view modules/website/manifests/https.pp @ 57:3674aac72674 puppet-3.6

Merge Default changes to Puppet 3.6 and fix conflict
author IBBoard <dev@ibboard.co.uk>
date Sun, 26 Jul 2015 17:55:43 +0100
parents 16e9e26337be
children e50dab7495d7
line wrap: on
line source

# If the SSL cert and key are defined then the definer deals with them existing
# If the SSL cert and key are not defined then we use template file paths and ensure they exist
define website::https(
    $docroot            = undef,
    $ip                 = $website::primary_ip,
    $ssl_cert           = undef,
    $ssl_key            = undef,
    $ssl_ca_chain       = $website::ca_chain,
    $priority           = undef,
    $docroot_owner      = undef,
    $docroot_group      = undef,
    $serveraliases      = [],
    $ensure             = 'present',
    $custom_fragment    = '',
    $force_no_www       = true,
    $force_no_index     = true,
    $lockdown_requests  = true,
  ) {

  if ! defined(Class['website']) {
    fail('You must include the website base class before using any website defined resources')
  }

  validate_re($ensure, '^(present|absent)$',
  "${ensure} is not supported for ensure.
  Allowed values are 'present' and 'absent'.")

  $shortname = domain_to_short_name($name)
  $logpart = $shortname
  $shortdomain = domain_to_short_domain($name)

  $custom_conf0 = 'Header add Strict-Transport-Security "max-age=16070400; includeSubDomains"'

  if $force_no_index {
    $custom_conf1 = "$custom_conf0
Include conf.extra/no-index.conf"
  } else {
    $custom_conf1 = $custom_conf0
  }

  if $lockdown_requests {
    $custom_conf2 = "$custom_conf1
Include conf.custom/filter-core.conf"
  } else {
    $custom_conf2 = $custom_conf1
  }

  if $force_no_www {
    $custom_conf3 = "$custom_conf2
Include conf.extra/no-www.conf"
  } else {
    $custom_conf3 = $custom_conf2
  }

  if $custom_fragment {
    $custom_conf = "$custom_conf3
#Additional custom fragment
$custom_fragment"
  } else {
    $custom_conf = $custom_conf3
  }

  if $docroot == undef {
    $siteroot = "${website::basedir}/${shortname}"
  } else {
    $siteroot = $docroot
  }

  if $ssl_cert == undef {
    $sslcert = "${website::certdir}/${shortdomain}.crt"
    $sslkey = "${website::certdir}/${shortdomain}.key"
    File {
      mode => '0400',
      owner => 'root',
      group => 'root',
    }
    file { $sslcert:
      source => "puppet:///private/pki/custom/${shortdomain}.crt",
      before => Apache::Vhost[$name],
      notify => Service['httpd'],
      ensure => present;
    }
    file { $sslkey:
      source => "puppet:///private/pki/custom/${shortdomain}.key",
      before => Apache::Vhost[$name],
      notify => Service['httpd'],
      ensure => present;
    }
  } else {
    $sslcert = $ssl_cert
    $sslkey = $ssl_key
  }

  if $ssl_ca_chain == '' {
    # Special case where we're directly under the CA and don't want to unnecessarily send the CA cert
    $ssl_chain = undef
  } else {
    $ssl_chain = "/etc/pki/custom/$ssl_ca_chain"
    if ! defined(File[$ssl_chain]) {
      file { $ssl_chain:
        ensure => present,
        source => "puppet:///private/pki/custom/$ssl_ca_chain",
        notify  => Service['httpd'],
      }
    }
  }

  if $docroot_owner == undef {
    $owner = $website::docroot_owner
  } else {
    $owner = $docroot_owner
  }

  if $docroot_group == undef {
    $group = $website::docroot_group
  } else {
    $group = $docroot_group
  }

  apache::vhost { $name:
    ip              => $ip,
    port            => '443',
    priority        => $priority,
    docroot         => $siteroot,
    docroot_owner   => $owner,
    docroot_group   => $group,
    custom_fragment => $custom_conf,
    logroot         => '/var/log/apache/',
    access_log_file => "access_${logpart}.log",
    error_log_file  => "error_${logpart}.log",
    serveraliases   => $serveraliases,
    ssl             => true,
    ssl_cert        => $sslcert,
    ssl_key         => $sslkey,
    ssl_chain       => $ssl_chain,
    ensure          => $ensure,
  }

  apache::vhost { "${name}-80":
    servername => $name,
    port => 80,
    docroot => $siteroot,
    redirect_status => 'permanent',
    redirect_dest => "https://$name/",
    serveraliases   => $serveraliases,
    logroot         => '/var/log/apache/',
    access_log_file => "access_${logpart}_nossl.log",
    error_log_file  => "error_${logpart}_nossl.log",
  }
}