
Add support for Let's Encrypt in PHPMyAdmin / SysCheck for Apache and Nginx

Emmanuel Bouthenot 7 роки тому
батько
коміт
0e3b777537

+ 36 - 1
roles/webserver/templates/apache2/pma_vhost.j2

@@ -4,9 +4,12 @@
 {% endif -%}
 # Apache vhost for phpmyadmin
 
-<VirtualHost {%if phpmyadmin_vhostip %}{{ phpmyadmin_vhostip }}{% else %}*{% endif %}:{{ phpmyadmin_vhostport }}>
+<VirtualHost {%if phpmyadmin_vhostip %}{{ phpmyadmin_vhostip }}{% else %}*{% endif %}:{%if phpmyadmin_vhostport %}{{ phpmyadmin_vhostport }}{% else %}80{% endif %}>
     ServerName {{ phpmyadmin_vhostname }}
 
+{% if phpmyadmin_ssl and ssl_certs_auto_installed.stdout_lines is defined and phpmyadmin_vhostname in ssl_certs_auto_installed.stdout_lines %}
+    RedirectMatch permanent (.*) https://{{ phpmyadmin_vhostname }}$1
+{% else %}
     DocumentRoot /usr/share/phpmyadmin
     DirectoryIndex index.php
 
@@ -30,5 +33,37 @@
     LogLevel warn
     CustomLog ${APACHE_LOG_DIR}/pma.access.log combined
     ErrorLog ${APACHE_LOG_DIR}/pma.error.log
+{% endif %}
+</VirtualHost>
+{% if phpmyadmin_ssl and ssl_certs_auto_installed.stdout_lines is defined and phpmyadmin_vhostname in ssl_certs_auto_installed.stdout_lines %}
+
+<VirtualHost {%if phpmyadmin_vhostip %}{{ phpmyadmin_vhostip }}{% else %}*{% endif %}:{%if phpmyadmin_vhostport %}{{ phpmyadmin_vhostport }}{% else %}443{% endif %}>
+    ServerName {{ phpmyadmin_vhostname }}
+
+    Include vhost_ssl_auto-{{ phpmyadmin_vhostname }}.conf
+
+    DocumentRoot /usr/share/phpmyadmin
+    DirectoryIndex index.php
 
+{% if http_auth_phpmyadmin %}
+    <Location />
+        AuthType basic
+        AuthName "Restricted Access"
+        AuthUserFile /etc/apache2/auth_admin
+        Require valid-user
+    </Location>
+{% endif %}
+
+    Include /etc/phpmyadmin/apache.conf
+
+    <IfModule mod_php5.c>
+        php_admin_value max_execution_time 240
+        php_admin_value upload_max_filesize 128M
+        php_admin_value post_max_size 128M
+    </IfModule>
+
+    LogLevel warn
+    CustomLog ${APACHE_LOG_DIR}/pma.access.log combined
+    ErrorLog ${APACHE_LOG_DIR}/pma.error.log
 </VirtualHost>
+{% endif %}
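Review bot: When `phpmyadmin_vhostport` is set, the HTTP `<VirtualHost>` line (default `80`) and the new HTTPS one (default `443`) both resolve to `ip:{{ phpmyadmin_vhostport }}`, so the two vhosts bind the same address and the redirect `RedirectMatch permanent (.*) https://{{ phpmyadmin_vhostname }}$1`, which carries no port, cannot reach the TLS listener. The HTTPS vhost needs a port variable of its own (say a new `phpmyadmin_vhostsslport` defaulting to 443, name constructed here) and the redirect target should append it when it is not 443; the same collision exists in sys_vhost.j2 and in both nginx templates (`listen … ssl;` reuses the same port variable). Separately, the catch-all `RedirectMatch` also bounces `/.well-known/acme-challenge/` to HTTPS; if the challenge is served from this vhost over HTTP, exclude it with `RedirectMatch permanent ^/(?!\.well-known/acme-challenge/)(.*) https://{{ phpmyadmin_vhostname }}/$1` — unless the included `vhost_ssl_auto-*.conf` or a global config handles renewal differently, which is not visible here.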

+ 36 - 1
roles/webserver/templates/apache2/sys_vhost.j2

@@ -4,9 +4,12 @@
 {% endif -%}
 # Apache vhost for PHP system checks
 
-<VirtualHost {%if phpsyscheck_vhostip %}{{ phpsyscheck_vhostip }}{% else %}*{% endif %}:{{ phpsyscheck_vhostport }}>
+<VirtualHost {%if phpsyscheck_vhostip %}{{ phpsyscheck_vhostip }}{% else %}*{% endif %}:{%if phpsyscheck_vhostport %}{{ phpsyscheck_vhostport }}{% else %}80{% endif %}>
     ServerName {{ phpsyscheck_vhostname }}
 
+{% if phpsyscheck_ssl and ssl_certs_auto_installed.stdout_lines is defined and phpsyscheck_vhostname in ssl_certs_auto_installed.stdout_lines %}
+    RedirectMatch permanent (.*) https://{{ phpsyscheck_vhostname }}$1
+{% else %}
     DocumentRoot /etc/php5/syscheck.d
     DirectoryIndex index.php
 
@@ -27,5 +30,37 @@
     LogLevel warn
     CustomLog ${APACHE_LOG_DIR}/sys.access.log combined
     ErrorLog ${APACHE_LOG_DIR}/sys.error.log
+{% endif %}
+</VirtualHost>
+{% if phpsyscheck_ssl and ssl_certs_auto_installed.stdout_lines is defined and phpsyscheck_vhostname in ssl_certs_auto_installed.stdout_lines %}
+
+<VirtualHost {%if phpsyscheck_vhostip %}{{ phpsyscheck_vhostip }}{% else %}*{% endif %}:{%if phpsyscheck_vhostport %}{{ phpsyscheck_vhostport }}{% else %}443{% endif %}>
+    ServerName {{ phpsyscheck_vhostname }}
+
+    Include vhost_ssl_auto-{{ phpsyscheck_vhostname }}.conf
+
+    DocumentRoot /etc/php5/syscheck.d
+    DirectoryIndex index.php
 
+{% if http_auth_phpmyadmin %}
+    <Location />
+        AuthType basic
+        AuthName "Restricted Access"
+        AuthUserFile /etc/apache2/auth_admin
+        Require valid-user
+    </Location>
+{% endif %}
+
+    <Directory /etc/php5/syscheck.d>
+        Options None
+        AllowOverride None
+        Order allow,deny
+        Allow from all
+    </Directory>
+
+    LogLevel warn
+    CustomLog ${APACHE_LOG_DIR}/sys.access.log combined
+    ErrorLog ${APACHE_LOG_DIR}/sys.error.log
 </VirtualHost>
+{% endif %}
+
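Review bot: The new HTTPS vhost gates Basic auth on `http_auth_phpmyadmin`, a phpmyadmin flag, inside the syscheck template, while the nginx sys_vhost.j2 in the same commit applies `auth_basic` unconditionally; one of the two is presumably a copy-paste slip, and the effect on Apache is that the syscheck vhost is served without authentication whenever the phpmyadmin flag is off. Either introduce a syscheck-specific flag or drop the condition to match nginx; what the HTTP-side lines outside this hunk do cannot be seen here. Also, `Order allow,deny` / `Allow from all` in the added `<Directory>` block is the Apache 2.2 access-control syntax and only works on 2.4 with mod_access_compat loaded; `Require all granted` is the native form. The `Include vhost_ssl_auto-{{ phpsyscheck_vhostname }}.conf` line is assumed to supply `SSLEngine on` and the certificate paths; a one-line comment above it stating that would save the next reader a lookup.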

+ 43 - 2
roles/webserver/templates/nginx/pma_vhost.j2

@@ -5,11 +5,51 @@
 # Nginx vhost for phpmyadmin
 
 server {
-    listen {%if phpmyadmin_vhostip %}{{ phpmyadmin_vhostip }}:{% endif %}{{ phpmyadmin_vhostport }};
+{% if phpmyadmin_vhostip or phpmyadmin_vhostport %}
+    listen {% if phpmyadmin_vhostip %}{{ phpmyadmin_vhostip }}{% endif %}{% if phpmyadmin_vhostip and phpmyadmin_vhostport %}:{% endif %}{% if phpmyadmin_vhostport %}{{ phpmyadmin_vhostport }}{% endif %};
+{% endif %}
+
+    server_name {{ phpmyadmin_vhostname }};
+
+    access_log  /var/log/nginx/pma.access.log main;
+    error_log   /var/log/nginx/pma.error.log;
+
+{% if phpmyadmin_ssl %}
+    include letsencrypt_sh;
+{% endif %}
+
+{% if phpmyadmin_ssl and ssl_certs_auto_installed.stdout_lines is defined and phpmyadmin_vhostname in ssl_certs_auto_installed.stdout_lines %}
+    location / {
+        return 301 https://{{ phpmyadmin_vhostname }}$request_uri;
+    }
+{% else %}
+    root /usr/share/phpmyadmin;
+    index index.php;
+    try_files $uri $uri/ /index.php;
+
+{% if http_auth_phpmyadmin %}
+    auth_basic "Restricted Access";
+    auth_basic_user_file /etc/nginx/auth_admin;
+{% endif %}
+
+    client_max_body_size 128m;
+
+    location ~ \.php(/|$) {
+        include fastcgi_pass_fpm;
+        fastcgi_param PHP_ADMIN_VALUE "max_execution_time=240\nupload_max_filesize=128M\npost_max_size=128M";
+    }
+{% endif %}
+}
+{% if phpmyadmin_ssl and ssl_certs_auto_installed.stdout_lines is defined and phpmyadmin_vhostname in ssl_certs_auto_installed.stdout_lines %}
+
+server {
+    listen {% if phpmyadmin_vhostip %}{{ phpmyadmin_vhostip }}:{% endif %}{% if phpmyadmin_vhostport %}{{ phpmyadmin_vhostport }}{% else %}443{% endif %} ssl;
 
     server_name {{ phpmyadmin_vhostname }};
 
-    access_log  /var/log/nginx/pma.access.log;
+    include vhost_ssl_auto-{{ phpmyadmin_vhostname }};
+
+    access_log  /var/log/nginx/pma.access.log main;
     error_log   /var/log/nginx/pma.error.log;
 
     root /usr/share/phpmyadmin;
@@ -28,3 +68,4 @@ server {
         fastcgi_param PHP_ADMIN_VALUE "max_execution_time=240\nupload_max_filesize=128M\npost_max_size=128M";
     }
 }
+{% endif %}
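Review bot: `access_log  /var/log/nginx/pma.access.log main;` (in both the redirect server and the new HTTPS server) references a named `log_format main`, which must be declared in the `http` context; the Debian-packaged nginx.conf does not define one, so unless this role's nginx.conf does, nginx refuses to start with an unknown log format. The same applies to the two `access_log … main;` lines in sys_vhost.j2. The HTTPS `server` block opens in this hunk and closes in the next, and no `Strict-Transport-Security` header is visible in it; if `include vhost_ssl_auto-{{ phpmyadmin_vhostname }};` does not add one, consider `add_header Strict-Transport-Security "max-age=31536000";` next to the include, since the 301 redirect is otherwise the only thing keeping clients on TLS.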

+ 38 - 2
roles/webserver/templates/nginx/sys_vhost.j2

@@ -5,11 +5,46 @@
 # Nginx vhost for PHP system checks
 
 server {
-    listen {%if phpsyscheck_vhostip %}{{ phpsyscheck_vhostip }}:{% endif %}{{ phpsyscheck_vhostport }};
+{% if phpsyscheck_vhostip or phpsyscheck_vhostport %}
+    listen {% if phpsyscheck_vhostip %}{{ phpsyscheck_vhostip }}{% endif %}{% if phpsyscheck_vhostip and phpsyscheck_vhostport %}:{% endif %}{% if phpsyscheck_vhostport %}{{ phpsyscheck_vhostport }}{% endif %};
+{% endif %}
 
     server_name {{ phpsyscheck_vhostname }};
 
-    access_log  /var/log/nginx/sys.access.log;
+    access_log  /var/log/nginx/sys.access.log main;
+    error_log   /var/log/nginx/sys.error.log;
+
+{% if phpsyscheck_ssl %}
+    include letsencrypt_sh;
+{% endif %}
+
+{% if phpsyscheck_ssl and ssl_certs_auto_installed.stdout_lines is defined and phpsyscheck_vhostname in ssl_certs_auto_installed.stdout_lines %}
+    location / {
+        return 301 https://{{ phpsyscheck_vhostname }}$request_uri;
+    }
+{% else %}
+    root /etc/php5/syscheck.d;
+    index index.php;
+    try_files $uri $uri/ /index.php;
+
+    auth_basic "Restricted Access";
+    auth_basic_user_file /etc/nginx/auth_admin;
+
+    location ~ \.php(/|$) {
+        include fastcgi_pass_fpm;
+    }
+{% endif %}
+}
+{% if phpsyscheck_ssl and ssl_certs_auto_installed.stdout_lines is defined and phpsyscheck_vhostname in ssl_certs_auto_installed.stdout_lines %}
+
+server {
+    listen {% if phpsyscheck_vhostip %}{{ phpsyscheck_vhostip }}:{% endif %}{% if phpsyscheck_vhostport %}{{ phpsyscheck_vhostport }}{% else %}443{% endif %} ssl;
+
+    server_name {{ phpsyscheck_vhostname }};
+
+    include vhost_ssl_auto-{{ phpsyscheck_vhostname }};
+
+    access_log  /var/log/nginx/sys.access.log main;
     error_log   /var/log/nginx/sys.error.log;
 
     root /etc/php5/syscheck.d;
@@ -23,3 +58,4 @@ server {
         include fastcgi_pass_fpm;
     }
 }
+{% endif %}
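Review bot: The condition `phpsyscheck_ssl and ssl_certs_auto_installed.stdout_lines is defined and phpsyscheck_vhostname in ssl_certs_auto_installed.stdout_lines` is spelled out twice in this template (and twice in each of the other three), and the HTTPS `server` block repeats most of the HTTP block's body. Evaluating it once at the top with `{% set syscheck_https = phpsyscheck_ssl and ssl_certs_auto_installed.stdout_lines is defined and phpsyscheck_vhostname in ssl_certs_auto_installed.stdout_lines %}` and testing `{% if syscheck_https %}` keeps the two branches from drifting, and a Jinja macro for the shared `root`/`index`/`try_files`/`auth_basic`/`location ~ \.php` lines would do the same for the duplicated body. The HTTPS server starts in the first hunk and ends in the second, so whether its auth lines match the HTTP branch is not visible here.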