Mercurial > repos > other > Puppet
annotate modules/website/manifests/init.pp @ 284:9431aec4d998
Switch to using IPv6 prefix and IP per site
This is because the proxy seems to break SNI, so we need an IP
per SSL cert. We're not short of IPv6 addresses, though!
Also corrected to "4to6" naming, because we're letting IPv4 access
an IPv6 site
| author | IBBoard <dev@ibboard.co.uk> |
|---|---|
| date | Sun, 16 Feb 2020 12:07:35 +0000 |
| parents | af7df930a670 |
| children | e765073832d9 |
| rev | line source |
|---|---|
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1 class website( |
|
277
13825cc1ec57
Replace deprecated validation methods
IBBoard <dev@ibboard.co.uk>
parents:
266
diff
changeset
|
2 Pattern[/^(\/[^\/]+)*$/] $base_dir, |
|
13825cc1ec57
Replace deprecated validation methods
IBBoard <dev@ibboard.co.uk>
parents:
266
diff
changeset
|
3 Pattern[/^(\/[^\/]+)*$/] $cert_dir = '/etc/pki/custom', |
| 279 | 4 Stdlib::IP::Address $primary_ip, |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
5 Stdlib::IP::Address::V6 $proxy_4to6_ip_prefix = undef, |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
6 Optional[Integer] $proxy_4to6_mask = undef, |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
7 Array[Stdlib::IP::Address::V6] $proxy_4to6_addresses = [], |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
8 Array $proxy_upstream = undef, |
|
277
13825cc1ec57
Replace deprecated validation methods
IBBoard <dev@ibboard.co.uk>
parents:
266
diff
changeset
|
9 String $default_owner, |
|
13825cc1ec57
Replace deprecated validation methods
IBBoard <dev@ibboard.co.uk>
parents:
266
diff
changeset
|
10 String $default_group, |
|
13825cc1ec57
Replace deprecated validation methods
IBBoard <dev@ibboard.co.uk>
parents:
266
diff
changeset
|
11 String $default_tld = 'com', |
|
13825cc1ec57
Replace deprecated validation methods
IBBoard <dev@ibboard.co.uk>
parents:
266
diff
changeset
|
12 Array $default_extra_tlds = [] |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
13 ){ |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
14 |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
15 $basedir = $base_dir |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
16 $certdir = $cert_dir |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
17 $docroot_owner = $default_owner |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
18 $docroot_group = $default_group |
|
133
9337c9ce648a
Switch to using LetsEncrypt certs by default
IBBoard <dev@ibboard.co.uk>
parents:
119
diff
changeset
|
19 $ca_chain = "/etc/letsencrypt/live/${::fqdn}/chain.pem" |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
20 $tld = $default_tld |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
21 $extra_tlds = $default_extra_tlds |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
22 $htmlphpfragment = "Include conf.extra/html-php.conf" |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
23 $filterfragment = "Include conf.custom/filter.conf" |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
24 $cmsfragment = "Include conf.extra/cms_rewrites.conf" |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
25 |
|
236
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
135
diff
changeset
|
26 $csp_base = {"frame-ancestors" => "'none'", "base-uri" => "'none'"} |
|
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
135
diff
changeset
|
27 $csp_report_base = { |
|
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
135
diff
changeset
|
28 "default-src" => "'none'", |
|
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
135
diff
changeset
|
29 "img-src" => "'self'", |
|
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
135
diff
changeset
|
30 "script-src" => "'self'", |
|
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
135
diff
changeset
|
31 "style-src" => "'self'", |
|
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
135
diff
changeset
|
32 "font-src" => "'self'" |
|
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
135
diff
changeset
|
33 } |
|
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
135
diff
changeset
|
34 |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
35 class { 'apache': |
|
261
c3ecb1e58713
Fix more CentOS 7 vs 8 differences
IBBoard <dev@ibboard.co.uk>
parents:
252
diff
changeset
|
36 vhost_dir => "/etc/httpd/conf.d/vhosts", |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
37 default_mods => false, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
38 default_vhost => false, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
39 mpm_module => false, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
40 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
41 class { 'apache::mod::dir': indexes => [ 'index.html' ] } |
|
84
ae30d98f294f
Drop the number of spare servers to save some memory when we normally only have a couple of processes at once
IBBoard <dev@ibboard.co.uk>
parents:
57
diff
changeset
|
42 class { 'apache::mod::prefork': |
|
ae30d98f294f
Drop the number of spare servers to save some memory when we normally only have a couple of processes at once
IBBoard <dev@ibboard.co.uk>
parents:
57
diff
changeset
|
43 serverlimit => 45, |
|
ae30d98f294f
Drop the number of spare servers to save some memory when we normally only have a couple of processes at once
IBBoard <dev@ibboard.co.uk>
parents:
57
diff
changeset
|
44 maxclients => 45, |
|
98
00453eecda4c
Reduce the number of spare servers, because we're quiet and need spare memory
IBBoard <dev@ibboard.co.uk>
parents:
84
diff
changeset
|
45 maxspareservers => 6, |
|
84
ae30d98f294f
Drop the number of spare servers to save some memory when we normally only have a couple of processes at once
IBBoard <dev@ibboard.co.uk>
parents:
57
diff
changeset
|
46 } |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
47 apache::mod { |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
48 'rewrite':; |
|
254
5a903aa91469
Change header types and add module to fix NextCloud header checks
IBBoard <dev@ibboard.co.uk>
parents:
236
diff
changeset
|
49 'expires':; |
|
5a903aa91469
Change header types and add module to fix NextCloud header checks
IBBoard <dev@ibboard.co.uk>
parents:
236
diff
changeset
|
50 'env':; |
|
5a903aa91469
Change header types and add module to fix NextCloud header checks
IBBoard <dev@ibboard.co.uk>
parents:
236
diff
changeset
|
51 'setenvif':; |
|
5a903aa91469
Change header types and add module to fix NextCloud header checks
IBBoard <dev@ibboard.co.uk>
parents:
236
diff
changeset
|
52 'headers':; |
|
34
29d330d2056a
Make sure that we have mod_version installed so that Apache config fragments that try to support 2.2 and 2.4 work properly
IBBoard <dev@ibboard.co.uk>
parents:
1
diff
changeset
|
53 'version':; |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
54 } |
|
119
95502bafeaa3
Blank some Apache configs to prevent httpd update breaking the server
IBBoard <dev@ibboard.co.uk>
parents:
115
diff
changeset
|
55 |
|
95502bafeaa3
Blank some Apache configs to prevent httpd update breaking the server
IBBoard <dev@ibboard.co.uk>
parents:
115
diff
changeset
|
56 # Updating the httpd package puts back some configs that we |
|
95502bafeaa3
Blank some Apache configs to prevent httpd update breaking the server
IBBoard <dev@ibboard.co.uk>
parents:
115
diff
changeset
|
57 # don't load the relevant modules for, so we'll try to make |
|
95502bafeaa3
Blank some Apache configs to prevent httpd update breaking the server
IBBoard <dev@ibboard.co.uk>
parents:
115
diff
changeset
|
58 # them blank so that RPM/Yum makes ".rpmnew" files instead |
|
95502bafeaa3
Blank some Apache configs to prevent httpd update breaking the server
IBBoard <dev@ibboard.co.uk>
parents:
115
diff
changeset
|
59 $unused_default_mods = [ |
|
95502bafeaa3
Blank some Apache configs to prevent httpd update breaking the server
IBBoard <dev@ibboard.co.uk>
parents:
115
diff
changeset
|
60 "${::apache::mod_dir}/autoindex.conf", |
|
95502bafeaa3
Blank some Apache configs to prevent httpd update breaking the server
IBBoard <dev@ibboard.co.uk>
parents:
115
diff
changeset
|
61 "${::apache::mod_dir}/userdir.conf", |
|
95502bafeaa3
Blank some Apache configs to prevent httpd update breaking the server
IBBoard <dev@ibboard.co.uk>
parents:
115
diff
changeset
|
62 "${::apache::mod_dir}/welcome.conf", |
|
95502bafeaa3
Blank some Apache configs to prevent httpd update breaking the server
IBBoard <dev@ibboard.co.uk>
parents:
115
diff
changeset
|
63 ] |
|
95502bafeaa3
Blank some Apache configs to prevent httpd update breaking the server
IBBoard <dev@ibboard.co.uk>
parents:
115
diff
changeset
|
64 file { $unused_default_mods: |
|
95502bafeaa3
Blank some Apache configs to prevent httpd update breaking the server
IBBoard <dev@ibboard.co.uk>
parents:
115
diff
changeset
|
65 ensure => file, |
|
95502bafeaa3
Blank some Apache configs to prevent httpd update breaking the server
IBBoard <dev@ibboard.co.uk>
parents:
115
diff
changeset
|
66 content => '', |
|
248
72deb9ebb15e
Make sure that web server files come after package creates dir
IBBoard <dev@ibboard.co.uk>
parents:
246
diff
changeset
|
67 require => Class['apache'], |
|
119
95502bafeaa3
Blank some Apache configs to prevent httpd update breaking the server
IBBoard <dev@ibboard.co.uk>
parents:
115
diff
changeset
|
68 } |
|
95502bafeaa3
Blank some Apache configs to prevent httpd update breaking the server
IBBoard <dev@ibboard.co.uk>
parents:
115
diff
changeset
|
69 |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
70 file { $base_dir: |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
71 ensure => directory; |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
72 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
73 file { '/var/log/apache': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
74 ensure => directory, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
75 mode => '0750', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
76 group => 'apache', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
77 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
78 file { '/etc/httpd/conf.extra': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
79 ensure => directory, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
80 recurse => true, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
81 source => "puppet:///modules/website/conf.extra", |
|
248
72deb9ebb15e
Make sure that web server files come after package creates dir
IBBoard <dev@ibboard.co.uk>
parents:
246
diff
changeset
|
82 require => Class['apache'], |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
83 notify => Service['httpd']; |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
84 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
85 file { '/etc/httpd/conf/mime.types': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
86 ensure => present, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
87 source => "puppet:///modules/website/mime.types", |
|
248
72deb9ebb15e
Make sure that web server files come after package creates dir
IBBoard <dev@ibboard.co.uk>
parents:
246
diff
changeset
|
88 require => Class['apache'], |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
89 notify => Service['httpd']; |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
90 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
91 file { '/etc/php.d/datetime.ini': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
92 ensure => present, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
93 source => "puppet:///modules/website/datetime.ini", |
|
248
72deb9ebb15e
Make sure that web server files come after package creates dir
IBBoard <dev@ibboard.co.uk>
parents:
246
diff
changeset
|
94 require => Class['apache'], |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
95 notify => Service['httpd']; |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
96 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
97 file { '/etc/httpd/conf.d/zzz-custom.conf': |
|
115
b35a9df52965
Make sure that custom config comes before site configs
IBBoard <dev@ibboard.co.uk>
parents:
98
diff
changeset
|
98 ensure => absent, |
|
248
72deb9ebb15e
Make sure that web server files come after package creates dir
IBBoard <dev@ibboard.co.uk>
parents:
246
diff
changeset
|
99 require => Class['apache'], |
|
115
b35a9df52965
Make sure that custom config comes before site configs
IBBoard <dev@ibboard.co.uk>
parents:
98
diff
changeset
|
100 notify => Service['httpd']; |
|
b35a9df52965
Make sure that custom config comes before site configs
IBBoard <dev@ibboard.co.uk>
parents:
98
diff
changeset
|
101 } |
|
b35a9df52965
Make sure that custom config comes before site configs
IBBoard <dev@ibboard.co.uk>
parents:
98
diff
changeset
|
102 file { '/etc/httpd/conf.d/zzz-0-custom.conf': |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
103 ensure => present, |
|
115
b35a9df52965
Make sure that custom config comes before site configs
IBBoard <dev@ibboard.co.uk>
parents:
98
diff
changeset
|
104 source => "puppet:///modules/website/zzz-0-custom.conf", |
|
248
72deb9ebb15e
Make sure that web server files come after package creates dir
IBBoard <dev@ibboard.co.uk>
parents:
246
diff
changeset
|
105 require => Class['apache'], |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
106 notify => Service['httpd']; |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
107 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
108 file { '/etc/httpd/conf.d/php.conf': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
109 ensure => present, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
110 source => "puppet:///modules/website/php.conf", |
|
248
72deb9ebb15e
Make sure that web server files come after package creates dir
IBBoard <dev@ibboard.co.uk>
parents:
246
diff
changeset
|
111 require => Class['apache'], |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
112 notify => Service['httpd']; |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
113 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
114 file { '/etc/httpd/conf.custom': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
115 ensure => directory, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
116 recurse => true, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
117 source => "puppet:///private/apache/conf.custom", |
|
248
72deb9ebb15e
Make sure that web server files come after package creates dir
IBBoard <dev@ibboard.co.uk>
parents:
246
diff
changeset
|
118 require => Class['apache'], |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
119 notify => Service['httpd']; |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
120 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
121 file { $cert_dir: |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
122 ensure => directory; |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
123 } |
| 279 | 124 firewall { '100 allow https and http': |
| 125 destination => $primary_ip, | |
| 126 dport => [80, 443], | |
| 127 proto => tcp, | |
| 128 action => accept, | |
| 129 } | |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
130 if ($proxy_4to6_ip_prefix != undef) and ($proxy_upstream != undef) { |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
131 $ipv6_secondaries = join($proxy_4to6_addresses, " ") |
| 279 | 132 augeas {'/etc/sysconfig/network-scripts/ifcfg-eth0': |
| 133 context => "/files/etc/sysconfig/network-scripts/ifcfg-eth0", | |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
134 changes => "set IPV6ADDR_SECONDARIES '$ipv6_secondaries'", |
| 279 | 135 } |
|
281
af7df930a670
Add 4-to-6 proxy and mod_remoteip setup
IBBoard <dev@ibboard.co.uk>
parents:
279
diff
changeset
|
136 |
|
af7df930a670
Add 4-to-6 proxy and mod_remoteip setup
IBBoard <dev@ibboard.co.uk>
parents:
279
diff
changeset
|
137 apache::mod { "remoteip": } |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
138 $proxy_4to6_ip = "$proxy_4to6_ip_prefix:0000/$proxy_4to6_mask" |
|
281
af7df930a670
Add 4-to-6 proxy and mod_remoteip setup
IBBoard <dev@ibboard.co.uk>
parents:
279
diff
changeset
|
139 |
| 279 | 140 $proxy_upstream.each |String $upstream_addr| { |
| 141 firewall { "100 limit PROXY protocol to upstream $upstream_addr": | |
| 142 source => $upstream_addr, | |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
143 destination => $proxy_4to6_ip, |
| 279 | 144 dport => [80, 443], |
| 145 proto => tcp, | |
| 146 action => accept, | |
| 147 } | |
| 148 } | |
| 149 firewall { "101 block all other PROXY protocol access": | |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
150 destination => $proxy_4to6_ip, |
| 279 | 151 dport => [80, 443], |
| 152 proto => tcp, | |
| 153 action => reject, | |
| 154 } | |
| 155 } | |
| 246 | 156 if $operatingsystem == 'CentOS' and versioncmp($operatingsystemrelease, '7') >= 0 { |
|
48
5cdc1c96c477
Add SELinux support for website content
IBBoard <dev@ibboard.co.uk>
parents:
1
diff
changeset
|
157 exec { 'set_apache_defaults': |
|
5cdc1c96c477
Add SELinux support for website content
IBBoard <dev@ibboard.co.uk>
parents:
1
diff
changeset
|
158 command => 'semanage fcontext -a -t httpd_sys_content_t "/srv/sites(/.*)?"', |
|
5cdc1c96c477
Add SELinux support for website content
IBBoard <dev@ibboard.co.uk>
parents:
1
diff
changeset
|
159 path => '/bin:/usr/bin/:/sbin:/usr/sbin', |
|
5cdc1c96c477
Add SELinux support for website content
IBBoard <dev@ibboard.co.uk>
parents:
1
diff
changeset
|
160 require => Package['policycoreutils-python'], |
|
5cdc1c96c477
Add SELinux support for website content
IBBoard <dev@ibboard.co.uk>
parents:
1
diff
changeset
|
161 unless => 'semanage fcontext --list | grep "/srv/sites\\(/\\.\\*\\)\\?"', |
|
5cdc1c96c477
Add SELinux support for website content
IBBoard <dev@ibboard.co.uk>
parents:
1
diff
changeset
|
162 } |
|
133
9337c9ce648a
Switch to using LetsEncrypt certs by default
IBBoard <dev@ibboard.co.uk>
parents:
119
diff
changeset
|
163 cron { 'letsencrypt-renewal': |
|
9337c9ce648a
Switch to using LetsEncrypt certs by default
IBBoard <dev@ibboard.co.uk>
parents:
119
diff
changeset
|
164 command => '/usr/bin/certbot renew --quiet', |
|
9337c9ce648a
Switch to using LetsEncrypt certs by default
IBBoard <dev@ibboard.co.uk>
parents:
119
diff
changeset
|
165 hour => '*/12', |
|
9337c9ce648a
Switch to using LetsEncrypt certs by default
IBBoard <dev@ibboard.co.uk>
parents:
119
diff
changeset
|
166 minute => '21', |
|
9337c9ce648a
Switch to using LetsEncrypt certs by default
IBBoard <dev@ibboard.co.uk>
parents:
119
diff
changeset
|
167 } |
|
278
a8bf3a400712
Make Certbot package version specific
IBBoard <dev@ibboard.co.uk>
parents:
277
diff
changeset
|
168 if versioncmp($operatingsystemrelease, '7') == 0 { |
|
a8bf3a400712
Make Certbot package version specific
IBBoard <dev@ibboard.co.uk>
parents:
277
diff
changeset
|
169 $certbot_pkg = 'python2-certbot-apache' |
|
a8bf3a400712
Make Certbot package version specific
IBBoard <dev@ibboard.co.uk>
parents:
277
diff
changeset
|
170 } else { |
|
a8bf3a400712
Make Certbot package version specific
IBBoard <dev@ibboard.co.uk>
parents:
277
diff
changeset
|
171 $certbot_pkg = 'python3-certbot-apache' |
|
a8bf3a400712
Make Certbot package version specific
IBBoard <dev@ibboard.co.uk>
parents:
277
diff
changeset
|
172 } |
|
a8bf3a400712
Make Certbot package version specific
IBBoard <dev@ibboard.co.uk>
parents:
277
diff
changeset
|
173 package { $certbot_pkg: |
|
135
b3f6c7a910d0
Add Certbot packages we depend on for commands and providing certs
IBBoard <dev@ibboard.co.uk>
parents:
133
diff
changeset
|
174 ensure => installed, |
|
b3f6c7a910d0
Add Certbot packages we depend on for commands and providing certs
IBBoard <dev@ibboard.co.uk>
parents:
133
diff
changeset
|
175 } |
|
48
5cdc1c96c477
Add SELinux support for website content
IBBoard <dev@ibboard.co.uk>
parents:
1
diff
changeset
|
176 } |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
177 } |