duplicate default var defintition

remove certbot generation (its got its own role)

ISSUES

@@ -0,0 +1,4 @@
+too many variables
+should not take care of ssl, php etc.
+
+ditch it in favor of tco.Webhosting ?

README.md

@@ -11,24 +11,24 @@ Obviously an apache server, you'll probably want php and some certificates too.
 Role Variables
 --------------
 
+apache_db_name: no default
+apache_db_password: no default
+apache_server_ip
+apache_server_name
+apache_server_alias (list)
+apache_ssl_root_email: email to use for certificate
+
 apache_access_log: {{ apache_base_dir}}/logs/access_log
 apache_allowoverride: all
 apache_base_dir: /srv/{{ apache_server_name }}
 apache_db_login_password: from my.cnf
 apache_db_login_user: from root/.my.cnf
-apache_db_name: no default
-apache_db_password: no default
 apache_db_user: no default
 apache_document_root: {{ apache_base_dir }}/www
 apache_php_socket: {{ apache_base_dir }}/php-fpm.sock
-apache_server_alias (list)
-apache_server_ip
-apache_server_name
 apache_ssl_certificate: /etc/letsencrypt/live/{{ apache_server_name }}/cert.pem
 apache_ssl_chain: /etc/letsencrypt/live/{{ apache_server_name }}/fullchain.pem
 apache_ssl_key: /etc/letsencrypt/live/{{ apache_server_name }}/privkey.pem
-apache_ssl_root_email: email to use for certificate
-apache_ssl_root_email: email used for letsencrypt certificate
 apache_use_database: false
 apache_use_dns: true - wether we setup up dns A and CNAME records
 apache_use_php: true

defaults/main.yml

@@ -15,3 +15,10 @@ apache_use_ssl: true
 apache_use_stats: true
 apache_user: "{{ apache_server_name | regex_search( '([^.]+)' ) }}"
 apache_use_database: false
+apache_modules_list:
+  - headers
+  - http2
+  - rewrite
+  - proxy
+  - proxy_http
+  - proxy_fcgi

handlers/main.yml

@@ -2,8 +2,8 @@
 # handlers file for apache_vhost
 - name: restart apache
   service:
-    name: httpd
-    state: restarted
+    name: "{{ apache_service_name }}"
+    state: reloaded
 
 - name: restart zabbix_agentd
   service:

meta/main.yml

@@ -47,7 +47,6 @@ galaxy_info:
     #       Maximum 20 tags per role.
 
   dependencies: 
-  - role: tconstans.apache
-  - { role: tco.changelog, role_version: 1.0, myrole_name: apache_vhost }
+  - { role: tco.changelog, myrole_name: ansible_apache_vhost }
   # List your role dependencies here, one per line. Be sure to remove the '[]' above,
   # if you add dependencies to this list.

tasks/certbot.yml

@@ -3,7 +3,7 @@
   package:
     name:
      - certbot
-     - mod_ssl
+     - "{{ apache_ssl_packages }}"
 
     state: present
 
@@ -12,7 +12,7 @@
     apache_use_ssl: false
   template:
     src: vhost.conf.jj
-    dest: /etc/httpd/conf.d/{{ apache_server_name }}.conf
+    dest: "{{ apache_config_dir }}/{{ apache_server_name }}.conf"
     mode: 0644
   notify: restart apache
   register: result
@@ -20,20 +20,20 @@
 # cant use meta / flush handlers in conditionnals
 - name: if needed, we restart apache
   service:
-    name: httpd
+    name: "{{ apache_service_name}}"
     state: restarted
   when: result.changed
 
 - name: generate certificates for domaine and subdomains
   vars:
     subdomains: "-d {{ apache_server_alias | join( ' -d ' ) }}"
-  command: certbot certonly --agree-tos --non-interactive -m {{ apache_ssl_root_email }} --webroot --webroot-path {{ apache_document_root }} -d {{ apache_server_name }} --test-cert {{ subdomains }}
+  command: certbot certonly --agree-tos --non-interactive -m {{ apache_ssl_root_email }} --webroot --webroot-path {{ apache_document_root }} -d {{ apache_server_name }} {{ subdomains }}
   args:
     creates: "{{ apache_ssl_chain }}"
   when: apache_server_alias is defined
 
 - name: generate certificates
-  command: certbot certonly --agree-tos  --non-interactive -m {{ apache_ssl_root_email }} --webroot --webroot-path {{ apache_document_root }} -d {{ apache_server_name }} --test-cert
+  command: certbot certonly --agree-tos  --non-interactive -m {{ apache_ssl_root_email }} --webroot --webroot-path {{ apache_document_root }} -d {{ apache_server_name }}
   args:
     creates: "{{ apache_ssl_chain }}"
   when: apache_server_alias is not defined
@@ -41,7 +41,7 @@
 - name: deploy ssl config file
   template:
     src: ssl.conf
-    dest: /etc/httpd/conf.d
+    dest: "{{ apache_config_dir }}"
   notify: restart apache
 
 - name: create cronjob for renewal

tasks/main.yml

@@ -1,15 +1,18 @@
 ---
 # tasks file for apache_vhost
 
+- include_vars: "{{ ansible_os_family}}.yml"
+  tags: always
 
 - name: create dedicated user
   user:
     name: "{{ apache_user }}"
     groups:
-    - apache
+    - "{{ apache_group }}"
     home: "{{ apache_base_dir }}"
     shell: /bin/bash
   when: apache_user_password is not defined and apache_user != 'apache'
+  tags: apache_user
 
 - name: create dedicated user - ssh
   user:
@@ -20,13 +23,14 @@
     home: "{{ apache_base_dir }}"
     shell: /bin/bash
   when: apache_user_password is defined
+  tags: apache_user
 
 - name: create directories
   file:
     path: "{{ item }}"
     state: directory
     owner: "{{ apache_user }}"
-    group: apache
+    group: "{{ apache_group }}"
     mode: 0750
   loop:
     - "{{ apache_base_dir }}"
@@ -35,10 +39,25 @@
     - "{{ apache_base_dir }}/session"
     - "{{ apache_base_dir }}/wsdlcache"
 
+- name: enable some modules
+  when: ansible_os_family == 'Debian'
+  tags: modules
+  community.general.apache2_module:
+    state: present
+    name: "{{ item }}"
+  loop: "{{ apache_modules_list }}"
+
 - name: dns setup
   include_tasks: dns.yml
   when: apache_use_dns
 
+- name: remove default site
+  ansible.builtin.file:
+    path: /etc/apache2/sites-enabled/000-default.conf
+    state: absent
+  notify: restart apache
+  when: ansible_os_family| lower == 'debian'
+
 - name: create certificate
   include_tasks: certbot.yml
   when: apache_use_ssl
@@ -46,7 +65,7 @@
 - name: vhost config file
   template:
     src: vhost.conf.jj
-    dest: /etc/httpd/conf.d/{{ apache_server_name }}.conf
+    dest: "{{ apache_config_dir }}/{{ apache_server_name }}.conf"
     mode: 0644
   notify: restart apache
 
@@ -59,4 +78,5 @@
 - name: goaccess
   import_tasks: goaccess.yml
   when: apache_use_stats
-  tags: stats
+  tags: stats
+

templates/pool.conf.jj

@@ -1,6 +1,6 @@
 [www_{{apache_server_name}}]
 user = {{ apache_user }}
-group = apache
+group = {{ apache_group }}
 listen = {{ apache_php_socket }}
 listen.owner = {{ apache_user }}
 listen.group = apache

templates/ssl.conf

@@ -1,4 +1,6 @@
+{% if ansible_os_family | lower =='redhat' %}
 Listen 443 https
+{% endif %}
 SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
 SSLSessionCacheTimeout  300
 SSLCryptoDevice builtin

templates/vhost.conf.jj

@@ -11,10 +11,12 @@
       Options +indexes
    </Directory>
    {%if apache_use_ssl %}
+   <IfModule rewrite>
    RewriteEngine on
    RewriteCond %{HTTPS} off
    RewriteCond %{REQUEST_URI}  "!^/\.well-known"
    RewriteRule (.*) https://%{SERVER_NAME}$1 [R,L]
+   </IfModule>
    {%endif %}
 </VirtualHost>
 
@@ -26,6 +28,7 @@
    ServerAlias {{ alias }}
    {%endfor%}
    {%endif%}
+   Protocols h2 http/1.1
    DocumentRoot {{ apache_document_root }}
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
@@ -42,7 +45,7 @@
    </Directory>
    {%if apache_use_php %}
    <FilesMatch \.php$>
-      SetHandler  "proxy:unix:{{ apache_php_socket }}|fcgi://localhost/"
+      SetHandler  "{{ php_listen_url }}"
    </FilesMatch>
    {% endif %}
 </VirtualHost>

vars/Debian.yml

@@ -0,0 +1,7 @@
+#/home/tom/Documents/Opendoor/Technique/Ansible/roles/tconstans.apache/vars/Debian.yml
+apache_packages:
+- apache2
+apache_ssl_packages: openssl
+apache_group: www-data
+apache_service_name: apache2
+apache_config_dir: /etc/apache2/sites-enabled/

vars/RedHat.yml

@@ -0,0 +1,7 @@
+#/home/tom/Documents/Opendoor/Technique/Ansible/roles/tco.apache_vhost/vars/RedHat.yml
+apache_config_dir: /etc/httpd/conf.d/
+apache_packages:
+- httpd
+apache_service_name: httpd
+apache_ssl_packages: mod_ssl
+apache_group: apache