From 2bb35074eef353f03b4373f695834c0be41609ad Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Isma=C3=ABl=20Bouya?=
Date: Sun, 18 Feb 2018 23:51:53 +0100
Subject: Migrate to apache
---
 modules/profile/manifests/apache.pp | 125 ++++++++++++++++++++++++++++++++++++
 1 file changed, 125 insertions(+)
 create mode 100644 modules/profile/manifests/apache.pp
(limited to 'modules/profile/manifests')
diff --git a/modules/profile/manifests/apache.pp b/modules/profile/manifests/apache.pp
new file mode 100644
index 0000000..b965944
--- /dev/null
+++ b/modules/profile/manifests/apache.pp
@@ -0,0 +1,125 @@
+class profile::apache {
+ class { 'apache':
+ root_directory_secured => true,
+ root_directory_options => ["All"],
+ default_mods => false,
+ default_vhost => false,
+ log_formats => {
+ combined => '%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %p',
+ common => '%h %l %u %t \"%r\" %>s %b',
+ }
+ }
+
+ ::apache::custom_config { 'log_config.conf':
+ content => 'CustomLog "/var/log/httpd/access_log" combined',
+ filename => 'log_config.conf'
+ }
+
+ ::apache::custom_config { 'protocols.conf':
+ content => 'Protocols h2 http/1.1',
+ filename => 'protocols.conf'
+ }
+
+ ::apache::custom_config { 'document_root.conf':
+ source => "puppet:///modules/profile/apache/document_root.conf",
+ filename => "document_root.conf"
+ }
+
+ ::apache::custom_config { 'immae.conf':
+ source => "puppet:///modules/profile/apache/immae.conf",
+ filename => 'immae.conf'
+ }
+
+ ::apache::custom_config { 'letsencrypt.conf':
+ source => "puppet:///modules/profile/apache/letsencrypt.conf",
+ filename => 'letsencrypt.conf'
+ }
+
+ # FIXME: default values ignored?
+ Apache::Vhost {
+ no_proxy_uris => [
+ "/maintenance_immae.html",
+ "/googleb6d69446ff4ca3e5.html",
+ "/.well-known/acme-challenge"
+ ],
+ no_proxy_uris_match => [
+ '^/licen[cs]es?_et_tip(ping)?$',
+ '^/licen[cs]es?_and_tip(ping)?$',
+ '^/licen[cs]es?$',
+ '^/tip(ping)?$',
+ ]
+ }
+
+ $real_hostname = lookup("base_installation::real_hostname") |$key| { {} }
+ unless empty($real_hostname) {
+ apache::vhost { "default_ssl":
+ port => '443',
+ docroot => '/srv/http',
+ servername => $real_hostname,
+ directoryindex => 'index.htm index.html',
+ priority => 0,
+ }
+ }
+
+ apache::vhost { "redirect_no_ssl":
+ port => '80',
+ error_log => false,
+ log_level => undef,
+ access_log => false,
+ docroot => false,
+ servername => "",
+ serveraliases => "*",
+ priority => 99,
+ rewrites => [
+ {
+ rewrite_cond => '"%{REQUEST_URI}" "!^/\.well-known"',
+ rewrite_rule => '^(.+) https://%{HTTP_HOST}$1 [R=301]'
+ }
+ ]
+ }
+
+ class { 'apache::mod::ssl':
+ ssl_protocol => [ 'all', '-SSLv3' ],
+ # Given by
+ # https://mozilla.github.io/server-side-tls/ssl-config-generator/
+ ssl_cipher => "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS",
+ # FIXME: need SSLSessionTickets off
+ ssl_stapling => true,
+ ssl_stapling_return_errors => false,
+ # FIXME: SSLStaplingResponderTimeout 5
+ ssl_ca => '/etc/ssl/certs/ca-certificates.crt',
+ }
+ class { 'apache::mod::alias': }
+ class { 'apache::mod::autoindex': }
+ # Included by ssl
+ # class { 'apache::mod::mime': }
+ class { 'apache::mod::deflate': }
+ class { 'apache::mod::rewrite': }
+
+ class { 'apache::mod::dir':
+ indexes => ["index.html"]
+ }
+
+ file { [
+ "/srv/http",
+ "/srv/http/.well-known",
+ "/srv/http/.well-known/acme-challenge"]:
+ ensure => "directory",
+ mode => "0755",
+ owner => "root",
+ group => "root",
+ }
+
+ file { "/srv/http/maintenance_immae.html":
+ mode => "0644",
+ owner => "root",
+ group => "root",
+ source => "puppet:///modules/profile/apache/maintenance_immae.html",
+ }
+ file { "/srv/http/googleb6d69446ff4ca3e5.html":
+ mode => "0644",
+ owner => "root",
+ group => "root",
+ source => "puppet:///modules/profile/apache/googleb6d69446ff4ca3e5.html",
+ }
+}
-- cgit v1.2.3
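Review bot: `root_directory_options => ["All"]` in the `class { 'apache': ... }` block at the top of the hunk makes `Options All` the inherited baseline of the root `<Directory />`, so Indexes, Includes, ExecCGI and FollowSymLinks apply to every path that no more specific `<Directory>` block overrides, which is wider than the module's default of `['FollowSymLinks']`; unless document_root.conf or immae.conf relies on the broader set, `root_directory_options => ['FollowSymLinks'],` keeps the deny-all root block conservative. The docroots declared through `apache::vhost` presumably get their own `<Directory>` options, so the change mainly affects aliased or custom-config paths, which is worth confirming against the generated httpd.conf. Separately, the `redirect_no_ssl` rewrite reflects the client-supplied `Host` header into the redirect target through `%{HTTP_HOST}`; for a `serveraliases => "*"` catch-all that is presumably intended, and a comment such as `# Catch-all: redirects to whatever Host the client sent, not to a canonical name` would record that as deliberate. In `apache::mod::ssl`, `[ 'all', '-SSLv3' ]` still admits TLS 1.0 and 1.1 and the cipher string ends with the 3DES `DES-CBC3-SHA` suites, i.e. the generator's intermediate profile rather than its modern one, and the two FIXMEs there (SSLSessionTickets, SSLStaplingResponderTimeout) remain open.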