Disable outdated TLS versions

hopefully this fixes git

inventory/group_vars/webservers.yml

@@ -1,4 +1,5 @@
 #!/usr/bin/ansible-playbook
 # vim:ft=ansible:
 backups_outdir: "/cold/backups"
-ssl_cipher_suite: "!SHA1:!SHA256:!SHA384"
+ssl_protocol: "all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"
+ssl_cipher_suite: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"

roles/dokuwiki/templates/apache2-vhost-ssl.conf

@@ -14,6 +14,7 @@ SSLStrictSNIVHostCheck off
 	SSLCertificateFile /etc/pki/cert/crt/{{ dokuwiki_url }}.crt
 	SSLCertificateKeyFile /etc/pki/cert/private/{{ dokuwiki_url }}.key
 	SSLCertificateChainFile /etc/pki/cert/crt/{{ dokuwiki_url}}-fullchain.crt
+	SSLProtocol {{ ssl_protocol }}
 	SSLCipherSuite {{ ssl_cipher_suite }}
 	<FilesMatch "\.(cgi|shtml|phtml|php)$">\
 		SSLOptions +StdEnvVars

roles/gitea/templates/apache2-vhost-ssl.conf

@@ -16,6 +16,7 @@ SSLProxyEngine on
 	SSLCertificateFile /etc/pki/cert/crt/{{ gitea_url }}.crt
 	SSLCertificateKeyFile /etc/pki/cert/private/{{ gitea_url }}.key
 	SSLCertificateChainFile /etc/pki/cert/crt/{{ gitea_url }}-fullchain.crt
+	SSLProtocol {{ ssl_protocol }}
 	SSLCipherSuite {{ ssl_cipher_suite }}
 	ServerName {{ gitea_url }}
 	DocumentRoot {{ gitea_webroot }}

roles/gitlab/templates/apache2-vhost-ssl.conf

@@ -14,6 +14,7 @@ SSLStrictSNIVHostCheck off
 	SSLCertificateFile /etc/pki/cert/crt/{{ gitlab_url }}.crt
 	SSLCertificateKeyFile /etc/pki/cert/private/{{ gitlab_url }}.key
 	SSLCertificateChainFile /etc/pki/cert/crt/{{ gitlab_url }}-fullchain.crt
+	SSLProtocol {{ ssl_protocol }}
 	SSLCipherSuite {{ ssl_cipher_suite }}
 	ServerName {{ gitlab_url }}
 	DocumentRoot {{ gitlab_webroot }}

roles/gitweb/templates/apache2-vhost-ssl.conf

@@ -14,6 +14,7 @@ SSLStrictSNIVHostCheck off
 	SSLCertificateFile /etc/pki/cert/crt/{{ gitweb_url }}.crt
 	SSLCertificateKeyFile /etc/pki/cert/private/{{ gitweb_url }}.key
 	SSLCertificateChainFile /etc/pki/cert/crt/{{ gitweb_url}}-fullchain.crt
+	SSLProtocol {{ ssl_protocol }}
 	SSLCipherSuite {{ ssl_cipher_suite }}
 	<FilesMatch "\.(cgi|shtml|phtml|php)$">\
 		SSLOptions +StdEnvVars

roles/grafana/templates/apache2-vhost-ssl.conf

@@ -16,6 +16,8 @@ SSLProxyEngine on
 	SSLCertificateFile /etc/pki/cert/crt/{{ grafana_url }}.crt
 	SSLCertificateKeyFile /etc/pki/cert/private/{{ grafana_url }}.key
 	SSLCertificateChainFile /etc/pki/cert/crt/{{ grafana_url }}-fullchain.crt
+	SSLProtocol {{ ssl_protocol }}
+	SSLCipherSuite {{ ssl_cipher_suite }}
 	ServerName {{ grafana_url }}
 	DocumentRoot {{ grafana_webroot }}
 	<Directory "{{ grafana_webroot }}">

roles/nextcloud/templates/apache2-vhost-ssl.conf

@@ -14,6 +14,7 @@ SSLStrictSNIVHostCheck off
 	SSLCertificateFile /etc/pki/cert/crt/{{ nextcloud_url }}.crt
 	SSLCertificateKeyFile /etc/pki/cert/private/{{ nextcloud_url }}.key
 	SSLCertificateChainFile /etc/pki/cert/crt/{{ nextcloud_url}}-fullchain.crt
+	SSLProtocol {{ ssl_protocol }}
 	SSLCipherSuite {{ ssl_cipher_suite }}
 	<FilesMatch "\.(cgi|shtml|phtml|php)$">\
 		SSLOptions +StdEnvVars

roles/redirect/templates/apache2-redirect.conf

@@ -15,6 +15,8 @@ SSLStrictSNIVHostCheck off
 	SSLCertificateFile /etc/pki/cert/crt/{{ redirect_from }}.crt
 	SSLCertificateKeyFile /etc/pki/cert/private/{{ redirect_from }}.key
 	SSLCertificateChainFile /etc/pki/cert/crt/{{ redirect_from}}-fullchain.crt
+	SSLProtocol {{ ssl_protocol }}
+	SSLCipherSuite {{ ssl_cipher_suite }}
 	ServerName {{ redirect_from }}
 	Redirect permanent / https://{{ redirect_to }}/
 </VirtualHost>