X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;ds=inline;f=modules%2Fprofile%2Fmanifests%2Fapache.pp;h=382633bb3f8c60d802356b43ce973d019066db91;hb=f25ad097f24e0d39d5dd9ac2cef39760e671e08f;hp=b965944487321c6b615feb6e86912067c7504e32;hpb=2bb35074eef353f03b4373f695834c0be41609ad;p=perso%2FImmae%2FProjets%2FPuppet.git
diff --git a/modules/profile/manifests/apache.pp b/modules/profile/manifests/apache.pp
index b965944..382633b 100644
--- a/modules/profile/manifests/apache.pp
+++ b/modules/profile/manifests/apache.pp
@@ -35,8 +35,7 @@ class profile::apache {
     filename => 'letsencrypt.conf'
   }
-  # FIXME: default values ignored?
-  Apache::Vhost {
+  $apache_vhost_default = {
     no_proxy_uris => [
       "/maintenance_immae.html",
       "/googleb6d69446ff4ca3e5.html",
@@ -50,14 +49,71 @@ class profile::apache {
     ]
   }
-  $real_hostname = lookup("base_installation::real_hostname") |$key| { {} }
+  exec { 'Start-apache':
+    command => "/usr/bin/systemctl start httpd",
+    before => Class["::letsencrypt"],
+    unless => "/usr/bin/systemctl is-active httpd",
+  }
+
+  $letsencrypt_certonly_default = {
+    plugin => "webroot",
+    webroot_paths => ["/srv/http/"],
+    notify => Class['Apache::Service'],
+    require => [Exec['Start-apache'],Apache::Vhost["redirect_no_ssl"],Apache::Custom_config["letsencrypt.conf"]],
+    manage_cron => true,
+  }
+
+  class { '::letsencrypt':
+    install_method => "package",
+    package_name => "certbot",
+    package_command => "certbot",
+    email => lookup('letsencrypt::email'),
+  }
+
+  $real_hostname = lookup("base_installation::real_hostname", { "default_value" => undef })
   unless empty($real_hostname) {
+    if (lookup("letsencrypt::try_for_real_hostname", { "default_value" => true })) {
+      letsencrypt::certonly { $real_hostname:
+        before => Apache::Vhost["default_ssl"];
+        default: * => $::profile::apache::letsencrypt_certonly_default;
+      }
+      $ssl_cert = "/etc/letsencrypt/live/$real_hostname/cert.pem"
+      $ssl_key = "/etc/letsencrypt/live/$real_hostname/privkey.pem"
+      $ssl_chain = "/etc/letsencrypt/live/$real_hostname/chain.pem"
+    } else {
+      ssl::self_signed_certificate { $real_hostname:
+        common_name => $real_hostname,
+        country => "FR",
+        days => "3650",
+        organization => "Immae",
+        directory => "/etc/httpd/conf/ssl",
+        before => Apache::Vhost["default_ssl"],
+      }
+
+      $ssl_key = "/etc/httpd/conf/ssl/$real_hostname.key"
+      $ssl_cert = "/etc/httpd/conf/ssl/$real_hostname.crt"
+      $ssl_chain = undef
+    }
+
     apache::vhost { "default_ssl":
       port => '443',
       docroot => '/srv/http',
       servername => $real_hostname,
       directoryindex => 'index.htm index.html',
-      priority => 0,
+      ssl => true,
+      ssl_key => $ssl_key,
+      ssl_cert => $ssl_cert,
+      ssl_chain => $ssl_chain,
+      priority => 0;
+      default: * => $::profile::apache::apache_vhost_default;
+    }
+  }
+
+
lookup("letsencrypt::hosts", { "default_value" => [] }).each |$host| {
+    if ($host != $real_hostname) { # Done above already
+      letsencrypt::certonly { $host: ;
+        default: * => $letsencrypt_certonly_default;
+      }
+    }
   }
   }
@@ -102,14 +158,19 @@ class profile::apache {
   file { [
     "/srv/http",
-    "/srv/http/.well-known",
-    "/srv/http/.well-known/acme-challenge"]:
+    "/srv/http/.well-known"]:
     ensure => "directory",
     mode => "0755",
     owner => "root",
     group => "root",
   }
+  file { "/srv/http/index.html":
+    mode => "0644",
+    owner => "root",
+    group => "root",
+    source => "puppet:///modules/profile/apache/index.html",
+  }
   file { "/srv/http/maintenance_immae.html":
     mode => "0644",
     owner => "root",
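Review bot: Exec['Start-apache'] can start httpd before the configuration it needs to answer the webroot challenge exists, because the exec only declares `before => Class["::letsencrypt"]` and nothing orders it after Apache::Vhost["redirect_no_ssl"] or Apache::Custom_config["letsencrypt.conf"]; the certonly defaults require those file resources, but a file having been written is not the same as httpd having loaded it. Adding `require => [Apache::Vhost["redirect_no_ssl"], Apache::Custom_config["letsencrypt.conf"]],` to the exec closes the first-run gap; when httpd is already running the `unless` makes the exec a no-op, so the Apache::Service refresh triggered by those resources presumably still has to land before certbot runs — worth confirming against the apache module's notify chain. Minor: the same defaults hash is referenced as `$::profile::apache::letsencrypt_certonly_default` in the `$real_hostname` branch and as `$letsencrypt_certonly_default` in the `.each` loop; pick one form. The enclosing class profile::apache starts and ends outside the hunk.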