-
Notifications
You must be signed in to change notification settings - Fork 7
/
main.yml
419 lines (377 loc) · 16.9 KB
/
main.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
# Default Variables for httpd role
# Should iptables be open by default ?
httpd_public: True
# Should openssl/mod_ssl be installed by default
httpd_tls: False
# If using TLS, which are the protocols/ciphers we can to apply
httpd_tls_ciphers: |
# https://ssl-config.mozilla.org/#server=apache&version=2.4.6&config=intermediate&openssl=1.0.2k&guideline=5.6
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
SSLHonorCipherOrder off
# Central LetsEncrypt node for the cerbot redirection
httpd_redirect_acmechallenge: True
httpd_certbot_fqdn: certbot.domain.com
# Which apache/http MPM (Multi-processing Module) should we load
# mpm_prefork: http://httpd.apache.org/docs/2.4/mod/prefork.html
# mpm_worker: http://httpd.apache.org/docs/2.4/mod/worker.html
# mpm_event: http://httpd.apache.org/docs/2.4/mod/event.html
# Can be overwritten per host/group vars
# logic is to use set_fact to define a default one if nothing is defined through inventory
# and reuse operating system/RHEL default value
# Apache httpd settings (see https://httpd.apache.org/docs/current/mod/mpm_common.html)
httpd_maxrequestworkers: 512
# Apache servertokens (https://httpd.apache.org/docs/2.4/mod/core.html#servertokens)
# can be Prod, Full, Major, Minor, Min OS
httpd_servertokens: Prod
# logrotate settings
# Keeping 4 weeks (default) but can be adjusted
httpd_logrotate_keep: 4
# snippet that can be injected into 01_common.conf
httpd_common_snippet: |
# This is a snippet block coming from ansible inventory
# Page information
httpd_html_autoindex_title: "CentOS"
httpd_html_autoindex_content: ""
# Some settings for included apache httpd modules
# These will be configured system-wide/global and not per vhost
httpd_mod_qos: False
# If we have it to True, we can just inject snippet for mod_qos
# See http://mod-qos.sourceforge.net/ for possible settings
httpd_mod_qos_snippet: |
QS_Status on
QS_MaxClients 500
QS_ClientEntries 100000
QS_SrvMaxConn 10000
QS_SrvMaxConnClose 60%
QS_SrvMaxConnPerIP 20
QS_ClientEventBlockCount 20 600
QS_SetEnvIfStatus QS_SrvMaxConnPerIP QS_Block
QS_SetEnvIfStatus BrokenConnection QS_Block
QS_SetEnvIfStatus NullConnection QS_Block
# Zabbix monitoring
httpd_zabbix_templates:
- Template CentOS http server
httpd_zabbix_groups:
- CentOS HTTP servers
httpd_tls_zabbix_templates:
- Template CentOS - https SSL Cert Check External
httpd_tls_zabbix_groups:
- CentOS HTTPS servers
# For reposnap task
reposnap_local_dir: /srv/reposnap
reposnap_rsync_from: msync.centos.org::centos/
# For SCL php task
scl_php_ver: 73
# For docs-infra task, used to render docs.infra.centos.org content
httpd_docs_infra_user: centos
httpd_docs_infra_rootdir: /var/www/docs.infra
httpd_docs_infra_hostname: docs.infra.centos.org
# For SIG docs task, used to render sig.centos.org/<name> content
httpd_docs_sigs_user: centos
httpd_docs_sigs_rootdir: /var/www/sigs
httpd_docs_sigs_hostname: sigs.centos.org
# the following list contains SIGS name, upstream git origin for where to find the doc to render it through mkdocs podman container
# example
# httpd_docs_sigs_list:
# - name: infra
# doc_git_origin: https://git.centos.org/centos/centos-infra-docs.git
# description: the CentOS Infra SIG documentation
httpd_docs_sigs_list: []
# For www task
httpd_www_rootdir: /var/www/centos_website
httpd_www_hostname: www.centos.org
httpd_www_aliases:
- centos.org
httpd_www_push_users:
- login_name: wwwpush
