libravatar: we need a separate ssl configuration for seccdn.libravatar.org

inventory/group_vars/libravatar

@@ -2,4 +2,5 @@ resolvconf: "resolv.conf/cloud"
 git_branch: master
 server_name: www.libravatar.org
 server_alias: "*.libravatar.org"
+server_seccdn_name: seccdn.libravatar.org
 server_redirect_name: "libravatar.org libravatar.com www.libravatar.com"

inventory/group_vars/libravatar-stg

@@ -2,4 +2,5 @@ resolvconf: "resolv.conf/cloud"
 git_branch: devel
 server_name: libravatar-stg.fedorainfracloud.org
 server_alias: libravatar-stg.fedorainfracloud.org
+server_seccdn_name: libravatar-stg.fedorainfracloud.org
 server_redirect_name: libravatar-stg.fedorainfracloud.org

roles/libravatar/tasks/main.yml

@@ -112,6 +112,7 @@
   template: src="httpd/{{ item }}" dest="/etc/httpd/conf.d/{{ item }}"
   with_items:
   - "libravatar.conf"
+  - "libravatar-app.include"
   notify:
   - reload httpd
   tags:

roles/libravatar/templates/httpd/libravatar-app.include

@@ -0,0 +1,29 @@
+WSGIPassAuthorization On
+WSGIDaemonProcess libravatar user=apache group=apache threads=25 display-name=libravatar maximum-requests=10000 graceful-timeout=20 python-home=/mnt/data/.virtualenv python-path=/srv/libravatar
+WSGIScriptAlias / /mnt/data/wsgi.py
+
+ScriptAlias "/cgi-bin/" "/mnt/data/cgi-bin/"
+
+Alias /robots.txt /srv/libravatar/static/robots.txt
+Alias /favicon.ico /srv/libravatar/static/favicon.ico
+
+Alias /media/ /srv/libravatar/media/
+Alias /static/ /srv/libravatar/static/
+
+<Directory /srv/libravatar/static>
+    Require all granted
+</Directory>
+
+<Directory /srv/libravatar/media>
+    Require all granted
+</Directory>
+
+<Location />
+    WSGIProcessGroup libravatar
+    Require all granted
+</Location>
+
+<Directory /srv/libravatar>
+    WSGIApplicationGroup %{GLOBAL}
+    Require all granted
+</Directory>

roles/libravatar/templates/httpd/libravatar.conf

@@ -23,35 +23,20 @@ RewriteEngine on
 
     RewriteRule ^/\.well-known/(.*) /var/www/html/.well-known/$1 [L]
 
-    WSGIPassAuthorization On
-    WSGIDaemonProcess libravatar user=apache group=apache threads=25 display-name=libravatar maximum-requests=10000 graceful-timeout=20 python-home=/mnt/data/.virtualenv python-path=/srv/libravatar
-    WSGIScriptAlias / /mnt/data/wsgi.py
+    Include /etc/httpd/conf.d/libravatar-app.include
+</VirtualHost>
 
-    ScriptAlias "/cgi-bin/" "/mnt/data/cgi-bin/"
+<VirtualHost *:443>
+    ServerName {{ server_seccdn_name }}
 
-    Alias /robots.txt /srv/libravatar/static/robots.txt
-    Alias /favicon.ico /srv/libravatar/static/favicon.ico
+    SSLCertificateFile    /etc/letsencrypt/live/{{ server_seccdn_name }}/cert.pem
+    SSLCertificateKeyFile  /etc/letsencrypt/live/{{ server_seccdn_name }}/privkey.pem
+    SSLCertificateChainFile /etc/letsencrypt/live/{{ server_seccdn_name }}/fullchain.pem
+    Header always add Strict-Transport-Security "max-age=31536000; preload"
 
-    Alias /media/ /srv/libravatar/media/
-    Alias /static/ /srv/libravatar/static/
+    RewriteRule ^/\.well-known/(.*) /var/www/html/.well-known/$1 [L]
 
-    <Directory /srv/libravatar/static>
-        Require all granted
-    </Directory>
-
-    <Directory /srv/libravatar/media>
-        Require all granted
-    </Directory>
-
-    <Location />
-        WSGIProcessGroup libravatar
-        Require all granted
-    </Location>
-
-    <Directory /srv/libravatar>
-        WSGIApplicationGroup %{GLOBAL}
-        Require all granted
-    </Directory>
+    Include /etc/httpd/conf.d/libravatar-app.include
 </VirtualHost>
 
 <VirtualHost *:443>