Mercurial > repos > other > Puppet
annotate modules/website/manifests/init.pp @ 287:97e732f67770
Make upstream proxies optional to match undef default
| author | IBBoard <dev@ibboard.co.uk> |
|---|---|
| date | Sun, 16 Feb 2020 19:55:29 +0000 |
| parents | e765073832d9 |
| children | be66955bf27d |
| rev | line source |
|---|---|
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1 class website( |
|
277
13825cc1ec57
Replace deprecated validation methods
IBBoard <dev@ibboard.co.uk>
parents:
266
diff
changeset
|
2 Pattern[/^(\/[^\/]+)*$/] $base_dir, |
|
13825cc1ec57
Replace deprecated validation methods
IBBoard <dev@ibboard.co.uk>
parents:
266
diff
changeset
|
3 Pattern[/^(\/[^\/]+)*$/] $cert_dir = '/etc/pki/custom', |
| 279 | 4 Stdlib::IP::Address $primary_ip, |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
5 Stdlib::IP::Address::V6 $proxy_4to6_ip_prefix = undef, |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
6 Optional[Integer] $proxy_4to6_mask = undef, |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
7 Array[Stdlib::IP::Address::V6] $proxy_4to6_addresses = [], |
|
287
97e732f67770
Make upstream proxies optional to match undef default
IBBoard <dev@ibboard.co.uk>
parents:
286
diff
changeset
|
8 Optional[Array] $proxy_upstream = undef, |
|
277
13825cc1ec57
Replace deprecated validation methods
IBBoard <dev@ibboard.co.uk>
parents:
266
diff
changeset
|
9 String $default_owner, |
|
13825cc1ec57
Replace deprecated validation methods
IBBoard <dev@ibboard.co.uk>
parents:
266
diff
changeset
|
10 String $default_group, |
|
13825cc1ec57
Replace deprecated validation methods
IBBoard <dev@ibboard.co.uk>
parents:
266
diff
changeset
|
11 String $default_tld = 'com', |
|
13825cc1ec57
Replace deprecated validation methods
IBBoard <dev@ibboard.co.uk>
parents:
266
diff
changeset
|
12 Array $default_extra_tlds = [] |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
13 ){ |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
14 |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
15 $basedir = $base_dir |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
16 $certdir = $cert_dir |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
17 $docroot_owner = $default_owner |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
18 $docroot_group = $default_group |
|
133
9337c9ce648a
Switch to using LetsEncrypt certs by default
IBBoard <dev@ibboard.co.uk>
parents:
119
diff
changeset
|
19 $ca_chain = "/etc/letsencrypt/live/${::fqdn}/chain.pem" |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
20 $tld = $default_tld |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
21 $extra_tlds = $default_extra_tlds |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
22 $htmlphpfragment = "Include conf.extra/html-php.conf" |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
23 $filterfragment = "Include conf.custom/filter.conf" |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
24 $cmsfragment = "Include conf.extra/cms_rewrites.conf" |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
25 |
|
236
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
135
diff
changeset
|
26 $csp_base = {"frame-ancestors" => "'none'", "base-uri" => "'none'"} |
|
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
135
diff
changeset
|
27 $csp_report_base = { |
|
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
135
diff
changeset
|
28 "default-src" => "'none'", |
|
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
135
diff
changeset
|
29 "img-src" => "'self'", |
|
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
135
diff
changeset
|
30 "script-src" => "'self'", |
|
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
135
diff
changeset
|
31 "style-src" => "'self'", |
|
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
135
diff
changeset
|
32 "font-src" => "'self'" |
|
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
135
diff
changeset
|
33 } |
|
4519b727cc4c
Make Content-Security-Policy cleaner and easier to set
IBBoard <dev@ibboard.co.uk>
parents:
