** The Cloud Service
Core runs Nextcloud to provide a private institute cloud at
-~http://core.small.private/nextcloud/~. It is managed manually per
+~https://core.small.private/nextcloud/~. It is managed manually per
[[https://docs.nextcloud.com/server/latest/admin_manual/][The Nextcloud Server Administration Guide]]. The code /and/ data,
including especially database dumps, are stored in =/Nextcloud/= which
is included in Core's backup procedure as described in [[*Backups][Backups]]. The
become: yes
apache2_module:
name: "{{ item }}"
- loop: [ userdir, cgid ]
+ loop: [ userdir, cgid, ssl ]
+ notify: Restart Apache2.
+
+- name: Configure Apache2 SSL certificate.
+ become: yes
+ lineinfile:
+ path: /etc/apache2/sites-available/default-ssl.conf
+ regexp: "^([\t ]*){{ item.p }}"
+ line: "\\1{{ item.p }}\t{{ item.v }}"
+ backrefs: yes
+ loop:
+ - { p: SSLCertificateFile, v: "/etc/server.crt" }
+ - { p: SSLCertificateKeyFile, v: "/etc/server.key" }
notify: Restart Apache2.
#+END_SRC
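Review bot: the new "Configure Apache2 SSL certificate." task points default-ssl.conf at /etc/server.crt and /etc/server.key, but nothing in this hunk installs those two files or sets their mode, so the notified "Restart Apache2." handler fails on a host that does not already have them; a task that deploys the certificate and the key (key root-owned, mode 0600) should precede this one. Also note that with `backrefs: yes` an unmatched `regexp: "^([\t ]*){{ item.p }}"` is a silent no-op, so the task reports ok and Debian's snakeoil defaults stay in place if the directive lines are absent or commented out; verify the resulting default-ssl.conf after the first run.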
command:
cmd: a2ensite -q {{ item }}
creates: /etc/apache2/sites-enabled/{{ item }}.conf
- loop: [ live, test, www ]
+ loop: [ live, test, www, default-ssl ]
notify: Restart Apache2.
- name: Enable/Start Apache2.
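Review bot: adding `default-ssl` to the `a2ensite` loop enables the HTTPS vhost next to the `live`, `test` and `www` sites, which remain enabled with no redirect shown, so Nextcloud stays reachable over plain http:// as well as https://. If the intent, per the removed "HTTPS could be used for Nextcloud transactions" paragraph, is to move those transactions to HTTPS, either add a redirect (or HSTS) in the plain-HTTP vhost or state in the documentation that both remain available.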
Core is next checked (or updated) e.g. with ~./inst config -n core~.
Before calling Nextcloud "configured", the administrator runs ~./inst
-config core~, surfs to ~http://core.small.private/nextcloud/~,
-logins in as ~sysadm~, and follows any reasonable
-instructions (reasonable for a small organization) on the
+config core~, surfs to ~https://core.small.private/nextcloud/~, logins
+in as ~sysadm~, and follows any reasonable instructions on the
Administration > Overview page.
*** Afterwards
- Use a web browser to get ~http://core/nextcloud/~. It should be a
warning about accessing Nextcloud by an untrusted name.
-- Get ~http://core.small.private/nextcloud/~. It should be a
+- Get ~https://core.small.private/nextcloud/~. It should be a
login web page.
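Review bot: the first item in "Afterwards" still fetches `~http://core/nextcloud/~` while the item right after it was switched to https://. If the plain-HTTP check is intentional (the untrusted-name warning is what is being exercised), say so; otherwise it should be updated along with the other URLs so the test matches the configuration being deployed.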
- Login as ~sysadm~ with password ~fubar~.
- Use the Nextcloud app to sync =~/nextCloud/= with the cloud. In the
Nextcloud app's Connection Wizard (the initial dialog), choose to
"Log in to your Nextcloud" with the URL
- ~http://core.small.private/nextcloud~. The web browser should pop
+ ~https://core.small.private/nextcloud~. The web browser should pop
up with a new tab: "Connect to your account". Press "Log in" and
"Grant access". The Nextcloud Connection Wizard then prompts for
sync parameters. The defaults are fine. Presumably the Local
- Create a CardDAV account in Evolution. Choose Edit, Accounts, Add,
Address Book, Type CardDAV, name Small Institute, and user ~dick~.
- The URL starts with ~http://core.small.private/nextcloud/~ and
+ The URL starts with ~https://core.small.private/nextcloud/~ and
ends with ~remote.php/dav/addressbooks/users/dick/contacts/~ (yeah,
88 characters!). Create a contact in the new address book and see
it in the Contacts web page. At some point Evolution will need
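Review bot: the parenthetical "(yeah, 88 characters!)" was not adjusted even though changing `http` to `https` lengthens the CardDAV URL by one character; update the count or drop it.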
separate certificates for Gate and Front? Use the same certificate
and key on Gate and Front?
-Nextcloud should really be found at ~https://CLOUD.small.private/~
-rather than ~https://core.small.private/nextcloud/~, to ease
-future expansion (moving services to additional machines).
-
-HTTPS could be used for Nextcloud transactions even though they are
-carried on encrypted VPNs. This would eliminate a big warning on the
-Nextcloud Administration Overview page.
-
** More Tests
The testing process described in the previous chapter is far from
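Review bot: this hunk removes two to-do paragraphs, but only the second ("HTTPS could be used for Nextcloud transactions") is addressed by the change; every URL in this patch still points at `core.small.private/nextcloud/`, so the first paragraph, moving Nextcloud to `https://CLOUD.small.private/` to ease future expansion, is still open and should stay. The open questions just above it ("separate certificates for Gate and Front? Use the same certificate and key on Gate and Front?") also remain unanswered even though both Apache hunks in this patch configure the same `/etc/server.crt` and `/etc/server.key` paths; the decision taken should be recorded there.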
become: yes
apache2_module:
name: "{{ item }}"
- loop: [ userdir, cgid ]
+ loop: [ userdir, cgid, ssl ]
+ notify: Restart Apache2.
+
+- name: Configure Apache2 SSL certificate.
+ become: yes
+ lineinfile:
+ path: /etc/apache2/sites-available/default-ssl.conf
+ regexp: "^([\t ]*){{ item.p }}"
+ line: "\\1{{ item.p }}\t{{ item.v }}"
+ backrefs: yes
+ loop:
+ - { p: SSLCertificateFile, v: "/etc/server.crt" }
+ - { p: SSLCertificateKeyFile, v: "/etc/server.key" }
notify: Restart Apache2.
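Review bot: this "Configure Apache2 SSL certificate." task is line-for-line the same as the one added earlier in the patch, including the `/etc/server.crt` and `/etc/server.key` paths; factoring it into one shared task file or role would keep the two from drifting. If the same private key is literally deployed to more than one host, compromise of either host exposes the other's TLS identity; per-host keys and certificates limit that blast radius, and the same deploy-before-configure and key-mode comment from the earlier hunk applies here.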
- name: Install live web site.
command:
cmd: a2ensite -q {{ item }}
creates: /etc/apache2/sites-enabled/{{ item }}.conf
- loop: [ live, test, www ]
+ loop: [ live, test, www, default-ssl ]
notify: Restart Apache2.
- name: Enable/Start Apache2.