Add apache2 handling

2022-12-27 17:36:24 +02:00 · 2022-12-27 17:36:24 +02:00 · 73ec166871
commit 73ec166871
parent 35a6c6a355
3 changed files with 46 additions and 4 deletions
--- a/README.md
+++ b/README.md
@ -1,3 +1,7 @@
 ## ansible-role-invidious

 Work in progress...
+
+# Requirements
+
+https://gitlab.com/antoniodelgado/ansible-role-apache_ssl_vhosts
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -1,6 +1,7 @@
 ---
 invidious_repository: https://github.com/iv-org/invidious.git
 invidious_folder: /srv/invidious
+invidious_hostname: invidious.example.com
 invidious_internal_port: 3000
 #handle_ufw will allow access to individious_internal_port from everywhere, use it only if Invidious handles SSL or you don't want to use SSL (what?)
 handle_ufw: false
@ -27,7 +28,7 @@ docker_compose_options:
            port: 5432
          check_tables: true
          external_port: 443
-          domain: invi.susurrando.com
+          domain: {{ invidious_hostname }}
          https_only: true
          statistics_enabled: true
          use_quic: true
@ -67,6 +68,37 @@ docker_compose_options:
        POSTGRES_PASSWORD: kemal
      healthcheck:
        test: ["CMD-SHELL", "pg_isready -U $$POSTGRES_USER -d $$POSTGRES_DB"]
-
  volumes:
    postgresdata:
+invidious_vhosts:
+  - vhostname: "{{ invidious_hostname }}"
+    weight: 25
+    web_port: 80
+    ssl_port: 443
+    ssl: yes
+    docroot: "/var/www/{{ invidious_hostname }}"
+    serveradmin: "webmaster@{{ invidious_hostname }}"
+    server_aliases: []
+    root_options:
+      - '+FollowSymlinks'
+      - '+MultiViews'
+    root_custom_code: |
+      <IfModule mod_dav.c>
+        Dav off
+      </IfModule>
+    aliases: []
+    directories: []
+    custom_code: |
+      <IfModule mod_headers.c>
+        Header always set Strict-Transport-Security "max-age=15552001; includeSubDomains"
+      </IfModule>
+      SSLHonorCipherOrder     on
+      SSLProxyEngine On
+      ProxyPreserveHost On
+      ProxyRequests off
+      SSLProxyCheckPeerCN on
+      SSLProxyCheckPeerExpire on
+      ProxyPass / http://127.0.0.1:{{ invidious_internal_port }}/ nocanon
+      ProxyPassReverse / http://127.0.0.1:{{ invidious_internal_port }}/
+      AllowEncodedSlashes on
+
--- a/tasks/configure.yml
+++ b/tasks/configure.yml
@ -1,6 +1,12 @@
 ---
-#- name: Ensure Apache virtual host is configured
-#  when: handle_apache2_reverse_proxy
+- name: Add Invidious vhosts to list
+  set_fact:
+    vhosts: "{{ vhosts + invidious_vhosts }}"
+
+- name: Ensure Apache virtual host is configured
+  ansible.builtin.import_role:
+    name: apache_ssl_vhosts
+  when: handle_apache2_reverse_proxy

 - name: Ensure Invicious composition is created
  template: