10 files changed, 231 insertions, 8 deletions

diff --git a/.gitmodules b/.gitmodules
index e893f13..2b29861 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -31,12 +31,12 @@
 [submodule "modules/postgresql"]
         path = modules/postgresql
         url = git://git.immae.eu/github/puppetlabs/puppetlabs-postgresql.git
-[submodule "modules/nginx"]
-        path = modules/nginx
-        url = git://git.immae.eu/github/voxpupuli/puppet-nginx.git
 [submodule "modules/archive"]
         path = modules/archive
         url = git://git.immae.eu/github/voxpupuli/puppet-archive.git
+[submodule "modules/apache"]
+        path = modules/apache
+        url = git://git.immae.eu/github/puppetlabs/puppetlabs-apache.git
 [submodule "python/ovh"]
         path = python/ovh
         url = git://git.immae.eu/github/ovh/python-ovh
diff --git a/environments/production/data/types/vps-ovhssd-1.yaml b/environments/production/data/types/vps-ovhssd-1.yaml
index 968bf6b..4647a25 100644
--- a/environments/production/data/types/vps-ovhssd-1.yaml
+++ b/environments/production/data/types/vps-ovhssd-1.yaml
@@ -3,5 +3,6 @@ classes:
   base_installation:
     stage: "setup"
 
+base_installation::real_hostname: "%{facts.ec2_metadata.hostname}.ovh.net"
 base_installation::grub_device: "/dev/sdb"
 base_installation::ldap_cert_path: "/etc/ssl/certs/ca-certificates.crt"
diff --git a/modules/apache b/modules/apache
new file mode 160000
+Subproject 42c1b5cae109630a53be89eda10c5c761c6d368
diff --git a/modules/profile/files/apache/document_root.conf b/modules/profile/files/apache/document_root.conf
new file mode 100644
index 0000000..ed9a9ab
--- /dev/null
+++ b/modules/profile/files/apache/document_root.conf
@@ -0,0 +1,6 @@
+DocumentRoot "/srv/http"
+<Directory "/srv/http">
+    Options Indexes FollowSymLinks
+    AllowOverride None
+    Require all granted
+</Directory>
diff --git a/modules/profile/files/apache/googleb6d69446ff4ca3e5.html b/modules/profile/files/apache/googleb6d69446ff4ca3e5.html
new file mode 100644
index 0000000..f732bac
--- /dev/null
+++ b/modules/profile/files/apache/googleb6d69446ff4ca3e5.html
@@ -0,0 +1 @@
+google-site-verification: googleb6d69446ff4ca3e5.html
diff --git a/modules/profile/files/apache/immae.conf b/modules/profile/files/apache/immae.conf
new file mode 100644
index 0000000..5e0f3c4
--- /dev/null
+++ b/modules/profile/files/apache/immae.conf
@@ -0,0 +1,13 @@
+ErrorDocument 500 /maintenance_immae.html
+ErrorDocument 501 /maintenance_immae.html
+ErrorDocument 502 /maintenance_immae.html
+ErrorDocument 503 /maintenance_immae.html
+ErrorDocument 504 /maintenance_immae.html
+Alias /maintenance_immae.html /srv/http/maintenance_immae.html
+
+RedirectMatch ^/licen[cs]es?_et_tip(ping)?$   https://www.immae.eu/licences_et_tip.html
+RedirectMatch ^/licen[cs]es?_and_tip(ping)?$  https://www.immae.eu/licenses_and_tipping.html
+RedirectMatch ^/licen[cs]es?$                 https://www.immae.eu/licenses_and_tipping.html
+RedirectMatch ^/tip(ping)?$                   https://www.immae.eu/licenses_and_tipping.html
+
+AliasMatch "(.*)/googleb6d69446ff4ca3e5.html" /srv/http/googleb6d69446ff4ca3e5.html
diff --git a/modules/profile/files/apache/letsencrypt.conf b/modules/profile/files/apache/letsencrypt.conf
new file mode 100644
index 0000000..b2eaae2
--- /dev/null
+++ b/modules/profile/files/apache/letsencrypt.conf
@@ -0,0 +1,6 @@
+Alias /.well-known/acme-challenge /srv/http/.well-known/acme-challenge
+<Directory /srv/http/.well-known/acme-challenge>
+  Require all granted
+  AllowOverride None
+  ErrorDocument 404 "Not Found"
+</Directory>
diff --git a/modules/profile/files/apache/maintenance_immae.html b/modules/profile/files/apache/maintenance_immae.html
new file mode 100644
index 0000000..90f265f
--- /dev/null
+++ b/modules/profile/files/apache/maintenance_immae.html
@@ -0,0 +1,58 @@
+<!doctype html>
+<html>
+  <head>
+    <title>Maintenance</title>
+    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+    <style>
+      body {
+        padding-left: 5px;
+        padding-right: 5px;
+        text-align: center;
+        margin: auto;
+        font: 20px Helvetica, sans-serif;
+        color: #333;
+      }
+      h1 {
+        margin: 0px;
+        font-size: 40px;
+      }
+      article {
+        display: block;
+        max-width: 650px;
+        margin: 0 auto;
+        padding-top: 30px;
+      }
+      article + article {
+        border-top: 1px solid lightgrey;
+      }
+      article div {
+        text-align: justify;
+      }
+      a {
+        color: #dc8100;
+        text-decoration: none;
+      }
+      a:hover {
+        color: #333;
+      }
+    </style>
+    <script type="text/javascript">
+      setTimeout(function () { location.reload(true); }, 5000);
+    </script>
+  </head>
+  <body>
+    <article>
+      <h1>Erreur serveur ou maintenance en cours&nbsp;!</h1>
+      <div>
+        <p>Une mise à jour ou une opération de maintenance est en cours sur le site. <a href="">Retentez</a> dans quelques instants ou patientez, la page se rechargera automatiquement.</p>
+      </div>
+    </article>
+
+    <article>
+      <h1>Server error or website in maintenance!</h1>
+      <div>
+        <p>An update or a maintenance is on track on the website. Please try <a href="">again</a> in a few seconds or wait, the page will reload automatically.</p>
+      </div>
+    </article>
+  </body>
+</html>
diff --git a/modules/profile/manifests/apache.pp b/modules/profile/manifests/apache.pp
new file mode 100644
index 0000000..b965944
--- /dev/null
+++ b/modules/profile/manifests/apache.pp
@@ -0,0 +1,125 @@
+class profile::apache {
+  class { 'apache':
+    root_directory_secured => true,
+    root_directory_options => ["All"],
+    default_mods           => false,
+    default_vhost          => false,
+    log_formats            => {
+      combined => '%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %p',
+      common   => '%h %l %u %t \"%r\" %>s %b',
+    }
+  }
+
+  ::apache::custom_config { 'log_config.conf':
+    content  => 'CustomLog "/var/log/httpd/access_log" combined',
+    filename => 'log_config.conf'
+  }
+
+  ::apache::custom_config { 'protocols.conf':
+    content  => 'Protocols h2 http/1.1',
+    filename => 'protocols.conf'
+  }
+
+  ::apache::custom_config { 'document_root.conf':
+    source   => "puppet:///modules/profile/apache/document_root.conf",
+    filename => "document_root.conf"
+  }
+
+  ::apache::custom_config { 'immae.conf':
+    source   => "puppet:///modules/profile/apache/immae.conf",
+    filename => 'immae.conf'
+  }
+
+  ::apache::custom_config { 'letsencrypt.conf':
+    source   => "puppet:///modules/profile/apache/letsencrypt.conf",
+    filename => 'letsencrypt.conf'
+  }
+
+  # FIXME: default values ignored?
+  Apache::Vhost {
+    no_proxy_uris       => [
+      "/maintenance_immae.html",
+      "/googleb6d69446ff4ca3e5.html",
+      "/.well-known/acme-challenge"
+    ],
+    no_proxy_uris_match => [
+      '^/licen[cs]es?_et_tip(ping)?$',
+      '^/licen[cs]es?_and_tip(ping)?$',
+      '^/licen[cs]es?$',
+      '^/tip(ping)?$',
+    ]
+  }
+
+  $real_hostname = lookup("base_installation::real_hostname") |$key| { {} }
+  unless empty($real_hostname) {
+    apache::vhost { "default_ssl":
+      port           => '443',
+      docroot        => '/srv/http',
+      servername     => $real_hostname,
+      directoryindex => 'index.htm index.html',
+      priority       => 0,
+    }
+  }
+
+  apache::vhost { "redirect_no_ssl":
+    port          => '80',
+    error_log     => false,
+    log_level     => undef,
+    access_log    => false,
+    docroot       => false,
+    servername    => "",
+    serveraliases => "*",
+    priority      => 99,
+    rewrites      => [
+      {
+        rewrite_cond => '"%{REQUEST_URI}"   "!^/\.well-known"',
+        rewrite_rule => '^(.+)              https://%{HTTP_HOST}$1 [R=301]'
+      }
+    ]
+  }
+
+  class { 'apache::mod::ssl':
+    ssl_protocol               => [ 'all', '-SSLv3' ],
+    # Given by
+    # https://mozilla.github.io/server-side-tls/ssl-config-generator/
+    ssl_cipher                 => "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS",
+    # FIXME: need SSLSessionTickets       off
+    ssl_stapling               => true,
+    ssl_stapling_return_errors => false,
+    # FIXME: SSLStaplingResponderTimeout 5
+    ssl_ca                     => '/etc/ssl/certs/ca-certificates.crt',
+  }
+  class { 'apache::mod::alias': }
+  class { 'apache::mod::autoindex': }
+  # Included by ssl
+  # class { 'apache::mod::mime': }
+  class { 'apache::mod::deflate': }
+  class { 'apache::mod::rewrite': }
+
+  class { 'apache::mod::dir':
+    indexes => ["index.html"]
+  }
+
+  file { [
+    "/srv/http",
+    "/srv/http/.well-known",
+    "/srv/http/.well-known/acme-challenge"]:
+      ensure => "directory",
+      mode   => "0755",
+      owner  => "root",
+      group  => "root",
+  }
+
+  file { "/srv/http/maintenance_immae.html":
+    mode   => "0644",
+    owner  => "root",
+    group  => "root",
+    source => "puppet:///modules/profile/apache/maintenance_immae.html",
+  }
+  file { "/srv/http/googleb6d69446ff4ca3e5.html":
+    mode   => "0644",
+    owner  => "root",
+    group  => "root",
+    source => "puppet:///modules/profile/apache/googleb6d69446ff4ca3e5.html",
+  }
+}
diff --git a/modules/role/manifests/cryptoportfolio.pp b/modules/role/manifests/cryptoportfolio.pp
index 0f26527..084419e 100644
--- a/modules/role/manifests/cryptoportfolio.pp
+++ b/modules/role/manifests/cryptoportfolio.pp
@@ -2,6 +2,7 @@ class role::cryptoportfolio {
   include "base_installation"
 
   include "profile::postgresql"
+  include "profile::apache"
 
   $password_seed = lookup("base_installation::puppet_pass_seed") |$key| { {} }
 
@@ -47,11 +48,23 @@ class role::cryptoportfolio {
     order       => "b0",
   }
 
-  class { 'nginx': }
-
-  nginx::resource::server { $cf_front_app_host:
-    listen_port => 80,
-    proxy       => 'http://localhost:8000',
+  apache::vhost { $cf_front_app_host:
+    port                => '80',
+    docroot             => false,
+    manage_docroot      => false,
+    proxy_dest          => "http://localhost:8000",
+    proxy_preserve_host => true,
+    no_proxy_uris       => [
+      "/maintenance_immae.html",
+      "/googleb6d69446ff4ca3e5.html",
+      "/.well-known/acme-challenge"
+    ],
+    no_proxy_uris_match => [
+      '^/licen[cs]es?_et_tip(ping)?$',
+      '^/licen[cs]es?_and_tip(ping)?$',
+      '^/licen[cs]es?$',
+      '^/tip(ping)?$',
+    ]
   }
 
   user { $cf_user: