s3lph da505db40d
fix: ansible-lint
2024-08-11 04:02:14 +02:00

Ansible Collection - s3lph.webserver

Configure Apache2 and Certbot, with an auto-bootstrap mechanism.

Usage Examples

Multi-VHost Setup with Let's Encrypt Certificates

We start with the following playbook:

- hosts: webserver
  roles:
    - s3lph.webserver.apache2
    - s3lph.webserver.certbot

To configure our VHosts, we create a hostvars file, e.g. host_vars/web01.example.org/apache2.yml:

apache2_sites:

  # This simply serves /var/www/foo.example.org/html under the vhost foo.example.org.
  foo.example.org:
    documentroot: /var/www/foo.example.org/html
    tls_certfile: /etc/letsencrypt/live/foo.example.org/fullchain.pem
    tls_keyfile: /etc/letsencrypt/live/foo.example.org/privkey.pem

  # A simple reverse-proxy example
  bar.example.org:
    aliases:
      - baz.example.org
    documentroot: /var/www/bar.example.org/html
    tls_certfile: /etc/letsencrypt/live/bar.example.org/fullchain.pem
    tls_keyfile: /etc/letsencrypt/live/bar.example.org/privkey.pem
    # You can add any Apache2 config to the VHost config
    additional_config: |
      ProxyPass / http://localhost:8080/
      ProxyPassReverse / http://localhost:8080/

To tell the certbot role which certificates to issue, create another hostvars file such as host_vars/web01.example.org/certbot.yml. Every name served by a VHost (including its aliases) needs a webroot_map entry pointing at the directory Apache serves for that name, so the HTTP-01 challenge files can be found:

certbot_certificates:
  foo.example.org:
    webroot_map:
      foo.example.org: /var/www/foo.example.org/html
  bar.example.org:
    webroot_map:
      bar.example.org: /var/www/bar.example.org/html
      baz.example.org: /var/www/bar.example.org/html

Bootstrap

The bootstrap mechanism works in two steps:

  • When the configured certificate files do not exist yet, the apache2 role instead uses Debian's default "snakeoil" certificate, resulting in a valid configuration that serves self-signed certificates.
  • After the ACME challenge has been completed (which works with the self-signed certs, since the HTTP-01 challenge only needs the webroot to be served) and the Apache2 role is applied a second time, it configures the certificates issued by Let's Encrypt.

This can either be achieved by running the playbook from the previous example twice, or by invoking the Apache2 role twice in the same playbook (but in a second play):

- hosts: webserver
  roles:
    - s3lph.webserver.apache2
    - s3lph.webserver.certbot

- hosts: webserver
  roles:
    - s3lph.webserver.apache2
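The following is an added example, not code from the s3lph.webserver collection. It models the bootstrap rule described above (fall back to Debian's snakeoil pair while the Let's Encrypt files are missing) and cross-checks the two hostvars files from the VHost example: every VHost name and alias must have a certbot webroot_map entry that matches the documentroot Apache serves for it. The snakeoil paths are the Debian ssl-cert defaults; the data is the README's example restated as Python literals.

```python
import os

# Debian ssl-cert package defaults, used by the bootstrap fallback.
SNAKEOIL_CERT = "/etc/ssl/certs/ssl-cert-snakeoil.pem"
SNAKEOIL_KEY = "/etc/ssl/private/ssl-cert-snakeoil.key"

# Constructed from the README's apache2.yml / certbot.yml examples.
APACHE2_SITES = {
    "foo.example.org": {
        "documentroot": "/var/www/foo.example.org/html",
        "tls_certfile": "/etc/letsencrypt/live/foo.example.org/fullchain.pem",
        "tls_keyfile": "/etc/letsencrypt/live/foo.example.org/privkey.pem",
    },
    "bar.example.org": {
        "aliases": ["baz.example.org"],
        "documentroot": "/var/www/bar.example.org/html",
        "tls_certfile": "/etc/letsencrypt/live/bar.example.org/fullchain.pem",
        "tls_keyfile": "/etc/letsencrypt/live/bar.example.org/privkey.pem",
    },
}
CERTBOT_CERTIFICATES = {
    "foo.example.org": {"webroot_map": {
        "foo.example.org": "/var/www/foo.example.org/html"}},
    "bar.example.org": {"webroot_map": {
        "bar.example.org": "/var/www/bar.example.org/html",
        "baz.example.org": "/var/www/bar.example.org/html"}},
}

def effective_tls(site, exists=os.path.exists):
    """Bootstrap step 1: use the configured files only once both exist,
    otherwise bring the vhost up on the self-signed snakeoil pair.
    Returns (certfile, keyfile, is_fallback)."""
    cert, key = site["tls_certfile"], site["tls_keyfile"]
    if exists(cert) and exists(key):
        return cert, key, False
    return SNAKEOIL_CERT, SNAKEOIL_KEY, True

def check_webroots(sites, certs):
    """Report what would make the HTTP-01 webroot challenge fail: a vhost
    name or alias without a webroot_map entry, or a webroot that is not
    the documentroot Apache actually serves for that name."""
    problems = []
    webroots = {n: wr for c in certs.values()
                for n, wr in c["webroot_map"].items()}
    for name, site in sites.items():
        for fqdn in [name] + site.get("aliases", []):
            if fqdn not in webroots:
                problems.append(f"{fqdn}: no certbot webroot_map entry")
            elif webroots[fqdn] != site["documentroot"]:
                problems.append(f"{fqdn}: webroot {webroots[fqdn]} "
                                f"!= documentroot {site['documentroot']}")
    return problems
```

Run check_webroots before the first play; an empty list means the certbot role can complete the challenge for every name the apache2 role will serve.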