---

# main switches
configure_anti_ddos: true  # mod_evasive
configure_security: true  # https://www.digitalocean.com/community/tutorials/how-to-set-up-mod_security-with-apache-on-debian-ubuntu

# default config => is overwritten by provided config
default_apache:
  sites: {}

  log:
    path: '/var/log/apache2'
    per_site: true
    syslog: true
    syslog_host:
    syslog_port: 514
    syslog_max_size: '4KiB'  # see: https://manpages.ubuntu.com/manpages/xenial/man1/logger.1.html
    prefix_ue: 'apache_'  # log prefix for http site
    prefix_ssl: 'apache_'  # log prefix for ssl site

  user: 'www-data'
  group: 'www-data'

  settings:
    # setting to be set in apache2.conf
    ServerTokens: 'Prod'
    ServerSignature: 'Off'

  # additions to the main apache config
  config:  # see: https://httpd.apache.org/docs/2.4/mod/core.html
    FileETag: 'None'
    KeepAlive: 'On'
    KeepAliveTimeout: 5
    MaxKeepAliveRequests: 100
    LimitRequestBody: 51200000  # 50MB => if you use file-uploads you might need to change this (0=unlimited, max=2147483647 [2GB])
    LimitRequestFields: 50
    LimitRequestFieldSize: 8190
    LimitRequestLine: 8190
    LimitXMLRequestBody: 1000000
    TimeOut: 60
    TraceEnable: 'off'
    # ssl option => see: https://httpd.apache.org/docs/2.4/mod/mod_ssl.html
    SSLProtocol: 'ALL -TLSv1.1 -TLSv1 -SSLv2 -SSLv3'
    SSLCipherSuite: 'ALL:+HIGH:!ADH:!EXP:!SSLv2:!SSLv3:!MEDIUM:!LOW:!NULL:!aNULL'
    SSLHonorCipherOrder: 'on'
    SSLOptions: '+StrictRequire'
    SSLSessionTickets: 'off'
    SSLCompression: 'off'

  headers:  # https://htaccessbook.com/important-security-headers/ | https://geekflare.com/http-header-implementation/
    # if first key does not include 'Header' => prepend 'Header set'
    'Header always set Strict-Transport-Security': '"max-age=31536000; includeSubDomains; preload"'
    'Referrer-Policy': '"same-origin"'
    'Content-Security-Policy': "\"default-src 'self';\""
    'X-Frame-Options': 'SAMEORIGIN'
    'X-Content-Type-Options': 'nosniff'
    'X-Permitted-Cross-Domain-Policies': '"none"'
    'X-XSS-Protection': '"1; mode=block"'
    'Header always edit Set-Cookie ^(.*)$': '$1;HttpOnly;Secure;SameSite=None'
    # 'Header set Permissions-Policy': '"none"'
    # 'Header set Content-Security-Policy': '"default-src https:; font-src https:; img-src https:; script-src https:; style-src https:;"'

  ssl:  # see: https://github.com/ansibleguy/infra_certs
    path: '/etc/apache2/ssl'
    ca:
      file:  # can be used if you want to use an existing ca
      cn: 'Apache CA Certificate'
      org: 'AnsibleGuy'
      ou:
      country:
      state:
      locality:
      email:
      pwd:  # it's highly recommended setting a passphrase!

  modules:
    present: ['ssl', 'headers', 'rewrite']
    absent: ['autoindex']

  letsencrypt:
    key_size: 4096
    path: '/etc/letsencrypt'
    renew_timer: 'Mon *-*-* 03:00:00'
    verbosity: 'v'
    email:
    renew: false  # if a renewal should be started by the role; the renewal service will auto-renew the certificates otherwise

  security:
    restricted_methods: ['GET', 'POST', 'HEAD']

APACHE_CONFIG: "{{ default_apache | combine(apache, recursive=true) }}"

# site-specific config
default_site_config:
  mode: 'serve'
  state: 'present'
  admin: 'apache@template.ansibleguy.net'
  port_plain: 80
  port_ssl: 443
  domain:
  aliases: []
  ip:

  config: {}  # site-specific setting-value pairs
  config_additions: []  # lines that will 1-to-1 be appended to the site-config
  app_include: false
  headers: {}

  security:  # https://www.nixpal.com/apache-httpd-hardening/
    disable_root_index: true
    disable_ssi_cgi: true
    restrict_methods: true

  redirect:
    target: 'https://github.com/ansibleguy'
    request_uri: true

  serve:
    path: '/var/www/html'

  ssl:  # see: https://github.com/ansibleguy/infra_certs
    mode: 'selfsigned'  # existing/selfsigned/ca/letsencrypt
    # existing:
    #   We expect the certs to be placed in the role's 'files' directory named like the site
    #   Example: files/certs/ansibleguy.key and files/certs/ansibleguy.crt
    # letsencrypt:
    #   Host needs to have a valid public dns record pointed at it
    #   Needs to be publicly reachable over port 80/tcp
    cert:
      name:
      cn: 'Apache Certificate'
      org: 'AnsibleGuy'
      ou:
      country:
      state:
      locality:
      email:
      crl_distribution: []
    ca:
      file:  # can be used if you want to use an existing ca
      cn:
      org:
      ou:
      country:
      state:
      locality:
      email:
      pwd:  # it's highly recommended setting a passphrase!

  letsencrypt:
    key_size:
    email:

default_modules:
  # <IfModule ${MOD}>
  # </IfModule>
  prefork: # see: https://httpd.apache.org/docs/2.4/mod/mpm_common.html
    ifname: 'prefork.c'
    settings:
      StartServers: 5
      MinSpareServers: 5
      MaxSpareServers: 10
      MaxRequestWorkers: 256
      MaxConnectionsPerChild: 0
  mod_evasive:
    ifname: 'mod_evasive20.c'
    settings:
      DOSHashTableSize: 4096
      DOSPageCount: 25
      DOSSiteCount: 100
      DOSPageInterval: 1
      DOSSiteInterval: 1
      DOSBlockingPeriod: 60
      DOSLogDir: "{{ CONFIG.log.path }}"
      # DOSSystemCommand:
      # DOSEmailNotify: mail@yourdomain.com
      DOSWhitelist: [
          '127.0.0.*', '192.168.*.*', '10.*.*.*', '172.16.*.*', '172.17.*.*', '172.18.*.*', '172.19.*.*',
          '172.20.*.*', '172.21.*.*', '172.22.*.*', '172.23.*.*', '172.24.*.*', '172.25.*.*', '172.26.*.*',
          '172.27.*.*', '172.28.*.*', '172.29.*.*', '172.30.*.*', '172.31.*.*', '172.32.*.*',
      ]

APACHE_MODULES: "{{ default_modules | combine(modules, recursive=true) }}"

apache_config_graylist: [
    'SSLEngine', 'SSLCertificateKeyFile', 'SSLCertificateFile', 'SSLCertificateChainFile', 'ErrorLog', 'CustomLog', 'ServerAdmin',
    'ServerAlias', 'ServerName', 'Redirect'
]
force_removal: false
NONE_VALUES: [none, '', ' ']