ssh_pub_keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDRL1TUUwizrKopU5AOvJR6jCBAIA41Jr5nAZBZT3gQQAzEETgxeDJXGfiG9vZnfNMZuVoiomgxl+u8HaiyKV8CiXOiE/Afj+6qsdmbUlAkOCs+rAHoFiaSmkKP8gC7yMeBAO22FRDH/P+OAHOwFxvcaeOKb86xHPlRePOMABRWZBpdUNYUOE2ZD6jn2ywnhxAr2BLOmFKbIJsMirvQS3v4qbjyzmcyje4qnw9Ypen79VGz/FukEc8tJKhrD5dvncNEcdA0WJ/4fjHv30fpeAkil3ChSkH5u0d8DESoBba21f6SySYlAwJmZVUM3Orb4hgMkP+JXIvL/UcZMyC7pEmFwMGXcsQigInwLj3RMZ6CKbZ6VTtcYEGZ4h7uD8YJNwGsdDcWYFOnyIZmsY1KrQ4oIBv3WBo29VcdzoyZaatnieQFa5mc+mO7WWdGHp/rd1r0OdhjbgbgjViTGaiVN+YDXWth7GBgvEVQrWZRmYGOmbKyJQgv25lFpQvRLw5WSPP3uEoXVLk3KpoPUckMd2i5N8HutaF16psP0MaAx3NxoRFPHI/+ko5LY3pNcIQtAwmIRbmvdit7KZkF3SBwxZ5bET/XdlviOkT9HtGDhNoEZ6ESIK4RyLIlHbXsDWFu2nkGNlTcv4EJxFHrsoaPW323sdsjhSgeB8Ip0587Tp5imQ==
# www staging task where website is rendered
httpd_www_local_users:
- name: centos
branch: main
- name: centos_staging
branch: staging
httpd_www_git_upstream: https://git.centos.org/centos/centos.org.git
# Servers we need to push content to
httpd_www_servers: "web1.test.centos.org web2.test.centos.org"
httpd_stg_zabbix_templates:
- Template CentOS website render
httpd_www_snippet: |
# This is a snippet block coming from ansible inventory
# For internal-mirrorlist task
# FQDN of internal mirror we want to redirect yum/dnf clients to
httpd_mirrorlist_internal_url: mirror.centos.org
# For vhost-people task
httpd_people_hostname: people.centos.org
# ===============================================================================
# httpd_people_dirname - Set people entry point.
#
# This is the absolute path to the directory where people index.html will be
# stored in. This is where the list of users is presented.
# ===============================================================================
httpd_people_dirname: "/var/www/people"
# ===============================================================================
# httpd_common_alias - Set http alias to common http resources
#
# This is the location that will be used in the ErrorDocument directive to
# refer CentOS customized 404 page. Also, it will be used to refer customized
# autoindex header and footer files necessary on both people and services
# specific sites.
# ===============================================================================
httpd_common_alias: "/common"
# ==============================================================================
# httpd_common_directory - Set directory path to common http resources
#
# Common resources include files like 404.html, and autoindex pages specific to
# people and services.
# ==============================================================================
httpd_common_directory: "/var/www/common"
# ===============================================================================
# httpd_common_assets - Set assets url (without trailing slash).
#
# Here is were css, images and js files will be retrieved from. This is
# normally "https://www.centos.org" in production, "https://www.stg.centos.org"
# in staging and "https://www.dev.centos.org" in development. When we change
# the main site design, all other sites based on it will be changed as well and
# it won't be necessary to maintain separated files. In order for this to work,
# origin domains must be specified in httpd_www_cors option.
#
# This variable should be defined in a high scope location (e.g., under
# `group_vars/all.yml`, or `group_vars/webistes.yml`) so all website-related
# playbooks you run can take advantage of it reducing the number of places you
# need to change.
# ===============================================================================
httpd_common_assets: "https://{{ httpd_www_hostname }}"
