---
# Identity, document root and contact address defaults for the role.
# NOTE(review): the tasks and templates that consume these variables are
# not part of this file; presumably apache_user and apache_group become the
# User and Group directives - confirm against the templates.
apache_user: www-data
apache_group: www-data
apache_document_root: /var/www/html
# inventory_hostname is interpolated by Jinja, so every host gets its own
# address. Apache can print ServerAdmin on server-generated error pages
# (ServerSignature EMail), so treat the value as public.
apache_server_admin: "root@{{ inventory_hostname }}"
# Chroot and suEXEC are both off by default. With apache_chroot false the
# apache_chroot_dir path below is presumably unused - TODO confirm.
apache_chroot: false
# apache_chroot_dir: /users/www-data
apache_chroot_dir: /var/www/users/www-data
# suexec is also listed in apache_mods_disabled, which matches this default.
apache_suexec: false
# The apache_timeout might need to be set as high as 1200
# for Nextcloud updates
# A long timeout also lets slow or idle clients hold connections open for
# longer. reqtimeout is in apache_mods_enabled and limits how long request
# headers and bodies may take to arrive; raise this value only for as long
# as a maintenance task needs it.
apache_timeout: 300
# The apache_disable_root variable is used in the
# conf-available/security.conf file to disable access to /
# Keep this true so that only directories a site explicitly grants are
# served; setting it to false depends on every vhost denying access itself.
apache_disable_root: true
# The apache_disable_dot variable is used in the
# conf-available/security.conf file to disable access to
# directories and files starting with a dot
# This covers paths such as .git, .env and .htpasswd.
# NOTE(review): a blanket dot rule can also match /.well-known/ (ACME
# HTTP-01 challenges); presumably the "le" conf in apache_conf_enabled
# allows that path - confirm.
apache_disable_dot: true
# The apache_server_tokens variable is used in the
# conf-available/security.conf file
# Values accepted by the ServerTokens directive are Full, OS, Minimal,
# Minor, Major and Prod. OS puts the Apache version and the OS type in the
# Server response header; Prod sends only "Apache". Consider overriding
# this with Prod on internet-facing hosts to reduce version disclosure.
apache_server_tokens: OS
# https://wiki.mozilla.org/Security/Server_Side_TLS
# Debian Stretch Apache supports TLSv1.2
# Colon-separated OpenSSL cipher names. Every suite listed uses ECDHE or
# DHE key exchange with an AEAD cipher (AES-GCM or ChaCha20-Poly1305);
# there are no CBC, RC4, 3DES or static-RSA suites. Keep it that way when
# overriding this list.
apache_tls1_2_cipher_suites: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
# Debian Bullseye and Debian Buster Backports Apache supports TLSv1.3
# The three TLS 1.3 suites below are all AEAD suites.
apache_tls1_3_cipher_suites: TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
# Diffie-Hellman parameters for the DHE-RSA suites in the TLSv1.2 list.
# NOTE(review): presumably the role generates this file at the size below
# when it is missing - confirm in the tasks. 2048 bits is the minimum that
# should be used; do not lower it. The Mozilla guideline linked above
# recommends the predefined ffdhe2048 group (RFC 7919) for this profile.
apache_dhparam_path: /etc/apache2/dhparam.pem
apache_dhparam_size: 2048
# NOTE(review): presumably the port of the "localhost" site enabled below.
# The status module is in apache_mods_enabled, so if this site serves
# /server-status make sure it is bound to the loopback address or
# restricted with "Require local" - confirm in the site template.
apache_localhost_port: 80
# Presumably the open-file limit applied to the Apache service - TODO
# confirm where this is used.
apache_ulimit: 65536
# Extra packages to install. lynx is what "apachectl status" uses to
# display the status page from the command line.
apache_packages_present:
  - lynx
  # - libapache2-mod-geoip
# Sites to enable and disable (conf names under sites-available).
# 000-default stays a string in YAML because of the "-default" suffix.
apache_sites_enabled:
  - localhost
  - 000-default
apache_sites_disabled: []
# Configuration snippets to enable (names under conf-available).
# "security" is the file that the apache_disable_root, apache_disable_dot
# and apache_server_tokens variables are used in, so removing it from this
# list turns those settings off.
apache_conf_enabled:
  - charset
  - le
  - localized-error-pages
  - other-vhosts-access-log
  - security
  - version-control
# Configuration snippets to disable. serve-cgi-bin is consistent with cgi
# and cgid being listed in apache_mods_disabled.
apache_conf_disabled:
  - mc3
  - serve-cgi-bin
  - webarch
# Apache modules to enable. Every module loaded adds attack surface, so
# remove any that no site on the host needs. The order is kept as written
# because the consuming task is not visible here and may process the list
# in sequence.
apache_mods_enabled:
