debops-contrib · ganto · Feb 13, 2017 · Mar 29, 2017 · Mar 30, 2017 · Mar 30, 2017
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -598,63 +598,15 @@ checkmk_server__site_cfg_netif_description:
 checkmk_server__site_packages: []
                                                                    # ]]]
                                                                    # ]]]
-# PKI Configuration [[[
-# ---------------------
+# Configuration for other Ansible roles [[[
+# -----------------------------------------
 
-# .. envvar:: checkmk_server__pki [[[
+# .. envvar:: checkmk_server__apache__dependent_vhosts [[[
 #
-# Enable or disable support for HTTPS in Check_MK server (using
-# debops.pki_).
-checkmk_server__pki: '{{ (True
-                          if (ansible_local|d() and ansible_local.pki|d() and
-                              ansible_local.pki.enabled|d() | bool)
-                          else False) | bool }}'
-
-                                                                   # ]]]
-# .. envvar:: checkmk_server__pki_path [[[
-#
-# Base path for PKI directory.
-checkmk_server__pki_path: '{{ ansible_local.pki.path
-                              if (ansible_local|d() and ansible_local.pki|d() and
-                                  ansible_local.pki.path|d())
-                              else "/etc/pki/realms" }}'
-
-                                                                   # ]]]
-# .. envvar:: checkmk_server__pki_realm [[[
-#
-# Default PKI realm used by Check_MK server.
-checkmk_server__pki_realm: '{{ ansible_local.pki.realm
-                               if (ansible_local|d() and ansible_local.pki|d() and
-                                   ansible_local.pki.realm|d())
-                               else "domain" }}'
-
-                                                                   # ]]]
-# .. envvar:: checkmk_server__pki_ca [[[
-#
-# Root CA certificate, relative to :envvar:`checkmk_server__pki_realm`.
-checkmk_server__pki_ca: 'CA.crt'
-
-                                                                   # ]]]
-# .. envvar:: checkmk_server__pki_crt [[[
-#
-# Host certificate, relative to :envvar:`checkmk_server__pki_realm`.
-checkmk_server__pki_crt: 'default.crt'
-
-                                                                   # ]]]
-# .. envvar:: checkmk_server__pki_key [[[
-#
-# Host private key, relative to :envvar:`checkmk_server__pki_realm`.
-checkmk_server__pki_key: 'default.key'
-
-                                                                   # ]]]
-# .. envvar:: checkmk_server__tls_options [[[
-#
-# Additional Apache mod_ssl options. Valid configuration keys:
-# ``SSLCipherSuite``, ``SSLHonorCipherOrder``, ``SSLProtocols``,
-# ``SSLStrictSNIVHostCheck``
-checkmk_server__tls_options:
-  SSLHonorCipherOrder: 'On'
-  SSLCipherSuite: 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS'
+# Configuration for debops.apache_ Ansible role.
+checkmk_server__apache__dependent_vhosts:
+  - name: '{{ checkmk_server__fqdn }}'
+    by_role: 'debops-contrib.checkmk_server'
                                                                    # ]]]
                                                                    # ]]]
                                                                    # ]]]
diff --git a/docs/playbooks/checkmk_server.yml b/docs/playbooks/checkmk_server.yml
@@ -6,21 +6,29 @@
 
   roles:
 
+    - role: debops.apache/env
+      tags: [ 'role::apache', 'role::apache:env' ]
+
     - role: debops-contrib.checkmk_server/env
       tags: [ 'role::checkmk_server', 'role::checkmk_server:env' ]
 
-    - role: debops.users
-      tags: [ 'role::users' ]
-      users__dependent_accounts: '{{ ansible_local.checkmk_server | map(attribute="dependent_vars.users__dependent_accounts") | list }}'
-
     - role: debops.etc_services
       tags: [ 'role::etc_services' ]
       etc_services__dependent_list: '{{ ansible_local.checkmk_server | map(attribute="dependent_vars.etc_services__dependent_list") | list }}'
 
     - role: debops.ferm
       tags: [ 'role::ferm' ]
       ferm__dependent_rules:
+        - '{{ apache__ferm__dependent_rules }}'
         - '{{ checkmk_server__ferm_dependent_rules }}'
 
+    - role: debops.apache
+      tags: [ 'role::apache' ]
+      apache__dependent_vhosts: '{{ checkmk_server__apache__dependent_vhosts }}'
+
+    - role: debops.users
+      tags: [ 'role::users' ]
+      users__dependent_accounts: '{{ ansible_local.checkmk_server | map(attribute="dependent_vars.users__dependent_accounts") | list }}'
+
     - role: debops-contrib.checkmk_server
       tags: [ 'role::checkmk_server' ]
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -1,60 +1,10 @@
 ---
 # vim: foldmarker=[[[,]]]:foldmethod=marker
 
-#- debug:
-#    var: checkmk_server__sites
-#- fail:
-#    msg: 'bla'
-
-- name: Set TLS options
-  template:
-    src: 'etc/apache2/mods-available/ssl.conf.j2'
-    dest: '/etc/apache2/mods-available/ssl.conf'
-    owner: 'root'
-    group: 'root'
-    mode: '0644'
-  when: checkmk_server__pki|d(False)
-  notify: [ 'Reload apache2' ]
-
-- name: Check apache2 mod_headers status
-  stat:
-    path: '/etc/apache2/mods-enabled/headers.load'
-  register: checkmk_server_register_mod_headers
-  changed_when: False
-  always_run: True
-
-- name: Enable apache2 mod_headers
-  command: 'a2enmod headers'
-  when: not checkmk_server_register_mod_headers.stat.exists
-  notify: [ 'Reload apache2' ]
-
-- name: Check apache2 mod_ssl status
-  stat:
-    path: '/etc/apache2/mods-enabled/ssl.load'
-  register: checkmk_server_register_mod_ssl
-  changed_when: False
-  always_run: True
-
-- name: Enable apache2 mod_ssl
-  command: '{{ item }}'
-  with_items:
-    - 'a2enmod ssl'
-    - 'a2ensite default-ssl'
-  when: checkmk_server__pki|d(False) and not checkmk_server_register_mod_ssl.stat.exists
-  notify: [ 'Reload apache2' ]
-
-- name: Disable apache2 mod_ssl
-  command: '{{ item }}'
-  with_items:
-    - 'a2dismod ssl'
-    - 'a2dissite default-ssl'
-  when: not checkmk_server__pki|d(False) and checkmk_server_register_mod_ssl.stat.exists
-  notify: [ 'Reload apache2' ]
-
 - name: Manage SSH keys for monitoring and site synchronization
   include: ssh.yml
 
-- name: Manage Check_MK site
+- name: Manage Check_MK sites
   include: site.yml
   with_items: '{{ checkmk_server__sites }}'
   loop_control:
@@ -69,6 +19,9 @@
     - 'role::checkmk_server:multisite'
     - 'role::checkmk_server:users'
 
+- name: Trigger reload/restart handlers
+  meta: flush_handlers
+
 - name: Login on distributed sites
   include: login.yml
   when: (checkmk_server__sites | length) > 1