diff modules/website/manifests/init.pp @ 298:61e90445c899
Merge CentOS8 and CentOS7 branches
Also includes some fixes to get it working on CentOS7
author | IBBoard <dev@ibboard.co.uk> |
date | Mon, 17 Feb 2020 16:08:20 +0000 |
parents | be66955bf27d |
children | 49e66019faf7 |
--- a/modules/website/manifests/init.pp Sun Feb 09 20:31:12 2020 +0000
+++ b/modules/website/manifests/init.pp Mon Feb 17 16:08:20 2020 +0000
@@ -1,20 +1,17 @@
 class website(
- $base_dir,
- $cert_dir = '/etc/pki/custom',
- $primary_ip,
- $secondary_ip,
- $default_owner,
- $default_group,
- $default_tld = 'com',
- $default_extra_tlds = []
+ Pattern[/^(\/[^\/]+)*$/] $base_dir,
+ Pattern[/^(\/[^\/]+)*$/] $cert_dir = '/etc/pki/custom',
+ Stdlib::IP::Address $primary_ip,
+ Optional[Stdlib::IP::Address::V6] $proxy_4to6_ip_prefix = undef,
+ Optional[Integer] $proxy_4to6_mask = undef,
+ Array[Stdlib::IP::Address::V6] $proxy_4to6_addresses = [],
+ Optional[Array] $proxy_upstream = undef,
+ String $default_owner,
+ String $default_group,
+ String $default_tld = 'com',
+ Array $default_extra_tlds = []
 ){
- validate_re($base_dir, '^(/[^/]+)*$',
- "${base_dir} is invalid - base_dir must be a directory without trailing slash.")
- validate_re($cert_dir, '^(/[^/]+)*$',
- "${cert_dir} is invalid - cert_dir must be a directory without trailing slash.")
- validate_array($default_extra_tlds)
-
 $basedir = $base_dir
 $certdir = $cert_dir
 $docroot_owner = $default_owner
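Review bot: The `Pattern[/^(\/[^\/]+)*$/]` type on `$base_dir` and `$cert_dir` anchors with `^`/`$`, which in the Ruby regex engine Puppet uses are line anchors, so a value containing a newline is accepted as long as one of its lines looks like a clean path; the removed `validate_re` calls had the same weakness, so this is not a regression, but the type declaration is the natural place to close it with `Pattern[/\A(\/[^\/]+)*\z/]`. The starred group also accepts the empty string, as the old check did; if an empty base directory is not meaningful, `+` instead of `*` rejects it. Separately, `$proxy_upstream` is typed `Optional[Array]` although its elements are used as firewall `source` addresses later in this file, so `Optional[Array[Stdlib::IP::Address]]` would give it the same validation that `$proxy_4to6_addresses` gets. The descriptive messages from the dropped `validate_re` calls are lost with the type change; a short comment above the two parameters, such as `# absolute directory, no trailing slash`, would keep that intent visible. The class body continues past the end of the hunk.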
@@ -124,6 +121,39 @@
 file { $cert_dir:
 ensure => directory;
 }
+ firewall { '100 allow https and http':
+ destination => $primary_ip,
+ dport => [80, 443],
+ proto => tcp,
+ action => accept,
+ }
+ if ($proxy_4to6_ip_prefix != undef) and ($proxy_upstream != undef) {
+ $ipv6_secondaries = join($proxy_4to6_addresses, " ")
+ augeas {'IPv6 secondary addresses':
+ context => "/files/etc/sysconfig/network-scripts/ifcfg-eth0",
+ changes => "set IPV6ADDR_SECONDARIES '\"$ipv6_secondaries\"'",
+ }
+
+ apache::mod { "remoteip": }
+ $proxy_4to6_ip = "$proxy_4to6_ip_prefix:0000/$proxy_4to6_mask"
+
+ $proxy_upstream.each |String $upstream_addr| {
+ firewall { "100 limit PROXY protocol to upstream $upstream_addr":
+ source => $upstream_addr,
+ destination => $proxy_4to6_ip,
+ dport => [80, 443],
+ proto => tcp,
+ action => accept,
+ }
+ }
+ firewall { "101 block all other PROXY protocol access":
+ destination => $proxy_4to6_ip,
+ dport => [80, 443],
+ proto => tcp,
+ action => reject,
+ }
+ }
 if $operatingsystem == 'CentOS' and versioncmp($operatingsystemrelease, '7') >= 0 {
 exec { 'set_apache_defaults':
 command => 'semanage fcontext -a -t httpd_sys_content_t "/srv/sites(/.*)?"',
@@ -136,7 +166,12 @@
 hour => '*/12',
 minute => '21',
 }
- package { 'python-certbot-apache':
+ if versioncmp($operatingsystemrelease, '8') < 0 {
+ $certbot_pkg = 'python2-certbot-apache'
+ } else {
+ $certbot_pkg = 'python3-certbot-apache'
+ }
+ package { $certbot_pkg:
 ensure => installed,
 }
 }
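Review bot: `$proxy_4to6_ip = "$proxy_4to6_ip_prefix:0000/$proxy_4to6_mask"` is built whenever the prefix and the upstream list are set, but the guard on the `if` line never checks `$proxy_4to6_mask`, which is declared `Optional[Integer]` with a default of `undef`; in that case the value ends in `/` with no mask, and both PROXY-protocol firewall rules carry a malformed `destination`, so the `101 block all other PROXY protocol access` reject rule that is meant to fence off the proxy range presumably never applies cleanly. Either extend the condition to `if ($proxy_4to6_ip_prefix != undef) and ($proxy_4to6_mask != undef) and ($proxy_upstream != undef) {` or give the mask a concrete default so the prefix and mask cannot be set independently. The interpolation `"$proxy_4to6_ip_prefix:0000/..."` also relies on the reader knowing the variable name stops before a single colon; `"${proxy_4to6_ip_prefix}:0000/${proxy_4to6_mask}"` is the unambiguous form. The `if $operatingsystem == 'CentOS'` block opened at the end of this hunk continues past it.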
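Review bot: The new `$certbot_pkg` selection is a four-line `if`/`else` nested inside the CentOS `>= 7` branch, which starts outside this hunk; a selector keeps the choice to one expression, `$certbot_pkg = (versioncmp($operatingsystemrelease, '8') < 0) ? { true => 'python2-certbot-apache', default => 'python3-certbot-apache' }`. Whichever form is kept, a one-line comment above it stating why the package name differs at release 8, for example `# CentOS 8 ships certbot on python3 only — confirm`, would spare the next reader from re-deriving the split. The surrounding class body ends outside the hunk.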