new httpd docs-infra task/role

Signed-off-by: Fabian Arrotin <arrfab@centos.org>

defaults/main.yml

@@ -53,6 +53,11 @@ reposnap_rsync_from: msync.centos.org::centos/
 # For SCL php task
 scl_php_ver: 73
 
+# For docs-infra task, used to render docs.infra.centos.org content
+httpd_docs_infra_user: centos
+httpd_docs_infra_rootdir: /var/www/docs.infra
+httpd_docs_infra_hostname: docs.infra.centos.org
+
 # For www task
 httpd_www_rootdir: /var/www/centos_website
 httpd_www_hostname: www.centos.org

tasks/vhost-docs-infra.yml

@@ -0,0 +1,83 @@
+# This task is just for the docs.infra.centos.org node, automatically rendering (through podman) website content
+
+- import_role:
+    name: httpd
+  vars:  
+    httpd_tls: True
+
+- import_role:
+    name: httpd
+    tasks_from: pki-tls
+  vars:
+    pki_hostname: docs.infra.centos.org
+
+- name: Adding specific user to build mkdocs site
+  user: 
+    name: "{{ httpd_docs_infra_user }}"
+    state: present 
+    comment: CentOS Web content user
+
+- name: Ensuring we have a DocumentRoot
+  file:
+    path: "{{ httpd_docs_infra_rootdir }}"
+    state: directory
+    owner: '{{ httpd_docs_infra_user }}'
+    group: '{{ httpd_docs_infra_user }}'
+    mode: 0775
+
+
+- name: Configuring httpd vhost for www
+  template:
+    src: "{{ item }}.j2"
+    dest: "/etc/httpd/conf.d/{{ item }}"
+    mode: 0644
+  with_items:
+    - 02_vhost-docs-infra.conf
+    - ssl-vhost-docs-infra.conf
+  notify:
+    - reload_httpd
+  tags:
+    - config
+
+- name: Install some tools to render website locally
+  yum:
+    name: 
+      - podman
+      - git
+    state: installed
+
+- name: Enabling needed selinux booleans
+  seboolean:
+    name: "{{ item }}"
+    persistent: yes
+    state: on
+  with_items:
+    - httpd_can_network_connect
+
+- name: Wrapper tool to build website
+  template:
+    src: docs-infra/mkdocs-infra.j2
+    dest: /usr/libexec/centos/mkdocs-infra
+    mode: 0750
+    owner: "{{ httpd_docs_infra_user }}"
+  register: mkdocs_infra_script
+  tags:
+    - script
+
+- name: Init podman containers
+  command: /usr/libexec/centos/mkdocs-infra init
+  when: mkdocs_infra_script is changed
+  become_user: "{{ httpd_docs_infra_user }}"
+  tags:
+    - script
+
+- name: Cron to compare upstream git
+  cron:
+    name: Build mkdcos from git
+    job: /usr/libexec/centos/mkdocs-infra build
+    minute: "*/2"
+    user: "{{ httpd_docs_infra_user }}"
+  tags:
+    - cron
+
+

templates/02_vhost-docs-infra.conf.j2

@@ -0,0 +1,18 @@
+<VirtualHost *:80>
+   DocumentRoot {{ httpd_docs_infra_rootdir }}
+   ServerName {{ httpd_docs_infra_hostname }}
+   CustomLog logs/{{ httpd_docs_infra_hostname }}_access.log combined
+   ErrorLog logs/{{ httpd_docs_infra_hostname }}_error.log
+   # Some needed headers
+   Header always set X-Frame-Options "SAMEORIGIN"
+   Header always set X-Xss-Protection "1; mode=block"
+   Header always set X-Content-Type-Options "nosniff"
+   Header always set Referrer-Policy "same-origin"
+
+   RewriteEngine On
+   RewriteCond $1 !^.well-known
+   RewriteCond %{HTTPS} !=on
+   RewriteRule ^/?(.*) https://{{ httpd_docs_infra_hostname }}/$1 [R,L]
+
+
+</VirtualHost>

