imfreedom/email-ansible
Add a mostly working apache role and make the mail role depend on it
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/roles/apache2/files/000-default.conf Mon Nov 16 21:46:22 2020 -0600
@@ -0,0 +1,34 @@
+ # This allows for an actual site to be configured at the server's real + # hostname, if desired. + ServerAdmin root@pidgin.im + DocumentRoot /usr/local/share/wiktel/apache/notconfigured + <Directory /usr/local/share/wiktel/apache/notconfigured> + ErrorDocument 503 /notconfigured.html + RedirectMatch 503 ^/(?!(gtk-properties\.png|notconfigured\.(css|html)|server-status|robots\.txt|\.well-known)) + Header always set Retry-After "3600" + <Location /server-status> + Options +FollowSymLinks + RewriteCond %{REMOTE_ADDR} !^127\. + RewriteCond %{REMOTE_ADDR} !^::1$ + RewriteRule ^/ "https://%{HTTP_HOST}/server-status" + # Prevent caching to avoid issues if the real site comes back. + <IfModule mod_headers.c> + Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate" + Header set Pragma "no-cache" + Header set Expires "Mon, 26 Jul 1997 05:00:00 GMT" +# vim: syntax=apache ai ts=4 sts=4 et sw=4 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/roles/apache2/files/apache2.certbot Mon Nov 16 21:46:22 2020 -0600
@@ -0,0 +1,4 @@
+systemctl reload apache2 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/roles/apache2/files/pidgin-certbot.conf Mon Nov 16 21:46:22 2020 -0600
@@ -0,0 +1,10 @@
+Alias /.well-known/acme-challenge/ /var/www/html/.well-known/acme-challenge/ +<Directory /var/www/html/.well-known/acme-challenge/> +# vim: syntax=apache ai ts=4 sts=4 et sw=4 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/roles/apache2/files/pidgin-compression.conf Mon Nov 16 21:46:22 2020 -0600
@@ -0,0 +1,52 @@
+### Enable Compression ### +# See: http://httpd.apache.org/docs/2.0/mod/mod_deflate.html +BrowserMatch ^Mozilla/4 gzip-only-text/html +BrowserMatch ^Mozilla/4\.0[678] no-gzip +### Internet Explorer ### +# MSIE's User-Agent mentions Mozilla; clear gzip-only-text/html just in case. +# Set no-gzip, which will be lifted later via ie-gzip-ok. +BrowserMatch \bMSIE no-gzip !gzip-only-text/html ie-gzip-ok=1 +# IE has intermittent problems here. +SetEnvIf Request_URI "^/phpmyadmin/css/" ie-gzip-ok=0 +# The PDF plugin for IE only intermittently works with compressed PDFs. +SetEnvIfNoCase Request_URI \.pdf$ ie-gzip-ok=0 +# Clear the no-gzip flag if IE is still safe. +SetEnvIf ie-gzip-ok 1 !no-gzip +# The Adobe PDF plugin for Safari has issues as well. +BrowserMatch \bAppleWebKit no-gzip safari-gzip-ok=1 +SetEnvIfNoCase Request_URI \.pdf$ safari-gzip-ok=0 +SetEnvIf safari-gzip-ok 1 !no-gzip +### Already Compressed Content ### +# Don't compress images, sounds, movies, executables, or archive types, as +# they're already compressed. (Executables might not be, but those being +# distributed via HTTP are generally installers, and the contents are.) +SetEnvIfNoCase Request_URI \.(?:avi|bmp|bz2|dmg|exe|flac|flv|gif|jpe?g|m4[apv]|mov|mp[34g]|ogg|png|rar|sit|swf|t?gz|wav|wm[av]|zip)$ no-gzip dont-vary +### Vary Header Setup ### +# Make sure proxies don't deliver the wrong content +Header append Vary User-Agent env=!dont-vary +# vim: syntax=apache ai ts=4 sts=4 et sw=4 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/roles/apache2/files/pidgin-timeout.conf Mon Nov 16 21:46:22 2020 -0600
@@ -0,0 +1,5 @@
+# vim: syntax=apache ai ts=4 sts=4 et sw=4 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/roles/apache2/handlers/main.yaml Mon Nov 16 21:46:22 2020 -0600
@@ -0,0 +1,4 @@
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/roles/apache2/meta/main.yaml Mon Nov 16 21:46:22 2020 -0600
@@ -0,0 +1,1 @@
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/roles/apache2/tasks/apache2.yaml Mon Nov 16 21:46:22 2020 -0600
@@ -0,0 +1,69 @@
