Ansible playbook and roles to deploy the webservers for fsfe.org, its subdomains and other campaign domains https://fsfe.org
Max Mehl 0ed3d17fc6
add new zangemann domains
2 months ago

README.md

FSFE Webserver

Install

Clone this repo:

git clone --recurse-submodules git@git.fsfe.org:fsfe-system-hackers/webserver.git

Usage

Update the inventory submodule to reflect the newest changes to the list of our hosts (/generate_inventory) and the groups that they are in:

git submodule update --remote inventory

Deploy/update all webservers:

ansible-playbook playbook.yaml

Deploy/update only one webserver:

ansible-playbook -l bunsen.fsfeurope.org playbook.yaml

Tags

There are some ansible tags you can use to only run specific tasks:

  • apache (all typical changes in Apache, but no directory creation or similar)
  • certs (all things regarding TLS certificates, certbot etc.)
  • php (PHP configuration)

Host Vars

The hosts' variables play an essential role. Some are self-explanatory, some are more complex.

Host-wide config:

  • onion_address defines the Onion/Tor address for that host. Currently only applies to fsfe.org.
  • ip_proxy defines whether the whole server – so all primary and alias domains – is behind our ip-proxy. In this case, some extra settings have to be made, and the Apache LogFormat is different. Unfortunately, this cannot be set on a vhost basis.

Each entry under domains is its own vhost and certificate. The parent is the primary domain, e.g. fsfe.org or freeyourandroid.org.

  • template defines the type of the apache2 vhost config to be used (see under /roles/apache2-site/templates).
  • aliases are domains that are aliases to the primary domain (ServerAlias).
  • mode is a special declaration to differentiate between fsfe.org and test.fsfe.org, and is not used for templates other than "fsfe".
  • target applies to "redirection" vhosts, so the URL all requests are pointed to.
  • www_dir is for vhosts that are served directly from a directory ("subdirectory" template).
  • acme_challenge defines how TLS certs are gathered. Default is http-01, but dns-01 triggers the use of the acme-dns-client role.
  • rewrites can define paths for "subdirectory" templates which redirect to the primary domain.
  • includes defines special Apache2 config files that should be included.

Important Notes

  • All domains/aliases that are served by more than one host/VM MUST have acme_challenge: "dns-01". Otherwise, gathering a new or renewed cert will fail sooner or later. This then applies to all aliases of the primary domain.
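
The rule above can be checked before a deployment. The following is an added example, not part of this repository: it flags every vhost that shares a primary domain or alias with another host but does not set acme_challenge to "dns-01". It assumes that domains is a mapping from primary domain to its settings and that aliases is a list. The function name and the sample hosts are hypothetical, and the data is constructed inline instead of being loaded from the host_vars files.

```python
from collections import defaultdict

# Constructed sample data in the assumed host_vars layout (not real FSFE hosts).
SAMPLE_HOST_VARS = {
    "web1.example.org": {"domains": {
        "example.org": {"template": "fsfe", "aliases": ["www.example.org"],
                        "acme_challenge": "dns-01"},
        # No acme_challenge set, so the documented default http-01 applies.
        "campaign.example": {"template": "subdirectory",
                             "aliases": ["shared.example"]},
        "solo.example": {"template": "redirection"},
    }},
    "web2.example.org": {"domains": {
        # Same primary domain as on web1, but dns-01 was forgotten here.
        "example.org": {"template": "fsfe", "aliases": ["www.example.org"]},
        "other.example": {"aliases": ["shared.example"],
                          "acme_challenge": "dns-01"},
    }},
}


def find_http01_on_shared_domains(host_vars):
    """Return sorted (host, primary_domain, shared_name) tuples for vhosts that
    serve a name also served by another host without using dns-01."""
    served_by = defaultdict(set)   # domain name -> {(host, primary), ...}
    challenge = {}                 # (host, primary) -> challenge type
    for host, hv in host_vars.items():
        for primary, cfg in (hv.get("domains") or {}).items():
            cfg = cfg or {}
            challenge[(host, primary)] = cfg.get("acme_challenge", "http-01")
            for name in [primary, *(cfg.get("aliases") or [])]:
                served_by[name.lower()].add((host, primary))

    findings = set()
    for name, vhosts in served_by.items():
        if len({host for host, _ in vhosts}) < 2:
            continue  # name is served by a single host only
        # One shared name forces dns-01 for the whole vhost certificate.
        for vhost in vhosts:
            if challenge[vhost] != "dns-01":
                findings.add((*vhost, name))
    return sorted(findings)


if __name__ == "__main__":
    for host, primary, name in find_http01_on_shared_domains(SAMPLE_HOST_VARS):
        print(f"{host}: vhost {primary} needs acme_challenge dns-01 ({name} is shared)")
```
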