135
diff
changeset
|
34 |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
35 class { 'apache': |
|
261
c3ecb1e58713
Fix more CentOS 7 vs 8 differences
IBBoard <dev@ibboard.co.uk>
parents:
252
diff
changeset
|
36 vhost_dir => "/etc/httpd/conf.d/vhosts", |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
37 default_mods => false, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
38 default_vhost => false, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
39 mpm_module => false, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
40 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
41 class { 'apache::mod::dir': indexes => [ 'index.html' ] } |
|
84
ae30d98f294f
Drop the number of spare servers to save some memory when we normally only have a couple of processes at once
IBBoard <dev@ibboard.co.uk>
parents:
57
diff
changeset
|
42 class { 'apache::mod::prefork': |
|
ae30d98f294f
Drop the number of spare servers to save some memory when we normally only have a couple of processes at once
IBBoard <dev@ibboard.co.uk>
parents:
57
diff
changeset
|
43 serverlimit => 45, |
|
ae30d98f294f
Drop the number of spare servers to save some memory when we normally only have a couple of processes at once
IBBoard <dev@ibboard.co.uk>
parents:
57
diff
changeset
|
44 maxclients => 45, |
|
98
00453eecda4c
Reduce the number of spare servers, because we're quiet and need spare memory
IBBoard <dev@ibboard.co.uk>
parents:
84
diff
changeset
|
45 maxspareservers => 6, |
|
84
ae30d98f294f
Drop the number of spare servers to save some memory when we normally only have a couple of processes at once
IBBoard <dev@ibboard.co.uk>
parents:
57
diff
changeset
|
46 } |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
47 apache::mod { |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
48 'rewrite':; |
|
254
5a903aa91469
Change header types and add module to fix NextCloud header checks
IBBoard <dev@ibboard.co.uk>
parents:
236
diff
changeset
|
49 'expires':; |
|
5a903aa91469
Change header types and add module to fix NextCloud header checks
IBBoard <dev@ibboard.co.uk>
parents:
236
diff
changeset
|
50 'env':; |
|
5a903aa91469
Change header types and add module to fix NextCloud header checks
IBBoard <dev@ibboard.co.uk>
parents:
236
diff
changeset
|
51 'setenvif':; |
|
5a903aa91469
Change header types and add module to fix NextCloud header checks
IBBoard <dev@ibboard.co.uk>
parents:
236
diff
changeset
|
52 'headers':; |
|
34
29d330d2056a
Make sure that we have mod_version installed so that Apache config fragments that try to support 2.2 and 2.4 work properly
IBBoard <dev@ibboard.co.uk>
parents:
1
diff
changeset
|
53 'version':; |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
54 } |
|
119
95502bafeaa3
Blank some Apache configs to prevent httpd update breaking the server
IBBoard <dev@ibboard.co.uk>
parents:
115
diff
changeset
|
55 |
|
95502bafeaa3
Blank some Apache configs to prevent httpd update breaking the server
IBBoard <dev@ibboard.co.uk>
parents:
115
diff
changeset
|
56 # Updating the httpd package puts back some configs that we |
|
95502bafeaa3
Blank some Apache configs to prevent httpd update breaking the server
IBBoard <dev@ibboard.co.uk>
parents:
115
diff
changeset
|
57 # don't load the relevant modules for, so we'll try to make |
|
95502bafeaa3
Blank some Apache configs to prevent httpd update breaking the server
IBBoard <dev@ibboard.co.uk>
parents:
115
diff
changeset
|
58 # them blank so that RPM/Yum makes ".rpmnew" files instead |
|
95502bafeaa3
Blank some Apache configs to prevent httpd update breaking the server
IBBoard <dev@ibboard.co.uk>
parents:
115
diff
changeset
|
59 $unused_default_mods = [ |
|
95502bafeaa3
Blank some Apache configs to prevent httpd update breaking the server
IBBoard <dev@ibboard.co.uk>
parents:
115
diff
changeset
|
60 "${::apache::mod_dir}/autoindex.conf", |
|
95502bafeaa3
Blank some Apache configs to prevent httpd update breaking the server
IBBoard <dev@ibboard.co.uk>
parents:
115
diff
changeset
|
61 "${::apache::mod_dir}/userdir.conf", |
