init

2026-03-14 05:38:45 +01:00 · 2026-03-14 05:38:45 +01:00 · 883f31932e
commit 883f31932e
169 changed files with 5676 additions and 0 deletions
--- a/ansible/roles/apache/defaults/main.yml
+++ b/ansible/roles/apache/defaults/main.yml
@ -0,0 +1,5 @@
+---
+ssl_cert_tiararodney: /etc/letsencrypt/live/tiararodney.com/fullchain.pem
+ssl_key_tiararodney: /etc/letsencrypt/live/tiararodney.com/privkey.pem
+ssl_cert_administratrix: /etc/letsencrypt/live/administratrix.io/fullchain.pem
+ssl_key_administratrix: /etc/letsencrypt/live/administratrix.io/privkey.pem
--- a/ansible/roles/apache/handlers/main.yml
+++ b/ansible/roles/apache/handlers/main.yml
@ -0,0 +1,6 @@
+---
+-
+    name: reload apache
+    service:
+        name: "{{ apache_service }}"
+        state: reloaded
--- a/ansible/roles/apache/meta/main.yml
+++ b/ansible/roles/apache/meta/main.yml
@ -0,0 +1,2 @@
+---
+dependencies: []
--- a/ansible/roles/apache/tasks/deploy-reverse-proxy.yml
+++ b/ansible/roles/apache/tasks/deploy-reverse-proxy.yml
@ -0,0 +1,18 @@
+---
+-
+    name: Ensure Apache is installed
+    include_tasks: main.yml
+
+-
+    name: "Deploy {{ vhost_name }} reverse proxy vhost"
+    template:
+        src: reverse-proxy-vhost.conf.j2
+        dest: "{{ apache_sites_available }}/{{ vhost_name }}.conf"
+    notify: reload apache
+
+-
+    name: "Enable {{ vhost_name }} site"
+    command: "{{ apache_enable_site_cmd }} {{ vhost_name }}"
+    args:
+        creates: "{{ apache_sites_enabled }}/{{ vhost_name }}.conf"
+    notify: reload apache
--- a/ansible/roles/apache/tasks/deploy-static-site.yml
+++ b/ansible/roles/apache/tasks/deploy-static-site.yml
@ -0,0 +1,27 @@
+---
+-
+    name: Ensure Apache is installed
+    include_tasks: main.yml
+
+-
+    name: Ensure document root exists
+    file:
+        path: "{{ document_root }}"
+        state: directory
+        owner: www-data
+        group: www-data
+        mode: "0755"
+
+-
+    name: Deploy vhost configuration
+    template:
+        src: static-site-vhost.conf.j2
+        dest: "{{ apache_sites_available }}/{{ name }}.conf"
+    notify: reload apache
+
+-
+    name: Enable site
+    command: "{{ apache_enable_site_cmd }} {{ name }}"
+    args:
+        creates: "{{ apache_sites_enabled }}/{{ name }}.conf"
+    notify: reload apache
--- a/ansible/roles/apache/tasks/install-apache.yml
+++ b/ansible/roles/apache/tasks/install-apache.yml
@ -0,0 +1,83 @@
+---
+-
+    name: Ensure letsencrypt directory exists
+    file:
+        path: /etc/letsencrypt
+        state: directory
+        mode: "0700"
+
+-
+    name: Deploy SSL certificates
+    unarchive:
+        src: "{{ letsencrypt_archive }}"
+        dest: /etc/letsencrypt/
+    when: letsencrypt_archive is defined
+    notify: reload apache
+
+-
+    name: Ensure SSL private keys are readable by containers
+    shell: find /etc/letsencrypt -name 'privkey*.pem' -exec chmod 644 {} +
+    changed_when: false
+    when: letsencrypt_archive is defined
+
+-
+    name: Install Apache
+    apt:
+        name: "{{ apache_package }}"
+        state: present
+        update_cache: yes
+
+-
+    name: Enable Apache modules
+    community.general.apache2_module:
+        name: "{{ item }}"
+        state: present
+    loop:
+        - proxy
+        - proxy_http
+        - proxy_wstunnel
+        - ssl
+        - rewrite
+        - headers
+        - auth_basic
+        - autoindex
+    notify: reload apache
+
+-
+    name: Disable default site
+    command: "{{ apache_disable_site_cmd }} 000-default"
+    args:
+        removes: "{{ apache_sites_enabled }}/000-default.conf"
+    notify: reload apache
+
+-
+    name: Ensure tiararodney.com document root exists
+    file:
+        path: /var/www/tiararodney.com
+        state: directory
+        mode: "0755"
+
+-
+    name: Deploy tiararodney.com vhost
