Add letsencrypt
index b965944487321c6b615feb6e86912067c7504e32..7f7c3a627554a2259dc930eb94a7fffc238407a1 100644 (file)
@@ -35,8 +35,7 @@ class profile::apache {
     filename => 'letsencrypt.conf'
   }
 
-  # FIXME: default values ignored?
-  Apache::Vhost {
+  $apache_vhost_default = {
     no_proxy_uris       => [
       "/maintenance_immae.html",
       "/googleb6d69446ff4ca3e5.html",
@@ -50,14 +49,58 @@ class profile::apache {
     ]
   }
 
+  $letsencrypt_certonly_default = {
+    plugin        => "webroot",
+    webroot_paths => ["/srv/http/"],
+    notify        => Class['Apache::Service'],
+    require       => [Apache::Vhost["redirect_no_ssl"],Apache::Custom_config["letsencrypt.conf"]],
+    manage_cron   => true,
+  }
+
+  class { '::letsencrypt':
+    install_method  => "package",
+    package_name    => "certbot",
+    package_command => "certbot",
+    # FIXME
+    email           => 'sites+letsencrypt@mail.immae.eu',
+  }
+
   $real_hostname = lookup("base_installation::real_hostname") |$key| { {} }
   unless empty($real_hostname) {
+    if (lookup("ssl::try_letsencrypt_for_real_hostname") |$key| { true }) {
+      letsencrypt::certonly { $real_hostname:
+        before => Apache::Vhost["default_ssl"];
+        default: * => $::profile::apache::letsencrypt_certonly_default;
+      }
+      $ssl_cert  = "/etc/letsencrypt/live/$real_hostname/cert.pem"
+      $ssl_key   = "/etc/letsencrypt/live/$real_hostname/privkey.pem"
+      $ssl_chain = "/etc/letsencrypt/live/$real_hostname/chain.pem"
+    } else {
+      ssl::self_signed_certificate { $real_hostname:
+        common_name  => $real_hostname,
+        country      => "FR",
+        days         => "3650",
+        organization => "Immae",
+        directory    => "/etc/httpd/conf/ssl",
+        before       => Apache::Vhost["default_ssl"],
+      }
+
+      $ssl_key   = "/etc/httpd/conf/ssl/$real_hostname.key"
+      $ssl_cert  = "/etc/httpd/conf/ssl/$real_hostname.crt"
+      $ssl_chain = undef
+    }
+
     apache::vhost { "default_ssl":
       port           => '443',
       docroot        => '/srv/http',
       servername     => $real_hostname,
       directoryindex => 'index.htm index.html',
-      priority       => 0,
+      ssl            => true,
+      ssl_key        => $ssl_key,
+      ssl_cert       => $ssl_cert,
+      ssl_chain      => $ssl_chain,
+      priority       => 0;
+    default: * => $::profile::apache::apache_vhost_default;
     }
   }
 
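Review bot: The `notify => Class['Apache::Service']` in `$letsencrypt_certonly_default` only reloads Apache when the Puppet run itself obtains the certificate; with `manage_cron => true` the renewals run from cron outside Puppet, so httpd keeps serving the old certificate from `/etc/letsencrypt/live/$real_hostname/` until something reloads it. If the letsencrypt module version in use supports it, add `cron_success_command => '/bin/systemctl reload httpd'` (or this host's equivalent) to the default hash so a renewal is picked up without waiting for the next Puppet run. The self-signed fallback's `days => "3650"` deserves a comment stating why a ten-year lifetime is acceptable for a placeholder, since that certificate is served for as long as `ssl::try_letsencrypt_for_real_hostname` stays false. The `# FIXME` above `email` presumably means the address should come from Hiera like the other settings; `lookup("letsencrypt::email")` with the current literal as default would remove the hardcoded personal address.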
@@ -102,8 +145,7 @@ class profile::apache {
 
   file { [
     "/srv/http",
-    "/srv/http/.well-known",
-    "/srv/http/.well-known/acme-challenge"]:
+    "/srv/http/.well-known"]:
       ensure => "directory",
       mode   => "0755",
       owner  => "root",
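Review bot: The removal of `/srv/http/.well-known/acme-challenge` from the managed directory list is undocumented, and a later reader may re-add it and fight certbot over ownership and mode. Add a comment above the `file` resource, e.g. `# acme-challenge/ under .well-known is expected to be created and cleaned up by certbot's webroot plugin; only the parent is managed here`. The `file` resource's remaining attributes continue past the end of the hunk.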