Add http2 module
# Profile for the public Apache httpd host.
#
# Declares the puppetlabs-style `apache` class with a minimal module set,
# loads mod_http2, obtains TLS material either from Let's Encrypt (webroot
# plugin) or from a self-signed fallback, serves a static docroot on 443 and
# redirects every plain-HTTP name to HTTPS except the ACME challenge path.
#
# Hiera keys read: letsencrypt::email, letsencrypt::hosts,
# letsencrypt::try_for_real_hostname, base_installation::real_hostname.
class profile::apache {
  class { 'apache':
    # NOTE(review): assuming puppetlabs-apache semantics, this pair renders the
    # root <Directory /> with "Require all denied" but "Options All"; the
    # Options value is inherited by every path that does not override it
    # (Indexes/FollowSymLinks/ExecCGI/Includes) — confirm the docroot and the
    # custom_config fragments below narrow it where it matters.
    root_directory_secured => true,
    root_directory_options => ["All"],
    # No default modules or default vhost: everything needed is declared
    # explicitly further down.
    default_mods           => false,
    default_vhost          => false,
    user                   => "http",
    group                  => "http",
    # Single-quoted on purpose: \" must reach httpd literally.
    log_formats            => {
      combined => '%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %p',
      common   => '%h %l %u %t \"%r\" %>s %b',
    }
  }

  # Global access log, using the `combined` format declared above.
  ::apache::custom_config { 'log_config.conf':
    content  => 'CustomLog "/var/log/httpd/access_log" combined',
    filename => 'log_config.conf'
  }

  # Advertise HTTP/2; only effective once mod_http2 is loaded (protocols.load).
  # NOTE(review): httpd does not run h2 on the prefork MPM — confirm the MPM.
  ::apache::custom_config { 'protocols.conf':
    content  => 'Protocols h2 http/1.1',
    filename => 'protocols.conf'
  }

  ::apache::custom_config { 'protocols.load':
    content  => 'LoadModule http2_module /etc/httpd/modules/mod_http2.so',
    filename => 'protocols.load'
  }

  ::apache::custom_config { 'document_root.conf':
    source   => "puppet:///modules/profile/apache/document_root.conf",
    filename => "document_root.conf"
  }

  ::apache::custom_config { 'immae.conf':
    source   => "puppet:///modules/profile/apache/immae.conf",
    filename => 'immae.conf'
  }

  ::apache::custom_config { 'letsencrypt.conf':
    source   => "puppet:///modules/profile/apache/letsencrypt.conf",
    filename => 'letsencrypt.conf'
  }

  # Defaults merged into vhosts via `default: * => ...`: paths that must be
  # served locally and never handed to a proxied backend. The ACME challenge
  # path is here so certbot's webroot files stay reachable.
  $apache_vhost_default = {
    no_proxy_uris => [
      "/maintenance_immae.html",
      "/googleb6d69446ff4ca3e5.html",
      "/.well-known/acme-challenge"
    ],
    # Anchored with ^...$ so only the exact paths are excluded from proxying.
    no_proxy_uris_match => [
      '^/licen[cs]es?_et_tip(ping)?$',
      '^/licen[cs]es?_and_tip(ping)?$',
      '^/licen[cs]es?$',
      '^/tip(ping)?$',
    ]
  }

  # httpd must already answer on port 80 when certbot runs its webroot
  # challenge; `unless` keeps the exec idempotent across runs.
  exec { 'Start-apache':
    command => "/usr/bin/systemctl start httpd",
    before  => Class["::letsencrypt"],
    unless  => "/usr/bin/systemctl is-active httpd",
  }

  # Shared parameters for every letsencrypt::certonly below. The require list
  # orders issuance after the port-80 vhost and its config fragment exist, and
  # notify restarts/reloads httpd so renewed files are picked up.
  $letsencrypt_certonly_default = {
    plugin        => "webroot",
    webroot_paths => ["/srv/http/"],
    notify        => Class['Apache::Service'],
    require       => [Exec['Start-apache'],Apache::Vhost["redirect_no_ssl"],Apache::Custom_config["letsencrypt.conf"]],
    manage_cron   => true,
  }

  class { '::letsencrypt':
    install_method  => "package",
    package_name    => "certbot",
    package_command => "certbot",
    email           => lookup('letsencrypt::email'),
  }

  # The host's canonical public name; absent/empty means no TLS vhost at all.
  $real_hostname = lookup("base_installation::real_hostname", { "default_value" => undef })
  unless empty($real_hostname) {
    if (lookup("letsencrypt::try_for_real_hostname", { "default_value" => true })) {
      letsencrypt::certonly { $real_hostname:
        before => Apache::Vhost["default_ssl"];
        default: * => $::profile::apache::letsencrypt_certonly_default;
      }
      # Puppet conditionals do not open a new scope, so these three variables
      # are visible to the default_ssl vhost below whichever branch ran.
      $ssl_cert = "/etc/letsencrypt/live/$real_hostname/cert.pem"
      $ssl_key = "/etc/letsencrypt/live/$real_hostname/privkey.pem"
      $ssl_chain = "/etc/letsencrypt/live/$real_hostname/chain.pem"
    } else {
      # Fallback when Let's Encrypt is disabled for this host.
      # NOTE(review): a ten-year self-signed certificate; fine as a stand-in,
      # but clients will rightly refuse it, so it should not become permanent.
      ssl::self_signed_certificate { $real_hostname:
        common_name  => $real_hostname,
        country      => "FR",
        days         => "3650",
        organization => "Immae",
        directory    => "/etc/httpd/conf/ssl",
        before       => Apache::Vhost["default_ssl"],
      }

