configpolicy/roles/apache/tasks/main.yml


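# Install the web server together with mod_ssl, which the TLS tasks further
# down depend on. Module arguments are written as native YAML rather than a
# free-form "key=value" string; the package names stay as the same
# comma-separated string the original passed through to the package manager.
- name: ensure apache httpd is installed
  package:
    name: httpd,mod_ssl
    state: present
  tags:
    - install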
# Render the global ErrorLog fragment into conf.d. The "00-" prefix is
# presumably there so it sorts ahead of the other fragments httpd includes
# from that directory — confirm against the role's templates. Root-owned,
# group/world read-only, so the service account cannot alter its own logging.
- name: ensure global error log is configured
  template:
    src: errorlog.j2
    dest: /etc/httpd/conf.d/00-errorlog.conf
    owner: root
    group: root
    mode: "u=rw,go=r"
  tags:
    - apache-config
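# Deploy the per-host Kerberos keytab from the role's files directory. The
# glob matches only "<inventory_hostname>.keytab", so a host without a keytab
# file gets an empty loop and the task is skipped. The keytab is a credential:
# root-owned, readable by the "apache" group only, no access for others.
# "diff: false" keeps its bytes out of check/diff-mode output, matching what
# the TLS private key task below already does.
- name: ensure http service keytab is in place
  copy:
    src: "{{ item }}"
    dest: /etc/httpd/krb5.keytab
    mode: "0440"
    owner: root
    group: apache
  with_fileglob:
    - "{{ inventory_hostname }}.keytab"
  diff: false
  tags:
    - apache-config
    - keytab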
# Write the TLS private key from inline variable data. Owner read-only
# ("u=r,go=") and labelled cert_t for SELinux; "diff: false" stops the key
# material from being printed in diff output. Only runs when the key data
# variable is set, and triggers an httpd reload when the file changes.
- name: ensure tls private key exists
  copy:
    content: "{{ apache_ssl_certificate_key_data }}"
    dest: "{{ apache_ssl_certificate_key }}"
    mode: "u=r,go="
    setype: cert_t
  diff: false
  when: apache_ssl_certificate_key_data is defined
  notify: reload httpd
  tags:
    - cert
# Write the server certificate from inline variable data. The certificate is
# public, so it is world-readable and, unlike the private key task, diff
# output is not suppressed. Only runs when the certificate data variable is
# set; a changed file reloads httpd.
- name: ensure tls certificate exists
  copy:
    content: "{{ apache_ssl_certificate_data }}"
    dest: "{{ apache_ssl_certificate }}"
    mode: "u=rw,go=r"
    setype: cert_t
  when: apache_ssl_certificate_data is defined
  notify: reload httpd
  tags:
    - cert
# Write the CA (chain) certificate from inline variable data. Both the
# destination path and the data variable must be defined; the list form of
# "when" is an AND of its entries. World-readable like the server certificate.
- name: ensure tls ca certificate exists
  copy:
    content: "{{ apache_ssl_ca_certificate_data }}"
    dest: "{{ apache_ssl_ca_certificate }}"
    mode: "u=rw,go=r"
    setype: cert_t
  when:
    - apache_ssl_ca_certificate is defined
    - apache_ssl_ca_certificate_data is defined
  notify: reload httpd
  tags:
    - cert
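# Render the shared TLS include file. Arguments converted from a free-form
# "key=value" string to native YAML; the file mode is quoted so it stays the
# string "0644" and is not read as a decimal integer by the YAML parser.
- name: ensure ssl.include is populated
  template:
    src: ssl.include.j2
    dest: /etc/httpd/conf.d/ssl.include
    mode: "0644"
  notify: reload httpd
  tags:
    - apache-config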
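# Render the mod_ssl configuration, labelled httpd_config_t for SELinux.
# Arguments converted from a free-form "key=value" string to native YAML,
# with the octal mode quoted so it is not parsed as an integer.
- name: ensure mod_ssl is configured
  template:
    src: ssl.conf.j2
    dest: /etc/httpd/conf.d/ssl.conf
    mode: "0644"
    setype: httpd_config_t
  notify: reload httpd
  tags:
    - apache-config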
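# Render the mod_userdir configuration (per-user web directories). Arguments
# converted from a free-form "key=value" string to native YAML with a quoted
# octal mode. Whether userdirs are actually enabled is decided inside the
# template (presumably by apache_userdir, which the SELinux task below also
# keys on) — confirm against userdir.httpd.conf.j2.
- name: ensure apache userdir module is configured
  template:
    src: userdir.httpd.conf.j2
    dest: /etc/httpd/conf.d/userdir.conf
    mode: "0644"
  notify: reload httpd
  tags:
    - apache-config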
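# Keep the httpd_enable_homedirs SELinux boolean in step with whether user
# directories are configured: on only when apache_userdir is defined, off
# otherwise, so the permission is not left granted after userdirs are
# removed. Persistent across reboots. Arguments converted from a free-form
# "key=value" string to native YAML; the templated state still renders the
# same 'yes'/'no' values the module accepts as booleans.
- name: ensure selinux is configured for apache user directories
  seboolean:
    name: httpd_enable_homedirs
    persistent: true
    state: "{{ 'yes' if apache_userdir is defined else 'no' }}"
  tags:
    - selinux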
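# Render the MPM selection into conf.modules.d, labelled httpd_config_t.
# Arguments converted from a free-form "key=value" string to native YAML
# with a quoted octal mode; "notify" placed before "tags" to match the
# surrounding tasks.
- name: ensure apache mpm module is configured
  template:
    src: mpm.httpd.conf.j2
    dest: /etc/httpd/conf.modules.d/00-mpm.conf
    mode: "0644"
    setype: httpd_config_t
  notify: reload httpd
  tags:
    - apache-config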
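# Render the ServerName fragment, labelled httpd_config_t. Arguments
# converted from a free-form "key=value" string to native YAML with a
# quoted octal mode.
- name: ensure apache server name is set
  template:
    src: servername.httpd.conf.j2
    dest: /etc/httpd/conf.d/00-servername.conf
    mode: "0644"
    setype: httpd_config_t
  notify: reload httpd
  tags:
    - apache-config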
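# Enable httpd at boot. No "state" is given, so this task does not start (or
# restart) the service itself; starting is left to the "reload httpd" handler
# or to whatever else manages the service. Arguments converted from a
# free-form "key=value" string to native YAML with a real boolean.
- name: ensure httpd service starts at boot
  service:
    name: httpd
    enabled: true
  tags:
    - service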
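# Open each entry of web_ports in firewalld. An item containing "/" (a
# constructed example: "443/tcp") is passed as a port, anything else as a
# named firewalld service; "omit" drops the parameter that does not apply.
# The rule goes into the runtime configuration only ("permanent: false"):
# persisting it is delegated to the "save firewalld configuration" handler,
# which is defined outside this file. If that handler does not run (for
# example the play fails before handlers are flushed) the opening is lost at
# the next firewalld reload or reboot. Arguments converted from a folded
# free-form "key=value" string to native YAML.
- name: ensure web ports are open in firewall
  firewalld:
    port: "{{ item if '/' in item else omit }}"
    service: "{{ item if '/' not in item else omit }}"
    permanent: false
    immediate: true
    state: enabled
  with_items: "{{ web_ports }}"
  notify: save firewalld configuration
  tags:
    - firewall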
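# Install the logrotate policy for httpd logs. Arguments converted from a
# free-form "key=value" string to native YAML with a quoted octal mode.
- name: ensure old apache logs are rotated
  template:
    src: httpd.logrotate.j2
    dest: /etc/logrotate.d/httpd
    mode: "0644"
  tags:
    - logrotate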