Mercurial > repos > other > Puppet

annotate modules/website/manifests/init.pp @ 426:1d6cf5d981be

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Try to resolve more CSP errors
author IBBoard <dev@ibboard.co.uk>
date Fri, 14 Oct 2022 19:18:57 +0100
parents 575764c36e16
children a08a2f718f9d
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
0
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
1 class website(
277
13825cc1ec57 Replace deprecated validation methods
IBBoard <dev@ibboard.co.uk>
parents: 266
diff changeset
2 Pattern[/^(\/[^\/]+)*$/] $base_dir,
13825cc1ec57 Replace deprecated validation methods
IBBoard <dev@ibboard.co.uk>
parents: 266
diff changeset
3 Pattern[/^(\/[^\/]+)*$/] $cert_dir = '/etc/pki/custom',
279
e36b7f4f85f2 Start to support IPv6 servers
IBBoard <dev@ibboard.co.uk>
parents: 278
diff changeset
4 Stdlib::IP::Address $primary_ip,
288
be66955bf27d Fix another optional argument
IBBoard <dev@ibboard.co.uk>
parents: 287
diff changeset
5 Optional[Stdlib::IP::Address::V6] $proxy_4to6_ip_prefix = undef,
284
9431aec4d998 Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents: 281
diff changeset
6 Optional[Integer] $proxy_4to6_mask = undef,
287
97e732f67770 Make upstream proxies optional to match undef default
IBBoard <dev@ibboard.co.uk>
parents: 286
diff changeset
7 Optional[Array] $proxy_upstream = undef,
277
13825cc1ec57 Replace deprecated validation methods
IBBoard <dev@ibboard.co.uk>
parents: 266
diff changeset
8 String $default_owner,
13825cc1ec57 Replace deprecated validation methods
IBBoard <dev@ibboard.co.uk>
parents: 266
diff changeset
9 String $default_group,
13825cc1ec57 Replace deprecated validation methods
IBBoard <dev@ibboard.co.uk>
parents: 266
diff changeset
10 String $default_tld = 'com',
13825cc1ec57 Replace deprecated validation methods
IBBoard <dev@ibboard.co.uk>
parents: 266
diff changeset
11 Array $default_extra_tlds = []
0
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
12 ){
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
13
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
14 $basedir = $base_dir
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
15 $certdir = $cert_dir
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
16 $docroot_owner = $default_owner
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
17 $docroot_group = $default_group
133
9337c9ce648a Switch to using LetsEncrypt certs by default
IBBoard <dev@ibboard.co.uk>
parents: 119
diff changeset
18 $ca_chain = "/etc/letsencrypt/live/${::fqdn}/chain.pem"
0
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
19 $tld = $default_tld
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
20 $extra_tlds = $default_extra_tlds
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
21 $htmlphpfragment = "Include conf.extra/html-php.conf"
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
22 $filterfragment = "Include conf.custom/filter.conf"
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
23 $cmsfragment = "Include conf.extra/cms_rewrites.conf"
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
24
410
575764c36e16 Setup CSP Nonce on the server
IBBoard <dev@ibboard.co.uk>
parents: 390
diff changeset
25 $csp_base = {
575764c36e16 Setup CSP Nonce on the server
IBBoard <dev@ibboard.co.uk>
parents: 390
diff changeset
26 "frame-ancestors" => "'none'",
575764c36e16 Setup CSP Nonce on the server
IBBoard <dev@ibboard.co.uk>
parents: 390
diff changeset
27 "base-uri" => "'none'",
575764c36e16 Setup CSP Nonce on the server
IBBoard <dev@ibboard.co.uk>
parents: 390
diff changeset
28 "object-src" => "'none'",
575764c36e16 Setup CSP Nonce on the server
IBBoard <dev@ibboard.co.uk>
parents: 390
diff changeset
29 }
236
4519b727cc4c Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents: 135
diff changeset
30 $csp_report_base = {
4519b727cc4c Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents: 135
diff changeset
31 "default-src" => "'none'",
4519b727cc4c Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents: 135
diff changeset
32 "img-src" => "'self'",
410
575764c36e16 Setup CSP Nonce on the server
IBBoard <dev@ibboard.co.uk>
parents: 390
diff changeset
33 "script-src" => "'self' 'nonce-%{CSP_NONCE}e'",
575764c36e16 Setup CSP Nonce on the server
IBBoard <dev@ibboard.co.uk>
parents: 390
diff changeset
34 "style-src" => "'self' 'nonce-%{CSP_NONCE}e'",
575764c36e16 Setup CSP Nonce on the server
IBBoard <dev@ibboard.co.uk>
parents: 390
diff changeset
35 "font-src" => "'self' 'nonce-%{CSP_NONCE}e'"
236
4519b727cc4c Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents: 135
