From a0b4020cbca74ab6c833b542840a9e2cdfda8abc Mon Sep 17 00:00:00 2001
From: Lars Wirzenius
Date: Sat, 12 May 2018 20:28:44 +0300
Subject: Add: support optional Let's Encrypt TLS certs for static web sites

---
 roles/apache_server/defaults/main.yml | 4 ++
 roles/apache_server/tasks/main.yml | 47 ++++++++++++++++++++--
 .../templates/deploy_static_site_certs | 27 +++++++++++++
 .../apache_server/templates/virtualhost.conf.tmpl | 35 ++++++++++++++++
 4 files changed, 109 insertions(+), 4 deletions(-)
 create mode 100644 roles/apache_server/templates/deploy_static_site_certs

diff --git a/roles/apache_server/defaults/main.yml b/roles/apache_server/defaults/main.yml
index cfa797c..f130e35 100644
--- a/roles/apache_server/defaults/main.yml
+++ b/roles/apache_server/defaults/main.yml
@@ -15,3 +15,7 @@
 # ownermail: liw@liw.fi
 static_sites: []
+
+
+# Enable letsencrypt?
+letsencrypt: yes
 
diff --git a/roles/apache_server/tasks/main.yml b/roles/apache_server/tasks/main.yml
index 0f59f67..a66f85e 100644
--- a/roles/apache_server/tasks/main.yml
+++ b/roles/apache_server/tasks/main.yml
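Review bot: `letsencrypt: yes` on the last added line relies on the YAML 1.1 boolean alias; Ansible accepts it, but yamllint's truthy rule and YAML 1.2 parsers treat it as a string, so `letsencrypt: true` is the safer spelling. The role also reads `letsencrypt_email` (in the deploy script) and `letsencrypt_main_domain` (in the virtualhost template) once this flag is set, yet neither gets a default or even a commented placeholder here, so a play with the flag enabled fails on an undefined variable unless the inventory happens to define both. I would document them next to the flag in the style of the `# ownermail:` line above, e.g. `# letsencrypt_email: <mailbox registered with Let's Encrypt>` and `# letsencrypt_main_domain: <certbot lineage name under /etc/letsencrypt/live/>`.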
@@ -1,9 +1,48 @@ -- name: install rsync (so one can publish files via server) +- name: install apache and related packages apt: - name: rsync + name: "{{ item }}" + with_items: + - rsync + - apache2 -- name: install apache2 - apt: name=apache2 +- name: enable apache modules for ssl + apache2_module: + state: present + name: "{{ item }}" + with_items: + - ssl + - rewrite + +- name: install certbot + apt: + name: certbot + default_release: stretch-backports + when: letsencrypt + +- name: "empty list of domains for Let's Encrypt" + shell: rm -f /etc/letsencrypt/static_sites/* + +- name: "create list of domains for static sites to get Let's Encrypt certs for" + shell: | + if [ "{{ item.letsencrypt|default(false) }}" = True ] + then + listdir="/etc/letsencrypt/static_sites" + mkdir -p "$listdir" + touch "$listdir/{{ item.domain }}" + fi + with_items: "{{ static_sites }}" + +- name: install script to run certbot + template: + src: deploy_static_site_certs + dest: /usr/local/sbin/deploy_static_site_certs + owner: root + group: root + mode: 755 + when: letsencrypt + +- name: "get initial certificate from Let's Encrypt" + shell: /usr/local/sbin/deploy_static_site_certs - name: create dirs for static site contents file: diff --git a/roles/apache_server/templates/deploy_static_site_certs b/roles/apache_server/templates/deploy_static_site_certs new file mode 100644 index 0000000..32ace4e --- /dev/null +++ b/roles/apache_server/templates/deploy_static_site_certs @@ -0,0 +1,27 @@ +#!/bin/sh + +set -eu + + +domains() +{ + cd /etc/letsencrypt/static_sites + ls +} + + +opts() +{ + for domain in $(domains) + do + echo -w "/srv/http/$domain" -d "$domain" + done +} + + +certbot certonly \ + --noninteractive \ + --email "{{ letsencrypt_email }}" \ + --agree-tos \ + --expand \ + --webroot $(opts) diff --git a/roles/apache_server/templates/virtualhost.conf.tmpl b/roles/apache_server/templates/virtualhost.conf.tmpl index 1fa060a..5d06f0e 100644 
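Review bot: `mode: 755` in the `install script to run certbot` task is an unquoted decimal, which by Ansible's documented rule becomes decimal 755 (octal 1363) rather than 0755, so `/usr/local/sbin/deploy_static_site_certs` ends up world-writable and is then executed as root by the `get initial certificate` task two entries later; write `mode: "0755"`, matching the `mode: 0755` the content-directory task in this file uses (visible in a later hunk of this series). The `empty list of domains` task (`shell: rm -f /etc/letsencrypt/static_sites/*`) carries no `when: letsencrypt` guard, unlike the certbot and script tasks around it, and reports changed on every run. The `create list of domains` task tests the site flag as a shell string comparison against Jinja's rendering of a boolean (`= True`); `when: item.letsencrypt|default(false)` with the `file` module (`state: touch`) would express the condition in Ansible, be idempotent, and keep `item.domain` out of a shell line.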
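Review bot: `certbot certonly` is invoked even when `/etc/letsencrypt/static_sites` is empty — `opts` then emits nothing, certbot gets `--webroot` with no `-d` and, being `--noninteractive`, should exit non-zero, which under `set -e` fails the `get initial certificate` task that runs this script on every play. A guard before the call, `[ -n "$(domains)" ] || exit 0`, keeps a host with no Let's Encrypt sites deployable. Note also that `--webroot` with `-w "/srv/http/$domain"` requires Apache to already serve that directory on port 80 when the script runs; in the task order of this commit the script runs before the site directories and virtual hosts are created, so a first run on a fresh host looks likely to fail validation — worth confirming.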
--- a/roles/apache_server/templates/virtualhost.conf.tmpl +++ b/roles/apache_server/templates/virtualhost.conf.tmpl @@ -2,6 +2,36 @@ ServerName {{ item.domain }} {% if item.alias is defined %} ServerAlias {{ item.alias }} +{% endif %} + ServerAdmin {{ item.ownermail }} + DocumentRoot /srv/http/{{ item.domain }} + ErrorLog /var/log/apache2/{{ item.domain }}/error.log + CustomLog /var/log/apache2/{{ item.domain }}/access.log combined +{% if item.letsencrypt|default(false) %} + Redirect permanent / "https://{{ item.domain }}/" +{% else %} + + + Options +SymlinksIfOwnerMatch +Indexes +MultiViews +{% if item.htpasswd is defined %} + AuthType Basic + AuthName "{{ item.htpasswd_name }}" + AuthUserFile "/srv/http/{{ item.domain }}.htpasswd" + Require valid-user +{% else %} + AllowOverride AuthConfig + Require all granted +{% endif %} + +{% endif %} + + + +{% if item.letsencrypt|default(false) %} + + ServerName {{ item.domain }} +{% if item.alias is defined %} + ServerAlias {{ item.alias }} {% endif %} ServerAdmin {{ item.ownermail }} DocumentRoot /srv/http/{{ item.domain }} @@ -19,4 +49,9 @@ Require all granted {% endif %} + + SSLEngine on + SSLCertificateFile "/etc/letsencrypt/live/{{ letsencrypt_main_domain }}/fullchain.pem" + SSLCertificateKeyFile "/etc/letsencrypt/live/{{ letsencrypt_main_domain }}/privkey.pem" +{% endif %} -- cgit v1.2.1 From 5ea07a9bbe42f34583ecac44da492975317041a5 Mon Sep 17 00:00:00 2001 From: Lars Wirzenius Date: Fri, 18 May 2018 13:03:57 +0300 Subject: Change: don't use Let's Encrypt certificates by default --- roles/apache_server/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/apache_server/defaults/main.yml b/roles/apache_server/defaults/main.yml index f130e35..dfd4ec0 100644 --- a/roles/apache_server/defaults/main.yml +++ b/roles/apache_server/defaults/main.yml @@ -18,4 +18,4 @@ static_sites: [] # Enable letsencrypt? -letsencrypt: yes +letsencrypt: no -- cgit v1.2.1 
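Review bot: The `Redirect permanent / "https://{{ item.domain }}/"` in the `{% if item.letsencrypt %}` branch of the :80 vhost also redirects `/.well-known/acme-challenge/`, so HTTP-01 validation (which follows redirects) depends on the :443 vhost, and that vhost only loads once the `SSLCertificateFile` it references exists — a chicken-and-egg for the first issuance. Excluding the challenge path from the redirect, `RedirectMatch permanent "^/(?!\.well-known/)(.*)" "https://{{ item.domain }}/$1"`, lets port 80 answer challenges on its own before and after a certificate exists. As a point of style, the :443 block repeats the ServerName/ServerAlias/ServerAdmin/DocumentRoot/log/htpasswd lines of the :80 block verbatim; a Jinja macro or a `{% for %}` over the two ports would keep them from drifting apart. The `<VirtualHost>`/`<Directory>` lines do not survive on this page, so the nesting is inferred from the Jinja markers.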
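Review bot: `letsencrypt: no` keeps the YAML 1.1 boolean alias; `letsencrypt: false` reads the same to Ansible, passes yamllint's truthy rule and is not mis-read as a string by YAML 1.2 parsers. Since the comment is now `# Enable letsencrypt?` with the default off, it could say what turning it on does, e.g. `# Set to true to install certbot and fetch Let's Encrypt certificates for static_sites entries that set letsencrypt: true`.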
From de0e510a15edb7a44028389f40687c4297bdadad Mon Sep 17 00:00:00 2001 From: Lars Wirzenius Date: Fri, 18 May 2018 13:04:11 +0300 Subject: Fix: don't run things that require letencrypt vars, unlss desired --- roles/apache_server/tasks/main.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/apache_server/tasks/main.yml b/roles/apache_server/tasks/main.yml index a66f85e..b1de7e2 100644 --- a/roles/apache_server/tasks/main.yml +++ b/roles/apache_server/tasks/main.yml @@ -31,6 +31,7 @@ touch "$listdir/{{ item.domain }}" fi with_items: "{{ static_sites }}" + when: letsencrypt - name: install script to run certbot template: @@ -43,6 +44,7 @@ - name: "get initial certificate from Let's Encrypt" shell: /usr/local/sbin/deploy_static_site_certs + when: letsencrypt - name: create dirs for static site contents file: @@ -52,6 +54,7 @@ group: "{{ item.owner }}" mode: 0755 with_items: "{{ static_sites }}" + when: letsencrypt - name: create log dirs for websites file: -- cgit v1.2.1 From 327610bad876a6c9ba4a7dbbb760ecfacb857c95 Mon Sep 17 00:00:00 2001 From: Lars Wirzenius Date: Fri, 18 May 2018 16:10:00 +0300 Subject: Change: allow .well-known dir be outside webroot --- roles/apache_server/tasks/main.yml | 6 ++++-- roles/apache_server/templates/deploy_static_site_certs | 4 +++- roles/apache_server/templates/virtualhost.conf.tmpl | 17 +++++++++++------ 3 files changed, 18 insertions(+), 9 deletions(-) diff --git a/roles/apache_server/tasks/main.yml b/roles/apache_server/tasks/main.yml index b1de7e2..808d8e9 100644 --- a/roles/apache_server/tasks/main.yml +++ b/roles/apache_server/tasks/main.yml 
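Review bot: The `when: letsencrypt` added in the third hunk (`@@ -52,6 +54,7 @@`) attaches to `create dirs for static site contents` — judging by the task order visible in the first commit of this series, the `group: "{{ item.owner }}"`/`mode: 0755`/`with_items: "{{ static_sites }}"` context lines belong to that task — so with the new default `letsencrypt: no` the content directories are no longer created for any site, which the subject line does not intend; that task reads no Let's Encrypt variable and the added line should be dropped. The first two hunks guard tasks that only matter with Let's Encrypt (`create list of domains` and `get initial certificate`, the latter running the script that expands `letsencrypt_email`) and look right. The `empty list of domains` task (`shell: rm -f /etc/letsencrypt/static_sites/*`, just before the first hunk) is still unguarded and should get the same `when: letsencrypt`.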
@@ -24,11 +24,13 @@ - name: "create list of domains for static sites to get Let's Encrypt certs for" shell: | + listdir="/etc/letsencrypt/static_sites" + wellknown="/srv/letsencrypt" + mkdir -p "$listdir" "$wellknown" if [ "{{ item.letsencrypt|default(false) }}" = True ] then - listdir="/etc/letsencrypt/static_sites" - mkdir -p "$listdir" touch "$listdir/{{ item.domain }}" + mkdir -p "$wellknown/{{ item.domain }}" fi with_items: "{{ static_sites }}" when: letsencrypt diff --git a/roles/apache_server/templates/deploy_static_site_certs b/roles/apache_server/templates/deploy_static_site_certs index 32ace4e..3521651 100644 --- a/roles/apache_server/templates/deploy_static_site_certs +++ b/roles/apache_server/templates/deploy_static_site_certs @@ -14,7 +14,8 @@ opts() { for domain in $(domains) do - echo -w "/srv/http/$domain" -d "$domain" + echo -w "/srv/http/$domain" -d "$domain" \ + --webroot-path "/srv/letsencrypt/$domain" done } @@ -24,4 +25,5 @@ certbot certonly \ --email "{{ letsencrypt_email }}" \ --agree-tos \ --expand \ + --cert-name static_sites \ --webroot $(opts) diff --git a/roles/apache_server/templates/virtualhost.conf.tmpl b/roles/apache_server/templates/virtualhost.conf.tmpl index 5d06f0e..fd6bb51 100644 --- a/roles/apache_server/templates/virtualhost.conf.tmpl +++ b/roles/apache_server/templates/virtualhost.conf.tmpl @@ -7,11 +7,10 @@ DocumentRoot /srv/http/{{ item.domain }} ErrorLog /var/log/apache2/{{ item.domain }}/error.log CustomLog /var/log/apache2/{{ item.domain }}/access.log combined + {% if item.letsencrypt|default(false) %} - Redirect permanent / "https://{{ item.domain }}/" + Redirect permanent / "https://{{ item.domain }}/" {% else %} - - Options +SymlinksIfOwnerMatch +Indexes +MultiViews {% if item.htpasswd is defined %} AuthType Basic @@ -22,8 +21,14 @@ AllowOverride AuthConfig Require all granted {% endif %} - {% endif %} + + + Alias /.well-known/ /srv/letsencrypt/{{ item.domain }}/ + + Require all granted + + 
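Review bot: The shell block still decides per site with `if [ "{{ item.letsencrypt|default(false) }}" = True ]`, a string comparison against Jinja's rendering of a Python boolean, and the task reports changed on every run because `mkdir -p`/`touch` give Ansible nothing to compare. Moving the condition to `when: letsencrypt and item.letsencrypt|default(false)` and creating `/etc/letsencrypt/static_sites/{{ item.domain }}` and `/srv/letsencrypt/{{ item.domain }}` with the `file` module (`state: touch` / `state: directory`) would be idempotent and keep `item.domain` out of a shell line. The `listdir`/`wellknown` setup could then become a single `file: state: directory` task with a two-element loop.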
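Review bot: In `opts`, the `--webroot-path "/srv/letsencrypt/$domain"` appended after `-d "$domain"` does not apply to that domain: certbot documents that each `-d` takes the webroot path that precedes it, so challenge files still go to `/srv/http/$domain` while the template now aliases `/.well-known/` to `/srv/letsencrypt/$domain`. If I read the option semantics right, the old `-w` should be replaced rather than supplemented: `echo -w "/srv/letsencrypt/$domain" -d "$domain"`. That mapping is also what later `certbot renew` runs reuse, so the mismatch would persist past the initial issuance.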
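Review bot: The `Alias /.well-known/ /srv/letsencrypt/{{ item.domain }}/` added after the `{% endif %}` shares a context with the `Redirect permanent /` kept in the letsencrypt branch above it, and mod_alias evaluates Redirects before Aliases within one context, so on the :80 vhost ACME requests are still sent to https and the alias is never reached there. Unless the same Alias block also exists in the SSL vhost (the hunk at `@@ -51,7 +56,7 @@` shows only the certificate paths changing there), validation ends up under `DocumentRoot /srv/http/{{ item.domain }}` instead of `/srv/letsencrypt/...`. Narrowing the redirect, `RedirectMatch permanent "^/(?!\.well-known/)(.*)" "https://{{ item.domain }}/$1"`, lets port 80 serve the challenge path itself. The `<Directory>` open/close lines do not survive on this page, so the nesting is inferred from the Jinja markers.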
@@ -51,7 +56,7 @@ SSLEngine on - SSLCertificateFile "/etc/letsencrypt/live/{{ letsencrypt_main_domain }}/fullchain.pem" - SSLCertificateKeyFile "/etc/letsencrypt/live/{{ letsencrypt_main_domain }}/privkey.pem" + SSLCertificateFile "/etc/letsencrypt/live/static_sites/fullchain.pem" + SSLCertificateKeyFile "/etc/letsencrypt/live/static_sites/privkey.pem" {% endif %} -- cgit v1.2.1 From 7e0a78dbc97c945fe9e8301eddec941649453909 Mon Sep 17 00:00:00 2001 From: Lars Wirzenius Date: Tue, 22 May 2018 08:17:40 +0300 Subject: Fix: enable apache ssl module only after configs --- roles/apache_server/tasks/main.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/roles/apache_server/tasks/main.yml b/roles/apache_server/tasks/main.yml index 808d8e9..79b5054 100644 --- a/roles/apache_server/tasks/main.yml +++ b/roles/apache_server/tasks/main.yml @@ -5,14 +5,6 @@ - rsync - apache2 -- name: enable apache modules for ssl - apache2_module: - state: present - name: "{{ item }}" - with_items: - - ssl - - rewrite - - name: install certbot apt: name: certbot @@ -86,6 +78,14 @@ with_items: "{{ static_sites }}" when: item.htpasswd is defined +- name: enable apache modules for ssl + apache2_module: + state: present + name: "{{ item }}" + with_items: + - ssl + - rewrite + - name: enable apache sites shell: a2ensite "{{ item.domain }}" with_items: "{{ static_sites }}" -- cgit v1.2.1
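Review bot: Neither the re-placed `enable apache modules for ssl` task nor the `enable apache sites` task below it (`shell: a2ensite "{{ item.domain }}"`) notifies a handler, so a newly enabled `ssl` module or site takes effect only when something else restarts Apache; a `notify: reload apache` on both (with a matching handler, which is outside this hunk if it exists) would let the play converge in one run. `a2ensite` via `shell` also reports changed every time; `command:` with `creates: /etc/apache2/sites-enabled/{{ item.domain }}.conf` is the usual idempotent form, assuming the site config is written under that name, which this hunk does not show.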