Move Apache stuff to a separate role

ansible/ansible.cfg

@@ -1,5 +1,7 @@
 [defaults]
 ansible_python_interpreter = python3
+display_ok_hosts = false
+hash_behaviour = merge
 inventory = hosts
 remote_user = root
 

ansible/group_vars/all.yml

@@ -1,9 +1,5 @@
 ---
 ansible_python_interpreter: python3
-apache2_logdir: /var/log/apache2
-apache2:
-  max_request_workers: 450
-  server_limit: 20
 
 tileserver:
   styles:
@@ -39,3 +35,220 @@ users:
     root: true
     ssh_public_keys:
       - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINhAgXnd5Gx6vfKbJa/PZLFcyrcQ04HZ3wu9cSb9BEtv [email protected]"
+
+apache2:
+  modules:
+    proxy:
+    proxy_http:
+    headers:
+    wsgi:
+    http2:
+    rewrite:
+    alias:
+  sites:
+    www.openrailwaymap.org.conf:
+      content: |
+        <VirtualHost *:80>
+            ServerName www.openrailwaymap.org
+            ServerAlias openrailwaymap.org
+            ServerAlias {{ inventory_hostname }}
+            Include /etc/apache2/sites-available/redirect-http.inc
+        </VirtualHost>
+        <VirtualHost *:443>
+            SSLEngine on
+            SSLCertificateFile /etc/letsencrypt/openrailwaymap.org/openrailwaymap.org-chain.crt
+            SSLCertificateKeyFile /etc/letsencrypt/openrailwaymap.org/domain.key
+            SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
+            SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+            SSLHonorCipherOrder off
+            SSLSessionTickets off
+
+            Include /etc/apache2/sites-available/www.openrailwaymap.org.inc
+        </VirtualHost>
+    www.openrailwaymap.org.inc:
+      enabled: no
+      content: |
+        DocumentRoot /var/www/www.openrailwaymap.org
+        ServerName www.openrailwaymap.org
+        ServerAlias openrailwaymap.org
+        ServerAlias {{ inventory_hostname }}
+
+        <Directory /var/www/www.openrailwaymap.org>
+            AllowOverride None
+        </Directory>
+
+        AddType application/json .json
+
+        # alias for imprint
+        Alias /de/imprint /var/www/www.openrailwaymap.org/imprint-de.html
+        Alias /en/imprint /var/www/www.openrailwaymap.org/imprint-en.html
+
+        # language redirection for imprint page
+        RewriteEngine On
+        RewriteCond %{REQUEST_URI} ^/imprint$
+        RewriteCond %{HTTP:Accept-Language} ^de[-,;].*$ [NC]
+        RewriteRule ^/imprint$ /imprint-de.html [L,R=307]
+        RewriteCond %{HTTP:Accept-Language} ^en[-,;].*$ [NC]
+        RewriteRule ^/imprint$ /imprint-en.html [L,R=307]
+        RewriteCond %{HTTP:Accept-Language} [,;]de[-,;].*$ [NC]
+        RewriteRule ^/imprint$ /imprint-de.html [L,R=307]
+        RewriteCond %{HTTP:Accept-Language} [,;]en[-,;].*$ [NC]
+        RewriteRule ^/imprint$ /imprint-en.html [L,R=307]
+
+        ErrorLog /var/log/apache2/www.openrailwaymap.org.error.log
+        LogLevel info ssl:warn
+        CustomLog /var/log/apache2/www.openrailwaymap.org.access.log combined
+
+        DirectoryIndex index.php
+        ProxyPassMatch "^/(.*\.php)$" "unix:/run/php/php7.3-fpm.sock|fcgi://localhost/var/www/www.openrailwaymap.org/"
+    api.openrailwaymap.org.conf:
+      content: |
+        <VirtualHost *:80>
+            ServerName api.openrailwaymap.org
+            Include /etc/apache2/sites-available/redirect-http.inc
+        </VirtualHost>
+
+        WSGIDaemonProcess api_v2 python-path=/opt/OpenRailwayMap-api processes=4 threads=1 user=openrailwaymap
+
+        <VirtualHost *:443>
+            SSLEngine on
+            SSLCertificateFile /etc/letsencrypt/openrailwaymap.org/openrailwaymap.org-chain.crt
+            SSLCertificateKeyFile /etc/letsencrypt/openrailwaymap.org/domain.key
+            SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
+            SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+            SSLHonorCipherOrder off
+            SSLSessionTickets off
+
+            Include /etc/apache2/sites-available/api.openrailwaymap.org.inc
+        </VirtualHost>
+    api.openrailwaymap.org.inc:
+      enabled: no
+      content: |
+        ServerName  api.openrailwaymap.org
+        DocumentRoot /var/www/www.openrailwaymap.org
+
+        ProxyPass /server-status !
+
+        ProxyPass /timestamp !
+        Alias "/timestamp" "/nvme/data/timestamp.txt"
+        Alias "/v2/timestamp" "/nvme/data/timestamp.txt"
+        Header set Access-Control-Allow-Origin "*"
+        <location /timestamp>
+            ForceType text/plain
+            Require all granted
+        </location>
