| 1 | - name: Create site directories |
|---|
| 2 | file: |
|---|
| 3 | state: directory |
|---|
| 4 | path: "{{ item.path }}" |
|---|
| 5 | group: "{{ item.group }}" |
|---|
| 6 | owner: "{{ item.owner }}" |
|---|
| 7 | mode: "{{ item.mode }}" |
|---|
| 8 | with_items: |
|---|
| 9 | - { path: '/var/log/apache2/{{ service_name }}', group: 'adm', owner: 'www-data', mode: '0750' } |
|---|
| 10 | - { path: '{{ web_root }}', group: 'www-data', owner: 'root', mode: '0751' } |
|---|
| 11 | notify: |
|---|
| 12 | - reload apache2 |
|---|
| 13 | |
|---|
| 14 | - name: Configure a TLS certificate for this site |
|---|
| 15 | include: ../../tls/tasks/configure-tls-cert.yml |
|---|
| 16 | |
|---|
| 17 | # The default vhost *must* be the first lexigraphically, so for the default service |
|---|
| 18 | # we add a filename prefix of '0-' to ensure that is the case |
|---|
| 19 | |
|---|
| 20 | - name: Install vhost |
|---|
| 21 | template: |
|---|
| 22 | src: ../../apache2/templates/apache.vhost.conf.j2 |
|---|
| 23 | dest: "/etc/apache2/sites-available/{{ '0-default' if service_name == 'default' else service_name }}.conf" |
|---|
| 24 | owner: root |
|---|
| 25 | group: root |
|---|
| 26 | mode: 0644 |
|---|
| 27 | register: vhost_config |
|---|
| 28 | |
|---|
| 29 | - name: Enable vhost |
|---|
| 30 | file: |
|---|
| 31 | src: "/etc/apache2/sites-available/{{ '0-default' if service_name == 'default' else service_name }}.conf" |
|---|
| 32 | dest: "/etc/apache2/sites-enabled/{{ '0-default' if service_name == 'default' else service_name }}.conf" |
|---|
| 33 | state: link |
|---|
| 34 | |
|---|
| 35 | # This file is supplied by the calling role, and included in the apache configuration |
|---|
| 36 | # by the above vhost file |
|---|
| 37 | |
|---|
| 38 | - name: Install custom site config |
|---|
| 39 | template: |
|---|
| 40 | src: apache.incl.conf.j2 |
|---|
| 41 | dest: "/etc/apache2/includes/{{ service_name }}.incl.conf" |
|---|
| 42 | owner: root |
|---|
| 43 | group: root |
|---|
| 44 | mode: 0644 |
|---|
| 45 | notify: |
|---|
| 46 | - reload apache2 |
|---|
| 47 | |
|---|
| 48 | # We want to reload apache config _now_ instead of waiting for the notify |
|---|
| 49 | # task to run so we can request certificates using certbot and have the |
|---|
| 50 | # appropriate apache config in place for verification |
|---|
| 51 | - name: Reload apache now if vhost config changed |
|---|
| 52 | service: |
|---|
| 53 | name: apache2 |
|---|
| 54 | state: reloaded |
|---|
| 55 | when: vhost_config is changed |
|---|
| 56 | |
|---|
| 57 | - name: Check to see if a valid letsencrypt live directory is present |
|---|
| 58 | stat: |
|---|
| 59 | path: "/etc/letsencrypt/live/{{ domain }}/README" |
|---|
| 60 | register: letsencrypt_live |
|---|
| 61 | when: |
|---|
| 62 | - vhost_config is changed |
|---|
| 63 | - domain != "" |
|---|
| 64 | |
|---|
| 65 | - name: Remove letsencrypt live directory if it's not valid |
|---|
| 66 | file: |
|---|
| 67 | path: "/etc/letsencrypt/live/{{ domain }}" |
|---|
| 68 | state: absent |
|---|
| 69 | when: |
|---|
| 70 | - not letsencrypt_live.stat.exists |
|---|
| 71 | - development_mode != true |
|---|
| 72 | - domain != "" |
|---|
| 73 | |
|---|
| 74 | - name: Request letsencrypt certificate via certbot |
|---|
| 75 | command: "certbot certonly --non-interactive -m certificate@darkpeak.org --agree-tos --webroot -w /usr/share/certbot -d \"{{ domain }}\"" |
|---|
| 76 | when: |
|---|
| 77 | - development_mode != true |
|---|
| 78 | - domain != "" |
|---|
| 79 | |
|---|
