diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
new file mode 100644
index 0000000..492ab85
--- /dev/null
+++ b/.github/FUNDING.yml
@@ -0,0 +1,3 @@
+# These are supported funding model platforms
+
+patreon: ansibleguy
diff --git a/defaults/main.yml b/defaults/main.yml
index b78e9a4..a756b5c 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -60,7 +60,7 @@ default_apache:
# 'Header set Permissions-Policy': '"none"'
# 'Header set Content-Security-Policy': '"default-src https:; font-src https:; img-src https:; script-src https:; style-src https:;"'
- ssl:
+ ssl: # see: https://github.com/ansibleguy/infra_certs
path: '/etc/apache2/ssl'
ca:
file: # can be used if you want to use an existing ca
@@ -85,6 +85,9 @@ default_apache:
email:
renew: false # if a renewal should be started by the role; the renewal service will auto-renew the certificates otherwise
+ security:
+ restricted_methods: ['GET', 'POST', 'HEAD']
+
APACHE_CONFIG: "{{ default_apache | combine(apache, recursive=true) }}"
# site-specific config
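Review bot: The key name `restricted_methods` added under `security:` reads like a deny-list, but the template changed in this commit uses it as the set of methods that stay permitted, with every other method answered by `[F]`. A comment on the new line would prevent a misconfiguration, e.g. `restricted_methods: ['GET', 'POST', 'HEAD']  # allow-list: methods NOT listed here get a 403 when a site enables security.restrict_methods`. The top-level `apache_restricted_methods` is removed further down in this file, so an inventory that still sets the old variable will be ignored without any error. A note in the role documentation or an assert on the old name would make that visible.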
@@ -94,6 +97,7 @@ default_site_config:
admin: 'apache@template.ansibleguy.net'
port_plain: 80
port_ssl: 443
+ domain:
aliases: []
ip:
@@ -114,7 +118,7 @@ default_site_config:
serve:
path: '/var/www/html'
- ssl:
+ ssl: # see: https://github.com/ansibleguy/infra_certs
mode: 'selfsigned' # existing/selfsigned/ca/letsencrypt
# existing:
# We expect the certs to be placed in the role's 'files' directory named like the site
@@ -182,4 +186,3 @@ apache_config_graylist: [
'SSLEngine', 'SSLCertificateKeyFile', 'SSLCertificateFile', 'SSLCertificateChainFile', 'ErrorLog', 'CustomLog', 'ServerAdmin',
'ServerAlias', 'ServerName', 'Redirect'
]
-apache_restricted_methods: ['GET', 'POST', 'HEAD']
diff --git a/tasks/debian/add_site.yml b/tasks/debian/add_site.yml
index 0f08fd9..ba2036a 100644
--- a/tasks/debian/add_site.yml
+++ b/tasks/debian/add_site.yml
@@ -4,7 +4,7 @@
ansible.builtin.fail:
msg: "The required site-configuration was not provided!
Needed: 'domain'"
- when: site.domain is undefined
+ when: site.domain is none or site.domain is undefined
tags: [config, sites, certs]
- name: "Apache | Debian | Site '{{ name }}' | Configuring certificates"
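Review bot: An empty string still passes the new condition on the `when:` line, because `domain: ''` is neither undefined nor none, so the play would presumably continue into the certificate task with a blank name. One test covers all three cases: `when: site.domain | default(none, true) is none`. The task this condition belongs to starts above the hunk, so any later validation of `site.domain` is not visible here.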
diff --git a/tasks/debian/main.yml b/tasks/debian/main.yml
index d311211..e21ab88 100644
--- a/tasks/debian/main.yml
+++ b/tasks/debian/main.yml
@@ -113,6 +113,7 @@
vars:
site: "{{ default_site_config | combine(site_item.value, recursive=true) }}"
name: "{{ site_item.key | safe_key }}"
+ path: "{{ site.serve.path }}"
loop_control:
loop_var: site_item
with_dict: "{{ APACHE_CONFIG.sites }}"
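Review bot: This loop over `APACHE_CONFIG.sites` has no `no_log` and no loop label, while the next loop over the same dict gains `no_log: true` in this commit, so Ansible still prints each full `site_item` as the per-item label here. If `no_log` was added because site values can hold sensitive settings (not visible from the hunk), adding `label: "{{ site_item.key }}"` under `loop_control:` limits the output to the site name without hiding task errors. The task starts above the hunk.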
@@ -131,9 +132,11 @@
vars:
site: "{{ default_site_config | combine(site_item.value, recursive=true) }}"
name: "{{ site_item.key | safe_key }}"
+ path: "{{ site.serve.path }}"
loop_control:
loop_var: site_item
with_dict: "{{ APACHE_CONFIG.sites }}"
+ no_log: true
tags: [config, sites, certs]
- name: Apache | Debian | Starting/Enabling apache
diff --git a/templates/etc/apache2/sites-available/site.conf.j2 b/templates/etc/apache2/sites-available/site.conf.j2
index da96cf0..f768cfe 100644
--- a/templates/etc/apache2/sites-available/site.conf.j2
+++ b/templates/etc/apache2/sites-available/site.conf.j2
@@ -113,11 +113,11 @@
{% if site.security.restrict_methods %}
RewriteEngine On
- RewriteCond %{REQUEST_METHOD} ^(?!{% for method in apache_restricted_methods %}{{ method }}{% if not loop.last %}|{% endif %}{% endfor %})
+ RewriteCond %{REQUEST_METHOD} ^(?!{% for method in APACHE_CONFIG.security.restricted_methods %}{{ method }}{% if not loop.last %}|{% endif %}{% endfor %})
RewriteRule .* - [F]
-
+
deny from all
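Review bot: The lookahead in the new `RewriteCond` line is anchored only at the start, so a method that merely begins with an allowed name (a constructed example: `GETX`) is not matched and skips the `[F]` rule. An empty `restricted_methods` list also renders `^(?!)`, which never matches and silently turns the restriction off. Anchoring the alternation fixes the first point, and `join` shortens the template: `RewriteCond %{REQUEST_METHOD} ^(?!(?:{{ APACHE_CONFIG.security.restricted_methods | join('|') }})$)`. The surrounding `{% if %}` block closes outside the hunk.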