+        <location /v2/timestamp>
+            ForceType text/plain
+            Require all granted
+        </location>
+
+        ProxyPass /.well-known !
+
+        RewriteEngine on
+        # Generic user agents
+        # Dalvik, an Android HTTP library
+        RewriteCond "%{HTTP_USER_AGENT}" "^Dalvik/[0-9.]+ \(Linux; U; Android" [OR]
+        # Dart:io, a NodeJS HTTP library
+        RewriteCond "%{HTTP_USER_AGENT}" "^Dart/\d+\.\d+ \(dart:io\)$" [OR]
+        # python-requests, a Python HTTP library
+        RewriteCond "%{HTTP_USER_AGENT}" "^python-requests/" [OR]
+        # python-requests, a Python HTTP library
+        RewriteCond "%{HTTP_USER_AGENT}" "^MOBAC/" [OR]
+        # Wget, non-interactive network downloader
+        RewriteCond "%{HTTP_USER_AGENT}" "^Wget/" [OR]
+        # Go HTTP client
+        RewriteCond "%{HTTP_USER_AGENT}" "^Go-http-client/" [OR]
+        # Empty user agents
+        RewriteCond "%{HTTP_USER_AGENT}" "^$"
+        RewriteRule "." "-" [F]
+
+        # This IP appears with referer web.alarmmonitor.de on the tile server. On the API vhost, all requests end with status 408.
+        RewriteCond expr "%{REMOTE_ADDR} -ipmatch '80.153.203.81'" [OR]
+        RewriteCond expr "%{REMOTE_ADDR} -ipmatch '195.192.216.10'"
+        RewriteRule "." "-" [R=429,L]
+
+        ProxyPass /v2 !
+        WSGIScriptAlias /v2 /opt/OpenRailwayMap-api/api.py
+        WSGIProcessGroup api_v2
+
+        <Location /v2>
+            Require all granted
+        </Location>
+
+        ProxyPreserveHost On
+        ProxyPass / http://localhost:9002/
+        ProxyPassReverse / http://localhost:9002/
+
+        ErrorLog /var/log/apache2/api.openrailwaymap.org.error.log
+        LogLevel info ssl:warn
+        CustomLog /var/log/apache2/api.openrailwaymap.org.access.log combined
+    blog.openrailwaymap.org.conf:
+      content: |
+        <VirtualHost *:80>
+            ServerName blog.openrailwaymap.org
+            Include /etc/apache2/sites-available/redirect-http.inc
+        </VirtualHost>
+        <VirtualHost *:443>
+            SSLEngine on
+            SSLCertificateFile /etc/letsencrypt/openrailwaymap.org/openrailwaymap.org-chain.crt
+            SSLCertificateKeyFile /etc/letsencrypt/openrailwaymap.org/domain.key
+            SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
+            SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+            SSLHonorCipherOrder off
+            SSLSessionTickets off
+
+            Include /etc/apache2/sites-available/blog.openrailwaymap.org.inc
+        </VirtualHost>
+    blog.openrailwaymap.org.inc:
+      enabled: no
+      content: |
+        DocumentRoot /var/www/blog
+        ServerName blog.openrailwaymap.org
+
+        <Directory /var/www/blog>
+            AllowOverride None
+        </Directory>
+
+        AddType application/json .json
+        ProxyPassMatch "^/(.*\.php)$" "unix:/run/php/php7.3-fpm.sock|fcgi://localhost/var/www/blog/"
+
+        ErrorLog /var/log/apache2/blog.openrailwaymap.org.error.log
+        LogLevel info
+        CustomLog /var/log/apache2/blog.openrailwaymap.org.access.log combined
+
+        DirectoryIndex index.php
+    mailman.conf:
+      content: |
+        <VirtualHost *:80>
+            ServerName lists.openrailwaymap.org
+            Include /etc/apache2/sites-available/redirect-http.inc
+        </VirtualHost>
+        <VirtualHost *:443>
+            ServerName lists.openrailwaymap.org
+            ServerAlias lists.orm-dev
+        
+            SSLEngine on
+            SSLCertificateFile /etc/letsencrypt/openrailwaymap.org/openrailwaymap.org-chain.crt
+            SSLCertificateKeyFile /etc/letsencrypt/openrailwaymap.org/domain.key
+            SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
+            SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+            SSLHonorCipherOrder off
+            SSLSessionTickets off
+        
+            Include /etc/apache2/sites-available/mailman.inc
+            Include /etc/mailman3/apache.conf
+            RedirectMatch "^/$" "/mailman3"
+            <Location /mailman3/hyperkitty/api>
+                Require local
+            </Location>
+        </VirtualHost>
+        
+        <VirtualHost *:80>
+            # requests by mailman3-hyperkitty (the archiver)
+            ServerName 127.0.0.1
+            ServerAlias localhost
+            Include /etc/mailman3/apache.conf
+            <Location /mailman3/hyperkitty/api>
+                Require local
+            </Location>
+        </VirtualHost>

