set default vhost rather than just collation order

Signed-off-by: David Loffredo <loffredo@steptools.com>
david-loffredo · Feb 19, 2020 · f6c9073 · f6c9073
1 parent a334012
commit f6c9073
Show file tree

Hide file tree

Showing 5 changed files with 68 additions and 19 deletions.
diff --git a/ChangeLog.txt b/ChangeLog.txt
@@ -1,5 +1,8 @@
 
-## [Unreleased]
+## [1.1] - 2020-02-18
+
+- Added 'www' user account for uploading website data.  Also reworked
+  the website configs to add a variety of extra flags.
 
 - Changed '-' to '_' in backup_server and raspberry_pi group names to
   satisfy new Ansible naming requirements.  Update your host files and

diff --git a/docs/apache.html b/docs/apache.html
@@ -29,9 +29,8 @@ <H1>Web Service</H1>
 <p>The role creates one or more vhosts, along with aliases for each.
 The document root for each vhost is
 at <code>/var/www/&lt;domain&gt;</code>.  We initialize the root with
-an index.html if one is not present.  The files are currently owned by
-root, but we create a 'www-data' group for future use when others
-might be uploading content.</p>
+an index.html if one is not present.  We create a 'www' user and a
+'www-data' group to use when uploading content via rsync.</p>
 
 <P>The default Apache config enables gzip compression, and it is not
 recommended to turn it off.  If your website uses cookies, strongly
@@ -43,22 +42,42 @@ <H2 class=rule>
 
 <p>The <code>web_vhosts</code> variable is a list of structs, one for
 each root domain, with a main name and any aliases.  It looks
-something like this.  If the machine is also
-a <a href="mail.html">mail server</a>, be sure to add the name used in
-the MX record to the aliases of that domain.</p>
+something like this.</p>
 
 <PRE class=code>
 web_vhosts:
   - name: "{{ domain }}"
     aliases:
       - www.{{ domain }}
-      - mail.{{ domain }}
 
   - name: foobar.com
     aliases:
       - www.foobar.com
 </PRE>
 
+<p>The <code>name</code> is required and is the ServerName.  The
+<code>aliases</code> list is optional and contains a list of
+ServerAlias values.  Other possible settings are:
+
+<ul>
+<li><code>admin</code>: "admin email" (defaults to webmaster@{{name}})
+<li><code>root</code> "document root" (defaults to {{webdata_root}}/{{name}})
+<li><code>cert</code> "cert file"       (defaults to letsencrypt {{name}}/fullchain.pem)
+<li><code>certkey</code> "key file"     (defaults to letsencrypt {{name}}/privkey.pem)
+
+<li><code>default</code> (if yes, .conf sorted first to force it as
+the default vhost)
+</ul>
+
+<p>The following can each contain a single string (probably
+multi-line) that is included in the http and https configuration
+directives.  Use for custom error pages, rewrite rules, etc.</p>
+
+<ul>
+<li><code>conf_extra</code> ( both )
+<li><code>conf_extra_http</code>     ( only http )
+<li><code>conf_extra_https</code> ( only https )
+</ul>
 <p>You can set the <code>apache_modules</code> variable to force
 certain modules to be enabled.  The rewrite module is always present.
 By default we always redirect http to https, but if you want to
@@ -81,7 +100,6 @@ <H2 class=rule>
 perhaps a few CGI scripts, and unlikely to spark worldwide interest,
 so any server would be fine.</p>
 
-
 <figure>
 <img src="images/mosaic_step1995.png" alt="STEP Data ca. 1995">
 <figcaption>Back in 1995, we ran NCSA HTTPs and looked at everything

diff --git a/docs/ssh.html b/docs/ssh.html
@@ -54,10 +54,11 @@ <H1>SSH Configuration</H1>
 <H2 class=rule>
 <A NAME=keys></A>SSH Keys</H2>
 
