disabled redirect-uri by default, added config examples, added ipv6 option

README.md

@@ -16,16 +16,17 @@ Ansible Role to deploy one or multiple Apache2 sites on a linux server.
   * Two **config-modes**:
     * serve (_default_)
     * redirect
+  * Support for specific configurations using the 'config' and 'config_additions' parameters
 
 
   * **Default config**:
     * Disabled: <TLS1.2, unsecure ciphers, autoindex, servertokens/-signature, ServerSideIncludes, CGI
     * Security headers: HSTS, X-Frame, Referrer-Policy, Content-Type nosniff, X-Domain-Policy, XXS-Protection
     * Limits to prevent DDoS
-    * Logging to syslog
     * Using a Self-Signed certificate
-    * Modules: +ssl, headers, rewrite; -autoindex
+    * Modules: +ssl, +http2, headers, rewrite; -autoindex
     * HTTP2 enabled with fallback to HTTP1.1
+    * IPv6 support disabled (*at least one ipv6 address MUST EXIST*)
 
 
   * **SSL modes** (_for more info see: [CERT ROLE](https://github.com/ansibleguy/infra_certs)_)
@@ -37,10 +38,13 @@ Ansible Role to deploy one or multiple Apache2 sites on a linux server.
 
   * **Default opt-ins**:
     * restricting methods to POST/GET/HEAD
+    * status-page listener on localhost
+    * Logging to syslog
+    * http2
 
 
   * **Default opt-outs**:
-    * Include the config file 'site_{{ site_name }}_app.conf' for advanced usage
+    * Include the config file 'sites-available/site_{{ site_name }}_app.conf' for advanced usage
 
 
 Options to provide module config will be added in the future!<br>
@@ -57,8 +61,8 @@ Also some basic mods will get a pre-config added. (_prefork, evasive_)
 * **Note:** This role expects that the site's unencrypted 'server' will only redirect to its encrypted connection.
 
 
-* **Note:** If you want all domain-names to get 'caught' by a site/server you need to add an underline '*' as alias or domain!<br>
+* **Note:** If you want all domain-names to get 'caught' by a site/server you need to add a star/wildcard '*' as alias!<br>
-This will also be done automatically if no domain is supplied.
+BUT: You still have to provide a main domain!
 
 
 * **Warning:** Not every setting/variable you provide will be checked for validity. Bad config might break the role!
@@ -90,13 +94,15 @@ apache:
     mode: 'serve'
     domain: 'static.guy.net'
     serve:
-      path: '/var/www/static'
+      path: '/var/www/site_guys_statics'
 
     ssl:
       mode: 'ca'  # create minimal ca with signed server-certificate
 
-    config:
+    config:  # add settings as key-value pairs
       KeepAliveTimeout: 10
+    config_additions:   # add a list of custom lines of config
+      - 'location = / { return 301 /kitty.jpg; }'
 
   git_stuff:
     mode: 'redirect'
@@ -110,6 +116,9 @@ apache:
 
     letsencrypt:
       email: 'apache@template.ansibleguy.net'
+
+    security:
+      restrict_methods: false
 ```
 
 ### Execution

defaults/main.yml

@@ -8,6 +8,8 @@ configure_security: true  # https://www.digitalocean.com/community/tutorials/how
 default_apache:
   sites: {}
 
+  ipv6: false  # IMPORTANT: at least one ipv6 address MUST BE defined on your system! else apache2 will fail to start
+
   status_page:
     state: 'present'
     bind: '127.0.0.1'
@@ -103,6 +105,7 @@ default_site_config:
   admin: 'apache@template.ansibleguy.net'
   port_plain: 80
   port_ssl: 443
+  listen: '*'
   domain:
   aliases: []
   ip:
@@ -122,7 +125,7 @@ default_site_config:
 
   redirect:
     target: 'https://github.com/ansibleguy'
-    request_uri: true
+    request_uri: false
 
   serve:
     path: '/var/www/html'

tasks/debian/add_site.yml

@@ -12,7 +12,7 @@
   when: "site.ssl.mode in ['selfsigned', 'existing', 'ca']"
   tags: [sites, certs]
 
-- name: "Apache | Debian | Site '{{ name }}' | Configuring listen-ports"
+- name: "Apache | Debian | Site '{{ name }}' | Configuring ipv4 listen-ports"
   ansible.builtin.lineinfile:
     path: '/etc/apache2/ports.conf'
     line: "Listen {{ port }}"
@@ -24,11 +24,24 @@
     - port != '443'
   loop_control:
     loop_var: port
-  with_items:
+  loop:
     - "{{ site.port_plain }}"
     - "{{ site.port_ssl }}"
   tags: [config, sites]
 
+- name: "Apache | Debian | Site '{{ name }}' | Configuring ipv6 listen-ports"
+  ansible.builtin.lineinfile:
+    path: '/etc/apache2/ports.conf'
+    line: "Listen [::]:{{ port }}"
+  ignore_errors: true
+  loop_control:
+    loop_var: port
+  loop:
+    - "{{ site.port_plain }}"
+    - "{{ site.port_ssl }}"
+  when: APACHE_CONFIG.ipv6
+  tags: [config, sites]
+
 - name: "Apache | Debian | Site '{{ name }}' | Create root directory"
   ansible.builtin.file:
     path: "{{ site.serve.path }}"

tasks/debian/main.yml

@@ -101,7 +101,7 @@
   ansible.builtin.file:
     state: absent
     dest: "/etc/apache2/sites-enabled/{{ item }}"
-  with_items:
+  loop:
     - '000-default.conf'
     - 'default-ssl.conf'
   tags: [config, base]

templates/etc/apache2/sites-available/site.conf.j2

@@ -3,7 +3,7 @@
 
 {% if site.plain_site %}
 # http listener
-<VirtualHost *:{{ site.port_plain }}>
+<VirtualHost {{ site.listen }}:{{ site.port_plain }}>
   ServerName {{ site.domain }}
 
 {%   if site.aliases | length > 0 %}
@@ -41,7 +41,7 @@
 {% endif %}
 
 # https listener
-<VirtualHost *:{{ site.port_ssl }}>
+<VirtualHost {{ site.listen }}:{{ site.port_ssl }}>
   ServerName {{ site.domain }}
 
 {% if site.aliases | length > 0 %}