- name: install apache
- apt: name=apache2 state=latest
+ apt: name=apache2,python3-netaddr state=latest
- name: enable apache
service: name=apache2 enabled=yes
-# config
+# apache config
- name: enable modules
apache2_module:
state: present
- ssl
- macro
notify: apache
-- name: install shared config files
+- name: disable modules
+ apache2_module:
+ state: absent
+ name: "{{ item }}"
+ loop:
+ - access_compat
+ notify: apache
+- name: install log anonymization script
copy:
+ dest: /etc/apache2/log-anon
+ src: files/log-anon
+ mode: +x
+ notify: apache
+- name: install shared config files
+ template:
dest: /etc/apache2/conf-available/{{ item }}
- src: files/{{ item }}
+ src: templates/{{ item }}
loop:
- ssl.conf
- acme-challenge.conf
- php5.conf
- security.conf
- - other-vhosts-access-log.conf
+ - defaults.conf
+ - caching.conf
notify: apache
- name: enable config files
command: a2enconf {{ item }}
creates: /etc/apache2/conf-enabled/{{ item }}.conf
loop:
- ssl
+ - security
+ - defaults
+ - caching
+ notify: apache
+- name: disable config files
+ command: a2disconf {{ item }}
+ args:
+ removes: /etc/apache2/conf-enabled/{{ item }}.conf
+ loop:
+ - other-vhosts-access-log
+ - serve-cgi-bin
+ notify: apache
- name: install default site
template:
dest: /etc/apache2/sites-available/000-default.conf
src: templates/000-default.conf
notify: apache
+# IPv6 autconf issues: DAD makes addresses appear but unusable, which breaks services startup
+- name: tweak apache systemd unit (create dir)
+ file: path=/etc/systemd/system/apache2.service.d state=directory
+- name: tweak apache systemd unit
+ copy:
+ dest: /etc/systemd/system/apache2.service.d/override.conf
+ content: |
+ [Unit]
+ After=network-online.target
+ Wants=network-online.target
+ [Service]
+ Restart=on-failure
+- name: cleanup old sysconfig
+ file: path=/etc/sysctl.d/50-no-dad.conf state=absent
+- name: sysconfig to fix IPv6 listening
+ copy:
+ dest: /etc/sysctl.d/50-ipv6-listen.conf
+ content: |
+ # Allow binding to IPv6 address before we got that address
+ net.ipv6.ip_nonlocal_bind=1
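Review bot: The `mode: +x` on the new "install log anonymization script" task only adds execute bits, so the final permissions depend on the umask and on whatever mode an existing /etc/apache2/log-anon already carries, and the task sets no owner. If the script is used as a piped-log program it is presumably started by the Apache parent process, which normally runs as root, so I would pin it with `owner: root`, `group: root`, `mode: "0755"`. Separately, `net.ipv6.ip_nonlocal_bind=1` in the last task is host-wide and lets every process bind to IPv6 addresses the host does not hold, which is broader than the DAD startup race the comment describes; either record that this is accepted or rely on the `After=network-online.target` override alone. In the visible tasks neither the sysctl file nor the systemd override notifies a handler or triggers a reload, so both may only take effect after a reboot.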