-<p>These playbooks expect a SSH keys for the deploy account and the
-Bacula tunnel.  The tunnel key should not have a passphrase because it
-will be used by scripts, but it is your choice whether to use one for
-the deploy account key.</p>
+<p>These playbooks expect a SSH keys for the deploy account, the
+Bacula tunnel, and the www account for website content.  The tunnel
+key should not have a passphrase because it will be used by scripts,
+but it is your choice whether to use one for the deploy and www
+account keys.</p>
 
 <p>I recommend using
 modern <a href="https://en.wikipedia.org/wiki/EdDSA">Ed25519 keys</a>
@@ -66,6 +67,7 @@ <H2 class=rule>
 <PRE class=code>
 $ ssh-keygen -t ed25519 -f deploy -C deploy-yourhost -N ''
 $ ssh-keygen -t ed25519 -f bacula -C bacula-tunnel-yourhost -N ''
+$ ssh-keygen -t ed25519 -f www -C www-yourhost -N ''
 </PRE>
 
 

diff --git a/roles/apache/tasks/host.yml b/roles/apache/tasks/host.yml
@@ -1,4 +1,15 @@
 ---
+# If we have multiple sites, the default one is first in the collation
+# order.  We can force that by prepending 000, but watch for outdated
+# conf files if we happen to change this setting.  For the most part,
+# the default does not matter unless we happen to use the raw IP or
+# have DNS records that point to us that have no vhost.
+#
+- name: "{{ host.name }} : defaults calculated"
+  set_fact:
+    host_conf: "{{ '000-' if host.default|default(False) }}{{ host.name }}" 
+    host_oppo: "{{ '000-' if not host.default|default(False) }}{{ host.name }}" 
+
 - name: "{{ host.name }} : document root present {{ apache_host_dflt_root }}"
   file:
     path: "{{ host.root | default(apache_host_dflt_root) }}"
@@ -19,16 +30,31 @@
 - name: "{{ host.name }} : http config present"
   template:
     src: host.conf.j2
-    dest: /etc/apache2/sites-available/{{ host.name }}.conf
+    dest: /etc/apache2/sites-available/{{ host_conf }}.conf
     owner: root
     group: root
     mode: 0644
   notify:
     - restart apache
 
+# make the link manually rather than call a2ensite because it bounces
+# apache every time
 - name: "{{ host.name }} : enabled"
-  command: a2ensite {{ host.name }}
-  args:
-    creates: /etc/apache2/sites-enabled/{{ host.name }}.conf
+  file:
+    dest: /etc/apache2/sites-enabled/{{ host_conf }}.conf
+    src: ../sites-available/{{ host_conf }}.conf
+    state: link
+    owner: root
+    group: root
+    mode: 0644
+  notify:
+    - restart apache
+
+- name: "{{ host.name }} : alternate configs removed"
+  file: path={{ item }} state=absent
+  with_items:
+    - /etc/apache2/sites-available/{{ host_oppo }}.conf
+    - /etc/apache2/sites-enabled/{{ host_oppo }}.conf
   notify:
     - restart apache
+
diff --git a/roles/web-dflts/defaults/main.yml b/roles/web-dflts/defaults/main.yml
@@ -14,9 +14,9 @@ webdata_root: /var/www
 #   aliases: [list of ServerAlias]  (optional, usually www.{{name}})
 #   admin: "admin email"    (defaults to webmaster@{{name}})
 #   root: "document root"   (defaults to {{webdata_root}}/{{name}})
-#   cert: "cert file"       (defaults to letsencrypt {{name}}/cert.pem)
+#   cert: "cert file"       (defaults to letsencrypt {{name}}/fullchain.pem)
 #   certkey: "key file"     (defaults to letsencrypt {{name}}/privkey.pem)
-#   certchain: "chain file" (defaults to letsencrypt {{name}}/chain.pem)
+#   default: (if yes, .conf sorted first to force it as the default vhost)
 #
 # The following can each contain a string (probably multiline) that
 # will be included in the configuration directives for the http and