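---
# Apache2 configuration tasks: reduce version disclosure, drop the shared
# vhost access log, install configuration snippets, and (on hosts flagged
# with apache.is_proxy) enable the TLS-related modules and snippets.

# Only the stock `ServerTokens OS` line is rewritten. If the file carries a
# different ServerTokens value, lineinfile appends `ServerTokens Prod` at the
# end of the file instead of replacing the existing directive.
- name: "Configuration | Disable ServerTokens"
  ansible.builtin.lineinfile:
    path: /etc/apache2/conf-enabled/security.conf
    regexp: '^ServerTokens OS'
    line: ServerTokens Prod
  notify: reload apache2

# `removes` makes the command run only while the snippet is still enabled,
# which keeps the task idempotent.
# NOTE(review): this turns off the access log defined by
# other-vhosts-access-log.conf. Confirm that every vhost that needs request
# logs (e.g. for incident response) defines its own log.
- name: "Configuration | Disable access-log"
  ansible.builtin.command:
    cmd: a2disconf other-vhosts-access-log
    removes: /etc/apache2/conf-enabled/other-vhosts-access-log.conf
  notify: reload apache2

# No `size` is given, so the module's default parameter size applies.
- name: "Configuration | Generate Diffie Hellman parameters"
  community.crypto.openssl_dhparam:
    path: "{{ dhparams_path }}"
  # Most of our apache2 instances are currently running behind public reverse proxies.
  # Thus, they do not offer HTTPS and do not need DH parameters.
  # The only possible exceptions are external hosts (e.g. orwell).
  when: apache.is_proxy is defined and apache.is_proxy

# The snippets are installed on every host; they are only enabled by the
# a2enconf task at the end of this file. That task is guarded by `creates`,
# so it never fires again once a snippet is enabled. The notify here makes
# sure a later change to an already-enabled snippet is actually loaded.
- name: "Configuration | Copy misc configuration files"
  ansible.builtin.copy:
    src: "{{ item }}"
    dest: "/etc/apache2/conf-available/{{ item }}"
    # Quoted so the mode is passed as an octal string, not a YAML integer.
    mode: "0644"
  notify: reload apache2
  loop:
    - add-headers.conf
    - letsencrypt.conf
    - sao-cache.conf

# NOTE(review): remoteip.conf is rendered here but is not in the a2enconf
# loop below. Confirm that it is enabled elsewhere.
- name: "Configuration | Copy configuration templates"
  ansible.builtin.template:
    src: "{{ item }}"
    dest: /etc/apache2/conf-available/
    mode: "0644"
  notify: reload apache2
  loop:
    - remoteip.conf
    - ssl.conf

- name: "Configuration | Enable modules"
  community.general.apache2_module:
    name: "{{ item }}"
    state: present
  notify: reload apache2
  when: apache.is_proxy is defined and apache.is_proxy
  loop:
    - headers
    - mpm_event
    - ssl

# `creates` skips the command once the snippet exists in conf-enabled, so
# this task reports a change (and notifies) only on first enablement.
- name: "Configuration | Enable configuration"
  ansible.builtin.command:
    cmd: "a2enconf {{ item }}"
    creates: "/etc/apache2/conf-enabled/{{ item }}"
  notify: reload apache2
  when: apache.is_proxy is defined and apache.is_proxy
  loop:
    - add-headers.conf
    - letsencrypt.conf
    - sao-cache.conf
    - ssl.conf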