[ansible] Add sign-vault01
by Nicolas Chauvet
commit 42b314c127e2d9a65320f8bd4db4bfd68baa0062
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Thu Mar 2 11:05:34 2017 +0100
Add sign-vault01
inventory/group_vars/sign-vault | 5 ++
.../host_vars/sign-vault01.online.rpmfusion.net | 13 ++++++
inventory/inventory | 3 +
playbooks/manual/sign-vault.yml | 46 ++++++++++++++++++++
4 files changed, 67 insertions(+), 0 deletions(-)
---
diff --git a/inventory/group_vars/sign-vault b/inventory/group_vars/sign-vault
new file mode 100644
index 0000000..8b63ff9
--- /dev/null
+++ b/inventory/group_vars/sign-vault
@@ -0,0 +1,5 @@
+---
+freezes: true
+postfix_group: sign
+host_group: sign
+ansible_ifcfg_blacklist: true
diff --git a/inventory/host_vars/sign-vault01.online.rpmfusion.net b/inventory/host_vars/sign-vault01.online.rpmfusion.net
new file mode 100644
index 0000000..a8243bd
--- /dev/null
+++ b/inventory/host_vars/sign-vault01.online.rpmfusion.net
@@ -0,0 +1,13 @@
+nm: 255.255.255.0
+gw: 195.154.185.1
+dns: 62.210.16.6
+ks_url: http://192.168.181.254/install/ks/sign-vault01.ks
+
+volgroup: /dev/vg_hv03_virt
+eth0_ip: 192.168.181.111
+vmhost: hv01.online.rpmfusion.net
+datacenter: online
+
+nrpe_procs_warn: 900
+nrpe_procs_crit: 1000
+
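Review bot: The gateway `gw: 195.154.185.1` is not inside the network that `eth0_ip: 192.168.181.111` and `nm: 255.255.255.0` describe, so if these three values feed a single interface's static configuration the default route would be off-link and unreachable; presumably a second interface or host-side routing is intended, but that should be confirmed and recorded in the file, e.g. `# gw is the public default route; eth0 sits on the private 192.168.181.0/24 provisioning network`. `ks_url` is fetched over plain HTTP, which is only acceptable if that 192.168.181.0/24 network is a trusted provisioning-only segment; a comment stating that assumption would help the next maintainer. The new file also ends with an added blank line and, unlike the sibling group_vars file in this commit, has no `---` document-start marker.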
diff --git a/inventory/inventory b/inventory/inventory
index 5cc0384..67e778c 100644
--- a/inventory/inventory
+++ b/inventory/inventory
@@ -55,6 +55,9 @@ bodhi-backend01.online.rpmfusion.net
[sign-bridge]
koji01.online.rpmfusion.net
+[sign-vault]
+sign-vault01.online.rpmfusion.net
+
[bvirthost]
[buildvmhost]
diff --git a/playbooks/manual/sign-vault.yml b/playbooks/manual/sign-vault.yml
new file mode 100644
index 0000000..2c95873
--- /dev/null
+++ b/playbooks/manual/sign-vault.yml
@@ -0,0 +1,46 @@
+# provision a new sign server.
+# NOTE: this assumes the boxes are already up and are accessible
+# NOTE: most of these vars_path come from group_vars/sign or from hostvars
+#
+# FURTHER NOTE: some of These machines run day to day with sshd disabled/off.
+# Access is via management interface only. This playbook does initial setup.
+# Please check with rel-eng before doing anything here.
+
+- name: make sign-vault server vm (secondary and stg only)
+ hosts: sign-vault
+ user: root
+ gather_facts: False
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ tasks:
+ - include: "{{ tasks }}/virt_instance_create.yml"
+
+ handlers:
+ - include: "{{ handlers }}/restart_services.yml"
+
+- name: make sign vault server
+ hosts: sign-vault
+ user: root
+ gather_facts: true
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ roles:
+ - base
+ - rkhunter
+ - serial-console
+ - sigul/server
+
+ tasks:
+ - include: "{{ tasks }}/yumrepos.yml"
+ - include: "{{ tasks }}/motd.yml"
+
+ handlers:
+ - include: "{{ handlers }}/restart_services.yml"
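Review bot: The first play sets `gather_facts: False` but lists `/srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml` in `vars_files`; without gathered (or cached) facts `ansible_distribution` is undefined there, and Ansible skips an unresolvable vars file rather than failing, so distribution-specific variables are silently absent during VM creation. The header comment says most vars come from `group_vars/sign`, yet the group this playbook targets and this commit creates is `sign-vault`, so the line should read `# NOTE: most of these vars_path come from group_vars/sign-vault or from hostvars`. The two plays also spell booleans differently (`False` in one, `true` in the other); use lowercase `true`/`false` in both. `user:` is the legacy spelling of `remote_user:` and the file has no `---` document-start line.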
[ansible] Allow acme-challenge to bypass https redirect
by Nicolas Chauvet
commit 890cae59296ba6c890817cafbe65f2f43ef523a0
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Thu Mar 2 10:21:37 2017 +0100
Allow acme-challenge to bypass https redirect
roles/httpd/templates/website.conf.j2 | 12 ++++++++++++
1 files changed, 12 insertions(+), 0 deletions(-)
---
diff --git a/roles/httpd/templates/website.conf.j2 b/roles/httpd/templates/website.conf.j2
index 466b2b0..5d62924 100644
--- a/roles/httpd/templates/website.conf.j2
+++ b/roles/httpd/templates/website.conf.j2
@@ -10,9 +10,21 @@
SetOutputFilter DEFLATE
<% end -%>
+{% if acme -%}
+ AliasMatch ^/.well-known/acme-challenge/(.*)$ /var/www/html/.well-known/acme-challenge/$1
+
+ <Directory "/var/www/html/.well-known/acme-challenge/">
+ Options None
+ AllowOverride None
+ ForceType text/plain
+ RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
+ </Directory>
+<% end -%>
+
{% if sslonly -%}
RewriteEngine On
RewriteCond %{HTTPS} off
+ RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/.*
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [NE]
<% else -%>
Include "conf.d/{{ name }}/*.conf"
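Review bot: `{% if acme -%}` is evaluated for every site rendered from this template, and Ansible's undefined is strict in boolean tests, so unless the httpd role's defaults (not in this diff) define `acme`, rendering now fails for every existing host; add `acme: false` to the role defaults or guard with `{% if acme | default(false) -%}`. The added block is closed with `<% end -%>` rather than `{% endif -%}`; if that is how the file reads on disk rather than an artifact of this archive's rendering, Jinja will not close the `if`. The regexes in the new `AliasMatch` and `RewriteCond` leave the dot in `.well-known` unescaped, so `^/\.well-known/acme-challenge/` is the intended pattern. The surrounding `{% if sslonly -%}` block continues past the end of the hunk.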