templates/docs-infra/mkdocs-infra.j2

@@ -0,0 +1,75 @@
+#!/bin/bash
+
+#
+# Purposes : renders and publish website from git 
+# Called by: cron
+# Configured by: Ansible, don't edit
+#
+
+action="$1"
+git_upstream="https://git.centos.org/centos/centos-infra-docs.git" # Where to git clone/pull from
+git_directory="/home/{{ httpd_docs_infra_user }}/git/"
+logfile="/home/{{ httpd_docs_infra_user }}/mkdocs-infra.log"
+
+function usage() {
+cat << EOF
+You need to call the script like this : $0 -arguments
+Argument can be one of the following:
+ init			: prepares local podman container and git initial clone
+ build		: verify upstream git and rebuild if different
+
+EOF
+}
+
+f_log() {
+   echo "[+] $(date +%Y%m%d-%H:%M) $(basename $0) -> $*" >>$logfile
+}
+
+function init(){
+  test -d ${git_directory} || mkdir -p ${git_directory}
+  pushd ${git_directory} >/dev/null
+  test -d centos-infra-docs || git clone ${git_upstream} >> $logfile
+  podman images |grep -q mkdocs-material || podman pull docker.io/squidfunk/mkdocs-material:latest >>$logfile
+popd >/dev/null
+  render
+}
+
+function render(){
+  podman run --volume="${git_directory}/centos-infra-docs:/docs:z" --rm -it squidfunk/mkdocs-material build 2>&1 > /dev/null && cp -r ${git_directory}/centos-infra-docs/site/* /var/www/docs.infra/
+  if [ "$?" -eq "0" ] ; then
+    f_log "Rendering status : $?"
+  else
+    f_log "[ERROR] issue detected when building website"
+  fi
+}
+
+function build(){
+  pushd ${git_directory}/centos-infra-docs >/dev/null
+  last_commit=$(git log| head -n 1|awk '{print $2}')
+  git pull >/dev/null
+  current_commit=$(git log| head -n 1|awk '{print $2}')
+  popd >/dev/null
+
+  if [ "${current_commit}" == "${last_commit}" ] ; then
+    f_log "Git head/last commit is equal [${current_commit}]"
+    f_log "Skipping website build and push"
+  else
+    render
+fi
+}
+
+if [ "$action" == "init" ] ; then
+   f_log "Initializing ..."
+   init
+elif [ "$action" ==  "build" ] ; then
+   f_log "Comparing upstream git HEAD and rebuilding if needed"
+   build
+elif [ "$action" ==  "refresh" ] ; then
+  f_log "Refreshing external content and rendering website .."
+  refresh
+else
+  usage
+  exit 1
+fi
+
+

templates/ssl-vhost-docs-infra.conf.j2

@@ -0,0 +1,39 @@
+<VirtualHost *:443>
+ ServerAdmin webmaster@centos.org
+ ServerName {{ httpd_docs_infra_hostname }}
+ DocumentRoot {{ httpd_docs_infra_rootdir }}
+
+ Header always set Strict-Transport-Security "max-age=31536000"  
+ Header always set X-Frame-Options "SAMEORIGIN"
+ Header always set X-Xss-Protection "1; mode=block"
+ Header always set X-Content-Type-Options "nosniff"
+ Header always set Referrer-Policy "same-origin"
+
+RewriteEngine on
+
+
+ErrorLog logs/ssl-{{ httpd_docs_infra_hostname }}_error.log
+TransferLog logs/ssl-{{ httpd_docs_infra_hostname }}_access.log
+LogLevel warn
+SSLEngine on
+SSLHonorCipherOrder on
+SSLProtocol all -SSLv2 -SSLv3
+SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW:!aNULL:!eNULL:!DES:!MD5:!PSK:!RC4
+
+SSLCertificateFile /etc/pki/tls/certs/{{ httpd_docs_infra_hostname }}.crt
+SSLCertificateKeyFile /etc/pki/tls/private/{{ httpd_docs_infra_hostname }}.key
+SSLCertificateChainFile /etc/pki/tls/certs/{{ httpd_docs_infra_hostname }}-CAChain.crt
+
+<Files ~ "\.(cgi|shtml|phtml|php3?)$">
+    SSLOptions +StdEnvVars
+</Files>
+<Directory "/var/www/cgi-bin">
+    SSLOptions +StdEnvVars
+</Directory>
+SetEnvIf User-Agent ".*MSIE.*" \
+         nokeepalive ssl-unclean-shutdown \
+         downgrade-1.0 force-response-1.0
+CustomLog logs/ssl-{{ httpd_docs_infra_hostname }}_request.log \
+          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+</VirtualHost>                               
+