diff options
author | Lars Wirzenius <liw@liw.fi> | 2018-05-12 20:28:44 +0300 |
---|---|---|
committer | Lars Wirzenius <liw@liw.fi> | 2018-05-12 20:28:44 +0300 |
commit | a0b4020cbca74ab6c833b542840a9e2cdfda8abc (patch) | |
tree | ef00583c29f780d85aab3bdef1a09a6215b5a68a /roles/apache_server/templates | |
parent | 9443898ed15a4fa7b8d2712a073b1bd2b011fa0a (diff) | |
download | debian-ansible-a0b4020cbca74ab6c833b542840a9e2cdfda8abc.tar.gz |
Add: support optional Let's Encrypt TLS certs for static web sites
Diffstat (limited to 'roles/apache_server/templates')
-rw-r--r-- | roles/apache_server/templates/deploy_static_site_certs | 27 | ||||
-rw-r--r-- | roles/apache_server/templates/virtualhost.conf.tmpl | 35 |
2 files changed, 62 insertions, 0 deletions
diff --git a/roles/apache_server/templates/deploy_static_site_certs b/roles/apache_server/templates/deploy_static_site_certs new file mode 100644 index 0000000..32ace4e --- /dev/null +++ b/roles/apache_server/templates/deploy_static_site_certs @@ -0,0 +1,27 @@ +#!/bin/sh + +set -eu + + +domains() +{ + cd /etc/letsencrypt/static_sites + ls +} + + +opts() +{ + for domain in $(domains) + do + echo -w "/srv/http/$domain" -d "$domain" + done +} + + +certbot certonly \ + --noninteractive \ + --email "{{ letsencrypt_email }}" \ + --agree-tos \ + --expand \ + --webroot $(opts) diff --git a/roles/apache_server/templates/virtualhost.conf.tmpl b/roles/apache_server/templates/virtualhost.conf.tmpl index 1fa060a..5d06f0e 100644 --- a/roles/apache_server/templates/virtualhost.conf.tmpl +++ b/roles/apache_server/templates/virtualhost.conf.tmpl @@ -7,6 +7,36 @@ DocumentRoot /srv/http/{{ item.domain }} ErrorLog /var/log/apache2/{{ item.domain }}/error.log CustomLog /var/log/apache2/{{ item.domain }}/access.log combined +{% if item.letsencrypt|default(false) %} + Redirect permanent / "https://{{ item.domain }}/" +{% else %} + <Directory /srv/http/{{ item.domain }}> + + Options +SymlinksIfOwnerMatch +Indexes +MultiViews +{% if item.htpasswd is defined %} + AuthType Basic + AuthName "{{ item.htpasswd_name }}" + AuthUserFile "/srv/http/{{ item.domain }}.htpasswd" + Require valid-user +{% else %} + AllowOverride AuthConfig + Require all granted +{% endif %} + </Directory> +{% endif %} +</VirtualHost> + + +{% if item.letsencrypt|default(false) %} +<VirtualHost _default_:443> + ServerName {{ item.domain }} +{% if item.alias is defined %} + ServerAlias {{ item.alias }} +{% endif %} + ServerAdmin {{ item.ownermail }} + DocumentRoot /srv/http/{{ item.domain }} + ErrorLog /var/log/apache2/{{ item.domain }}/error.log + CustomLog /var/log/apache2/{{ item.domain }}/access.log combined <Directory /srv/http/{{ item.domain }}> Options +SymlinksIfOwnerMatch +Indexes +MultiViews {% if item.htpasswd is defined %} @@ -19,4 +49,9 @@ Require all granted {% endif %} </Directory> + + SSLEngine on + SSLCertificateFile "/etc/letsencrypt/live/{{ letsencrypt_main_domain }}/fullchain.pem" + SSLCertificateKeyFile "/etc/letsencrypt/live/{{ letsencrypt_main_domain }}/privkey.pem" </VirtualHost> +{% endif %} |