diff modules/website/manifests/https.pp @ 0:956e484adc12
Initial public release of Puppet configs
author | IBBoard <dev@ibboard.co.uk> |
---|---|
date | Sat, 16 Aug 2014 19:47:38 +0000 |
parents | |
children | 16e9e26337be |
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/modules/website/manifests/https.pp Sat Aug 16 19:47:38 2014 +0000
@@ -0,0 +1,145 @@
+# If the SSL cert and key are defined then the definer deals with them existing
+# If the SSL cert and key are not defined then we use template file paths and ensure they exist
+define website::https(
+ $docroot = undef,
+ $ip = $website::primary_ip,
+ $ssl_cert = undef,
+ $ssl_key = undef,
+ $ssl_ca_chain = $website::ca_chain,
+ $priority = undef,
+ $docroot_owner = undef,
+ $docroot_group = undef,
+ $serveraliases = [],
+ $ensure = 'present',
+ $custom_fragment = '',
+ $force_no_www = true,
+ $force_no_index = true,
+ $lockdown_requests = true,
+ ) {
+
+ if ! defined(Class['website']) {
+ fail('You must include the website base class before using any website defined resources')
+ }
+
+ validate_re($ensure, '^(present|absent)$',
+ "${ensure} is not supported for ensure.
+ Allowed values are 'present' and 'absent'.")
+
+ $shortname = domain_to_short_name($name)
+ $logpart = $shortname
+ $shortdomain = domain_to_short_domain($name)
+
+ $custom_conf0 = 'Header add Strict-Transport-Security "max-age=16070400; includeSubDomains"'
+
+ if $force_no_index {
+ $custom_conf1 = "$custom_conf0
+Include conf.extra/no-index.conf"
+ } else {
+ $custom_conf1 = $custom_conf0
+ }
+
+ if $lockdown_requests {
+ $custom_conf2 = "$custom_conf1
+Include conf.custom/filter-core.conf"
+ } else {
+ $custom_conf2 = $custom_conf1
+ }
+
+ if $force_no_www {
+ $custom_conf3 = "$custom_conf2
+Include conf.extra/no-www.conf"
+ } else {
+ $custom_conf3 = $custom_conf2
+ }
+
+ if $custom_fragment {
+ $custom_conf = "$custom_conf3
+#Additional custom fragment
+$custom_fragment"
+ } else {
+ $custom_conf = $custom_conf3
+ }
+
+ if $docroot == undef {
+ $siteroot = "${website::basedir}/${shortname}"
+ } else {
+ $siteroot = $docroot
+ }
+
+ if $ssl_cert == undef {
+ $sslcert = "${website::certdir}/${shortdomain}.crt"
+ $sslkey = "${website::certdir}/${shortdomain}.key"
+ file { $sslcert:
+ source => "puppet:///private/pki/custom/${shortdomain}.crt",
+ before => Apache::Vhost[$name],
+ notify => Service['httpd'],
+ ensure => present;
+ }
+ file { $sslkey:
+ source => "puppet:///private/pki/custom/${shortdomain}.key",
+ before => Apache::Vhost[$name],
+ notify => Service['httpd'],
+ ensure => present;
+ }
+ } else {
+ $sslcert = $ssl_cert
+ $sslkey = $ssl_key
+ }
+
+ if $ssl_ca_chain == '' {
+ # Special case where we're directly under the CA and don't want to unnecessarily send the CA cert
+ $ssl_chain = undef
+ } else {
+ $ssl_chain = "/etc/pki/custom/$ssl_ca_chain"
+ if ! defined(File[$ssl_chain]) {
+ file { $ssl_chain:
+ ensure => present,
+ source => "puppet:///private/pki/custom/$ssl_ca_chain",
+ notify => Service['httpd'],
+ }
+ }
+ }
+
+ if $docroot_owner == undef {
+ $owner = $website::docroot_owner
+ } else {
+ $owner = $docroot_owner
+ }
+
+ if $docroot_group == undef {
+ $group = $website::docroot_group
+ } else {
+ $group = $docroot_group
+ }
+
+ apache::vhost { $name:
+ ip => $ip,
+ port => '443',
+ priority => $priority,
+ docroot => $siteroot,
+ docroot_owner => $owner,
+ docroot_group => $group,
+ custom_fragment => $custom_conf,
+ logroot => '/var/log/apache/',
+ access_log_file => "access_${logpart}.log",
+ error_log_file => "error_${logpart}.log",
+ serveraliases => $serveraliases,
+ ssl => true,
+ ssl_cert => $sslcert,
+ ssl_key => $sslkey,
+ ssl_chain => $ssl_chain,
+ ensure => $ensure,
+ }
+
+ apache::vhost { "${name}-80":
+ servername => $name,
+ port => 80,
+ docroot => $siteroot,
+ redirect_status => 'permanent',
+ redirect_dest => "https://$name/",
+ serveraliases => $serveraliases,
+ logroot => '/var/log/apache/',
+ access_log_file => "access_${logpart}_nossl.log",
+ error_log_file => "error_${logpart}_nossl.log",
+ }
+}
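Review bot: The `file { $sslkey: ... }` resource in the `$ssl_cert == undef` branch sets no `owner`, `group` or `mode`, so the TLS private key is written with whatever the agent's default/umask produces (commonly world-readable 0644) and its contents can also be echoed into agent reports as a content diff; add `owner => 'root', group => 'root', mode => '0600',` and `show_diff => false,` to that resource (httpd typically loads the key as root before dropping privileges, so 0600 should suffice — confirm against this host's httpd setup). Separately, the redirect vhost `apache::vhost { "${name}-80": ... }` carries no `ensure`, so `ensure => 'absent'` removes the HTTPS site but leaves a permanent port-80 redirect pointing at a vhost that no longer exists; pass `ensure => $ensure,` there too. `$ssl_ca_chain` is interpolated unescaped into both the local path and the `puppet:///private/pki/custom/` source URL, which is fine while it only ever comes from trusted manifests, but if it can arrive from hiera or an ENC it deserves a `validate_re` restricting it to a bare filename.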