ansible/group_vars/tileservers.yml

@@ -0,0 +1,18 @@
+apache:
+  modules:
+    remoteip:
+    tile:
+    rewrite:
+    alias:
+  sites:
+    tileserver_site.conf:
+      enabled: no
+  configurations:
+    max_request_workers.conf:
+      content: |
+        <IfModule mpm_event_module>
+            # MaxRequestWorkers could be raised up to ServerLimit * ThreadsPerChild (defaults to 16 and 25)
+            # For default of ThreadsPerChild, see mods-available/mpm_event.conf
+            MaxRequestWorkers 450
+            ServerLimit 20
+        </IfModule>

ansible/host_vars/buegelfalte.openrailwaymap.org.yml

@@ -1,3 +1,13 @@
 pg_version: 11
 website_hostname_aliases:
   - buegelfalte.openrailwaymap.org
+
+apache2:
+  sites:
+    redirect-http.inc:
+      enabled: no
+      content: |-
+        RewriteEngine On
+        RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge
+        RewriteCond %{HTTPS} off
+        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

ansible/hosts

@@ -1,5 +1,8 @@
 buegelfalte.openrailwaymap.org
 
+[tileservers]
+buegelfalte.openrailwaymap.org
+
 [letsencrypt]
 buegelfalte.openrailwaymap.org
 

ansible/openrailwaymap/openrailwaymap.yml

@@ -1,4 +1,12 @@
 # SPDX-License-Identifier: MIT
+- hosts: all
+  become: yes
+  tags: webserver
+  tasks:
+    - name: 'Webserver configuration'
+      import_role:
+        name: roles/webserver
+
 - hosts: letsencrypt
   become: yes
   tags: letsencrypt
@@ -27,12 +35,6 @@
         name: roles/website
       vars:
         osm_dbname: gis
-        website_hostname: www.openrailwaymap.org
-        website_hostname_aliases:
-          - openrailwaymap.org
-          - buegelfalte.openrailwaymap.org
-        api_hostname: api.openrailwaymap.org
-        website_dir: /var/www/www.openrailwaymap.org
         openrailwaymap_user_home: /srv/openrailwaymap
         api_v2:
           directory: /opt/OpenRailwayMap-api
@@ -45,10 +47,6 @@
       import_role:
         name: roles/blog
       vars:
-        blog:
-          hostname: blog.openrailwaymap.org
-          hostname_aliases: []
-          directory: /var/www/blog
 
 - hosts: mailservers
   become: yes
@@ -61,7 +59,6 @@
         mail:
           mailman2: false
           mailman3: true
-          http_hostname: lists.openrailwaymap.org
 
 - hosts: backup_access
   become: yes

ansible/roles/blog/tasks/main.yml

@@ -1,18 +1,18 @@
 - name: Install required packages from APT
   apt:
-    name: [php-fpm, apache2, php-xml]
+    name: [php-fpm, php-xml]
 
 - name: Create directory for Git repository
   file:
-    path: '{{ blog.directory }}'
+    path: '/var/www/blog'
     owner: root
     group: root
     state: directory
     mode: '0755'
 
 - name: Clone Git repository of the blog
   git:
-    dest: '{{ blog.directory }}'
+    dest: '/var/www/blog'
     repo: https://github.com/OpenRailwayMap/openrailwaymap-blog.git
     # We need to call it with force:yes because our database layout requires to overwrite api/config.json
     force: yes
@@ -60,25 +60,3 @@
       line: 'pm.max_spare_servers = 6'
   notify:
     - systemd restart php-fpm
-
-- name: Add blog VirtualHost configuration of Apache
-  template:
-    src: '{{ item }}'
-    dest: '/etc/apache2/sites-available/{{ item }}'
-    owner: root
-    group: root
-    mode: 0664
-  loop:
-    - 'blog.openrailwaymap.org.inc'
-    - 'blog.openrailwaymap.org.conf'
-  register: apache_virtualhost_files
-  notify:
-    - systemd reload apache2
-
-- name: Enable Apache VirtualHost configuration for API and website
-  command:
-    cmd: 'a2ensite blog.openrailwaymap.org.conf'
-    chdir: /etc/apache2/sites-available
-    creates: '/etc/apache2/sites-enabled/blog.openrailwaymap.org.conf'
-  notify:
-    - systemd reload apache2