# ************************************
# Vhost template in role apache_ssl_vhost
# Managed by Ansible
# ************************************

<VirtualHost *:{{ item.web_port|default("80") }}>
  ServerName {{ item.vhostname }}
{% if item.server_aliases is defined %}
    ServerAlias {% for alias in item.server_aliases %}{{ alias }} {% endfor %}
{% endif %}

  ## Directories, there should at least be a declaration for {{ item.docroot | default("/var/www/" + item.vhostname) }}/
  <Directory "{{ item.docroot | default("/var/www/" + item.vhostname) }}/">
    Options +FollowSymlinks
    AllowOverride All
  </Directory>

  ## Logging
  ErrorLog "/var/log/apache2/{{ item.vhostname }}_error.log"
  ServerSignature Off
  CustomLog "/var/log/apache2/{{ item.vhostname }}_access.log" combined

  ## Redirect rules
  Redirect permanent / https://{{ item.vhostname }}/
</VirtualHost>

<VirtualHost *:{{ ssl_port|default("443") }}>
  ServerName {{ item.vhostname }}
  ServerAdmin {{ item.serveradmin|default("webmaster@" + item.vhostname ) }}
{% if item.server_aliases is defined %}
  ServerAlias {% for alias in item.server_aliases %}{{ alias }} {% endfor %}
{% endif %}

{% if item.aliases is defined %}{% for alias in item.aliases %}
  Alias /{{ alias.dest }} "{{ alias.src }}"
{% endfor %}{% endif %}

{% if item.scriptaliases is defined %}{% for alias in item.scriptaliases %}
  ScriptAlias /{{ alias.dest }} "{{ alias.src }}"
{% endfor %}{% endif %}

{% if item.docroot is defined %}  ## Vhost docroot
  DocumentRoot "{{ item.docroot | default("/var/www/" + item.vhostname ) }}/"

  ## Directories, there should at least be a declaration for {{ item.docroot | default('/var/www/' + item.vhostname ) }}/

  <Directory "{{ item.docroot | default('/var/www/' + item.vhostname ) }}/">
{% if item.root_options is defined %}
    Options {% for option in item.root_options %}{{ option }} {% endfor %}
{% endif %}

{% if item.root_custom_code is defined %}
    {{ item.root_custom_code }}
{% endif %}

    AllowOverride All
  </Directory>
## End of root directory
{% endif %}

{% if item.directories is defined %}{% for directory in item.directories %}
  <Directory "{{ directory.path }}">
{% if directory.options is defined %}
    Options {% for option in directory.options %}{{ option }} {% endfor %}
{% endif %}

    {% if directory.allow_override is defined %}AllowOverride {{ directory.allow_override }}{% endif %}
    {% if directory.require is defined %}Require {{ directory.require }}{% endif %}
    {{ directory.custom_code | default("") }}
  </Directory>
{% endfor %}{% endif %}
## End of directories

{% if item.directoriesmatches is defined %}{% for directorymatch in item.directoriesmatches %}
  <DirectoryMatch "{{ directorymatch.path }}">
{% if directorymatch.options is defined %}
    Options {% for option in directorymatch.options %}{{ option }} {% endfor %}
{% endif %}

    {% if directory.allow_override is defined %}AllowOverride {{ directory.allow_override }}{% endif %}
    {% if directory.require is defined %}Require {{ directory.require }}{% endif %}
  {{ directorymatch.custom_code | default("") }}
  </DirectoryMatch>
{% endfor %}{% endif %}
## End of directorymatches

  ## Logging
  ErrorLog "/var/log/apache2/{{ item.vhostname }}_error_ssl.log"
  ServerSignature Off
  CustomLog "/var/log/apache2/{{ item.vhostname }}_access_ssl.log" combined
  ErrorDocument 404 /notfound.php
  ErrorDocument 500 /error500.php
  ErrorDocument 503 /error503.php
  ## Rewrite rules
  RewriteEngine On

  ## SSL directives
  SSLEngine on
  SSLCertificateFile      "/etc/letsencrypt/live/{{ item.vhostname }}/fullchain.pem"
  SSLCertificateKeyFile   "/etc/letsencrypt/live/{{ item.vhostname }}/privkey.pem"
  SSLProtocol             all -SSLv3 -SSLv2 -TLSv1 -TLSv1.1
  SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

{% if item.ldap is defined %}
  ## LDAP authentication
  <Location />
    AuthType Basic
    AuthName "Enter credentials"
    AuthBasicProvider ldap
    AuthLDAPGroupAttribute member
    AuthLDAPSubGroupClass group
    AuthLDAPGroupAttributeIsDN On
    AuthLDAPURL {{ item.ldap.url }} #ldap://ldap.koti.site/ou=People,ou=Users,dc=koti,dc=site?uid
    Require {{ item.ldap.require }} #valid-user
  </Location>
{% endif %}

{% if item.reverse_proxy is defined %}
  ## Reverse proxy
  SSLProxyEngine On
  SSLProxyCheckPeerCN on
  SSLProxyCheckPeerExpire on
  ProxyPass / {{ item.reverse_proxy }}
  ProxyPassReverse / {{ item.reverse_proxy }}
{% endif %}

{% if item.custom_code is defined %}
  ## Custom fragment
  {{ item.custom_code }}
  ## End of custom fragment
{% endif %}
</VirtualHost>