# Profile wiring the puppetlabs-apache module together with certbot (the
# '::letsencrypt' class) for this host: base apache settings, a handful of
# custom config snippets, a TLS vhost for the host's real hostname, an
# HTTP->HTTPS redirect vhost, mod_ssl hardening and the static files served
# from the /srv/http webroot.
class profile::apache {
  class { 'apache':
    # "All" on the root <Directory> enables every Options except MultiViews
    # (FollowSymLinks, Includes, ExecCGI, Indexes, ...).  NOTE(review):
    # consider whether the whole tree really needs all of these; the
    # per-directory snippets below may be a better place to opt in.
    root_directory_secured => true,
    root_directory_options => ["All"],
    # No default module set and no default vhost: everything is declared
    # explicitly further down.
    default_mods           => false,
    default_vhost          => false,
    user                   => "http",
    group                  => "http",
    # "combined" here additionally records the vhost (%v) and port (%p),
    # which is what makes the shared access_log below attributable per vhost.
    log_formats            => {
      combined => '%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %p',
      common   => '%h %l %u %t \"%r\" %>s %b',
    }
  }

  # Single access log for all vhosts, in the "combined" format defined above.
  ::apache::custom_config { 'log_config.conf':
    content  => 'CustomLog "/var/log/httpd/access_log" combined',
    filename => 'log_config.conf'
  }

  # Advertise HTTP/2 (h2 over TLS) with HTTP/1.1 fallback.
  ::apache::custom_config { 'protocols.conf':
    content  => 'Protocols h2 http/1.1',
    filename => 'protocols.conf'
  }

  # Static snippets shipped with the profile module.
  ::apache::custom_config { 'document_root.conf':
    source   => "puppet:///modules/profile/apache/document_root.conf",
    filename => "document_root.conf"
  }

  ::apache::custom_config { 'immae.conf':
    source   => "puppet:///modules/profile/apache/immae.conf",
    filename => 'immae.conf'
  }

  ::apache::custom_config { 'letsencrypt.conf':
    source   => "puppet:///modules/profile/apache/letsencrypt.conf",
    filename => 'letsencrypt.conf'
  }

  # Defaults merged into apache::vhost declarations (see "default: * =>"
  # below).  Presumably these paths are served locally even on vhosts that
  # otherwise proxy everything: the maintenance page, the Google site
  # verification file and the ACME HTTP-01 challenge directory.
  $apache_vhost_default = {
    no_proxy_uris       => [
      "/maintenance_immae.html",
      "/googleb6d69446ff4ca3e5.html",
      "/.well-known/acme-challenge"
    ],
    no_proxy_uris_match => [
      '^/licen[cs]es?_et_tip(ping)?$',
      '^/licen[cs]es?_and_tip(ping)?$',
      '^/licen[cs]es?$',
      '^/tip(ping)?$',
    ]
  }

  # httpd must already be answering on port 80 before certbot runs, since
  # the webroot plugin below relies on Apache serving the challenge files.
  # Idempotent thanks to "unless".
  exec { 'Start-apache':
    command => "/usr/bin/systemctl start httpd",
    before  => Class["::letsencrypt"],
    unless  => "/usr/bin/systemctl is-active httpd",
  }

  # Defaults for every letsencrypt::certonly below.  The HTTP-01 challenge
  # is served from /srv/http/, which requires the port-80 redirect vhost
  # (it exempts /.well-known from the HTTPS redirect) and the
  # letsencrypt.conf snippet to be in place first.  Apache is reloaded
  # when a certificate is (re)issued; renewal is handled by certbot's cron.
  $letsencrypt_certonly_default = {
    plugin        => "webroot",
    webroot_paths => ["/srv/http/"],
    notify        => Class['Apache::Service'],
    require       => [Exec['Start-apache'],Apache::Vhost["redirect_no_ssl"],Apache::Custom_config["letsencrypt.conf"]],
    manage_cron   => true,
  }

  class { '::letsencrypt':
    install_method  => "package",
    package_name    => "certbot",
    package_command => "certbot",
    # Account/expiry contact address comes from Hiera.
    email           => lookup('letsencrypt::email'),
  }

  # The TLS vhost is only declared when the host has a public hostname.
  $real_hostname = lookup("base_installation::real_hostname", { "default_value" => undef })
  unless empty($real_hostname) {
    if (lookup("letsencrypt::try_for_real_hostname", { "default_value" => true })) {
      # Real certificate from Let's Encrypt; the vhost waits for it.
      letsencrypt::certonly { $real_hostname:
        before  => Apache::Vhost["default_ssl"];
        default: * => $::profile::apache::letsencrypt_certonly_default;
      }
      $ssl_cert = "/etc/letsencrypt/live/$real_hostname/cert.pem"
      $ssl_key = "/etc/letsencrypt/live/$real_hostname/privkey.pem"
      $ssl_chain = "/etc/letsencrypt/live/$real_hostname/chain.pem"
    } else {
      # Fallback (hosts not reachable by the ACME validator): a long-lived
      # self-signed certificate.  Clients will not trust it, which is the
      # expected trade-off here.
      ssl::self_signed_certificate { $real_hostname:
        common_name  => $real_hostname,
        country      => "FR",
        days         => "3650",
        organization => "Immae",
        directory    => "/etc/httpd/conf/ssl",
        before       => Apache::Vhost["default_ssl"],
      }

