From e345248bd85980f6fefe7bc62251cc5b97f64854 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Isma=C3=ABl=20Bouya?=
Date: Tue, 20 Feb 2018 08:24:52 +0100
Subject: [PATCH] Add letsencrypt
---
 .gitmodules | 6 +++
 .../production/data/types/vps-ovhssd-1.yaml | 1 +
 modules/letsencrypt | 1 +
 modules/nginx | 1 -
 modules/profile/manifests/apache.pp | 52 +++++++++++++++++--
 modules/role/manifests/cryptoportfolio.pp | 27 +++++-----
 modules/ssl | 1 +
 7 files changed, 70 insertions(+), 19 deletions(-)
 create mode 160000 modules/letsencrypt
 delete mode 160000 modules/nginx
 create mode 160000 modules/ssl
diff --git a/.gitmodules b/.gitmodules
index 2b29861..35df238 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -37,6 +37,12 @@
 [submodule "modules/apache"]
 path = modules/apache
 url = git://git.immae.eu/github/puppetlabs/puppetlabs-apache.git
+[submodule "modules/letsencrypt"]
+ path = modules/letsencrypt
+ url = git://git.immae.eu/github/voxpupuli/puppet-letsencrypt.git
 [submodule "python/ovh"]
 path = python/ovh
 url = git://git.immae.eu/github/ovh/python-ovh
+[submodule "modules/ssl"]
+ path = modules/ssl
+ url = git://git.immae.eu/github/fnerdwq/puppet-ssl
diff --git a/environments/production/data/types/vps-ovhssd-1.yaml b/environments/production/data/types/vps-ovhssd-1.yaml
index 4647a25..9130ad1 100644
--- a/environments/production/data/types/vps-ovhssd-1.yaml
+++ b/environments/production/data/types/vps-ovhssd-1.yaml
@@ -6,3 +6,4 @@ classes:
 base_installation::real_hostname: "%{facts.ec2_metadata.hostname}.ovh.net"
 base_installation::grub_device: "/dev/sdb"
 base_installation::ldap_cert_path: "/etc/ssl/certs/ca-certificates.crt"
+ssl::try_letsencrypt_for_real_hostname: false
diff --git a/modules/letsencrypt b/modules/letsencrypt
new file mode 160000
index 0000000..55ac1e9
--- /dev/null
+++ b/modules/letsencrypt
@@ -0,0 +1 @@
+Subproject commit 55ac1e9c731b6dbfc380cd282c39f273223fcd53
diff --git a/modules/nginx b/modules/nginx
deleted file mode 160000
index a7f40a8..0000000
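Review bot: The two new submodule entries in the .gitmodules hunk use the `git://` transport, which carries no transport authentication or encryption, so a fetch can be tampered with on the wire. The superproject's gitlink pins an exact commit (55ac1e9 and c1cef11 in the submodule hunks below), so a modified tree would fail the hash check at checkout, but a fetch of the pinned object can still be denied or replaced with garbage, and any later `git submodule update --remote` loses that protection. If the mirror offers it, an `https://` or `ssh://` URL for the new entries removes the dependency on an unauthenticated channel; the existing `modules/apache` and `python/ovh` entries have the same property and are not changed here.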
--- a/modules/nginx
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit a7f40a8893e394cc57695ff81ea53254bcf1ff3a
diff --git a/modules/profile/manifests/apache.pp b/modules/profile/manifests/apache.pp
index b965944..7f7c3a6 100644
--- a/modules/profile/manifests/apache.pp
+++ b/modules/profile/manifests/apache.pp
@@ -35,8 +35,7 @@ class profile::apache {
 filename => 'letsencrypt.conf'
 }
 
- # FIXME: default values ignored?
- Apache::Vhost {
+ $apache_vhost_default = {
 no_proxy_uris => [
 "/maintenance_immae.html",
 "/googleb6d69446ff4ca3e5.html",
@@ -50,14 +49,58 @@ class profile::apache {
 ]
 }
 
+ $letsencrypt_certonly_default = {
+ plugin => "webroot",
+ webroot_paths => ["/srv/http/"],
+ notify => Class['Apache::Service'],
+ require => [Apache::Vhost["redirect_no_ssl"],Apache::Custom_config["letsencrypt.conf"]],
+ manage_cron => true,
+ }
+
+ class { '::letsencrypt':
+ install_method => "package",
+ package_name => "certbot",
+ package_command => "certbot",
+ # FIXME
+ email => 'sites+letsencrypt@mail.immae.eu',
+ }
+
 $real_hostname = lookup("base_installation::real_hostname") |$key| { {} }
 unless empty($real_hostname) {
+ if (lookup("ssl::try_letsencrypt_for_real_hostname") |$key| { true }) {
+ letsencrypt::certonly { $real_hostname:
+ before => Apache::Vhost["default_ssl"];
+ default: * => $::profile::apache::letsencrypt_certonly_default;
+ }
+ $ssl_cert = "/etc/letsencrypt/live/$real_hostname/cert.pem"
+ $ssl_key = "/etc/letsencrypt/live/$real_hostname/privkey.pem"
+ $ssl_chain = "/etc/letsencrypt/live/$real_hostname/chain.pem"
+ } else {
+ ssl::self_signed_certificate { $real_hostname:
+ common_name => $real_hostname,
+ country => "FR",
+ days => "3650",
+ organization => "Immae",
+ directory => "/etc/httpd/conf/ssl",
+ before => Apache::Vhost["default_ssl"],
+ }
+
+ $ssl_key = "/etc/httpd/conf/ssl/$real_hostname.key"
+ $ssl_cert = "/etc/httpd/conf/ssl/$real_hostname.crt"
+ $ssl_chain = undef
+ }
+
 apache::vhost { "default_ssl":
 port => '443',
 docroot => '/srv/http',
 servername => $real_hostname,
 directoryindex => 'index.htm index.html',
- priority => 0,
+ ssl => true,
+ ssl_key => $ssl_key,
+ ssl_cert => $ssl_cert,
+ ssl_chain => $ssl_chain,
+ priority => 0;
+ default: * => $::profile::apache::apache_vhost_default;
 }
 }
 
@@ -102,8 +145,7 @@ class profile::apache {
 
 file { [
 "/srv/http",
- "/srv/http/.well-known",
- "/srv/http/.well-known/acme-challenge"]:
+ "/srv/http/.well-known"]:
 ensure => "directory",
 mode => "0755",
 owner => "root",
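Review bot: In `$letsencrypt_certonly_default` the `notify => Class['Apache::Service']` only fires when Puppet itself obtains the certificate, while `manage_cron => true` hands renewals to a cron job that rewrites the files under `/etc/letsencrypt/live/` without any Apache reload, so the vhost keeps serving the old certificate until something else restarts Apache and can end up presenting an expired one. If the pinned puppet-letsencrypt revision supports a post-renewal hook on `letsencrypt::certonly`, adding one to this default hash that reloads Apache closes that gap; otherwise state the expectation next to `manage_cron`, e.g. `# cron renewals rewrite the files but do not reload Apache; reload is handled elsewhere`. The bare `# FIXME` above `email` gives the next reader no idea what is wrong — say it, e.g. `# FIXME: account e-mail is hard-coded rather than looked up`. The self-signed branch sets `$ssl_chain = undef` deliberately, which deserves a short comment so nobody "fixes" it to a path. The enclosing class profile::apache starts and continues outside this hunk.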
diff --git a/modules/role/manifests/cryptoportfolio.pp b/modules/role/manifests/cryptoportfolio.pp
index 49ab57b..d2323a4 100644
--- a/modules/role/manifests/cryptoportfolio.pp
+++ b/modules/role/manifests/cryptoportfolio.pp
@@ -49,23 +49,24 @@ class role::cryptoportfolio {
 order => "b0",
 }
 
+ letsencrypt::certonly { $cf_front_app_host: ;
+ default: * => $::profile::apache::letsencrypt_certonly_default;
+ }
+
+ class { 'apache::mod::headers': }
 apache::vhost { $cf_front_app_host:
- port => '80',
+ port => '443',
 docroot => false,
 manage_docroot => false,
 proxy_dest => "http://localhost:8000",
- proxy_preserve_host => true,
- no_proxy_uris => [
- "/maintenance_immae.html",
- "/googleb6d69446ff4ca3e5.html",
- "/.well-known/acme-challenge"
- ],
- no_proxy_uris_match => [
- '^/licen[cs]es?_et_tip(ping)?$',
- '^/licen[cs]es?_and_tip(ping)?$',
- '^/licen[cs]es?$',
- '^/tip(ping)?$',
- ]
+ request_headers => 'set X-Forwarded-Proto "https"',
+ ssl => true,
+ ssl_cert => "/etc/letsencrypt/live/$cf_front_app_host/cert.pem",
+ ssl_key => "/etc/letsencrypt/live/$cf_front_app_host/privkey.pem",
+ ssl_chain => "/etc/letsencrypt/live/$cf_front_app_host/chain.pem",
+ require => Letsencrypt::Certonly[$cf_front_app_host],
+ proxy_preserve_host => true;
+ default: * => $::profile::apache::apache_vhost_default;
 }
 
 user { $cf_user:
diff --git a/modules/ssl b/modules/ssl
new file mode 160000
index 0000000..c1cef11
--- /dev/null
+++ b/modules/ssl
@@ -0,0 +1 @@
+Subproject commit c1cef11d63da71c7599e905ff0598d21799ab8cc
--
2.41.0
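Review bot: The rewritten `apache::vhost { $cf_front_app_host:` drops the per-vhost `no_proxy_uris_match` list (the `'^/licen[cs]es?…'` and `'^/tip(ping)?$'` patterns) and relies on `default: * => $::profile::apache::apache_vhost_default` instead; the full contents of that hash are outside this diff, and unless it carries the same `no_proxy_uris_match` entries those URLs are now forwarded to `http://localhost:8000` rather than answered by Apache, which is a silent change in what the backend is exposed to. Both `letsencrypt::certonly` and the vhost read their defaults from `profile::apache` class variables, which only resolve if that class has been evaluated before `role::cryptoportfolio`; if the role does not include it itself, a `require ::profile::apache` (or a comment stating the ordering assumption) would make the dependency explicit instead of leaving the defaults to resolve to undef. `request_headers => 'set X-Forwarded-Proto "https"'` overwrites any client-supplied value before proxying, which is the right shape for a header the backend is meant to trust. The enclosing class role::cryptoportfolio starts and continues outside this hunk.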