Initial commit with previous code

defaults/main.yml

@@ -0,0 +1,29 @@
+---
+vhosts: []
+  # - vhostname: default.host.example.org
+  #   weight: 25
+  #   web_port: 80
+  #   ssl_port: 443
+  #   ssl: yes
+  #   docroot: /var/www/host.example.org
+  #   serveradmin: webmaster@example.org
+  #   server_aliases: []
+  #   root_options:
+  #     - '-Indexes'
+  #     - '-FollowSymLinks'
+  #   aliases:
+  #     - dest: my_page
+  #       src: /var/www/my_page
+  #   directories:
+  #     - path: /var/www/host.example.org/custom_dir
+  #       options:
+  #         - '-Indexes'
+  #         - '-FollowSymLinks'
+  #       allow_override: None
+  #       require: 'all granted'
+  #       custom_code: ""
+  #   custom_code: ""
+  #   ldap:
+  #     url: ldap://ldap.example.org/ou=People,ou=Users,dc=example,dc=org?uid
+  #     require: valid-user
+  #   reverse_proxy: http://127.0.0.1:8080/

files/default_host.conf

@@ -0,0 +1,18 @@
+## Default docroot
+DocumentRoot "/var/www/html/"
+
+## Directories, there should at least be a declaration for DocumentRoot
+
+<Directory "/var/www/html/">
+  Options +FollowSymlinks -Indexes
+  AllowOverride All
+</Directory>
+
+## Logging
+ErrorLog "/var/log/apache2/localhost_error.log"
+ServerSignature Off
+CustomLog "/var/log/apache2/localhost_access.log" combined
+
+## Redirect rules
+RewriteEngine On
+RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]

handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: Restart Apache
+  service:
+    name: apache2
+    state: restarted

tasks/configure.yml

@@ -0,0 +1,104 @@
+---
+- name: Allow HTTP traffic
+  ufw:
+    rule: allow
+    port: 80
+
+- name: Allow HTTPS traffic
+  ufw:
+    rule: allow
+    port: 443
+
+- name: Enable Apache2 modules
+  community.general.apache2_module:
+    state: present
+    name: "{{ item }}"
+  loop:
+    - rewrite
+    - ssl
+
+- name: Stop Apache
+  service:
+    name: apache2
+    state: stopped
+
+- name: Ensure SSL certificate exists
+  shell: "certbot certonly --agree-tos --email certs@susurrando.com -n --standalone -d {{ item.vhostname }}"
+  args:
+    creates: "/etc/letsencrypt/archive/{{ item.vhostname }}"
+  when:
+    - "'ssl' in item"
+    - item['ssl']
+  with_items: "{{ vhosts }}"
+
+- name: Ensure default vhost root exists
+  file:
+    path: /var/www/html
+    state: directory
+    owner: www-data
+    group: www-data
+    mode: 0775
+
+- name: Ensure default vhost is configured with SSL redirection
+  copy:
+    dest: /etc/apache2/conf-available/default_host.conf
+    src: files/default_host.conf
+    backup: yes
+    mode: 0644
+  notify:
+    - Restart Apache
+
+- name: Ensure default vhost is enabled with SSL redirection
+  file:
+    dest: /etc/apache2/conf-enabled/default_host.conf
+    src: /etc/apache2/conf-available/default_host.conf
+    state: link
+    mode: 0644
+  notify:
+    - Restart Apache
+
+- name: Start Apache
+  service:
+    name: apache2
+    state: started
+
+- name: Ensure Apache modules are enabled
+  community.general.apache2_module:
+    state: present
+    force: True
+    name: "{{ item }}"
+  with_items: "{{ apache_modules }}"
+  when: apache_modules is defined
+
+- name: Ensure vhost docroot exists
+  file:
+    path: "{{ item.docroot }}"
+    state: directory
+    owner: www-data
+    group: www-data
+    mode: 0775
+  loop: "{{ vhosts }}"
+
+- name: Ensure vhosts are configured
+  template:
+    src: templates/vhost.conf.j2
+    dest: "/etc/apache2/sites-available/{{ item.weight }}-{{ item.vhostname }}.conf"
+    owner: root
+    group: root
+    mode: '0644'
+    backup: yes
+  with_items: "{{ vhosts }}"
+  notify:
+    - Restart Apache
+
+- name: Ensure vhost is enabled
+  file:
+    src: "/etc/apache2/sites-available/{{ item.weight }}-{{ item.vhostname }}.conf"
+    dest: "/etc/apache2/sites-enabled/{{ item.weight }}-{{ item.vhostname }}.conf"
+    state: link
+  with_items: "{{ vhosts }}"
+  notify:
+    - Restart Apache
+# notfound.php
+# error500.php
+# error503.php

tasks/install.yml

@@ -0,0 +1,6 @@
+---
+- name: Ensure software is installed
+  apt:
+    name:
+      - apache2
+    state: latest

