[submodule "modules/apache"]
path = modules/apache
url = git://git.immae.eu/github/puppetlabs/puppetlabs-apache.git
+[submodule "modules/letsencrypt"]
+ path = modules/letsencrypt
+ url = git://git.immae.eu/github/voxpupuli/puppet-letsencrypt.git
[submodule "python/ovh"]
path = python/ovh
url = git://git.immae.eu/github/ovh/python-ovh
+[submodule "modules/ssl"]
+ path = modules/ssl
+ url = git://git.immae.eu/github/fnerdwq/puppet-ssl
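Review bot: Both new submodules (and the existing ones) are fetched over `git://`, which is neither encrypted nor authenticated, so an on-path attacker between the builder and git.immae.eu can substitute Puppet module code that will later run as root on every managed host. The superproject pins a commit hash, which limits the exposure for an unchanged checkout, but a fresh clone of a moved ref or `git submodule update --remote` takes whatever the unauthenticated server returns. Prefer an authenticated transport, e.g. `url = https://git.immae.eu/github/voxpupuli/puppet-letsencrypt.git` and `url = https://git.immae.eu/github/fnerdwq/puppet-ssl` (or an ssh URL), and apply the same change to the two pre-existing `git://` entries in a follow-up. The mirror path `github/…` suggests these are re-hosted copies of upstream; how the mirror is kept in sync with upstream is not visible here and is worth documenting next to the entries.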
filename => 'letsencrypt.conf'
}
- # FIXME: default values ignored?
- Apache::Vhost {
+ $apache_vhost_default = {
no_proxy_uris => [
"/maintenance_immae.html",
"/googleb6d69446ff4ca3e5.html",
]
}
+ $letsencrypt_certonly_default = {
+ plugin => "webroot",
+ webroot_paths => ["/srv/http/"],
+ notify => Class['Apache::Service'],
+ require => [Apache::Vhost["redirect_no_ssl"],Apache::Custom_config["letsencrypt.conf"]],
+ manage_cron => true,
+ }
+
+ class { '::letsencrypt':
+ install_method => "package",
+ package_name => "certbot",
+ package_command => "certbot",
+ # FIXME
+ email => 'sites+letsencrypt@mail.immae.eu',
+ }
+
$real_hostname = lookup("base_installation::real_hostname") |$key| { {} }
unless empty($real_hostname) {
+ if (lookup("ssl::try_letsencrypt_for_real_hostname") |$key| { true }) {
+ letsencrypt::certonly { $real_hostname:
+ before => Apache::Vhost["default_ssl"];
+ default: * => $::profile::apache::letsencrypt_certonly_default;
+ }
+ $ssl_cert = "/etc/letsencrypt/live/$real_hostname/cert.pem"
+ $ssl_key = "/etc/letsencrypt/live/$real_hostname/privkey.pem"
+ $ssl_chain = "/etc/letsencrypt/live/$real_hostname/chain.pem"
+ } else {
+ ssl::self_signed_certificate { $real_hostname:
+ common_name => $real_hostname,
+ country => "FR",
+ days => "3650",
+ organization => "Immae",
+ directory => "/etc/httpd/conf/ssl",
+ before => Apache::Vhost["default_ssl"],
+ }
+
+ $ssl_key = "/etc/httpd/conf/ssl/$real_hostname.key"
+ $ssl_cert = "/etc/httpd/conf/ssl/$real_hostname.crt"
+ $ssl_chain = undef
+ }
+
apache::vhost { "default_ssl":
port => '443',
docroot => '/srv/http',
servername => $real_hostname,
directoryindex => 'index.htm index.html',
- priority => 0,
+ ssl => true,
+ ssl_key => $ssl_key,
+ ssl_cert => $ssl_cert,
+ ssl_chain => $ssl_chain,
+ priority => 0;
+ default: * => $::profile::apache::apache_vhost_default;
}
}
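Review bot: `$apache_vhost_default` (L17–L22) no longer exempts `/.well-known/acme-challenge` from proxying, while `$letsencrypt_certonly_default` (L24–L25) relies on the `webroot` plugin serving challenges from `/srv/http/`; any vhost that takes these defaults together with a `proxy_dest` will forward the ACME probe to the backend instead of the webroot, so renewals on such hosts may fail silently until the certificate expires. Unless `Apache::Vhost["redirect_no_ssl"]` (defined outside this hunk) is known to answer port 80 without redirecting the challenge path to HTTPS, I would keep the exemption in the shared default: `no_proxy_uris => ["/maintenance_immae.html", "/googleb6d69446ff4ca3e5.html", "/.well-known/acme-challenge"]`. In the self-signed branch (L50–L61) the private key lands in `/etc/httpd/conf/ssl/` with a ten-year validity and no visible ownership or mode; confirm that `ssl::self_signed_certificate` writes the key `0600 root` and consider a shorter `days`. The bare `# FIXME` above `email` (L35) should say what is wrong, e.g. `# FIXME: move the ACME contact address to hiera rather than hard-coding it here`. This class continues outside the hunk.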
file { [
"/srv/http",
- "/srv/http/.well-known",
- "/srv/http/.well-known/acme-challenge"]:
+ "/srv/http/.well-known"]:
ensure => "directory",
mode => "0755",
owner => "root",
order => "b0",
}
+ letsencrypt::certonly { $cf_front_app_host: ;
+ default: * => $::profile::apache::letsencrypt_certonly_default;
+ }
+
+ class { 'apache::mod::headers': }
apache::vhost { $cf_front_app_host:
- port => '80',
+ port => '443',
docroot => false,
manage_docroot => false,
proxy_dest => "http://localhost:8000",
- proxy_preserve_host => true,
- no_proxy_uris => [
- "/maintenance_immae.html",
- "/googleb6d69446ff4ca3e5.html",
- "/.well-known/acme-challenge"
- ],
- no_proxy_uris_match => [
- '^/licen[cs]es?_et_tip(ping)?$',
- '^/licen[cs]es?_and_tip(ping)?$',
- '^/licen[cs]es?$',
- '^/tip(ping)?$',
- ]
+ request_headers => 'set X-Forwarded-Proto "https"',
+ ssl => true,
+ ssl_cert => "/etc/letsencrypt/live/$cf_front_app_host/cert.pem",
+ ssl_key => "/etc/letsencrypt/live/$cf_front_app_host/privkey.pem",
+ ssl_chain => "/etc/letsencrypt/live/$cf_front_app_host/chain.pem",
+ require => Letsencrypt::Certonly[$cf_front_app_host],
+ proxy_preserve_host => true;
+ default: * => $::profile::apache::apache_vhost_default;
}
user { $cf_user: