first commit

handlers/main.yml

@@ -0,0 +1,10 @@
+
+- name: restart apache2
+  service: 
+    name: apache2
+    state: restarted
+
+- name: reload apache2
+  service: 
+    name: apache2
+    state: reloaded

tasks/main.yml

@@ -0,0 +1,146 @@
+---
+- name: Install stuff
+  apt:
+    name:
+      - apache2
+    update_cache: yes
+
+- name: install acme.sh
+  include_role:
+    name: acmesh
+
+- name: set DocumentRoot
+  set_fact:
+    docroot: "/var/www/html"
+  when: not docroot is defined
+
+- name: set domainname
+  set_fact:
+    domainname: "{{ inventory_hostname }}"
+  when: not domainname is defined
+
+- name: create wwwroot
+  file:
+    path: "{{ docroot }}"
+    owner: www-data
+    group: www-data
+    mode: '0755'
+    state: directory
+
+- name: enable apache module proxy
+  command: a2enmod proxy
+  args:
+    creates: /etc/apache2/mods-enabled/proxy.load
+  notify:
+    reload apache2
+
+- name: enable apache module proxy_html
+  command: a2enmod proxy_html
+  args:
+    creates: /etc/apache2/mods-enabled/proxy_html.load
+  notify:
+    reload apache2
+
+- name: enable apache module proxy_http
+  command: a2enmod proxy_http
+  args:
+    creates: /etc/apache2/mods-enabled/proxy_http.load
+  notify:
+    reload apache2
+
+- name: enable apache module proxy_http2
+  command: a2enmod proxy_http2
+  args:
+    creates: /etc/apache2/mods-enabled/proxy_http2.load
+  notify:
+    reload apache2
+
+- name: enable apache module ssl
+  command: a2enmod ssl
+  args:
+    creates: /etc/apache2/mods-enabled/ssl.load
+  notify:
+    reload apache2
+
+- name: enable apache module headers
+  command: a2enmod headers
+  args:
+    creates: /etc/apache2/mods-enabled/headers.load
+  notify:
+    reload apache2
+
+- name: enable apache module rewrite
+  command: a2enmod rewrite
+  args:
+    creates: /etc/apache2/mods-enabled/rewrite.load
+  notify:
+    reload apache2
+
+- name: install acme.sh
+  include_role:
+    name: acmesh
+
+- name: set amce server url
+  set_fact:
+    acmeshserver: "--server {{ acme_sh_server }} --insecure --force --days 1"
+  when: acme_sh_server is defined
+
+- name: set amce server url
+  set_fact:
+    acmeshserver: ""
+  when: not acme_sh_server is defined
+  
+- name: generate /etc/apache2/sites-available/{{ domainname }}.conf
+  template:
+    src: apache.conf.j2
+    dest: /etc/apache2/sites-available/{{ domainname }}.conf
+    owner: root
+    group: root
+    mode: "0644"
+  notify:
+    - reload apache2
+
+- name: generate /etc/apache2/sites-available/{{ domainname }}-ssl.conf
+  template:
+    src: apache-ssl.conf.j2
+    dest: /etc/apache2/sites-available/{{ domainname }}-ssl.conf
+    owner: root
+    group: root
+    mode: "0644"
+  notify:
+    - reload apache2
+
+- name: activate /etc/apache2/sites-available/{{ domainname }}.conf
+  file:
+    state: link
+    src: /etc/apache2/sites-available/{{ domainname }}.conf
+    dest: /etc/apache2/sites-enabled/{{ domainname }}.conf
+  notify:
+    - reload apache2
+
+- name: generate /etc/apache2/conf-available/{{ domainname }}-ssl-optionalDirectives.conf
+  template:
+    src: includeOptional.conf.j2
+    dest: /etc/apache2/conf-available/{{ domainname }}-ssl-optionalDirectives.conf
+    owner: root
+    group: root
+    mode: "0644"
+  notify:
+    - reload apache2
+
+- name: Flush handlers
+  meta: flush_handlers
+
+- name: get certificates
+  command: /root/.acme.sh/acme.sh --issue --webroot {{ docroot | default("/var/www/html") }} {{ acmeshserver }} -d {{ domainname }} --email {{ acme_sh_email }} --key-file /etc/ssl/private/{{ domainname }}.key --fullchain-file /etc/ssl/certs/{{ domainname }}.pem --reloadcmd "service apache2 reload"
+  args:
+    creates: /etc/ssl/private/{{ domainname }}.key
+
+- name: activate /etc/apache2/sites-available/{{ domainname }}-ssl.conf
+  file:
+    state: link
+    src: /etc/apache2/sites-available/{{ domainname }}-ssl.conf
+    dest: /etc/apache2/sites-enabled/{{ domainname }}-ssl.conf
+  notify:
+    - reload apache2
+

templates/apache-ssl.conf.j2

@@ -0,0 +1,30 @@
+<IfModule mod_ssl.c>
+        <VirtualHost _default_:443>
+                ServerName {{ domainname }}
+                ServerAdmin webmaster@{{ domainname }}
+
+                DocumentRoot "{{ docroot }}"
+                <Directory "{{ docroot }}">
+                        Options Indexes MultiViews Includes FollowSymLinks
+                        AddOutputFilter Includes html
+                        AllowOverride All
+                        Order allow,deny
+                        Allow from all
+                </Directory>
+
+                ErrorLog ${APACHE_LOG_DIR}/{{ domainname }}.error.log
+                CustomLog ${APACHE_LOG_DIR}/{{ domainname }}.access.log combined
+
+                SSLEngine on
+                SSLCertificateFile      /etc/ssl/certs/{{ domainname }}.pem
+                SSLCertificateKeyFile /etc/ssl/private/{{ domainname }}.key
+
+                <FilesMatch "\.(cgi|shtml|phtml|php)$">
+                                SSLOptions +StdEnvVars
+                </FilesMatch>
+                <Directory /usr/lib/cgi-bin>
+                                SSLOptions +StdEnvVars
+                </Directory>
+                IncludeOptional /etc/apache2/conf-available/{{ domainname }}-ssl-optionalDirectives.conf
+        </VirtualHost>
+</IfModule>

templates/apache.conf.j2

@@ -0,0 +1,15 @@
+<VirtualHost *:80>
+        ServerName {{ domainname }}
+
+        ServerAdmin webmaster@{{ domainname }}
+        DocumentRoot "{{ docroot }}"
+
+        ErrorLog ${APACHE_LOG_DIR}/{{ domainname }}.error.log
+        CustomLog ${APACHE_LOG_DIR}/{{ domainname }}.access.log combined
+
+        #rewrite transparent to https, keep uri 
+        RewriteEngine On
+        RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
+        RewriteCond %{HTTPS} off
+        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
+</VirtualHost>

templates/includeOptional.conf.j2

@@ -0,0 +1 @@
+{{ optionalDirectives | default('')}}