annotate modules/website/manifests/https/redir.pp @ 8:16e9e26337be

Lock down ownership and permissions on certificates
author IBBoard <dev@ibboard.co.uk>
date Wed, 08 Oct 2014 19:45:54 +0000
parents 956e484adc12
children 4b42f65ae875
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
0
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
1 # If the SSL cert and key are defined then the definer deals with them existing
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
2 # If the SSL cert and key are not defined then we use template file paths and ensure they exist
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
3 define website::https::redir(
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
4 $docroot = undef,
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
5 $ip = $website::primary_ip,
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
6 $redir,
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
7 $ssl_cert = undef,
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
8 $ssl_key = undef,
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
9 $ssl_ca_chain = $website::ca_chain,
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
10 $docroot_owner = undef,
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
11 $docroot_group = undef,
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
12 $serveraliases = [],
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
13 $ensure = 'present',
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
14 $separate_log = false,
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
15 ) {
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
16
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
17 validate_re($ensure, '^(present|absent)$',
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
18 "${ensure} is not supported for ensure.
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
19 Allowed values are 'present' and 'absent'.")
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
20
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
21 $shortname = domain_to_short_name($name)
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
22 $logpart = $shortname
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
23 $shortdomain = domain_to_short_domain($name)
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
24
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
25 if $separate_log {
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
26 $log_extra = '_redir'
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
27 } else {
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
28 $log_extra = ''
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
29 }
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
30
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
31 if $docroot == undef {
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
32 $siteroot = "${website::basedir}/${shortname}"
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
33 } else {
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
34 $siteroot = $docroot
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
35 }
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
36
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
37 if $ssl_cert == undef {
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
38 $sslcert = "${website::certdir}/${shortdomain}.crt"
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
39 $sslkey = "${website::certdir}/${shortdomain}.key"
8
16e9e26337be Lock down ownership and permissions on certificates
IBBoard <dev@ibboard.co.uk>
parents: 0
diff changeset
40 File {
16e9e26337be Lock down ownership and permissions on certificates
IBBoard <dev@ibboard.co.uk>
parents: 0
diff changeset
41 mode => '0400',
16e9e26337be Lock down ownership and permissions on certificates
IBBoard <dev@ibboard.co.uk>
parents: 0
diff changeset
42 owner => 'root',
16e9e26337be Lock down ownership and permissions on certificates
IBBoard <dev@ibboard.co.uk>
parents: 0
diff changeset
43 group => 'root',
16e9e26337be Lock down ownership and permissions on certificates
IBBoard <dev@ibboard.co.uk>
parents: 0
diff changeset
44 }
0
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
45 if ! defined(File[$sslcert]) {
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
46 file { $sslcert:
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
47 source => "puppet:///private/pki/custom/${shortdomain}.crt",
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
48 before => Apache::Vhost[$name],
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
49 notify => Service['httpd'],
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
50 ensure => present;
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
51 }
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
52 }
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
53 if ! defined(File["/etc/pki/custom/$ssl_chain"]) {
8
16e9e26337be Lock down ownership and permissions on certificates
IBBoard <dev@ibboard.co.uk>
parents: 0
diff changeset
54 file { $sslkey:
0
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
55 source => "puppet:///private/pki/custom/${shortdomain}.key",
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
56 before => Apache::Vhost[$name],
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
57 notify => Service['httpd'],
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
58 ensure => present;
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
59 }
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
60 }
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
61 } else {
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
62 $sslcert = $ssl_cert
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
63 $sslkey = $ssl_key
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
64 }
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
65
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
66 if $ssl_ca_chain == '' {
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
67 # Special case where we're directly under the CA and don't want to unnecessarily send the CA cert
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
68 $ssl_chain = undef
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
69 } else {
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
70 $ssl_chain = "/etc/pki/custom/$ssl_ca_chain"
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
71 if ! defined(File[$ssl_chain]) {
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
72 file { $ssl_chain:
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
73 ensure => present,
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
74 source => "puppet:///private/pki/custom/$ssl_ca_chain",
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
75 notify => Service['httpd'],
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
76 }
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
77 }
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
78 }
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
79
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
80 if $docroot_owner == undef {
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
81 $owner = $website::docroot_owner
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
82 } else {
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
83 $owner = $docroot_owner
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
84 }
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
85
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
86 if $docroot_group == undef {
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
87 $group = $website::docroot_group
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
88 } else {
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
89 $group = $docroot_group
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
90 }
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
91
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
92 apache::vhost { $name:
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
93 ip => $ip,
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
94 port => '443',
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
95 docroot => $siteroot,
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
96 docroot_owner => $owner,
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
97 docroot_group => $group,
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
98 redirect_status => 'permanent',
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
99 redirect_dest => $redir,
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
100 custom_fragment => 'Header add Strict-Transport-Security "max-age=16070400; includeSubDomains"',
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
101 logroot => '/var/log/apache/',
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
102 access_log_file => "access_${logpart}${log_extra}.log",
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
103 error_log_file => "error_${logpart}${log_extra}.log",
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
104 serveraliases => $serveraliases,
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
105 ssl => true,
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
106 ssl_cert => $sslcert,
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
107 ssl_key => $sslkey,
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
108 ssl_chain => $ssl_chain,
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
109 ensure => $ensure,
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
110 }
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
111
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
112 apache::vhost { "${name}-80":
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
113 servername => $name,
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
114 port => 80,
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
115 docroot => $siteroot,
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
116 docroot_owner => $owner,
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
117 docroot_group => $group,
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
118 redirect_status => 'permanent',
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
119 redirect_dest => $redir,
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
120 serveraliases => $serveraliases,
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
121 logroot => '/var/log/apache/',
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
122 access_log_file => "access_${logpart}${log_extra}_nossl.log",
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
123 error_log_file => "error_${logpart}${log_extra}_nossl.log",
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
124 }
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
125 }