view modules/website/manifests/init.pp @ 256:0ebd8efeef04

Merge Puppet divergences and fix SSL chain issues it caused
author IBBoard <dev@ibboard.co.uk>
date Sun, 29 Dec 2019 15:31:28 +0000
parents 5a903aa91469 47750947f4dc
children 241fbf45e6f3
line wrap: on
line source

class website(
  $base_dir,
  $cert_dir           = '/etc/pki/custom',
  $primary_ip,
  $secondary_ip,
  $default_owner,
  $default_group,
  $default_tld        = 'com',
  $default_extra_tlds = []
  ){

  validate_re($base_dir, '^(/[^/]+)*$',
  "${base_dir} is invalid - base_dir must be a directory without trailing slash.")
  validate_re($cert_dir, '^(/[^/]+)*$',
  "${cert_dir} is invalid - cert_dir must be a directory without trailing slash.")
  validate_array($default_extra_tlds)

  $basedir = $base_dir
  $certdir = $cert_dir
  $docroot_owner = $default_owner
  $docroot_group = $default_group
  $ca_chain = "/etc/letsencrypt/live/${::fqdn}/chain.pem"
  $tld = $default_tld
  $extra_tlds = $default_extra_tlds
  $htmlphpfragment = "Include conf.extra/html-php.conf"
  $filterfragment = "Include conf.custom/filter.conf"
  $cmsfragment = "Include conf.extra/cms_rewrites.conf"

  $csp_base = {"frame-ancestors" => "'none'", "base-uri" => "'none'"}
  $csp_report_base = {
    "default-src" => "'none'",
    "img-src" => "'self'",
    "script-src" => "'self'",
    "style-src" => "'self'",
    "font-src" => "'self'"
  }

  class { 'apache':
    default_mods => false,
    default_vhost => false,
    mpm_module => false,
  }
  class { 'apache::mod::dir': indexes => [ 'index.html' ] }
  class { 'apache::mod::prefork':
    serverlimit => 45,
    maxclients => 45,
    maxspareservers => 6,
  }
  apache::mod {
    'rewrite':;
    'expires':;
    'env':;
    'setenvif':;
    'headers':;
    'version':;
  }

  # Updating the httpd package puts back some configs that we
  # don't load the relevant modules for, so we'll try to make
  # them blank so that RPM/Yum makes ".rpmnew" files instead
  $unused_default_mods = [
    "${::apache::mod_dir}/autoindex.conf",
    "${::apache::mod_dir}/userdir.conf",
    "${::apache::mod_dir}/welcome.conf",
  ]
  file { $unused_default_mods:
    ensure => file,
    content => '',
    require => Class['apache'],
  }

  file { $base_dir:
    ensure => directory;
  }
  file { '/var/log/apache':
    ensure => directory,
    mode   => '0750',
    group  => 'apache',
  }
  file { '/etc/httpd/conf.extra':
    ensure => directory,
    recurse => true,
    source => "puppet:///modules/website/conf.extra",
    require => Class['apache'],
    notify => Service['httpd'];
  }
  file { '/etc/httpd/conf/mime.types':
    ensure => present,
    source => "puppet:///modules/website/mime.types",
    require => Class['apache'],
    notify => Service['httpd'];
  }
  file { '/etc/php.d/datetime.ini':
    ensure => present,
    source => "puppet:///modules/website/datetime.ini",
    require => Class['apache'],
    notify => Service['httpd'];
  }
  file { '/etc/httpd/conf.d/zzz-custom.conf':
    ensure => absent,
    require => Class['apache'],
    notify => Service['httpd'];
  }
  file { '/etc/httpd/conf.d/zzz-0-custom.conf':
    ensure => present,
    source => "puppet:///modules/website/zzz-0-custom.conf",
    require => Class['apache'],
    notify => Service['httpd'];
  }
  file { '/etc/httpd/conf.d/php.conf':
    ensure => present,
    source => "puppet:///modules/website/php.conf",
    require => Class['apache'],
    notify => Service['httpd'];
  }
  file { '/etc/httpd/conf.custom':
    ensure => directory,
    recurse => true,
    source => "puppet:///private/apache/conf.custom",
    require => Class['apache'],
    notify => Service['httpd']; 
  }
  file { $cert_dir:
    ensure => directory;
  }
  if $operatingsystem == 'CentOS' and versioncmp($operatingsystemrelease, '7') >= 0 {
    exec { 'set_apache_defaults':
      command => 'semanage fcontext -a -t httpd_sys_content_t "/srv/sites(/.*)?"',
      path    => '/bin:/usr/bin/:/sbin:/usr/sbin',
      require => Package['policycoreutils-python'],
      unless  => 'semanage fcontext --list | grep "/srv/sites\\(/\\.\\*\\)\\?"',
    }
    cron { 'letsencrypt-renewal':
      command => '/usr/bin/certbot renew --quiet',
      hour => '*/12',
      minute => '21',
    }
    if $operatingsystem == 'CentOS' and versioncmp($operatingsystemrelease, '8') >= 0 {
      $certbot_package = 'python3-certbot-apache'
    } else {
      $certbot_package = 'python2-certbot-apache'
    }
    package { 'python-certbot-apache':
      name => $certbot_package,
      ensure => installed,
    }
  }
}