--- /dev/null
+class profile::apache {
+ class { 'apache':
+ root_directory_secured => true,
+ root_directory_options => ["All"],
+ default_mods => false,
+ default_vhost => false,
+ log_formats => {
+ combined => '%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %p',
+ common => '%h %l %u %t \"%r\" %>s %b',
+ }
+ }
+
+ ::apache::custom_config { 'log_config.conf':
+ content => 'CustomLog "/var/log/httpd/access_log" combined',
+ filename => 'log_config.conf'
+ }
+
+ ::apache::custom_config { 'protocols.conf':
+ content => 'Protocols h2 http/1.1',
+ filename => 'protocols.conf'
+ }
+
+ ::apache::custom_config { 'document_root.conf':
+ source => "puppet:///modules/profile/apache/document_root.conf",
+ filename => "document_root.conf"
+ }
+
+ ::apache::custom_config { 'immae.conf':
+ source => "puppet:///modules/profile/apache/immae.conf",
+ filename => 'immae.conf'
+ }
+
+ ::apache::custom_config { 'letsencrypt.conf':
+ source => "puppet:///modules/profile/apache/letsencrypt.conf",
+ filename => 'letsencrypt.conf'
+ }
+
+ $apache_vhost_default = {
+ no_proxy_uris => [
+ "/maintenance_immae.html",
+ "/googleb6d69446ff4ca3e5.html",
+ "/.well-known/acme-challenge"
+ ],
+ no_proxy_uris_match => [
+ '^/licen[cs]es?_et_tip(ping)?$',
+ '^/licen[cs]es?_and_tip(ping)?$',
+ '^/licen[cs]es?$',
+ '^/tip(ping)?$',
+ ]
+ }
+
+ $letsencrypt_certonly_default = {
+ plugin => "webroot",
+ webroot_paths => ["/srv/http/"],
+ notify => Class['Apache::Service'],
+ require => [Apache::Vhost["redirect_no_ssl"],Apache::Custom_config["letsencrypt.conf"]],
+ manage_cron => true,
+ }
+
+ class { '::letsencrypt':
+ install_method => "package",
+ package_name => "certbot",
+ package_command => "certbot",
+ # FIXME
+ email => 'sites+letsencrypt@mail.immae.eu',
+ }
+
+ $real_hostname = lookup("base_installation::real_hostname") |$key| { {} }
+ unless empty($real_hostname) {
+ if (lookup("ssl::try_letsencrypt_for_real_hostname") |$key| { true }) {
+ letsencrypt::certonly { $real_hostname:
+ before => Apache::Vhost["default_ssl"];
+ default: * => $::profile::apache::letsencrypt_certonly_default;
+ }
+ $ssl_cert = "/etc/letsencrypt/live/$real_hostname/cert.pem"
+ $ssl_key = "/etc/letsencrypt/live/$real_hostname/privkey.pem"
+ $ssl_chain = "/etc/letsencrypt/live/$real_hostname/chain.pem"
+ } else {
+ ssl::self_signed_certificate { $real_hostname:
+ common_name => $real_hostname,
+ country => "FR",
+ days => "3650",
+ organization => "Immae",
+ directory => "/etc/httpd/conf/ssl",
+ before => Apache::Vhost["default_ssl"],
+ }
+
+ $ssl_key = "/etc/httpd/conf/ssl/$real_hostname.key"
+ $ssl_cert = "/etc/httpd/conf/ssl/$real_hostname.crt"
+ $ssl_chain = undef
+ }
+
+ apache::vhost { "default_ssl":
+ port => '443',
+ docroot => '/srv/http',
+ servername => $real_hostname,
+ directoryindex => 'index.htm index.html',
+ ssl => true,
+ ssl_key => $ssl_key,
+ ssl_cert => $ssl_cert,
+ ssl_chain => $ssl_chain,
+ priority => 0;
+ default: * => $::profile::apache::apache_vhost_default;
+ }
+ }
+
+ apache::vhost { "redirect_no_ssl":
+ port => '80',
+ error_log => false,
+ log_level => undef,
+ access_log => false,
+ docroot => false,
+ servername => "",
+ serveraliases => "*",
+ priority => 99,
+ rewrites => [
+ {
+ rewrite_cond => '"%{REQUEST_URI}" "!^/\.well-known"',
+ rewrite_rule => '^(.+) https://%{HTTP_HOST}$1 [R=301]'
+ }
+ ]
+ }
+
+ class { 'apache::mod::ssl':
+ ssl_protocol => [ 'all', '-SSLv3' ],
+ # Given by
+ # https://mozilla.github.io/server-side-tls/ssl-config-generator/
+ ssl_cipher => "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS",
+ # FIXME: need SSLSessionTickets off
+ ssl_stapling => true,
+ ssl_stapling_return_errors => false,
+ # FIXME: SSLStaplingResponderTimeout 5
+ ssl_ca => '/etc/ssl/certs/ca-certificates.crt',
+ }
+ class { 'apache::mod::alias': }
+ class { 'apache::mod::autoindex': }
+ # Included by ssl
+ # class { 'apache::mod::mime': }
+ class { 'apache::mod::deflate': }
+ class { 'apache::mod::rewrite': }
+
+ class { 'apache::mod::dir':
+ indexes => ["index.html"]
+ }
+
+ file { [
+ "/srv/http",
+ "/srv/http/.well-known"]:
+ ensure => "directory",
+ mode => "0755",
+ owner => "root",
+ group => "root",
+ }
+
+ file { "/srv/http/index.html":
+ mode => "0644",
+ owner => "root",
+ group => "root",
+ source => "puppet:///modules/profile/apache/index.html",
+ }
+ file { "/srv/http/maintenance_immae.html":
+ mode => "0644",
+ owner => "root",
+ group => "root",
+ source => "puppet:///modules/profile/apache/maintenance_immae.html",
+ }
+ file { "/srv/http/googleb6d69446ff4ca3e5.html":
+ mode => "0644",
+ owner => "root",
+ group => "root",
+ source => "puppet:///modules/profile/apache/googleb6d69446ff4ca3e5.html",
+ }
+}
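Review bot: The TLS policy in the `apache::mod::ssl` declaration (`ssl_protocol => [ 'all', '-SSLv3' ]`) still allows TLS 1.0 and 1.1, and the `ssl_cipher` string keeps the 3DES suites (`ECDHE-ECDSA-DES-CBC3-SHA`, `ECDHE-RSA-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA`, `DES-CBC3-SHA`), which exist only for very old clients; unless such clients are a stated requirement, use `ssl_protocol => [ 'all', '-SSLv3', '-TLSv1', '-TLSv1.1' ]` and drop the four `*DES-CBC3-SHA` entries from the list. The two FIXMEs (session tickets off, stapling responder timeout) may be resolvable through the module's own `ssl_sessiontickets` / `ssl_stapling_timeout` parameters if the puppetlabs-apache version in use exposes them — worth checking before working around them with another custom_config. Separately, `root_directory_options => ["All"]` on the `apache` class turns on every Options directive (Indexes, Includes, ExecCGI, FollowSymLinks) in the filesystem-root `<Directory />`; `root_directory_secured => true` denies access there, but Options are inherited by every more specific `<Directory>` that does not reset them, so a narrower value such as `["FollowSymLinks"]` keeps the intended behaviour with less exposure. The `default_ssl` vhost also sends no HSTS header; adding `headers => 'set Strict-Transport-Security "max-age=31536000"'` (with `class { 'apache::mod::headers': }` declared, as the role below already does) would make the 301 from `redirect_no_ssl` stick for returning browsers.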
class role::cryptoportfolio {
include "base_installation"
+ include "profile::tools"
include "profile::postgresql"
+ include "profile::apache"
$password_seed = lookup("base_installation::puppet_pass_seed") |$key| { {} }
order => "b0",
}
- class { 'nginx': }
+ letsencrypt::certonly { $cf_front_app_host: ;
+ default: * => $::profile::apache::letsencrypt_certonly_default;
+ }
- nginx::resource::server { $cf_front_app_host:
- listen_port => 80,
- proxy => 'http://localhost:8000',
+ class { 'apache::mod::headers': }
+ apache::vhost { $cf_front_app_host:
+ port => '443',
+ docroot => false,
+ manage_docroot => false,
+ proxy_dest => "http://localhost:8000",
+ request_headers => 'set X-Forwarded-Proto "https"',
+ ssl => true,
+ ssl_cert => "/etc/letsencrypt/live/$cf_front_app_host/cert.pem",
+ ssl_key => "/etc/letsencrypt/live/$cf_front_app_host/privkey.pem",
+ ssl_chain => "/etc/letsencrypt/live/$cf_front_app_host/chain.pem",
+ require => Letsencrypt::Certonly[$cf_front_app_host],
+ proxy_preserve_host => true;
+ default: * => $::profile::apache::apache_vhost_default;
}
user { $cf_user: