini
create mode 100644 vars/debian.yml
create mode 100644 vars/main.yml
create mode 100644 vars/redhat.yml
create mode 100644 zuul.d/project.yaml
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..3a77206
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,69 @@
+# Add patterns in here to exclude files created by tools integrated with this
+# repository, such as test frameworks from the project's recommended workflow,
+# rendered documentation and package builds.
+#
+# Don't add patterns to exclude files created by preferred personal tools
+# (editors, IDEs, your operating system itself even). These should instead be
+# maintained outside the repository, for example in a ~/.gitignore file added
+# with:
+#
+# git config --global core.excludesfile '~/.gitignore'
+
+# Compiled source #
+###################
+*.com
+*.class
+*.dll
+*.exe
+*.o
+*.so
+*.pyc
+build/
+dist/
+doc/build/
+
+# Packages #
+############
+# it's better to unpack these files and commit the raw source
+# git has its own built in compression methods
+*.7z
+*.dmg
+*.gz
+*.iso
+*.jar
+*.rar
+*.tar
+*.zip
+
+# Logs and databases #
+######################
+*.log
+*.sql
+*.sqlite
+logs/*
+
+# OS generated files #
+######################
+._*
+.tox
+*.egg-info
+.eggs
+
+# Generated by pbr while building docs
+######################################
+AUTHORS
+ChangeLog
+
+# Files created by releasenotes build
+releasenotes/build
+
+# Test temp files
+tests/common
+tests/*.retry
+
+# Vagrant artifacts
+.vagrant
+
+# Git clones
+openstack-ansible-ops
+previous
diff --git a/CONTRIBUTING.rst b/CONTRIBUTING.rst
new file mode 100644
index 0000000..2f4c45e
--- /dev/null
+++ b/CONTRIBUTING.rst
@@ -0,0 +1,100 @@
+OpenStack-Ansible HTTPD
+#######################
+tags: ansible, openstack
+:category: \*nix
+
+contributor guidelines
+^^^^^^^^^^^^^^^^^^^^^^
+
+Filing Bugs
+-----------
+
+Bugs should be filed on Launchpad, not GitHub: "https://bugs.launchpad.net
+/openstack-ansible"
+
+
+When submitting a bug, or working on a bug, please ensure the following
+criteria are met:
+ * The description clearly states or describes the original problem or root
+ cause of the problem.
+ * Include historical information on how the problem was identified.
+ * Any relevant logs are included.
+ * The provided information should be totally self-contained. External
+ access to web services/sites should not be needed.
+ * Steps to reproduce the problem if possible.
+
+
+Submitting Code
+---------------
+
+Changes to the project should be submitted for review via the Gerrit tool,
+following the workflow documented at:
+"https://docs.openstack.org/infra/manual/developers.html#development-workflow"
+
+Pull requests submitted through GitHub will be ignored and closed without
+regard.
+
+
+Extra
+-----
+
+Tags: If it's a bug that needs fixing in a branch in addition to Master, add a
+ '\-backport-potential' tag (eg ``juno-backport-potential``).
+ There are predefined tags that will autocomplete.
+
+Status:
+ Please leave this alone, it should be New till someone triages the issue.
+
+Importance:
+ Should only be touched if it is a Blocker/Gating issue. If it is, please
+ set to High, and only use Critical if you have found a bug that can take
+ down whole infrastructures.
+
+
+Style guide
+-----------
+
+When creating tasks and other roles for use in Ansible please create then
+using the YAML dictionary format.
+
+Example YAML dictionary format:
+ .. code-block:: yaml
+
+ - name: The name of the tasks
+ module_name:
+ thing1: "some-stuff"
+ thing2: "some-other-stuff"
+ tags:
+ - some-tag
+ - some-other-tag
+
+
+Example **NOT** in YAML dictionary format:
+ .. code-block:: yaml
+
+ - name: The name of the tasks
+ module_name: thing1="some-stuff" thing2="some-other-stuff"
+ tags:
+ - some-tag
+ - some-other-tag
+
+
+Usage of the ">" and "|" operators should be limited to Ansible conditionals
+and command modules such as the ansible ``shell`` module.
+
+
+Issues
+------
+
+When submitting an issue, or working on an issue please ensure the following
+criteria are met:
+ * The description clearly states or describes the original problem or root
+ cause of the problem.
+ * Include historical information on how the problem was identified.
+ * Any relevant logs are included.
+ * If the issue is a bug that needs fixing in a branch other than Master,
+ add the 'backport potential' tag TO THE ISSUE (not the PR).
+ * The provided information should be totally self-contained. External
+ access to web services/sites should not be needed.
+ * If the issue is needed for a hotfix release, add the 'expedite' label.
+ * Steps to reproduce the problem if possible.
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..980a15a
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "{}"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright {yyyy} {name of copyright owner}
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/README.rst b/README.rst
new file mode 100644
index 0000000..3b4c9d2
--- /dev/null
+++ b/README.rst
@@ -0,0 +1,19 @@
+======================
+Apache Web Server role
+======================
+
+Ansible role to install and manage Apache Web Server (httpd). This role
+is being maintained by OpenStack-Ansible project, though can be used
+as a stand-alone role as well.
+
+Documentation for the project can be found at:
+ https://docs.openstack.org/ansible-role-httpd/latest/
+
+The project source code repository is located at:
+ https://opendev.org/openstack/ansible-role-httpd/
+
+The project home is at:
+ https://launchpad.net/openstack-ansible
+
+The bugs is at:
+ https://bugs.launchpad.net/openstack-ansible
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..60abffa
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,147 @@
+---
+# Copyright 2024, Cleura AB
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+cache_timeout: 300
+
+# Generic configuration
+httpd_conf_dir: "/etc/{{ httpd_system_service_name }}"
+httpd_conf_file: "{{ _httpd_conf_file }}"
+httpd_default_sites: "{{ _httpd_default_sites }}"
+httpd_distro_packages: "{{ _httpd_distro_packages }}"
+httpd_extra_conf_files: "{{ _httpd_extra_conf_files }}"
+
+## List of modules and MPMs to enable/disable is defined only for DEB systems
+httpd_default_modules: "{{ _httpd_default_modules }}"
+httpd_extra_modules: []
+httpd_modules: "{{ httpd_default_modules + httpd_extra_modules }}"
+httpd_mpms: "{{ _httpd_mpms }}"
+
+httpd_package_state: "{{ package_state | default('latest') }}"
+httpd_security_conf: "{{ _httpd_security_conf }}"
+httpd_server_name: "{{ ansible_facts['fqdn'] }}"
+httpd_vhost_enable_path: "{{ _httpd_vhost_enable_path }}"
+
+httpd_service_home_folder: "{{ _httpd_service_home_folder }}"
+httpd_service_user_name: "{{ _httpd_service_user_name }}"
+httpd_service_group_name: "{{ _httpd_service_group_name }}"
+httpd_system_service_name: "{{ _httpd_system_service_name }}"
+
+## vHost defenition example:
+# httpd_vhosts:
+# - address: ""
+# document_root:
+# directories:
+# - path: "/"
+# options: []
+# headers: []
+# locations:
+# - path: "/"
+# options: []
+# options: []
+# port: 80
+# server_name: "{{ inventory_hostname }}"
+# state: present
+# enabled: false
+# ssl:
+# # In case `cert` or `key` is undefined, certificate will be generated.
+# # You can use `san` key to adjust CNs for the generated certificate.
+# # `ca` key is optional and can be ommited.
+# # You can also set ``ssl: false`` to explicitly disable any TLS configuration
+# # for vhost
+# cert: /path/to/vhost.crt
+# key: /path/to/key.crt
+# ca: /path/to/ca.crt
+httpd_vhosts: []
+
+# Logging
+httpd_custom_log_format: '"%h %l %u \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""'
+httpd_log_level: info
+
+# MPM tunables
+httpd_mpm_backend: "{{ openstack_apache_mpm_backend | default('event') }}"
+httpd_mpm_max_conn_child: "{{ openstack_apache_max_conn_child | default(0) }}"
+httpd_mpm_max_requests: "{{ httpd_mpm_server_limit | int * httpd_mpm_thread_child | int }}"
+httpd_mpm_max_spare_threads: "{{ openstack_apache_max_spare_threads | default(75) }}"
+httpd_mpm_min_spare_threads: "{{ openstack_apache_min_spare_threads | default(25) }}"
+httpd_mpm_server_limit: "{{ [[ansible_facts['processor_vcpus'] | default(2) // 2, 1] | max, httpd_mpm_thread_max | int] | min }}"
+httpd_mpm_start_servers: "{{ openstack_apache_start_servers | default(2) }}"
+httpd_mpm_thread_child: "{{ openstack_apache_thread_child | default(25) }}"
+httpd_mpm_thread_limit: "{{ openstack_apache_thread_limit | default(64) }}"
+httpd_mpm_thread_max: "{{ openstack_apache_thread_max | default(16) }}"
+
+# TLS configuration
+httpd_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1') }}"
+## TLS v1.2 and below
+httpd_ssl_cipher_suite_tls12: "{{ ssl_cipher_suite | default('ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1:!AESCCM') }}"
+## TLS v1.3
+httpd_ssl_cipher_suite_tls13: "{{ ssl_cipher_suite_tls13 | default('TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256') }}"
+
+httpd_pki_dir: "{{ openstack_pki_dir | default('/etc/pki') }}"
+httpd_pki_setup_host: "{{ openstack_pki_setup_host | default('localhost') }}"
+
+## Create a certificate authority if one does not already exist
+httpd_pki_create_ca: "{{ openstack_pki_authorities is not defined | bool and httpd_pki_create_certificates }}"
+httpd_pki_regen_ca: ''
+httpd_pki_authorities:
+ - name: "HTTPDRoot"
+ country: "GB"
+ state_or_province_name: "England"
+ organization_name: "Example Corporation"
+ organizational_unit_name: "IT Security"
+ cn: "Apache HTTPD Root CA"
+ provider: selfsigned
+ basic_constraints: "CA:TRUE"
+ key_usage:
+ - digitalSignature
+ - cRLSign
+ - keyCertSign
+ not_after: "+3650d"
+ - name: "HTTPDIntermediate"
+ country: "GB"
+ state_or_province_name: "England"
+ organization_name: "Example Corporation"
+ organizational_unit_name: "IT Security"
+ cn: "Apache HTTPD Intermediate CA"
+ provider: ownca
+ basic_constraints: "CA:TRUE,pathlen:0"
+ key_usage:
+ - digitalSignature
+ - cRLSign
+ - keyCertSign
+ not_after: "+3650d"
+ signed_by: "HTTPDRoot"
+
+# Installation details for certificate authorities
+httpd_pki_install_ca:
+ - name: "HTTPDRoot"
+ condition: "{{ httpd_pki_create_ca }}"
+
+# HTTPD server certificates to generate
+httpd_pki_certs_path: "{{ httpd_pki_dir ~ '/certs/certs/' }}"
+httpd_pki_certificates: "{{ _httpd_pki_generate_certificates_vhosts }}"
+httpd_pki_create_certificates: "{{ httpd_pki_certificates | length > 0 }}"
+httpd_pki_default_san: "{{ openstack_pki_san | default('DNS:' ~ ansible_facts['hostname'] ~ ',DNS:' ~ ansible_facts['fqdn']) }}"
+httpd_pki_keys_path: "{{ httpd_pki_dir ~ '/certs/private/' }}"
+httpd_pki_regen_cert: ''
+
+httpd_pki_intermediate_cert_name: "{{ openstack_pki_service_intermediate_cert_name | default('HTTPDIntermediate') }}"
+httpd_pki_intermediate_cert_path: "{{ httpd_pki_dir ~ '/roots/' ~ httpd_pki_intermediate_cert_name ~ '/certs/' ~ httpd_pki_intermediate_cert_name ~ '.crt' }}"
+
+## Installation details for SSL certificates
+httpd_pki_install_certificates: "{{ _httpd_pki_install_certificates_vhosts }}"
+
+## Destination directories for SSL certificates
+httpd_ssl_certs_dir: /etc/ssl/certs/
+httpd_ssl_keys_dir: /etc/ssl/private/
diff --git a/doc/requirements.txt b/doc/requirements.txt
new file mode 100644
index 0000000..a211e44
--- /dev/null
+++ b/doc/requirements.txt
@@ -0,0 +1,16 @@
+# The order of packages is significant, because pip processes them in the order
+# of appearance. Changing the order has an impact on the overall integration
+# process, which may cause wedges in the gate later.
+
+# WARNING:
+# This file is maintained in the openstack-ansible-tests repository.
+# https://opendev.org/openstack/openstack-ansible-tests/src/branch/master/sync/doc/requirements.txt
+# If you need to modify this file, update the one in the
+# openstack-ansible-tests repository. Once it merges there, the changes will
+# automatically be proposed to all the repositories which use it.
+
+sphinx>=1.8.0,!=2.1.0 # BSD
+sphinxcontrib-svg2pdfconverter>=0.1.0 # BSD
+openstackdocstheme>=1.32.1 # Apache-2.0
+reno>=2.5.0 # Apache-2.0
+doc8>=0.6.0 # Apache-2.0
diff --git a/doc/source/conf.py b/doc/source/conf.py
new file mode 100644
index 0000000..9ad68fa
--- /dev/null
+++ b/doc/source/conf.py
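Review bot: The default `httpd_custom_log_format` in defaults/main.yml has no `%t` field, so access-log entries written with this format carry no request timestamp, which makes them hard to correlate during incident response or log review; Apache's own `combined` format is `%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"`. Unless the vhost template (not in this chunk) adds a timestamp some other way, the default should read `httpd_custom_log_format: '"%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""'`. Separately, the `httpd_vhosts` example comment has two typos, `defenition` and `ommited`, and its `key: /path/to/key.crt` line would be clearer with a `.key` suffix so readers do not mistake the private key for a certificate.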
@@ -0,0 +1,290 @@ +#!/usr/bin/env python3 + +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# This file is execfile()d with the current directory set to its +# containing dir. +# +# Note that not all possible configuration values are present in this +# autogenerated file. +# +# All configuration values have a default; values that are commented out +# serve to show the default. + +# If extensions (or modules to document with autodoc) are in another directory, +# add these directories to sys.path here. If the directory is relative to the +# documentation root, use os.path.abspath to make it absolute, like shown here. +# sys.path.insert(0, os.path.abspath('.')) + +# -- General configuration ------------------------------------------------ + +# If your documentation needs a minimal Sphinx version, state it here. +# needs_sphinx = '1.0' + +# Add any Sphinx extension module names here, as strings. They can be +# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom +# ones. +extensions = [ + 'openstackdocstheme', + 'sphinx.ext.autodoc', +] + +# Add any paths that contain templates here, relative to this directory. +templates_path = ['_templates'] + +# The suffix(es) of source filenames. +# You can specify multiple suffix as a list of string: +# source_suffix = ['.rst', '.md'] +source_suffix = '.rst' + +# The encoding of source files. +# source_encoding = 'utf-8-sig' + +# The master toctree document. 
+master_doc = 'index' + +# General information about the project. +author = 'OpenStack-Ansible Contributors' +category = 'Miscellaneous' +copyright = '2024, OpenStack-Ansible Contributors' +description = 'OpenStack-Ansible deploys OpenStack environments using Ansible.' +project = 'OpenStack-Ansible' +role_name = 'httpd' +target_name = 'ansible-role-httpd' +title = 'OpenStack-Ansible Documentation: ' + role_name + +# openstackdocstheme options +openstackdocs_repo_name = 'openstack/' + target_name +openstackdocs_bug_project = project.lower() +openstackdocs_bug_tag = '' + +# The language for content autogenerated by Sphinx. Refer to documentation +# for a list of supported languages. +# +# This is also used if you do content translation via gettext catalogs. +# Usually you set "language" from the command line for these cases. +language = 'en' + +# There are two options for replacing |today|: either, you set today to some +# non-false value, then it is used: +# today = '' +# Else, today_fmt is used as the format for a strftime call. +# today_fmt = '%B %d, %Y' + +# List of patterns, relative to source directory, that match files and +# directories to ignore when looking for source files. +exclude_patterns = [] + +# The reST default role (used for this markup: `text`) to use for all +# documents. +# default_role = None + +# If true, '()' will be appended to :func: etc. cross-reference text. +# add_function_parentheses = True + +# If true, the current module name will be prepended to all description +# unit titles (such as .. function::). +# add_module_names = True + +# If true, sectionauthor and moduleauthor directives will be shown in the +# output. They are ignored by default. +# show_authors = False + +# The name of the Pygments (syntax highlighting) style to use. +pygments_style = 'native' + +# A list of ignored prefixes for module index sorting. +# modindex_common_prefix = [] + +# If true, keep warnings as "system message" paragraphs in the built documents. 
+# keep_warnings = False + +# If true, `todo` and `todoList` produce output, else they produce nothing. +todo_include_todos = False + + +# -- Options for HTML output ---------------------------------------------- + +# The theme to use for HTML and HTML Help pages. See the documentation for +# a list of builtin themes. +html_theme = 'openstackdocs' + +# Theme options are theme-specific and customize the look and feel of a theme +# further. For a list of options available for each theme, see the +# documentation. +# html_theme_options = {} + +# Add any paths that contain custom themes here, relative to this directory. +# html_theme_path = [] + +# The name for this set of Sphinx documents. If None, it defaults to +# " v documentation". +# html_title = None + +# A shorter title for the navigation bar. Default is the same as html_title. +# html_short_title = None + +# The name of an image file (relative to this directory) to place at the top +# of the sidebar. +# html_logo = None + +# The name of an image file (within the static path) to use as favicon of the +# docs. This file should be a Windows icon file (.ico) being 16x16 or 32x32 +# pixels large. +# html_favicon = None + +# Add any paths that contain custom static files (such as style sheets) here, +# relative to this directory. They are copied after the builtin static files, +# so a file named "default.css" will overwrite the builtin "default.css". +# html_static_path = ['_static'] + +# Add any extra paths that contain custom files (such as robots.txt or +# .htaccess) here, relative to this directory. These files are copied +# directly to the root of the documentation. +# html_extra_path = [] + +# If true, SmartyPants will be used to convert quotes and dashes to +# typographically correct entities. +# html_use_smartypants = True + +# Custom sidebar templates, maps document names to template names. 
+# html_sidebars = {} + +# Additional templates that should be rendered to pages, maps page names to +# template names. +# html_additional_pages = {} + +# If false, no module index is generated. +# html_domain_indices = True + +# If false, no index is generated. +# html_use_index = True + +# If true, the index is split into individual pages for each letter. +# html_split_index = False + +# If true, links to the reST sources are added to the pages. +# html_show_sourcelink = True + +# If true, "Created using Sphinx" is shown in the HTML footer. Default is True. +# html_show_sphinx = True + +# If true, "(C) Copyright ..." is shown in the HTML footer. Default is True. +# html_show_copyright = True + +# If true, an OpenSearch description file will be output, and all pages will +# contain a tag referring to it. The value of this option must be the +# base URL from which the finished HTML is served. +# html_use_opensearch = '' + +# This is the file name suffix for HTML files (e.g. ".xhtml"). +# html_file_suffix = None + +# Language to be used for generating the HTML full-text search index. +# Sphinx supports the following languages: +# 'da', 'de', 'en', 'es', 'fi', 'fr', 'h', 'it', 'ja' +# 'nl', 'no', 'pt', 'ro', 'r', 'sv', 'tr' +# html_search_language = 'en' + +# A dictionary with options for the search language support, empty by default. +# Now only 'ja' uses this config value +# html_search_options = {'type': 'default'} + +# The name of a javascript file (relative to the configuration directory) that +# implements a search results scorer. If empty, the default will be used. +# html_search_scorer = 'scorer.js' + +# Output file base name for HTML help builder. +htmlhelp_basename = target_name + '-docs' + +# -- Options for LaTeX output --------------------------------------------- + +latex_elements = { + # The paper size ('letterpaper' or 'a4paper'). + # 'papersize': 'letterpaper', + + # The font size ('10pt', '11pt' or '12pt'). 
+ # 'pointsize': '10pt', + + # Additional stuff for the LaTeX preamble. + # 'preamble': '', + + # Latex figure (float) alignment + # 'figure_align': 'htbp', +} + +# Grouping the document tree into LaTeX files. List of tuples +# (source start file, target name, title, +# author, documentclass [howto, manual, or own class]). +latex_documents = [ + (master_doc, target_name + '.tex', + title, author, 'manual'), +] + +# The name of an image file (relative to this directory) to place at the top of +# the title page. +# latex_logo = None + +# For "manual" documents, if this is true, then toplevel headings are parts, +# not chapters. +# latex_use_parts = False + +# If true, show page references after internal links. +# latex_show_pagerefs = False + +# If true, show URL addresses after external links. +# latex_show_urls = False + +# Documents to append as an appendix to all manuals. +# latex_appendices = [] + +# If false, no module index is generated. +# latex_domain_indices = True + + +# -- Options for manual page output --------------------------------------- + +# One entry per manual page. List of tuples +# (source start file, name, description, authors, manual section). +man_pages = [ + (master_doc, target_name, + title, [author], 1) +] + +# If true, show URL addresses after external links. +# man_show_urls = False + + +# -- Options for Texinfo output ------------------------------------------- + +# Grouping the document tree into Texinfo files. List of tuples +# (source start file, target name, title, author, +# dir menu entry, description, category) +texinfo_documents = [ + (master_doc, target_name, + title, author, project, + description, category), +] + +# Documents to append as an appendix to all manuals. +# texinfo_appendices = [] + +# If false, no module index is generated. +# texinfo_domain_indices = True + +# How to display URL addresses: 'footnote', 'no', or 'inline'. 
+# texinfo_show_urls = 'footnote'
+
+# If true, do not generate a @detailmenu in the "Top" node's menu.
+# texinfo_no_detailmenu = False
diff --git a/doc/source/index.rst b/doc/source/index.rst
new file mode 100644
index 0000000..180784e
--- /dev/null
+++ b/doc/source/index.rst
@@ -0,0 +1,49 @@
+============================
+OpenStack-Ansible HTTPD role
+============================
+
+This role installs a PKI infrastructure for maintaining a Root CA and
+creating server certificates as required to enable secure communication
+between components in a deployment.
+
+To clone or view the source code for this repository, visit the role repository
+for `pki `_.
+
+Sample configuration
+~~~~~~~~~~~~~~~~~~~~
+
+.. code:: yaml
+
+ httpd_extra_modules:
+ - name: proxy
+ state: present
+
+ httpd_vhosts:
+ - name: test_http
+ address: "127.0.1.1"
+ document_root: /var/www/test
+ directories:
+ - path: "/var/www/cgi-bin"
+ params:
+ - Options Indexes FollowSymLinks MultiViews
+ headers:
+ - Header set X-Content-Type-Options "nosniff"
+ params:
+ - Options +FollowSymLinks
+ port: 80
+ server_name: test_http.test_server
+
+
+Default variables
+~~~~~~~~~~~~~~~~~
+
+.. literalinclude:: ../../defaults/main.yml
+ :language: yaml
+ :start-after: under the License.
+
+
+Example playbook
+~~~~~~~~~~~~~~~~
+
+.. literalinclude:: ../../examples/playbook.yml
+ :language: yaml
diff --git a/examples/playbook.yml b/examples/playbook.yml
new file mode 100644
index 0000000..64dac51
--- /dev/null
+++ b/examples/playbook.yml
@@ -0,0 +1,6 @@
+---
+
+- name: Installing Apache Web Server
+ hosts: httpd
+ roles:
+ - role: "{{ playbook_dir | dirname | basename }}"
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..fdc4e5f
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,34 @@
+---
+# Copyright 2024, Cleura AB
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Restart web server
+ ansible.builtin.service:
+ name: "{{ httpd_system_service_name }}"
+ enabled: true
+ state: "restarted"
+ daemon_reload: "{{ (ansible_facts['service_mgr'] == 'systemd') | ternary('yes', omit) }}"
+ register: _httpd_restart
+
+- name: Reload web server
+ ansible.builtin.service:
+ name: "{{ httpd_system_service_name }}"
+ enabled: true
+ state: "reloaded"
+ daemon_reload: "{{ (ansible_facts['service_mgr'] == 'systemd') | ternary('no', omit) }}"
+ when:
+ - _httpd_restart is not defined or (_httpd_restart is defined and _httpd_restart is skipped)
+ listen:
+ - "httpd cert installed"
+ - "venv changed"
diff --git a/meta/main.yml b/meta/main.yml
new file mode 100644
index 0000000..42e3015
--- /dev/null
+++ b/meta/main.yml
@@ -0,0 +1,23 @@
+---
+galaxy_info:
+ author: OpenStack-Ansible Contributors
+ description: Installation and configuration of Apache Web Server
+ license: Apache2
+ role_name: httpd
+ namespace: openstack
+ min_ansible_version: "2.10"
+ platforms:
+ - name: Debian
+ versions:
+ - bookworm
+ - bullseye
+ - name: Ubuntu
+ versions:
+ - jammy
+ - noble
+ - name: EL
+ versions:
+ - "9"
+ galaxy_tags:
+ - cloud
+ - httpd
diff --git a/molecule/default/group_vars/all.yml b/molecule/default/group_vars/all.yml
new file mode 100644
index 0000000..4eed451
--- /dev/null
+++ b/molecule/default/group_vars/all.yml
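Review bot: The `Reload web server` handler in handlers/main.yml listens on `venv changed`, a topic nothing in an httpd role emits (it reads as a leftover from a service role), and its `when` repeats the definedness test: `_httpd_restart is not defined or (_httpd_restart is defined and _httpd_restart is skipped)` can be written `_httpd_restart is not defined or _httpd_restart is skipped` with the same result. The `daemon_reload: "{{ ... | ternary('no', omit) }}"` on the reload task is a no-op either way, since `no` is the default, so it can go together with the stale listen entry. Note that `Restart web server` has no `listen`, so it is reachable only by name via `notify`; if that is intended a one-line comment saying so would stop the next reader from adding `httpd cert installed` to it and restarting on every certificate rotation.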
@@ -0,0 +1,15 @@
+---
+
+molecule_packages:
+ debian:
+ - ca-certificates
+ - python3-cryptography
+ - gnutls-bin
+ - iproute2
+ redhat:
+ - ca-certificates
+ - python3-cryptography
+ - gnutls-utils
+ - iproute
+ - procps
+ - sudo
diff --git a/molecule/default/group_vars/httpd.yml b/molecule/default/group_vars/httpd.yml
new file mode 100644
index 0000000..9bec8e8
--- /dev/null
+++ b/molecule/default/group_vars/httpd.yml
@@ -0,0 +1,49 @@
+---
+
+httpd_pki_setup_host: "{{ inventory_hostname }}"
+
+httpd_extra_modules:
+ - name: proxy
+ state: present
+
+httpd_vhosts:
+ - name: test_http
+ address: "*"
+ document_root: /var/www/test_http
+ directories:
+ - path: "/var/www/cgi-bin"
+ options:
+ - Options Indexes FollowSymLinks MultiViews
+ headers:
+ - Header set X-Content-Type-Options "nosniff"
+ locations:
+ - path: "/Shibboleth.sso"
+ options:
+ - SetHandler shib
+ options:
+ - Options +FollowSymLinks
+ port: 8080
+ server_name: test_http
+ - name: test_https
+ address: "*"
+ document_root: /var/www/test_https
+ options:
+ - Options +FollowSymLinks
+ port: 8443
+ ssl:
+ san: "{{ httpd_pki_default_san }},DNS:noop.server"
+ server_name: secure_vhost
+ - name: absent_vhost
+ address: "*"
+ document_root: /var/www/absent
+ port: 8081
+ server_name: "absent"
+ state: absent
+ enabled: true
+ - name: disabled_vhost
+ address: "*"
+ document_root: /var/www/disabled
+ port: 8082
+ server_name: "disabled"
+ enabled: false
+ ssl: false
diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml
new file mode 100644
index 0000000..0324353
--- /dev/null
+++ b/molecule/default/molecule.yml
@@ -0,0 +1,37 @@
+---
+dependency:
+ name: galaxy
+ options:
+ requirements-file: requirements.yml
+ force: ${GALAXY_FORCE:-false}
+
+driver:
+ name: docker
+
+platforms:
+ - name: "httpd-${MOLECULE_SCENARIO_NAME}"
+ image: "${DOCKER_REGISTRY:-quay.io/gotmax23}/${DOCKER_IMAGE_TAG:-debian-systemd:bookworm}"
+ command: ${DOCKER_COMMAND:-""}
+ pre_build_image: true
+ privileged: true
+ systemd: true
+ groups:
+ - httpd
+
+provisioner:
+ name: ansible
+ lint:
+ name: ansible-lint
+ playbooks:
+ prepare: prepare.yml
+ converge: ../../examples/playbook.yml
+ verify: verify.yml
+ inventory:
+ links:
+ group_vars: ./group_vars/
+ config_options:
+ defaults:
+ inject_facts_as_vars: false
+
+scenario:
+ name: default
diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml
new file mode 100644
index 0000000..e21e817
--- /dev/null
+++ b/molecule/default/prepare.yml
@@ -0,0 +1,14 @@
+---
+- name: Prepare
+ hosts: all
+ tasks:
+ - name: Update apt cache
+ ansible.builtin.apt:
+ update_cache: true
+ cache_valid_time: 3600
+ when:
+ - ansible_facts['os_family'] | lower == 'debian'
+
+ - name: Install packages
+ ansible.builtin.package:
+ name: "{{ molecule_packages[ansible_facts['os_family'] | lower] }}"
diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml
new file mode 100644
index 0000000..6ff8fc2
--- /dev/null
+++ b/molecule/default/verify.yml
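Review bot: The `lint:` / `name: ansible-lint` block nested under `provisioner` in molecule.yml is the pre-3.0 molecule layout; current molecule presumably ignores it (or rejects it in schema validation), so ansible-lint is not actually wired into this scenario as the file suggests. If linting is meant to run from molecule, the modern form is a top-level `lint: ansible-lint .` command string; if it is run by tox instead, drop the block so the file does not promise something it does not do. A short comment next to `privileged: true` / `systemd: true` stating that both exist only so systemd can manage `httpd` inside the container would also help, since that pair is the one setting here a reader will question.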
@@ -0,0 +1,153 @@
+---
+- name: Testing httpd deployment
+ hosts: httpd
+ vars:
+ _httpd_ctl_binary:
+ debian: apachectl
+ redhat: httpd
+ _httpd_vhost_present_dir:
+ debian: /etc/apache2/sites-available
+ redhat: /etc/httpd/sites-available
+ _httpd_vhost_enable_dir:
+ debian: "/etc/apache2/sites-enabled"
+ redhat: "/etc/httpd/conf.d"
+ _os_family: "{{ ansible_facts['os_family'] | lower }}"
+
+ tasks:
+ - name: Verify Apache configuration syntax
+ ansible.builtin.command: "{{ _httpd_ctl_binary[_os_family] }} -t"
+ changed_when: false
+
+ - name: Fetch list of listened ports
+ community.general.listen_ports_facts:
+
+ - name: Verify that expected ports are listened
+ vars:
+ tcp_ports: "{{ ansible_facts.tcp_listen | map(attribute='port') | list | unique }}"
+ ansible.builtin.assert:
+ that:
+ - "80 not in tcp_ports"
+ - "443 not in tcp_ports"
+ - "8080 in tcp_ports"
+ - "8081 not in tcp_ports"
+ - "8082 not in tcp_ports"
+ - "8443 in tcp_ports"
+
+ - name: Fetch list of loaded modules
+ ansible.builtin.command: "{{ _httpd_ctl_binary[_os_family] }} -D DUMP_MODULES"
+ register: _httpd_modules_results
+ changed_when: false
+
+ - name: Ensure expected modules are present
+ ansible.builtin.assert:
+ that:
+ - _httpd_modules_results.stdout_lines | select("match", "\sproxy_module\s.*") | length > 0
+ - _httpd_modules_results.stdout_lines | select("match", "\sssl_module\s.*") | length > 0
+ - _httpd_modules_results.stdout_lines | select("match", "\smpm_event_module\s.*") | length > 0
+
+ - name: Fetch vhost data
+ ansible.builtin.command: "{{ _httpd_ctl_binary[_os_family] }} -D DUMP_VHOSTS"
+ register: _httpd_vhosts_results
+ changed_when: false
+
+ - name: Ensure ServerName for all vhosts is set correctly
+ ansible.builtin.assert:
+ that:
+ - _httpd_vhosts_results.stdout_lines | select("match", "\*:8080\s*test_http\s.*") | length > 0
+ - _httpd_vhosts_results.stdout_lines | select("match", "\*:8443\s*secure_vhost\s.*") | length > 0
+ - _httpd_vhosts_results.stdout_lines | 
select("match", ".*\shttpd-default\s.*") | length == 0
+
+ - name: Check vhost paths of present vhosts
+ ansible.builtin.stat:
+ path: "{{ item }}"
+ loop:
+ - "{{ _httpd_vhost_present_dir[_os_family] }}/test_http.conf"
+ - "{{ _httpd_vhost_present_dir[_os_family] }}/test_https.conf"
+ - "{{ _httpd_vhost_present_dir[_os_family] }}/absent_vhost.conf"
+ - "{{ _httpd_vhost_present_dir[_os_family] }}/disabled_vhost.conf"
+ register: _vhost_present_conf_files
+
+ - name: Assert presence of vhost files
+ ansible.builtin.assert:
+ that:
+ - (_vhost_present_conf_files.results | selectattr('item', 'eq', _httpd_vhost_present_dir[_os_family] ~ '/test_http.conf') | first).stat.exists
+ - (_vhost_present_conf_files.results | selectattr('item', 'eq', _httpd_vhost_present_dir[_os_family] ~ '/test_https.conf') | first).stat.exists
+ - (_vhost_present_conf_files.results | selectattr('item', 'eq', _httpd_vhost_present_dir[_os_family] ~ '/disabled_vhost.conf') | first).stat.exists
+ - not (_vhost_present_conf_files.results | selectattr('item', 'eq', _httpd_vhost_present_dir[_os_family] ~ '/absent_vhost.conf') | first).stat.exists
+
+ - name: Check vhost paths of enabled vhosts
+ ansible.builtin.stat:
+ path: "{{ item }}"
+ loop:
+ - "{{ _httpd_vhost_enable_dir[_os_family] }}/test_http.conf"
+ - "{{ _httpd_vhost_enable_dir[_os_family] }}/test_https.conf"
+ - "{{ _httpd_vhost_enable_dir[_os_family] }}/absent_vhost.conf"
+ - "{{ _httpd_vhost_enable_dir[_os_family] }}/disabled_vhost.conf"
+ register: _vhost_enable_conf_files
+
+ - name: Assert enablement of vhost files
+ ansible.builtin.assert:
+ that:
+ - (_vhost_enable_conf_files.results | selectattr('item', 'eq', _httpd_vhost_enable_dir[_os_family] ~ '/test_http.conf') | first).stat.exists
+ - (_vhost_enable_conf_files.results | selectattr('item', 'eq', _httpd_vhost_enable_dir[_os_family] ~ '/test_https.conf') | first).stat.exists
+ - not (_vhost_enable_conf_files.results | selectattr('item', 'eq', _httpd_vhost_enable_dir[_os_family] 
~ '/disabled_vhost.conf') | first).stat.exists
+ - not (_vhost_enable_conf_files.results | selectattr('item', 'eq', _httpd_vhost_enable_dir[_os_family] ~ '/absent_vhost.conf') | first).stat.exists
+
+ - name: Place a noop file to serve via Apache
+ ansible.builtin.copy:
+ content: "{{ item.content }}"
+ dest: "{{ item.dest }}"
+ mode: "0644"
+ with_items:
+ - dest: /var/www/test_http/noop.txt
+ content: Hello, test_http!
+ - dest: /var/www/test_https/noop.txt
+ content: Hello, test_https!
+
+ - name: Fetch the noop file from HTTP vhost and ensure content
+ ansible.builtin.uri:
+ url: "http://127.0.0.1:8080/noop.txt"
+ follow_redirects: none
+ method: GET
+ return_content: true
+ register: test_http_noop
+ failed_when: test_http_noop is failed or test_http_noop.content != 'Hello, test_http!'
+
+ - name: Fetch the noop file from HTTPS vhost and ensure content
+ ansible.builtin.uri:
+ url: "https://{{ ansible_facts['fqdn'] }}:8443/noop.txt"
+ follow_redirects: none
+ method: GET
+ return_content: true
+ register: test_https_noop
+ failed_when: test_https_noop is failed or test_https_noop.content != 'Hello, test_https!'
+
+ - name: Check if certificates were generated
+ ansible.builtin.stat:
+ path: "{{ item }}"
+ loop:
+ - "/etc/ssl/certs/httpd_{{ inventory_hostname }}_test_http.pem"
+ - "/etc/ssl/certs/httpd_{{ inventory_hostname }}_test_https.pem"
+ - "/etc/ssl/certs/httpd_{{ inventory_hostname }}_disabled_vhost.pem"
+ register: _vhost_ssl_files
+
+ - name: Assert enablement of vhost files
+ ansible.builtin.assert:
+ that:
+ - not (_vhost_ssl_files.results | selectattr('item', 'eq', '/etc/ssl/certs/httpd_' ~ inventory_hostname ~ '_test_http.pem') | first).stat.exists
+ - (_vhost_ssl_files.results | selectattr('item', 'eq', '/etc/ssl/certs/httpd_' ~ inventory_hostname ~ '_test_https.pem') | first).stat.exists
+ - not (_vhost_ssl_files.results | selectattr('item', 'eq','/etc/ssl/certs/httpd_' ~ inventory_hostname ~ '_disabled_vhost.pem') | first).stat.exists
+
+ - name: Fetch details of generated certificate
+ community.crypto.x509_certificate_info:
+ path: "/etc/ssl/certs/httpd_{{ inventory_hostname }}_test_https.pem"
+ register: test_https_cert
+
+ - name: Verify generated cert details
+ ansible.builtin.assert:
+ that:
+ - test_https_cert['issuer']['commonName'] == 'Apache HTTPD Intermediate CA'
+ - test_https_cert['subject']['commonName'] == inventory_hostname
+ - "'DNS:noop.server' in test_https_cert['subject_alt_name']"
+ - "'DNS:httpd-default' in test_https_cert['subject_alt_name']"
+ - not test_https_cert['expired']
diff --git a/releasenotes/notes/.placeholder b/releasenotes/notes/.placeholder
new file mode 100644
index 0000000..e69de29
diff --git a/releasenotes/notes/httpd_common_role-a955fdfe516386ea.yaml b/releasenotes/notes/httpd_common_role-a955fdfe516386ea.yaml
new file mode 100644
index 0000000..8f0863e
--- /dev/null
+++ b/releasenotes/notes/httpd_common_role-a955fdfe516386ea.yaml
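Review bot: `"'DNS:httpd-default' in test_https_cert['subject_alt_name']"` in the last assert of verify.yml hard-codes the molecule container name (`httpd-${MOLECULE_SCENARIO_NAME}` from molecule.yml) while every other check in the play is derived from facts; `- "('DNS:' ~ ansible_facts['hostname']) in test_https_cert['subject_alt_name']"` keeps the assertion valid when the scenario name or platform changes, and the same literal appears in the DUMP_VHOSTS check (`.*\shttpd-default\s.*`) earlier in the hunk. The stat/assert pair for the `.pem` files is named `Assert enablement of vhost files`, copied from the vhost task above it; it asserts certificate generation, so `Assert presence of generated certificates` would describe it. The HTTPS fetch of `https://{{ ansible_facts['fqdn'] }}:8443/noop.txt` leaves `validate_certs` at its default, which means the test also proves that the generated chain is trusted by the system store via `httpd_pki_install_ca`; that is the most valuable security property checked here, so a comment such as `# validate_certs is intentionally left on: this exercises the installed CA chain` would stop a later `validate_certs: false` from silently removing it.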
@@ -0,0 +1,11 @@
+---
+prelude: >
+ Implemented a standalone role ``httpd`` for Apache Web Server (HTTPD)
+ configuration that aims to be included in various roles that require
+ Apache2 (i.e. keystone, horizon, skyline, etc).
+features:
+ - |
+ Created a common ``httpd`` role to unify approach for managing
+ Apache2 instalaltion and configuration across roles.
+ Role is written in relatively agnostic way and should be suitable
+ for usage outside of OpenStack-Ansible deployments as well.
diff --git a/releasenotes/source/_static/.placeholder b/releasenotes/source/_static/.placeholder
new file mode 100644
index 0000000..e69de29
diff --git a/releasenotes/source/_templates/.placeholder b/releasenotes/source/_templates/.placeholder
new file mode 100644
index 0000000..e69de29
diff --git a/releasenotes/source/conf.py b/releasenotes/source/conf.py
new file mode 100644
index 0000000..f7ba8bb
--- /dev/null
+++ b/releasenotes/source/conf.py
@@ -0,0 +1,276 @@ +#!/usr/bin/env python3 + +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# This file is execfile()d with the current directory set to its +# containing dir. +# +# Note that not all possible configuration values are present in this +# autogenerated file. +# +# All configuration values have a default; values that are commented out +# serve to show the default. + +# If extensions (or modules to document with autodoc) are in another directory, +# add these directories to sys.path here. If the directory is relative to the +# documentation root, use os.path.abspath to make it absolute, like shown here. +# sys.path.insert(0, os.path.abspath('.')) + +# -- General configuration ------------------------------------------------ + +# If your documentation needs a minimal Sphinx version, state it here. +# needs_sphinx = '1.0' + +# Add any Sphinx extension module names here, as strings. They can be +# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom +# ones. +extensions = [ + 'openstackdocstheme', + 'reno.sphinxext', +] + +# Add any paths that contain templates here, relative to this directory. +templates_path = ['_templates'] + +# The suffix of source filenames. +source_suffix = '.rst' + +# The encoding of source files. +# source_encoding = 'utf-8-sig' + +# The master toctree document. +master_doc = 'index' + +# General information about the project. 
+author = 'OpenStack-Ansible Contributors' +category = 'Miscellaneous' +copyright = '2014-2024, OpenStack-Ansible Contributors' +description = 'OpenStack-Ansible deploys OpenStack environments using Ansible.' +project = 'OpenStack-Ansible' +role_name = 'httpd' +target_name = 'ansible-role-' + role_name +title = 'OpenStack-Ansible Release Notes: ' + role_name + 'role' + +# Release notes do not need a version number in the title, they +# cover multiple releases. +# The full version, including alpha/beta/rc tags. +release = '' +# The short X.Y version. +version = '' + +# openstackdocstheme options +openstackdocs_repo_name = 'openstack/' + target_name +openstackdocs_bug_project = project.lower() +openstackdocs_bug_tag = '' + +# The language for content autogenerated by Sphinx. Refer to documentation +# for a list of supported languages. +# language = None + +# There are two options for replacing |today|: either, you set today to some +# non-false value, then it is used: +# today = '' +# Else, today_fmt is used as the format for a strftime call. +# today_fmt = '%B %d, %Y' + +# List of patterns, relative to source directory, that match files and +# directories to ignore when looking for source files. +exclude_patterns = [] + +# The reST default role (used for this markup: `text`) to use for all +# documents. +# default_role = None + +# If true, '()' will be appended to :func: etc. cross-reference text. +# add_function_parentheses = True + +# If true, the current module name will be prepended to all description +# unit titles (such as .. function::). +# add_module_names = True + +# If true, sectionauthor and moduleauthor directives will be shown in the +# output. They are ignored by default. +# show_authors = False + +# The name of the Pygments (syntax highlighting) style to use. +pygments_style = 'native' + +# A list of ignored prefixes for module index sorting. 
+# modindex_common_prefix = [] + +# If true, keep warnings as "system message" paragraphs in the built documents. +# keep_warnings = False + + +# -- Options for HTML output ---------------------------------------------- + +# The theme to use for HTML and HTML Help pages. See the documentation for +# a list of builtin themes. +html_theme = 'openstackdocs' + +# Theme options are theme-specific and customize the look and feel of a theme +# further. For a list of options available for each theme, see the +# documentation. +# html_theme_options = {} + +# Add any paths that contain custom themes here, relative to this directory. +# html_theme_path = [] + +# The name for this set of Sphinx documents. If None, it defaults to +# " v documentation". +# html_title = None + +# A shorter title for the navigation bar. Default is the same as html_title. +# html_short_title = None + +# The name of an image file (relative to this directory) to place at the top +# of the sidebar. +# html_logo = None + +# The name of an image file (within the static path) to use as favicon of the +# docs. This file should be a Windows icon file (.ico) being 16x16 or 32x32 +# pixels large. +# html_favicon = None + +# Add any paths that contain custom static files (such as style sheets) here, +# relative to this directory. They are copied after the builtin static files, +# so a file named "default.css" will overwrite the builtin "default.css". +html_static_path = ['_static'] + +# Add any extra paths that contain custom files (such as robots.txt or +# .htaccess) here, relative to this directory. These files are copied +# directly to the root of the documentation. +# html_extra_path = [] + +# If true, SmartyPants will be used to convert quotes and dashes to +# typographically correct entities. +# html_use_smartypants = True + +# Custom sidebar templates, maps document names to template names. 
+# html_sidebars = {} + +# Additional templates that should be rendered to pages, maps page names to +# template names. +# html_additional_pages = {} + +# If false, no module index is generated. +# html_domain_indices = True + +# If false, no index is generated. +# html_use_index = True + +# If true, the index is split into individual pages for each letter. +# html_split_index = False + +# If true, links to the reST sources are added to the pages. +# html_show_sourcelink = True + +# If true, "Created using Sphinx" is shown in the HTML footer. Default is True. +# html_show_sphinx = True + +# If true, "(C) Copyright ..." is shown in the HTML footer. Default is True. +# html_show_copyright = True + +# If true, an OpenSearch description file will be output, and all pages will +# contain a tag referring to it. The value of this option must be the +# base URL from which the finished HTML is served. +# html_use_opensearch = '' + +# This is the file name suffix for HTML files (e.g. ".xhtml"). +# html_file_suffix = None + +# Output file base name for HTML help builder. +htmlhelp_basename = target_name + '-docs' + + +# -- Options for LaTeX output --------------------------------------------- + +latex_elements = { + # The paper size ('letterpaper' or 'a4paper'). + # 'papersize': 'letterpaper', + + # The font size ('10pt', '11pt' or '12pt'). + # 'pointsize': '10pt', + + # Additional stuff for the LaTeX preamble. + # 'preamble': '', +} + +# Grouping the document tree into LaTeX files. List of tuples +# (source start file, target name, title, +# author, documentclass [howto, manual, or own class]). +latex_documents = [ + (master_doc, target_name + '.tex', + title, author, 'manual'), +] + +# The name of an image file (relative to this directory) to place at the top of +# the title page. +# latex_logo = None + +# For "manual" documents, if this is true, then toplevel headings are parts, +# not chapters. 
+# latex_use_parts = False + +# If true, show page references after internal links. +# latex_show_pagerefs = False + +# If true, show URL addresses after external links. +# latex_show_urls = False + +# Documents to append as an appendix to all manuals. +# latex_appendices = [] + +# If false, no module index is generated. +# latex_domain_indices = True + + +# -- Options for manual page output --------------------------------------- + +# One entry per manual page. List of tuples +# (source start file, name, description, authors, manual section). +man_pages = [ + (master_doc, target_name, + title, [author], 1) +] + +# If true, show URL addresses after external links. +# man_show_urls = False + + +# -- Options for Texinfo output ------------------------------------------- + +# Grouping the document tree into Texinfo files. List of tuples +# (source start file, target name, title, author, +# dir menu entry, description, category) +texinfo_documents = [ + (master_doc, target_name, + title, author, project, + description, category), +] + +# Documents to append as an appendix to all manuals. +# texinfo_appendices = [] + +# If false, no module index is generated. +# texinfo_domain_indices = True + +# How to display URL addresses: 'footnote', 'no', or 'inline'. +# texinfo_show_urls = 'footnote' + +# If true, do not generate a @detailmenu in the "Top" node's menu. +# texinfo_no_detailmenu = False + +# -- Options for Internationalization output ------------------------------ +locale_dirs = ['locale/'] diff --git a/releasenotes/source/index.rst b/releasenotes/source/index.rst new file mode 100644 index 0000000..cd22aab --- /dev/null +++ b/releasenotes/source/index.rst @@ -0,0 +1,5 @@ +============================== + Current Series Release Notes +============================== + +.. release-notes:: diff --git a/requirements.yml b/requirements.yml new file mode 100644 index 0000000..c56621e --- /dev/null +++ b/requirements.yml 
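Review bot: `title = 'OpenStack-Ansible Release Notes: ' + role_name + 'role'` in the "General information" block of releasenotes/source/conf.py renders as `... Release Notes: httpdrole` because the last literal lacks a leading space; `title = 'OpenStack-Ansible Release Notes: ' + role_name + ' role'` is the intended form. In the same block `copyright = '2014-2024, ...'` while doc/source/conf.py in this commit uses `'2024, ...'`; for a role created by this commit the two files should agree. Both values only feed the generated Sphinx pages, so this is cosmetic, but it is the kind of copy-paste that tends to survive for years.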
@@ -0,0 +1,17 @@
+---
+roles:
+ - name: pki
+ version: master
+ scm: git
+ src: https://opendev.org/openstack/ansible-role-pki
+collections:
+ # for the PKI role
+ - name: community.crypto
+ source: https://github.com/ansible-collections/community.crypto
+ type: git
+ version: 2.23.0
+ # for the httpd role
+ - name: community.general
+ source: https://github.com/ansible-collections/community.general
+ type: git
+ version: 10.2.0
\ No newline at end of file
diff --git a/tasks/httpd_configure_vhosts.yml b/tasks/httpd_configure_vhosts.yml
new file mode 100644
index 0000000..7568e3e
--- /dev/null
+++ b/tasks/httpd_configure_vhosts.yml
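Review bot: The `pki` role is fetched from a floating `version: master` branch while both collections are pinned to release tags, so a build of this role is not reproducible and anything pushed to that branch reaches every deployment unreviewed. If tracking `master` is deliberate for the master branch of this repository (as other openstack-ansible repositories do), a one-line comment saying so would help; otherwise pin it, e.g. `version: <release-tag-or-commit>` (placeholder). The file also ends without a trailing newline.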
@@ -0,0 +1,112 @@
+---
+# Copyright 2024, Cleura AB
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Disabling vhosts that are marked as absent or not enabled
+ ansible.builtin.file:
+ path: "{{ httpd_vhost_enable_path }}/{{ vhost['name'] }}.conf"
+ state: absent
+ loop: >-
+ {{
+ httpd_vhosts | selectattr('state', 'defined') | selectattr('state', 'eq', 'absent')
+ + httpd_vhosts | selectattr('enabled', 'defined') | selectattr('enabled', 'false')
+ }}
+ loop_control:
+ loop_var: vhost
+ label: "{{ loop_label | to_json }}"
+ vars:
+ loop_label:
+ vhost: "{{ vhost['name'] }}"
+ notify:
+ - Reload web server
+
+- name: Removing vhost defenitions which are marked as absent
+ ansible.builtin.file:
+ path: "{{ httpd_conf_dir }}/sites-available/{{ vhost['name'] }}.conf"
+ state: absent
+ loop: "{{ httpd_vhosts | selectattr('state', 'defined') | selectattr('state', 'eq', 'absent') }}"
+ loop_control:
+ loop_var: vhost
+ label: "{{ loop_label | to_json }}"
+ vars:
+ loop_label:
+ vhost: "{{ vhost['name'] }}"
+ notify:
+ - Reload web server
+
+- name: Create and install SSL certificates
+ ansible.builtin.include_role:
+ name: pki
+ tasks_from: main_certs.yml
+ apply:
+ tags:
+ - httpd-config
+ - pki
+ vars:
+ pki_setup_host: "{{ httpd_pki_setup_host }}"
+ pki_dir: "{{ httpd_pki_dir }}"
+ pki_create_certificates: "{{ httpd_pki_create_certificates }}"
+ pki_regen_cert: "{{ httpd_pki_regen_cert }}"
+ pki_certificates: "{{ httpd_pki_certificates }}"
+ pki_install_certificates: "{{ httpd_pki_install_certificates }}"
+ pki_handler_cert_installed: "httpd cert installed"
+ when:
+ - httpd_pki_install_certificates | length > 0
+ tags:
+ - httpd-config
+ - pki
+
+- name: Placing vhost files that should be present
+ ansible.builtin.template:
+ src: httpd_vhost.conf.j2
+ dest: "{{ httpd_conf_dir }}/sites-available/{{ vhost['name'] }}.conf"
+ owner: "{{ httpd_service_user_name }}"
+ group: "{{ httpd_service_group_name }}"
+ mode: "0640"
+ loop: >-
+ {{
+ httpd_vhosts | selectattr('state', 'defined') | selectattr('state', 'eq', 'present')
+ + httpd_vhosts | selectattr('state', 'undefined')
+ }}
+ loop_control:
+ loop_var: vhost
+ label: "{{ loop_label | to_json }}"
+ vars:
+ loop_label:
+ vhost: "{{ vhost['name'] }}"
+ notify:
+ - Reload web server
+
+- name: Enable required vhosts
+ ansible.builtin.file:
+ src: "{{ httpd_conf_dir }}/sites-available/{{ vhost['name'] }}.conf"
+ dest: "{{ httpd_vhost_enable_path }}/{{ vhost['name'] }}.conf"
+ state: link
+ loop: >-
+ {{
+ (
+ httpd_vhosts | selectattr('enabled', 'defined') | selectattr('enabled', 'true')
+ + httpd_vhosts | selectattr('enabled', 'undefined')
+ ) | rejectattr('name', 'in', absent_vhosts)
+ }}
+ loop_control:
+ loop_var: vhost
+ label: "{{ loop_label | to_json }}"
+ vars:
+ loop_label:
+ vhost: "{{ vhost['name'] }}"
+ absent_vhosts: >-
+ {{ httpd_vhosts | selectattr('state', 'defined') | selectattr('state', 'eq', 'absent') | map(attribute='name') }}
+ notify:
+ - Reload web server
diff --git a/tasks/httpd_post_install.yml b/tasks/httpd_post_install.yml
new file mode 100644
index 0000000..f12beb6
--- /dev/null
+++ b/tasks/httpd_post_install.yml
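Review bot: In `Placing vhost files that should be present` the rendered vhost files are owned by `httpd_service_user_name`, so the account the worker processes run as can rewrite its own `DocumentRoot`, `Options` and `SSLCertificate*` directives; the `sites-available` directory created in `tasks/httpd_pre_install.yml` has the same owner. Apache reads its configuration as root before dropping privileges (also on graceful reload), so `owner: root` with `group: "{{ httpd_service_group_name }}"` and `mode: "0640"` keeps the files readable without making them writable by the service account. Minor: a vhost carrying both `state: absent` and `enabled: false` appears twice in the first task's loop (idempotent, but noisy), and the task name `Removing vhost defenitions which are marked as absent` has a typo (`definitions`).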
@@ -0,0 +1,82 @@
+---
+# Copyright 2024, Cleura AB
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Ensure apache2 MPM for Debian/Ubuntu
+ community.general.apache2_module:
+ name: "{{ item.name }}"
+ state: "{{ item.state }}"
+ ignore_configcheck: true
+ warn_mpm_absent: false
+ with_items: "{{ httpd_mpms | sort(attribute='state') }}"
+ when:
+ - ansible_facts['pkg_mgr'] == 'apt'
+ notify: Restart web server
+
+- name: Ensure apache2 MPM for EL
+ ansible.builtin.copy:
+ content: |
+ LoadModule mpm_{{ httpd_mpm_backend }}_module modules/mod_mpm_{{ httpd_mpm_backend }}.so
+
+ dest: "{{ httpd_conf_dir }}/conf.modules.d/00-mpm.conf"
+ mode: "0644"
+ when:
+ - ansible_facts['pkg_mgr'] == 'dnf'
+ notify: Restart web server
+
+- name: Enable apache2 modules
+ community.general.apache2_module:
+ name: "{{ item.name }}"
+ state: "{{ item.state }}"
+ ignore_configcheck: true
+ with_items: "{{ httpd_modules }}"
+ when:
+ - ansible_facts['pkg_mgr'] == 'apt'
+ notify: Restart web server
+
+- name: Disable default apache site
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: "absent"
+ with_items: "{{ httpd_default_sites }}"
+ notify: Restart web server
+
+- name: Ensure Apache configuration
+ ansible.builtin.lineinfile:
+ dest: "{{ httpd_conf_file }}"
+ line: "{{ item }}"
+ regexp: "^{{ item | split() | first }}"
+ notify: Restart web server
+ with_items:
+ - "ServerName {{ httpd_server_name }}"
+ - "ErrorLog syslog:daemon"
+ - "LogLevel {{ httpd_log_level }}"
+
+- name: Apply Apache extra configuration
+ ansible.builtin.template:
+ src: "{{ item['src'] }}"
+ dest: "{{ item['dest'] }}"
+ owner: "{{ item['owner'] }}"
+ group: "{{ item['group'] }}"
+ mode: "0644"
+ with_items: "{{ httpd_extra_conf_files }}"
+ notify: Restart web server
+
+- name: Remove Listen from Apache config
+ ansible.builtin.lineinfile:
+ dest: "{{ httpd_security_conf }}"
+ regexp: '^(Listen.*)'
+ backrefs: true
+ line: '#\1'
+ notify: Restart web server
diff --git a/tasks/httpd_pre_install.yml b/tasks/httpd_pre_install.yml
new file mode 100644
index 0000000..fc7fd0b
--- /dev/null
+++ b/tasks/httpd_pre_install.yml
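Review bot: `Ensure apache2 MPM for EL` writes `LoadModule mpm_{{ httpd_mpm_backend }}_module ...` without validating `httpd_mpm_backend`, so a typo produces a `LoadModule` for a module that does not exist and the notified restart fails after the file is already in place; on Debian the `_httpd_mpms` ternaries would disable every MPM for the same input. An assertion next to the vhost checks in `tasks/main.yml`, e.g. `- httpd_mpm_backend in ['event', 'worker', 'prefork']`, catches this before anything is written. Also note that `Remove Listen from Apache config` uses `backrefs: true`, so lineinfile only comments out the last `Listen` line when the file contains several; that is fine for a stock `httpd.conf` but deserves a comment such as `# only the last Listen line is rewritten; ports are set per vhost`.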
@@ -0,0 +1,95 @@
+---
+# Copyright 2024, Cleura AB
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Create the system group
+ ansible.builtin.group:
+ name: "{{ httpd_service_group_name }}"
+ state: "present"
+ system: "yes"
+
+- name: Create the system user
+ ansible.builtin.user:
+ name: "{{ httpd_service_user_name }}"
+ group: "{{ httpd_service_group_name }}"
+ comment: "Apache Web Server user"
+ shell: "/usr/bin/false"
+ system: "yes"
+ createhome: "yes"
+ home: "{{ httpd_service_home_folder }}"
+
+- name: Default and vhosts root directory setup
+ vars:
+ _vhost_document_roots: >-
+ {{
+ (
+ httpd_vhosts | selectattr('state', 'defined') | selectattr('state', 'eq', 'present')
+ + httpd_vhosts | selectattr('state', 'undefined')
+ ) | map(attribute='document_root') | map('community.general.dict_kv', 'path')
+ }}
+ _default_paths:
+ - path: "{{ httpd_conf_dir }}/sites-available"
+ mode: "0750"
+ - path: "{{ httpd_service_home_folder }}"
+ mode: "0750"
+ condition: "{{ ansible_facts['os_family'] | lower == 'debian' }}"
+ ansible.builtin.file:
+ path: "{{ item.path }}"
+ state: "{{ item.state | default('directory') }}"
+ owner: "{{ httpd_service_user_name }}"
+ group: "{{ httpd_service_group_name }}"
+ mode: "{{ item.mode | default('0755') }}"
+ with_items: "{{ _default_paths + _vhost_document_roots }}"
+ when:
+ - item.condition | default(true)
+
+- name: Create SSL CA for self-generated certificates
+ ansible.builtin.include_role:
+ name: pki
+ tasks_from: main_ca.yml
+ apply:
+ tags:
+ - httpd-install
+ - pki
+ vars:
+ pki_setup_host: "{{ httpd_pki_setup_host }}"
+ pki_dir: "{{ httpd_pki_dir }}"
+ pki_create_ca: "{{ httpd_pki_create_ca }}"
+ pki_authorities: "{{ httpd_pki_authorities }}"
+ pki_regen_ca: "{{ httpd_pki_regen_ca }}"
+ when:
+ - httpd_pki_create_ca | bool
+ - httpd_pki_authorities | length > 0
+ tags:
+ - httpd-install
+ - pki
+
+- name: Install SSL CA for self-generated certificates
+ ansible.builtin.include_role:
+ name: pki
+ tasks_from: main_ca_install.yml
+ apply:
+ tags:
+ - httpd-install
+ - pki
+ vars:
+ pki_setup_host: "{{ httpd_pki_setup_host }}"
+ pki_dir: "{{ httpd_pki_dir }}"
+ pki_install_ca: "{{ httpd_pki_install_ca }}"
+ when:
+ - httpd_pki_create_ca | bool
+ - httpd_pki_install_ca | length > 0
+ tags:
+ - httpd-install
+ - pki
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..ede1dd5
--- /dev/null
+++ b/tasks/main.yml
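Review bot: `Default and vhosts root directory setup` creates every vhost `document_root` owned by `httpd_service_user_name` with the default `mode: "0755"`, so content directories are writable by the account the worker processes run as; unless a vhost really needs a writable docroot, `owner: root` is the safer default, or let the vhost entry decide, e.g. `owner: "{{ item.owner | default('root') }}"`, with `_vhost_document_roots` carrying the vhost's own `owner`/`mode` keys through. Minor: `createhome: "yes"` in `Create the system user` is the legacy alias of `create_home`, and the quoted `"yes"` values for `system`/`create_home` can be plain booleans.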
@@ -0,0 +1,78 @@
+---
+# Copyright 2024, Cleura AB
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Ensure that at least one vhost is defined
+ ansible.builtin.assert:
+ that:
+ - httpd_vhosts | length > 0
+ - httpd_vhosts | selectattr('name', 'undefined') | length == 0
+ - httpd_vhosts | selectattr('document_root', 'undefined') | length == 0
+ success_msg: vhosts are defined properly
+ fail_msg: >-
+ At least one vhost must be defined in `httpd_vhosts`.
+ Each vhost must contain at least `name` and `document_root` keys.
+
+- name: Gather variables for each operating system
+ ansible.builtin.include_vars: "{{ lookup('first_found', params) }}"
+ vars:
+ params:
+ files:
+ - "{{ ansible_facts['distribution'] | lower }}-{{ ansible_facts['distribution_version'] | lower }}.yml"
+ - "{{ ansible_facts['distribution'] | lower }}-{{ ansible_facts['distribution_major_version'] | lower }}.yml"
+ - "{{ ansible_facts['os_family'] | lower }}-{{ ansible_facts['distribution_major_version'] | lower }}.yml"
+ - "{{ ansible_facts['distribution'] | lower }}.yml"
+ - "{{ ansible_facts['os_family'] | lower }}-{{ ansible_facts['distribution_version'].split('.')[0] }}.yml"
+ - "{{ ansible_facts['os_family'] | lower }}.yml"
+ paths:
+ - "{{ role_path }}/vars"
+ tags:
+ - always
+
+- name: Importing httpd_pre_install tasks
+ ansible.builtin.import_tasks:
+ file: httpd_pre_install.yml
+ tags:
+ - httpd-install
+
+- name: Install distro packages
+ ansible.builtin.package:
+ name: "{{ httpd_distro_packages | reject('equalto', '') | list }}"
+ state: "{{ httpd_package_state }}"
+ update_cache: "{{ (ansible_facts['pkg_mgr'] == 'apt') | ternary('yes', omit) }}"
+ cache_valid_time: "{{ (ansible_facts['pkg_mgr'] == 'apt') | ternary(cache_timeout, omit) }}"
+ register: install_packages
+ until: install_packages is success
+ retries: 5
+ delay: 5
+ notify:
+ - Restart web server
+ tags:
+ - httpd-install
+
+- name: Importing httpd_post_install tasks
+ ansible.builtin.import_tasks:
+ file: httpd_post_install.yml
+ tags:
+ - httpd-config
+
+- name: Importing httpd_configure_vhosts tasks
+ ansible.builtin.import_tasks:
+ file: httpd_configure_vhosts.yml
+ tags:
+ - httpd-config
+ - httpd-vhosts
+
+- name: Flush handlers
+ ansible.builtin.meta: flush_handlers
diff --git a/templates/httpd_mpm.conf.j2 b/templates/httpd_mpm.conf.j2
new file mode 100644
index 0000000..eae4725
--- /dev/null
+++ b/templates/httpd_mpm.conf.j2
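Review bot: The assertion in `Ensure that at least one vhost is defined` does not check that vhost `name` values are unique or safe to use as file names, yet every later task builds paths such as `sites-available/{{ vhost['name'] }}.conf` from them: two vhosts sharing a name silently overwrite each other, and a name containing `/` writes outside the configuration directory. Two further conditions close this, `- httpd_vhosts | map(attribute='name') | unique | length == httpd_vhosts | length` and `- httpd_vhosts | map(attribute='name') | reject('match', '^[A-Za-z0-9._-]+$') | length == 0`. `Install distro packages` also references `cache_timeout`, which this diff does not show being defined in the role's `defaults/main.yml`; if it is expected from the surrounding openstack-ansible inventory, a `default(...)` or a comment would keep the role usable on its own.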
@@ -0,0 +1,12 @@ +# {{ ansible_managed }} + + + ServerLimit {{ httpd_mpm_server_limit }} + StartServers {{ httpd_mpm_start_servers }} + MinSpareThreads {{ httpd_mpm_min_spare_threads }} + MaxSpareThreads {{ httpd_mpm_max_spare_threads }} + ThreadLimit {{ httpd_mpm_thread_limit }} + ThreadsPerChild {{ httpd_mpm_thread_child }} + MaxRequestWorkers {{ httpd_mpm_max_requests }} + MaxConnectionsPerChild {{ httpd_mpm_max_conn_child }} + diff --git a/templates/httpd_ports.conf.j2 b/templates/httpd_ports.conf.j2 new file mode 100644 index 0000000..720694b --- /dev/null +++ b/templates/httpd_ports.conf.j2 @@ -0,0 +1,5 @@ +# {{ ansible_managed }} + +# Listen commands happen inside the individual VHost files +# This allows for multiple services VHosts to exist without +# overwriting Listen lines. diff --git a/templates/httpd_vhost.conf.j2 b/templates/httpd_vhost.conf.j2 new file mode 100644 index 0000000..b0d6cd2 --- /dev/null +++ b/templates/httpd_vhost.conf.j2 
@@ -0,0 +1,57 @@ +# {{ ansible_managed }} + +Listen {{ vhost['address'] | default('*') }}:{{ vhost['port'] | default(80) }} + + + + ServerName {{ vhost['server_name'] | default(httpd_server_name) }} + LogLevel {{ vhost['log_level'] | default(httpd_log_level) }} + ErrorLog syslog:daemon + CustomLog "|/usr/bin/env logger -p daemon.info -t {{ httpd_system_service_name }}:{{ vhost['name'] }}" {{ vhost['log_format'] | default(httpd_custom_log_format) }} + DocumentRoot {{ vhost['document_root'] }} + +{% for header in vhost['headers'] | default([]) %} + {{ header }} +{% endfor %} + +{% if 'ssl' in vhost and vhost['ssl'] %} +{% set cert_name = ['httpd', inventory_hostname, vhost['name']] | join('_') %} + SSLEngine on + SSLCertificateFile {{ httpd_ssl_certs_dir ~ cert_name }}.pem + SSLCertificateKeyFile {{ httpd_ssl_keys_dir ~ cert_name }}.key +{% if 'ca' in vhost['ssl'] %} + SSLCACertificateFile {{ httpd_ssl_certs_dir ~ cert_name }}-ca.pem +{% endif %} + SSLCompression Off + SSLOptions +StdEnvVars +ExportCertData + SSLProtocol {{ vhost['protocol'] | default(httpd_ssl_protocol) }} + SSLHonorCipherOrder On +{% if httpd_ssl_cipher_suite_tls12 %} + SSLCipherSuite {{ httpd_ssl_cipher_suite_tls12 }} +{% endif %} +{% if httpd_ssl_cipher_suite_tls13 %} + SSLCipherSuite TLSv1.3 {{ httpd_ssl_cipher_suite_tls13 }} +{% endif %} +{% endif %} + +{% for option in vhost['options'] | default([]) %} + {{ option }} +{% endfor %} + +{% for location in vhost['locations'] | default([]) %} + +{% for loc_param in location['options'] %} + {{ loc_param }} +{% endfor %} + +{% endfor %} + +{% for directory in vhost['directories'] | default([]) %} + +{% for dir_param in directory['options'] %} + {{ dir_param }} +{% endfor %} + +{% endfor %} + + diff --git a/tox.ini b/tox.ini new file mode 100644 index 0000000..7ac7762 --- /dev/null +++ b/tox.ini 
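Review bot: In the `{% if 'ca' in vhost['ssl'] %}` branch the CA file is wired to `SSLCACertificateFile`, which sets the trust store for client-certificate verification rather than the chain sent to clients; if the `ca` key is meant to supply the issuing chain, the intermediate belongs in the file handed to `SSLCertificateFile` (mod_ssl 2.4.8+ reads the chain from it), and the separate CA file is only useful together with `SSLVerifyClient`. A one-line comment above the branch stating which of the two `ca` is for, e.g. `{# 'ca' is the client-auth trust store, not the served chain #}`, would prevent misuse. Separately, `vhost['name']` is interpolated into the `CustomLog "|/usr/bin/env logger ..."` pipe, which Apache hands to a shell, so the name should be restricted to a safe character set before it reaches this template. Style: `SSLProtocol` reads `vhost['protocol']` while every other TLS setting lives under `vhost['ssl']`; `vhost['ssl']['protocol']` would be consistent.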
@@ -0,0 +1,73 @@
+[tox]
+minversion = 4.0
+skipsdist = True
+envlist = docs,pdf-docs,releasenotes,molecule
+ignore_basepython_conflict = True
+
+[testenv]
+basepython = python3
+usedevelop = False
+commands =
+ /usr/bin/find . -type f -name "*.pyc" -delete
+passenv =
+ COMMON_TESTS_PATH
+ HOME
+ http_proxy
+ HTTP_PROXY
+ https_proxy
+ HTTPS_PROXY
+ no_proxy
+ NO_PROXY
+ TESTING_BRANCH
+ TESTING_HOME
+ USER
+allowlist_externals =
+ bash
+setenv =
+ PYTHONUNBUFFERED=1
+ ROLE_NAME=pki
+ VIRTUAL_ENV={envdir}
+ WORKING_DIR={toxinidir}
+
+[testenv:docs]
+deps =
+ -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/master}
+ -r{toxinidir}/doc/requirements.txt
+commands=
+ bash -c "rm -rf doc/build"
+ doc8 doc
+ sphinx-build -W -b html doc/source doc/build/html
+
+[testenv:pdf-docs]
+deps = {[testenv:docs]deps}
+allowlist_externals =
+ make
+commands =
+ sphinx-build -W --keep-going -b latex doc/source doc/build/pdf
+ make -C doc/build/pdf
+
+[doc8]
+# Settings for doc8:
+extensions = .rst
+
+[testenv:releasenotes]
+deps = {[testenv:docs]deps}
+commands =
+ sphinx-build -a -E -W -d releasenotes/build/doctrees -b html releasenotes/source releasenotes/build/html
+
+[testenv:molecule]
+# You can use DOCKER_REGISTRY and DOCKER_IMAGE_TAG to switch between
+# tested distros. I.e:
+# DOCKER_IMAGE_TAG=centos-systemd:stream9 tox -e molecule
+deps =
+ -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/master}
+ -rhttps://opendev.org/openstack/openstack-ansible/raw/branch/{env:TEST_BRANCH:master}/test-requirements.txt
+
+commands =
+ molecule test
+
+passenv =
+ {[testenv]passenv}
+ DOCKER_REGISTRY
+ DOCKER_IMAGE_TAG
+ DOCKER_COMMAND
diff --git a/vars/debian.yml b/vars/debian.yml
new file mode 100644
index 0000000..c5a8e04
--- /dev/null
+++ b/vars/debian.yml
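Review bot: `ROLE_NAME=pki` in the `[testenv]` `setenv` block names the wrong role; this repository is the httpd role, so it should read `ROLE_NAME=httpd` (the value looks carried over from the pki role's tox.ini). Nothing in this diff consumes `ROLE_NAME`, so the environments may still pass, but any tooling keyed on it downstream would pick up the pki role's settings.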
@@ -0,0 +1,62 @@
+---
+# Copyright 2024, Cleura AB
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+_httpd_system_service_name: apache2
+_httpd_service_user_name: www-data
+_httpd_service_group_name: www-data
+_httpd_service_home_folder: /var/www
+_httpd_service_home_folder_mode: "0750"
+
+_httpd_vhost_enable_path: "{{ httpd_conf_dir }}/sites-enabled"
+
+_httpd_mpms:
+ - name: "mpm_event"
+ state: "{{ (httpd_mpm_backend == 'event') | ternary('present', 'absent') }}"
+ - name: "mpm_worker"
+ state: "{{ (httpd_mpm_backend == 'worker') | ternary('present', 'absent') }}"
+ - name: "mpm_prefork"
+ state: "{{ (httpd_mpm_backend == 'prefork') | ternary('present', 'absent') }}"
+
+_httpd_default_modules:
+ - name: "ssl"
+ state: "present"
+ - name: "rewrite"
+ state: "present"
+ - name: "headers"
+ state: "present"
+ - name: "deflate"
+ state: "present"
+
+_httpd_default_sites:
+ - "{{ httpd_vhost_enable_path }}/000-default.conf"
+ - "{{ httpd_conf_dir }}/conf-enabled/other-vhosts-access-log.conf"
+
+_httpd_extra_conf_files:
+ - src: "httpd_ports.conf.j2"
+ dest: "{{ httpd_conf_dir }}/ports.conf"
+ owner: "root"
+ group: "root"
+ - src: "httpd_mpm.conf.j2"
+ dest: "{{ httpd_conf_dir }}/mods-available/mpm_{{ httpd_mpm_backend }}.conf"
+ owner: "root"
+ group: "root"
+
+_httpd_conf_file: "{{ httpd_conf_dir }}/apache2.conf"
+_httpd_security_conf: "{{ httpd_conf_dir }}/conf-available/security.conf"
+
+_httpd_distro_packages:
+ - git
+ - apache2
+ - sudo
diff --git a/vars/main.yml b/vars/main.yml
new file mode 100644
index 0000000..5a985af
--- /dev/null
+++ b/vars/main.yml
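Review bot: `_httpd_service_home_folder_mode: "0750"` is defined here but, as far as this diff shows, nothing reads it — `tasks/httpd_pre_install.yml` hard-codes `mode: "0750"` for the `httpd_service_home_folder` entry in `_default_paths` — and `vars/redhat.yml` has no counterpart, so either wire it in there (`mode: "{{ httpd_service_home_folder_mode }}"`, assuming a public variable maps to it) or drop it. `_httpd_distro_packages` also installs `git` and `sudo`, which a web-server role does not obviously need; if they are required by the surrounding deployment, a comment saying why would help, otherwise every host gets two extra packages that widen its footprint.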
@@ -0,0 +1,71 @@
+---
+# Copyright 2024, Cleura AB
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+_httpd_vhosts_with_ssl: "{{ httpd_vhosts | selectattr('ssl', 'defined') | selectattr('ssl') }}"
+
+_httpd_pki_generate_certificates_vhosts: |-
+ {% set certs_to_generate = [] %}
+ {% for vhost in _httpd_vhosts_with_ssl %}
+ {% if not ('cert' in vhost['ssl'] and 'key' in vhost['ssl']) %}
+ {% set _ = certs_to_generate.append({
+ 'name': ['httpd', inventory_hostname, vhost['name']] | join('_'),
+ 'provider': 'ownca',
+ 'cn': inventory_hostname,
+ 'san': vhost['ssl']['san'] | default(httpd_pki_default_san),
+ 'signed_by': httpd_pki_intermediate_cert_name,
+ })
+ %}
+ {% endif %}
+ {% endfor %}
+ {{ certs_to_generate }}
+
+_httpd_pki_install_certificates_vhosts: |-
+ {% set certs_to_install = [] %}
+ {% for vhost in _httpd_vhosts_with_ssl %}
+ {% set cert_name = ['httpd', inventory_hostname, vhost['name']] | join('_') %}
+ {% if not ('cert' in vhost['ssl'] and 'key' in vhost['ssl']) %}
+ {% set _ = vhost['ssl'].update({
+ 'cert': httpd_pki_certs_path ~ cert_name ~ '-chain.crt',
+ 'key': httpd_pki_keys_path ~ cert_name ~ '.key.pem'
+ })
+ %}
+ {% endif %}
+ {% set _ = certs_to_install.append({
+ 'src': vhost['ssl']['cert'],
+ 'dest': httpd_ssl_certs_dir ~ cert_name ~ '.pem',
+ 'owner': httpd_service_user_name,
+ 'group': httpd_service_group_name,
+ 'mode': '0640'
+ })
+ %}
+ {% set _ = certs_to_install.append({
+ 'src': vhost['ssl']['key'],
+ 'dest': httpd_ssl_keys_dir ~ cert_name ~ '.key',
+ 'owner': httpd_service_user_name,
+ 'group': httpd_service_group_name,
+ 'mode': '0600'
+ })
+ %}
+ {% set _ = certs_to_install.append({
+ 'src': vhost['ssl'].get('ca'),
+ 'dest': httpd_ssl_certs_dir ~ cert_name ~ '-ca.pem',
+ 'owner': httpd_service_user_name,
+ 'group': httpd_service_group_name,
+ 'mode': '0644',
+ 'condition': 'ca' in vhost['ssl']
+ })
+ %}
+ {% endfor %}
+ {{ certs_to_install }}
diff --git a/vars/redhat.yml b/vars/redhat.yml
new file mode 100644
index 0000000..cb94d84
--- /dev/null
+++ b/vars/redhat.yml
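Review bot: The private-key entry in `_httpd_pki_install_certificates_vhosts` is installed with `'owner': httpd_service_user_name` and `'mode': '0600'`, which makes the key readable by the unprivileged worker account; Apache loads certificates and keys as root before dropping privileges (also on graceful reload), so `'owner': 'root'` with `'group': 'root'` keeps a compromised worker from reading it, and the same root ownership is fine for the `.pem` and `-ca.pem` entries. Separately, `'cert' in vhost['ssl']` and the `.update()` call assume `ssl` is a mapping, while `_httpd_vhosts_with_ssl` only filters on truthiness, so `ssl: true` would fail at render time; if the boolean form is meant to be accepted, guard with `vhost['ssl'] is mapping`, otherwise document that `ssl` must be a dict. The `.update()` also mutates the inventory's vhost entry as a side effect of evaluating a var, which works but is surprising enough to deserve a comment such as `{# fills in cert/key paths for generated certs so the vhost template can use them #}`.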
@@ -0,0 +1,45 @@
+---
+# Copyright 2024, Cleura AB
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+_httpd_system_service_name: httpd
+_httpd_service_user_name: apache
+_httpd_service_group_name: apache
+_httpd_service_home_folder: /usr/share/httpd
+
+_httpd_vhost_enable_path: "{{ httpd_conf_dir }}/conf.d"
+
+_httpd_default_sites:
+ - "{{ httpd_vhost_enable_path }}/userdir.conf"
+ - "{{ httpd_vhost_enable_path }}/welcome.conf"
+ - "{{ httpd_vhost_enable_path }}/ssl.conf"
+
+_httpd_extra_conf_files:
+ - src: "httpd_ports.conf.j2"
+ dest: "{{ httpd_vhost_enable_path }}/ports.conf"
+ owner: "root"
+ group: "root"
+ - src: "httpd_mpm.conf.j2"
+ dest: "{{ httpd_conf_dir }}/conf.modules.d/mpm_{{ httpd_mpm_backend }}.conf"
+ owner: "root"
+ group: "root"
+
+_httpd_conf_file: "{{ httpd_conf_dir }}/conf/httpd.conf"
+_httpd_security_conf: "{{ httpd_conf_file }}"
+
+_httpd_distro_packages:
+ - git
+ - httpd
+ - "{{ (_httpd_vhosts_with_ssl | length > 0) | ternary('mod_ssl', '') }}"
+ - sudo
diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml
new file mode 100644
index 0000000..26ffef2
--- /dev/null
+++ b/zuul.d/project.yaml
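Review bot: On EL hosts the vhost `document_root` directories are created by plain `ansible.builtin.file` calls in `tasks/httpd_pre_install.yml` and nothing in this diff sets an SELinux context, so with SELinux enforcing a docroot outside the default `/var/www` labelling is unreadable by httpd; either add `setype: httpd_sys_content_t` to those entries (the `file` module supports it) or state in the docs that deployers must label docroots themselves. Also `_httpd_service_home_folder_mode`, defined in `vars/debian.yml`, has no counterpart here, so any future reference to `httpd_service_home_folder_mode` would fail on EL; adding the same key keeps the two vars files in parity.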
@@ -0,0 +1,23 @@
+---
+# Copyright 2024, Cleura AB.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- project:
+ templates:
+ - check-requirements
+ - openstack-ansible-deploy-infra_lxc-jobs
+ - openstack-ansible-linters-jobs
+ - openstack-ansible-molecule
+ - publish-openstack-docs-pti
+ - build-release-notes-jobs-python3