From d7f34587be9250d4ce1998e74ac10821dea3b2c6 Mon Sep 17 00:00:00 2001 From: Salt Date: Wed, 3 Jun 2020 06:07:11 -0500 Subject: [PATCH] Roll out new cipher suites --- inventory/group_vars/webservers.yml | 1 + roles/dokuwiki/templates/apache2-vhost-ssl.conf | 1 + roles/gitea/templates/apache2-vhost-ssl.conf | 1 + roles/gitlab/templates/apache2-vhost-ssl.conf | 1 + roles/gitweb/templates/apache2-vhost-ssl.conf | 1 + roles/nextcloud/templates/apache2-vhost-ssl.conf | 1 + 6 files changed, 6 insertions(+) diff --git a/inventory/group_vars/webservers.yml b/inventory/group_vars/webservers.yml index ae8a1f4..732d161 100644 --- a/inventory/group_vars/webservers.yml +++ b/inventory/group_vars/webservers.yml @@ -1,3 +1,4 @@ #!/usr/bin/ansible-playbook # vim:ft=ansible: backups_outdir: "/cold/backups" +ssl_cipher_suite: "!SHA1:!SHA256:!SHA384" diff --git a/roles/dokuwiki/templates/apache2-vhost-ssl.conf b/roles/dokuwiki/templates/apache2-vhost-ssl.conf index 0f8936c..4b100fd 100644 --- a/roles/dokuwiki/templates/apache2-vhost-ssl.conf +++ b/roles/dokuwiki/templates/apache2-vhost-ssl.conf @@ -14,6 +14,7 @@ SSLStrictSNIVHostCheck off SSLCertificateFile /etc/pki/cert/crt/{{ dokuwiki_url }}.crt SSLCertificateKeyFile /etc/pki/cert/private/{{ dokuwiki_url }}.key SSLCertificateChainFile /etc/pki/cert/crt/{{ dokuwiki_url}}-fullchain.crt + SSLCipherSuite {{ ssl_cipher_suite }} \ SSLOptions +StdEnvVars diff --git a/roles/gitea/templates/apache2-vhost-ssl.conf b/roles/gitea/templates/apache2-vhost-ssl.conf index aeaf894..5f7e5ae 100644 --- a/roles/gitea/templates/apache2-vhost-ssl.conf +++ b/roles/gitea/templates/apache2-vhost-ssl.conf @@ -16,6 +16,7 @@ SSLProxyEngine on SSLCertificateFile /etc/pki/cert/crt/{{ gitea_url }}.crt SSLCertificateKeyFile /etc/pki/cert/private/{{ gitea_url }}.key SSLCertificateChainFile /etc/pki/cert/crt/{{ gitea_url }}-fullchain.crt + SSLCipherSuite {{ ssl_cipher_suite }} ServerName {{ gitea_url }} DocumentRoot {{ gitea_webroot }} 
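Review bot: The new `ssl_cipher_suite` value in `inventory/group_vars/webservers.yml` consists only of `!` exclusions, with no positive selector in front of them. As far as I know, OpenSSL builds the list from nothing unless the string names a base set such as `DEFAULT` or `HIGH`, so this value may match no TLS 1.2 suite at all and Apache could refuse to start; at best the result depends on the OpenSSL build. It also probably does not do what the names suggest: `SHA256` and `SHA384` select by MAC, so the CBC suites are removed while the AEAD suites whose names end in -SHA256/-SHA384 are untouched. I would state the base set and the exclusions explicitly, e.g. `ssl_cipher_suite: "HIGH:!aNULL:!MD5:!SHA1:!SHA256:!SHA384"`, verify the outcome with `openssl ciphers -v` on a target host, and add a comment above the variable saying which suites are meant to remain.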
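Review bot: The added `SSLCipherSuite {{ ssl_cipher_suite }}` line in the dokuwiki template, and the identical line in the gitea, gitlab, gitweb and nextcloud templates, depends on a variable this commit defines only in `inventory/group_vars/webservers.yml`. If any of these roles is applied to a host outside that group, templating will presumably fail on the undefined variable, and an empty value would render a directive with no argument. Giving each role a default, either in its role defaults or inline as `SSLCipherSuite {{ ssl_cipher_suite | default('HIGH:!aNULL:!MD5') }}`, keeps the roles usable on their own. No `SSLProtocol` or `SSLHonorCipherOrder` line is visible in these hunks, so it is worth confirming that the protocol floor is set elsewhere. The vhost blocks start and end outside the hunks.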
diff --git a/roles/gitlab/templates/apache2-vhost-ssl.conf b/roles/gitlab/templates/apache2-vhost-ssl.conf index 879b1b3..f6a9c0d 100644 --- a/roles/gitlab/templates/apache2-vhost-ssl.conf +++ b/roles/gitlab/templates/apache2-vhost-ssl.conf @@ -14,6 +14,7 @@ SSLStrictSNIVHostCheck off SSLCertificateFile /etc/pki/cert/crt/{{ gitlab_url }}.crt SSLCertificateKeyFile /etc/pki/cert/private/{{ gitlab_url }}.key SSLCertificateChainFile /etc/pki/cert/crt/{{ gitlab_url }}-fullchain.crt + SSLCipherSuite {{ ssl_cipher_suite }} ServerName {{ gitlab_url }} DocumentRoot {{ gitlab_webroot }} diff --git a/roles/gitweb/templates/apache2-vhost-ssl.conf b/roles/gitweb/templates/apache2-vhost-ssl.conf index c3e444b..9fee433 100644 --- a/roles/gitweb/templates/apache2-vhost-ssl.conf +++ b/roles/gitweb/templates/apache2-vhost-ssl.conf @@ -14,6 +14,7 @@ SSLStrictSNIVHostCheck off SSLCertificateFile /etc/pki/cert/crt/{{ gitweb_url }}.crt SSLCertificateKeyFile /etc/pki/cert/private/{{ gitweb_url }}.key SSLCertificateChainFile /etc/pki/cert/crt/{{ gitweb_url}}-fullchain.crt + SSLCipherSuite {{ ssl_cipher_suite }} \ SSLOptions +StdEnvVars diff --git a/roles/nextcloud/templates/apache2-vhost-ssl.conf b/roles/nextcloud/templates/apache2-vhost-ssl.conf index cc2d51c..09aeae5 100644 --- a/roles/nextcloud/templates/apache2-vhost-ssl.conf +++ b/roles/nextcloud/templates/apache2-vhost-ssl.conf @@ -14,6 +14,7 @@ SSLStrictSNIVHostCheck off SSLCertificateFile /etc/pki/cert/crt/{{ nextcloud_url }}.crt SSLCertificateKeyFile /etc/pki/cert/private/{{ nextcloud_url }}.key SSLCertificateChainFile /etc/pki/cert/crt/{{ nextcloud_url}}-fullchain.crt + SSLCipherSuite {{ ssl_cipher_suite }} \ SSLOptions +StdEnvVars