From 230d8a2a929d06a35567c2fdfb5e6603e5608e16 Mon Sep 17 00:00:00 2001
From: Salt
Date: Wed, 5 Feb 2020 22:48:21 -0600
Subject: [PATCH] Fix some bad Apache configs, set up ability for apache to nab its keys

Getting there, step by step
---
 roles/nextcloud/tasks/main.yml | 23 +++++++++++++++-----
 roles/nextcloud/templates/apache2-vhost.conf | 4 +---
 2 files changed, 19 insertions(+), 8 deletions(-)

diff --git a/roles/nextcloud/tasks/main.yml b/roles/nextcloud/tasks/main.yml
index 7f9b95d..cb1419b 100644
--- a/roles/nextcloud/tasks/main.yml
+++ b/roles/nextcloud/tasks/main.yml
@@ -65,6 +65,13 @@
 remote_src: yes
 dest: "{{ nextcloud_webroot }}"
 extra_opts: [--strip-components=1]
+ - name: Chown webroot
+ file:
+ path: "{{ nextcloud_webroot }}"
+ state: directory
+ recurse: yes
+ owner: root
+ group: root
 - name: Cleanup
 file:
 path: /var/www/nextcloud.tar.bz2
@@ -75,6 +82,10 @@
 loop:
 - "a2enmod rewrite"
 - "a2enmod ssl"
+ - name: Reload Apache
+ service:
+ name: apache2
+ state: reloaded
 - name: Register certificates
 block:
 - name: Set up our filesystem heirarchy
@@ -82,13 +93,15 @@
 path: "{{ item.dir }}"
 mode: "{{ item.mode }}"
 recurse: yes
+ owner: root
+ group: www-data
 state: directory
 loop:
- - { dir: "/etc/pki", mode: "0700" }
- - { dir: "/etc/pki/cert", mode: "0700" }
- - { dir: "/etc/pki/cert/crt", mode: "0700" }
- - { dir: "/etc/pki/cert/csr", mode: "0700" }
- - { dir: "/etc/pki/cert/private", mode: "0700" }
+ - { dir: "/etc/pki", mode: "0750" }
+ - { dir: "/etc/pki/cert", mode: "0750" }
+ - { dir: "/etc/pki/cert/crt", mode: "0750" }
+ - { dir: "/etc/pki/cert/csr", mode: "0750" }
+ - { dir: "/etc/pki/cert/private", mode: "0750" }
 - name: Create ACME account key
 openssl_privatekey:
 path: "/etc/pki/cert/private/account.key"
diff --git a/roles/nextcloud/templates/apache2-vhost.conf b/roles/nextcloud/templates/apache2-vhost.conf
index f6c152c..f8677c1 100644
--- a/roles/nextcloud/templates/apache2-vhost.conf
+++ b/roles/nextcloud/templates/apache2-vhost.conf
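Review bot: The recursive `owner: root` / `group: root` in the new `Chown webroot` task also strips the web server user's write access from everything under the webroot, which will break Nextcloud's installer and updater if this role relies on them, since they write to `config/`, `data/` and `apps/` — unless a later task outside this hunk re-owns those paths. Having the code tree owned by root is the right hardening choice (www-data then cannot rewrite its own PHP), so I would keep this task and follow it with a second `file` task that hands only the writable subdirectories to the service account, e.g. `path: "{{ nextcloud_webroot }}/{{ item }}"`, `owner: www-data`, `group: www-data` looped over `config`, `data` and `apps`. While here, `recurse: yes` is a YAML 1.1 truthy value; the project would be safer with `recurse: true`.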
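Review bot: The new `Reload Apache` task reloads on every play run and, more importantly, runs before the `Register certificates` block that creates the key material, so if the vhost template already on the host references certificate files under `/etc/pki/cert` the reload's configtest fails and aborts the play on a fresh machine (I cannot see where the vhost is deployed, so this is inferred). A handler avoids both problems: put `notify: Reload Apache` on the `a2enmod` loop task (and on the vhost/certificate tasks) with the `service` call moved to `handlers/main.yml`, so Apache is reloaded once at the end of the play and only when something changed. Note also that on Debian `a2enmod` recommends a restart rather than a reload for newly enabled modules; `state: restarted` in the handler is the conservative choice if a brief interruption is acceptable.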
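Review bot: Widening `/etc/pki/cert/private` to 0750 root:www-data with `recurse: yes` gives the web server user read access to every file beneath it — including `account.key` created by the next task — because the `file` module's `recurse` applies `mode`, `owner` and `group` to directory contents as well, so the ACME account key and any server key end up 0750 (group-readable and executable) instead of 0600. In the standard setup where apache2 starts as root, `SSLCertificateKeyFile` is read while parsing the config before privileges are dropped, so letting Apache "nab its keys" does not require www-data access to the private directory at all (worth confirming against the vhost's SSL directives, which are outside this diff). I would keep `private` locked down by overriding it per item — `group: "{{ item.group | default('www-data') }}"` in the task and `- { dir: "/etc/pki/cert/private", mode: "0700", group: "root" }` in the loop — and pin the key files with `mode: "0600"` on the `openssl_privatekey` tasks so a later recursive pass cannot loosen them. Only `crt/` holds public material that www-data could legitimately need to read.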
@@ -1,8 +1,6 @@
 # Configuration for {{ nextcloud_url }}
 # vim:ft=apache:
-# Ensure we listen on required ports
-Listen 80
-Listen 443
+
 # Listen for virtual host requests
 NameVirtualHost *:443
 # Accept connections from non-SNI clients
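Review bot: With the `Listen` directives removed, this vhost now depends on `/etc/apache2/ports.conf` for its ports, and on Debian the `Listen 443` there is wrapped in `<IfModule ssl_module>`, so the vhost only binds after `a2enmod ssl` has run and Apache has been reloaded — that dependency is worth recording on the new blank line: `# Listen 80/443 come from ports.conf; 443 is only active once mod_ssl is enabled`. Separately, `NameVirtualHost *:443` on the following context line is a no-op that logs a warning on Apache 2.4 (name-based vhosts are automatic there), so it can be dropped if the target is 2.4 or newer.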