# ===============================================================================
# httpd_common_navbar - Set website navigation bar.
#
# The navigation bar is visible on the very top of each CentOS website, where
# the CentOS logo and the top-level-always-visible links are placed. The navbar
# can contain both links and menu of links so you can group them. Menus by
# default are hidden and are visible when the user clicks the item that has the
# arrow pointing down on right side.
#
# The navigation bar the httpd_common_navbar variable defines is re-used in
# different website templates. For consistency, it must match the content the
# `_data/base/navbar.yml` file provides in www.centos.org site.
#
# This variable should be defined in a high scope location (e.g., under
# `group_vars/all.yml`, or `group_vars/webistes.yml`) so all website-related
# playbooks you run can take advantage of it reducing the number of places you
# need to change.
#
# When you define a link inside the navbar, use `httpd_common_assets` variable
# as much as possible to keep navigability among different environments (e.g.,
# www.dev.centos.org and www.centos.org).
#
# Related resources:
# - https://centos.gitlab.io/artwork/centos-web/jekyll-theme-centos-base/documentation/page-layout/navbar/
# ===============================================================================
httpd_common_navbar:
- name: "Download"
icon: "fas fa-download"
link: "{{ httpd_common_assets }}/download"
menu: []
visible_on: ["navbar"]
- name: "About"
icon: "fas fa-info-circle"
link: "#"
menu:
- name: "About CentOS"
link: "{{ httpd_common_assets }}/about"
- name: "Special Interest Groups (SIGs)"
link: "{{ httpd_common_assets }}/sigs"
- name: "Governance"
link: "{{ httpd_common_assets }}/about/governance"
- name: "Code of Conduct"
link: "{{ httpd_common_assets }}/code-of-conduct"
- name: "Sponsors"
link: "{{ httpd_common_assets }}/sponsors"
visible_on: ["navbar"]
# ===============================================================================
# httpd_common_social - List of links to social networks.
#
# This variable should be defined in a high scope location (e.g., under
# `group_vars/all.yml`, or `group_vars/webistes.yml`) so all website-related
# playbooks you run can take advantage of it reducing the number of places you
# need to change.
#
# Related resources:
# - https://centos.gitlab.io/artwork/centos-web/jekyll-theme-centos-base/documentation/page-layout/social/
# ===============================================================================
httpd_common_social:
- name: YouTube
icon: "fab fa-youtube"
link: "https://youtube.com/TheCentOSProject"
- name: Mastodon
icon: "fab fa-mastodon"
link: "https://fosstodon.org/@centos"
- name: Facebook
icon: "fab fa-facebook-f"
link: "https://www.facebook.com/CentOSProject"
- name: LinkedIn
icon: "fab fa-linkedin"
link: "https://www.linkedin.com/company/centos-project/"
- name: x
icon: "fab fa-x-twitter"
link: "https://x.com/centos"
- name: Discourse
icon: "fab fa-discourse"
link: "https://discussion.fedoraproject.org/c/neighbors/centos/"
- name: Reddit
icon: "fab fa-reddit"
link: "https://www.reddit.com/r/CentOS/"
# ===============================================================================
# httpd_common_copyright - Set copyright sentence and related links.
#
# This variable should be defined in a high scope location (e.g., under
# `group_vars/all.yml`, or `group_vars/webistes.yml`) so all website-related
# playbooks you run can take advantage of it reducing the number of places you
# need to change.
#
# Related resources:
# - https://centos.gitlab.io/artwork/centos-web/jekyll-theme-centos-base/documentation/page-layout/copyright-note/
# ===============================================================================
httpd_common_copyright:
author: "The CentOS Project"
year: "{{ ansible_facts.date_time.year }}"
legals:
- text: "Legal"
link: "{{ httpd_common_assets }}/legal"
- text: "Privacy"
link: "{{ httpd_common_assets }}/legal/privacy"
- text: "Site source"
link: "https://git.centos.org/centos/centos.org"
# ===============================================================================
# httpd_common_title - Equivalent to site.title configuration variable in
# jekyll site.
#
# This variable should be defined in a high scope location (e.g., under
# `group_vars/all.yml`, or `group_vars/webistes.yml`) so all website-related
# playbooks you run can take advantage of it reducing the number of places you
# need to change.
# ===============================================================================
httpd_common_title: The CentOS Project
# ===============================================================================
# httpd_common_description - Equivalent to site.description configuration
# variable in jekyll site.
#
# This variable should be defined in a high scope location (e.g., under
# `group_vars/all.yml`, or `group_vars/webistes.yml`) so all website-related
# playbooks you run can take advantage of it reducing the number of places you
# need to change.
# ===============================================================================
httpd_common_description: |
Community-driven free software effort focused around the goal of providing a
rich base platform for open source communities to build upon.
