]> git.immae.eu Git - perso/Immae/Projets/Puppet.git/blob - modules/profile/manifests/apache.pp
projects / perso / Immae / Projets / Puppet.git / blob
? search:


8db58da99beb5aed81e044791bf7393213ba5682
[perso/Immae/Projets/Puppet.git] / modules / profile / manifests / apache.pp
1 class profile::apache {
2 class { 'apache':
3 root_directory_secured => true,
4 root_directory_options => ["All"],
5 default_mods => false,
6 default_vhost => false,
7 log_formats => {
8 combined => '%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %p',
9 common => '%h %l %u %t \"%r\" %>s %b',
10 }
11 }
12
13 ::apache::custom_config { 'log_config.conf':
14 content => 'CustomLog "/var/log/httpd/access_log" combined',
15 filename => 'log_config.conf'
16 }
17
18 ::apache::custom_config { 'protocols.conf':
19 content => 'Protocols h2 http/1.1',
20 filename => 'protocols.conf'
21 }
22
23 ::apache::custom_config { 'document_root.conf':
24 source => "puppet:///modules/profile/apache/document_root.conf",
25 filename => "document_root.conf"
26 }
27
28 ::apache::custom_config { 'immae.conf':
29 source => "puppet:///modules/profile/apache/immae.conf",
30 filename => 'immae.conf'
31 }
32
33 ::apache::custom_config { 'letsencrypt.conf':
34 source => "puppet:///modules/profile/apache/letsencrypt.conf",
35 filename => 'letsencrypt.conf'
36 }
37
38 $apache_vhost_default = {
39 no_proxy_uris => [
40 "/maintenance_immae.html",
41 "/googleb6d69446ff4ca3e5.html",
42 "/.well-known/acme-challenge"
43 ],
44 no_proxy_uris_match => [
45 '^/licen[cs]es?_et_tip(ping)?$',
46 '^/licen[cs]es?_and_tip(ping)?$',
47 '^/licen[cs]es?$',
48 '^/tip(ping)?$',
49 ]
50 }
51
52 exec { 'Start-apache':
53 command => "/usr/bin/systemctl start httpd",
54 before => Class["::letsencrypt"],
55 unless => "/usr/bin/systemctl is-active httpd",
56 }
57
58 $letsencrypt_certonly_default = {
59 plugin => "webroot",
60 webroot_paths => ["/srv/http/"],
61 notify => Class['Apache::Service'],
62 require => [Exec['Start-apache'],Apache::Vhost["redirect_no_ssl"],Apache::Custom_config["letsencrypt.conf"]],
63 manage_cron => true,
64 }
65
66 class { '::letsencrypt':
67 install_method => "package",
68 package_name => "certbot",
69 package_command => "certbot",
70 # FIXME
71 email => 'sites+letsencrypt@mail.immae.eu',
72 }
73
74 $real_hostname = lookup("base_installation::real_hostname") |$key| { {} }
75 unless empty($real_hostname) {
76 if (lookup("ssl::try_letsencrypt_for_real_hostname") |$key| { true }) {
77 letsencrypt::certonly { $real_hostname:
78 before => Apache::Vhost["default_ssl"];
79 default: * => $::profile::apache::letsencrypt_certonly_default;
80 }
81 $ssl_cert = "/etc/letsencrypt/live/$real_hostname/cert.pem"
82 $ssl_key = "/etc/letsencrypt/live/$real_hostname/privkey.pem"
83 $ssl_chain = "/etc/letsencrypt/live/$real_hostname/chain.pem"
84 } else {
85 ssl::self_signed_certificate { $real_hostname:
86 common_name => $real_hostname,
87 country => "FR",
88 days => "3650",
89 organization => "Immae",
90 directory => "/etc/httpd/conf/ssl",
91 before => Apache::Vhost["default_ssl"],
92 }
93
94 $ssl_key = "/etc/httpd/conf/ssl/$real_hostname.key"
95 $ssl_cert = "/etc/httpd/conf/ssl/$real_hostname.crt"
96 $ssl_chain = undef
97 }
98
99 apache::vhost { "default_ssl":
100 port => '443',
101 docroot => '/srv/http',
102 servername => $real_hostname,
103 directoryindex => 'index.htm index.html',
104 ssl => true,
105 ssl_key => $ssl_key,
106 ssl_cert => $ssl_cert,
107 ssl_chain => $ssl_chain,
108 priority => 0;
109 default: * => $::profile::apache::apache_vhost_default;
110 }
111 }
112
113 apache::vhost { "redirect_no_ssl":
114 port => '80',
115 error_log => false,
116 log_level => undef,
117 access_log => false,
118 docroot => false,
119 servername => "",
120 serveraliases => "*",
121 priority => 99,
122 rewrites => [
123 {
124 rewrite_cond => '"%{REQUEST_URI}" "!^/\.well-known"',
125 rewrite_rule => '^(.+) https://%{HTTP_HOST}$1 [R=301]'
126 }
127 ]
128 }
129
130 class { 'apache::mod::ssl':
131 ssl_protocol => [ 'all', '-SSLv3' ],
132 # Given by
133 # https://mozilla.github.io/server-side-tls/ssl-config-generator/
134 ssl_cipher => "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS",
135 # FIXME: need SSLSessionTickets off
136 ssl_stapling => true,
137 ssl_stapling_return_errors => false,
138 # FIXME: SSLStaplingResponderTimeout 5
139 ssl_ca => '/etc/ssl/certs/ca-certificates.crt',
140 }
141 class { 'apache::mod::alias': }
142 class { 'apache::mod::autoindex': }
143 # Included by ssl
144 # class { 'apache::mod::mime': }
145 class { 'apache::mod::deflate': }
146 class { 'apache::mod::rewrite': }
147
148 class { 'apache::mod::dir':
149 indexes => ["index.html"]
150 }
151
152 file { [
153 "/srv/http",
154 "/srv/http/.well-known"]:
155 ensure => "directory",
156 mode => "0755",
157 owner => "root",
158 group => "root",
159 }
160
161 file { "/srv/http/index.html":
162 mode => "0644",
163 owner => "root",
164 group => "root",
165 source => "puppet:///modules/profile/apache/index.html",
166 }
167 file { "/srv/http/maintenance_immae.html":
168 mode => "0644",
169 owner => "root",
170 group => "root",
171 source => "puppet:///modules/profile/apache/maintenance_immae.html",
172 }
173 file { "/srv/http/googleb6d69446ff4ca3e5.html":
174 mode => "0644",
175 owner => "root",
176 group => "root",
177 source => "puppet:///modules/profile/apache/googleb6d69446ff4ca3e5.html",
178 }
179 }
My infrastructure configuration - Deprecated, replaced with Nix