diff --git a/roles/collabora/tasks/apache.yml b/roles/collabora/tasks/apache.yml
index 3130652..3de0398 100644
--- a/roles/collabora/tasks/apache.yml
+++ b/roles/collabora/tasks/apache.yml
@@ -6,15 +6,6 @@
owner: root
group: root
mode: 0644
- when: ansible_domain != 'dev'
-- name: add development collabora http site
- template:
- src: etc/apache2/sites-available/dev.conf.j2
- dest: /etc/apache2/sites-available/{{ ansible_domain }}.conf
- owner: root
- group: root
- mode: 0644
- when: ansible_domain == 'dev'
- name: disable default site and enable collabora site
block:
- name: disable default site
@@ -23,11 +14,12 @@
- name: enable collabora site
command:
cmd: a2ensite {{ ansible_domain }}.conf
- notify: reload apache
- name: run certbot
command:
cmd: certbot --apache --non-interactive --keep-until-expiring --no-eff-email --email {{ admin_mail }} --redirect --renew-with-new-domains --agree-tos -d {{ ansible_domain }}
when: ansible_domain != 'dev'
+- include: ssl-dev.yml
+ when: ansible_domain == 'dev'
- name: add collabora https site
template:
src: etc/apache2/sites-available/ansible_domain-le-ssl.conf.j2
@@ -35,9 +27,7 @@
owner: root
group: root
mode: 0644
- when: ansible_domain != 'dev'
- name: enable collabora https site
command:
cmd: a2ensite {{ ansible_domain }}-le-ssl.conf
- when: ansible_domain != 'dev'
notify: restart apache
diff --git a/roles/collabora/tasks/ssl-dev.yml b/roles/collabora/tasks/ssl-dev.yml
new file mode 100644
index 0000000..62787cd
--- /dev/null
+++ b/roles/collabora/tasks/ssl-dev.yml
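Review bot: The new `- include: ssl-dev.yml` task in the second hunk of apache.yml uses the bare `include` keyword, which Ansible deprecated in 2.4 in favour of `import_tasks`/`include_tasks` and has dropped in later ansible-core releases, so the play will at best warn and at worst fail to parse; `- import_tasks: ssl-dev.yml` with the same `when: ansible_domain == 'dev'` keeps the condition applied to every imported task. Because the third hunk removes the `when` guards from the https-site template and its `a2ensite` task, both now run on dev as well, so ssl-dev.yml must produce every file that `ansible_domain-le-ssl.conf.j2` references; that template is not in the diff, so whether it needs anything beyond `fullchain.pem` and `privkey.pem` (a `chain.pem`, for instance) cannot be confirmed from here and is worth checking before merging. A one-line comment above the import, such as `# dev hosts get a self-signed certificate instead of certbot; see ssl-dev.yml`, would make the two code paths obvious to the next reader.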
@@ -0,0 +1,27 @@
+---
+- name: Ensure python OpenSSL dependencies are installed.
+ pip:
+ name: pyOpenSSL
+ state: present
+
+- name: Ensure directory exists for local self-signed TLS certs.
+ file:
+ path: /etc/letsencrypt/live/{{ ansible_domain }}
+ state: directory
+
+- name: Generate an OpenSSL private key.
+ openssl_privatekey:
+ path: /etc/letsencrypt/live/{{ ansible_domain }}/privkey.pem
+
+- name: Generate an OpenSSL CSR.
+ openssl_csr:
+ path: /etc/ssl/private/{{ ansible_domain }}.csr
+ privatekey_path: /etc/letsencrypt/live/{{ ansible_domain }}/privkey.pem
+ common_name: "{{ ansible_domain }}"
+
+- name: Generate a Self Signed OpenSSL certificate.
+ openssl_certificate:
+ path: /etc/letsencrypt/live/{{ ansible_domain }}/fullchain.pem
+ privatekey_path: /etc/letsencrypt/live/{{ ansible_domain }}/privkey.pem
+ csr_path: /etc/ssl/private/{{ ansible_domain }}.csr
+ provider: selfsigned
diff --git a/roles/collabora/templates/etc/apache2/sites-available/dev.conf.j2 b/roles/collabora/templates/etc/apache2/sites-available/dev.conf.j2
deleted file mode 100644
index 62aab11..0000000
--- a/roles/collabora/templates/etc/apache2/sites-available/dev.conf.j2
+++ /dev/null
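Review bot: The CSR built by the `openssl_csr` task carries only `common_name`, so the self-signed `fullchain.pem` has no Subject Alternative Name, and current browsers, which match the hostname against the SAN and ignore the CN, will still refuse the dev vhost even once the certificate is trusted locally; add `subject_alt_name: "DNS:{{ ansible_domain }}"` under `common_name`. The `file` task that creates `/etc/letsencrypt/live/{{ ansible_domain }}` sets no `owner`, `group` or `mode`, so the directory permissions come from the umask of the Ansible process; certbot keeps that tree root-only, and `owner: root`, `group: root` and `mode: "0700"` would match the production layout. The private key relies on `openssl_privatekey`'s default file mode (0600 on the module versions I know), and spelling out `mode: "0600"` there documents the intent and does not depend on a module default. Finally, the CSR is written to `/etc/ssl/private` while the key and certificate live under `/etc/letsencrypt/live`; keeping all three together, or adding a short comment explaining why the CSR goes elsewhere, would make the layout easier to follow.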
@@ -1,42 +0,0 @@
-
- ServerName {{ ansible_domain }}
- ServerAdmin {{ admin_mail }}
- ErrorLog ${APACHE_LOG_DIR}/error.log
- CustomLog ${APACHE_LOG_DIR}/access.log combined
-
- # Encoded slashes need to be allowed
- AllowEncodedSlashes NoDecode
-
- # Container uses a unique non-signed certificate
- SSLProxyEngine On
- SSLProxyVerify None
- SSLProxyCheckPeerCN Off
- SSLProxyCheckPeerName Off
-
- # keep the host
- ProxyPreserveHost On
-
- # static html, js, images, etc. served from loolwsd
- # loleaflet is the client part of LibreOffice Online
- ProxyPass /loleaflet https://127.0.0.1:9980/loleaflet retry=0
- ProxyPassReverse /loleaflet https://127.0.0.1:9980/loleaflet
-
- # WOPI discovery URL
- ProxyPass /hosting/discovery https://127.0.0.1:9980/hosting/discovery retry=0
- ProxyPassReverse /hosting/discovery https://127.0.0.1:9980/hosting/discovery
-
- # Main websocket
- ProxyPassMatch "/lool/(.*)/ws$" wss://127.0.0.1:9980/lool/$1/ws nocanon
-
- # Admin Console websocket
- ProxyPass /lool/adminws wss://127.0.0.1:9980/lool/adminws
-
- # Download as, Fullscreen presentation and Image upload operations
- ProxyPass /lool https://127.0.0.1:9980/lool
- ProxyPassReverse /lool https://127.0.0.1:9980/lool
-
- # Endpoint with information about availability of various features
- ProxyPass /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities retry=0
- ProxyPassReverse /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities
-
-