|
95502bafeaa3
Blank some Apache configs to prevent httpd update breaking the server
IBBoard <dev@ibboard.co.uk>
parents:
115
diff
changeset
|
62 "${::apache::mod_dir}/welcome.conf", |
|
95502bafeaa3
Blank some Apache configs to prevent httpd update breaking the server
IBBoard <dev@ibboard.co.uk>
parents:
115
diff
changeset
|
63 ] |
|
95502bafeaa3
Blank some Apache configs to prevent httpd update breaking the server
IBBoard <dev@ibboard.co.uk>
parents:
115
diff
changeset
|
64 file { $unused_default_mods: |
|
95502bafeaa3
Blank some Apache configs to prevent httpd update breaking the server
IBBoard <dev@ibboard.co.uk>
parents:
115
diff
changeset
|
65 ensure => file, |
|
95502bafeaa3
Blank some Apache configs to prevent httpd update breaking the server
IBBoard <dev@ibboard.co.uk>
parents:
115
diff
changeset
|
66 content => '', |
|
248
72deb9ebb15e
Make sure that web server files come after package creates dir
IBBoard <dev@ibboard.co.uk>
parents:
246
diff
changeset
|
67 require => Class['apache'], |
|
119
95502bafeaa3
Blank some Apache configs to prevent httpd update breaking the server
IBBoard <dev@ibboard.co.uk>
parents:
115
diff
changeset
|
68 } |
|
95502bafeaa3
Blank some Apache configs to prevent httpd update breaking the server
IBBoard <dev@ibboard.co.uk>
parents:
115
diff
changeset
|
69 |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
70 file { $base_dir: |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
71 ensure => directory; |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
72 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
73 file { '/var/log/apache': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
74 ensure => directory, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
75 mode => '0750', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
76 group => 'apache', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
77 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
78 file { '/etc/httpd/conf.extra': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
79 ensure => directory, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
80 recurse => true, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
81 source => "puppet:///modules/website/conf.extra", |
|
248
72deb9ebb15e
Make sure that web server files come after package creates dir
IBBoard <dev@ibboard.co.uk>
parents:
246
diff
changeset
|
82 require => Class['apache'], |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
83 notify => Service['httpd']; |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
84 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
85 file { '/etc/httpd/conf/mime.types': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
86 ensure => present, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
87 source => "puppet:///modules/website/mime.types", |
|
248
72deb9ebb15e
Make sure that web server files come after package creates dir
IBBoard <dev@ibboard.co.uk>
parents:
246
diff
changeset
|
88 require => Class['apache'], |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
89 notify => Service['httpd']; |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
90 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
91 file { '/etc/php.d/datetime.ini': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
92 ensure => present, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
93 source => "puppet:///modules/website/datetime.ini", |
|
248
72deb9ebb15e
Make sure that web server files come after package creates dir
IBBoard <dev@ibboard.co.uk>
parents:
246
diff
changeset
|
94 require => Class['apache'], |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
95 notify => Service['httpd']; |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
96 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
97 file { '/etc/httpd/conf.d/zzz-custom.conf': |
|
115
b35a9df52965
Make sure that custom config comes before site configs
IBBoard <dev@ibboard.co.uk>
parents:
98
diff
changeset
|
98 ensure => absent, |
|
248
72deb9ebb15e
