From 2bb35074eef353f03b4373f695834c0be41609ad Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= Date: Sun, 18 Feb 2018 23:51:53 +0100 Subject: Migrate to apache --- .gitmodules | 6 +- .../production/data/types/vps-ovhssd-1.yaml | 1 + modules/apache | 1 + modules/profile/files/apache/document_root.conf | 6 + .../files/apache/googleb6d69446ff4ca3e5.html | 1 + modules/profile/files/apache/immae.conf | 13 +++ modules/profile/files/apache/letsencrypt.conf | 6 + .../profile/files/apache/maintenance_immae.html | 58 ++++++++++ modules/profile/manifests/apache.pp | 125 +++++++++++++++++++++ modules/role/manifests/cryptoportfolio.pp | 23 +++- 10 files changed, 232 insertions(+), 8 deletions(-) create mode 160000 modules/apache create mode 100644 modules/profile/files/apache/document_root.conf create mode 100644 modules/profile/files/apache/googleb6d69446ff4ca3e5.html create mode 100644 modules/profile/files/apache/immae.conf create mode 100644 modules/profile/files/apache/letsencrypt.conf create mode 100644 modules/profile/files/apache/maintenance_immae.html create mode 100644 modules/profile/manifests/apache.pp diff --git a/.gitmodules b/.gitmodules index e893f13..2b29861 100644 --- a/.gitmodules +++ b/.gitmodules @@ -31,12 +31,12 @@ [submodule "modules/postgresql"] path = modules/postgresql url = git://git.immae.eu/github/puppetlabs/puppetlabs-postgresql.git -[submodule "modules/nginx"] - path = modules/nginx - url = git://git.immae.eu/github/voxpupuli/puppet-nginx.git [submodule "modules/archive"] path = modules/archive url = git://git.immae.eu/github/voxpupuli/puppet-archive.git +[submodule "modules/apache"] + path = modules/apache + url = git://git.immae.eu/github/puppetlabs/puppetlabs-apache.git [submodule "python/ovh"] path = python/ovh url = git://git.immae.eu/github/ovh/python-ovh diff --git a/environments/production/data/types/vps-ovhssd-1.yaml b/environments/production/data/types/vps-ovhssd-1.yaml index 968bf6b..4647a25 100644 --- a/environments/production/data/types/vps-ovhssd-1.yaml +++ b/environments/production/data/types/vps-ovhssd-1.yaml @@ -3,5 +3,6 @@ classes: base_installation: stage: "setup" +base_installation::real_hostname: "%{facts.ec2_metadata.hostname}.ovh.net" base_installation::grub_device: "/dev/sdb" base_installation::ldap_cert_path: "/etc/ssl/certs/ca-certificates.crt" diff --git a/modules/apache b/modules/apache new file mode 160000 index 0000000..42c1b5c --- /dev/null +++ b/modules/apache @@ -0,0 +1 @@ +Subproject commit 42c1b5cae109630a53be89eda10c5c761c6d3689 diff --git a/modules/profile/files/apache/document_root.conf b/modules/profile/files/apache/document_root.conf new file mode 100644 index 0000000..ed9a9ab --- /dev/null +++ b/modules/profile/files/apache/document_root.conf @@ -0,0 +1,6 @@ +DocumentRoot "/srv/http" + + Options Indexes FollowSymLinks + AllowOverride None + Require all granted + diff --git a/modules/profile/files/apache/googleb6d69446ff4ca3e5.html b/modules/profile/files/apache/googleb6d69446ff4ca3e5.html new file mode 100644 index 0000000..f732bac --- /dev/null +++ b/modules/profile/files/apache/googleb6d69446ff4ca3e5.html @@ -0,0 +1 @@ +google-site-verification: googleb6d69446ff4ca3e5.html diff --git a/modules/profile/files/apache/immae.conf b/modules/profile/files/apache/immae.conf new file mode 100644 index 0000000..5e0f3c4 --- /dev/null +++ b/modules/profile/files/apache/immae.conf @@ -0,0 +1,13 @@ +ErrorDocument 500 /maintenance_immae.html +ErrorDocument 501 /maintenance_immae.html +ErrorDocument 502 /maintenance_immae.html +ErrorDocument 503 /maintenance_immae.html +ErrorDocument 504 /maintenance_immae.html +Alias /maintenance_immae.html /srv/http/maintenance_immae.html + +RedirectMatch ^/licen[cs]es?_et_tip(ping)?$ https://www.immae.eu/licences_et_tip.html +RedirectMatch ^/licen[cs]es?_and_tip(ping)?$ https://www.immae.eu/licenses_and_tipping.html +RedirectMatch ^/licen[cs]es?$ https://www.immae.eu/licenses_and_tipping.html +RedirectMatch ^/tip(ping)?$ https://www.immae.eu/licenses_and_tipping.html + +AliasMatch "(.*)/googleb6d69446ff4ca3e5.html" /srv/http/googleb6d69446ff4ca3e5.html diff --git a/modules/profile/files/apache/letsencrypt.conf b/modules/profile/files/apache/letsencrypt.conf new file mode 100644 index 0000000..b2eaae2 --- /dev/null +++ b/modules/profile/files/apache/letsencrypt.conf @@ -0,0 +1,6 @@ +Alias /.well-known/acme-challenge /srv/http/.well-known/acme-challenge + + Require all granted + AllowOverride None + ErrorDocument 404 "Not Found" + diff --git a/modules/profile/files/apache/maintenance_immae.html b/modules/profile/files/apache/maintenance_immae.html new file mode 100644 index 0000000..90f265f --- /dev/null +++ b/modules/profile/files/apache/maintenance_immae.html @@ -0,0 +1,58 @@ + + + + Maintenance + + + + + +
+

Erreur serveur ou maintenance en cours !

+
+

Une mise à jour ou une opération de maintenance est en cours sur le site. Retentez dans quelques instants ou patientez, la page se rechargera automatiquement.

+
+
+ +
+

Server error or website in maintenance!

+
+

An update or a maintenance is on track on the website. Please try again in a few seconds or wait, the page will reload automatically.

+
+
+ + diff --git a/modules/profile/manifests/apache.pp b/modules/profile/manifests/apache.pp new file mode 100644 index 0000000..b965944 --- /dev/null +++ b/modules/profile/manifests/apache.pp @@ -0,0 +1,125 @@ +class profile::apache { + class { 'apache': + root_directory_secured => true, + root_directory_options => ["All"], + default_mods => false, + default_vhost => false, + log_formats => { + combined => '%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %p', + common => '%h %l %u %t \"%r\" %>s %b', + } + } + + ::apache::custom_config { 'log_config.conf': + content => 'CustomLog "/var/log/httpd/access_log" combined', + filename => 'log_config.conf' + } + + ::apache::custom_config { 'protocols.conf': + content => 'Protocols h2 http/1.1', + filename => 'protocols.conf' + } + + ::apache::custom_config { 'document_root.conf': + source => "puppet:///modules/profile/apache/document_root.conf", + filename => "document_root.conf" + } + + ::apache::custom_config { 'immae.conf': + source => "puppet:///modules/profile/apache/immae.conf", + filename => 'immae.conf' + } + + ::apache::custom_config { 'letsencrypt.conf': + source => "puppet:///modules/profile/apache/letsencrypt.conf", + filename => 'letsencrypt.conf' + } + + # FIXME: default values ignored? + Apache::Vhost { + no_proxy_uris => [ + "/maintenance_immae.html", + "/googleb6d69446ff4ca3e5.html", + "/.well-known/acme-challenge" + ], + no_proxy_uris_match => [ + '^/licen[cs]es?_et_tip(ping)?$', + '^/licen[cs]es?_and_tip(ping)?$', + '^/licen[cs]es?$', + '^/tip(ping)?$', + ] + } + + $real_hostname = lookup("base_installation::real_hostname") |$key| { {} } + unless empty($real_hostname) { + apache::vhost { "default_ssl": + port => '443', + docroot => '/srv/http', + servername => $real_hostname, + directoryindex => 'index.htm index.html', + priority => 0, + } + } + + apache::vhost { "redirect_no_ssl": + port => '80', + error_log => false, + log_level => undef, + access_log => false, + docroot => false, + servername => "", + serveraliases => "*", + priority => 99, + rewrites => [ + { + rewrite_cond => '"%{REQUEST_URI}" "!^/\.well-known"', + rewrite_rule => '^(.+) https://%{HTTP_HOST}$1 [R=301]' + } + ] + } + + class { 'apache::mod::ssl': + ssl_protocol => [ 'all', '-SSLv3' ], + # Given by + # https://mozilla.github.io/server-side-tls/ssl-config-generator/ + ssl_cipher => "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS", + # FIXME: need SSLSessionTickets off + ssl_stapling => true, + ssl_stapling_return_errors => false, + # FIXME: SSLStaplingResponderTimeout 5 + ssl_ca => '/etc/ssl/certs/ca-certificates.crt', + } + class { 'apache::mod::alias': } + class { 'apache::mod::autoindex': } + # Included by ssl + # class { 'apache::mod::mime': } + class { 'apache::mod::deflate': } + class { 'apache::mod::rewrite': } + + class { 'apache::mod::dir': + indexes => ["index.html"] + } + + file { [ + "/srv/http", + "/srv/http/.well-known", + "/srv/http/.well-known/acme-challenge"]: + ensure => "directory", + mode => "0755", + owner => "root", + group => "root", + } + + file { "/srv/http/maintenance_immae.html": + mode => "0644", + owner => "root", + group => "root", + source => "puppet:///modules/profile/apache/maintenance_immae.html", + } + file { "/srv/http/googleb6d69446ff4ca3e5.html": + mode => "0644", + owner => "root", + group => "root", + source => "puppet:///modules/profile/apache/googleb6d69446ff4ca3e5.html", + } +} diff --git a/modules/role/manifests/cryptoportfolio.pp b/modules/role/manifests/cryptoportfolio.pp index 0f26527..084419e 100644 --- a/modules/role/manifests/cryptoportfolio.pp +++ b/modules/role/manifests/cryptoportfolio.pp @@ -2,6 +2,7 @@ class role::cryptoportfolio { include "base_installation" include "profile::postgresql" + include "profile::apache" $password_seed = lookup("base_installation::puppet_pass_seed") |$key| { {} } @@ -47,11 +48,23 @@ class role::cryptoportfolio { order => "b0", } - class { 'nginx': } - - nginx::resource::server { $cf_front_app_host: - listen_port => 80, - proxy => 'http://localhost:8000', + apache::vhost { $cf_front_app_host: + port => '80', + docroot => false, + manage_docroot => false, + proxy_dest => "http://localhost:8000", + proxy_preserve_host => true, + no_proxy_uris => [ + "/maintenance_immae.html", + "/googleb6d69446ff4ca3e5.html", + "/.well-known/acme-challenge" + ], + no_proxy_uris_match => [ + '^/licen[cs]es?_et_tip(ping)?$', + '^/licen[cs]es?_and_tip(ping)?$', + '^/licen[cs]es?$', + '^/tip(ping)?$', + ] } user { $cf_user: -- cgit v1.2.3 From 8af3ea1e76efa88a52d089a4f6ac65a175f31369 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= Date: Mon, 19 Feb 2018 22:30:16 +0100 Subject: Add tools --- modules/profile/manifests/tools.pp | 3 +++ modules/role/manifests/cryptoportfolio.pp | 1 + 2 files changed, 4 insertions(+) create mode 100644 modules/profile/manifests/tools.pp diff --git a/modules/profile/manifests/tools.pp b/modules/profile/manifests/tools.pp new file mode 100644 index 0000000..52e3cea --- /dev/null +++ b/modules/profile/manifests/tools.pp @@ -0,0 +1,3 @@ +class profile::tools { + ensure_packages(['vim', 'bash-completion']) +} diff --git a/modules/role/manifests/cryptoportfolio.pp b/modules/role/manifests/cryptoportfolio.pp index 084419e..49ab57b 100644 --- a/modules/role/manifests/cryptoportfolio.pp +++ b/modules/role/manifests/cryptoportfolio.pp @@ -1,6 +1,7 @@ class role::cryptoportfolio { include "base_installation" + include "profile::tools" include "profile::postgresql" include "profile::apache" -- cgit v1.2.3 From e345248bd85980f6fefe7bc62251cc5b97f64854 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= Date: Tue, 20 Feb 2018 08:24:52 +0100 Subject: Add letsencrypt --- .gitmodules | 6 +++ .../production/data/types/vps-ovhssd-1.yaml | 1 + modules/letsencrypt | 1 + modules/nginx | 1 - modules/profile/manifests/apache.pp | 52 +++++++++++++++++++--- modules/role/manifests/cryptoportfolio.pp | 27 +++++------ modules/ssl | 1 + 7 files changed, 70 insertions(+), 19 deletions(-) create mode 160000 modules/letsencrypt delete mode 160000 modules/nginx create mode 160000 modules/ssl diff --git