Implement deployment of conf files and conf files for modules

zstyblik · Aug 5, 2024 · 022f328 · 022f328
1 parent 5174145
commit 022f328
Show file tree

Hide file tree

Showing 6 changed files with 159 additions and 70 deletions.
diff --git a/README.md b/README.md
@@ -83,10 +83,16 @@ There are no extra dependencies as far as Ansible goes.
     apache_mods:
       - name: rewrite
         state: present
+      - name: ssl
+        conf_content: |
+          SSLProtocol all -SSLv2 -SSLv3 -TLSv1
 
     apache_confs:
       - name: serve-cgi-bin
         state: absent
+      - name: my_config
+        conf_content: |
+          TraceEnable On
   roles:
      - role: zstyblik.apache
 ```

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -13,15 +13,24 @@ apache_vhosts:
 # Only used on Debian/Ubuntu.
 # Example:
 # apache_mods:
-#   - name: rewrite
+#   - name: ssl
 #     state: present
+#     # Create or overwrite .conf file with the following content.
+#     # This can be used to override/neuter default mod configuration.
+#     conf_content: |
+#       SSLProtocol all -SSLv2 -SSLv3 -TLSv1
 apache_mods: []
 
 # Only used on Debian/Ubuntu.
 # Example:
 # apache_confs:
 #   - name: trace
 #     state: absent
+#   - name: my_config
+#     state: present
+#     # Create or overwrite .conf file with the following content.
+#     conf_content: |
+#       TraceEnable On
 apache_confs: []
 
 # httpd.conf

diff --git a/specs/apache_conf_argument_specs.yml b/specs/apache_conf_argument_specs.yml
@@ -0,0 +1,20 @@
+%YAML 1.2
+---
+argument_specs:
+  apache_conf_item:
+    short_description: Specification of Apache httpd conf/module item.
+    description: Specification of Apache httpd conf/module item.
+    options:
+      name:
+        description: Name of Apache's httpd configuration file(fragment).
+        required: true
+        type: str
+      state:
+        description: State of configuration file - present, absent etc.
+        required: false
+        type: str
+        choices: ['present', 'absent', 'purged']
+      conf_content:
+        description: Content of configuration file itself.
+        required: false
+        type: str
diff --git a/tasks/configure-Debian.yml b/tasks/configure-Debian.yml
@@ -104,81 +104,22 @@
   ansible.builtin.set_fact:
     _apache_a2q_confs: "{{ _apache_cmd_a2q_confs.stdout_lines | parse_a2query }}"
 
-# NOTE(zstyblik): run a2en* regardless
-# re-add check "is in a2q STDOUT", if necessary to save cycles.
-- name: Enable desired Apache confs.
-  ansible.builtin.command:
-    argv:
-      - /usr/sbin/a2enconf
-      - -q
-      - "{{ item.name }}"
-  register: _apache_cmd_a2enconf
-  changed_when: "'To activate the new configuration' in _apache_cmd_a2enconf.stdout_lines"
-  failed_when: _apache_cmd_a2enconf.rc != 0
-  loop: "{{ apache_confs }}"
-  loop_control:
-    label: "{{ item.name }}"
-  when:
-    - item.state | default('present') == 'present'
-  notify: restart apache
-  become: true
-
-- name: Disable desired Apache confs.
-  ansible.builtin.command:
-    argv:
-      - /usr/sbin/a2disconf
-      - -q
-      - "{{ item.name }}"
-  register: _apache_cmd_a2disconf
-  changed_when: "'To activate the new configuration' in _apache_cmd_a2disconf.stdout_lines"
-  failed_when: _apache_cmd_a2disconf.rc != 0
+- name: Configure Apache configuration files(fragment).
+  ansible.builtin.include_tasks:
+    file: configure-conf-file.yml
   loop: "{{ apache_confs }}"
   loop_control:
-    label: "{{ item.name }}"
-  when:
-    - item.state | default('present') != 'present'
-    - item.name in _apache_a2q_confs
-  notify: restart apache
-  become: true
+    label: "{{ _apache_conf_item.name | default('unknown') }}"
+    loop_var: _apache_conf_item
 
 # Apache mods
-# NOTE(zstyblik): run a2en* regardless
-# re-add check "is in a2q STDOUT", if necessary to save cycles.
-- name: Enable desired Apache mods.
-  ansible.builtin.command:
-    argv:
-      - /usr/sbin/a2enmod
-      - -q
-      - "{{ item.name }}"
-  register: _apache_cmd_a2enmod
-  changed_when: "'To activate the new configuration' in _apache_cmd_a2enmod.stdout_lines"
-  failed_when: _apache_cmd_a2enmod.rc != 0
-  loop: "{{ apache_mods }}"
-  loop_control:
-    label: "{{ item.name }}"
-  when:
-    - item.state | default('present') == 'present'
-  notify: restart apache
-  become: true
-
-- name: Disable desired Apache mods.
-  ansible.builtin.command:
-    argv:
-      - /usr/sbin/a2dismod
-      - -q
-      - "{{ item.name }}"
-  register: _apache_cmd_a2dismod
-  changed_when: "'To activate the new configuration' in _apache_cmd_a2dismod.stdout_lines"
-  failed_when: _apache_cmd_a2dismod.rc != 0
+- name: Configure Apache modules.
+  ansible.builtin.include_tasks:
+    file: configure-mod-file.yml
   loop: "{{ apache_mods }}"
   loop_control:
-    label: "{{ item.name }}"
-  when:
-    - item.state | default('present') != 'present'
-    - item.name in _apache_a2q_mods
-    - item.name != _apache_mpm_module
-  notify: restart apache
-  become: true
+    label: "{{ _apache_mod_item.name | default('unknown') }}"
+    loop_var: _apache_mod_item
 
 # Apache vhosts
 - name: Get list of enabled Apache sites.

diff --git a/tasks/configure-conf-file.yml b/tasks/configure-conf-file.yml
@@ -0,0 +1,56 @@
+---
+- name: Check conf configuration against spec file
+  ansible.builtin.validate_argument_spec:
+    argument_spec: |
+      {{
+        (
+          lookup(
+            'ansible.builtin.file',
+            'specs/apache_conf_argument_specs.yml'
+          ) | from_yaml
+        )['argument_specs']['apache_conf_item']['options']
+      }}
+    provided_arguments: "{{ _apache_conf_item }}"
+
+- name: Create Apache config file.
+  ansible.builtin.copy:
+    content: "{{ _apache_conf_item.conf_content }}"
+    dest: "{{ apache_httpd_conf_load_dir }}/{{ _apache_conf_item.name }}.conf"
+    owner: root
+    group: root
+    mode: '0644'
+  when:
+    - _apache_conf_item.state | default('present') == 'present'
+    - _apache_conf_item.conf_content is defined
+  become: true
+
+# NOTE(zstyblik): run a2en* regardless
+# re-add check "is in a2q STDOUT", if necessary to save cycles.
+- name: Enable Apache config file.
+  ansible.builtin.command:
+    argv:
+      - /usr/sbin/a2enconf
+      - -q
+      - "{{ _apache_conf_item.name }}"
+  register: _apache_cmd_a2enconf
+  changed_when: "'To activate the new configuration' in _apache_cmd_a2enconf.stdout_lines"
+  failed_when: _apache_cmd_a2enconf.rc != 0
+  when:
+    - _apache_conf_item.state | default('present') == 'present'
+  notify: restart apache
+  become: true
+
+- name: Disable Apache config file.
+  ansible.builtin.command:
+    argv:
+      - /usr/sbin/a2disconf
+      - -q
+      - "{{ _apache_conf_item.name }}"
+  register: _apache_cmd_a2disconf
+  changed_when: "'To activate the new configuration' in _apache_cmd_a2disconf.stdout_lines"
+  failed_when: _apache_cmd_a2disconf.rc != 0
+  when:
+    - _apache_conf_item.state | default('present') != 'present'
+    - _apache_conf_item.name in _apache_a2q_confs
+  notify: restart apache
+  become: true
diff --git a/tasks/configure-mod-file.yml b/tasks/configure-mod-file.yml
@@ -0,0 +1,57 @@
+---
+- name: Check mod configuration against spec file
+  ansible.builtin.validate_argument_spec:
+    argument_spec: |
+      {{
+        (
+          lookup(
+            'ansible.builtin.file',
+            'specs/apache_conf_argument_specs.yml'
+          ) | from_yaml
+        )['argument_specs']['apache_conf_item']['options']
+      }}
+    provided_arguments: "{{ _apache_mod_item }}"
+
+- name: Create config file for Apache module.
+  ansible.builtin.copy:
+    content: "{{ _apache_mod_item.conf_content }}"
+    dest: "{{ apache_httpd_mod_load_dir }}/{{ _apache_mod_item.name }}.conf"
+    owner: root
+    group: root
+    mode: '0644'
+  when:
+    - _apache_mod_item.state | default('present') == 'present'
+    - _apache_mod_item.conf_content is defined
+  become: true
+
+# NOTE(zstyblik): run a2en* regardless
+# re-add check "is in a2q STDOUT", if necessary to save cycles.
+- name: Enable Apache module.
+  ansible.builtin.command:
+    argv:
+      - /usr/sbin/a2enmod
+      - -q
+      - "{{ _apache_mod_item.name }}"
+  register: _apache_cmd_a2enmod
+  changed_when: "'To activate the new configuration' in _apache_cmd_a2enmod.stdout_lines"
+  failed_when: _apache_cmd_a2enmod.rc != 0
+  when:
+    - _apache_mod_item.state | default('present') == 'present'
+  notify: restart apache
+  become: true
+
+- name: Disable Apache module.
+  ansible.builtin.command:
+    argv:
+      - /usr/sbin/a2dismod
+      - -q
+      - "{{ _apache_mod_item.name }}"
+  register: _apache_cmd_a2dismod
+  changed_when: "'To activate the new configuration' in _apache_cmd_a2dismod.stdout_lines"
+  failed_when: _apache_cmd_a2dismod.rc != 0
+  when:
+    - _apache_mod_item.state | default('present') != 'present'
+    - _apache_mod_item.name in _apache_a2q_mods
+    - _apache_mod_item.name != _apache_mpm_module
+  notify: restart apache
+  become: true