      $ssl_key = "/etc/httpd/conf/ssl/$real_hostname.key"
      $ssl_cert = "/etc/httpd/conf/ssl/$real_hostname.crt"
      # No intermediate chain for a self-signed certificate.
      $ssl_chain = undef
    }

    # Priority 0 makes this the first (hence default) TLS vhost, so it is
    # also the one a client gets when the SNI name matches nothing else.
    # NOTE(review): directoryindex here and apache::mod::dir's "indexes"
    # further down both set DirectoryIndex; keeping one would avoid drift.
    apache::vhost { "default_ssl":
      port           => '443',
      docroot        => '/srv/http',
      servername     => $real_hostname,
      directoryindex => 'index.htm index.html',
      ssl            => true,
      ssl_key        => $ssl_key,
      ssl_cert       => $ssl_cert,
      ssl_chain      => $ssl_chain,
      priority       => 0;
      default: * => $::profile::apache::apache_vhost_default;
    }
  }

  # Additional certificates listed in Hiera, using the same certonly
  # defaults.  The real hostname is skipped because it was handled above.
  lookup("letsencrypt::hosts", { "default_value" => [] }).each |$host| {
    if ($host != $real_hostname) { # Done above already
      letsencrypt::certonly { $host: ;
        default: * => $letsencrypt_certonly_default;
      }
    }
  }

  # Catch-all port-80 vhost (empty servername, alias "*", lowest priority):
  # permanently redirects every request to https:// on the same Host header,
  # except /.well-known so that ACME HTTP-01 challenges still get answered
  # over plain HTTP.  NOTE(review): access_log/error_log are disabled here,
  # so nothing on port 80 (including challenge fetches and redirect abuse)
  # is ever logged; worth reconsidering for incident investigation.
  apache::vhost { "redirect_no_ssl":
    port          => '80',
    error_log     => false,
    log_level     => undef,
    access_log    => false,
    docroot       => false,
    servername    => "",
    serveraliases => "*",
    priority      => 99,
    rewrites      => [
      {
        rewrite_cond => '"%{REQUEST_URI}" "!^/\.well-known"',
        rewrite_rule => '^(.+) https://%{HTTP_HOST}$1 [R=301]'
      }
    ]
  }

  class { 'apache::mod::ssl':
    # Only SSLv3 is switched off, so TLSv1 and TLSv1.1 remain negotiable.
    # NOTE(review): the cipher string is the Mozilla "old" compatibility
    # profile (it still lists 3DES suites); if legacy clients are not a
    # requirement, disabling TLSv1/TLSv1.1 and moving to the "intermediate"
    # profile would be the usual hardening step.
    ssl_protocol => [ 'all', '-SSLv3' ],
    # Given by
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/
    ssl_cipher => "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS",
    # FIXME: need SSLSessionTickets off
    # NOTE(review): newer puppetlabs-apache releases expose this as the
    # ssl_sessiontickets parameter and the timeout below as
    # ssl_stapling_timeout -- check the pinned module version before
    # relying on either.
    # OCSP stapling on, but a failed responder lookup does not break the
    # handshake (SSLStaplingReturnResponderErrors off).
    ssl_stapling => true,
    ssl_stapling_return_errors => false,
    # FIXME: SSLStaplingResponderTimeout 5
    # System CA bundle; presumably needed so mod_ssl can validate the
    # stapled OCSP responses against the issuing CA -- confirm.
    ssl_ca => '/etc/ssl/certs/ca-certificates.crt',
  }
  class { 'apache::mod::alias': }
  class { 'apache::mod::autoindex': }
  # Included by ssl
  # class { 'apache::mod::mime': }
  class { 'apache::mod::deflate': }
  class { 'apache::mod::rewrite': }

  class { 'apache::mod::dir':
    indexes => ["index.html"]
  }

  # Webroot and ACME challenge directory.  Owned by root and world-readable
  # only, so the "http" service user cannot alter what is served here.
  file { [
    "/srv/http",
    "/srv/http/.well-known"]:
    ensure => "directory",
    mode   => "0755",
    owner  => "root",
    group  => "root",
  }

  # Static pages managed by Puppet (root-owned, read-only for httpd).
  file { "/srv/http/index.html":
    mode   => "0644",
    owner  => "root",
    group  => "root",
    source => "puppet:///modules/profile/apache/index.html",
  }
  file { "/srv/http/maintenance_immae.html":
    mode   => "0644",
    owner  => "root",
    group  => "root",
    source => "puppet:///modules/profile/apache/maintenance_immae.html",
  }
  # Google site-verification file, also listed in no_proxy_uris above.
  file { "/srv/http/googleb6d69446ff4ca3e5.html":
    mode   => "0644",
    owner  => "root",
    group  => "root",
    source => "puppet:///modules/profile/apache/googleb6d69446ff4ca3e5.html",
  }
}