duplicate default var defintition

remove dev to apache
fix modules enabling code
2025-02-19 18:14:26 +01:00 · 2025-02-18 13:54:55 +01:00 · 2025-02-18 12:17:49 +01:00 · 2024-12-19 11:13:13 +01:00 · 2024-05-23 09:34:31 +02:00 · 2024-05-08 17:30:19 +02:00
10 changed files with 103 additions and 11 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -15,3 +15,10 @@ apache_use_ssl: true
 apache_use_stats: true
 apache_user: "{{ apache_server_name | regex_search( '([^.]+)' ) }}"
 apache_use_database: false
+apache_modules_list:
+  - headers
+  - http2
+  - rewrite
+  - proxy
+  - proxy_http
+  - proxy_fcgi
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -47,7 +47,6 @@ galaxy_info:
    #       Maximum 20 tags per role.

  dependencies: 
-  - role: tconstans.apache
  - { role: tco.changelog, myrole_name: ansible_apache_vhost }
  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
  # if you add dependencies to this list.
--- a/tasks/certbot.yml
+++ b/tasks/certbot.yml
@@ -0,0 +1,55 @@
+---
+- name: install certbot
+  package:
+    name:
+     - certbot
+     - "{{ apache_ssl_packages }}"
+
+    state: present
+
+- name: install apache config file without ssl
+  vars:
+    apache_use_ssl: false
+  template:
+    src: vhost.conf.jj
+    dest: "{{ apache_config_dir }}/{{ apache_server_name }}.conf"
+    mode: 0644
+  notify: restart apache
+  register: result
+
+# cant use meta / flush handlers in conditionnals
+- name: if needed, we restart apache
+  service:
+    name: "{{ apache_service_name}}"
+    state: restarted
+  when: result.changed
+
+- name: generate certificates for domaine and subdomains
+  vars:
+    subdomains: "-d {{ apache_server_alias | join( ' -d ' ) }}"
+  command: certbot certonly --agree-tos --non-interactive -m {{ apache_ssl_root_email }} --webroot --webroot-path {{ apache_document_root }} -d {{ apache_server_name }} {{ subdomains }}
+  args:
+    creates: "{{ apache_ssl_chain }}"
+  when: apache_server_alias is defined
+
+- name: generate certificates
+  command: certbot certonly --agree-tos  --non-interactive -m {{ apache_ssl_root_email }} --webroot --webroot-path {{ apache_document_root }} -d {{ apache_server_name }}
+  args:
+    creates: "{{ apache_ssl_chain }}"
+  when: apache_server_alias is not defined
+
+- name: deploy ssl config file
+  template:
+    src: ssl.conf
+    dest: "{{ apache_config_dir }}"
+  notify: restart apache
+
+- name: create cronjob for renewal
+  cron:
+    name: certbot
+    cron_file: certbot
+    user: root
+    hour: "01"
+    minute: "00"
+    weekday: "6"
+    job: "/usr/bin/certbot renew"
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,7 +1,7 @@
 ---
 # tasks file for apache_vhost

- include_vars: "{{ ansible_os_family|lower }}.yml"
+- include_vars: "{{ ansible_os_family}}.yml"
  tags: always

 - name: create dedicated user
@@ -39,10 +39,29 @@
    - "{{ apache_base_dir }}/session"
    - "{{ apache_base_dir }}/wsdlcache"

+- name: enable some modules
+  when: ansible_os_family == 'Debian'
+  tags: modules
+  community.general.apache2_module:
+    state: present
+    name: "{{ item }}"
+  loop: "{{ apache_modules_list }}"
+
 - name: dns setup
  include_tasks: dns.yml
  when: apache_use_dns

+- name: remove default site
+  ansible.builtin.file:
+    path: /etc/apache2/sites-enabled/000-default.conf
+    state: absent
+  notify: restart apache
+  when: ansible_os_family| lower == 'debian'
+
+- name: create certificate
+  include_tasks: certbot.yml
+  when: apache_use_ssl
+
 - name: vhost config file
  template:
    src: vhost.conf.jj
@@ -59,4 +78,5 @@
 - name: goaccess
  import_tasks: goaccess.yml
  when: apache_use_stats
-  tags: stats
+  tags: stats
+
--- a/templates/ssl.conf
+++ b/templates/ssl.conf
@@ -1,4 +1,6 @@
+{% if ansible_os_family | lower =='redhat' %}
 Listen 443 https
+{% endif %}
 SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
 SSLSessionCacheTimeout  300
 SSLCryptoDevice builtin
--- a/templates/vhost.conf.jj
+++ b/templates/vhost.conf.jj
@@ -11,10 +11,12 @@
      Options +indexes
   </Directory>
   {%if apache_use_ssl %}
+   <IfModule rewrite>
   RewriteEngine on
   RewriteCond %{HTTPS} off
   RewriteCond %{REQUEST_URI}  "!^/\.well-known"
   RewriteRule (.*) https://%{SERVER_NAME}$1 [R,L]
+   </IfModule>
   {%endif %}
 </VirtualHost>

@@ -26,6 +28,7 @@
   ServerAlias {{ alias }}
   {%endfor%}
   {%endif%}
+   Protocols h2 http/1.1
   DocumentRoot {{ apache_document_root }}
   SSLEngine on
   SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
--- a/vars/Debian.yml
+++ b/vars/Debian.yml
@@ -0,0 +1,7 @@
+#/home/tom/Documents/Opendoor/Technique/Ansible/roles/tconstans.apache/vars/Debian.yml
+apache_packages:
+- apache2
+apache_ssl_packages: openssl
+apache_group: www-data
+apache_service_name: apache2
+apache_config_dir: /etc/apache2/sites-enabled/
--- a/vars/RedHat.yml
+++ b/vars/RedHat.yml
@@ -0,0 +1,7 @@
+#/home/tom/Documents/Opendoor/Technique/Ansible/roles/tco.apache_vhost/vars/RedHat.yml
+apache_config_dir: /etc/httpd/conf.d/
+apache_packages:
+- httpd
+apache_service_name: httpd
+apache_ssl_packages: mod_ssl
+apache_group: apache
--- a/vars/debian.yml
+++ b/vars/debian.yml
@@ -1,4 +0,0 @@
---
-apache_group: www-data
-apache_config_dir: /etc/apache2/sites-enabled/
-apache_service_name: apache2
--- a/vars/redhat.yml
+++ b/vars/redhat.yml
@@ -1,4 +0,0 @@
---
-apache_group: apache
-apache_config_dir: /etc/httpd/conf.d/
-apache_service_name: httpd
Author	SHA1	Message	Date
Thomas Constans	7dd6b51c2c	duplicate default var defintition	2025-02-19 18:14:26 +01:00
Thomas Constans	3db2160549	remove dev to apache	2025-02-18 13:54:55 +01:00
Thomas Constans	dfdae74445	fix modules enabling code	2025-02-18 12:17:49 +01:00
Thomas Constans	2d4e5a5853	add some modules, include http2	2024-12-19 11:13:13 +01:00
Thomas Constans	a882c50e2a	manual merge	2024-05-23 09:34:31 +02:00
Thomas Constans	180aa7c404	Merge branch 'certbot'	2024-05-08 17:30:19 +02:00
Thomas Constans	a0ad2a9301	make it work on debian, restore certificate management	2024-05-08 17:27:37 +02:00