Mercurial > repos > other > Puppet

view modules/website/manifests/init.pp @ 284:9431aec4d998

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Switch to using IPv6 prefix and IP per site This is because the proxy seems to break SNI, so we need an IP per SSL cert. We're not short of IPv6 addresses, though! Also corrected to "4to6" naming, because we're letting IPv4 access an IPv6 site
author IBBoard <dev@ibboard.co.uk>
date Sun, 16 Feb 2020 12:07:35 +0000
parents af7df930a670
children e765073832d9
line wrap: on
line source

class website(
  Pattern[/^(\/[^\/]+)*$/] $base_dir,
  Pattern[/^(\/[^\/]+)*$/] $cert_dir           = '/etc/pki/custom',
  Stdlib::IP::Address $primary_ip,
  Stdlib::IP::Address::V6 $proxy_4to6_ip_prefix = undef,
  Optional[Integer] $proxy_4to6_mask = undef,
  Array[Stdlib::IP::Address::V6] $proxy_4to6_addresses = [],
  Array $proxy_upstream = undef,
  String $default_owner,
  String $default_group,
  String $default_tld        = 'com',
  Array $default_extra_tlds = []
  ){

  $basedir = $base_dir
  $certdir = $cert_dir
  $docroot_owner = $default_owner
  $docroot_group = $default_group
  $ca_chain = "/etc/letsencrypt/live/${::fqdn}/chain.pem"
  $tld = $default_tld
  $extra_tlds = $default_extra_tlds
  $htmlphpfragment = "Include conf.extra/html-php.conf"
  $filterfragment = "Include conf.custom/filter.conf"
  $cmsfragment = "Include conf.extra/cms_rewrites.conf"

  $csp_base = {"frame-ancestors" => "'none'", "base-uri" => "'none'"}
  $csp_report_base = {
    "default-src" => "'none'",
    "img-src" => "'self'",
    "script-src" => "'self'",
    "style-src" => "'self'",
    "font-src" => "'self'"
  }

  class { 'apache':
    vhost_dir => "/etc/httpd/conf.d/vhosts",
    default_mods => false,
    default_vhost => false,
    mpm_module => false,
  }
  class { 'apache::mod::dir': indexes => [ 'index.html' ] }
  class { 'apache::mod::prefork':
    serverlimit => 45,
    maxclients => 45,
    maxspareservers => 6,
  }
  apache::mod {
    'rewrite':;
    'expires':;
    'env':;
    'setenvif':;
    'headers':;
    'version':;
  }

  # Updating the httpd package puts back some configs that we
  # don't load the relevant modules for, so we'll try to make
  # them blank so that RPM/Yum makes ".rpmnew" files instead
  $unused_default_mods = [
    "${::apache::mod_dir}/autoindex.conf",
    "${::apache::mod_dir}/userdir.conf",
    "${::apache::mod_dir}/welcome.conf",
  ]
  file { $unused_default_mods:
    ensure => file,
    content => '',
    require => Class['apache'],
  }

  file { $base_dir:
    ensure => directory;
  }
  file { '/var/log/apache':
    ensure => directory,
    mode   => '0750',
    group  => 'apache',
  }
  file { '/etc/httpd/conf.extra':
    ensure => directory,
    recurse => true,
    source => "puppet:///modules/website/conf.extra",
    require => Class['apache'],
    notify => Service['httpd'];
  }
  file { '/etc/httpd/conf/mime.types':
    ensure => present,
    source => "puppet:///modules/website/mime.types",
    require => Class['apache'],
    notify => Service['httpd'];
  }
  file { '/etc/php.d/datetime.ini':
    ensure => present,
    source => "puppet:///modules/website/datetime.ini",
    require => Class['apache'],
    notify => Service['httpd'];
  }
  file { '/etc/httpd/conf.d/zzz-custom.conf':
    ensure => absent,
    require => Class['apache'],
    notify => Service['httpd'];
  }
  file { '/etc/httpd/conf.d/zzz-0-custom.conf':
    ensure => present,
    source => "puppet:///modules/website/zzz-0-custom.conf",
    require => Class['apache'],
    notify => Service['httpd'];
  }
  file { '/etc/httpd/conf.d/php.conf':
    ensure => present,
    source => "puppet:///modules/website/php.conf",
    require => Class['apache'],
    notify => Service['httpd'];
  }
  file { '/etc/httpd/conf.custom':
    ensure => directory,
    recurse => true,
    source => "puppet:///private/apache/conf.custom",
    require => Class['apache'],
    notify => Service['httpd']; 
  }
  file { $cert_dir:
    ensure => directory;
  }
  firewall { '100 allow https and http':
    destination => $primary_ip,
    dport => [80, 443],
    proto => tcp,
    action => accept,
  }
  if ($proxy_4to6_ip_prefix != undef) and ($proxy_upstream != undef) {
    $ipv6_secondaries = join($proxy_4to6_addresses, " ")
    augeas {'/etc/sysconfig/network-scripts/ifcfg-eth0':
      context => "/files/etc/sysconfig/network-scripts/ifcfg-eth0",
      changes => "set IPV6ADDR_SECONDARIES '$ipv6_secondaries'",
    }

    apache::mod { "remoteip": }
    $proxy_4to6_ip = "$proxy_4to6_ip_prefix:0000/$proxy_4to6_mask"

    $proxy_upstream.each |String $upstream_addr| {
      firewall { "100 limit PROXY protocol to upstream $upstream_addr":
        source => $upstream_addr,
        destination => $proxy_4to6_ip,
        dport => [80, 443],
        proto => tcp,
        action => accept,
      }
    }
    firewall { "101 block all other PROXY protocol access":
      destination => $proxy_4to6_ip,
      dport => [80, 443],
      proto => tcp,
      action => reject,
    }
  }
  if $operatingsystem == 'CentOS' and versioncmp($operatingsystemrelease, '7') >= 0 {
    exec { 'set_apache_defaults':
      command => 'semanage fcontext -a -t httpd_sys_content_t "/srv/sites(/.*)?"',
      path    => '/bin:/usr/bin/:/sbin:/usr/sbin',
      require => Package['policycoreutils-python'],
      unless  => 'semanage fcontext --list | grep "/srv/sites\\(/\\.\\*\\)\\?"',
    }
    cron { 'letsencrypt-renewal':
      command => '/usr/bin/certbot renew --quiet',
      hour => '*/12',
      minute => '21',
    }
    if versioncmp($operatingsystemrelease, '7') == 0 {
        $certbot_pkg = 'python2-certbot-apache'
    } else {
        $certbot_pkg = 'python3-certbot-apache'
    }
    package { $certbot_pkg:
      ensure => installed,
    }
  }
}