websites: Add hatchlearningcenter.org

This is the website for Tabitha's new hybrid private school! 👩‍🎓
2022-11-30 22:04:29 -06:00 · 2022-11-30 22:04:29 -06:00 · 244482ac52
parent 11e26c3189
commit 244482ac52
7 changed files with 128 additions and 0 deletions
--- a/certs/websites/hatchlearningcenter.org.cer
+++ b/certs/websites/hatchlearningcenter.org.cer
@ -0,0 +1 @@
+../lego/hatchlearningcenter.org.crt
--- a/certs/websites/hatchlearningcenter.org.key
+++ b/certs/websites/hatchlearningcenter.org.key
@ -0,0 +1 @@
+../lego/hatchlearningcenter.org.key
--- a/group_vars/public-web/main.yml
+++ b/group_vars/public-web/main.yml
@ -10,3 +10,4 @@ userdir_proxy_backend: http://files.pyrocufflink.blue
 tabitha_publisher_keys:
 - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbeVaQ5eGTaQU9P0sqo9R2IISoe50qS/Hv/vvFdt3ce tabitha@Tabithas-MacBook-Pro.local
 dustinandtabitha_publisher_keys: '{{ tabitha_publisher_keys + dchwww_publisher_keys }}'
+hlc_publisher_keys: '{{ tabitha_publisher_keys }}'
--- a/roles/websites/hatchlearningcenter.org/files/hatchlearningcenter.org.httpd.conf
+++ b/roles/websites/hatchlearningcenter.org/files/hatchlearningcenter.org.httpd.conf
@ -0,0 +1,64 @@
+# vim: set ft=apache sw=4 ts=4 sts=4 et :
+<VirtualHost *:80>
+    ServerName hatchlearningcenter.org
+    ServerAlias \
+        www.hatchlearningcenter.org \
+        hatchlearningcenter.com \
+        www.hatchlearningcenter.com \
+        hlcks.org \
+        www.hlcks.org \
+        hlcks.com \
+        www.hlcks.com \
+        hlckc.org \
+        www.hlckc.org \
+        hlckc.com \
+        www.hlckc.com
+
+    RewriteEngine on
+    RewriteRule /.* https://%{SERVER_NAME}$0 [R=301,L]
+</VirtualHost>
+
+<VirtualHost _default_:443>
+    ServerName hatchlearningcenter.org
+    ServerAlias \
+        hatchlearningcenter.com \
+        www.hatchlearningcenter.com \
+        hlcks.org \
+        www.hlcks.org \
+        hlcks.com \
+        www.hlcks.com \
+        hlckc.org \
+        www.hlckc.org \
+        hlckc.com \
+        www.hlckc.com
+
+    Include conf.d/ssl.include
+
+    SSLCertificateFile /etc/pki/tls/certs/hatchlearningcenter.org.cer
+    SSLCertificateKeyFile /etc/pki/tls/private/hatchlearningcenter.org.key
+    SSLCertificateChainFile /etc/pki/tls/certs/hatchlearningcenter.org.cer
+
+    Header always set \
+        Strict-Transport-Security "max-age=63072000; includeSubDomains"
+
+    RewriteEngine On
+    RewriteRule /.* https://www.hatchlearningcenter.org$0 [R=301,L]
+</VirtualHost>
+
+<VirtualHost _default_:443>
+    ServerName www.hatchlearningcenter.org
+
+    Include conf.d/ssl.include
+
+    SSLCertificateFile /etc/pki/tls/certs/hatchlearningcenter.org.cer
+    SSLCertificateKeyFile /etc/pki/tls/private/hatchlearningcenter.org.key
+    SSLCertificateChainFile /etc/pki/tls/certs/hatchlearningcenter.org.cer
+
+    Header always set \
+        Strict-Transport-Security "max-age=63072000; includeSubDomains"
+
+    DocumentRoot /srv/www/hatchlearningcenter.org/htdocs
+    <Directory /srv/www/hatchlearningcenter.org/htdocs>
+        Require all granted
+    </Directory>
+</VirtualHost>
--- a/roles/websites/hatchlearningcenter.org/meta/main.yml
+++ b/roles/websites/hatchlearningcenter.org/meta/main.yml
@ -0,0 +1,7 @@
+dependencies:
+- role: cert
+  vars:
+    cert_src: websites/hatchlearningcenter.org.cer
+    cert_dest: /etc/pki/tls/certs/hatchlearningcenter.org.cer
+    cert_key_src: websites/hatchlearningcenter.org.key
+    cert_key_dest: /etc/pki/tls/private/hatchlearningcenter.org.key
--- a/roles/websites/hatchlearningcenter.org/tasks/main.yml
+++ b/roles/websites/hatchlearningcenter.org/tasks/main.yml
@ -0,0 +1,51 @@
+- name: ensure app group exists
+  group:
+    name: webapp.hlc
+    state: present
+  tags:
+  - group
+  - user
+
+- name: ensure app user exists
+  user:
+    name: webapp.hlc
+    group: webapp.hlc
+    home: /srv/www/hatchlearningcenter.org
+    createhome: true
+    state: present
+  tags:
+  - user
+
+- name: ensure app home directory permissions are set
+  file:
+    path: /srv/www/hatchlearningcenter.org
+    mode: u=rwx,go=rx
+    state: directory
+  tags:
+  - datadir
+
+- name: ensure publisher keys are trusted
+  authorized_key:
+    key: "{{ hlc_publisher_keys|join('\n') }}"
+    user: webapp.hlc
+    exclusive: true
+  tags:
+  - sshkey
+- name: ensure authorized_keys file permissions are correct
+  file:
+    path: /srv/www/hatchlearningcenter.org/.ssh/authorized_keys
+    mode: u=rw,go=
+    owner: webapp.hlc
+    group: webapp.hlc
+    setype: ssh_home_t
+  tags:
+  - sshkey
+
+- name: ensure apache is configured to serve hatchlearningcenter.org
+  copy:
+    src: hatchlearningcenter.org.httpd.conf
+    dest: /etc/httpd/conf.d/hatchlearningcenter.org.conf
+    mode: u=rw,go=r
+  notify: reload httpd
+  tags:
+  - apache-config
--- a/websites.yml
+++ b/websites.yml
@ -59,6 +59,9 @@
  - role: websites/dustinandtabitha.com
    tags:
    - websites/dustinandtabitha
+  - role: websites/hatchlearningcenter.org
+    tags:
+    - websites/hatchlearningcenter.org
  tasks:
  - name: ensure httpd service is running
    service: