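---
# Installs the Angie web server from the vendor apt repository, issues a
# self-signed certificate for the vhost and serves it over HTTPS with a
# permanent HTTP -> HTTPS redirect. Every task that touches the server
# configuration notifies the "Reload angie" handler, which validates the
# configuration before reloading the service.
- name: Configure Angie Web Server
  hosts: server
  become: true

  vars:
    # Vendor signing key for the Angie apt repository.
    angie_repo_key: "https://angie.software/keys/angie-release-key.gpg"
    # Apt source line; the architecture is pinned so apt does not probe
    # foreign-architecture indexes on multi-arch hosts.
    angie_apt_repo: "deb [arch=amd64] https://angie.software/packages/debian stable main"
    server_name: "www.au.team"
    # Certificate, key and vhost file are all derived from server_name so the
    # playbook can be pointed at another hostname by changing one variable.
    ssl_cert_path: "/etc/angie/ssl/{{ server_name }}.crt"
    ssl_key_path: "/etc/angie/ssl/{{ server_name }}.key"
    angie_vhost_available: "/etc/angie/sites-available/{{ server_name }}.conf"
    angie_vhost_enabled: "/etc/angie/sites-enabled/{{ server_name }}.conf"
    web_root: /var/www/html
    listen_port_http: 80
    listen_port_https: 443

  tasks:
    - name: Install prerequisites for Angie repo
      ansible.builtin.apt:
        name:
          - gnupg
          - ca-certificates
          - curl
          - apt-transport-https
        state: present
        update_cache: true
      tags: angie

    # NOTE(review): apt_key adds the key to the host-wide trusted keyring, so
    # it would validate any repository, not only Angie's. The current Debian
    # recommendation is a keyring file under /etc/apt/keyrings plus a
    # "[signed-by=...]" option in the source line; switching requires knowing
    # whether the vendor key is binary or ASCII-armored - TODO confirm.
    - name: Add Angie GPG key
      ansible.builtin.apt_key:
        url: "{{ angie_repo_key }}"
        state: present
      tags: angie

    - name: Add Angie repository
      ansible.builtin.apt_repository:
        repo: "{{ angie_apt_repo }}"
        state: present
        filename: angie
      tags: angie

    - name: Install Angie web server
      ansible.builtin.apt:
        name: angie
        state: present
        update_cache: true
      tags: angie

    - name: Create SSL directory
      ansible.builtin.file:
        path: /etc/angie/ssl
        state: directory
        mode: '0755'
        owner: root
        group: root
      tags: ssl

    # argv form avoids shell quoting; "creates" makes the task idempotent so an
    # existing certificate is never overwritten. The SAN extension is required
    # by current browsers, which ignore the CN for hostname matching.
    # The key is written with the process umask and tightened by the next
    # task; the window between the two tasks is short but not zero.
    - name: Generate self-signed SSL certificate
      ansible.builtin.command:
        argv:
          - openssl
          - req
          - -x509
          - -nodes
          - -days
          - "3650"
          - -newkey
          - rsa:2048
          - -keyout
          - "{{ ssl_key_path }}"
          - -out
          - "{{ ssl_cert_path }}"
          - -subj
          - "/C=RU/ST=Moscow/L=Moscow/O=AU Team/CN={{ server_name }}"
          - -addext
          - "subjectAltName=DNS:{{ server_name }}"
        creates: "{{ ssl_cert_path }}"
      notify: Reload angie
      tags: ssl

    - name: Set proper permissions for SSL key
      ansible.builtin.file:
        path: "{{ ssl_key_path }}"
        mode: '0600'
        owner: root
        group: root
      tags: ssl

    # copy fails if the parent directory is missing, so make sure the web
    # root exists before writing into it.
    - name: Ensure web root exists
      ansible.builtin.file:
        path: "{{ web_root }}"
        state: directory
        mode: '0755'
        owner: root
        group: root
      tags: web

    - name: Create index.html with server name
      ansible.builtin.copy:
        content: "{{ inventory_hostname }} by Angie!\n"
        dest: "{{ web_root }}/index.html"
        mode: '0644'
        owner: www-data
        group: www-data
      tags: web

    # The template module has no "content" parameter (it only accepts "src"),
    # so an inline template must go through copy; module arguments are still
    # rendered with Jinja, so the {{ }} expressions below are expanded.
    # The redirect targets the configured server_name rather than $host so a
    # client-supplied Host header cannot choose the redirect destination.
    # NOTE(review): this relies on angie.conf including
    # sites-enabled/*.conf; packaged Angie configurations often include a
    # different directory (e.g. http.d) - confirm on the target host.
    - name: Configure Angie vhost with HTTPS and HTTP redirect
      ansible.builtin.copy:
        content: |
          # HTTP server - redirect to HTTPS
          server {
              listen {{ listen_port_http }};
              listen [::]:{{ listen_port_http }};
              server_name {{ server_name }};
              return 301 https://{{ server_name }}$request_uri;
          }

          # HTTPS server
          server {
              listen {{ listen_port_https }} ssl;
              listen [::]:{{ listen_port_https }} ssl;
              server_name {{ server_name }};

              ssl_certificate {{ ssl_cert_path }};
              ssl_certificate_key {{ ssl_key_path }};
              ssl_protocols TLSv1.2 TLSv1.3;
              ssl_ciphers HIGH:!aNULL:!MD5;
              ssl_prefer_server_ciphers on;

              # Do not advertise the server version in headers and error pages
              server_tokens off;

              root {{ web_root }};
              index index.html;

              location / {
                  try_files $uri $uri/ =404;
              }

              # Add HSTS header
              add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
          }
        dest: "{{ angie_vhost_available }}"
        mode: '0644'
        backup: true
      notify: Reload angie
      tags: web

    - name: Enable site configuration
      ansible.builtin.file:
        src: "{{ angie_vhost_available }}"
        dest: "{{ angie_vhost_enabled }}"
        state: link
      notify: Reload angie
      tags: web

    - name: Disable default site if exists
      ansible.builtin.file:
        path: /etc/angie/sites-enabled/default
        state: absent
      notify: Reload angie
      tags: web

    # regex_escape keeps the match in step with server_name if it is ever
    # changed (dots would otherwise match any character).
    - name: Add server name to /etc/hosts for local resolution
      ansible.builtin.lineinfile:
        path: /etc/hosts
        regexp: '^127\.0\.1\.1\s+{{ server_name | regex_escape }}'
        line: "127.0.1.1 {{ server_name }}"
        state: present
      tags: dns

    - name: Enable and start Angie service
      ansible.builtin.systemd:
        name: angie
        enabled: true
        state: started
        daemon_reload: true
      tags: angie

  handlers:
    # Listens on the same topic as the reload handler and is defined first, so
    # a broken configuration fails the play instead of being reloaded into a
    # running server.
    - name: Validate angie configuration
      ansible.builtin.command:
        argv:
          - angie
          - -t
      changed_when: false
      listen: Reload angie

    - name: Reload angie
      ansible.builtin.systemd:
        name: angie
        state: reloaded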