add ssl conf, add changelog dep, remove wip tag

meta/main.yml

@@ -46,6 +46,8 @@ galaxy_info:
     # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
     #       Maximum 20 tags per role.
 
-  dependencies: [tconstans.apache]
+  dependencies: 
+  - role: tconstans.apache
+  - { role: tco.changelog, role_version: 1.0, myrole_name: apache_vhost }
   # List your role dependencies here, one per line. Be sure to remove the '[]' above,
   # if you add dependencies to this list.

tasks/certbot.yml

@@ -38,6 +38,12 @@
     creates: "{{ apache_ssl_chain }}"
   when: apache_server_alias is not defined
 
+- name: deploy ssl config file
+  template:
+    src: ssl.conf
+    dest: /etc/httpd/conf.d
+  notify: restart apache
+
 - name: create cronjob for renewal
   cron:
     name: certbot

tasks/main.yml

@@ -3,7 +3,6 @@
 
 
 - name: create dedicated user
-  tags: wip
   user:
     name: "{{ apache_user }}"
     groups:
@@ -13,7 +12,6 @@
   when: apache_user_password is not defined and apache_user != 'apache'
 
 - name: create dedicated user - ssh
-  tags: wip
   user:
     name: "{{ apache_user }}"
     groups:

templates/ssl.conf

@@ -0,0 +1,12 @@
+Listen 443 https
+SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
+SSLSessionCacheTimeout  300
+SSLCryptoDevice builtin
+
+SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
+SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+SSLHonorCipherOrder     off
+SSLSessionTickets       off
+
+SSLUseStapling On
+SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"