diff modules/website/manifests/init.pp @ 480:2c3e745be8d2
Update server defs and own modules to match
* $osver and $fqdn and others are now all in $facts
* Firewall swapped action for jump and has new way to do IPv6
* SSH server setup changed
* Resolve warnings from fileserver.conf
* has_key() no longer exists because Puppet can do "key in array"
* Some variables are now more strictly typed
Also:
* Try to configure full IPv6 DNS resolver
* Clean up old config - unused servers and some CentOS complexity
author | IBBoard <dev@ibboard.co.uk> |
---|---|
date | Thu, 29 Aug 2024 18:58:49 +0100 |
parents | a08a2f718f9d |
children |
--- a/modules/website/manifests/init.pp Thu Aug 29 18:48:03 2024 +0100
+++ b/modules/website/manifests/init.pp Thu Aug 29 18:58:49 2024 +0100
@@ -15,7 +15,7 @@
 $certdir = $cert_dir
 $docroot_owner = $default_owner
 $docroot_group = $default_group
- $ca_chain = "/etc/letsencrypt/live/${::fqdn}/chain.pem"
+ $ca_chain = "/etc/letsencrypt/live/${facts['networking']['fqdn']}/chain.pem"
 $tld = $default_tld
 $extra_tlds = $default_extra_tlds
 $htmlphpfragment = "Include conf.extra/html-php.conf"
@@ -35,14 +35,14 @@
 "font-src" => "'self' 'nonce-%{CSP_NONCE}e'"
 }
- if $osfamily == 'RedHat' {
+ if $facts["os"]["family"] == 'RedHat' {
 $apache_base_dir = "/etc/httpd/"
 $vhost_dir = "/etc/httpd/conf.d/vhosts"
 $apache_user = 'apache'
 $apache_group = $apache_user
 $apache_log_group = $apache_user
 }
- elsif $osfamily == 'Debian' {
+ elsif $facts["os"]["family"] == 'Debian' {
 $apache_base_dir = "/etc/apache2/"
 $vhost_dir = "/etc/apache2/sites-available"
 $apache_user = 'www-data'
@@ -60,7 +60,7 @@
 }
 class { 'apache::mod::dir': indexes => [ 'index.html' ] }
 class { 'apache::mod::event': }
- class { 'apache::mod::http2': }
+# class { 'apache::mod::http2': }
 class { 'apache::mod::mime': mime_types_config => "${apache_base_dir}mime.types" }
 apache::mod {
 'rewrite':;
@@ -70,12 +70,6 @@
 'headers':;
 'allowmethods':;
 }
- if $osfamily == 'RedHat' {
- # Ubuntu builds the "version" module in, but CentOS doesn't
- apache::mod {
- 'version':;
- }
- }
 # Updating the httpd package puts back some configs that we
 # don't load the relevant modules for, so we'll try to make
@@ -137,7 +131,7 @@
 destination => $primary_ip,
 dport => [80, 443],
 proto => tcp,
- action => accept,
+ jump => accept,
 }
 if ($proxy_4to6_ip_prefix != undef) and ($proxy_upstream != undef) {
 apache::mod { "remoteip": }
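Review bot: The fact lookups introduced in the `@@ -35,14 +35,14 @@` hunk, `$facts["os"]["family"]`, use double-quoted keys while the first hunk writes `${facts['networking']['fqdn']}` and the last hunk writes `${facts['os']['name']}` with single quotes. Puppet style (and puppet-lint's double-quoted-strings check) prefers single quotes for strings without interpolation, so `if $facts['os']['family'] == 'RedHat' {` and `elsif $facts['os']['family'] == 'Debian' {` would keep the file consistent; behaviour is identical either way. The enclosing class starts and ends outside this hunk.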
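Review bot: In the `@@ -60,7 +60,7 @@` hunk the HTTP/2 module is switched off by commenting the resource out (`+# class { 'apache::mod::http2': }`) with no explanation, and the commit message does not mention it either. A one-line comment above it stating why it is disabled and whether it should come back, e.g. `# http2 disabled: <REASON-PLACEHOLDER>; re-enable once <CONDITION-PLACEHOLDER>`, or simply deleting the line, would spare the next reader from guessing. If the intent is that clients fall back to HTTP/1.1 permanently, the comment should say so, since a commented-out resource usually reads as temporary.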
@@ -149,31 +143,21 @@
 destination => $proxy_4to6_ip,
 dport => [80, 443],
 proto => tcp,
- action => accept,
+ jump => accept,
 }
 }
 firewall { "101 block all other PROXY protocol access":
 destination => $proxy_4to6_ip,
 dport => [80, 443],
 proto => tcp,
- action => reject,
+ jump => reject,
 }
 }
- if $operatingsystem == 'CentOS' {
- exec { 'set_apache_defaults':
- command => 'semanage fcontext -a -t httpd_sys_content_t "/srv/sites(/.*)?"',
- path => '/bin:/usr/bin/:/sbin:/usr/sbin',
- require => Package['policycoreutils-python'],
- unless => 'semanage fcontext --list | grep "/srv/sites\\(/\\.\\*\\)\\?"',
- }
- if versioncmp($operatingsystemrelease, '8') < 0 {
- $certbot_pkg = 'python2-certbot-apache'
- } else {
- $certbot_pkg = 'python3-certbot-apache'
- }
+ if $facts["os"]["name"] == 'Ubuntu' {
+ $certbot_pkg = 'python3-certbot-apache'
 }
- elsif $operatingsystem == 'Ubuntu' {
- $certbot_pkg = 'python3-certbot-apache'
+ else {
+ fail("Unsupported OS: ${facts['os']['name']}")
 }
 cron { 'letsencrypt-renewal':
 command => '/usr/bin/certbot renew --quiet',
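Review bot: The new `else { fail("Unsupported OS: ${facts['os']['name']}") }` makes Ubuntu the only OS this class will compile for, yet the `@@ -35,14 +35,14 @@` hunk earlier in this commit still keeps a `$facts["os"]["family"] == 'RedHat'` branch selecting Apache paths and users, and its Debian-family branch would also be taken by a plain Debian host that then fails here. Either drop the RedHat branch as dead code and make the Debian check explicit about being Ubuntu-only, or test `$facts['os']['family'] == 'Debian'` here so Debian itself stays supported as the earlier hunk suggests. If Ubuntu-only is the intent, `$certbot_pkg = 'python3-certbot-apache'` can be assigned unconditionally with the `fail` guard moved up next to the OS-family selection, so the supported-platform decision lives in one place. The enclosing class starts and ends outside this hunk.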