---

# site-specific config
defaults_site:
  mode: 'serve'
  state: 'present'
  admin: 'apache@template.oxl.at'
  port_plain: 80
  port_ssl: 443
  listen: '*'
  name:
  # name is used to set the filename of the apache config file under the
  # sites_available directory (like "site_{{name}}.conf").
  domain:
  aliases: []
  ip:
  http_versions: [2, 1]
  plain_site: true  # if http site (only used for redirect to https) should be created
  plain_redirect: 'preserve_domain'  # keep hostname from plain request => any other value will set the redirect to the main-domain

  config: {}  # site-specific setting-value pairs
  config_additions: []  # lines that will 1-to-1 be appended to the site-config
  app_include: false
  headers: {}

  security:  # https://www.nixpal.com/apache-httpd-hardening/
    disable_root_index: true
    disable_ssi_cgi: true
    restrict_methods: true  # disable anything but GET/POST/HEAD methods; if you're running a web-application you might need to disable this filter
    deny_dangerous_methods: true  # if 'restrict_methods' is disabled - this will still deny 'TRACE' & 'CONNECT' as they might open your server/services up to attacks

  redirect:
    target: 'https://github.com/O-X-L'
    request_uri: false

  serve:
    path: '/var/www/html'

  ssl:  # see: https://github.com/O-X-L/ansible-role-certs
    mode: 'snakeoil'  # existing/selfsigned/ca/letsencrypt/snakeoil
    # existing:
    #   We expect the certs to be placed in the role's 'files' directory named like the site
    #   Example: files/certs/oxlorg.key and files/certs/oxlorg.crt
    # letsencrypt:
    #   Host needs to have a valid public dns record pointed at it
    #   Needs to be publicly reachable over port 80/tcp
    bundle: false
    # If all necessary intermediate certificates are included in the certificate
    # file, set bundle to true. This will prevent configuring an
    # SSLCertificateChainFile in the apache ssl configuration, as the chain file
    # will not exist in this use case & the config option should not be included
    cert:
      name:
      cn: 'Apache Certificate'
      org: 'AnsibleGuy'
      ou:
      country:
      state:
      locality:
      email:
      crl_distribution: []
    ca:
      file:  # can be used if you want to use an existing ca
      cn:
      org:
      ou:
      country:
      state:
      locality:
      email:
      pwd:  # it's highly recommended setting a passphrase!

  letsencrypt:
    key_size:
    email: