websites/dcow: Transition to static site

We don't really use this site for screenshot sharing any more.  It's
cool to keep to look at old screenshots, so I've saved a static snapshot
of it that can be hosted by plain ol' Apache.

group_vars/dch-proxy.yml

@@ -54,7 +54,7 @@ dch_proxy_sites:
   matcher: dom
 - backend: kubernetes
   match: ntfy.pyrocufflink.net
-- backend: kubernetes
+- backend: web
   match: darkchestofwonders.us
 - backend: kubernetes
   match: invoiceninja.pyrocufflink.net

roles/websites/darkchestofwonders.us/meta/main.yml

@@ -1,9 +0,0 @@
-dependencies:
-- role: cert
-  vars:
-    cert_src: websites/darkchestofwonders.us.cer
-    cert_dest: /etc/pki/tls/certs/darkchestofwonders.us.cer
-    cert_key_src: websites/darkchestofwonders.us.key
-    cert_key_dest: /etc/pki/tls/private/darkchestofwonders.us.key
-  tags:
-  - websites/darkchestofwonders.us

roles/websites/darkchestofwonders.us/tasks/main.yml

@@ -1,3 +1,49 @@
+- name: ensure rsync is installed
+  package:
+    name: rsync
+    state: present
+  tags:
+  - install
+
+- name: ensure app group exists
+  group:
+    name: webapp.dcow
+    state: present
+- name: ensure app user exists
+  user:
+    name: webapp.dcow
+    group: webapp.dcow
+    home: /srv/www/darkchestofwonders.us
+    createhome: true
+    state: present
+
+- name: ensure app home directory permissions are set
+  file:
+    path: /srv/www/darkchestofwonders.us
+    mode: u=rwx,go=rx
+    state: directory
+
+- name: ensure app ssh home directory exists
+  file:
+    path: /srv/www/darkchestofwonders.us/.ssh
+    mode: '0700'
+    owner: webapp.dcow
+    group: webapp.dcow
+    setype: ssh_home_t
+    state: directory
+- name: ensure publisher keys are trusted
+  authorized_key:
+    key: "{{ dcow_publisher_keys|join('\n') }}"
+    user: webapp.dcow
+    exclusive: true
+- name: ensure authorized_keys file permissions are correct
+  file:
+    path: /srv/www/darkchestofwonders.us/.ssh/authorized_keys
+    mode: u=rw,go=
+    owner: webapp.dcow
+    group: webapp.dcow
+    setype: ssh_home_t
+
 - name: ensure apache is configured to serve darkchestofwonders.us
   template:
     src=darkchestofwonders.us.httpd.conf.j2

roles/websites/darkchestofwonders.us/templates/darkchestofwonders.us.httpd.conf.j2

@@ -1,9 +1,5 @@
-WSGIDaemonProcess dcow \
-	user=webapp.dcow \
-	group=webapp.dcow \
-	python-home=/srv/www/darkchestofwonders.us/venv \
-	lang=en_US.UTF-8 \
-	display-name=%{GROUP}
+# vim: set ft=apache :
+MDomain darkchestofwonders.us
 
 <VirtualHost _default_:80>
 ServerName darkchestofwonders.us
@@ -16,34 +12,13 @@ RewriteRule (.*) https://%{SERVER_NAME}$1 [R=301,L]
 ServerName darkchestofwonders.us
 
 Include conf.d/ssl.include
-SSLCertificateKeyFile /etc/pki/tls/private/darkchestofwonders.us.key
-SSLCertificateFile /etc/pki/tls/certs/darkchestofwonders.us.cer
 
 <IfModule mod_headers.c>
 	Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
 </IfModule>
 
-ProxyRequests off
-
-ProxyPass / http://k8s-ingress.pyrocufflink.blue/
-ProxyPassReverse / http://k8s-ingress.pyrocufflink.blue/
-ProxyPreserveHost on
-
-<Location />
+DocumentRoot /srv/www/darkchestofwonders.us/htdocs
+<Directory /srv/www/darkchestofwonders.us/htdocs>
 	Require all granted
-</Location>
-
-<Location /upload>
-<IfModule auth_gssapi_module>
-	AuthType GSSAPI
-	AuthName "{{ krb5_realm|lower }} Domain Authentication"
-	#KrbServiceName HTTP/{{ ansible_fqdn }}@{{ krb5_realm }}
-	GssapiCredStore keytab:/etc/httpd/httpd.keytab
-	GssapiBasicAuth On
-	Require valid-user
-</IfModule>
-<IfModule !auth_kerb_module>
-	Require all denied
-</IfModule>
-</Location>	
+</Directory>
 </VirtualHost>

websites.yml

@@ -16,6 +16,8 @@
     tags: websites/ebonfire.com
   - role: websites/nratonpass.com
     tags: websites/nratonpass.com
+  - role: websites/darkchestofwonders.us
+    tags: websites/darkchestofwonders.us
   - role: websites/chmod777.sh
     tags: websites/chmod777.sh
   - role: websites/apps.du5t1n.xyz