Fix some bad Apache configs, set up ability for apache to nab its keys

Getting there, step by step

roles/nextcloud/tasks/main.yml

@@ -65,6 +65,13 @@
               remote_src: yes
               dest: "{{ nextcloud_webroot }}"
               extra_opts: [--strip-components=1]
+          - name: Chown webroot
+            file:
+              path: "{{ nextcloud_webroot }}"
+              state: directory
+              recurse: yes
+              owner: root
+              group: root
           - name: Cleanup
             file:
               path: /var/www/nextcloud.tar.bz2
@@ -75,6 +82,10 @@
         loop:
           - "a2enmod rewrite"
           - "a2enmod ssl"
+      - name: Reload Apache
+        service:
+          name: apache2
+          state: reloaded
   - name: Register certificates
     block:
       - name: Set up our filesystem heirarchy
@@ -82,13 +93,15 @@
           path: "{{ item.dir }}"
           mode: "{{ item.mode }}"
           recurse: yes
+          owner: root
+          group: www-data
           state: directory
         loop:
-          - { dir: "/etc/pki", mode: "0700" }
-          - { dir: "/etc/pki/cert", mode: "0700" }
-          - { dir: "/etc/pki/cert/crt", mode: "0700" }
-          - { dir: "/etc/pki/cert/csr", mode: "0700" }
-          - { dir: "/etc/pki/cert/private", mode: "0700" }
+          - { dir: "/etc/pki", mode: "0750" }
+          - { dir: "/etc/pki/cert", mode: "0750" }
+          - { dir: "/etc/pki/cert/crt", mode: "0750" }
+          - { dir: "/etc/pki/cert/csr", mode: "0750" }
+          - { dir: "/etc/pki/cert/private", mode: "0750" }
       - name: Create ACME account key
         openssl_privatekey:
           path: "/etc/pki/cert/private/account.key"

roles/nextcloud/templates/apache2-vhost.conf

@@ -1,8 +1,6 @@
 # Configuration for {{ nextcloud_url }}
 # vim:ft=apache:
-# Ensure we listen on required ports
-Listen 80
-Listen 443
+
 # Listen for virtual host requests
 NameVirtualHost *:443
 # Accept connections from non-SNI clients