From 840beb3a529235b4d18c125d72be5d87dfe6d93f Mon Sep 17 00:00:00 2001 From: Fabian Arrotin Date: Tue, 22 Jun 2021 09:09:09 +0200 Subject: [PATCH] new httpd docs-infra task/role Signed-off-by: Fabian Arrotin --- defaults/main.yml | 5 ++ tasks/vhost-docs-infra.yml | 83 ++++++++++++++++++++++++++ templates/02_vhost-docs-infra.conf.j2 | 18 ++++++ templates/docs-infra/mkdocs-infra.j2 | 75 +++++++++++++++++++++++ templates/ssl-vhost-docs-infra.conf.j2 | 39 ++++++++++++ 5 files changed, 220 insertions(+) create mode 100644 tasks/vhost-docs-infra.yml create mode 100644 templates/02_vhost-docs-infra.conf.j2 create mode 100644 templates/docs-infra/mkdocs-infra.j2 create mode 100644 templates/ssl-vhost-docs-infra.conf.j2 diff --git a/defaults/main.yml b/defaults/main.yml index 1163062..94b4a34 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -53,6 +53,11 @@ reposnap_rsync_from: msync.centos.org::centos/ # For SCL php task scl_php_ver: 73 +# For docs-infra task, used to render docs.infra.centos.org content +httpd_docs_infra_user: centos +httpd_docs_infra_rootdir: /var/www/docs.infra +httpd_docs_infra_hostname: docs.infra.centos.org + # For www task httpd_www_rootdir: /var/www/centos_website httpd_www_hostname: www.centos.org diff --git a/tasks/vhost-docs-infra.yml b/tasks/vhost-docs-infra.yml new file mode 100644 index 0000000..dd659cb --- /dev/null +++ b/tasks/vhost-docs-infra.yml 
@@ -0,0 +1,83 @@ +# This task is just for the docs.infra.centos.org node, automatically rendering (through podman) website content + +- import_role: + name: httpd + vars: + httpd_tls: True + +- import_role: + name: httpd + tasks_from: pki-tls + vars: + pki_hostname: docs.infra.centos.org + +- name: Adding specific user to build mkdocs site + user: + name: "{{ httpd_docs_infra_user }}" + state: present + comment: CentOS Web content user + +- name: Ensuring we have a DocumentRoot + file: + path: "{{ httpd_docs_infra_rootdir }}" + state: directory + owner: '{{ httpd_docs_infra_user }}' + group: '{{ httpd_docs_infra_user }}' + mode: 0775 + + +- name: Configuring httpd vhost for www + template: + src: "{{ item }}.j2" + dest: "/etc/httpd/conf.d/{{ item }}" + mode: 0644 + with_items: + - 02_vhost-docs-infra.conf + - ssl-vhost-docs-infra.conf + notify: + - reload_httpd + tags: + - config + +- name: Install some tools to render website locally + yum: + name: + - podman + - git + state: installed + +- name: Enabling needed selinux booleans + seboolean: + name: "{{ item }}" + persistent: yes + state: on + with_items: + - httpd_can_network_connect + +- name: Wrapper tool to build website + template: + src: docs-infra/mkdocs-infra.j2 + dest: /usr/libexec/centos/mkdocs-infra + mode: 0750 + owner: "{{ httpd_docs_infra_user }}" + register: mkdocs_infra_script + tags: + - script + +- name: Init podman containers + command: /usr/libexec/centos/mkdocs-infra init + when: mkdocs_infra_script is changed + become_user: "{{ httpd_docs_infra_user }}" + tags: + - script + +- name: Cron to compare upstream git + cron: + name: Build mkdcos from git + job: /usr/libexec/centos/mkdocs-infra build + minute: "*/2" + user: "{{ httpd_docs_infra_user }}" + tags: + - cron + + diff --git a/templates/02_vhost-docs-infra.conf.j2 b/templates/02_vhost-docs-infra.conf.j2 new file mode 100644 index 0000000..148c538 --- /dev/null +++ b/templates/02_vhost-docs-infra.conf.j2 
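Review bot: The `Enabling needed selinux booleans` task turns on `httpd_can_network_connect`, yet nothing in this role's vhosts proxies or connects anywhere — the site is static files rendered by podman under the build user, not by httpd — so the boolean widens httpd's outbound network permission for no visible reason and should be dropped unless the consumer that needs it is documented in the task. The `Init podman containers` task sets `become_user` without `become: true`, so unless privilege escalation is enabled at play level (not visible here) the `init` runs as whatever account Ansible connected with; put `become: true` next to `become_user`. The cron job runs every two minutes with no lock, so a slow podman render can overlap the next run and two builds can write the web root at once; `job: flock -n /home/{{ httpd_docs_infra_user }}/.mkdocs-infra.lock /usr/libexec/centos/mkdocs-infra build` serializes them. Minor: quote the octal modes (`mode: '0775'`, `'0644'`, `'0750'`), write `httpd_tls: true` and `state: present` rather than `True`/`installed`, and fix the copy-paste leftovers `Configuring httpd vhost for www` and `Build mkdcos from git`.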
@@ -0,0 +1,18 @@ + + DocumentRoot {{ httpd_docs_infra_rootdir }} + ServerName {{ httpd_docs_infra_hostname }} + CustomLog logs/{{ httpd_docs_infra_hostname }}_access.log combined + ErrorLog logs/{{ httpd_docs_infra_hostname }}_error.log + # Some needed headers + Header always set X-Frame-Options "SAMEORIGIN" + Header always set X-Xss-Protection "1; mode=block" + Header always set X-Content-Type-Options "nosniff" + Header always set Referrer-Policy "same-origin" + + RewriteEngine On + RewriteCond $1 !^.well-known + RewriteCond %{HTTPS} !=on + RewriteRule ^/?(.*) https://{{ httpd_docs_infra_hostname }}/$1 [R,L] + + + diff --git a/templates/docs-infra/mkdocs-infra.j2 b/templates/docs-infra/mkdocs-infra.j2 new file mode 100644 index 0000000..d893aed --- /dev/null +++ b/templates/docs-infra/mkdocs-infra.j2 
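Review bot: The HTTP-to-HTTPS redirect `RewriteRule ^/?(.*) https://{{ httpd_docs_infra_hostname }}/$1 [R,L]` is a temporary 302 (`R` alone defaults to 302), so clients and caches never learn the site is HTTPS-only; use `[R=301,L]` (or `R=308`) so the redirect is cached and the HSTS header on the TLS vhost takes effect on the first visit. `Header always set X-Xss-Protection "1; mode=block"` is a legacy header that current browsers ignore and that has been abused for cross-site leaks in the ones that still implement the filter; present guidance is to set it to `0` or drop it and rely on a Content-Security-Policy instead. No `<Directory {{ httpd_docs_infra_rootdir }}>` block is visible in this hunk (the enclosing VirtualHost tags have been stripped in this rendering), so access to the rendered tree depends on whatever the global httpd config grants `/var/www`; an explicit block with `Options -Indexes +FollowSymLinks`, `AllowOverride None` and `Require all granted` makes exposure of the build user's output directory deliberate rather than inherited.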
@@ -0,0 +1,75 @@ +#!/bin/bash + +# +# Purposes : renders and publish website from git +# Called by: cron +# Configured by: Ansible, don't edit +# + +action="$1" +git_upstream="https://git.centos.org/centos/centos-infra-docs.git" # Where to git clone/pull from +git_directory="/home/{{ httpd_docs_infra_user }}/git/" +logfile="/home/{{ httpd_docs_infra_user }}/mkdocs-infra.log" + +function usage() { +cat << EOF +You need to call the script like this : $0 -arguments +Argument can be one of the following: + init : prepares local podman container and git initial clone + build : verify upstream git and rebuild if different + +EOF +} + +f_log() { + echo "[+] $(date +%Y%m%d-%H:%M) $(basename $0) -> $*" >>$logfile +} + +function init(){ + test -d ${git_directory} || mkdir -p ${git_directory} + pushd ${git_directory} >/dev/null + test -d centos-infra-docs || git clone ${git_upstream} >> $logfile + podman images |grep -q mkdocs-material || podman pull docker.io/squidfunk/mkdocs-material:latest >>$logfile +popd >/dev/null + render +} + +function render(){ + podman run --volume="${git_directory}/centos-infra-docs:/docs:z" --rm -it squidfunk/mkdocs-material build 2>&1 > /dev/null && cp -r ${git_directory}/centos-infra-docs/site/* /var/www/docs.infra/ + if [ "$?" -eq "0" ] ; then + f_log "Rendering status : $?" + else + f_log "[ERROR] issue detected when building website" + fi +} + +function build(){ + pushd ${git_directory}/centos-infra-docs >/dev/null + last_commit=$(git log| head -n 1|awk '{print $2}') + git pull >/dev/null + current_commit=$(git log| head -n 1|awk '{print $2}') + popd >/dev/null + + if [ "${current_commit}" == "${last_commit}" ] ; then + f_log "Git head/last commit is equal [${current_commit}]" + f_log "Skipping website build and push" + else + render +fi +} + +if [ "$action" == "init" ] ; then + f_log "Initializing ..." 
+ init +elif [ "$action" == "build" ] ; then + f_log "Comparing upstream git HEAD and rebuilding if needed" + build +elif [ "$action" == "refresh" ] ; then + f_log "Refreshing external content and rendering website .." + refresh +else + usage + exit 1 +fi + + diff --git a/templates/ssl-vhost-docs-infra.conf.j2 b/templates/ssl-vhost-docs-infra.conf.j2 new file mode 100644 index 0000000..215343a --- /dev/null +++ b/templates/ssl-vhost-docs-infra.conf.j2 @@ -0,0 +1,39 @@ + + ServerAdmin webmaster@centos.org + ServerName {{ httpd_docs_infra_hostname }} + DocumentRoot {{ httpd_docs_infra_rootdir }} + + Header always set Strict-Transport-Security "max-age=31536000" + Header always set X-Frame-Options "SAMEORIGIN" + Header always set X-Xss-Protection "1; mode=block" + Header always set X-Content-Type-Options "nosniff" + Header always set Referrer-Policy "same-origin" + +RewriteEngine on + + +ErrorLog logs/ssl-{{ httpd_docs_infra_hostname }}_error.log +TransferLog logs/ssl-{{ httpd_docs_infra_hostname }}_access.log +LogLevel warn +SSLEngine on +SSLHonorCipherOrder on +SSLProtocol all -SSLv2 -SSLv3 +SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW:!aNULL:!eNULL:!DES:!MD5:!PSK:!RC4 + +SSLCertificateFile /etc/pki/tls/certs/{{ httpd_docs_infra_hostname }}.crt +SSLCertificateKeyFile /etc/pki/tls/private/{{ httpd_docs_infra_hostname }}.key +SSLCertificateChainFile /etc/pki/tls/certs/{{ httpd_docs_infra_hostname }}-CAChain.crt + + + SSLOptions +StdEnvVars + + + SSLOptions +StdEnvVars + +SetEnvIf User-Agent ".*MSIE.*" \ + nokeepalive ssl-unclean-shutdown \ + downgrade-1.0 force-response-1.0 +CustomLog logs/ssl-{{ httpd_docs_infra_hostname }}_request.log \ + "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" + +
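Review bot: The dispatcher at the end of the script accepts `refresh` and calls `refresh`, but no `refresh` function is defined anywhere in the file, so `mkdocs-infra refresh` logs `Refreshing external content ...` and then dies with `command not found`; either drop that branch or add the function. `podman pull docker.io/squidfunk/mkdocs-material:latest` pins nothing — whatever image sits behind the mutable `latest` tag at init time is run against the checkout and its output copied straight into the web root — so pin by digest (`docker.io/squidfunk/mkdocs-material@sha256:<digest>`) and bump it deliberately; likewise `git pull` trusts the upstream repository entirely (HTTPS authenticates the server, not the commits), which is acceptable only if that is the intended trust boundary and worth a comment saying so. In `render`, `2>&1 > /dev/null` sends stderr to the original stdout (cron mail) and discards stdout, which is almost certainly backwards — `build >>"$logfile" 2>&1` keeps mkdocs errors with the rest of the log — and `-it` has no TTY to attach to under cron. `cp -r ${git_directory}/centos-infra-docs/site/* /var/www/docs.infra/` hard-codes the path instead of using `{{ httpd_docs_infra_rootdir }}` and never removes pages deleted upstream, so stale content keeps being served; clearing the target first (or `rsync -a --delete`, though rsync is not installed by this role) fixes that, and `git rev-parse HEAD` is a more robust way to read the commit than `git log | head -n 1 | awk '{print $2}'`.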
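Review bot: `SSLProtocol all -SSLv2 -SSLv3` still offers TLS 1.0 and 1.1, and the legacy-style `SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW:...` only moves MEDIUM/LOW suites to the end of the list (`+` reorders, it does not exclude) rather than removing them; for a 2021 deployment this should be `SSLProtocol -all +TLSv1.2 +TLSv1.3` (TLSv1.3 assuming the target's httpd/OpenSSL support it — adjust if the role also targets older EL releases) with an explicit modern list such as `SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305`. `SSLCertificateChainFile` has been deprecated since httpd 2.4.8 in favour of appending the chain to the file named by `SSLCertificateFile`; it still works, but is worth switching if the `pki-tls` task can emit a combined file. The `SetEnvIf User-Agent ".*MSIE.*" ... downgrade-1.0 force-response-1.0` stanza is an Internet Explorer 5/6 workaround with no purpose on a docs site today and can go. As on the plain vhost, `X-Xss-Protection "1; mode=block"` is better set to `0` or removed.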