# Specific default header settings that can be overwritten if needed
# Example:
# httpd_common_autoindex:
# title: 'People of CentOS'
# title_lead: |
# This is an area where the CentOS Developers and allowed contributors
# can make test files and other things available that are not yet part of
# CentOS. Some items here will make it into CentOS, CentOS Extras and/or
# CentOS Plus ... while other things may not.
# with_manifestation: People
# with_social: true
# with_datatables: false
# with_highlight: false
# with_shortcuts: false
# with_finale: true
# with_sponsors: false
# with_copyright: true
# with_content:
# - element: p
# element_class: alert alert-warning
# element_content: >-
# <strong>Caution:</strong> Use anything here at your own risk!
# - element: p
# element_content: >-
# The following users currently have areas on people.centos.org:
# (sorted by First name)
httpd_common_autoindex:
title: 'CentOS'
title_lead: ''
with_manifestation: ""
with_content: []
# same thing but for custom-header task, inherited from other roles
# That means we can override in these roles but let's still have default here
httpd_custom_header_page:
title: 'CentOS'
title_lead: ''
with_manifestation: ''
with_content: []
# For the vhost-shared-dir task
# It permits to quickly share over http/https a local directory and not coming from a role
# We can combine (all optional so default to all open):
# - tls (boolean but would expect existing cert/key matching fqdn)
# - acl (IP based)
# - basic auth (would exclude IP ACL as using user/password instead)
# - rewrite_rules : Rewrite rules injected as a block into vhost (see example below)
#
# Example:
# httpd_vhost_shared_list:
# - name: test
# fqdn: test.domain.com
# path: /srv/test
# - name: restricted
# fqdn: test2.domain.com
# path: /srv/test2
# acl:
# - 192.168.1.0/23
# - name: tls_protected
# fqdn: tls.domain.com
# path: /srv/test3
# tls: True
# - name: tls_and_auth
# fqdn: tls-auth.domain.com
# tls: True
# auth: True
# auth_user: user
# auth_password: mypassword
# - name: tls_and_auth_redirect
# fqdn: redirect.domain.com
# tls: True
# rewrite_rules:
# Redirect "/" "http://new-redirect.domain.com/"
httpd_vhost_shared_list: []
#######################################################################################
# for vhost-git-website-content.yml task
# purpose : define a vhost that would just pull already generated content from a git url
# It can be a list for multiple hostnames/vhosts and git upstream url
# second example shows how to inject rewrite rules in generated httpd conf file
# example:
#
# httpd_git_websites_list:
# - hostname: myvhost.mydomain.com
# local_dir: /var/www/docs
# upstream_git_project_url: https://github.com/CentOS/docs-web
# git_public_site_dir: '/' # can be public_site or else but from where to copy to {{ local_dir }} (docroot)
# - hostname: myvhost2.mydomain.com
# local_dir: /var/www/vhost2
# upstream_git_project_url: url_to_git
# git_public_site_dir: '/public_site/'
# rewrite_rules: |
# RedirectMatch temp "^/(Download|Promote|ReportBugs|SpecialInterestGroup|Donate)$" "/$1.html"
# RedirectMatch temp "^/HowTos/(.*)$" "/HowTos(2f)$1.html"
httpd_git_websites_list: []
######################################################################################
# for vhost-docs.yml task
# purpose : setup a vhost that will pull content from various docs git repositories
# and render through mkdocs-centos container (mkdocs and plugins in one container)
# We can define some variables for this (default) and override if needed
httpd_docs_hostname: docs.centos.org
httpd_docs_username: mkdocsbot
# where to find container and which tag
httpd_docs_container: quay.io/centosci/mkdocs-centos
httpd_docs_container_tag: 1.6.1
# how to call mkdocs-centos cmd through podman
httpd_docs_mkdocs_buildcmd: build
httpd_docs_pkgs_list:
- git
# From which repository we need to pull from
httpd_docs_git_url: https://gitlab.com/CentOS/docs/docs.centos.org.git
httpd_docs_git_branch: main