7 files changed, 68 insertions, 18 deletions

diff --git a/.gitmodules b/.gitmodules
index 2b29861..35df238 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -37,6 +37,12 @@
 [submodule "modules/apache"]
         path = modules/apache
         url = git://git.immae.eu/github/puppetlabs/puppetlabs-apache.git
+[submodule "modules/letsencrypt"]
+        path = modules/letsencrypt
+        url = git://git.immae.eu/github/voxpupuli/puppet-letsencrypt.git
 [submodule "python/ovh"]
         path = python/ovh
         url = git://git.immae.eu/github/ovh/python-ovh
+[submodule "modules/ssl"]
+        path = modules/ssl
+        url = git://git.immae.eu/github/fnerdwq/puppet-ssl
diff --git a/environments/production/data/types/vps-ovhssd-1.yaml b/environments/production/data/types/vps-ovhssd-1.yaml
index 4647a25..9130ad1 100644
--- a/environments/production/data/types/vps-ovhssd-1.yaml
+++ b/environments/production/data/types/vps-ovhssd-1.yaml
@@ -6,3 +6,4 @@ classes:
 base_installation::real_hostname: "%{facts.ec2_metadata.hostname}.ovh.net"
 base_installation::grub_device: "/dev/sdb"
 base_installation::ldap_cert_path: "/etc/ssl/certs/ca-certificates.crt"
+ssl::try_letsencrypt_for_real_hostname: false
diff --git a/modules/letsencrypt b/modules/letsencrypt
new file mode 160000
+Subproject 55ac1e9c731b6dbfc380cd282c39f273223fcd5
diff --git a/modules/nginx b/modules/nginx
deleted file mode 160000
-Subproject a7f40a8893e394cc57695ff81ea53254bcf1ff3
diff --git a/modules/profile/manifests/apache.pp b/modules/profile/manifests/apache.pp
index b965944..7f7c3a6 100644
--- a/modules/profile/manifests/apache.pp
+++ b/modules/profile/manifests/apache.pp
@@ -35,8 +35,7 @@ class profile::apache {
     filename => 'letsencrypt.conf'
   }
 
-  # FIXME: default values ignored?
-  Apache::Vhost {
+  $apache_vhost_default = {
     no_proxy_uris       => [
       "/maintenance_immae.html",
       "/googleb6d69446ff4ca3e5.html",
@@ -50,14 +49,58 @@ class profile::apache {
     ]
   }
 
+  $letsencrypt_certonly_default = {
+    plugin        => "webroot",
+    webroot_paths => ["/srv/http/"],
+    notify        => Class['Apache::Service'],
+    require       => [Apache::Vhost["redirect_no_ssl"],Apache::Custom_config["letsencrypt.conf"]],
+    manage_cron   => true,
+  }
+
+  class { '::letsencrypt':
+    install_method  => "package",
+    package_name    => "certbot",
+    package_command => "certbot",
+    # FIXME
+    email           => 'sites+letsencrypt@mail.immae.eu',
+  }
+
   $real_hostname = lookup("base_installation::real_hostname") |$key| { {} }
   unless empty($real_hostname) {
+    if (lookup("ssl::try_letsencrypt_for_real_hostname") |$key| { true }) {
+      letsencrypt::certonly { $real_hostname:
+        before => Apache::Vhost["default_ssl"];
+        default: * => $::profile::apache::letsencrypt_certonly_default;
+      }
+      $ssl_cert  = "/etc/letsencrypt/live/$real_hostname/cert.pem"
+      $ssl_key   = "/etc/letsencrypt/live/$real_hostname/privkey.pem"
+      $ssl_chain = "/etc/letsencrypt/live/$real_hostname/chain.pem"
+    } else {
+      ssl::self_signed_certificate { $real_hostname:
+        common_name  => $real_hostname,
+        country      => "FR",
+        days         => "3650",
+        organization => "Immae",
+        directory    => "/etc/httpd/conf/ssl",
+        before       => Apache::Vhost["default_ssl"],
+      }
+
+      $ssl_key   = "/etc/httpd/conf/ssl/$real_hostname.key"
+      $ssl_cert  = "/etc/httpd/conf/ssl/$real_hostname.crt"
+      $ssl_chain = undef
+    }
+
     apache::vhost { "default_ssl":
       port           => '443',
       docroot        => '/srv/http',
       servername     => $real_hostname,
       directoryindex => 'index.htm index.html',
-      priority       => 0,
+      ssl            => true,
+      ssl_key        => $ssl_key,
+      ssl_cert       => $ssl_cert,
+      ssl_chain      => $ssl_chain,
+      priority       => 0;
+    default: * => $::profile::apache::apache_vhost_default;
     }
   }
 
@@ -102,8 +145,7 @@ class profile::apache {
 
   file { [
     "/srv/http",
-    "/srv/http/.well-known",
-    "/srv/http/.well-known/acme-challenge"]:
+    "/srv/http/.well-known"]:
       ensure => "directory",
       mode   => "0755",
       owner  => "root",
diff --git a/modules/role/manifests/cryptoportfolio.pp b/modules/role/manifests/cryptoportfolio.pp
index 49ab57b..d2323a4 100644
--- a/modules/role/manifests/cryptoportfolio.pp
+++ b/modules/role/manifests/cryptoportfolio.pp
@@ -49,23 +49,24 @@ class role::cryptoportfolio {
     order       => "b0",
   }
 
+  letsencrypt::certonly { $cf_front_app_host: ;
+    default: * => $::profile::apache::letsencrypt_certonly_default;
+  }
+
+  class { 'apache::mod::headers': }
   apache::vhost { $cf_front_app_host:
-    port                => '80',
+    port                => '443',
     docroot             => false,
     manage_docroot      => false,
     proxy_dest          => "http://localhost:8000",
-    proxy_preserve_host => true,
-    no_proxy_uris       => [
-      "/maintenance_immae.html",
-      "/googleb6d69446ff4ca3e5.html",
-      "/.well-known/acme-challenge"
-    ],
-    no_proxy_uris_match => [
-      '^/licen[cs]es?_et_tip(ping)?$',
-      '^/licen[cs]es?_and_tip(ping)?$',
-      '^/licen[cs]es?$',
-      '^/tip(ping)?$',
-    ]
+    request_headers     => 'set X-Forwarded-Proto "https"',
+    ssl                 => true,
+    ssl_cert            => "/etc/letsencrypt/live/$cf_front_app_host/cert.pem",
+    ssl_key             => "/etc/letsencrypt/live/$cf_front_app_host/privkey.pem",
+    ssl_chain           => "/etc/letsencrypt/live/$cf_front_app_host/chain.pem",
+    require             => Letsencrypt::Certonly[$cf_front_app_host],
+    proxy_preserve_host => true;
+    default: *          => $::profile::apache::apache_vhost_default;
   }
 
   user { $cf_user:
diff --git a/modules/ssl b/modules/ssl
new file mode 160000
+Subproject c1cef11d63da71c7599e905ff0598d21799ab8c