Define apache SSL config in one place

roles/blog/templates/etc_apache2_sites-available_blog.j2

@@ -10,18 +10,7 @@
     ServerName {{ domain }}
     ServerAlias www.{{ domain }}
 
-    SSLEngine on
-    SSLProtocol ALL -SSLv2 -SSLv3
-    SSLHonorCipherOrder On
-    SSLCompression off
-    SSLUseStapling On
-    SSLStaplingResponderTimeout 5
-    SSLStaplingReturnResponderErrors off
-    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
-    SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
-    SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
-    SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
-    Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"
+    Include /etc/apache2/ssl.conf
 
     DocumentRoot            "/var/www/{{ domain }}"
     DirectoryIndex          index.html

roles/common/tasks/ssl.yml

@@ -19,3 +19,10 @@
 
 - name: Enable NameVirtualHost for HTTPS
   lineinfile: dest=/etc/apache2/ports.conf regexp='^    NameVirtualHost \*:443' insertafter='^<IfModule mod_ssl.c>' line='    NameVirtualHost *:443'
+
+- name: Add common Apache SSL config
+  template:
+    src=etc_apache2_ssl.conf.j2
+    dest=/etc/apache2/ssl.conf
+    owner=root
+    group=root

roles/common/templates/etc_apache2_ssl.conf.j2

@@ -0,0 +1,12 @@
+SSLEngine on
+SSLProtocol ALL -SSLv2 -SSLv3
+SSLHonorCipherOrder On
+SSLCompression off
+SSLUseStapling On
+SSLStaplingResponderTimeout 5
+SSLStaplingReturnResponderErrors off
+SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
+SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
+SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
+SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
+Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"

roles/git/templates/etc_apache2_sites-available_cgit.j2

@@ -7,19 +7,7 @@
 <VirtualHost *:443>
     ServerName {{ cgit_domain }}
 
-    SSLEngine on
-    SSLProtocol ALL -SSLv2 -SSLv3
-    SSLHonorCipherOrder On
-    SSLCompression off
-    SSLUseStapling On
-    SSLStaplingResponderTimeout 5
-    SSLStaplingReturnResponderErrors off
-    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
-    SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
-    SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
-    SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
-    Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"
-
+    Include /etc/apache2/ssl.conf
     DocumentRoot /var/www/htdocs/cgit/
 
     <Directory "/var/www/htdocs/cgit/">

roles/mailserver/templates/etc_apache2_sites-available_autoconfig.j2

@@ -18,18 +18,7 @@
 <VirtualHost *:443>
     ServerName {{ mail_server_autoconfig_hostname }}
 
-    SSLEngine on
-    SSLProtocol ALL -SSLv2 -SSLv3
-    SSLHonorCipherOrder On
-    SSLCompression off
-    SSLUseStapling On
-    SSLStaplingResponderTimeout 5
-    SSLStaplingReturnResponderErrors off
-    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
-    SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
-    SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
-    SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
-    Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"
+    Include /etc/apache2/ssl.conf
 
     DocumentRoot            "/var/www/autoconfig"
     Options                 -Indexes

roles/newebe/templates/etc_apache2_sites-available_newebe.j2

@@ -7,20 +7,8 @@
 <VirtualHost *:443>
 
     ServerName {{ newebe_domain }}
-    SSLEngine On
-
-    SSLEngine on
-    SSLProtocol ALL -SSLv2 -SSLv3
-    SSLHonorCipherOrder On
-    SSLCompression off
-    SSLUseStapling On
-    SSLStaplingResponderTimeout 5
-    SSLStaplingReturnResponderErrors off
-    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
-    SSLCertificateFile /etc/ssl/certs/wildcard_public_cert.crt
-    SSLCertificateKeyFile /etc/ssl/private/wildcard_private.key
-    SSLCACertificateFile /etc/ssl/certs/wildcard_ca.pem
-    Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"
+
+    Include /etc/apache2/ssl.conf
 
     ErrorLog /var/log/apache2/newebe.info-error_log
     CustomLog /var/log/apache2/newebe.info-access_log common

roles/news/templates/etc_apache2_sites-available_selfoss.j2

@@ -7,18 +7,7 @@
 <VirtualHost *:443>
     ServerName {{ selfoss_domain }}
 
-    SSLEngine on
-    SSLProtocol ALL -SSLv2 -SSLv3
-    SSLHonorCipherOrder On
-    SSLCompression off
-    SSLUseStapling On
-    SSLStaplingResponderTimeout 5
-    SSLStaplingReturnResponderErrors off
-    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
-    SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
-    SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
-    SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
-    Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"
+    Include /etc/apache2/ssl.conf
 
     DocumentRoot            /var/www/selfoss
     Options                 -Indexes

roles/owncloud/templates/etc_apache2_sites-available_owncloud.j2

@@ -7,18 +7,7 @@
 <VirtualHost *:443>
     ServerName {{ owncloud_domain }}
 
-    SSLEngine on
-    SSLProtocol ALL -SSLv2 -SSLv3
-    SSLHonorCipherOrder On
-    SSLCompression off
-    SSLUseStapling On
-    SSLStaplingResponderTimeout 5
-    SSLStaplingReturnResponderErrors off
-    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
-    SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
-    SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
-    SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
-    Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"
+    Include /etc/apache2/ssl.conf
 
     DocumentRoot            /var/www/owncloud
     Options                 -Indexes

roles/readlater/templates/etc_apache2_sites-available_wallabag.j2

@@ -7,18 +7,7 @@
 <VirtualHost *:443>
     ServerName {{ wallabag_domain }}
 
-    SSLEngine on
-    SSLProtocol ALL -SSLv2 -SSLv3
-    SSLHonorCipherOrder On
-    SSLCompression off
-    SSLUseStapling On
-    SSLStaplingResponderTimeout 5
-    SSLStaplingReturnResponderErrors off
-    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
-    SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
-    SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
-    SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
-    Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"
+    Include /etc/apache2/ssl.conf
 
     DocumentRoot            /var/www/wallabag
     Options                 -Indexes

roles/webmail/templates/etc_apache2_sites-available_roundcube.j2

@@ -7,18 +7,7 @@
 <VirtualHost *:443>
     ServerName {{ webmail_domain }}
 
-    SSLEngine on
-    SSLProtocol ALL -SSLv2 -SSLv3
-    SSLHonorCipherOrder On
-    SSLCompression off
-    SSLUseStapling On
-    SSLStaplingResponderTimeout 5
-    SSLStaplingReturnResponderErrors off
-    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
-    SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
-    SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
-    SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
-    Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"
+    Include /etc/apache2/ssl.conf
 
     # Those aliases do not work properly with several hosts on your apache server
     # Uncomment them to use it or adapt them to your configuration