From 164f61819affb88a2e5c0b5e744de86fc836e477 Mon Sep 17 00:00:00 2001
From: Thomas Constans
Date: Sat, 29 Jul 2023 09:59:44 +0200
Subject: [PATCH] add ssl conf, add changelog dep, remove wip tag

---
 meta/main.yml      |  4 +++-
 tasks/certbot.yml  |  6 ++++++
 tasks/main.yml     |  2 --
 templates/ssl.conf | 12 ++++++++++++
 4 files changed, 21 insertions(+), 3 deletions(-)
 create mode 100644 templates/ssl.conf

diff --git a/meta/main.yml b/meta/main.yml
index 5fb774e..af562a3 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -46,6 +46,8 @@ galaxy_info:
   # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
   # Maximum 20 tags per role.
 
-dependencies: [tconstans.apache]
+dependencies:
+  - role: tconstans.apache
+  - { role: tco.changelog, role_version: 1.0, myrole_name: apache_vhost }
 # List your role dependencies here, one per line. Be sure to remove the '[]' above,
 # if you add dependencies to this list.
\ No newline at end of file
diff --git a/tasks/certbot.yml b/tasks/certbot.yml
index 730f0e5..7b79d66 100644
--- a/tasks/certbot.yml
+++ b/tasks/certbot.yml
@@ -38,6 +38,12 @@
     creates: "{{ apache_ssl_chain }}"
   when: apache_server_alias is not defined
 
+- name: deploy ssl config file
+  template:
+    src: ssl.conf
+    dest: /etc/httpd/conf.d
+  notify: restart apache
+
 - name: create cronjob for renewal
   cron:
     name: certbot
diff --git a/tasks/main.yml b/tasks/main.yml
index 689c099..197d861 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -3,7 +3,6 @@
 
 
 - name: create dedicated user
-  tags: wip
   user:
     name: "{{ apache_user }}"
     groups:
@@ -13,7 +12,6 @@
   when: apache_user_password is not defined and apache_user != 'apache'
 
 - name: create dedicated user - ssh
-  tags: wip
   user:
     name: "{{ apache_user }}"
     groups:
diff --git a/templates/ssl.conf b/templates/ssl.conf
new file mode 100644
index 0000000..7eec1bb
--- /dev/null
+++ b/templates/ssl.conf
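Review bot: `role_version: 1.0` in the added flow mapping is an unquoted float, so the value reaches the `tco.changelog` role as the number `1.0` rather than the string `"1.0"`, and a later bump such as `1.10` would silently become `1.1`; quote it as `role_version: "1.0"`. The galaxy template comment left in context below the list ("Be sure to remove the '[]' above") no longer matches the block-style list and can be dropped or reworded. Nothing in this hunk pins which revision of `tco.changelog` gets installed, so if that role is resolved from Galaxy a `version:` entry on the dependency is worth considering alongside the variable above.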
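Review bot: `dest: /etc/httpd/conf.d` names a directory while the rendered file has to end up at a specific path, and I cannot confirm from this hunk how the template module resolves a bare directory dest on the remote side; make the target explicit with `dest: /etc/httpd/conf.d/ssl.conf`. The task also sets no ownership or permissions, so the rendered TLS policy file takes whatever the remote umask yields; add `owner: root`, `group: root` and `mode: "0644"` so it is root-owned and not group- or world-writable. The `restart apache` handler is referenced but defined outside this hunk, so its name could not be checked here.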
@@ -0,0 +1,12 @@ +Listen 443 https +SSLSessionCache shmcb:/run/httpd/sslcache(512000) +SSLSessionCacheTimeout 300 +SSLCryptoDevice builtin + +SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 +SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 +SSLHonorCipherOrder off +SSLSessionTickets off + +SSLUseStapling On +SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
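Review bot: The new template carries no header saying which configuration it is meant to replace, and that matters here: on EL-family hosts (the `/etc/httpd` and `/run/httpd` paths point that way) the mod_ssl package already ships `/etc/httpd/conf.d/ssl.conf` with its own `Listen 443 https` and a `<VirtualHost _default_:443>` holding the certificate paths, so if this file lands under another name the duplicated `Listen` will stop httpd, and if it replaces that file the `:443` VirtualHost and `SSLCertificateFile`/`SSLCertificateKeyFile` must be defined elsewhere. A two-line header such as `# Managed by Ansible (apache_vhost role) - local edits will be overwritten` and `# TLS policy only; the :443 VirtualHost and certificate paths are defined in the vhost template` (adjusted to where they actually live) would make that explicit. The protocol and cipher choices themselves look sound (SSLv3/TLS 1.0/1.1 disabled, AEAD-only suites, session tickets off). With `SSLUseStapling On`, consider adding `SSLStaplingReturnResponderErrors off` and `SSLStaplingResponderTimeout 5` so a slow or failing OCSP responder degrades to an unstapled handshake instead of stapling an error response to every client.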