+    template:
+        src: 000-default-redirect.conf.j2
+        dest: "{{ apache_sites_available }}/000-default-redirect.conf"
+    notify: reload apache
+
+-
+    name: Enable tiararodney.com redirect vhost
+    command: "{{ apache_enable_site_cmd }} 000-default-redirect"
+    args:
+        creates: "{{ apache_sites_enabled }}/000-default-redirect.conf"
+    notify: reload apache
+
+-
+    name: Ensure Apache is started and enabled
+    service:
+        name: "{{ apache_service }}"
+        state: started
+        enabled: yes
+
+-
+    name: Ensure Apache is reloaded with current config
+    meta: flush_handlers
--- a/ansible/roles/apache/tasks/main.yml
+++ b/ansible/roles/apache/tasks/main.yml
@ -0,0 +1,8 @@
+---
+-
+    name: Load OS-specific variables
+    ansible.builtin.include_vars: "{{ ansible_os_family }}.yml"
+
+-
+    name: Install and configure Apache
+    ansible.builtin.include_tasks: install-apache.yml
--- a/ansible/roles/apache/templates/000-default-redirect.conf.j2
+++ b/ansible/roles/apache/templates/000-default-redirect.conf.j2
@ -0,0 +1,18 @@
+<VirtualHost *:80>
+    ServerName tiararodney.com
+    Redirect permanent / https://tiararodney.com/
+</VirtualHost>
+
+<VirtualHost *:443>
+    ServerName tiararodney.com
+    SSLEngine on
+    SSLCertificateFile {{ ssl_cert_tiararodney }}
+    SSLCertificateKeyFile {{ ssl_key_tiararodney }}
+
+    DocumentRoot /var/www/tiararodney.com
+    <Directory /var/www/tiararodney.com>
+        Options FollowSymLinks
+        AllowOverride None
+        Require all granted
+    </Directory>
+</VirtualHost>
--- a/ansible/roles/apache/templates/reverse-proxy-vhost.conf.j2
+++ b/ansible/roles/apache/templates/reverse-proxy-vhost.conf.j2
@ -0,0 +1,31 @@
+<VirtualHost *:80>
+    ServerName {{ server_name }}
+    Redirect permanent / https://{{ server_name }}/
+</VirtualHost>
+
+<VirtualHost *:443>
+    ServerName {{ server_name }}
+    SSLEngine on
+    SSLCertificateFile {{ ssl_cert }}
+    SSLCertificateKeyFile {{ ssl_key }}
+
+{% for loc in restricted_locations | default([]) %}
+    <Location {{ loc.path }}>
+{% for ip in loc.allowed_ips %}
+        Require ip {{ ip }}
+{% endfor %}
+    </Location>
+{% endfor %}
+
+    ProxyPreserveHost on
+    RequestHeader set X-Forwarded-Proto "https"
+    RequestHeader set X-Forwarded-Ssl "on"
+{% if websocket | default(false) %}
+    RewriteEngine on
+    RewriteCond %{HTTP:Upgrade} websocket [NC]
+    RewriteCond %{HTTP:Connection} upgrade [NC]
+    RewriteRule ^/(.*) ws://{{ backend_host | default('127.0.0.1') }}:{{ backend_port }}/$1 [P,L]
+{% endif %}
+    ProxyPass / http://{{ backend_host | default('127.0.0.1') }}:{{ backend_port }}/
+    ProxyPassReverse / http://{{ backend_host | default('127.0.0.1') }}:{{ backend_port }}/
+</VirtualHost>
--- a/ansible/roles/apache/templates/static-site-vhost.conf.j2
+++ b/ansible/roles/apache/templates/static-site-vhost.conf.j2
@ -0,0 +1,21 @@
+<VirtualHost *:80>
+    ServerName {{ server_name }}
+    Redirect permanent / https://{{ server_name }}/
+</VirtualHost>
+
+<VirtualHost *:443>
+    ServerName {{ server_name }}
+    SSLEngine on
+    SSLCertificateFile {{ ssl_cert }}
+    SSLCertificateKeyFile {{ ssl_key }}
+
+    DocumentRoot {{ document_root }}
+    <Directory {{ document_root }}>
+        Options Indexes FollowSymLinks
+        AllowOverride None
+        Require all granted
+    </Directory>
+{% if directory_index is defined %}
+    DirectoryIndex {{ directory_index }}
+{% endif %}
+</VirtualHost>
--- a/ansible/roles/apache/vars/Debian.yml
+++ b/ansible/roles/apache/vars/Debian.yml
@ -0,0 +1,7 @@
+---
+apache_package: apache2
+apache_service: apache2
+apache_sites_available: /etc/apache2/sites-available
+apache_sites_enabled: /etc/apache2/sites-enabled
+apache_enable_site_cmd: a2ensite
+apache_disable_site_cmd: a2dissite