Merge pull request #3 from HypertextAssassin0273/feature/zubair

updated playbooks

playbooks/sanjna_playbooks/apache_ssl.yaml

@@ -0,0 +1,138 @@
+---
+- name: Install and configure Apache with SSL
+  hosts: all
+  become: yes
+  vars:
+    apache_port: 443
+    server_name: example.com
+    cert_dir: /etc/ssl/certs
+    key_dir: /etc/ssl/private
+    cert_name: apache_selfsigned
+
+  tasks:
+    - name: Update apt cache
+      apt:
+        update_cache: yes
+      when: ansible_os_family == "Debian"
+
+    - name: Install Apache and required modules
+      package:
+        name:
+          - apache2
+          - openssl
+        state: present
+
+    - name: Ensure SSL certificate directories exist
+      file:
+        path: "{{ item }}"
+        state: directory
+        mode: '0755'
+      loop:
+        - "{{ cert_dir }}"
+        - "{{ key_dir }}"
+
+    - name: Enable SSL and headers modules
+      apache2_module:
+        name: "{{ item }}"
+        state: present
+      loop:
+        - ssl
+        - headers
+      notify: Reload apache
+
+    - name: Check if SSL certificate exists
+      stat:
+        path: "{{ cert_dir }}/{{ cert_name }}.crt"
+      register: ssl_cert
+
+    - name: Generate self-signed SSL certificate
+      shell: |
+        openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
+        -keyout {{ key_dir }}/{{ cert_name }}.key \
+        -out {{ cert_dir }}/{{ cert_name }}.crt \
+        -subj "/C=US/ST=State/L=City/O=Organization/OU=IT Department/CN={{ server_name }}"
+      when: not ssl_cert.stat.exists
+      notify: Reload apache
+
+    - name: Set SSL certificate permissions
+      file:
+        path: "{{ item.path }}"
+        owner: root
+        group: root
+        mode: "{{ item.mode }}"
+      loop:
+        - { path: "{{ cert_dir }}/{{ cert_name }}.crt", mode: '0644' }
+        - { path: "{{ key_dir }}/{{ cert_name }}.key", mode: '0600' }
+      when: not ssl_cert.stat.exists
+
+    - name: Create Apache SSL configuration
+      copy:
+        dest: /etc/apache2/sites-available/default-ssl.conf
+        content: |
+          <IfModule mod_ssl.c>
+              <VirtualHost *:{{ apache_port }}>
+                  ServerAdmin webmaster@localhost
+                  ServerName {{ server_name }}
+                  DocumentRoot /var/www/html
+
+                  SSLEngine on
+                  SSLCertificateFile {{ cert_dir }}/{{ cert_name }}.crt
+                  SSLCertificateKeyFile {{ key_dir }}/{{ cert_name }}.key
+
+                  <FilesMatch "\.(cgi|shtml|phtml|php)$">
+                      SSLOptions +StdEnvVars
+                  </FilesMatch>
+
+                  <Directory /usr/lib/cgi-bin>
+                      SSLOptions +StdEnvVars
+                  </Directory>
+
+                  ErrorLog ${APACHE_LOG_DIR}/error.log
+                  CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+                  # Modern SSL configuration
+                  SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
+                  SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+                  SSLHonorCipherOrder off
+                  SSLSessionTickets off
+
+                  # HSTS (uncomment if you're sure)
+                  # Header always set Strict-Transport-Security "max-age=63072000"
+              </VirtualHost>
+          </IfModule>
+        owner: root
+        group: root
+        mode: '0644'
+      notify: Reload apache
+
+    - name: Enable default SSL site
+      command: a2ensite default-ssl
+      notify: Reload apache
+
+    # Optional UFW configuration - only run if UFW is installed
+    - name: Check if UFW is installed
+      command: which ufw
+      register: ufw_check
+      ignore_errors: yes
+      changed_when: false
+
+    - name: Allow HTTPS through UFW firewall
+      community.general.ufw:
+        rule: allow
+        port: "{{ apache_port }}"
+        proto: tcp
+      when: 
+        - ufw_check.rc == 0
+        - not ansible_virtualization_type in ['docker', 'container']
+
+    - name: Ensure Apache service is started and enabled
+      service:
+        name: apache2
+        state: started
+        enabled: yes
+
+  handlers:
+    - name: Reload apache
+      service:
+        name: apache2
+        state: reloaded