Make sure that web server files come after package creates dir
IBBoard <dev@ibboard.co.uk>
parents:
246
diff
changeset
|
99 require => Class['apache'], |
|
115
b35a9df52965
Make sure that custom config comes before site configs
IBBoard <dev@ibboard.co.uk>
parents:
98
diff
changeset
|
100 notify => Service['httpd']; |
|
b35a9df52965
Make sure that custom config comes before site configs
IBBoard <dev@ibboard.co.uk>
parents:
98
diff
changeset
|
101 } |
|
b35a9df52965
Make sure that custom config comes before site configs
IBBoard <dev@ibboard.co.uk>
parents:
98
diff
changeset
|
102 file { '/etc/httpd/conf.d/zzz-0-custom.conf': |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
103 ensure => present, |
|
115
b35a9df52965
Make sure that custom config comes before site configs
IBBoard <dev@ibboard.co.uk>
parents:
98
diff
changeset
|
104 source => "puppet:///modules/website/zzz-0-custom.conf", |
|
248
72deb9ebb15e
Make sure that web server files come after package creates dir
IBBoard <dev@ibboard.co.uk>
parents:
246
diff
changeset
|
105 require => Class['apache'], |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
106 notify => Service['httpd']; |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
107 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
108 file { '/etc/httpd/conf.d/php.conf': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
109 ensure => present, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
110 source => "puppet:///modules/website/php.conf", |
|
248
72deb9ebb15e
Make sure that web server files come after package creates dir
IBBoard <dev@ibboard.co.uk>
parents:
246
diff
changeset
|
111 require => Class['apache'], |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
112 notify => Service['httpd']; |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
113 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
114 file { '/etc/httpd/conf.custom': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
115 ensure => directory, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
116 recurse => true, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
117 source => "puppet:///private/apache/conf.custom", |
|
248
72deb9ebb15e
Make sure that web server files come after package creates dir
IBBoard <dev@ibboard.co.uk>
parents:
246
diff
changeset
|
118 require => Class['apache'], |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
119 notify => Service['httpd']; |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
120 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
121 file { $cert_dir: |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
122 ensure => directory; |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
123 } |
| 279 | 124 firewall { '100 allow https and http': |
| 125 destination => $primary_ip, | |
| 126 dport => [80, 443], | |
| 127 proto => tcp, | |
| 128 action => accept, | |
| 129 } | |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
130 if ($proxy_4to6_ip_prefix != undef) and ($proxy_upstream != undef) { |
|
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
131 $ipv6_secondaries = join($proxy_4to6_addresses, " ") |
|
286
e765073832d9
Fix Augeas setting extra IPv6 lines
IBBoard <dev@ibboard.co.uk>
parents:
284
diff
changeset
|
132 |
|
e765073832d9
Fix Augeas setting extra IPv6 lines
IBBoard <dev@ibboard.co.uk>
parents:
284
diff
changeset
|
133 augeas {'IPv6 secondary addresses': |
| 279 | 134 context => "/files/etc/sysconfig/network-scripts/ifcfg-eth0", |
|
286
e765073832d9
Fix Augeas setting extra IPv6 lines
IBBoard <dev@ibboard.co.uk>
parents:
284
diff
changeset
|
135 changes => "set IPV6ADDR_SECONDARIES '\"$ipv6_secondaries\"'", |
| 279 | 136 } |
|
281
af7df930a670
Add 4-to-6 proxy and mod_remoteip setup
IBBoard <dev@ibboard.co.uk>
parents:
279
diff
changeset
|
137 |
|
af7df930a670
Add 4-to-6 proxy and mod_remoteip setup
IBBoard <dev@ibboard.co.uk>
parents:
279
diff
changeset
|
138 apache::mod { "remoteip": } |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
139 $proxy_4to6_ip = "$proxy_4to6_ip_prefix:0000/$proxy_4to6_mask" |
|
281
af7df930a670
Add 4-to-6 proxy and mod_remoteip setup
IBBoard <dev@ibboard.co.uk>
parents:
279
diff
changeset
|
140 |
| 279 | 141 $proxy_upstream.each |String $upstream_addr| { |
| 142 firewall { "100 limit PROXY protocol to upstream $upstream_addr": | |
| 143 source => $upstream_addr, | |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
144 destination => $proxy_4to6_ip, |
| 279 | 145 dport => [80, 443], |
| 146 proto => tcp, | |
| 147 action => accept, | |
| 148 } | |
| 149 } | |
| 150 firewall { "101 block all other PROXY protocol access": | |
|
284
9431aec4d998
Switch to using IPv6 prefix and IP per site
IBBoard <dev@ibboard.co.uk>
parents:
281
diff
changeset
|
151 destination => $proxy_4to6_ip, |
| 279 | 152 dport => [80, 443], |
| 153 proto => tcp, | |
| 154 action => reject, | |
| 155 } | |
| 156 } | |
| 246 | 157 if $operatingsystem == 'CentOS' and versioncmp($operatingsystemrelease, '7') >= 0 { |
|
48
5cdc1c96c477
Add SELinux support for website content
IBBoard <dev@ibboard.co.uk>
parents:
1
diff
changeset
|
158 exec { 'set_apache_defaults': |
|
5cdc1c96c477
Add SELinux support for website content
IBBoard <dev@ibboard.co.uk>
parents:
1
diff
changeset
|
159 command => 'semanage fcontext -a -t httpd_sys_content_t "/srv/sites(/.*)?"', |
|
5cdc1c96c477
Add SELinux support for website content
IBBoard <dev@ibboard.co.uk>
parents:
1
diff
changeset
|
160 path => '/bin:/usr/bin/:/sbin:/usr/sbin', |
|
5cdc1c96c477
Add SELinux support for website content
IBBoard <dev@ibboard.co.uk>
parents:
1
diff
changeset
|
161 require => Package['policycoreutils-python'], |
|
5cdc1c96c477
Add SELinux support for website content
IBBoard <dev@ibboard.co.uk>
parents:
1
diff
changeset
|
162 unless => 'semanage fcontext --list | grep "/srv/sites\\(/\\.\\*\\)\\?"', |
|
5cdc1c96c477
Add SELinux support for website content
IBBoard <dev@ibboard.co.uk>
parents:
1
diff
changeset
|
163 } |
|
133
9337c9ce648a
Switch to using LetsEncrypt certs by default
IBBoard <dev@ibboard.co.uk>
parents:
119
diff
changeset
|
164 cron { 'letsencrypt-renewal': |
|
9337c9ce648a
Switch to using LetsEncrypt certs by default
IBBoard <dev@ibboard.co.uk>
parents:
119
diff
changeset
|
165 command => '/usr/bin/certbot renew --quiet', |
|
9337c9ce648a
Switch to using LetsEncrypt certs by default
IBBoard <dev@ibboard.co.uk>
parents:
119
diff
changeset
|
166 hour => '*/12', |
|
9337c9ce648a
Switch to using LetsEncrypt certs by default
IBBoard <dev@ibboard.co.uk>
parents:
119
diff
changeset
|
167 minute => '21', |
|
9337c9ce648a
Switch to using LetsEncrypt certs by default
IBBoard <dev@ibboard.co.uk>
parents:
119
diff
changeset
|
168 } |
|
278
a8bf3a400712
Make Certbot package version specific
IBBoard <dev@ibboard.co.uk>
parents:
277
diff
changeset
|
169 if versioncmp($operatingsystemrelease, '7') == 0 { |
|
a8bf3a400712
Make Certbot package version specific
IBBoard <dev@ibboard.co.uk>
parents:
277
diff
changeset
|
170 $certbot_pkg = 'python2-certbot-apache' |
|
a8bf3a400712
Make Certbot package version specific
IBBoard <dev@ibboard.co.uk>
parents:
277
diff
changeset
|
171 } else { |
|
a8bf3a400712
Make Certbot package version specific
IBBoard <dev@ibboard.co.uk>
parents:
277
diff
changeset
|
172 $certbot_pkg = 'python3-certbot-apache' |
|
a8bf3a400712
Make Certbot package version specific
IBBoard <dev@ibboard.co.uk>
parents:
277
diff
changeset
|
173 } |
|
a8bf3a400712
Make Certbot package version specific
IBBoard <dev@ibboard.co.uk>
parents:
277
diff
changeset
|
174 package { $certbot_pkg: |
|
135
b3f6c7a910d0
Add Certbot packages we depend on for commands and providing certs
IBBoard <dev@ibboard.co.uk>
parents:
133
diff
changeset
|
175 ensure => installed, |
|
b3f6c7a910d0
Add Certbot packages we depend on for commands and providing certs
IBBoard <dev@ibboard.co.uk>
parents:
133
diff
changeset
|
176 } |
|
48
5cdc1c96c477
Add SELinux support for website content
IBBoard <dev@ibboard.co.uk>
parents:
1
diff
changeset
|
177 } |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
178 } |