From ac9b21eb60e709c155f56cff54bbe49b1f628d93 Mon Sep 17 00:00:00 2001
From: Mathieu Gauthier-Pilote
Date: Fri, 28 Apr 2023 10:32:46 -0400
Subject: [PATCH] Now installs a LE SSL cert via certbot by default
---
 webapps/privatebin/defaults/main.yml | 3 +-
 webapps/privatebin/tasks/main.yml | 30 +++++++++++++++++--
 .../privatebin/templates/letsencrypt.conf.j2 | 11 +++++++
 webapps/privatebin/templates/ssl.conf.j2 | 3 ++
 webapps/privatebin/templates/vhost.conf.j2 | 15 ++--------
 5 files changed, 46 insertions(+), 16 deletions(-)
 create mode 100644 webapps/privatebin/templates/letsencrypt.conf.j2
 create mode 100644 webapps/privatebin/templates/ssl.conf.j2
diff --git a/webapps/privatebin/defaults/main.yml b/webapps/privatebin/defaults/main.yml
index b004cb1e..b9518213 100644
--- a/webapps/privatebin/defaults/main.yml
+++ b/webapps/privatebin/defaults/main.yml
@@ -1,6 +1,7 @@
 ---
 # defaults file for vars
-system_dep: "['apt-transport-https', 'git', 'certbot', 'libapache2-mod-php', 'libapache2-mpm-itk', 'php-gd']"
+system_dep: "['apt-transport-https', 'git', 'certbot', 'acl', 'apache2', 'libapache2-mpm-itk', 'libapache2-mod-php', 'php-gd']"
 git_url: 'https://github.com/PrivateBin/PrivateBin'
 git_version: '1.5.1'
 domains: ['example.domain.org']
+certbot_admin_email: 'mgauthier@evolix.ca'
diff --git a/webapps/privatebin/tasks/main.yml b/webapps/privatebin/tasks/main.yml
index 13c3eb5e..d0d0a1d8 100644
--- a/webapps/privatebin/tasks/main.yml
+++ b/webapps/privatebin/tasks/main.yml
@@ -4,6 +4,7 @@
 - name: Install main system dependencies
 apt:
 name: "{{ system_dep }}"
+ update_cache: yes
 - name: Add UNIX account
 user:
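Review bot: `certbot_admin_email: 'mgauthier@evolix.ca'` puts a real personal address into the role defaults, so every deployment that does not override it registers its ACME account and receives its expiry notices at that mailbox. Keep the default a placeholder consistent with `domains` — `certbot_admin_email: 'admin@example.domain.org'` — or leave it undefined and fail early with an `assert` task so operators must set it. As a style point, `system_dep` is still a quoted string holding a Python list literal and relies on Ansible's string-to-list conversion; a native YAML block sequence would be clearer and linter-friendly.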
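Review bot: `update_cache: yes` on the added line is a YAML 1.1 truthy spelling that yamllint flags; write `update_cache: true`. Refreshing the package index on every play also slows already-converged runs, so consider pairing it with `cache_valid_time: 3600` on the same `apt` task.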
@@ -20,6 +21,20 @@
 umask: '0022'
 become_user: "{{ service }}"
+#- name: Create the conf-available dir if needed
+# file:
+# path: /etc/apache2/conf-available
+# state: directory
+# mode: '0750'
+
+- name: Template apache conf for Let's Encrypt/Certbot
+ template:
+ src: "letsencrypt.conf.j2"
+ dest: "/etc/apache2/conf-available/letsencrypt.conf"
+
+- name: Enable apache conf for Let's Encrypt/Certbot
+ command: "/usr/sbin/a2enconf letsencrypt.conf"
+
 - name: Check if SSL certificate is present and register result
 stat:
 path: "/etc/letsencrypt/live/{{ domains |first }}/fullchain.pem"
@@ -43,8 +58,17 @@
 state: directory
 mode: '0755'
 - name: Generate certificate with certbot
- shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt -d {{ domains |first }}
- when: ssl.stat.exists == true
+ shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt --non-interactive --agree-tos --email {{ certbot_admin_email }} -d {{ domains |first }}
+ - name: Create the ssl dir if needed
+ file:
+ path: /etc/apache2/ssl
+ state: directory
+ mode: '0750'
+ - name: Template ssl block for apache vhost
+ template:
+ src: "ssl.conf.j2"
+ dest: "/etc/apache2/ssl/{{ service }}.conf"
+ when: ssl.stat.exists != true
 - name: (Re)check if SSL certificate is present and register result
 stat:
@@ -57,7 +81,7 @@
 dest: "/etc/apache2/sites-available/{{ service }}.conf"
 - name: Enable apache mode_rewrite
- command: "/usr/sbin/a2enmod rewrite"
+ command: "/usr/sbin/a2enmod ssl rewrite"
 - name: Enable .htaccess configuration
 copy:
diff --git a/webapps/privatebin/templates/letsencrypt.conf.j2 b/webapps/privatebin/templates/letsencrypt.conf.j2
new file mode 100644
index 00000000..ebc99483
--- /dev/null
+++ b/webapps/privatebin/templates/letsencrypt.conf.j2
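Review bot: `command: "/usr/sbin/a2enconf letsencrypt.conf"` runs and reports changed on every play, which hides whether the Apache configuration actually moved; give it `args: creates: /etc/apache2/conf-enabled/letsencrypt.conf` (the symlink a2enconf creates) so the task is idempotent, and notify the Apache reload handler if the role has one — none is visible in this hunk. The commented-out `Create the conf-available dir` task should be dropped or restored rather than left as dead YAML, since `apache2` is now in `system_dep` and ships that directory.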
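Review bot: The new `shell:` line interpolates `certbot_admin_email` and `domains | first` straight into a shell command without quoting, so an inventory value containing whitespace or shell metacharacters alters the command rather than the argument; pass both through `| quote` and use `command:`, since no shell feature is used. Dropping the old `when` means certbot now runs on every play unless the trailing `when: ssl.stat.exists != true` attaches to it — indentation is not recoverable here, and if it attaches only to the `Template ssl block` task the certificate request is unconditional; a `creates:` on the `fullchain.pem` path makes the task idempotent either way, and `not ssl.stat.exists` reads better than `!= true`. Only `domains | first` is certified although `domains` is a list; if the remaining entries are meant as alternative names they need additional `-d` arguments. The enclosing task list (and any `block:`) starts before this hunk.
```yaml
- name: Generate certificate with certbot
  command:
    cmd: >-
      certbot certonly --webroot --webroot-path /var/lib/letsencrypt
      --non-interactive --agree-tos
      --email {{ certbot_admin_email | quote }}
      -d {{ domains | first | quote }}
    creates: "/etc/letsencrypt/live/{{ domains | first }}/fullchain.pem"
# … unchanged: Create the ssl dir / Template ssl block tasks …
```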
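Review bot: The task is still named `Enable apache mode_rewrite` while its command now also enables `ssl`; rename it (`Enable apache modules ssl and rewrite`) so play output matches what runs. The bare `command:` also reports changed on every run; add `args: creates: /etc/apache2/mods-enabled/ssl.load`, or switch to `community.general.apache2_module` looping over `ssl` and `rewrite`, for idempotence.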
@@ -0,0 +1,11 @@
+
+ SetEnvIf Request_URI "/.well-known/acme-challenge/*" no-jk
+
+
+ ProxyPass /.well-known/acme-challenge/ !
+
+Alias /.well-known/acme-challenge /var/lib/letsencrypt/.well-known/acme-challenge
+
+ Options -Indexes
+ Require all granted
+
diff --git a/webapps/privatebin/templates/ssl.conf.j2 b/webapps/privatebin/templates/ssl.conf.j2
new file mode 100644
index 00000000..719fa1ad
--- /dev/null
+++ b/webapps/privatebin/templates/ssl.conf.j2
@@ -0,0 +1,3 @@
+SSLEngine On
+SSLCertificateFile /etc/letsencrypt/live/{{ domains |first }}/fullchain.pem
+SSLCertificateKeyFile /etc/letsencrypt/live/{{ domains |first }}/privkey.pem
diff --git a/webapps/privatebin/templates/vhost.conf.j2 b/webapps/privatebin/templates/vhost.conf.j2
index 343dd246..7a41926d 100644
--- a/webapps/privatebin/templates/vhost.conf.j2
+++ b/webapps/privatebin/templates/vhost.conf.j2
@@ -1,7 +1,7 @@
 ServerName {{ domains |first }}
- {% if not ssl.stat.exists %}
+ {% if ssl.stat.exists %}
 RewriteEngine On
 RewriteCond %{HTTPS} !=on
 RewriteCond %{HTTP:X-Forwarded-Proto} !=https
@@ -10,7 +10,7 @@
-{% if not ssl.stat.exists %}
+{% if ssl.stat.exists %}
 ServerName {{ domains |first }}
@@ -24,16 +24,7 @@
 AssignUserID {{ service }} {{ service }}
- SSLEngine On
- #SSLCertificateFile /etc/letsencrypt/live/{{ domains |first }}/fullchain.pem
- #SSLCertificateKeyFile /etc/letsencrypt/live/{{ domains |first }}/privkey.pem
- SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
- SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
-
- RewriteEngine On
- RewriteCond %{HTTPS} !=on
- RewriteCond %{HTTP:X-Forwarded-Proto} !=https
- RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,R=permanent]
+ IncludeOptional /etc/apache2/ssl/{{ service }}.conf
 {% endif %}
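Review bot: The fragment only turns on `SSLEngine` and points at the certificate files; protocol and cipher policy are inherited from the distribution's `mods-available/ssl.conf`, which depending on the OpenSSL system policy may still permit TLS 1.0/1.1. Add an explicit policy next to the key lines, e.g. `SSLProtocol -all +TLSv1.2 +TLSv1.3` (the `TLSv1.3` token needs Apache 2.4.36+ built against OpenSSL 1.1.1), or include certbot's `options-ssl-apache.conf` if the certbot apache plugin is installed — it is not in `system_dep` as shown. Once the HTTPS redirect in the vhost is confirmed working, `Header always set Strict-Transport-Security "max-age=63072000"` belongs here too, which requires `mod_headers` to be enabled.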
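Review bot: `IncludeOptional /etc/apache2/ssl/{{ service }}.conf` succeeds silently when the fragment is absent, and the :443 vhost then has no `SSLEngine On`, so Apache would answer plain HTTP on 443 instead of failing configtest. The fragment is templated only when `ssl.stat.exists != true` in tasks/main.yml, so a host whose certificate was obtained outside this role can reach exactly that state; use `Include /etc/apache2/ssl/{{ service }}.conf` so a missing file is a hard error, or template the fragment unconditionally. The `{% if ssl.stat.exists %}` block and the VirtualHost that enclose this line open before the hunk.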