aboutsummaryrefslogtreecommitdiff
path: root/modules
diff options
context:
space:
mode:
Diffstat (limited to 'modules')
m---------modules/letsencrypt0
m---------modules/nginx0
-rw-r--r--modules/profile/manifests/apache.pp52
-rw-r--r--modules/role/manifests/cryptoportfolio.pp27
m---------modules/ssl0
5 files changed, 61 insertions, 18 deletions
diff --git a/modules/letsencrypt b/modules/letsencrypt
new file mode 160000
Subproject 55ac1e9c731b6dbfc380cd282c39f273223fcd5
diff --git a/modules/nginx b/modules/nginx
deleted file mode 160000
Subproject a7f40a8893e394cc57695ff81ea53254bcf1ff3
diff --git a/modules/profile/manifests/apache.pp b/modules/profile/manifests/apache.pp
index b965944..7f7c3a6 100644
--- a/modules/profile/manifests/apache.pp
+++ b/modules/profile/manifests/apache.pp
@@ -35,8 +35,7 @@ class profile::apache {
35 filename => 'letsencrypt.conf' 35 filename => 'letsencrypt.conf'
36 } 36 }
37 37
38 # FIXME: default values ignored? 38 $apache_vhost_default = {
39 Apache::Vhost {
40 no_proxy_uris => [ 39 no_proxy_uris => [
41 "/maintenance_immae.html", 40 "/maintenance_immae.html",
42 "/googleb6d69446ff4ca3e5.html", 41 "/googleb6d69446ff4ca3e5.html",
@@ -50,14 +49,58 @@ class profile::apache {
50 ] 49 ]
51 } 50 }
52 51
52 $letsencrypt_certonly_default = {
53 plugin => "webroot",
54 webroot_paths => ["/srv/http/"],
55 notify => Class['Apache::Service'],
56 require => [Apache::Vhost["redirect_no_ssl"],Apache::Custom_config["letsencrypt.conf"]],
57 manage_cron => true,
58 }
59
60 class { '::letsencrypt':
61 install_method => "package",
62 package_name => "certbot",
63 package_command => "certbot",
64 # FIXME
65 email => 'sites+letsencrypt@mail.immae.eu',
66 }
67
53 $real_hostname = lookup("base_installation::real_hostname") |$key| { {} } 68 $real_hostname = lookup("base_installation::real_hostname") |$key| { {} }
54 unless empty($real_hostname) { 69 unless empty($real_hostname) {
70 if (lookup("ssl::try_letsencrypt_for_real_hostname") |$key| { true }) {
71 letsencrypt::certonly { $real_hostname:
72 before => Apache::Vhost["default_ssl"];
73 default: * => $::profile::apache::letsencrypt_certonly_default;
74 }
75 $ssl_cert = "/etc/letsencrypt/live/$real_hostname/cert.pem"
76 $ssl_key = "/etc/letsencrypt/live/$real_hostname/privkey.pem"
77 $ssl_chain = "/etc/letsencrypt/live/$real_hostname/chain.pem"
78 } else {
79 ssl::self_signed_certificate { $real_hostname:
80 common_name => $real_hostname,
81 country => "FR",
82 days => "3650",
83 organization => "Immae",
84 directory => "/etc/httpd/conf/ssl",
85 before => Apache::Vhost["default_ssl"],
86 }
87
88 $ssl_key = "/etc/httpd/conf/ssl/$real_hostname.key"
89 $ssl_cert = "/etc/httpd/conf/ssl/$real_hostname.crt"
90 $ssl_chain = undef
91 }
92
55 apache::vhost { "default_ssl": 93 apache::vhost { "default_ssl":
56 port => '443', 94 port => '443',
57 docroot => '/srv/http', 95 docroot => '/srv/http',
58 servername => $real_hostname, 96 servername => $real_hostname,
59 directoryindex => 'index.htm index.html', 97 directoryindex => 'index.htm index.html',
60 priority => 0, 98 ssl => true,
99 ssl_key => $ssl_key,
100 ssl_cert => $ssl_cert,
101 ssl_chain => $ssl_chain,
102 priority => 0;
103 default: * => $::profile::apache::apache_vhost_default;
61 } 104 }
62 } 105 }
63 106
@@ -102,8 +145,7 @@ class profile::apache {
102 145
103 file { [ 146 file { [
104 "/srv/http", 147 "/srv/http",
105 "/srv/http/.well-known", 148 "/srv/http/.well-known"]:
106 "/srv/http/.well-known/acme-challenge"]:
107 ensure => "directory", 149 ensure => "directory",
108 mode => "0755", 150 mode => "0755",
109 owner => "root", 151 owner => "root",
diff --git a/modules/role/manifests/cryptoportfolio.pp b/modules/role/manifests/cryptoportfolio.pp
index 49ab57b..d2323a4 100644
--- a/modules/role/manifests/cryptoportfolio.pp
+++ b/modules/role/manifests/cryptoportfolio.pp
@@ -49,23 +49,24 @@ class role::cryptoportfolio {
49 order => "b0", 49 order => "b0",
50 } 50 }
51 51
52 letsencrypt::certonly { $cf_front_app_host: ;
53 default: * => $::profile::apache::letsencrypt_certonly_default;
54 }
55
56 class { 'apache::mod::headers': }
52 apache::vhost { $cf_front_app_host: 57 apache::vhost { $cf_front_app_host:
53 port => '80', 58 port => '443',
54 docroot => false, 59 docroot => false,
55 manage_docroot => false, 60 manage_docroot => false,
56 proxy_dest => "http://localhost:8000", 61 proxy_dest => "http://localhost:8000",
57 proxy_preserve_host => true, 62 request_headers => 'set X-Forwarded-Proto "https"',
58 no_proxy_uris => [ 63 ssl => true,
59 "/maintenance_immae.html", 64 ssl_cert => "/etc/letsencrypt/live/$cf_front_app_host/cert.pem",
60 "/googleb6d69446ff4ca3e5.html", 65 ssl_key => "/etc/letsencrypt/live/$cf_front_app_host/privkey.pem",
61 "/.well-known/acme-challenge" 66 ssl_chain => "/etc/letsencrypt/live/$cf_front_app_host/chain.pem",
62 ], 67 require => Letsencrypt::Certonly[$cf_front_app_host],
63 no_proxy_uris_match => [ 68 proxy_preserve_host => true;
64 '^/licen[cs]es?_et_tip(ping)?$', 69 default: * => $::profile::apache::apache_vhost_default;
65 '^/licen[cs]es?_and_tip(ping)?$',
66 '^/licen[cs]es?$',
67 '^/tip(ping)?$',
68 ]
69 } 70 }
70 71
71 user { $cf_user: 72 user { $cf_user:
diff --git a/modules/ssl b/modules/ssl
new file mode 160000
Subproject c1cef11d63da71c7599e905ff0598d21799ab8c
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-04 06:28:48 +0000