diff --git a/playbook2_web.yml b/playbook2_web.yml
new file mode 100644
index 0000000..3fa9c91
--- /dev/null
+++ b/playbook2_web.yml
@@ -0,0 +1,158 @@
+---
+- name: Configure Angie Web Server
+ hosts: server
+ become: true
+ vars:
+ angie_repo_key: "https://angie.software/keys/angie-release-key.gpg"
+ angie_repo: "https://angie.software/packages/debian/dists/stable/main/binary-$(ARCH)/"
+ ssl_cert_path: "/etc/angie/ssl/www.au.team.crt"
+ ssl_key_path: "/etc/angie/ssl/www.au.team.key"
+ server_name: "www.au.team"
+ listen_port_http: 80
+ listen_port_https: 443
+
+ tasks:
+ - name: Install prerequisites for Angie repo
+ ansible.builtin.apt:
+ name:
+ - gnupg
+ - ca-certificates
+ - curl
+ - apt-transport-https
+ state: present
+ update_cache: true
+ tags: angie
+
+ - name: Add Angie GPG key
+ ansible.builtin.apt_key:
+ url: "{{ angie_repo_key }}"
+ state: present
+ tags: angie
+
+ - name: Add Angie repository
+ ansible.builtin.apt_repository:
+ repo: "deb [arch=amd64] https://angie.software/packages/debian stable main"
+ state: present
+ filename: angie
+ tags: angie
+
+ - name: Install Angie web server
+ ansible.builtin.apt:
+ name: angie
+ state: present
+ update_cache: true
+ tags: angie
+
+ - name: Create SSL directory
+ ansible.builtin.file:
+ path: /etc/angie/ssl
+ state: directory
+ mode: '0755'
+ owner: root
+ group: root
+ tags: ssl
+
+ - name: Generate self-signed SSL certificate
+ ansible.builtin.command:
+ cmd: >
+ openssl req -x509 -nodes -days 3650 -newkey rsa:2048
+ -keyout {{ ssl_key_path }}
+ -out {{ ssl_cert_path }}
+ -subj "/C=RU/ST=Moscow/L=Moscow/O=AU Team/CN={{ server_name }}"
+ creates: "{{ ssl_cert_path }}"
+ notify: Reload angie
+ tags: ssl
+
+ - name: Set proper permissions for SSL key
+ ansible.builtin.file:
+ path: "{{ ssl_key_path }}"
+ mode: '0600'
+ owner: root
+ group: root
+ tags: ssl
+
+ - name: Create index.html with server name
+ ansible.builtin.copy:
+ content: "{{ inventory_hostname }} by Angie!\n"
+ dest: /var/www/html/index.html
+ mode: '0644'
+ owner: www-data
+ group: www-data
+ tags: web
+
+ - name: Configure Angie vhost with HTTPS and HTTP redirect
+ ansible.builtin.template:
+ content: |
+ # HTTP server - redirect to HTTPS
+ server {
+ listen {{ listen_port_http }};
+ listen [::]:{{ listen_port_http }};
+ server_name {{ server_name }};
+ return 301 https://$host$request_uri;
+ }
+
+ # HTTPS server
+ server {
+ listen {{ listen_port_https }} ssl;
+ listen [::]:{{ listen_port_https }} ssl;
+ server_name {{ server_name }};
+
+ ssl_certificate {{ ssl_cert_path }};
+ ssl_certificate_key {{ ssl_key_path }};
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+ ssl_prefer_server_ciphers on;
+
+ root /var/www/html;
+ index index.html;
+
+ location / {
+ try_files $uri $uri/ =404;
+ }
+
+ # Add HSTS header
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+ }
+ dest: /etc/angie/sites-available/www.au.team.conf
+ mode: '0644'
+ backup: true
+ notify: Reload angie
+ tags: web
+
+ - name: Enable site configuration
+ ansible.builtin.file:
+ src: /etc/angie/sites-available/www.au.team.conf
+ dest: /etc/angie/sites-enabled/www.au.team.conf
+ state: link
+ notify: Reload angie
+ tags: web
+
+ - name: Disable default site if exists
+ ansible.builtin.file:
+ path: /etc/angie/sites-enabled/default
+ state: absent
+ notify: Reload angie
+ tags: web
+
+ - name: Add www.au.team to /etc/hosts for local resolution
+ ansible.builtin.lineinfile:
+ path: /etc/hosts
+ regexp: '^127\.0\.1\.1\s+www\.au\.team'
+ line: "127.0.1.1 {{ server_name }}"
+ state: present
+ tags: dns
+
+ - name: Enable and start Angie service
+ ansible.builtin.systemd:
+ name: angie
+ enabled: true
+ state: started
+ daemon_reload: true
+ tags: angie
+
+ handlers:
+ - name: Reload angie
+ ansible.builtin.systemd:
+ name: angie
+ state: reloaded
+ daemon_reload: true
\ No newline at end of file
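Review bot: `ansible.builtin.template` has no `content` option, so the vhost task (`Configure Angie vhost with HTTPS and HTTP redirect`) aborts with an unsupported-parameter error and no server block is ever written; the inline text is already Jinja-rendered before it reaches the module, so `ansible.builtin.copy:` takes the `content:` block as written, or move it to a `.j2` file referenced via `src:`. The `apt_key` task also adds the vendor key to the global trusted keyring, where it can sign any configured repository; fetch it into a dedicated keyring and pin it with `signed-by=` in the `repo:` line instead (rewrite below; the keyring path is an example, and dearmor first if the download is ASCII-armored). `angie_repo` is declared in `vars` but never used — the repository task hardcodes its own line — so drop it or build `repo:` from it. Whether the packaged main Angie config includes `sites-enabled` at all is not visible here; if it does not, the symlinked vhost is never loaded, which is worth confirming before relying on the HTTPS redirect.
```yaml
- name: Add Angie GPG key
  ansible.builtin.get_url:
    url: "{{ angie_repo_key }}"
    dest: /usr/share/keyrings/angie-archive-keyring.gpg   # example path; dearmor if the file is ASCII-armored
    mode: '0644'
  tags: angie

- name: Add Angie repository
  ansible.builtin.apt_repository:
    repo: "deb [arch=amd64 signed-by=/usr/share/keyrings/angie-archive-keyring.gpg] https://angie.software/packages/debian stable main"
    # … unchanged: state, filename, tags …
```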