  # access_compat provides the legacy Order/Allow/Deny directives; avoid
  # mixing them with Require in the same scope.
  - access_compat
  - alias
  - auth_basic
  - authn_core
  - authn_file
  - authz_core
  - authz_host
  - authz_user
  # autoindex produces directory listings wherever Options Indexes is on.
  - autoindex
  - deflate
  - dir
  - env
  - expires
  - filter
  - headers
  - http2
  # include enables server-side includes where Options Includes is set.
  - include
  - mime
  # Only one MPM can be loaded; mpm_worker is in apache_mods_disabled.
  - mpm_event
  - negotiation
  # With the proxy modules loaded, ProxyRequests must stay Off (its
  # default) so the server cannot be used as an open forward proxy.
  - proxy
  - proxy_fcgi
  - proxy_http2
  - proxy_http
  - proxy_wstunnel
  # reqtimeout limits slow request headers and bodies.
  - reqtimeout
  # remoteip rewrites the client address from a request header; only
  # list proxies you control as trusted, otherwise clients can forge the
  # address seen by logs and access rules.
  - remoteip
  - rewrite
  - setenvif
  - socache_shmcb
  - ssl
  # status exposes /server-status wherever a handler is configured;
  # restrict it to local requests.
  - status
# Apache modules to disable. Listing them explicitly keeps a module that a
# package or an earlier run enabled from staying loaded. Before moving an
# entry to apache_mods_enabled, review what it exposes: for example info
# (server configuration at /server-info), cgi and cgid (script execution),
# dav (remote file writes), userdir (per-user web directories), lua, and
# proxy_connect and proxy_ftp (tunnelling and FTP proxying).
apache_mods_disabled:
  - actions
  - allowmethods
  - asis
  - auth_digest
  - auth_form
  - authn_anon
  - authn_dbd
  - authn_dbm
  - authn_socache
  - authnz_fcgi
  - authnz_ldap
  - authz_dbd
  - authz_dbm
  - authz_groupfile
  - authz_owner
  - brotli
  - buffer
  - cache_disk
  - cache
  - cache_socache
  - cern_meta
  - cgid
  - cgi
  - charset_lite
  - data
  - dav_fs
  - dav
  - dav_lock
  - dbd
  - dialup
  - dump_io
  - echo
  - ext_filter
  - fcgid
  - file_cache
  - heartbeat
  - heartmonitor
  - ident
  - imagemap
  - info
  - lbmethod_bybusyness
  - lbmethod_byrequests
  - lbmethod_bytraffic
  - lbmethod_heartbeat
  - ldap
  - log_debug
  - log_forensic
  - lua
  - macro
  # md is disabled by default although the apache_md_* variables exist;
  # presumably sites that use mod_md enable it themselves - TODO confirm.
  - md
  - mime_magic
  # mpm_worker is off because mpm_event is the MPM in apache_mods_enabled.
  - mpm_worker
  - proxy_ajp
  - proxy_balancer
  - proxy_connect
  - proxy_express
  - proxy_fdpass
  - proxy_ftp
  - proxy_hcheck
  - proxy_html
  - proxy_scgi
  - proxy_uwsgi
  - ratelimit
  - reflector
  - request
  - sed
  - session_cookie
  - session_crypto
  - session_dbd
  - session
  - slotmem_plain
  - slotmem_shm
  - socache_dbm
  - socache_memcache
  - speling
  - substitute
  # Matches apache_suexec: false.
  - suexec
  - unique_id
  - userdir
  - usertrack
  - vhost_alias
  - xml2enc
# See this issue https://github.com/icing/mod_md/issues/260
# Key types requested for mod_md managed certificates: one RSA 3072-bit key
# and one ECDSA key on the secp384r1 curve.
apache_md_private_keys:
  - rsa3072
  - secp384r1
# Specify a version from here https://github.com/icing/mod_md/releases
# Use latest for the latest release or default for the packaged version
# NOTE(review): "latest" is an unpinned reference, so two runs of the role
# can install different code in the web server without any change to the
# playbook. For production hosts prefer "default" (the distribution
# package, which receives distribution security updates) or a specific
# release that has been reviewed, and check how the role verifies what it
# downloads - the download step is not visible in this file.
apache_md_version: latest
...