playbooks/sanjna_playbooks/apache_ssl2.yaml

@@ -0,0 +1,113 @@
+---
+- name: Install and configure Apache SSL server
+  hosts: all
+  become: yes
+  vars:
+    apache_port: "443"
+    server_name: "{{ server_name | default('example.com') }}"
+    ssl_cert_path: "/etc/ssl/certs/{{ server_name }}.crt"
+    ssl_key_path: "/etc/ssl/private/{{ server_name }}.key"
+
+  tasks:
+    # Step 1: Install Apache and SSL module
+    - name: Install Apache and SSL module
+      apt:
+        name:
+          - apache2
+          - ssl-cert
+          - ufw
+        state: present
+        update_cache: yes
+
+    # Step 2: Enable SSL module and default SSL site
+    - name: Enable SSL module
+      apache2_module:
+        name: ssl
+        state: present
+
+    - name: Enable default SSL site
+      apache2_site:
+        name: default-ssl
+        state: enabled
+
+    # Step 3: Create SSL directory for certificates
+    - name: Create SSL directory for certificates
+      file:
+        path: "/etc/ssl/private"
+        state: directory
+        mode: '0700'
+
+    # Step 4: Generate self-signed SSL certificate
+    - name: Generate self-signed SSL certificate
+      openssl_certificate:
+        path: "{{ ssl_cert_path }}"
+        privatekey_path: "{{ ssl_key_path }}"
+        common_name: "{{ server_name }}"
+        issuer: "Self-signed"
+        state: present
+        country_name: "US"
+        state_or_province_name: "California"
+        locality_name: "San Francisco"
+        organization_name: "Example Organization"
+        organizational_unit_name: "IT"
+        email_address: "[email protected]"
+        days: 365
+
+    # Step 5: Create custom SSL virtual host configuration
+    - name: Create custom SSL virtual host configuration
+      copy:
+        dest: "/etc/apache2/sites-available/{{ server_name }}-ssl.conf"
+        content: |
+          <VirtualHost *:443>
+              ServerAdmin webmaster@{{ server_name }}
+              ServerName {{ server_name }}
+              
+              DocumentRoot /var/www/html
+              
+              SSLEngine on
+              SSLCertificateFile {{ ssl_cert_path }}
+              SSLCertificateKeyFile {{ ssl_key_path }}
+              
+              <Directory "/var/www/html">
+                  Options Indexes FollowSymLinks
+                  AllowOverride All
+                  Require all granted
+              </Directory>
+              
+              ErrorLog ${APACHE_LOG_DIR}/error.log
+              CustomLog ${APACHE_LOG_DIR}/access.log combined
+          </VirtualHost>
+        mode: '0644'
+      notify: Reload Apache
+
+    # Step 6: Enable the custom SSL site
+    - name: Enable the custom SSL site
+      apache2_site:
+        name: "{{ server_name }}-ssl"
+        state: enabled
+
+    # Step 7: Configure UFW firewall to allow HTTPS (port 443)
+    - name: Allow HTTPS through UFW
+      ufw:
+        rule: allow
+        port: "{{ apache_port }}"
+        proto: tcp
+
+    # Step 8: Ensure Apache is running and enabled
+    - name: Ensure Apache is running and enabled
+      service:
+        name: apache2
+        state: started
+        enabled: yes
+
+    - name: Wait for Apache to start
+      wait_for:
+        port: "{{ apache_port }}"
+        timeout: 30
+        state: started
+
+  handlers:
+    - name: Reload Apache
+      service:
+        name: apache2
+        state: reloaded