diff changeset
36 }
4519b727cc4c Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents: 135
diff changeset
37
390
df5ad1612af7 Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 359
diff changeset
38 if $osfamily == 'RedHat' {
df5ad1612af7 Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 359
diff changeset
39 $apache_base_dir = "/etc/httpd/"
df5ad1612af7 Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 359
diff changeset
40 $vhost_dir = "/etc/httpd/conf.d/vhosts"
df5ad1612af7 Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 359
diff changeset
41 $apache_user = 'apache'
df5ad1612af7 Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 359
diff changeset
42 $apache_group = $apache_user
df5ad1612af7 Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 359
diff changeset
43 $apache_log_group = $apache_user
df5ad1612af7 Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 359
diff changeset
44 }
df5ad1612af7 Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 359
diff changeset
45 elsif $osfamily == 'Debian' {
df5ad1612af7 Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 359
diff changeset
46 $apache_base_dir = "/etc/apache2/"
df5ad1612af7 Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 359
diff changeset
47 $vhost_dir = "/etc/apache2/sites-available"
df5ad1612af7 Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 359
diff changeset
48 $apache_user = 'www-data'
df5ad1612af7 Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 359
diff changeset
49 $apache_group = $apache_user
df5ad1612af7 Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 359
diff changeset
50 $apache_log_group = $apache_user
df5ad1612af7 Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 359
diff changeset
51 }
df5ad1612af7 Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 359
diff changeset
52
df5ad1612af7 Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 359
diff changeset
53
0
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
54 class { 'apache':
390
df5ad1612af7 Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 359
diff changeset
55 vhost_dir => $vhost_dir,
359
05cad5ba9506 Enable HTTP/2
IBBoard <dev@ibboard.co.uk>
parents: 354
diff changeset
56 protocols => ["h2", "http/1.1"],
0
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
57 default_mods => false,
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
58 default_vhost => false,
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
59 mpm_module => false,
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
60 }
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
61 class { 'apache::mod::dir': indexes => [ 'index.html' ] }
354
aad5c00b0525 Switch to Apache "events" and PHP via FCGI
IBBoard <dev@ibboard.co.uk>
parents: 353
diff changeset
62 class { 'apache::mod::event': }
359
05cad5ba9506 Enable HTTP/2
IBBoard <dev@ibboard.co.uk>
parents: 354
diff changeset
63 class { 'apache::mod::http2': }
390
df5ad1612af7 Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 359
diff changeset
64 class { 'apache::mod::mime': mime_types_config => "${apache_base_dir}mime.types" }
0
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
65 apache::mod {
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
66 'rewrite':;
254
5a903aa91469 Change header types and add module to fix NextCloud header checks
IBBoard <dev@ibboard.co.uk>
parents: 236
diff changeset
67 'expires':;
5a903aa91469 Change header types and add module to fix NextCloud header checks
IBBoard <dev@ibboard.co.uk>
parents: 236
diff changeset
68 'env':;
5a903aa91469 Change header types and add module to fix NextCloud header checks
IBBoard <dev@ibboard.co.uk>
parents: 236
diff changeset
69 'setenvif':;
5a903aa91469 Change header types and add module to fix NextCloud header checks
IBBoard <dev@ibboard.co.uk>
parents: 236
diff changeset
70 'headers':;
353
e046606cf218 Fix access control rules
IBBoard <dev@ibboard.co.uk>
parents: 313
diff changeset
71 'allowmethods':;
0
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
72 }
390
df5ad1612af7 Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 359
diff changeset
73 if $osfamily == 'RedHat' {
df5ad1612af7 Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 359
diff changeset
74 # Ubuntu builds the "version" module in, but CentOS doesn't
df5ad1612af7 Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 359
diff changeset
75 apache::mod {
df5ad1612af7 Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 359
diff changeset
76 'version':;
df5ad1612af7 Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 359
diff changeset
77 }
df5ad1612af7 Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 359
diff changeset
78 }
119
95502bafeaa3 Blank some Apache configs to prevent httpd update breaking the server
IBBoard <dev@ibboard.co.uk>
parents: 115
diff changeset
79
95502bafeaa3 Blank some Apache configs to prevent httpd update breaking the server
IBBoard <dev@ibboard.co.uk>
parents: 115
diff changeset
80 # Updating the httpd package puts back some configs that we
95502bafeaa3 Blank some Apache configs to prevent httpd update breaking the server
IBBoard <dev@ibboard.co.uk>
parents: 115
diff changeset
81 # don't load the relevant modules for, so we'll try to make
95502bafeaa3 Blank some Apache configs to prevent httpd update breaking the server
IBBoard <dev@ibboard.co.uk>
parents: 115
diff changeset
82 # them blank so that RPM/Yum makes ".rpmnew" files instead
95502bafeaa3 Blank some Apache configs to prevent httpd update breaking the server
IBBoard <dev@ibboard.co.uk>
parents: 115
diff changeset
83 $unused_default_mods = [
95502bafeaa3 Blank some Apache configs to prevent httpd update breaking the server
IBBoard <dev@ibboard.co.uk>
parents: 115
diff changeset
84 "${::apache::mod_dir}/autoindex.conf",
95502bafeaa3 Blank some Apache configs to prevent httpd update breaking the server
IBBoard <dev@ibboard.co.uk>
parents: 115
diff changeset
85 "${::apache::mod_dir}/userdir.conf",
95502bafeaa3 Blank some Apache configs to prevent httpd update breaking the server
IBBoard <dev@ibboard.co.uk>
parents: 115
diff changeset
86 "${::apache::mod_dir}/welcome.conf",
95502bafeaa3 Blank some Apache configs to prevent httpd update breaking the server
IBBoard <dev@ibboard.co.uk>
parents: 115
diff changeset
87 ]
95502bafeaa3 Blank some Apache configs to prevent httpd update breaking the server
IBBoard <dev@ibboard.co.uk>
parents: 115
diff changeset
88 file { $unused_default_mods:
95502bafeaa3 Blank some Apache configs to prevent httpd update breaking the server
IBBoard <dev@ibboard.co.uk>
parents: 115
diff changeset
89 ensure => file,
95502bafeaa3 Blank some Apache configs to prevent httpd update breaking the server
IBBoard <dev@ibboard.co.uk>
parents: 115
diff changeset
90 content => '',
248
72deb9ebb15e Make sure that web server files come after package creates dir
IBBoard <dev@ibboard.co.uk>
parents: 246
diff changeset
91 require => Class['apache'],
119
95502bafeaa3 Blank some Apache configs to prevent httpd update breaking the server
IBBoard <dev@ibboard.co.uk>
parents: 115
diff changeset
92 }
95502bafeaa3 Blank some Apache configs to prevent httpd update breaking the server
IBBoard <dev@ibboard.co.uk>
parents: 115
diff changeset
93
0
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
94 file { $base_dir:
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
95 ensure => directory;
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
96 }
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
97 file { '/var/log/apache':
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
98 ensure => directory,
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
99 mode => '0750',
390
df5ad1612af7 Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 359
diff changeset
100 group => $apache_log_group,
0
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
101 }
390
df5ad1612af7 Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 359
diff changeset
102 file { "${apache_base_dir}conf.extra":
0
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
103 ensure => directory,
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
104 recurse => true,
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
105 source => "puppet:///modules/website/conf.extra",
248
72deb9ebb15e Make sure that web server files come after package creates dir
IBBoard <dev@ibboard.co.uk>
parents: 246
diff changeset
106 require => Class['apache'],
0
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
107 notify => Service['httpd'];
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
108 }
390
df5ad1612af7 Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 359
diff changeset
109 file { "${apache_base_dir}mime.types":
0
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
110 ensure => present,
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
111 source => "puppet:///modules/website/mime.types",
248
72deb9ebb15e Make sure that web server files come after package creates dir
IBBoard <dev@ibboard.co.uk>
parents: 246
diff changeset
112 require => Class['apache'],
0
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
113 notify => Service['httpd'];
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
114 }
390
df5ad1612af7 Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 359
diff changeset
115 file { "${apache_base_dir}conf.d/zzz-custom.conf":
115
b35a9df52965 Make sure that custom config comes before site configs
IBBoard <dev@ibboard.co.uk>
parents: 98
diff changeset
116 ensure => absent,
248
72deb9ebb15e Make sure that web server files come after package creates dir
IBBoard <dev@ibboard.co.uk>
parents: 246
diff changeset
117 require => Class['apache'],
115
b35a9df52965 Make sure that custom config comes before site configs
IBBoard <dev@ibboard.co.uk>
parents: 98
diff changeset
118 notify => Service['httpd'];
b35a9df52965 Make sure that custom config comes before site configs
IBBoard <dev@ibboard.co.uk>
parents: 98
diff changeset
119 }
390
df5ad1612af7 Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 359
diff changeset
120 file { "${apache_base_dir}conf.d/zzz-0-custom.conf":
0
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
121 ensure => present,
115
b35a9df52965 Make sure that custom config comes before site configs
IBBoard <dev@ibboard.co.uk>
parents: 98
diff changeset
122 source => "puppet:///modules/website/zzz-0-custom.conf",
248
72deb9ebb15e Make sure that web server files come after package creates dir
IBBoard <dev@ibboard.co.uk>
parents: 246
diff changeset
123 require => Class['apache'],
0
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
124 notify => Service['httpd'];
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
125 }
390
df5ad1612af7 Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 359
diff changeset
126 file { "${apache_base_dir}conf.custom":
0
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
127 ensure => directory,
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
128 recurse => true,
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
129 source => "puppet:///private/apache/conf.custom",
248
72deb9ebb15e Make sure that web server files come after package creates dir
IBBoard <dev@ibboard.co.uk>
parents: 246
diff changeset
130 require => Class['apache'],
0
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
131 notify => Service['httpd'];
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
132 }
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
133 file { $cert_dir:
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
134 ensure => directory;
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
135 }
279
e36b7f4f85f2 Start to support IPv6 servers
IBBoard <dev@ibboard.co.uk>
parents: 278
diff changeset
136 firewall { '100 allow https and http':
e36b7f4f85f2 Start to support IPv6 servers
IBBoard <dev@ibboard.co.uk>
parents: 278
diff changeset
137 destination => $primary_ip,
e36b7f4f85f2 Start to support IPv6 servers
IBBoard <dev@ibboard.co.uk>
parents: 278
diff changeset
138 dport => [80, 443],
e36b7f4f85f2 Start to support IPv6 servers
IBBoard <dev@ibboard.co.uk>
parents: 278
diff changeset
139 proto => tcp,
e36b7f4f85f2 Start to support IPv6 servers
IBBoard <dev@ibboard.co.uk>
parents: 278
diff changeset
140 action => accept,
e36b7f4f85f2 Start to support IPv6 servers
IBBoard <dev@ibboard.co.uk>
parents: 278
diff changeset
141 }
284
9431aec4d998 Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents: 281
diff changeset
142 if ($proxy_4to6_ip_prefix != undef) and ($proxy_upstream != undef) {
281
af7df930a670 Add 4-to-6 proxy and mod_remoteip setup
IBBoard <dev@ibboard.co.uk>
parents: 279
diff changeset
143 apache::mod { "remoteip": }
284
9431aec4d998 Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents: 281
diff changeset
144 $proxy_4to6_ip = "$proxy_4to6_ip_prefix:0000/$proxy_4to6_mask"
281
af7df930a670 Add 4-to-6 proxy and mod_remoteip setup
IBBoard <dev@ibboard.co.uk>
parents: 279
diff changeset
145
279
e36b7f4f85f2 Start to support IPv6 servers
IBBoard <dev@ibboard.co.uk>
parents: 278
diff changeset
146 $proxy_upstream.each |String $upstream_addr| {
e36b7f4f85f2 Start to support IPv6 servers
IBBoard <dev@ibboard.co.uk>
parents: 278
diff changeset
147 firewall { "100 limit PROXY protocol to upstream $upstream_addr":
e36b7f4f85f2 Start to support IPv6 servers
IBBoard <dev@ibboard.co.uk>
parents: 278
diff changeset
148 source => $upstream_addr,
284
9431aec4d998 Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents: 281
diff changeset
149 destination => $proxy_4to6_ip,
279
e36b7f4f85f2 Start to support IPv6 servers
IBBoard <dev@ibboard.co.uk>
parents: 278
diff changeset
150 dport => [80, 443],
e36b7f4f85f2 Start to support IPv6 servers
IBBoard <dev@ibboard.co.uk>
parents: 278
diff changeset
151 proto => tcp,
e36b7f4f85f2 Start to support IPv6 servers
IBBoard <dev@ibboard.co.uk>
parents: 278
diff changeset
152 action => accept,
e36b7f4f85f2 Start to support IPv6 servers
IBBoard <dev@ibboard.co.uk>
parents: 278
diff changeset
153 }
e36b7f4f85f2 Start to support IPv6 servers
IBBoard <dev@ibboard.co.uk>
parents: 278
diff changeset
154 }
e36b7f4f85f2 Start to support IPv6 servers
IBBoard <dev@ibboard.co.uk>
parents: 278
diff changeset
155 firewall { "101 block all other PROXY protocol access":
284
9431aec4d998 Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents: 281
diff changeset
156 destination => $proxy_4to6_ip,
279
e36b7f4f85f2 Start to support IPv6 servers
IBBoard <dev@ibboard.co.uk>
parents: 278
diff changeset
157 dport => [80, 443],
e36b7f4f85f2 Start to support IPv6 servers
IBBoard <dev@ibboard.co.uk>
parents: 278
diff changeset
158 proto => tcp,
e36b7f4f85f2 Start to support IPv6 servers
IBBoard <dev@ibboard.co.uk>
parents: 278
diff changeset
159 action => reject,
e36b7f4f85f2 Start to support IPv6 servers
IBBoard <dev@ibboard.co.uk>
parents: 278
diff changeset
160 }
e36b7f4f85f2 Start to support IPv6 servers
IBBoard <dev@ibboard.co.uk>
parents: 278
diff changeset
161 }
390
df5ad1612af7 Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 359
diff changeset
162 if $operatingsystem == 'CentOS' {
48
5cdc1c96c477 Add SELinux support for website content
IBBoard <dev@ibboard.co.uk>
parents: 1
diff changeset
163 exec { 'set_apache_defaults':
5cdc1c96c477 Add SELinux support for website content
IBBoard <dev@ibboard.co.uk>
parents: 1
diff changeset
164 command => 'semanage fcontext -a -t httpd_sys_content_t "/srv/sites(/.*)?"',
5cdc1c96c477 Add SELinux support for website content
IBBoard <dev@ibboard.co.uk>
parents: 1
diff changeset
165 path => '/bin:/usr/bin/:/sbin:/usr/sbin',
5cdc1c96c477 Add SELinux support for website content
IBBoard <dev@ibboard.co.uk>
parents: 1
diff changeset
166 require => Package['policycoreutils-python'],
5cdc1c96c477 Add SELinux support for website content
IBBoard <dev@ibboard.co.uk>
parents: 1
diff changeset
167 unless => 'semanage fcontext --list | grep "/srv/sites\\(/\\.\\*\\)\\?"',
5cdc1c96c477 Add SELinux support for website content
IBBoard <dev@ibboard.co.uk>
parents: 1
diff changeset
168 }
298
61e90445c899 Merge CentOS8 and CentOS7 branches
IBBoard <dev@ibboard.co.uk>
parents: 288
diff changeset
169 if versioncmp($operatingsystemrelease, '8') < 0 {
278
a8bf3a400712 Make Certbot package version specific
IBBoard <dev@ibboard.co.uk>
parents: 277
diff changeset
170 $certbot_pkg = 'python2-certbot-apache'
a8bf3a400712 Make Certbot package version specific
IBBoard <dev@ibboard.co.uk>
parents: 277
diff changeset
171 } else {
a8bf3a400712 Make Certbot package version specific
IBBoard <dev@ibboard.co.uk>
parents: 277
diff changeset
172 $certbot_pkg = 'python3-certbot-apache'
a8bf3a400712 Make Certbot package version specific
IBBoard <dev@ibboard.co.uk>
parents: 277
diff changeset
173 }
390
df5ad1612af7 Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 359
diff changeset
174 }
df5ad1612af7 Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 359
diff changeset
175 elsif $operatingsystem == 'Ubuntu' {
df5ad1612af7 Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 359
diff changeset
176 $certbot_pkg = 'certbot'
df5ad1612af7 Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 359
diff changeset
177 }
df5ad1612af7 Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 359
diff changeset
178 cron { 'letsencrypt-renewal':
df5ad1612af7 Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 359
diff changeset
179 command => '/usr/bin/certbot renew --quiet',
df5ad1612af7 Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 359
diff changeset
180 hour => '*/12',
df5ad1612af7 Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 359
diff changeset
181 minute => '21',
df5ad1612af7 Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 359
diff changeset
182 }
df5ad1612af7 Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 359
diff changeset
183 package { $certbot_pkg:
df5ad1612af7 Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents: 359
diff changeset
184 ensure => installed,
48
5cdc1c96c477 Add SELinux support for website content
IBBoard <dev@ibboard.co.uk>
parents: 1
diff changeset
185 }
0
956e484adc12 Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff changeset
186 }