Further fixes with an eye toward getting HTTPS going.

cluster-setup/deployment/group_vars/default_template.yml

@@ -51,6 +51,12 @@ slurm_tarball: "slurm-23.02.5.tar.bz2"
 slurm_source_url: "https://download.schedmd.com/slurm/slurm-23.02.5.tar.bz2"
 slurm_sha1_checksum: b3f06d7030bd771a3a94be06e3c0d58a2630a21e
 
+# mod_wsgi installation:
+mod_wsgi_source_url: "https://files.pythonhosted.org/packages/fe/12/b3756f3b72ae3410a83a9b98862925aea64e854c93ef16c1e46b11e32d59/mod_wsgi-4.9.4.tar.gz"
+mod_wsgi_tarball: "mod_wsgi-4.9.4.tar.gz"
+mod_wsgi_basename: "mod_wsgi-4.9.4"
+mod_wsgi_sha256_checksum: "8e762662ea5b01afc386bbcfbaa079748eb6203ab1d6d3a3dac9237f5666cfc9"
+
 # The following are defaults, and probably don't need to be changed.
 # In a typical deployment, Kive, its virtualenv, and slurm are only "installed"
 # by the head node and shared to the compute nodes via NFS, so kive_venv,

cluster-setup/deployment/group_vars/octomore_template.yaml

@@ -92,6 +92,12 @@ slurm_tarball: "slurm-23.02.5.tar.bz2"
 slurm_source_url: "https://download.schedmd.com/slurm/slurm-23.02.5.tar.bz2"
 slurm_sha1_checksum: b3f06d7030bd771a3a94be06e3c0d58a2630a21e
 
+# mod_wsgi installation:
+mod_wsgi_source_url: "https://files.pythonhosted.org/packages/fe/12/b3756f3b72ae3410a83a9b98862925aea64e854c93ef16c1e46b11e32d59/mod_wsgi-4.9.4.tar.gz"
+mod_wsgi_tarball: "mod_wsgi-4.9.4.tar.gz"
+mod_wsgi_basename: "mod_wsgi-4.9.4"
+mod_wsgi_sha256_checksum: "8e762662ea5b01afc386bbcfbaa079748eb6203ab1d6d3a3dac9237f5666cfc9"
+
 # The following are defaults, and probably don't need to be changed.
 # In a typical deployment, Kive, its virtualenv, and slurm are only "installed"
 # by the head node and shared to the compute nodes via NFS, so kive_venv,

cluster-setup/deployment/roles/kive_server/files/001-kive-ssl.conf

@@ -0,0 +1,30 @@
+# SSL configuration for the Kive web portal.  This file was created by copying
+# and modifying `/etc/apache2/sites-available/default-ssl.conf`.  That file
+# has some helpful comments that may be useful to look at if you ever need
+# to further adjust this file.
+
+<IfModule mod_ssl.c>
+    <VirtualHost _default_:443>
+        ServerAdmin webmaster@localhost
+
+        DocumentRoot /var/www/html
+
+        ErrorLog ${APACHE_LOG_DIR}/error.log
+        CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+        SSLEngine on
+
+        SSLCertificateFile      /etc/ssl/certs/star_cfe.crt
+        SSLCertificateKeyFile /etc/ssl/private/star_cfe.key
+        SSLCertificateChainFile /etc/ssl/certs/DigiCertCA.crt
+
+        #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+        <FilesMatch "\.(cgi|shtml|phtml|php)$">
+                        SSLOptions +StdEnvVars
+        </FilesMatch>
+        <Directory /usr/lib/cgi-bin>
+                        SSLOptions +StdEnvVars
+        </Directory>
+
+    </VirtualHost>
+</IfModule>

cluster-setup/deployment/roles/kive_server/tasks/main.yml

@@ -58,6 +58,88 @@
       # - libapache2-mod-wsgi-py3
       - barman
 
+- name: install mod_wsgi from source
+  become: true
+  block:
+    - name: check if mod_wsgi slurm source files are already downloaded
+      stat:
+        path: "/usr/local/src/{{ mod_wsgi_tarball }}"
+      register: mod_wsgi_download
+
+    - name: fetch mod_wsgi source files
+      become: true
+      get_url:
+        url: "{{ mod_wsgi_source_url }}"
+        dest: "/usr/local/src/{{ mod_wsgi_tarball }}"
+        checksum: "sha256:{{ mod_wsgi_sha256_checksum }}"
+      when: not mod_wsgi_download.stat.exists
+
+    - name: decompress mod_wsgi tarball
+      unarchive:
+        remote_src: true
+        src: "/usr/local/src/{{ mod_wsgi_tarball }}"
+        dest: "/usr/local/src"
+        owner: root
+        group: root
+
+    - name: make a link to the mod_wsgi source code directory
+      file:
+        src: "/usr/local/src/{{ mod_wsgi_basename }}"
+        dest: "/usr/local/src/mod_wsgi"
+        state: link
+
+    - name: configure mod_wsgi build
+      command:
+        argv:
+          - "/usr/local/src/mod_wsgi/configure"
+          - "--with-python={{ kive_venv }}/bin/python"
+        chdir: "/usr/local/src/mod_wsgi"
+        creates: "/usr/local/src/mod_wsgi/Makefile"
+
+    - name: build and install mod_wsgi
+      make:
+        chdir: "/usr/local/src/mod_wsgi"
+        target: install
+
+    - name: enable the wsgi module in apache
+      community.general.apache2_module:
+        state: present
+        name: wsgi
+
+# This is following the general instructions for Ubuntu SSL support
+# in `/usr/share/doc/apache2/README.Debian.gz`.
+# For the certificates to be installed, they should be placed in the
+# directory you're running Ansible in, with the desired names.
+- name: enable Apache SSL support
+  become: true
+  block:
+    - name: enable the SSL module
+      community.general.apache2_module:
+        state: present
+        name: ssl
+
+    - name: install SSL certificate
+      copy:
+        src: star_cfe.crt
+        dest: /etc/ssl/certs/star_cfe.crt
+        owner: root
+        group: root
+
+    - name: install SSL key
+      copy:
+        src: star_cfe.key
+        dest: /etc/ssl/private/star_cfe.key
+        owner: root
+        group: root
+        mode: "0600"
+
+    - name: install SSL certificate chain file
+      copy:
+        src: DigiCertCA.crt
+        dest: /etc/ssl/certs/DigiCertCA.crt
+        owner: root
+        group: root
+
 
 - name: fetch kive source code
   become: true
@@ -187,6 +269,17 @@
           command:
             cmd: "a2enconf rotate-kive-logs"
 
+    - name: install the httpd site configuration for Kive
+      copy:
+        src: 001-kive-ssl.conf
+        dest: /etc/apache2/sites-available
+        owner: root
+        group: root
+
+    - name: enable the httpd site configuration for Kive
+      command:
+        cmd: "a2ensite 001-kive-ssl"
+
     - name: enable apache2
       systemd:
         name: apache2