root_directory_options => ["All"],
default_mods => false,
default_vhost => false,
+ user => "http",
+ group => "http",
log_formats => {
combined => '%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %p',
common => '%h %l %u %t \"%r\" %>s %b',
filename => 'protocols.conf'
}
+ ::apache::custom_config { 'protocols.load':
+ content => 'LoadModule http2_module /etc/httpd/modules/mod_http2.so',
+ filename => 'protocols.load'
+ }
+
::apache::custom_config { 'document_root.conf':
source => "puppet:///modules/profile/apache/document_root.conf",
filename => "document_root.conf"
filename => 'letsencrypt.conf'
}
- # FIXME: default values ignored?
- Apache::Vhost {
+ $apache_vhost_default = {
no_proxy_uris => [
"/maintenance_immae.html",
"/googleb6d69446ff4ca3e5.html",
]
}
- $real_hostname = lookup("base_installation::real_hostname") |$key| { {} }
+ exec { 'Start-apache':
+ command => "/usr/bin/systemctl start httpd",
+ before => Class["::letsencrypt"],
+ unless => "/usr/bin/systemctl is-active httpd",
+ }
+
+ $letsencrypt_certonly_default = {
+ plugin => "webroot",
+ webroot_paths => ["/srv/http/"],
+ notify => Class['Apache::Service'],
+ require => [Exec['Start-apache'],Apache::Vhost["redirect_no_ssl"],Apache::Custom_config["letsencrypt.conf"]],
+ manage_cron => true,
+ }
+
+ class { '::letsencrypt':
+ install_method => "package",
+ package_name => "certbot",
+ package_command => "certbot",
+ email => lookup('letsencrypt::email'),
+ }
+
+ $real_hostname = lookup("base_installation::real_hostname", { "default_value" => undef })
unless empty($real_hostname) {
+ if (lookup("letsencrypt::try_for_real_hostname", { "default_value" => true })) {
+ letsencrypt::certonly { $real_hostname:
+ before => Apache::Vhost["default_ssl"];
+ default: * => $::profile::apache::letsencrypt_certonly_default;
+ }
+ $ssl_cert = "/etc/letsencrypt/live/$real_hostname/cert.pem"
+ $ssl_key = "/etc/letsencrypt/live/$real_hostname/privkey.pem"
+ $ssl_chain = "/etc/letsencrypt/live/$real_hostname/chain.pem"
+ } else {
+ ssl::self_signed_certificate { $real_hostname:
+ common_name => $real_hostname,
+ country => "FR",
+ days => "3650",
+ organization => "Immae",
+ directory => "/etc/httpd/conf/ssl",
+ before => Apache::Vhost["default_ssl"],
+ }
+
+ $ssl_key = "/etc/httpd/conf/ssl/$real_hostname.key"
+ $ssl_cert = "/etc/httpd/conf/ssl/$real_hostname.crt"
+ $ssl_chain = undef
+ }
+
apache::vhost { "default_ssl":
port => '443',
docroot => '/srv/http',
servername => $real_hostname,
directoryindex => 'index.htm index.html',
- priority => 0,
+ ssl => true,
+ ssl_key => $ssl_key,
+ ssl_cert => $ssl_cert,
+ ssl_chain => $ssl_chain,
+ priority => 0;
+ default: * => $::profile::apache::apache_vhost_default;
+ }
+ }
+
+ lookup("letsencrypt::hosts", { "default_value" => [] }).each |$host| {
+ if ($host != $real_hostname) { # Done above already
+ letsencrypt::certonly { $host: ;
+ default: * => $letsencrypt_certonly_default;
+ }
}
}
file { [
"/srv/http",
- "/srv/http/.well-known",
- "/srv/http/.well-known/acme-challenge"]:
+ "/srv/http/.well-known"]:
ensure => "directory",
mode => "0755",
owner => "root",
group => "root",
}
+ file { "/srv/http/index.html":
+ mode => "0644",
+ owner => "root",
+ group => "root",
+ source => "puppet:///modules/profile/apache/index.html",
+ }
file { "/srv/http/maintenance_immae.html":
mode => "0644",
owner => "root",