tasks/main.yml

@@ -0,0 +1,5 @@
+---
+- name: Ensure installation
+  include_tasks: install.yml
+- name: Ensure configuration
+  include_tasks: configure.yml

templates/vhost.conf.j2

@@ -0,0 +1,113 @@
+# ************************************
+# Vhost template in role apache_ssl_vhost
+# Managed by Ansible
+# ************************************
+
+<VirtualHost *:{{ item.web_port|default("80") }}>
+  ServerName {{ item.vhostname }}
+{% if item.server_aliases is defined %}
+    ServerAlias {% for alias in item.server_aliases %}{{ alias }} {% endfor %}
+{% endif %}
+
+  ## Directories, there should at least be a declaration for {{ item.docroot }}/
+  <Directory "{{ item.docroot }}/">
+    Options +FollowSymlinks
+    AllowOverride All
+  </Directory>
+
+  ## Logging
+  ErrorLog "/var/log/apache2/{{ item.vhostname }}_error.log"
+  ServerSignature Off
+  CustomLog "/var/log/apache2/{{ item.vhostname }}_access.log" combined
+
+  ## Redirect rules
+  Redirect permanent / https://{{ item.vhostname }}/
+</VirtualHost>
+
+<VirtualHost *:{{ ssl_port|default("443") }}>
+  ServerName {{ item.vhostname }}
+  ServerAdmin {{ item.serveradmin|default("webmaster@{{ item.vhostname }}") }}
+{% if item.server_aliases is defined %}
+    ServerAlias {% for alias in item.server_aliases %}{{ alias }} {% endfor %}
+{% endif %}
+
+{% if item.aliases is defined %}{% for alias in item.aliases %}
+  Alias /{{ alias.dest }} "{{ alias.src }}"
+{% endfor %}{% endif %}
+
+
+{% if item.docroot %}  ## Vhost docroot
+  DocumentRoot "{{ item.docroot|default("/var/www/{{ item.vhostname }}") }}/"
+
+  ## Directories, there should at least be a declaration for {{ item.docroot }}/
+
+  <Directory "{{ item.docroot }}/">
+{% if item.root_options is defined %}
+    Options {% for option in item.root_options %}{{ option }} {% endfor %}
+{% endif %}
+
+{% if item.root_custom_code is defined %}
+    {{ item.root_custom_code }}
+{% endif %}
+
+    AllowOverride All
+  </Directory>{% endif %}
+
+{% if item.directories is defined %}{% for directory in item.directories %}
+  <Directory "{{ directory.path }}">
+{% if directory.options is defined %}
+    Options {% for option in directory.options %}{{ option }} {% endfor %}
+{% endif %}
+
+  AllowOverride {{ directory.allow_override | default("All") }}
+  Require {{ directory.require | default("all granted") }}
+  {{ directory.custom_code | default("") }}
+  </Directory>{% endfor %}{% endif %}
+
+  ## Logging
+  ErrorLog "/var/log/apache2/{{ item.vhostname }}_error_ssl.log"
+  ServerSignature Off
+  CustomLog "/var/log/apache2/{{ item.vhostname }}_access_ssl.log" combined
+  ErrorDocument 404 /notfound.php
+  ErrorDocument 500 /error500.php
+  ErrorDocument 503 /error503.php
+  ## Rewrite rules
+  RewriteEngine On
+
+
+  ## SSL directives
+  SSLEngine on
+  SSLCertificateFile      "/etc/letsencrypt/live/{{ item.vhostname }}/fullchain.pem"
+  SSLCertificateKeyFile   "/etc/letsencrypt/live/{{ item.vhostname }}/privkey.pem"
+  SSLProtocol             all -SSLv3 -SSLv2 -TLSv1 -TLSv1.1
+  SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
+
+{% if item.ldap is defined %}
+  ## LDAP authentication
+  <Location />
+      AuthType Basic
+      AuthName "Enter credentials"
+      AuthBasicProvider ldap
+      AuthLDAPGroupAttribute member
+      AuthLDAPSubGroupClass group
+      AuthLDAPGroupAttributeIsDN On
+      AuthLDAPURL {{ item.ldap.url }} #ldap://ldap.koti.site/ou=People,ou=Users,dc=koti,dc=site?uid
+      Require {{ item.ldap.require }} #valid-user
+  </Location>
+{% endif %}
+
+{% if item.reverse_proxy is defined %}
+  ## Reverse proxy
+  SSLProxyEngine On
+  SSLProxyCheckPeerCN on
+  SSLProxyCheckPeerExpire on
+  ProxyPass / {{ item.reverse_proxy }}
+  ProxyPassReverse / {{ item.reverse_proxy }}
+{% endif %}
+
+{% if item.custom_code is defined %}
+  ## Custom fragment
+{{ item.custom_code }}
+  ## End of custom fragment
+{% endif %}
+</VirtualHost>