Refactor variable names, get SSL ready

ec2.yml

@@ -10,8 +10,8 @@
     acme_directory: "https://acme-staging-v02.api.letsencrypt.org/directory"
     acme_version: 2
     nextcloud_tarbz2: "https://download.nextcloud.com/server/releases/nextcloud-18.0.0.tar.bz2"
-    website_url: "nc.assburgers.club"
+    nextcloud_url: "nc.assburgers.club"
-    website_root: "/var/www/nextcloud"
+    nextcloud_webroot: "/var/www/nextcloud"
   roles:
     - nextcloud
 - hosts: tag_role_cockpit

roles/nextcloud/tasks/main.yml

@@ -37,16 +37,16 @@
       - name: Configure virtual host
         template:
           src: apache2-vhost.conf
-          dest: "/etc/apache2/sites-enabled/{{ website_url }}.conf"
+          dest: "/etc/apache2/sites-enabled/{{ nextcloud_url }}.conf"
       - name: Create webroot
         file:
-          path: "{{ website_root }}"
+          path: "{{ nextcloud_webroot }}"
           mode: "0644"
           recurse: yes
           state: directory
       - name: Check for existing installation
         stat:
-          path: "{{ website_root }}/index.html"
+          path: "{{ nextcloud_webroot }}/index.html"
         register: stat_webroot_index
       - name: Install Nextcloud
         block:
@@ -58,7 +58,7 @@
             unarchive:
               src: /var/www/nextcloud.tar.bz2
               remote_src: yes
-              dest: "{{ website_root }}"
+              dest: "{{ nextcloud_webroot }}"
               extra_opts: [--strip-components=1]
           - name: Cleanup
             file:
@@ -79,24 +79,24 @@
           - { dir: "/etc/pki/cert/crt", mode: "0600" }
           - { dir: "/etc/pki/cert/csr", mode: "0600" }
           - { dir: "/etc/pki/cert/private", mode: "0600" }
-          - { dir: "/etc/pki/cert/challenge/{{ website_url }}", mode: "0600" }
+          - { dir: "/etc/pki/cert/challenge/{{ nextcloud_url }}", mode: "0600" }
       - name: Create ACME account key
         openssl_privatekey:
           path: "/etc/pki/cert/private/account.key"
           size: 4096
       - name: Create certificate key
         openssl_privatekey:
-          path: "/etc/pki/cert/private/{{ website_url }}.key"
+          path: "/etc/pki/cert/private/{{ nextcloud_url }}.key"
           size: 4096
       - name: Create CSR
         openssl_csr:
-          path: "/etc/pki/cert/csr/{{ website_url }}.csr"
+          path: "/etc/pki/cert/csr/{{ nextcloud_url }}.csr"
-          common_name: "{{ website_url }}"
+          common_name: "{{ nextcloud_url }}"
           privatekey_path: /etc/pki/cert/private/account.key
           email_address: "rehashedsalt@cock.li"
       - name: Create well-known directory
         file:
-          path: "{{ website_root }}/.well-known/acme-challenge"
+          path: "{{ nextcloud_webroot }}/.well-known/acme-challenge"
           mode: "0644"
           recurse: yes
           state: directory
@@ -107,21 +107,21 @@
           terms_agreed: yes
           account_email: "rehashedsalt@cock.li"
           account_key: "/etc/pki/cert/private/account.key"
-          csr: "/etc/pki/cert/csr/{{ website_url }}.csr"
+          csr: "/etc/pki/cert/csr/{{ nextcloud_url }}.csr"
-          dest: "/etc/pki/cert/crt/{{ website_url }}.crt"
+          dest: "/etc/pki/cert/crt/{{ nextcloud_url }}.crt"
-          fullchain_dest: "/etc/pki/cert/crt/{{ website_url }}-fullchain.crt"
+          fullchain_dest: "/etc/pki/cert/crt/{{ nextcloud_url }}-fullchain.crt"
         register: com_challenge
       - name: Fulfill challenge
         copy:
-          dest: "{{ website_root }}/{{ com_challenge['challenge_data'][website_url]['http-01']['resource'] }}"
+          dest: "{{ nextcloud_webroot }}/{{ com_challenge['challenge_data'][nextcloud_url]['http-01']['resource'] }}"
-          content: "{{ com_challenge['challenge_data'][website_url]['http-01']['resource_value'] }}"
+          content: "{{ com_challenge['challenge_data'][nextcloud_url]['http-01']['resource_value'] }}"
         when: com_challenge is changed
       - name: Create certificate
         acme_certificate:
           account_key: /etc/pki/cert/private/account.key
-          csr: "/etc/pki/cert/csr/{{ website_url }}.csr"
+          csr: "/etc/pki/cert/csr/{{ nextcloud_url }}.csr"
-          dest: "/etc/pki/cert/crt/{{ website_url }}.crt"
+          dest: "/etc/pki/cert/crt/{{ nextcloud_url }}.crt"
-          fullchain_dest: "/etc/pki/cert/crt/{{ website_url }}-fullchain.crt"
+          fullchain_dest: "/etc/pki/cert/crt/{{ nextcloud_url }}-fullchain.crt"
-          chain_dest: "/etc/pki/cert/crt/{{ website_url }}-intermediate.crt"
+          chain_dest: "/etc/pki/cert/crt/{{ nextcloud_url }}-intermediate.crt"
           data: "{{ com_challenge }}"
   become: yes

roles/nextcloud/templates/apache2-vhost.conf

@@ -1,6 +1,22 @@
-# Configuration for {{ website_url }}
+# Configuration for {{ nextcloud_url }}
 # vim:ft=apache:
+# Ensure we listen on required ports
+Listen 80
+Listen 443
+# Listen for virtual host requests
+NameVirtualHost *:443
+# Accept connections from non-SNI clients
+SSLStrictSNIVHostCheck off
+
+# Website configuration
 <VirtualHost *:80>
-	ServerName {{ website_url }}
+	ServerName {{ nextcloud_url }}
-	DocumentRoot {{ website_root }}
+	DocumentRoot {{ nextcloud_webroot }}
+</VirtualHost>
+<VirtualHost *:443>
+	SSLEngine on
+	SSLCertificateFile /etc/pki/cert/crt/{{ nextcloud_url }}.crt
+	SSLCertificateKeyFile /etc/pki/cert/private/{{ nextcloud_url }}.key
+	ServerName {{ nextcloud_url }}
+	DocumentRoot {{ nexcloud_webroot }}
 </VirtualHost>