From 6915da790011815ffb0f80d0708665e7dc3accb7 Mon Sep 17 00:00:00 2001 From: alex Date: Sat, 11 Oct 2025 13:51:20 +0200 Subject: [PATCH] Add https web --- infrastructure/README.md | 2 ++ infrastructure/production.yaml | 3 +++ infrastructure/roles/web/handlers/main.yaml | 4 ++++ infrastructure/roles/web/tasks/main.yaml | 26 +++++++++++++++++++++ infrastructure/site.yaml | 1 + 5 files changed, 36 insertions(+) create mode 100644 infrastructure/roles/web/handlers/main.yaml create mode 100644 infrastructure/roles/web/tasks/main.yaml diff --git a/infrastructure/README.md b/infrastructure/README.md index 5e96671..4694334 100644 --- a/infrastructure/README.md +++ b/infrastructure/README.md @@ -18,6 +18,8 @@ Ensure you can `ssh root@ñix.es`, and then: uv run ansible-playbook -i ssh-root.yaml -i production.yaml site.yaml ``` +You might need to `systemctl restart apache2` for the Let's Encrypt certificate. + ## Running Ansible After bootstrapping, you can run Ansible via ssh with your user and `sudo`. diff --git a/infrastructure/production.yaml b/infrastructure/production.yaml index eff8cc9..19a260f 100644 --- a/infrastructure/production.yaml +++ b/infrastructure/production.yaml @@ -2,9 +2,12 @@ ungrouped: hosts: ñix.es: ansible_become: true + public_hostname: ñix.es + public_hostname_punycode: xn--ix-yja.es all: vars: users: - name: alex shell: /usr/bin/bash authorized_keys: "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAsmNM+izEWl/tIRncLIc9UFHwjL4b64VGD9ZTqeR/fEbfrhUjcQNmwHMbfF3l35OEFnPw6Afm8TzL/RwM+ePpdxj7HzZW6XBOVf258Dcs3olw/JuG8+oSvLoXUiTS1rqgNNp7RLEQN1IxYOUCreu6ju6y2WDi8Ota2vO1DpGgfHB1M6KbGBpLpZBCAKzrhI9I0y6nx6WEWWYJpcvN947oAgQRf/Bv4j9pNUATXhe14rNSWwk5lvOYZSEu7XZeg55GSzJSQjIO29F2SW8b886pB3hbRV+OFtLwWaMvsQwNp25n4wePQJX5OczKZxbN6rfjf4kuOmeGbVP3PmHa8hrmEw== alex@case" + admin_email: acb.nix8518@miemilio.es diff --git a/infrastructure/roles/web/handlers/main.yaml b/infrastructure/roles/web/handlers/main.yaml new file mode 100644 index 0000000..73ed47a --- /dev/null 
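Review bot: `public_hostname_punycode` in `production.yaml` is a hand-written copy of `public_hostname`, and only the punycode form is used by the hunks visible in this patch. The two values can drift without anything noticing, and mod_md would then request a certificate for a name that no longer matches the host. A short comment above the pair, such as `# punycode form of public_hostname; used for MDomain/ServerName, keep both in sync`, would document the coupling. If `public_hostname` has no consumer elsewhere in the repository, it could be dropped instead.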
+++ b/infrastructure/roles/web/handlers/main.yaml @@ -0,0 +1,4 @@ +- name: restart web + ansible.builtin.service: + name: apache2 + state: restarted diff --git a/infrastructure/roles/web/tasks/main.yaml b/infrastructure/roles/web/tasks/main.yaml new file mode 100644 index 0000000..2bf04e2 --- /dev/null +++ b/infrastructure/roles/web/tasks/main.yaml @@ -0,0 +1,26 @@ +- name: install apache2 + ansible.builtin.package: + name: apache2 +- name: enable mod_md + ansible.builtin.command: + cmd: a2enmod md + creates: /etc/apache2/mods-enabled/md.load + notify: restart web +- name: enable mod_ssl + ansible.builtin.command: + cmd: a2enmod ssl + creates: /etc/apache2/mods-enabled/ssl.load + notify: restart web +- name: ssl site + ansible.builtin.copy: + dest: /etc/apache2/sites-enabled/ssl.conf + content: | + MDomain {{ public_hostname_punycode }} + MDCertificateAgreement accepted + + + ServerName {{ public_hostname_punycode }} + SSLEngine on + ServerAdmin {{ admin_email }} + + notify: restart web diff --git a/infrastructure/site.yaml b/infrastructure/site.yaml index 96e7048..451c2d9 100644 --- a/infrastructure/site.yaml +++ b/infrastructure/site.yaml @@ -3,4 +3,5 @@ roles: - users - motd + - web - git -- 2.47.3
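Review bot: The `ssl site` task in `roles/web/tasks/main.yaml` turns on an HTTPS vhost, but nothing in the rendered `ssl.conf` moves plain-HTTP visitors onto it, so whatever Apache already serves on port 80 presumably stays reachable unencrypted. mod_md can handle this itself: adding `MDRequireHttps temporary` after the `MDCertificateAgreement accepted` line redirects the managed domain to https once a certificate is in place, and it can be raised to `permanent` after the setup has proven stable. The same `ansible.builtin.copy` task also leaves the file mode to the remote umask; setting `mode: "0644"` makes the result deterministic. The lines around the `ServerName` block show up empty in this rendering, so the `VirtualHost` wrapper appears to have been lost on the page and is not reviewed here.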