path: root/infrastructure/roles/web/tasks/main.yaml
blob: 4fea1b35aefe8e4eb9aa18b1f79350815dc0eed3 (plain)
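# Install the Apache HTTP server through the host's package manager.
# state is spelled out so the task's intent does not rest on the default of
# whichever backend module ansible.builtin.package dispatches to.
- name: install apache2
  ansible.builtin.package:
    name: apache2
    state: present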
# mod_md provides the MDomain / MDCertificateAgreement directives that the
# "ssl site" task writes when web_server_reachable is true.
# "creates" makes the command a no-op once the module's .load link exists.
- name: enable mod_md
  ansible.builtin.command:
    argv:
      - a2enmod
      - md
    creates: /etc/apache2/mods-enabled/md.load
  notify: restart web
# mod_ssl backs the SSLEngine / SSLCertificate* directives used by the
# *:443 virtual host in the "ssl site" task.
# "creates" makes the command a no-op once the module's .load link exists.
- name: enable mod_ssl
  ansible.builtin.command:
    argv:
      - a2enmod
      - ssl
    creates: /etc/apache2/mods-enabled/ssl.load
  notify: restart web
# mod_userdir serves per-user directories under /~user/ URLs.
# NOTE(review): none of the configuration written by this file refers to
# userdir; confirm it is still wanted on the host that fronts Vaultwarden,
# since it widens what the server publishes.
# "creates" makes the command a no-op once the module's .load link exists.
- name: enable mod_userdir
  ansible.builtin.command:
    argv:
      - a2enmod
      - userdir
    creates: /etc/apache2/mods-enabled/userdir.load
  notify: restart web
# mod_proxy_http is needed for the ProxyPass to the http:// backend on
# 127.0.0.1:8080 configured in the "ssl site" task.
# "creates" makes the command a no-op once the module's .load link exists.
- name: enable mod_proxy_http
  ansible.builtin.command:
    argv:
      - a2enmod
      - proxy_http
    creates: /etc/apache2/mods-enabled/proxy_http.load
  notify: restart web
# mod_headers provides RequestHeader, which the "ssl site" task uses to set
# X-Real-IP on requests forwarded to the backend.
# "creates" makes the command a no-op once the module's .load link exists.
- name: enable mod_headers
  ansible.builtin.command:
    argv:
      - a2enmod
      - headers
    creates: /etc/apache2/mods-enabled/headers.load
  notify: restart web
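# Write the TLS virtual host for the public hostname.
#
# Certificate source depends on web_server_reachable:
#   - true:  mod_md is asked to manage a certificate for the hostname
#            (MDomain) and the CA's terms are accepted up front.
#   - false: the distribution's self-signed "snakeoil" pair is used. Clients
#            will not trust it; presumably a placeholder until the host is
#            reachable - confirm before relying on it.
#
# /vaultwarden/ is reverse-proxied to a backend on loopback. X-Real-IP is
# written with "RequestHeader set", which replaces any value the client
# sent, so the backend receives the peer address as Apache saw it rather
# than a caller-supplied one.
#
# Owner, group and mode are pinned so the resulting file does not depend on
# the umask of the connecting user: root-writable only, world-readable (the
# file holds paths and hostnames, no key material).
- name: ssl site
  ansible.builtin.copy:
    dest: /etc/apache2/sites-enabled/ssl.conf
    owner: root
    group: root
    mode: '0644'
    content: |
      {% if web_server_reachable %}
      MDomain {{ public_hostname_punycode }}
      MDCertificateAgreement accepted
      {% endif %}

      <VirtualHost *:443>
        ServerName {{ public_hostname_punycode }}
        SSLEngine on

      {% if not web_server_reachable %}
        SSLCertificateFile "/etc/ssl/certs/ssl-cert-snakeoil.pem"
        SSLCertificateKeyFile "/etc/ssl/private/ssl-cert-snakeoil.key"
      {% endif %}

        ServerAdmin {{ admin_email }}

        <Location /vaultwarden/>
          ProxyPass http://127.0.0.1:8080/vaultwarden/
          ProxyPreserveHost On
          RequestHeader set X-Real-IP %{REMOTE_ADDR}s
        </Location>

        RedirectMatch "^/$" "https://ñix.es/cgit/alex/ñix.es.git/about/"
      </VirtualHost>
  notify: restart web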
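# Register the text/gemini media type for .gmi files and load mod_dir with
# a bare "DirectoryIndex index" in place of the packaged dir.conf (which the
# "disable dir mod" task removes), so index.* variants are negotiated.
#
# Owner, group and mode are pinned so the resulting file does not depend on
# the umask of the connecting user: root-writable only, world-readable.
- name: gemini
  ansible.builtin.copy:
    dest: /etc/apache2/conf-enabled/gemini.conf
    owner: root
    group: root
    mode: '0644'
    content: |
      AddType text/gemini .gmi
      AddCharset UTF-8 .gmi
      # With the default dir module configuration disabled, DirectoryIndex index enables multiviews for indexes.
      # This means that you can have index.html and index.gmi and the client and server will negotiate which content to deliver.
      DirectoryIndex index
      LoadModule dir_module /usr/lib/apache2/modules/mod_dir.so
  notify: restart web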
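# Serve .rss files with an explicit UTF-8 charset.
#
# Owner, group and mode are pinned so the resulting file does not depend on
# the umask of the connecting user: root-writable only, world-readable.
- name: rss
  ansible.builtin.copy:
    dest: /etc/apache2/conf-enabled/rss.conf
    owner: root
    group: root
    mode: '0644'
    content: |
      AddCharset UTF-8 .rss
  notify: restart web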
# Drop the packaged mod_dir enablement (-f is a2dismod's force flag) so its
# dir.conf no longer applies; the "gemini" task loads dir_module itself with
# its own DirectoryIndex. "removes" skips the command once dir.conf is gone.
- name: disable dir mod
  ansible.builtin.command:
    argv:
      - a2dismod
      - '-f'
      - dir
    removes: /etc/apache2/mods-enabled/dir.conf
  notify: restart web