diff modules/website/manifests/init.pp @ 298:61e90445c899

Merge CentOS8 and CentOS7 branches. Also includes some fixes to get it working on CentOS7.
author IBBoard <dev@ibboard.co.uk>
date Mon, 17 Feb 2020 16:08:20 +0000
parents be66955bf27d
children 49e66019faf7
--- a/modules/website/manifests/init.pp	Sun Feb 09 20:31:12 2020 +0000
+++ b/modules/website/manifests/init.pp	Mon Feb 17 16:08:20 2020 +0000
@@ -1,20 +1,17 @@
 class website(
-  $base_dir,
-  $cert_dir           = '/etc/pki/custom',
-  $primary_ip,
-  $secondary_ip,
-  $default_owner,
-  $default_group,
-  $default_tld        = 'com',
-  $default_extra_tlds = []
+  Pattern[/^(\/[^\/]+)*$/] $base_dir,
+  Pattern[/^(\/[^\/]+)*$/] $cert_dir           = '/etc/pki/custom',
+  Stdlib::IP::Address $primary_ip,
+  Optional[Stdlib::IP::Address::V6] $proxy_4to6_ip_prefix = undef,
+  Optional[Integer] $proxy_4to6_mask = undef,
+  Array[Stdlib::IP::Address::V6] $proxy_4to6_addresses = [],
+  Optional[Array] $proxy_upstream = undef,
+  String $default_owner,
+  String $default_group,
+  String $default_tld        = 'com',
+  Array $default_extra_tlds = []
   ){
 
-  validate_re($base_dir, '^(/[^/]+)*$',
-  "${base_dir} is invalid - base_dir must be a directory without trailing slash.")
-  validate_re($cert_dir, '^(/[^/]+)*$',
-  "${cert_dir} is invalid - cert_dir must be a directory without trailing slash.")
-  validate_array($default_extra_tlds)
-
   $basedir = $base_dir
   $certdir = $cert_dir
   $docroot_owner = $default_owner
@@ -124,6 +121,39 @@
   file { $cert_dir:
     ensure => directory;
   }
+  firewall { '100 allow https and http':
+    destination => $primary_ip,
+    dport => [80, 443],
+    proto => tcp,
+    action => accept,
+  }
+  if ($proxy_4to6_ip_prefix != undef) and ($proxy_upstream != undef) {
+    $ipv6_secondaries = join($proxy_4to6_addresses, " ")
+
+    augeas {'IPv6 secondary addresses':
+      context => "/files/etc/sysconfig/network-scripts/ifcfg-eth0",
+      changes => "set IPV6ADDR_SECONDARIES '\"$ipv6_secondaries\"'",
+    }
+
+    apache::mod { "remoteip": }
+    $proxy_4to6_ip = "$proxy_4to6_ip_prefix:0000/$proxy_4to6_mask"
+
+    $proxy_upstream.each |String $upstream_addr| {
+      firewall { "100 limit PROXY protocol to upstream $upstream_addr":
+        source => $upstream_addr,
+        destination => $proxy_4to6_ip,
+        dport => [80, 443],
+        proto => tcp,
+        action => accept,
+      }
+    }
+    firewall { "101 block all other PROXY protocol access":
+      destination => $proxy_4to6_ip,
+      dport => [80, 443],
+      proto => tcp,
+      action => reject,
+    }
+  }
   if $operatingsystem == 'CentOS' and versioncmp($operatingsystemrelease, '7') >= 0 {
     exec { 'set_apache_defaults':
       command => 'semanage fcontext -a -t httpd_sys_content_t "/srv/sites(/.*)?"',
@@ -136,7 +166,12 @@
       hour => '*/12',
       minute => '21',
     }
-    package { 'python-certbot-apache':
+    if versioncmp($operatingsystemrelease, '8') < 0 {
+        $certbot_pkg = 'python2-certbot-apache'
+    } else {
+        $certbot_pkg = 'python3-certbot-apache'
+    }
+    package { $certbot_pkg:
       ensure => installed,
     }
   }
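Review bot: `$proxy_4to6_mask` is never checked before it is interpolated into `$proxy_4to6_ip` in the hunk at +121 — the guard tests only `$proxy_4to6_ip_prefix` and `$proxy_upstream`, so with the default `undef` mask both PROXY-protocol firewall rules (the per-upstream `100 limit ...` accepts and the `101 block all other ...` reject) get a destination of the form `<prefix>:0000/`, which is not a valid address and leaves the intended restriction unenforced. Extend the guard, `if ($proxy_4to6_ip_prefix != undef) and ($proxy_4to6_mask != undef) and ($proxy_upstream != undef) {`, or make the mask a required `Integer` alongside the prefix. In the same spirit, `$proxy_upstream` in the hunk at +1 should be `Optional[Array[Stdlib::IP::Address]]` rather than `Optional[Array]`, since each element goes straight into a firewall `source` and the other parameters are already typed with Stdlib types. `apache::mod { "remoteip": }` only loads the module and nothing in this hunk sets which proxies remoteip trusts; if that is configured elsewhere, a comment on that line naming where (e.g. `# trusted proxies for remoteip are set in <site/vhost manifest>`) would help a reader confirm that forwarded client addresses are accepted only from the upstream list.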