Ansible role to deploy one or multiple Apache2 sites on a Linux server.
Molecule Integration-Tests:
Internal CI: Tester Role | Jobs API
- Debian 11
- Debian 12
# latest
ansible-galaxy role install git+
# from galaxy
ansible-galaxy install ansibleguy.infra_apache
# or to custom role-path
ansible-galaxy install ansibleguy.infra_apache --roles-path ./roles
# install dependencies
ansible-galaxy install -r requirements.yml
Need professional support using Ansible or managing Web-Applications? Contact us:
Tel: +43 3115 40 900 0
Language: German or English
You want a simple Ansible GUI?
Check out this Ansible WebUI
Define the apache dictionary as needed!
mySuperCustom: 'headerContent'
present: ['evasive', 'ssl', 'headers', 'rewrite']
mode: 'serve'
domain: ''
path: '/var/www/site_guys_statics'
mode: 'snakeoil'
config: # add settings as key-value pairs
KeepAliveTimeout: 10
config_additions: # add a list of custom lines of config
- 'location = / { return 301 /kitty.jpg; }'
mode: 'redirect'
domain: ''
aliases: ['']
target: ''
mode: 'letsencrypt'
email: ''
restrict_methods: false
Run the playbook:
ansible-playbook -K -D -i inventory/hosts.yml playbook.yml
There are also some useful tags available:
- base => only configure basics; sites will not be touched
- sites
- config => configuration (base and instances)
- certs
To debug errors - you can set the 'debug' variable at runtime:
ansible-playbook -K -D -i inventory/hosts.yml playbook.yml -e debug=yes
Package installation
- Ansible dependencies (minimal)
- Apache2
Support for multiple sites/servers
Two config-modes:
- serve (default)
- redirect
Support for specific configurations using the 'config' and 'config_additions' parameters
Default config:
- Disabled: TLS versions below 1.2, insecure ciphers, autoindex, ServerTokens/ServerSignature, Server-Side Includes, CGI
- Security headers: HSTS, X-Frame, Referrer-Policy, Content-Type nosniff, X-Domain-Policy, XSS-Protection
- Limits to prevent DDoS
- Using a Self-Signed certificate
- Modules: +ssl, +http2, headers, rewrite; -autoindex
- HTTP2 enabled with fallback to HTTP1.1
- IPv6 support disabled (at least one ipv6 address MUST EXIST)
SSL modes (for more info see: CERT ROLE)
- selfsigned => Generate self-signed ones
- ca => Generate a minimal Certificate Authority and certificate signed by it
- letsencrypt => Uses the LetsEncrypt certbot
- existing => Copy certificate files or use existing ones
Default opt-ins:
- restricting methods to POST/GET/HEAD
- status-page listener on localhost
- Logging to syslog
- http2
Default opt-outs:
- Include the config file 'sites-available/site_{{ site_name }}_app.conf' for advanced usage
Options to provide module config will be added in the future!
Also, some basic modules (prefork, evasive) will get a pre-config added.
Note: Most of the role's functionality can be opted in or out.
For all available options - see the default-config located in the main/site defaults-file!
Note: This role currently only supports Debian-based systems.
Note: This role expects that the site's unencrypted 'server' will only redirect to its encrypted connection.
Note: If you want any requested domain to get handled by a site/server you need to add a wildcard '*' as alias!
BUT: You still have to provide a main domain!
Warning: Not every setting/variable you provide will be checked for validity. Bad config might break the role!
Info: To disable default settings and headers => just set their value to: ''
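Because defaults and headers can be switched off by setting them to '', a post-deploy check helps confirm what a site really sends. The following is an added example, not part of this role: it audits response headers against the defaults listed above and checks the expected HTTP-to-HTTPS redirect. The function names are hypothetical, the sample responses are constructed, and the full header names are an assumed mapping of this README's short labels.

```python
"""Audit HTTP response headers against the hardening defaults this README lists."""
import re

# Constructed sample responses (not captured from a real server).
HARDENED = {
    "Server": "Apache",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "same-origin",
    "X-Content-Type-Options": "nosniff",
    "X-Permitted-Cross-Domain-Policies": "none",
    "X-XSS-Protection": "1; mode=block",
}
WEAKENED = {  # constructed: several defaults disabled, version banner exposed
    "Server": "Apache/2.4.57 (Debian)",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "sniff",
}

# Standard header names behind the README's short labels (assumed mapping).
REQUIRED = {
    "strict-transport-security": re.compile(r"max-age=[1-9]\d*"),
    "x-frame-options": re.compile(r"^(deny|sameorigin)$", re.I),
    "referrer-policy": re.compile(r".+"),
    "x-content-type-options": re.compile(r"^nosniff$", re.I),
    "x-permitted-cross-domain-policies": re.compile(r".+"),
    "x-xss-protection": re.compile(r".+"),
}

def audit_headers(headers):
    """Return sorted findings; an empty list means every default is in effect."""
    seen = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    for name, pattern in REQUIRED.items():
        if name not in seen:
            findings.append(f"missing:{name}")
        elif not pattern.search(seen[name]):
            findings.append(f"weak:{name}")
    # ServerTokens/ServerSignature disabled: banner must not carry version or OS.
    if re.search(r"[/\d(]", seen.get("server", "")):
        findings.append("leak:server")
    return sorted(findings)

def redirects_to_https(status, location):
    """The unencrypted listener is expected to do nothing but redirect to HTTPS."""
    return status in (301, 302, 307, 308) and location.lower().startswith("https://")

if __name__ == "__main__":
    for label, sample in (("hardened", HARDENED), ("weakened", WEAKENED)):
        print(label, audit_headers(sample) or "ok")
```

Feed it the headers returned by `curl -sI` or an HTTP client for each deployed site; any finding points at a default that was disabled or overridden in the site's config.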
Info: For LetsEncrypt renewal to work, you must allow outgoing connections to:
80/tcp, 443/tcp+udp to, (debug mode) and