Mercurial > repos > other > Puppet

class website(
  Pattern[/^(\/[^\/]+)*$/] $base_dir,
  Pattern[/^(\/[^\/]+)*$/] $cert_dir           = '/etc/pki/custom',
  Stdlib::IP::Address $primary_ip,
  Optional[Stdlib::IP::Address::V6] $proxy_4to6_ip_prefix = undef,
  Optional[Integer] $proxy_4to6_mask = undef,
  Array[Stdlib::IP::Address::V6] $proxy_4to6_addresses = [],
  Optional[Array] $proxy_upstream = undef,
  String $default_owner,
  String $default_group,
  String $default_tld        = 'com',
  Array $default_extra_tlds = []
  ){

  $basedir = $base_dir
  $certdir = $cert_dir
  $docroot_owner = $default_owner
  $docroot_group = $default_group
  $ca_chain = "/etc/letsencrypt/live/${::fqdn}/chain.pem"
  $tld = $default_tld
  $extra_tlds = $default_extra_tlds
  $htmlphpfragment = "Include conf.extra/html-php.conf"
  $filterfragment = "Include conf.custom/filter.conf"
  $cmsfragment = "Include conf.extra/cms_rewrites.conf"

  $csp_base = {"frame-ancestors" => "'none'", "base-uri" => "'none'"}
  $csp_report_base = {
    "default-src" => "'none'",
    "img-src" => "'self'",
    "script-src" => "'self'",
    "style-src" => "'self'",
    "font-src" => "'self'"
  }

  class { 'apache':
    vhost_dir => "/etc/httpd/conf.d/vhosts",
    default_mods => false,
    default_vhost => false,
    mpm_module => false,
  }
  class { 'apache::mod::dir': indexes => [ 'index.html' ] }
  class { 'apache::mod::prefork':
    serverlimit => 45,
    maxclients => 45,
    maxspareservers => 6,
  }
  apache::mod {
    'rewrite':;
    'expires':;
    'env':;
    'setenvif':;
    'headers':;
    'version':;
  }

  # Updating the httpd package puts back some configs that we
  # don't load the relevant modules for, so we'll try to make
  # them blank so that RPM/Yum makes ".rpmnew" files instead
  $unused_default_mods = [
    "${::apache::mod_dir}/autoindex.conf",
    "${::apache::mod_dir}/userdir.conf",
    "${::apache::mod_dir}/welcome.conf",
  ]
  file { $unused_default_mods:
    ensure => file,
    content => '',
    require => Class['apache'],
  }

  file { $base_dir:
    ensure => directory;
  }
  file { '/var/log/apache':
    ensure => directory,
    mode   => '0750',
    group  => 'apache',
  }
  file { '/etc/httpd/conf.extra':
    ensure => directory,
    recurse => true,
    source => "puppet:///modules/website/conf.extra",
    require => Class['apache'],
    notify => Service['httpd'];
  }
  file { '/etc/httpd/conf/mime.types':
    ensure => present,
    source => "puppet:///modules/website/mime.types",
    require => Class['apache'],
    notify => Service['httpd'];
  }
  file { '/etc/php.d/datetime.ini':
    ensure => present,
    source => "puppet:///modules/website/datetime.ini",
    require => Class['apache'],
    notify => Service['httpd'];
  }
  file { '/etc/httpd/conf.d/zzz-custom.conf':
    ensure => absent,
    require => Class['apache'],
    notify => Service['httpd'];
  }
  file { '/etc/httpd/conf.d/zzz-0-custom.conf':
    ensure => present,
    source => "puppet:///modules/website/zzz-0-custom.conf",
    require => Class['apache'],
    notify => Service['httpd'];
  }
  file { '/etc/httpd/conf.d/php.conf':
    ensure => present,
    source => "puppet:///modules/website/php.conf",
    require => Class['apache'],
    notify => Service['httpd'];
  }
  file { '/etc/httpd/conf.custom':
    ensure => directory,
    recurse => true,
    source => "puppet:///private/apache/conf.custom",
    require => Class['apache'],
    notify => Service['httpd'];
  }
  file { $cert_dir:
    ensure => directory;
  }
  firewall { '100 allow https and http':
    destination => $primary_ip,
    dport => [80, 443],
    proto => tcp,
    action => accept,
  }
  if ($proxy_4to6_ip_prefix != undef) and ($proxy_upstream != undef) {
    $ipv6_secondaries = join($proxy_4to6_addresses, " ")

    augeas {'IPv6 secondary addresses':
      context => "/files/etc/sysconfig/network-scripts/ifcfg-eth0",
      changes => "set IPV6ADDR_SECONDARIES '\"$ipv6_secondaries\"'",
    }

    apache::mod { "remoteip": }
    $proxy_4to6_ip = "$proxy_4to6_ip_prefix:0000/$proxy_4to6_mask"

    $proxy_upstream.each |String $upstream_addr| {
      firewall { "100 limit PROXY protocol to upstream $upstream_addr":
        source => $upstream_addr,
        destination => $proxy_4to6_ip,
        dport => [80, 443],
        proto => tcp,
        action => accept,
      }
    }
    firewall { "101 block all other PROXY protocol access":
      destination => $proxy_4to6_ip,
      dport => [80, 443],
      proto => tcp,
      action => reject,
    }
  }
  if $operatingsystem == 'CentOS' and versioncmp($operatingsystemrelease, '7') >= 0 {
    exec { 'set_apache_defaults':
      command => 'semanage fcontext -a -t httpd_sys_content_t "/srv/sites(/.*)?"',
      path    => '/bin:/usr/bin/:/sbin:/usr/sbin',
      require => Package['policycoreutils-python'],
      unless  => 'semanage fcontext --list | grep "/srv/sites\\(/\\.\\*\\)\\?"',
    }
    cron { 'letsencrypt-renewal':
      command => '/usr/bin/certbot renew --quiet',
      hour => '*/12',
      minute => '21',
    }
    if versioncmp($operatingsystemrelease, '7') == 0 {
        $certbot_pkg = 'python2-certbot-apache'
    } else {
        $certbot_pkg = 'python3-certbot-apache'
    }
    package { $certbot_pkg:
      ensure => installed,
    }
  }
}
author	IBBoard <dev@ibboard.co.uk>
date	Sun, 16 Feb 2020 20:11:00 +0000
parents	97e732f67770
children	61e90445c899