Add apache and modsecurity config, adjust handlers

handlers/main.yaml

@@ -1,10 +1,4 @@
 ---
-- name: Start MailHog
-  service:
-    name: mailhog
-    state: started
-  register: mailhog_service_result
-
 - name: Restart MailHog
   service:
     name: mailhog

meta/main.yaml

@@ -1,5 +1,9 @@
 ---
 dependencies:
+  - role: dehydrated
+  - role: apache
+    when: inventory_hostname in groups.apache
   - role: nginx
+    when: inventory_hostname in groups.nginx or not inventory_hostname in groups.apache
   - role: oauth2_proxy
     when: mailhog.oauth2_proxy

tasks/apache.yaml

@@ -0,0 +1,12 @@
+---
+- name: Template apache configuration
+  template: src="{{ item }}" dest="{{ render_path }}"
+  loop_control:
+    label: "{{ render_path }}"
+  vars:
+    template_dir: "{{ role_path }}/templates/apache"
+    render_path: "{{ apache.prefix.config }}/{{ item|strip_prefix(template_dir + '/')|strip_suffix('.j2') }}"
+  with_fileglob:
+    - "{{ template_dir }}/*.j2"
+    - "{{ template_dir }}/Includes/*.j2"
+  notify: Restart apache

tasks/main.yaml

@@ -1,4 +1,10 @@
 ---
 - import_tasks: config.yaml
+
 - import_tasks: service.yaml
+
+- import_tasks: apache.yaml
+  when: inventory_hostname in groups.apache
+
 - import_tasks: nginx.yaml
+  when: inventory_hostname in groups.nginx or not inventory_hostname in groups.apache

tasks/service.yaml

@@ -6,4 +6,9 @@
     line: 'mailhog_enable="YES"'
   with_items:
     - /etc/rc.conf
-  notify: Start MailHog
+
+- name: Start MailHog
+  service:
+    name: mailhog
+    state: started
+  register: mailhog_service_result

templates/apache/Includes/mailhog.conf.j2

@@ -0,0 +1,52 @@
+{% set http_listeners = ['*:80'] %}
+{% set https_listeners = ['*:443'] %}
+{% if ansible_local.proserver is defined and ansible_local.proserver.routing.with_gate64 -%}
+{% set _ = http_listeners.append('[::]:87') %}
+{% set _ = https_listeners.append('[::]:57') %}
+{% endif %}
+
+{% for i in http_listeners %}
+<VirtualHost {{ i }}>
+  {% if "57" in i %}
+  RemoteIPProxyProtocol On
+  {% endif %}
+  ServerName {{ mailhog.domain }}
+  RewriteEngine On
+  RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
+  RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
+</VirtualHost>
+{% endfor %}
+
+{% if dehydrated | cert_exists(mailhog.domain) %}
+{% for i in https_listeners %}
+<VirtualHost {{ i }}>
+    {% if "87" in i %}
+    RemoteIPProxyProtocol On
+    {% endif %}
+    ServerName {{ mailhog.domain }}
+    DocumentRoot /var/null
+
+    SSLEngine on
+    SSLProxyEngine on
+    {% if mailhog.oauth2_proxy -%}
+    ProxyPass /proserver/iap/auth/ http://[::1]:{{ oauth2_proxy.config[mailhog.oauth2_proxy].http_address.split(":")[-1] }}/proserver/iap/auth/
+    ProxyPassReverse /proserver/iap/auth/ http://[::1]:{{ oauth2_proxy.config[mailhog.oauth2_proxy].http_address.split(":")[-1] }}/proserver/iap/auth/
+
+    ErrorDocument 401 /proserver/iap/sign_in
+
+    RequestHeader set Auth-Cookie %{upstream_set_cookie}e env=upstream_set_cookie
+    Header always set Cookie "%{env:upstream_set_cookie}e" env=upstream_set_cookie
+    {% endif -%}
+
+    ProxyPass / http://127.0.0.1:8025/
+    ProxyPassReverse / http://127.0.0.1:8025/
+    ProxyPreserveHost On
+    ProxyPassInterpolateEnv On
+
+    SSLCertificateFile {{ dehydrated | cert_fullchain(mailhog.domain) }}
+    SSLCertificateChainFile {{ dehydrated | cert_fullchain(mailhog.domain) }}
+    SSLCertificateKeyFile {{ dehydrated | cert_privkey(mailhog.domain) }}
+
+</VirtualHost>
+{% endfor %}
+{% endif %}

templates/nginx/http.d/mailhog.conf.j2

@@ -23,6 +23,10 @@ server {
   server_name {{ mailhog.domain }};
 
   include {{ nginx.prefix.config }}/include/security_headers.conf;
+  {% if nginx.modsecurity is defined and nginx.modsecurity.enabled %}
+  include {{ nginx.prefix.config }}/include/modsecurity.conf;
+  {% endif %}
+
 
   {% if mailhog.oauth2_proxy -%}
   location /proserver/iap {