From 73ec166871ba8262d14ad8ca8cf7ee88340f5d5a Mon Sep 17 00:00:00 2001 From: "Antonio J. Delgado" Date: Tue, 27 Dec 2022 17:36:24 +0200 Subject: [PATCH] Add apache2 handling --- README.md | 4 ++++ defaults/main.yml | 36 ++++++++++++++++++++++++++++++++++-- tasks/configure.yml | 10 ++++++++-- 3 files changed, 46 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index fd7273c..b63def8 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,7 @@ ## ansible-role-invidious Work in progress... + +# Requirements + +https://gitlab.com/antoniodelgado/ansible-role-apache_ssl_vhosts diff --git a/defaults/main.yml b/defaults/main.yml index 6c48ffb..8c10051 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,6 +1,7 @@ --- invidious_repository: https://github.com/iv-org/invidious.git invidious_folder: /srv/invidious +invidious_hostname: invidious.example.com invidious_internal_port: 3000 #handle_ufw will allow access to individious_internal_port from everywhere, use it only if Invidious handles SSL or you don't want to use SSL (what?) handle_ufw: false @@ -27,7 +28,7 @@ docker_compose_options: port: 5432 check_tables: true external_port: 443 - domain: invi.susurrando.com + domain: {{ invidious_hostname }} https_only: true statistics_enabled: true use_quic: true 
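Review bot: In defaults/main.yml the new `domain: {{ invidious_hostname }}` value is unquoted, so YAML reads the leading `{` as the start of a flow mapping and not as a Jinja expression. The defaults file will then typically fail to load, or `domain` will end up as something other than the hostname string. Quote it the way the vhost entries added later in this commit already do: `domain: "{{ invidious_hostname }}"`. The enclosing `docker_compose_options` mapping starts and ends outside this hunk, so other templated values in it are worth checking for the same problem.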
@@ -67,6 +68,37 @@ docker_compose_options: POSTGRES_PASSWORD: kemal healthcheck: test: ["CMD-SHELL", "pg_isready -U $$POSTGRES_USER -d $$POSTGRES_DB"] - volumes: postgresdata: +invidious_vhosts: + - vhostname: "{{ invidious_hostname }}" + weight: 25 + web_port: 80 + ssl_port: 443 + ssl: yes + docroot: "/var/www/{{ invidious_hostname }}" + serveradmin: "webmaster@{{ invidious_hostname }}" + server_aliases: [] + root_options: + - '+FollowSymlinks' + - '+MultiViews' + root_custom_code: | + + Dav off + + aliases: [] + directories: [] + custom_code: | + + Header always set Strict-Transport-Security "max-age=15552001; includeSubDomains" + + SSLHonorCipherOrder on + SSLProxyEngine On + ProxyPreserveHost On + ProxyRequests off + SSLProxyCheckPeerCN on + SSLProxyCheckPeerExpire on + ProxyPass / http://127.0.0.1:{{ invidious_internal_port }}/ nocanon + ProxyPassReverse / http://127.0.0.1:{{ invidious_internal_port }}/ + AllowEncodedSlashes on + diff --git a/tasks/configure.yml b/tasks/configure.yml index 28bfbbe..69f8a28 100644 --- a/tasks/configure.yml +++ b/tasks/configure.yml @@ -1,6 +1,12 @@ --- -#- name: Ensure Apache virtual host is configured -# when: handle_apache2_reverse_proxy +- name: Add Invidious vhosts to list + set_fact: + vhosts: "{{ vhosts + invidious_vhosts }}" + +- name: Ensure Apache virtual host is configured + ansible.builtin.import_role: + name: apache_ssl_vhosts + when: handle_apache2_reverse_proxy - name: Ensure Invicious composition is created template:
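Review bot: In the `custom_code` of the new `invidious_vhosts` entry, `AllowEncodedSlashes on` makes Apache decode `%2F` in request paths, while `ProxyPass ... nocanon` forwards the raw, un-canonicalised URL to the backend. The proxy and Invidious can therefore disagree about which path was requested, and the Apache documentation recommends `NoDecode` when encoded slashes have to be accepted, so I would use `AllowEncodedSlashes NoDecode`. Separately, `SSLProxyEngine On`, `SSLProxyCheckPeerCN on` and `SSLProxyCheckPeerExpire on` only affect `https://` backends and have no effect on the `http://127.0.0.1` target used here. They could be dropped, or kept with a comment saying they are intentional, so nobody assumes the backend hop is verified. `ssl: yes` relies on YAML 1.1 truthy parsing and would be safer written as `ssl: true`.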
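Review bot: The new `set_fact` task in tasks/configure.yml reads `vhosts` with no default and has no `when:`, so it runs even when Apache handling is disabled and fails with an undefined-variable error unless the caller has already defined `vhosts`. Suggest `vhosts: "{{ vhosts | default([]) + invidious_vhosts }}"` and gating it with the same `when: handle_apache2_reverse_proxy` as the `import_role` task. `handle_apache2_reverse_proxy` is not added in the defaults/main.yml hunks of this patch; if it is not defined elsewhere in the role, it needs a default (presumably `false`) or the `when:` itself will error. For consistency with `ansible.builtin.import_role`, the first task could also use `ansible.builtin.set_fact`.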