journalwatch: allow more TLS errors
[ansible.git] / roles / apache / tasks / main.yml
# Versions are not pinned: `state: latest` upgrades both packages to whatever
# the host's configured apt sources offer each time the play runs.
- name: install apache
  apt:
    state: latest
    name:
    - apache2
    - python3-netaddr
# Manages boot-time enablement only; this task does not set a running state.
- name: enable apache
  service:
    name: apache2
    enabled: true
# apache config
# Turns on the headers, ssl and macro modules. A change notifies the `apache`
# handler, which is not defined in the lines shown here.
- name: enable modules
  apache2_module:
    name: "{{ item }}"
    state: present
  notify: apache
  loop:
  - headers
  - ssl
  - macro
# mod_access_compat supplies the legacy Order/Allow/Deny directives. With it
# absent, any vhost or .htaccess still using them fails to parse, so access
# control has to be expressed with `Require`.
- name: disable modules
  apache2_module:
    name: "{{ item }}"
    state: absent
  notify: apache
  loop:
  - access_compat
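# Installs the executable helper used for log anonymization.
# NOTE(review): if Apache runs this as a piped-log program, it inherits the
# user that started httpd (usually root) - confirm how it is invoked. Either
# way the file must not be writable by anyone but root, so ownership and mode
# are set explicitly. The previous `mode: +x` only added execute bits and kept
# any write bits already present on the destination.
- name: install log anonymization script
  copy:
    src: files/log-anon
    dest: /etc/apache2/log-anon
    owner: root
    group: root
    mode: "0755"
  notify: apache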
# Renders each listed template into conf-available. No owner or mode is given,
# so the files get the module defaults for the connecting user.
# NOTE(review): acme-challenge.conf and php5.conf are installed here but are
# not in the a2enconf list of the "enable config files" task - presumably they
# are included explicitly from site configs; confirm.
- name: install shared config files
  template:
    src: "templates/{{ item }}"
    dest: "/etc/apache2/conf-available/{{ item }}"
  notify: apache
  loop:
  - ssl.conf
  - acme-challenge.conf
  - php5.conf
  - security.conf
  - defaults.conf
  - caching.conf
# Runs a2enconf once per item. `creates` skips the command when the matching
# entry already exists in conf-enabled, which keeps the task idempotent; it
# checks only that the path exists, not what it points to.
- name: enable config files
  command: a2enconf {{ item }}
  args:
    creates: "/etc/apache2/conf-enabled/{{ item }}.conf"
  notify: apache
  loop:
  - ssl
  - security
  - defaults
  - caching
# Runs a2disconf once per item. `removes` skips the command when the entry is
# already gone from conf-enabled.
# NOTE(review): on Debian, serve-cgi-bin is the stock /cgi-bin/ mapping and
# other-vhosts-access-log the stock catch-all access log - confirm that no
# site relies on either before keeping them disabled.
- name: disable config files
  command: a2disconf {{ item }}
  args:
    removes: "/etc/apache2/conf-enabled/{{ item }}.conf"
  notify: apache
  loop:
  - other-vhosts-access-log
  - serve-cgi-bin
# Renders the template over the 000-default site definition. Nothing here
# enables the site; only the file in sites-available is managed.
- name: install default site
  template:
    src: templates/000-default.conf
    dest: /etc/apache2/sites-available/000-default.conf
  notify: apache
# IPv6 autoconf issues: DAD makes addresses appear but unusable, which breaks services startup
# Creates the drop-in directory that holds the apache2.service override.
- name: tweak apache systemd unit (create dir)
  file:
    path: /etc/systemd/system/apache2.service.d
    state: directory
# Writes a drop-in that orders apache2 after network-online.target and has
# systemd restart it on failure.
# NOTE(review): this task has no `notify`, so nothing visible here makes
# systemd re-read its units; the override may only apply after a
# daemon-reload or reboot - confirm that this is handled elsewhere.
- name: tweak apache systemd unit
  copy:
    content: |
      [Unit]
      After=network-online.target
      Wants=network-online.target
      [Service]
      Restart=on-failure
    dest: /etc/systemd/system/apache2.service.d/override.conf
# Deletes the sysctl drop-in left by an earlier approach. Only the file is
# removed; a value it already set stays in the running kernel until it is
# reset or the host reboots.
- name: cleanup old sysconfig
  file:
    path: /etc/sysctl.d/50-no-dad.conf
    state: absent
# Drops a sysctl fragment that sets net.ipv6.ip_nonlocal_bind=1.
# The setting is host-wide: every process, not only Apache, may then bind to
# IPv6 addresses that are not (yet) assigned to a local interface.
# NOTE(review): no task shown here reloads sysctl, so the value presumably
# takes effect at next boot unless it is applied elsewhere - confirm.
- name: sysconfig to fix IPv6 listening
  copy:
    content: |
      # Allow binding to IPv6 address before we got that address
      net.ipv6.ip_nonlocal_bind=1
    dest: /etc/sysctl.d/50-ipv6-listen.conf