      $ssl_key = "/etc/httpd/conf/ssl/$real_hostname.key"
      $ssl_cert = "/etc/httpd/conf/ssl/$real_hostname.crt"
      # No intermediate for a self-signed cert; the vhost then emits no chain.
      $ssl_chain = undef
    }

    # Priority 0 so this vhost is selected first for $real_hostname on 443.
    apache::vhost { "default_ssl":
      port           => '443',
      docroot        => '/srv/http',
      servername     => $real_hostname,
      directoryindex => 'index.htm index.html',
      ssl            => true,
      ssl_key        => $ssl_key,
      ssl_cert       => $ssl_cert,
      ssl_chain      => $ssl_chain,
      priority       => 0;
      default: * => $::profile::apache::apache_vhost_default;
    }
  }

  # Additional names to obtain certificates for. Unlike the block above these
  # carry no `before => Apache::Vhost["default_ssl"]`; only the shared defaults.
  lookup("letsencrypt::hosts", { "default_value" => [] }).each |$host| {
    if ($host != $real_hostname) { # Done above already
      letsencrypt::certonly { $host: ;
        default: * => $letsencrypt_certonly_default;
      }
    }
  }

  # Catch-all port-80 vhost (priority 99, ServerAlias *): everything except
  # /.well-known is answered with a 301 to HTTPS, which keeps ACME HTTP-01
  # challenges on plain HTTP. Single quotes keep `$1` out of Puppet
  # interpolation so mod_rewrite sees it.
  # NOTE(review): the redirect target is built from the client-supplied Host
  # header (%{HTTP_HOST}); for a catch-all that is the intended behaviour, but
  # it means the Location value is whatever the client sent.
  apache::vhost { "redirect_no_ssl":
    port          => '80',
    error_log     => false,
    log_level     => undef,
    access_log    => false,
    docroot       => false,
    servername    => "",
    serveraliases => "*",
    priority      => 99,
    rewrites      => [
      {
        rewrite_cond => '"%{REQUEST_URI}" "!^/\.well-known"',
        rewrite_rule => '^(.+) https://%{HTTP_HOST}$1 [R=301]'
      }
    ]
  }

  class { 'apache::mod::ssl':
    # Only SSLv3 is excluded, so TLS 1.0 and 1.1 remain negotiable.
    ssl_protocol => [ 'all', '-SSLv3' ],
    # Given by
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/
    # NOTE(review): this is the generator's backward-compatibility list — it
    # still offers 3DES (the *-DES-CBC3-SHA suites) and static-RSA key
    # exchange (AES*-SHA*, no forward secrecy). Unless legacy clients are a
    # requirement, the current "intermediate" recommendation (TLS 1.2+, AEAD
    # and ECDHE/DHE suites only) is the safer target.
    ssl_cipher => "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS",
    # FIXME: need SSLSessionTickets off
    # (rationale: the ticket key only changes on restart, so resumed sessions
    # lose forward secrecy for as long as the process lives)
    # Stapling on, but a responder failure must not break the handshake.
    ssl_stapling => true,
    ssl_stapling_return_errors => false,
    # FIXME: SSLStaplingResponderTimeout 5
    # NOTE(review): presumably maps to SSLCACertificateFile, i.e. the trust
    # store for *client* certificates; pointing it at the whole system bundle
    # is harmless while no vhost sets SSLVerifyClient — confirm none does.
    ssl_ca => '/etc/ssl/certs/ca-certificates.crt',
  }
  class { 'apache::mod::alias': }
  class { 'apache::mod::autoindex': }
  # Included by ssl
  # class { 'apache::mod::mime': }
  class { 'apache::mod::deflate': }
  class { 'apache::mod::rewrite': }

  class { 'apache::mod::dir':
    indexes => ["index.html"]
  }

  # Docroot tree is root-owned and not group/world-writable, so the "http"
  # service user cannot alter what it serves.
  file { [
    "/srv/http",
    "/srv/http/.well-known"]:
    ensure => "directory",
    mode   => "0755",
    owner  => "root",
    group  => "root",
  }

  file { "/srv/http/index.html":
    mode   => "0644",
    owner  => "root",
    group  => "root",
    source => "puppet:///modules/profile/apache/index.html",
  }
  # Static pages listed in $apache_vhost_default::no_proxy_uris so they are
  # always served from here rather than from a proxied backend.
  file { "/srv/http/maintenance_immae.html":
    mode   => "0644",
    owner  => "root",
    group  => "root",
    source => "puppet:///modules/profile/apache/maintenance_immae.html",
  }
  file { "/srv/http/googleb6d69446ff4ca3e5.html":
    mode   => "0644",
    owner  => "root",
    group  => "root",
    source => "puppet:///modules/profile/apache/googleb6d69446ff4ca3e5.html",
  }
}