Add letsencrypt

author: Ismaël Bouya <ismael.bouya@normalesup.org> 2018-02-20 08:24:52 +0100
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2018-02-20 11:25:25 +0100
commit: e345248bd85980f6fefe7bc62251cc5b97f64854 (patch)
tree: a79915044f1b86322ce4d2c085eb5ddda58c0c46 /modules/profile
parent: 8af3ea1e76efa88a52d089a4f6ac65a175f31369 (diff)
download: Puppet-e345248bd85980f6fefe7bc62251cc5b97f64854.tar.gz
Puppet-e345248bd85980f6fefe7bc62251cc5b97f64854.tar.zst
Puppet-e345248bd85980f6fefe7bc62251cc5b97f64854.zip
1 files changed, 47 insertions, 5 deletions
diff --git a/modules/profile/manifests/apache.pp b/modules/profile/manifests/apache.pp
index b965944..7f7c3a6 100644
--- a/modules/profile/manifests/apache.pp
+++ b/modules/profile/manifests/apache.pp
@@ -35,8 +35,7 @@ class profile::apache {
    filename => 'letsencrypt.conf'
  }
-  # FIXME: default values ignored?
+  $apache_vhost_default = {
-  Apache::Vhost {
    no_proxy_uris       => [
      "/maintenance_immae.html",
      "/googleb6d69446ff4ca3e5.html",
@@ -50,14 +49,58 @@ class profile::apache {
    ]
  }
+  $letsencrypt_certonly_default = {
+    plugin        => "webroot",
+    webroot_paths => ["/srv/http/"],
+    notify        => Class['Apache::Service'],
+    require       => [Apache::Vhost["redirect_no_ssl"],Apache::Custom_config["letsencrypt.conf"]],
+    manage_cron   => true,
+  }
+  class { '::letsencrypt':
+    install_method  => "package",
+    package_name    => "certbot",
+    package_command => "certbot",
+    # FIXME
+    email           => 'sites+letsencrypt@mail.immae.eu',
+  }
  $real_hostname = lookup("base_installation::real_hostname") |$key| { {} }
  unless empty($real_hostname) {
+    if (lookup("ssl::try_letsencrypt_for_real_hostname") |$key| { true }) {
+      letsencrypt::certonly { $real_hostname:
+        before => Apache::Vhost["default_ssl"];
+        default: * => $::profile::apache::letsencrypt_certonly_default;
+      }
+      $ssl_cert  = "/etc/letsencrypt/live/$real_hostname/cert.pem"
+      $ssl_key   = "/etc/letsencrypt/live/$real_hostname/privkey.pem"
+      $ssl_chain = "/etc/letsencrypt/live/$real_hostname/chain.pem"
+    } else {
+      ssl::self_signed_certificate { $real_hostname:
+        common_name  => $real_hostname,
+        country      => "FR",
+        days         => "3650",
+        organization => "Immae",
+        directory    => "/etc/httpd/conf/ssl",
+        before       => Apache::Vhost["default_ssl"],
+      }
+      $ssl_key   = "/etc/httpd/conf/ssl/$real_hostname.key"
+      $ssl_cert  = "/etc/httpd/conf/ssl/$real_hostname.crt"
+      $ssl_chain = undef
+    }
    apache::vhost { "default_ssl":
      port           => '443',
      docroot        => '/srv/http',
      servername     => $real_hostname,
      directoryindex => 'index.htm index.html',
-      priority       => 0,
+      ssl            => true,
+      ssl_key        => $ssl_key,
+      ssl_cert       => $ssl_cert,
+      ssl_chain      => $ssl_chain,
+      priority       => 0;
+    default: * => $::profile::apache::apache_vhost_default;
    }
  }
@@ -102,8 +145,7 @@ class profile::apache {
  file { [
    "/srv/http",
-    "/srv/http/.well-known",
+    "/srv/http/.well-known"]:
-    "/srv/http/.well-known/acme-challenge"]:
      ensure => "directory",
      mode   => "0755",
      owner  => "root",
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2018-02-20 08:24:52 +0100
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2018-02-20 11:25:25 +0100
commit	e345248bd85980f6fefe7bc62251cc5b97f64854 (patch)
tree	a79915044f1b86322ce4d2c085eb5ddda58c0c46 /modules/profile
parent	8af3ea1e76efa88a52d089a4f6ac65a175f31369 (diff)
download	Puppet-e345248bd85980f6fefe7bc62251cc5b97f64854.tar.gz Puppet-e345248bd85980f6fefe7bc62251cc5b97f64854.tar.zst Puppet-e345248bd85980f6fefe7bc62251cc5b97f64854.zip

diff --git a/modules/profile/manifests/apache.pp b/modules/profile/manifests/apache.pp index b965944..7f7c3a6 100644 --- a/modules/profile/manifests/apache.pp +++ b/modules/profile/manifests/apache.pp
@@ -35,8 +35,7 @@ class profile::apache {
35	filename => 'letsencrypt.conf'	35	filename => 'letsencrypt.conf'
36	}	36	}
37		37
38	# FIXME: default values ignored?	38	$apache_vhost_default = {
39	Apache::Vhost {
40	no_proxy_uris => [	39	no_proxy_uris => [
41	"/maintenance_immae.html",	40	"/maintenance_immae.html",
42	"/googleb6d69446ff4ca3e5.html",	41	"/googleb6d69446ff4ca3e5.html",
@@ -50,14 +49,58 @@ class profile::apache {
50	]	49	]
51	}	50	}
52		51
		52	$letsencrypt_certonly_default = {
		53	plugin => "webroot",
		54	webroot_paths => ["/srv/http/"],
		55	notify => Class['Apache::Service'],
		56	require => [Apache::Vhost["redirect_no_ssl"],Apache::Custom_config["letsencrypt.conf"]],
		57	manage_cron => true,
		58	}
		59
		60	class { '::letsencrypt':
		61	install_method => "package",
		62	package_name => "certbot",
		63	package_command => "certbot",
		64	# FIXME
		65	email => 'sites+letsencrypt@mail.immae.eu',
		66	}
		67
53	$real_hostname = lookup("base_installation::real_hostname") \|$key\| { {} }	68	$real_hostname = lookup("base_installation::real_hostname") \|$key\| { {} }
54	unless empty($real_hostname) {	69	unless empty($real_hostname) {
		70	if (lookup("ssl::try_letsencrypt_for_real_hostname") \|$key\| { true }) {
		71	letsencrypt::certonly { $real_hostname:
		72	before => Apache::Vhost["default_ssl"];
		73	default: * => $::profile::apache::letsencrypt_certonly_default;
		74	}
		75	$ssl_cert = "/etc/letsencrypt/live/$real_hostname/cert.pem"
		76	$ssl_key = "/etc/letsencrypt/live/$real_hostname/privkey.pem"
		77	$ssl_chain = "/etc/letsencrypt/live/$real_hostname/chain.pem"
		78	} else {
		79	ssl::self_signed_certificate { $real_hostname:
		80	common_name => $real_hostname,
		81	country => "FR",
		82	days => "3650",
		83	organization => "Immae",
		84	directory => "/etc/httpd/conf/ssl",
		85	before => Apache::Vhost["default_ssl"],
		86	}
		87
		88	$ssl_key = "/etc/httpd/conf/ssl/$real_hostname.key"
		89	$ssl_cert = "/etc/httpd/conf/ssl/$real_hostname.crt"
		90	$ssl_chain = undef
		91	}
		92
55	apache::vhost { "default_ssl":	93	apache::vhost { "default_ssl":
56	port => '443',	94	port => '443',
57	docroot => '/srv/http',	95	docroot => '/srv/http',
58	servername => $real_hostname,	96	servername => $real_hostname,
59	directoryindex => 'index.htm index.html',	97	directoryindex => 'index.htm index.html',
60	priority => 0,	98	ssl => true,
		99	ssl_key => $ssl_key,
		100	ssl_cert => $ssl_cert,
		101	ssl_chain => $ssl_chain,
		102	priority => 0;
		103	default: * => $::profile::apache::apache_vhost_default;
61	}	104	}
62	}	105	}
63		106
@@ -102,8 +145,7 @@ class profile::apache {
102		145
103	file { [	146	file { [
104	"/srv/http",	147	"/srv/http",
105	"/srv/http/.well-known",	148	"/srv/http/.well-known"]:
106	"/srv/http/.well-known/acme-challenge"]:
107	ensure => "directory",	149	ensure => "directory",
108	mode => "0755",	150	mode => "0755",
109	owner => "root",	151	owner => "root",