playbooks/sanjna_playbooks/db_management.yaml

@@ -0,0 +1,128 @@
+---
+- name: Install and configure PostgreSQL
+  hosts: all
+  become: yes
+  vars:
+    postgres_user: "postgres"
+    postgres_password: "postgres_password"
+    postgres_db: "example_db"
+    locale: "en_US.UTF-8"
+    postgres_locale: "en_US.utf8"
+
+  tasks:
+    # Step 1: Install sudo
+    - name: Install sudo
+      apt:
+        name: sudo
+        state: present
+        update_cache: yes
+
+    # Step 2: Install required locales
+    - name: Ensure required locales are present
+      apt:
+        name: 
+          - locales
+          - locales-all
+        state: present
+
+    # Step 3: Generate required locale
+    - name: Generate en_US.UTF-8 locale
+      locale_gen:
+        name: "{{ locale }}"
+        state: present
+
+    # Step 4: Install psycopg2 library for PostgreSQL
+    - name: Install psycopg2 library for PostgreSQL
+      apt:
+        name: python3-psycopg2
+        state: present
+
+    # Step 5: Install PostgreSQL
+    - name: Install PostgreSQL
+      apt:
+        name: postgresql
+        state: present
+
+    # Step 6: Ensure PostgreSQL is running
+    - name: Ensure PostgreSQL is running
+      service:
+        name: postgresql
+        state: started
+        enabled: yes
+
+    # Step 7: Wait for PostgreSQL to be ready
+    - name: Wait for PostgreSQL to be ready
+      wait_for:
+        port: 5432
+        timeout: 30
+
+    # Step 8: Set PostgreSQL user password
+    - name: Set PostgreSQL user password
+      become_user: postgres
+      postgresql_user:
+        name: "{{ postgres_user }}"
+        password: "{{ postgres_password }}"
+        role_attr_flags: LOGIN,SUPERUSER
+
+    # Step 9: Create PostgreSQL database with correct locale
+    - name: Create PostgreSQL database
+      become_user: postgres
+      postgresql_db:
+        name: "{{ postgres_db }}"
+        owner: "{{ postgres_user }}"
+        encoding: UTF8
+        lc_collate: "{{ postgres_locale }}"
+        lc_ctype: "{{ postgres_locale }}"
+        template: template0
+        state: present
+
+    # Step 10: Configure PostgreSQL to listen on all interfaces
+    - name: Update postgresql.conf to listen on all interfaces
+      lineinfile:
+        path: /etc/postgresql/13/main/postgresql.conf
+        regexp: '^#?listen_addresses\s*='
+        line: "listen_addresses = '*'"
+      notify: Restart PostgreSQL
+
+    # Step 11: Allow remote connections in pg_hba.conf
+    - name: Update pg_hba.conf to allow remote connections
+      blockinfile:
+        path: /etc/postgresql/13/main/pg_hba.conf
+        block: |
+          # Allow remote connections
+          host    all             all             0.0.0.0/0               md5
+          host    all             all             ::/0                    md5
+      notify: Restart PostgreSQL
+
+    # Step 12: Install UFW (optional)
+    - name: Check if UFW is installed
+      command: which ufw
+      register: ufw_check
+      ignore_errors: yes
+      changed_when: false
+
+    # Step 13: Configure firewall if UFW is present
+    - name: Configure UFW for PostgreSQL
+      block:
+        - name: Install UFW
+          apt:
+            name: ufw
+            state: present
+          when: ufw_check.rc != 0
+
+        - name: Allow PostgreSQL through UFW
+          community.general.ufw:
+            rule: allow
+            port: 5432
+            proto: tcp
+      when: not ansible_virtualization_type in ['docker', 'container']
+      ignore_errors: yes
+
+  handlers:
+    - name: Restart PostgreSQL
+      service:
+        name: postgresql
+        state: restarted
+
+    - name: Reload locale
+      command: update-locale LANG={{ locale }}