]> git.immae.eu Git - perso/Immae/Projets/Puppet.git/blob - modules/profile/manifests/apache.pp
projects / perso / Immae / Projets / Puppet.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Add letsencrypt
[perso/Immae/Projets/Puppet.git] / modules / profile / manifests / apache.pp
1 class profile::apache {
2 class { 'apache':
3 root_directory_secured => true,
4 root_directory_options => ["All"],
5 default_mods => false,
6 default_vhost => false,
7 log_formats => {
8 combined => '%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %p',
9 common => '%h %l %u %t \"%r\" %>s %b',
10 }
11 }
12
13 ::apache::custom_config { 'log_config.conf':
14 content => 'CustomLog "/var/log/httpd/access_log" combined',
15 filename => 'log_config.conf'
16 }
17
18 ::apache::custom_config { 'protocols.conf':
19 content => 'Protocols h2 http/1.1',
20 filename => 'protocols.conf'
21 }
22
23 ::apache::custom_config { 'document_root.conf':
24 source => "puppet:///modules/profile/apache/document_root.conf",
25 filename => "document_root.conf"
26 }
27
28 ::apache::custom_config { 'immae.conf':
29 source => "puppet:///modules/profile/apache/immae.conf",
30 filename => 'immae.conf'
31 }
32
33 ::apache::custom_config { 'letsencrypt.conf':
34 source => "puppet:///modules/profile/apache/letsencrypt.conf",
35 filename => 'letsencrypt.conf'
36 }
37
38 $apache_vhost_default = {
39 no_proxy_uris => [
40 "/maintenance_immae.html",
41 "/googleb6d69446ff4ca3e5.html",
42 "/.well-known/acme-challenge"
43 ],
44 no_proxy_uris_match => [
45 '^/licen[cs]es?_et_tip(ping)?$',
46 '^/licen[cs]es?_and_tip(ping)?$',
47 '^/licen[cs]es?$',
48 '^/tip(ping)?$',
49 ]
50 }
51
52 $letsencrypt_certonly_default = {
53 plugin => "webroot",
54 webroot_paths => ["/srv/http/"],
55 notify => Class['Apache::Service'],
56 require => [Apache::Vhost["redirect_no_ssl"],Apache::Custom_config["letsencrypt.conf"]],
57 manage_cron => true,
58 }
59
60 class { '::letsencrypt':
61 install_method => "package",
62 package_name => "certbot",
63 package_command => "certbot",
64 # FIXME
65 email => 'sites+letsencrypt@mail.immae.eu',
66 }
67
68 $real_hostname = lookup("base_installation::real_hostname") |$key| { {} }
69 unless empty($real_hostname) {
70 if (lookup("ssl::try_letsencrypt_for_real_hostname") |$key| { true }) {
71 letsencrypt::certonly { $real_hostname:
72 before => Apache::Vhost["default_ssl"];
73 default: * => $::profile::apache::letsencrypt_certonly_default;
74 }
75 $ssl_cert = "/etc/letsencrypt/live/$real_hostname/cert.pem"
76 $ssl_key = "/etc/letsencrypt/live/$real_hostname/privkey.pem"
77 $ssl_chain = "/etc/letsencrypt/live/$real_hostname/chain.pem"
78 } else {
79 ssl::self_signed_certificate { $real_hostname:
80 common_name => $real_hostname,
81 country => "FR",
82 days => "3650",
83 organization => "Immae",
84 directory => "/etc/httpd/conf/ssl",
85 before => Apache::Vhost["default_ssl"],
86 }
87
88 $ssl_key = "/etc/httpd/conf/ssl/$real_hostname.key"
89 $ssl_cert = "/etc/httpd/conf/ssl/$real_hostname.crt"
90 $ssl_chain = undef
91 }
92
93 apache::vhost { "default_ssl":
94 port => '443',
95 docroot => '/srv/http',
96 servername => $real_hostname,
97 directoryindex => 'index.htm index.html',
98 ssl => true,
99 ssl_key => $ssl_key,
100 ssl_cert => $ssl_cert,
101 ssl_chain => $ssl_chain,
102 priority => 0;
103 default: * => $::profile::apache::apache_vhost_default;
104 }
105 }
106
107 apache::vhost { "redirect_no_ssl":
108 port => '80',
109 error_log => false,
110 log_level => undef,
111 access_log => false,
112 docroot => false,
113 servername => "",
114 serveraliases => "*",
115 priority => 99,
116 rewrites => [
117 {
118 rewrite_cond => '"%{REQUEST_URI}" "!^/\.well-known"',
119 rewrite_rule => '^(.+) https://%{HTTP_HOST}$1 [R=301]'
120 }
121 ]
122 }
123
124 class { 'apache::mod::ssl':
125 ssl_protocol => [ 'all', '-SSLv3' ],
126 # Given by
127 # https://mozilla.github.io/server-side-tls/ssl-config-generator/
128 ssl_cipher => "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS",
129 # FIXME: need SSLSessionTickets off
130 ssl_stapling => true,
131 ssl_stapling_return_errors => false,
132 # FIXME: SSLStaplingResponderTimeout 5
133 ssl_ca => '/etc/ssl/certs/ca-certificates.crt',
134 }
135 class { 'apache::mod::alias': }
136 class { 'apache::mod::autoindex': }
137 # Included by ssl
138 # class { 'apache::mod::mime': }
139 class { 'apache::mod::deflate': }
140 class { 'apache::mod::rewrite': }
141
142 class { 'apache::mod::dir':
143 indexes => ["index.html"]
144 }
145
146 file { [
147 "/srv/http",
148 "/srv/http/.well-known"]:
149 ensure => "directory",
150 mode => "0755",
151 owner => "root",
152 group => "root",
153 }
154
155 file { "/srv/http/maintenance_immae.html":
156 mode => "0644",
157 owner => "root",
158 group => "root",
159 source => "puppet:///modules/profile/apache/maintenance_immae.html",
160 }
161 file { "/srv/http/googleb6d69446ff4ca3e5.html":
162 mode => "0644",
163 owner => "root",
164 group => "root",
165 source => "puppet:///modules/profile/apache/googleb6d69446ff4ca3e5.html",
166 }
167 }
My infrastructure configuration - Deprecated, replaced with Nix