Ansible playbook and roles to deploy the webservers for fsfe.org, its subdomains and other campaign domains https://fsfe.org
Tobias Diekershoff defe38ac87
fix typo
2024-10-10 10:22:15 +02:00
files provide rrsync 2022-08-25 17:06:54 +02:00
group_vars change user for event PRs 2024-08-28 11:31:53 +02:00
host_vars secondary websites 2024-09-27 14:19:15 +02:00
inventory@de8e53f300 Bump inventory 2022-12-14 13:06:03 +01:00
roles fix typo 2024-10-10 10:22:15 +02:00
.drone.yml adding drone CI for docs sync 2023-01-13 15:48:52 +01:00
.gitignore initial apache+letsencrypt setup 2018-07-09 11:22:01 +02:00
.gitmodules prepare cert deployment via acme-dns 2021-10-12 12:52:00 +02:00
ansible.cfg Add FREESCOUT_API_KEY to Apache as env var 2023-06-06 17:14:27 +02:00
COPYING initial apache+letsencrypt setup 2018-07-09 11:22:01 +02:00
open_the_vault.sh Add FREESCOUT_API_KEY to Apache as env var 2023-06-06 17:14:27 +02:00
playbook.yaml added perl JSON dependency to the package list 2023-06-09 15:40:11 +02:00
README.md added docs.fsfe.org badge to the README 2023-01-13 15:51:08 +01:00
requirements.txt initial apache+letsencrypt setup 2018-07-09 11:22:01 +02:00
vault_passphrase.gpg Add Tobias Diekershoff to the vault 2024-05-21 17:27:45 +02:00
vault_passphrase.gpg.license Add FREESCOUT_API_KEY to Apache as env var 2023-06-06 17:14:27 +02:00

FSFE Webserver

in docs.fsfe.org

Install

Clone this repo:

git clone --recurse-submodules git@git.fsfe.org:fsfe-system-hackers/webserver.git

Usage

Update the inventory submodule to reflect the newest changes to the list of our hosts (/generate_inventory) and the groups that they are in:

git submodule update --remote inventory

Deploy/update all webservers:

ansible-playbook playbook.yaml

Deploy/update only one webserver:

ansible-playbook -l bunsen.fsfeurope.org playbook.yaml

Tags

There are some ansible tags you can use to only run specific tasks:

  • apache (all typical changes in Apache, but no directory creation or similar)
  • certs (everything regarding TLS certificates, certbot, etc.)
  • php (PHP configuration)

Host Vars

The hosts' variables play an essential role. Some are self-explanatory, some are more complex.

Host-wide config:

  • onion_address defines the Onion/Tor address for that host. Currently only applies to fsfe.org.
  • ip_proxy defines whether the whole server, that is all primary and alias domains, is behind our ip-proxy. In this case, some extra settings have to be made, and the Apache LogFormat is different. Unfortunately, this cannot be set on a per-vhost basis.

Each entry under domains is its own vhost with its own certificate. The parent is the primary domain, e.g. fsfe.org or freeyourandroid.org.

  • template defines the type of the apache2 vhost config to be used (see under /roles/apache2-site/templates).
  • aliases are domains that are aliases to the primary domain (ServerAlias).
  • mode is a special declaration to distinguish between fsfe.org and test.fsfe.org; it is not used for templates other than "fsfe".
  • target applies to "redirection" vhosts: it is the URL that all requests are pointed to.
  • www_dir is for vhosts that are served directly from a directory ("subdirectory" template).
  • acme_challenge defines how TLS certs are obtained. The default is http-01, but dns-01 triggers the use of the acme-dns-client role.
  • rewrites can define paths for "subdirectory" templates which redirect to the primary domain.
  • includes defines special Apache2 config files that should be included.

Important Notes

  • All domains/aliases that are served by more than one host/VM MUST have acme_challenge: "dns-01". Otherwise, obtaining a new or renewed cert will fail sooner or later. This then applies to all aliases of the primary domain.
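
A lint for the rule above, as an added example that is not part of this repository: it flags every vhost that shares its primary domain or an alias with another host but does not set acme_challenge to dns-01. The host names and the dictionary layout of the host vars (host, then domains, then per-domain keys) are assumptions made for illustration.

```python
"""Added example: lint host vars for the multi-host dns-01 rule."""
from collections import defaultdict

# Constructed sample data. The layout is an assumption based on the README:
# host -> {"domains": {primary_domain: {"aliases": [...], "acme_challenge": ...}}}
SAMPLE_HOST_VARS = {
    "web1.example.org": {"domains": {
        "example.org": {"template": "fsfe", "aliases": ["www.example.org"],
                        "acme_challenge": "dns-01"},
        "campaign.example": {"template": "redirection"},
    }},
    "web2.example.org": {"domains": {
        "example.org": {"template": "fsfe", "aliases": ["www.example.org"]},
        "static.example": {"template": "subdirectory",
                           "aliases": ["campaign.example"]},
    }},
}


def find_violations(host_vars):
    """Return sorted (host, primary_domain, shared_names) tuples for every
    vhost that shares a name with another host but does not use dns-01."""
    # Pass 1: record which hosts serve each primary domain or alias.
    hosts_by_name = defaultdict(set)
    for host, hvars in host_vars.items():
        for primary, cfg in (hvars.get("domains") or {}).items():
            for name in [primary, *((cfg or {}).get("aliases") or [])]:
                hosts_by_name[name.lower()].add(host)

    # Pass 2: one certificate covers the primary domain and all its aliases,
    # so a single shared name makes the whole vhost require dns-01.
    violations = []
    for host, hvars in host_vars.items():
        for primary, cfg in (hvars.get("domains") or {}).items():
            cfg = cfg or {}
            names = [primary, *(cfg.get("aliases") or [])]
            shared = sorted(n.lower() for n in names
                            if len(hosts_by_name[n.lower()]) > 1)
            # README: the default challenge is http-01 when nothing is set.
            if shared and cfg.get("acme_challenge", "http-01") != "dns-01":
                violations.append((host, primary, shared))
    return sorted(violations)


if __name__ == "__main__":
    for host, primary, shared in find_violations(SAMPLE_HOST_VARS):
        print(f"{host}: {primary} needs acme_challenge dns-01 "
              f"(shared names: {', '.join(shared)})")
```

Run against the real host vars before a deployment, a non-empty result points at the vhosts whose certificate renewal would eventually fail.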