Start to cleanup the files
# Apache web-server profile: declares the apache module with an explicit
# (non-default) module set, the site-wide custom config snippets, the TLS
# certificate source for the machine's real hostname (Let's Encrypt, or a
# self-signed fallback), the default HTTPS vhost, the catch-all HTTP->HTTPS
# redirect, and the static files served out of /srv/http.
class profile::apache {
  # Base apache module (presumably puppetlabs-apache). Default mods and the
  # default vhost are switched off, so everything served is declared below.
  class { 'apache':
    root_directory_secured => true,
    # Apache's Options "All" is every option except MultiViews (Indexes and
    # ExecCGI included); what is actually exposed depends on the per-directory
    # configs sourced below, whose contents are not visible in this file.
    root_directory_options => ["All"],
    default_mods           => false,
    default_vhost          => false,
    # "combined" is the stock format with the vhost (%v) prepended and the
    # server port (%p) appended. The strings are single-quoted, so Puppet
    # keeps the backslashes and Apache receives the \" escapes LogFormat needs.
    log_formats            => {
      combined => '%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %p',
      common   => '%h %l %u %t \"%r\" %>s %b',
    }
  }

  # One access log for all vhosts, in the "combined" format defined above.
  ::apache::custom_config { 'log_config.conf':
    content  => 'CustomLog "/var/log/httpd/access_log" combined',
    filename => 'log_config.conf'
  }

  # Advertise HTTP/2 next to HTTP/1.1.
  # NOTE(review): h2 only takes effect if mod_http2 is loaded; it is not among
  # the mods declared below, so it has to come from elsewhere -- verify.
  ::apache::custom_config { 'protocols.conf':
    content  => 'Protocols h2 http/1.1',
    filename => 'protocols.conf'
  }

  # The remaining site-wide snippets are shipped as static files from this
  # module; their contents are not visible here.
  ::apache::custom_config { 'document_root.conf':
    source   => "puppet:///modules/profile/apache/document_root.conf",
    filename => "document_root.conf"
  }

  ::apache::custom_config { 'immae.conf':
    source   => "puppet:///modules/profile/apache/immae.conf",
    filename => 'immae.conf'
  }

  ::apache::custom_config { 'letsencrypt.conf':
    source   => "puppet:///modules/profile/apache/letsencrypt.conf",
    filename => 'letsencrypt.conf'
  }

  # Attribute defaults applied to vhosts through
  # `default: * => $::profile::apache::apache_vhost_default` (used by
  # default_ssl below; the fully qualified name lets other classes reuse it).
  # The listed URIs are always served locally rather than proxied: the
  # maintenance page, what is presumably a Google site-verification file, and
  # the ACME HTTP-01 challenge path used by Let's Encrypt.
  $apache_vhost_default = {
    no_proxy_uris       => [
      "/maintenance_immae.html",
      "/googleb6d69446ff4ca3e5.html",
      "/.well-known/acme-challenge"
    ],
    no_proxy_uris_match => [
      '^/licen[cs]es?_et_tip(ping)?$',
      '^/licen[cs]es?_and_tip(ping)?$',
      '^/licen[cs]es?$',
      '^/tip(ping)?$',
    ]
  }

  # Make sure httpd is running before the letsencrypt class is applied: the
  # certonly resources below use the webroot plugin, whose challenge files
  # have to be reachable over plain HTTP during the very first run.
  exec { 'Start-apache':
    command => "/usr/bin/systemctl start httpd",
    before  => Class["::letsencrypt"],
    unless  => "/usr/bin/systemctl is-active httpd",
  }

  # Defaults for every letsencrypt::certonly declared in this class:
  # - webroot validation out of /srv/http/ (also the docroot of default_ssl);
  # - Apache::Service is notified so a new or renewed certificate is picked up;
  # - ordering: after httpd is up, after the port-80 redirect vhost (which
  #   exempts /.well-known from the redirect) and after letsencrypt.conf;
  # - manage_cron => true leaves renewal to the module's cron job (presumably).
  $letsencrypt_certonly_default = {
    plugin        => "webroot",
    webroot_paths => ["/srv/http/"],
    notify        => Class['Apache::Service'],
    require       => [Exec['Start-apache'],Apache::Vhost["redirect_no_ssl"],Apache::Custom_config["letsencrypt.conf"]],
    manage_cron   => true,
  }

  # certbot from the distribution package; the account e-mail comes from Hiera.
  class { '::letsencrypt':
    install_method  => "package",
    package_name    => "certbot",
    package_command => "certbot",
    email           => lookup('letsencrypt::email'),
  }

  # Certificate for the machine's real hostname. Skipped entirely when Hiera
  # gives no hostname (undef or empty string). Otherwise a Let's Encrypt
  # certificate is requested (the default), or, when
  # letsencrypt::try_for_real_hostname is false, a self-signed one is
  # generated locally. Both branches set $ssl_cert / $ssl_key / $ssl_chain
  # for the default_ssl vhost declared at the end of the block.
  $real_hostname = lookup("base_installation::real_hostname", { "default_value" => undef })
  unless empty($real_hostname) {
    if (lookup("letsencrypt::try_for_real_hostname", { "default_value" => true })) {
      # The `default:` body splats the shared hash in as attribute defaults.
      letsencrypt::certonly { $real_hostname:
        before => Apache::Vhost["default_ssl"];
        default: * => $::profile::apache::letsencrypt_certonly_default;
      }
      $ssl_cert  = "/etc/letsencrypt/live/$real_hostname/cert.pem"
      $ssl_key   = "/etc/letsencrypt/live/$real_hostname/privkey.pem"
      $ssl_chain = "/etc/letsencrypt/live/$real_hostname/chain.pem"
    } else {
      # Self-signed fallback, valid for ten years. Browsers will warn about
      # it, so this is only for hosts that cannot pass the ACME challenge.
      ssl::self_signed_certificate { $real_hostname:
        common_name  => $real_hostname,
        country      => "FR",
        days         => "3650",
        organization => "Immae",
        directory    => "/etc/httpd/conf/ssl",
        before       => Apache::Vhost["default_ssl"],
      }

