119 lines
3.1 KiB
YAML
119 lines
3.1 KiB
YAML
---
|
|
- name: Configure Angie Web Server (ALT Linux)
|
|
hosts: server
|
|
become: true
|
|
vars:
|
|
ssl_cert_path: "/etc/angie/ssl/www.au.team.crt"
|
|
ssl_key_path: "/etc/angie/ssl/www.au.team.key"
|
|
server_name: "www.au.team"
|
|
listen_port_http: 80
|
|
listen_port_https: 443
|
|
|
|
tasks:
|
|
- name: Update package cache (ALT Linux)
|
|
ansible.builtin.command:
|
|
cmd: apt-rpm update
|
|
changed_when: false
|
|
tags:
|
|
- angie
|
|
|
|
- name: Install Angie web server (ALT Linux)
|
|
ansible.builtin.package:
|
|
name: angie
|
|
state: present
|
|
tags:
|
|
- angie
|
|
|
|
- name: Create SSL directory
|
|
ansible.builtin.file:
|
|
path: /etc/angie/ssl
|
|
state: directory
|
|
mode: '0755'
|
|
owner: root
|
|
group: root
|
|
tags:
|
|
- ssl
|
|
|
|
- name: Generate self-signed SSL certificate
|
|
ansible.builtin.command:
|
|
cmd: >
|
|
openssl req -x509 -nodes -days 3650 -newkey rsa:2048
|
|
-keyout {{ ssl_key_path }}
|
|
-out {{ ssl_cert_path }}
|
|
-subj "/C=RU/ST=Moscow/L=Moscow/O=AU Team/CN={{ server_name }}"
|
|
creates: "{{ ssl_cert_path }}"
|
|
notify: Reload angie
|
|
tags:
|
|
- ssl
|
|
|
|
- name: Set proper permissions for SSL key
|
|
ansible.builtin.file:
|
|
path: "{{ ssl_key_path }}"
|
|
mode: '0600'
|
|
owner: root
|
|
group: root
|
|
tags:
|
|
- ssl
|
|
|
|
- name: Create index.html with server name
|
|
ansible.builtin.copy:
|
|
content: "{{ inventory_hostname }} by Angie!\n"
|
|
dest: /var/www/html/index.html
|
|
mode: '0644'
|
|
owner: root
|
|
group: root
|
|
tags:
|
|
- web
|
|
|
|
- name: Configure Angie vhost with HTTPS and HTTP redirect
|
|
ansible.builtin.copy:
|
|
content: |
|
|
# HTTP server - redirect to HTTPS
|
|
server {
|
|
listen {{ listen_port_http }};
|
|
listen [::]:{{ listen_port_http }};
|
|
server_name {{ server_name }};
|
|
return 301 https://$host$request_uri;
|
|
}
|
|
|
|
# HTTPS server
|
|
server {
|
|
listen {{ listen_port_https }} ssl;
|
|
listen [::]:{{ listen_port_https }} ssl;
|
|
server_name {{ server_name }};
|
|
|
|
ssl_certificate {{ ssl_cert_path }};
|
|
ssl_certificate_key {{ ssl_key_path }};
|
|
ssl_protocols TLSv1.2 TLSv1.3;
|
|
ssl_ciphers HIGH:!aNULL:!MD5;
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
root /var/www/html;
|
|
index index.html;
|
|
|
|
location / {
|
|
try_files $uri $uri/ =404;
|
|
}
|
|
|
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
|
}
|
|
dest: /etc/angie/conf.d/www.au.team.conf
|
|
mode: '0644'
|
|
backup: true
|
|
notify: Reload angie
|
|
tags:
|
|
- web
|
|
|
|
- name: Enable and start Angie service
|
|
ansible.builtin.systemd:
|
|
name: angie
|
|
enabled: true
|
|
state: started
|
|
tags:
|
|
- angie
|
|
|
|
handlers:
|
|
- name: Reload angie
|
|
ansible.builtin.systemd:
|
|
name: angie
|
|
state: reloaded |