+- name: install Apache configuration files + dest: /etc/apache2/conf-available/ + - pidgin-compression.conf + # This will fail if Apache has not been installed. + ignore_errors: "{{ ansible_check_mode }}" +- name: enable HTTP/2 module + when: not ((ansible_facts["distribution"] == "Debian" and + ansible_facts["distribution_major_version"] == "10") or + (ansible_facts["distribution"] == "Ubuntu" and + (ansible_facts["distribution_version"] == "16.04" or + ansible_facts["distribution_version"] == "18.04"))) + # This will fail if Apache has not been installed. + ignore_errors: "{{ ansible_check_mode }}" +- name: enable Apache configuration files + src: "../conf-available/{{ item }}" + dest: "/etc/apache2/conf-enabled/{{ item }}" + # This will fail if the files have not been installed. + ignore_errors: "{{ ansible_check_mode }}" + - pidgin-compression.conf +- name: install 000-default.conf + dest: /etc/apache2/sites-available/ +- name: enable 000-default.conf + src: ../sites-available/000-default.conf + dest: /etc/apache2/sites-enabled/000-default.conf + # This will fail if Apache has not been installed. + ignore_errors: "{{ ansible_check_mode }}" --- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/roles/apache2/tasks/apache2tls.yaml Mon Nov 16 21:46:22 2020 -0600
@@ -0,0 +1,40 @@
+# The following task is here as it has to wait until the certificate has been +# obtained, which we only run when the hostname does not end with "-new". +# We use 000-default-ssl.conf instead of default-ssl.conf to ensure it is +# ordered first. This ensures that we get the server's certificate if no +# hostname is provided via SNI. We can't use _default_:443, as the +# documentation says "A default vhost never serves a request that was sent to +# an address/port that is used for name-based vhosts." +# -- https://httpd.apache.org/docs/2.4/vhosts/examples.html#default +- name: install 000-default-ssl.conf + src: 000-default-ssl.conf.j2 + dest: /etc/apache2/sites-available/000-default-ssl.conf +- name: enable 000-default-ssl.conf + src: ../sites-available/000-default-ssl.conf + dest: /etc/apache2/sites-enabled/000-default-ssl.conf + # This will fail if the file has not been created. + ignore_errors: "{{ ansible_check_mode }}" +- name: eliminate default-ssl site + path: "/etc/apache2/sites-{{ item }}/default-ssl.conf" --- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/roles/apache2/tasks/certbot.yaml Mon Nov 16 21:46:22 2020 -0600
@@ -0,0 +1,28 @@
+- name: create /etc/letsencrypt/renewal-hooks/deploy directory + path: /etc/letsencrypt/renewal-hooks/deploy +- name: install apache2 hook for certbot + dest: /etc/letsencrypt/renewal-hooks/deploy/apache2 +- name: obtain a certificate for the hostname + certbot --quiet -m root@pidgin.im --no-eff-email --agree-tos + --webroot -w /var/www/html certonly \ + -d {{ inventory_hostname | quote }} + creates: "/etc/letsencrypt/live/{{ inventory_hostname }}/cert.pem" --- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/roles/apache2/tasks/http.yaml Mon Nov 16 21:46:22 2020 -0600
@@ -0,0 +1,8 @@
+- name: allow http traffic --- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/roles/apache2/tasks/main.yaml Mon Nov 16 21:46:22 2020 -0600
@@ -0,0 +1,40 @@
+- include_tasks: software.yaml +- include_tasks: http.yaml +- include_tasks: apache2.yaml +- include_tasks: certbot.yaml +- include_tasks: apache2tls.yaml --- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/roles/apache2/tasks/software.yaml Mon Nov 16 21:46:22 2020 -0600
@@ -0,0 +1,16 @@
+- name: install software + name: "{{ apache_packages }}" --- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/roles/apache2/templates/000-default-ssl.conf.j2 Mon Nov 16 21:46:22 2020 -0600
@@ -0,0 +1,32 @@
+# vim: syntax=apache ai ts=4 sts=4 et sw=4 + # This allows for an actual site to be configured at the server's real + # hostname, if desired. + ServerAdmin root@pidgin.im + SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 + SSLCertificateKeyFile /etc/letsencrypt/live/{{ inventory_hostname }}/privkey.pem + SSLCACertificateFile /etc/letsencrypt/live/{{ inventory_hostname }}/chain.pem + SSLCertificateFile /etc/letsencrypt/live/{{ inventory_hostname }}/cert.pem + DocumentRoot /usr/local/share/wiktel/apache/notconfigured + <Directory /usr/local/share/wiktel/apache/notconfigured> + ErrorDocument 503 /notconfigured.html + RedirectMatch 503 ^/(?!(gtk-properties\.png|notconfigured\.(css|html)|fpm-status|server-status|status|robots\.txt|\.well-known)) + Header always set Retry-After "3600" + # Prevent caching to avoid issues if the real site comes back. + <IfModule mod_headers.c> + Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate" + Header set Pragma "no-cache" + Header set Expires "Mon, 26 Jul 1997 05:00:00 GMT" --- a/roles/mail/meta/main.yaml Mon Nov 16 20:35:18 2020 -0600
+++ b/roles/mail/meta/main.yaml Mon Nov 16 21:46:22 2020 -0600
@@ -1,2 +1,3 @@
