filename => 'letsencrypt.conf'
}
- # FIXME: default values ignored?
- Apache::Vhost {
+ $apache_vhost_default = {
no_proxy_uris => [
"/maintenance_immae.html",
"/googleb6d69446ff4ca3e5.html",
]
}
+ $letsencrypt_certonly_default = {
+ plugin => "webroot",
+ webroot_paths => ["/srv/http/"],
+ notify => Class['Apache::Service'],
+ require => [Apache::Vhost["redirect_no_ssl"],Apache::Custom_config["letsencrypt.conf"]],
+ manage_cron => true,
+ }
+
+ class { '::letsencrypt':
+ install_method => "package",
+ package_name => "certbot",
+ package_command => "certbot",
+ # FIXME
+ email => 'sites+letsencrypt@mail.immae.eu',
+ }
+
$real_hostname = lookup("base_installation::real_hostname") |$key| { {} }
unless empty($real_hostname) {
+ if (lookup("ssl::try_letsencrypt_for_real_hostname") |$key| { true }) {
+ letsencrypt::certonly { $real_hostname:
+ before => Apache::Vhost["default_ssl"];
+ default: * => $::profile::apache::letsencrypt_certonly_default;
+ }
+ $ssl_cert = "/etc/letsencrypt/live/$real_hostname/cert.pem"
+ $ssl_key = "/etc/letsencrypt/live/$real_hostname/privkey.pem"
+ $ssl_chain = "/etc/letsencrypt/live/$real_hostname/chain.pem"
+ } else {
+ ssl::self_signed_certificate { $real_hostname:
+ common_name => $real_hostname,
+ country => "FR",
+ days => "3650",
+ organization => "Immae",
+ directory => "/etc/httpd/conf/ssl",
+ before => Apache::Vhost["default_ssl"],
+ }
+
+ $ssl_key = "/etc/httpd/conf/ssl/$real_hostname.key"
+ $ssl_cert = "/etc/httpd/conf/ssl/$real_hostname.crt"
+ $ssl_chain = undef
+ }
+
apache::vhost { "default_ssl":
port => '443',
docroot => '/srv/http',
servername => $real_hostname,
directoryindex => 'index.htm index.html',
- priority => 0,
+ ssl => true,
+ ssl_key => $ssl_key,
+ ssl_cert => $ssl_cert,
+ ssl_chain => $ssl_chain,
+ priority => 0;
+ default: * => $::profile::apache::apache_vhost_default;
}
}
file { [
"/srv/http",
- "/srv/http/.well-known",
- "/srv/http/.well-known/acme-challenge"]:
+ "/srv/http/.well-known"]:
ensure => "directory",
mode => "0755",
owner => "root",