author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2018-02-20 11:32:40 +0100 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2018-02-20 11:32:40 +0100 |
commit | 73bca64c33744027a0e800ce6c98a549ec924c6e (patch) | |
tree | 42cc09c283a7b0f6fce4f7dde22cd9213408111f /modules/profile/manifests/apache.pp | |
parent | 428fcf14be3943fc01d234a5e622c7f8706bcb73 (diff) | |
parent | 5be7de41fe02fe60fbbac530e6729f74e206aea3 (diff) | |
download | Puppet-73bca64c33744027a0e800ce6c98a549ec924c6e.tar.gz Puppet-73bca64c33744027a0e800ce6c98a549ec924c6e.tar.zst Puppet-73bca64c33744027a0e800ce6c98a549ec924c6e.zip |
Merge branch 'letsencrypt'
Diffstat (limited to 'modules/profile/manifests/apache.pp')
-rw-r--r-- | modules/profile/manifests/apache.pp | 173 |
1 files changed, 173 insertions, 0 deletions
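diff --git a/modules/profile/manifests/apache.pp b/modules/profile/manifests/apache.pp
new file mode 100644
index 0000000..605b701
--- /dev/null
+++ b/modules/profile/manifests/apache.pp
@@ -0,0 +1,173 @@
+class profile::apache {
+class { 'apache':
+root_directory_secured => true,
+root_directory_options => ["All"],
+default_mods => false,
+default_vhost => false,
+log_formats => {
+combined => '%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %p',
+common => '%h %l %u %t \"%r\" %>s %b',
+}
+}
+
+::apache::custom_config { 'log_config.conf':
+content => 'CustomLog "/var/log/httpd/access_log" combined',
+filename => 'log_config.conf'
+}
+
+::apache::custom_config { 'protocols.conf':
+content => 'Protocols h2 http/1.1',
+filename => 'protocols.conf'
+}
+
+::apache::custom_config { 'document_root.conf':
+source => "puppet:///modules/profile/apache/document_root.conf",
+filename => "document_root.conf"
+}
+
+::apache::custom_config { 'immae.conf':
+source => "puppet:///modules/profile/apache/immae.conf",
+filename => 'immae.conf'
+}
+
+::apache::custom_config { 'letsencrypt.conf':
+source => "puppet:///modules/profile/apache/letsencrypt.conf",
+filename => 'letsencrypt.conf'
+}
+
+$apache_vhost_default = {
+no_proxy_uris => [
+"/maintenance_immae.html",
+"/googleb6d69446ff4ca3e5.html",
+"/.well-known/acme-challenge"
+],
+no_proxy_uris_match => [
+'^/licen[cs]es?_et_tip(ping)?$',
+'^/licen[cs]es?_and_tip(ping)?$',
+'^/licen[cs]es?$',
+'^/tip(ping)?$',
+]
+}
+
+$letsencrypt_certonly_default = {
+plugin => "webroot",
+webroot_paths => ["/srv/http/"],
+notify => Class['Apache::Service'],
+require => [Apache::Vhost["redirect_no_ssl"],Apache::Custom_config["letsencrypt.conf"]],
+manage_cron => true,
+}
+
+class { '::letsencrypt':
+install_method => "package",
+package_name => "certbot",
+package_command => "certbot",
+# FIXME
+email => 'sites+letsencrypt@mail.immae.eu',
+}
+
+$real_hostname = lookup("base_installation::real_hostname") |$key| { {} }
+unless empty($real_hostname) {
+if (lookup("ssl::try_letsencrypt_for_real_hostname") |$key| { true }) {
+letsencrypt::certonly { $real_hostname:
+before => Apache::Vhost["default_ssl"];
+default: * => $::profile::apache::letsencrypt_certonly_default;
+}
+$ssl_cert = "/etc/letsencrypt/live/$real_hostname/cert.pem"
+$ssl_key = "/etc/letsencrypt/live/$real_hostname/privkey.pem"
+$ssl_chain = "/etc/letsencrypt/live/$real_hostname/chain.pem"
+} else {
+ssl::self_signed_certificate { $real_hostname:
+common_name => $real_hostname,
+country => "FR",
+days => "3650",
+organization => "Immae",
+directory => "/etc/httpd/conf/ssl",
+before => Apache::Vhost["default_ssl"],
+}
+
+$ssl_key = "/etc/httpd/conf/ssl/$real_hostname.key"
+$ssl_cert = "/etc/httpd/conf/ssl/$real_hostname.crt"
+$ssl_chain = undef
+}
+
+apache::vhost { "default_ssl":
+port => '443',
+docroot => '/srv/http',
+servername => $real_hostname,
+directoryindex => 'index.htm index.html',
+ssl => true,
+ssl_key => $ssl_key,
+ssl_cert => $ssl_cert,
+ssl_chain => $ssl_chain,
+priority => 0;
+default: * => $::profile::apache::apache_vhost_default;
+}
+}
+
+apache::vhost { "redirect_no_ssl":
+port => '80',
+error_log => false,
+log_level => undef,
+access_log => false,
+docroot => false,
+servername => "",
+serveraliases => "*",
+priority => 99,
+rewrites => [
+{
+rewrite_cond => '"%{REQUEST_URI}" "!^/\.well-known"',
+rewrite_rule => '^(.+) https://%{HTTP_HOST}$1 [R=301]'
+}
+]
+}
+
+class { 'apache::mod::ssl':
+ssl_protocol => [ 'all', '-SSLv3' ],
+# Given by
+# https://mozilla.github.io/server-side-tls/ssl-config-generator/
+ssl_cipher => "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS",
+# FIXME: need SSLSessionTickets off
+ssl_stapling => true,
+ssl_stapling_return_errors => false,
+# FIXME: SSLStaplingResponderTimeout 5
+ssl_ca => '/etc/ssl/certs/ca-certificates.crt',
+}
+class { 'apache::mod::alias': }
+class { 'apache::mod::autoindex': }
+# Included by ssl
+# class { 'apache::mod::mime': }
+class { 'apache::mod::deflate': }
+class { 'apache::mod::rewrite': }
+
+class { 'apache::mod::dir':
+indexes => ["index.html"]
+}
+
+file { [
+"/srv/http",
+"/srv/http/.well-known"]:
+ensure => "directory",
+mode => "0755",
+owner => "root",
+group => "root",
+}
+
+file { "/srv/http/index.html":
+mode => "0644",
+owner => "root",
+group => "root",
+source => "puppet:///modules/profile/apache/index.html",
+}
+file { "/srv/http/maintenance_immae.html":
+mode => "0644",
+owner => "root",
+group => "root",
+source => "puppet:///modules/profile/apache/maintenance_immae.html",
+}
+file { "/srv/http/googleb6d69446ff4ca3e5.html":
+mode => "0644",
+owner => "root",
+group => "root",
+source => "puppet:///modules/profile/apache/googleb6d69446ff4ca3e5.html",
+}
+}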
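Review bot: The `ssl_cipher` string on line 128 still offers the four 3DES suites (`ECDHE-ECDSA-DES-CBC3-SHA`, `ECDHE-RSA-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA`, `DES-CBC3-SHA`) and the static-RSA `AES*-SHA` suites, and `ssl_protocol => [ 'all', '-SSLv3' ]` on line 125 leaves TLS 1.0 and 1.1 enabled; the cited Mozilla generator's "modern" profile drops both, and this list appears to be its older compatibility profile. If no client of this host needs them, `ssl_protocol => [ 'all', '-SSLv3', '-TLSv1', '-TLSv1.1' ]` plus appending `:!3DES` next to the existing `!DSS` removes the 3DES suites without retyping the list. The two FIXMEs on lines 129 and 132 can be closed the same way lines 18–21 already carry `Protocols`: one more `::apache::custom_config` whose content is `SSLSessionTickets off` and `SSLStaplingResponderTimeout 5`. Separately, `root_directory_options => ["All"]` on line 4 enables every option (including `ExecCGI` and `Includes`) under the root `<Directory />` of every vhost; unless a vhost relies on that, listing only what is used, e.g. `root_directory_options => ["FollowSymLinks"]`, is the safer default, and the redirect on line 119 should then be checked to still work with `docroot => false` since it inherits that block.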