a/.gitmodules b/.gitmodules index 2b29861..35df238 100644 --- a/.gitmodules +++ b/.gitmodules @@ -37,6 +37,12 @@ [submodule "modules/apache"] path = modules/apache url = git://git.immae.eu/github/puppetlabs/puppetlabs-apache.git +[submodule "modules/letsencrypt"] + path = modules/letsencrypt + url = git://git.immae.eu/github/voxpupuli/puppet-letsencrypt.git [submodule "python/ovh"] path = python/ovh url = git://git.immae.eu/github/ovh/python-ovh +[submodule "modules/ssl"] + path = modules/ssl + url = git://git.immae.eu/github/fnerdwq/puppet-ssl diff --git a/environments/production/data/types/vps-ovhssd-1.yaml b/environments/production/data/types/vps-ovhssd-1.yaml index 4647a25..9130ad1 100644 --- a/environments/production/data/types/vps-ovhssd-1.yaml +++ b/environments/production/data/types/vps-ovhssd-1.yaml @@ -6,3 +6,4 @@ classes: base_installation::real_hostname: "%{facts.ec2_metadata.hostname}.ovh.net" base_installation::grub_device: "/dev/sdb" base_installation::ldap_cert_path: "/etc/ssl/certs/ca-certificates.crt" +ssl::try_letsencrypt_for_real_hostname: false diff --git a/modules/letsencrypt b/modules/letsencrypt new file mode 160000 index 0000000..55ac1e9 --- /dev/null +++ b/modules/letsencrypt @@ -0,0 +1 @@ +Subproject commit 55ac1e9c731b6dbfc380cd282c39f273223fcd53 diff --git a/modules/nginx b/modules/nginx deleted file mode 160000 index a7f40a8..0000000 --- a/modules/nginx +++ /dev/null @@ -1 +0,0 @@ -Subproject commit a7f40a8893e394cc57695ff81ea53254bcf1ff3a diff --git a/modules/profile/manifests/apache.pp b/modules/profile/manifests/apache.pp index b965944..7f7c3a6 100644 --- a/modules/profile/manifests/apache.pp +++ b/modules/profile/manifests/apache.pp @@ -35,8 +35,7 @@ class profile::apache { filename => 'letsencrypt.conf' } - # FIXME: default values ignored? - Apache::Vhost { + $apache_vhost_default = { no_proxy_uris => [ "/maintenance_immae.html", "/googleb6d69446ff4ca3e5.html", @@ -50,14 +49,58 @@ class profile::apache { ] } + $letsencrypt_certonly_default = { + plugin => "webroot", + webroot_paths => ["/srv/http/"], + notify => Class['Apache::Service'], + require => [Apache::Vhost["redirect_no_ssl"],Apache::Custom_config["letsencrypt.conf"]], + manage_cron => true, + } + + class { '::letsencrypt': + install_method => "package", + package_name => "certbot", + package_command => "certbot", + # FIXME + email => 'sites+letsencrypt@mail.immae.eu', + } + $real_hostname = lookup("base_installation::real_hostname") |$key| { {} } unless empty($real_hostname) { + if (lookup("ssl::try_letsencrypt_for_real_hostname") |$key| { true }) { + letsencrypt::certonly { $real_hostname: + before => Apache::Vhost["default_ssl"]; + default: * => $::profile::apache::letsencrypt_certonly_default; + } + $ssl_cert = "/etc/letsencrypt/live/$real_hostname/cert.pem" + $ssl_key = "/etc/letsencrypt/live/$real_hostname/privkey.pem" + $ssl_chain = "/etc/letsencrypt/live/$real_hostname/chain.pem" + } else { + ssl::self_signed_certificate { $real_hostname: + common_name => $real_hostname, + country => "FR", + days => "3650", + organization => "Immae", + directory => "/etc/httpd/conf/ssl", + before => Apache::Vhost["default_ssl"], + } + + $ssl_key = "/etc/httpd/conf/ssl/$real_hostname.key" + $ssl_cert = "/etc/httpd/conf/ssl/$real_hostname.crt" + $ssl_chain = undef + } + apache::vhost { "default_ssl": port => '443', docroot => '/srv/http', servername => $real_hostname, directoryindex => 'index.htm index.html', - priority => 0, + ssl => true, + ssl_key => $ssl_key, + ssl_cert => $ssl_cert, + ssl_chain => $ssl_chain, + priority => 0; + default: * => $::profile::apache::apache_vhost_default; } } @@ -102,8 +145,7 @@ class profile::apache { file { [ "/srv/http", - "/srv/http/.well-known", - "/srv/http/.well-known/acme-challenge"]: + "/srv/http/.well-known"]: ensure => "directory", mode => "0755", owner => "root", diff --git a/modules/role/manifests/cryptoportfolio.pp b/modules/role/manifests/cryptoportfolio.pp index 49ab57b..d2323a4 100644 --- a/modules/role/manifests/cryptoportfolio.pp +++ b/modules/role/manifests/cryptoportfolio.pp @@ -49,23 +49,24 @@ class role::cryptoportfolio { order => "b0", } + letsencrypt::certonly { $cf_front_app_host: ; + default: * => $::profile::apache::letsencrypt_certonly_default; + } + + class { 'apache::mod::headers': } apache::vhost { $cf_front_app_host: - port => '80', + port => '443', docroot => false, manage_docroot => false, proxy_dest => "http://localhost:8000", - proxy_preserve_host => true, - no_proxy_uris => [ - "/maintenance_immae.html", - "/googleb6d69446ff4ca3e5.html", - "/.well-known/acme-challenge" - ], - no_proxy_uris_match => [ - '^/licen[cs]es?_et_tip(ping)?$', - '^/licen[cs]es?_and_tip(ping)?$', - '^/licen[cs]es?$', - '^/tip(ping)?$', - ] + request_headers => 'set X-Forwarded-Proto "https"', + ssl => true, + ssl_cert => "/etc/letsencrypt/live/$cf_front_app_host/cert.pem", + ssl_key => "/etc/letsencrypt/live/$cf_front_app_host/privkey.pem", + ssl_chain => "/etc/letsencrypt/live/$cf_front_app_host/chain.pem", + require => Letsencrypt::Certonly[$cf_front_app_host], + proxy_preserve_host => true; + default: * => $::profile::apache::apache_vhost_default; } user { $cf_user: diff --git a/modules/ssl b/modules/ssl new file mode 160000 index 0000000..c1cef11 --- /dev/null +++ b/modules/ssl @@ -0,0 +1 @@ +Subproject commit c1cef11d63da71c7599e905ff0598d21799ab8cc -- cgit v1.2.3 From 5be7de41fe02fe60fbbac530e6729f74e206aea3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= Date: Tue, 20 Feb 2018 11:31:08 +0100 Subject: Add index to default location --- modules/profile/files/apache/index.html | 9 +++++++++ modules/profile/manifests/apache.pp | 6 ++++++ 2 files changed, 15 insertions(+) create mode 100644 modules/profile/files/apache/index.html diff --git a/modules/profile/files/apache/index.html b/modules/profile/files/apache/index.html new file mode 100644 index 0000000..0274251 --- /dev/null +++ b/modules/profile/files/apache/index.html @@ -0,0 +1,9 @@ + + + + Hello World HTML + + +

It works!

+ + diff --git a/modules/profile/manifests/apache.pp b/modules/profile/manifests/apache.pp index 7f7c3a6..605b701 100644 --- a/modules/profile/manifests/apache.pp +++ b/modules/profile/manifests/apache.pp @@ -152,6 +152,12 @@ class profile::apache { group => "root", } + file { "/srv/http/index.html": + mode => "0644", + owner => "root", + group => "root", + source => "puppet:///modules/profile/apache/index.html", + } file { "/srv/http/maintenance_immae.html": mode => "0644", owner => "root", -- cgit v1.2.3