initial upload

2025-10-10 11:07:34 +00:00
commit 6224cd01c6
161 changed files with 8964 additions and 0 deletions
--- a/roles/apache/tasks/main.yml
+++ b/roles/apache/tasks/main.yml
@@ -0,0 +1,164 @@
+---
+
+- name: Install Apache packages
+  apt:
+    pkg:
+      - apache2
+      - socat
+    state: present
+  tags: packages
+
+- name: Ensure the ssl-cert group exists
+  group:
+    name: ssl-cert
+    system: yes
+  tags: packages
+
+- name: Ensure apache is a member of ssl-cert
+  user:
+    name: www-data
+    groups: ssl-cert
+    append: yes
+  tags: packages
+
+- name: Install Apache config
+  template:
+    dest: /etc/apache2/apache2.conf
+    src: etc_apache2_apache2.conf.j2
+    mode: 0644
+    owner: root
+    group: root
+  notify: Reload Apache
+  tags: configs
+
+- name: Install Apache module configs
+  template:
+    dest: "/etc/apache2/mods-available/{{ item }}"
+    src: "etc_apache2_mods-available_{{ item }}.j2"
+    mode: 0644
+    owner: root
+    group: root
+  with_items:
+    - deflate.conf
+    - http2.conf
+    - ssl.conf
+    - status.conf
+  notify: Reload Apache
+  tags:
+    - configs
+    - apache-configs
+
+- name: Enable Apache modules
+  apache2_module:
+    name: "{{ item }}"
+    state: present
+    force: yes
+  with_items:
+    - deflate
+    - env
+    - expires
+    - headers
+    - http2
+    - reqtimeout
+    - rewrite
+    - setenvif
+    - ssl
+    - status
+    - unique_id
+  notify: Restart Apache
+  tags: configs
+
+- name: Install Apache other configs
+  template:
+    dest: "/etc/apache2/conf-available/{{ item }}"
+    src: "etc_apache2_conf-available_{{ item }}.j2"
+  with_items:
+    - logging.conf
+    - security.conf
+  notify: Reload Apache
+  tags: [configs, logging]
+
+- name: Enable Apache other configs
+  command: "a2enconf {{ item }}"
+  args:
+    creates: "/etc/apache2/conf-enabled/{{ item }}"
+  with_items:
+    - logging.conf
+    - security.conf
+  notify: Reload Apache
+  tags: configs
+
+- name: Enable the SSL default vhost
+  command: a2ensite default-ssl
+  args:
+    creates: /etc/apache2/sites-enabled/default-ssl.conf
+  notify: Reload Apache
+  tags: configs
+
+- name: Install Apache logrotate snippet
+  template:
+    dest: /etc/logrotate.d/apache2
+    src: etc_logrotate.d_apache2.j2
+    mode: 0644
+    owner: root
+    group: root
+  tags: [configs, logrotate]
+
+- name: Install apache2.service override dir
+  file:
+    dest: /etc/systemd/system/apache2.service.d
+    state: directory
+    mode: 0755
+    owner: root
+    group: root
+  tags: [configs, systemd]
+
+- name: Install apache2.service override
+  template:
+    dest: /etc/systemd/system/apache2.service.d/local.conf
+    src: etc_systemd_system_apache2.service.d_local.conf.j2
+    mode: 0644
+    owner: root
+    group: root
+  notify: Reload Apache systemd
+  tags: [configs, systemd]
+
+- name: Ensure Apache is running
+  systemd:
+    name: apache2
+    state: started
+    enabled: yes
+  tags: configs
+
+- include: mod_evasive.yml
+  when: apache_mod_evasive
+  tags: mod_evasive
+
+- include: mod_security.yml
+  when: apache_mod_security
+  tags: mod_security
+
+- name: Install the Apache firewall config
+  template:
+    dest: "/etc/firewall/{{ item }}"
+    src: "etc_firewall_{{ item | replace('/', '_') }}.j2"
+    mode: 0600
+    owner: root
+    group: root
+  when: firewall_enabled and apache_firewall
+  notify: Restart firewall
+  with_items:
+  - rules-v4.d/40_apache.sh
+  - rules-v6.d/40_apache.sh
+  tags:
+  - configs
+  - firewall
+
+- name: Register the apache service in Consul
+  template:
+    dest: /etc/consul.d/service-apache.hcl
+    src: etc_consul.d_service-apache.hcl.j2
+  when: apache_consul_service
+  notify: Reload consul
+  tags: configs
+
--- a/roles/apache/tasks/mod_evasive.yml
+++ b/roles/apache/tasks/mod_evasive.yml
@@ -0,0 +1,27 @@
+---
+
+- name: Install Apache mod_evasive
+  apt:
+    pkg:
+      - libapache2-mod-evasive
+    state: present
+  notify: Restart Apache
+  tags: packages
+
+- name: Install Apache mod_evasive config
+  template:
+    dest: /etc/apache2/mods-available/evasive.conf
+    src: etc_apache2_mods-available_evasive.conf.j2
+    mode: 0644
+    owner: root
+    group: root
+  notify: Reload Apache
+  tags: configs
+
+- name: Enable Apache mod_evasive
+  apache2_module:
+    name: evasive
+    state: present
+    force: yes
+  notify: Restart Apache
+  tags: configs
--- a/roles/apache/tasks/mod_security.yml
+++ b/roles/apache/tasks/mod_security.yml
@@ -0,0 +1,38 @@
+---
+
+- name: Install Apache mod_security
+  apt:
+    pkg:
+      - libapache2-mod-security2=2.9.*
+      - modsecurity-crs=3.*
+    state: present
+  notify: Restart Apache
+  tags: packages
+
+- name: Install Apache mod_security config
+  template:
+    dest: /etc/modsecurity/modsecurity.conf
+    src: etc_modsecurity_modsecurity.conf.j2
+    mode: 0644
+    owner: root
+    group: root
+  notify: Reload Apache
+  tags: configs
+
+- name: Install Apache mod_security ruleset config
+  template:
+    dest: /etc/modsecurity/crs/crs-setup.conf
+    src: etc_modsecurity_crs_crs-setup.conf.j2
+    mode: 0644
+    owner: root
+    group: root
+  notify: Reload Apache
+  tags: configs
+
+- name: Enable Apache mod_security
+  apache2_module:
+    name: security2
+    state: present
+    force: yes
+  notify: Restart Apache
+  tags: configs