diff --git a/webapps/privatebin/defaults/main.yml b/webapps/privatebin/defaults/main.yml
index b004cb1e..b9518213 100644
--- a/webapps/privatebin/defaults/main.yml
+++ b/webapps/privatebin/defaults/main.yml
@@ -1,6 +1,7 @@
---
# defaults file for vars
-system_dep: "['apt-transport-https', 'git', 'certbot', 'libapache2-mod-php', 'libapache2-mpm-itk', 'php-gd']"
+system_dep: "['apt-transport-https', 'git', 'certbot', 'acl', 'apache2', 'libapache2-mpm-itk', 'libapache2-mod-php', 'php-gd']"
git_url: 'https://github.com/PrivateBin/PrivateBin'
git_version: '1.5.1'
domains: ['example.domain.org']
+certbot_admin_email: 'mgauthier@evolix.ca'
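Review bot: `certbot_admin_email` defaults to a real personal mailbox, so every deployment that forgets to override it registers its ACME account there and sends that person the expiry and key-compromise notices for hosts they do not run; a role default should be an obviously invalid placeholder, e.g. `certbot_admin_email: 'changeme@example.org'` (placeholder), paired with an `assert` task before certbot runs that fails while the value is unchanged, or no default at all. On the changed `system_dep` line the package list is still a quoted string holding Python list syntax, which only works because Ansible re-evaluates templated results that look like literals; a plain YAML sequence is the robust form and is what `apt: name:` expects.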
diff --git a/webapps/privatebin/tasks/main.yml b/webapps/privatebin/tasks/main.yml
index 13c3eb5e..d0d0a1d8 100644
--- a/webapps/privatebin/tasks/main.yml
+++ b/webapps/privatebin/tasks/main.yml
@@ -4,6 +4,7 @@
- name: Install main system dependencies
apt:
name: "{{ system_dep }}"
+ update_cache: yes
- name: Add UNIX account
user:
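Review bot: `update_cache: yes` is a YAML 1.1 truthy literal that generic parsers and yamllint's `truthy` rule reject; write `update_cache: true`. Refreshing the package index on every run also costs a network round-trip per play, which `cache_valid_time: 3600` avoids when the index is still fresh. The `Add UNIX account` task continues outside the hunk.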
@@ -20,6 +21,20 @@
umask: '0022'
become_user: "{{ service }}"
+#- name: Create the conf-available dir if needed
+# file:
+# path: /etc/apache2/conf-available
+# state: directory
+# mode: '0750'
+
+- name: Template apache conf for Let's Encrypt/Certbot
+ template:
+ src: "letsencrypt.conf.j2"
+ dest: "/etc/apache2/conf-available/letsencrypt.conf"
+
+- name: Enable apache conf for Let's Encrypt/Certbot
+ command: "/usr/sbin/a2enconf letsencrypt.conf"
+
- name: Check if SSL certificate is present and register result
stat:
path: "/etc/letsencrypt/live/{{ domains |first }}/fullchain.pem"
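Review bot: `command: "/usr/sbin/a2enconf letsencrypt.conf"` runs on every play and always reports changed, since nothing tells Ansible when the work is already done; give it `args:` / `creates: /etc/apache2/conf-enabled/letsencrypt.conf`, which is the symlink a2enconf creates. The same applies to `a2enmod ssl rewrite` in the `@@ -57,7 +81,7 @@` hunk, where `creates: /etc/apache2/mods-enabled/ssl.load` would do. Neither the new conf nor the template task notifies an Apache reload handler, so unless a handler is wired up elsewhere (not visible here) the new `letsencrypt.conf` is not live until something else restarts Apache, which matters because the certbot webroot challenge that follows depends on it. The commented-out `Create the conf-available dir` task is dead text and should be dropped rather than committed.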
@@ -43,8 +58,17 @@
state: directory
mode: '0755'
- name: Generate certificate with certbot
- shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt -d {{ domains |first }}
- when: ssl.stat.exists == true
+ shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt --non-interactive --agree-tos --email {{ certbot_admin_email }} -d {{ domains |first }}
+ - name: Create the ssl dir if needed
+ file:
+ path: /etc/apache2/ssl
+ state: directory
+ mode: '0750'
+ - name: Template ssl block for apache vhost
+ template:
+ src: "ssl.conf.j2"
+ dest: "/etc/apache2/ssl/{{ service }}.conf"
+ when: ssl.stat.exists != true
- name: (Re)check if SSL certificate is present and register result
stat:
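Review bot: The certbot line under `shell:` interpolates `certbot_admin_email` and `domains | first` unquoted into a shell command; since no shell feature is used, `command:` avoids the shell entirely, i.e. `command: certbot certonly --webroot --webroot-path /var/lib/letsencrypt --non-interactive --agree-tos --email {{ certbot_admin_email }} -d {{ domains | first }}` (or keep `shell:` and apply `| quote` to both values). The indentation as rendered suggests `Create the ssl dir` and `Template ssl block` sit in the same block guarded by `when: ssl.stat.exists != true`, so `/etc/apache2/ssl/{{ service }}.conf` is only written on the run that first obtains the certificate; a certificate that already exists (issued out of band, or by a previous run that died after certbot) leaves the file absent, and a later change to `domains` never refreshes it. Moving those two tasks outside the conditional keeps them idempotent and independent of certificate state. `when: ssl.stat.exists != true` reads better as `when: not ssl.stat.exists`. The enclosing block starts and ends outside the hunk.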
@@ -57,7 +81,7 @@
dest: "/etc/apache2/sites-available/{{ service }}.conf"
- name: Enable apache mode_rewrite
- command: "/usr/sbin/a2enmod rewrite"
+ command: "/usr/sbin/a2enmod ssl rewrite"
- name: Enable .htaccess configuration
copy:
diff --git a/webapps/privatebin/templates/letsencrypt.conf.j2 b/webapps/privatebin/templates/letsencrypt.conf.j2
new file mode 100644
index 00000000..ebc99483
--- /dev/null
+++ b/webapps/privatebin/templates/letsencrypt.conf.j2
@@ -0,0 +1,11 @@
+
+ SetEnvIf Request_URI "/.well-known/acme-challenge/*" no-jk
+
+
+ ProxyPass /.well-known/acme-challenge/ !
+
+Alias /.well-known/acme-challenge /var/lib/letsencrypt/.well-known/acme-challenge
+
+ Options -Indexes
+ Require all granted
+
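Review bot: As rendered, `Options -Indexes` and `Require all granted` sit outside any container and the blank lines around `SetEnvIf` and `ProxyPass` look like stripped `<IfModule>`/`<Directory>` lines; if the committed file really is flat, Apache refuses to start because `Require` is not allowed in server scope, and if the containers are present, confirm the `Require all granted` is scoped to `/var/lib/letsencrypt/.well-known/acme-challenge` only, with a header comment such as `# Read-only exposure of the ACME HTTP-01 challenge webroot; nothing else under /var/lib/letsencrypt` to record that intent. The file contains no Jinja expressions, so `copy:` from `files/` would be a more honest choice than `template:`. The `SetEnvIf` pattern `"/.well-known/acme-challenge/*"` is a regex with unescaped dots and `/*` meaning zero or more slashes, so it matches more loosely than intended; `"^/\.well-known/acme-challenge/"` says it precisely.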
diff --git a/webapps/privatebin/templates/ssl.conf.j2 b/webapps/privatebin/templates/ssl.conf.j2
new file mode 100644
index 00000000..719fa1ad
--- /dev/null
+++ b/webapps/privatebin/templates/ssl.conf.j2
@@ -0,0 +1,3 @@
+SSLEngine On
+SSLCertificateFile /etc/letsencrypt/live/{{ domains |first }}/fullchain.pem
+SSLCertificateKeyFile /etc/letsencrypt/live/{{ domains |first }}/privkey.pem
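Review bot: Nothing in this file sets protocol or cipher policy, so TLS hardening depends on whatever `mods-available/ssl.conf` provides on the target, which is not visible in the diff. A one-line header such as `# Certificate paths only; protocol/cipher policy is inherited from the global Apache ssl.conf` would record that assumption, or explicit `SSLProtocol`/`SSLCipherSuite` lines would make the role own it.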
diff --git a/webapps/privatebin/templates/vhost.conf.j2 b/webapps/privatebin/templates/vhost.conf.j2
index 343dd246..7a41926d 100644
--- a/webapps/privatebin/templates/vhost.conf.j2
+++ b/webapps/privatebin/templates/vhost.conf.j2
@@ -1,7 +1,7 @@
ServerName {{ domains |first }}
- {% if not ssl.stat.exists %}
+ {% if ssl.stat.exists %}
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP:X-Forwarded-Proto} !=https
@@ -10,7 +10,7 @@
-{% if not ssl.stat.exists %}
+{% if ssl.stat.exists %}
ServerName {{ domains |first }}
@@ -24,16 +24,7 @@
AssignUserID {{ service }} {{ service }}
- SSLEngine On
- #SSLCertificateFile /etc/letsencrypt/live/{{ domains |first }}/fullchain.pem
- #SSLCertificateKeyFile /etc/letsencrypt/live/{{ domains |first }}/privkey.pem
- SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
- SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
-
- RewriteEngine On
- RewriteCond %{HTTPS} !=on
- RewriteCond %{HTTP:X-Forwarded-Proto} !=https
- RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,R=permanent]
+ IncludeOptional /etc/apache2/ssl/{{ service }}.conf
{% endif %}
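Review bot: `IncludeOptional /etc/apache2/ssl/{{ service }}.conf` silently does nothing when the file is missing, and because `SSLEngine On` moved into that file, a 443 vhost rendered without it answers plain HTTP on the TLS port and `apachectl configtest` passes; the previous inline `SSLEngine On` could not fail this way. Use `Include /etc/apache2/ssl/{{ service }}.conf` so a missing snippet is a hard config error. This is reachable in practice if the tasks hunk that templates the snippet only runs when the certificate was absent at the start of the play, as its indentation suggests, while this vhost is rendered whenever the re-checked `ssl.stat.exists` is true. The enclosing `<VirtualHost>` starts outside the hunk.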