      $ssl_key   = "/etc/httpd/conf/ssl/$real_hostname.key"
      $ssl_cert  = "/etc/httpd/conf/ssl/$real_hostname.crt"
      # A self-signed certificate has no intermediate chain to serve.
      $ssl_chain = undef
    }

    # Main HTTPS vhost: serves /srv/http for the real hostname with the
    # certificate chosen above. priority 0 is presumably used by the module as
    # the config-file prefix, ordering it ahead of the priority-99 redirect.
    apache::vhost { "default_ssl":
      port           => '443',
      docroot        => '/srv/http',
      servername     => $real_hostname,
      directoryindex => 'index.htm index.html',
      ssl            => true,
      ssl_key        => $ssl_key,
      ssl_cert       => $ssl_cert,
      ssl_chain      => $ssl_chain,
      priority       => 0;
      default: * => $::profile::apache::apache_vhost_default;
    }
  }

  # Extra certificates for the hosts listed in Hiera, with the same defaults.
  lookup("letsencrypt::hosts", { "default_value" => [] }).each |$host| {
    if ($host != $real_hostname) { # Done above already
      letsencrypt::certonly { $host: ;
        default: * => $letsencrypt_certonly_default;
      }
    }
  }

  # Catch-all port-80 vhost (empty ServerName, alias "*") that permanently
  # redirects everything to https on the same host, except /.well-known so
  # that ACME HTTP-01 challenges can still be answered over plain HTTP.
  # No docroot and no logging. The rewrite strings are single-quoted, so
  # `$1` reaches Apache literally instead of being interpolated by Puppet.
  # NOTE(review): the redirect alone does not make browsers remember HTTPS;
  # an HSTS header, if wanted, would have to come from one of the sourced
  # .conf files, which are not visible here.
  apache::vhost { "redirect_no_ssl":
    port          => '80',
    error_log     => false,
    log_level     => undef,
    access_log    => false,
    docroot       => false,
    servername    => "",
    serveraliases => "*",
    priority      => 99,
    rewrites      => [
      {
        rewrite_cond => '"%{REQUEST_URI}" "!^/\.well-known"',
        rewrite_rule => '^(.+) https://%{HTTP_HOST}$1 [R=301]'
      }
    ]
  }

  # Global TLS settings (mod_ssl).
  class { 'apache::mod::ssl':
    # "all" minus SSLv3: SSLv3 is disabled, but TLS 1.0 and 1.1 stay enabled.
    # NOTE(review): add '-TLSv1', '-TLSv1.1' here once legacy clients are no
    # longer needed.
    ssl_protocol               => [ 'all', '-SSLv3' ],
    # Given by
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/
    # ECDHE/DHE AEAD suites come first; the tail of the list (AES*-SHA*,
    # DES-CBC3-SHA) keeps non-forward-secret RSA and 3DES suites for legacy
    # clients, and DSS is excluded outright.
    ssl_cipher                 => "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS",
    # FIXME: need SSLSessionTickets off
    # OCSP stapling is on, but stapling errors are not passed on to clients.
    ssl_stapling               => true,
    ssl_stapling_return_errors => false,
    # FIXME: SSLStaplingResponderTimeout 5
    # System CA bundle handed to mod_ssl.
    ssl_ca                     => '/etc/ssl/certs/ca-certificates.crt',
  }
  # Explicit module set (default_mods is false above).
  # NOTE(review): autoindex plus Options "All" (which includes Indexes) means
  # directories without an index file may be listed unless the sourced
  # .conf files restrict it -- confirm.
  class { 'apache::mod::alias': }
  class { 'apache::mod::autoindex': }
  # Included by ssl
  # class { 'apache::mod::mime': }
  class { 'apache::mod::deflate': }
  class { 'apache::mod::rewrite': }

  # mod_dir: only index.html is tried as the directory index.
  class { 'apache::mod::dir':
    indexes => ["index.html"]
  }

  # Webroot (docroot of default_ssl and the Let's Encrypt webroot path) and
  # the ACME challenge directory under it; world-readable, owned by root.
  file { [
    "/srv/http",
    "/srv/http/.well-known"]:
    ensure => "directory",
    mode   => "0755",
    owner  => "root",
    group  => "root",
  }

  # Static pages shipped from this module: the landing page, the maintenance
  # page and the site-verification file listed in no_proxy_uris above.
  file { "/srv/http/index.html":
    mode   => "0644",
    owner  => "root",
    group  => "root",
    source => "puppet:///modules/profile/apache/index.html",
  }
  file { "/srv/http/maintenance_immae.html":
    mode   => "0644",
    owner  => "root",
    group  => "root",
    source => "puppet:///modules/profile/apache/maintenance_immae.html",
  }
  file { "/srv/http/googleb6d69446ff4ca3e5.html":
    mode   => "0644",
    owner  => "root",
    group  => "root",
    source => "puppet:///modules/profile/apache/googleb6d69446ff4ca3e5.html",
  }
}