Mercurial > repos > other > Puppet

view modules/website/manifests/init.pp @ 471:65290cb0cec2 default tip

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Tidy up SSH firewall handling We can be generic while referencing private values for specific ports
author IBBoard <dev@ibboard.co.uk>
date Sun, 12 May 2024 19:51:53 +0100
parents a08a2f718f9d
children
line wrap: on
line source

class website(
  Pattern[/^(\/[^\/]+)*$/] $base_dir,
  Pattern[/^(\/[^\/]+)*$/] $cert_dir           = '/etc/pki/custom',
  Stdlib::IP::Address $primary_ip,
  Optional[Stdlib::IP::Address::V6] $proxy_4to6_ip_prefix = undef,
  Optional[Integer] $proxy_4to6_mask = undef,
  Optional[Array] $proxy_upstream = undef,
  String $default_owner,
  String $default_group,
  String $default_tld        = 'com',
  Array $default_extra_tlds = []
  ){

  $basedir = $base_dir
  $certdir = $cert_dir
  $docroot_owner = $default_owner
  $docroot_group = $default_group
  $ca_chain = "/etc/letsencrypt/live/${::fqdn}/chain.pem"
  $tld = $default_tld
  $extra_tlds = $default_extra_tlds
  $htmlphpfragment = "Include conf.extra/html-php.conf"
  $filterfragment = "Include conf.custom/filter.conf"
  $cmsfragment = "Include conf.extra/cms_rewrites.conf"

  $csp_base = {
    "frame-ancestors" => "'none'",
    "base-uri" => "'none'",
    "object-src" => "'none'",
  }
  $csp_report_base = {
    "default-src" => "'none'",
    "img-src" => "'self'",
    "script-src" => "'self' 'nonce-%{CSP_NONCE}e'",
    "style-src" => "'self' 'nonce-%{CSP_NONCE}e'",
    "font-src" => "'self' 'nonce-%{CSP_NONCE}e'"
  }

  if $osfamily == 'RedHat' {
    $apache_base_dir = "/etc/httpd/"
    $vhost_dir = "/etc/httpd/conf.d/vhosts"
    $apache_user = 'apache'
    $apache_group = $apache_user
    $apache_log_group = $apache_user
  }
  elsif $osfamily == 'Debian' {
    $apache_base_dir = "/etc/apache2/"
    $vhost_dir = "/etc/apache2/sites-available"
    $apache_user = 'www-data'
    $apache_group = $apache_user
    $apache_log_group = $apache_user
  }


  class { 'apache':
    vhost_dir => $vhost_dir,
    protocols => ["h2", "http/1.1"],
    default_mods => false,
    default_vhost => false,
    mpm_module => false,
  }
  class { 'apache::mod::dir': indexes => [ 'index.html' ] }
  class { 'apache::mod::event': }
  class { 'apache::mod::http2': }
  class { 'apache::mod::mime': mime_types_config => "${apache_base_dir}mime.types" }
  apache::mod {
    'rewrite':;
    'expires':;
    'env':;
    'setenvif':;
    'headers':;
    'allowmethods':;
  }
  if $osfamily == 'RedHat' {
    # Ubuntu builds the "version" module in, but CentOS doesn't
    apache::mod {
      'version':;
    }
  }

  # Updating the httpd package puts back some configs that we
  # don't load the relevant modules for, so we'll try to make
  # them blank so that RPM/Yum makes ".rpmnew" files instead
  $unused_default_mods = [
    "${::apache::mod_dir}/autoindex.conf",
    "${::apache::mod_dir}/userdir.conf",
    "${::apache::mod_dir}/welcome.conf",
  ]
  file { $unused_default_mods:
    ensure => file,
    content => '',
    require => Class['apache'],
  }

  file { $base_dir:
    ensure => directory;
  }
  file { '/var/log/apache':
    ensure => directory,
    mode   => '0750',
    group  => $apache_log_group,
  }
  file { "${apache_base_dir}conf.extra":
    ensure => directory,
    recurse => true,
    source => "puppet:///modules/website/conf.extra",
    require => Class['apache'],
    notify => Service['httpd'];
  }
  file { "${apache_base_dir}mime.types":
    ensure => present,
    source => "puppet:///modules/website/mime.types",
    require => Class['apache'],
    notify => Service['httpd'];
  }
  file { "${apache_base_dir}conf.d/zzz-custom.conf":
    ensure => absent,
    require => Class['apache'],
    notify => Service['httpd'];
  }
  file { "${apache_base_dir}conf.d/zzz-0-custom.conf":
    ensure => present,
    source => "puppet:///modules/website/zzz-0-custom.conf",
    require => Class['apache'],
    notify => Service['httpd'];
  }
  file { "${apache_base_dir}conf.custom":
    ensure => directory,
    recurse => true,
    source => "puppet:///private/apache/conf.custom",
    require => Class['apache'],
    notify => Service['httpd']; 
  }
  file { $cert_dir:
    ensure => directory;
  }
  firewall { '100 allow https and http':
    destination => $primary_ip,
    dport => [80, 443],
    proto => tcp,
    action => accept,
  }
  if ($proxy_4to6_ip_prefix != undef) and ($proxy_upstream != undef) {
    apache::mod { "remoteip": }
    $proxy_4to6_ip = "$proxy_4to6_ip_prefix:0000/$proxy_4to6_mask"

    $proxy_upstream.each |String $upstream_addr| {
      firewall { "100 limit PROXY protocol to upstream $upstream_addr":
        source => $upstream_addr,
        destination => $proxy_4to6_ip,
        dport => [80, 443],
        proto => tcp,
        action => accept,
      }
    }
    firewall { "101 block all other PROXY protocol access":
      destination => $proxy_4to6_ip,
      dport => [80, 443],
      proto => tcp,
      action => reject,
    }
  }
  if $operatingsystem == 'CentOS' {
    exec { 'set_apache_defaults':
      command => 'semanage fcontext -a -t httpd_sys_content_t "/srv/sites(/.*)?"',
      path    => '/bin:/usr/bin/:/sbin:/usr/sbin',
      require => Package['policycoreutils-python'],
      unless  => 'semanage fcontext --list | grep "/srv/sites\\(/\\.\\*\\)\\?"',
    }
    if versioncmp($operatingsystemrelease, '8') < 0 {
        $certbot_pkg = 'python2-certbot-apache'
    } else {
        $certbot_pkg = 'python3-certbot-apache'
    }
  }
  elsif $operatingsystem == 'Ubuntu' {
    $certbot_pkg = 'python3-certbot-apache'
  }
  cron { 'letsencrypt-renewal':
    command => '/usr/bin/certbot renew --quiet',
    hour => '*/12',
    minute => '21',
  }
  package { $certbot_pkg:
    ensure => installed,
  }
}