changeset 150:060f81349dd6 puppet-3.6
Restructure HTTPS certificates and multiple TLD sites for clarity
author | IBBoard <dev@ibboard.co.uk> |
---|---|
date | Tue, 28 Mar 2017 20:46:35 +0100 |
parents | af30a5eb468f |
children | 1ad747713519 |
files | manifests/templates.pp modules/website/manifests/https.pp modules/website/manifests/https/multitld.pp modules/website/manifests/https/redir.pp |
diffstat | 4 files changed, 49 insertions(+), 59 deletions(-) [+] |
--- a/manifests/templates.pp Sun Mar 26 16:53:34 2017 +0100
+++ b/manifests/templates.pp Tue Mar 28 20:46:35 2017 +0100
@@ -517,8 +517,6 @@
 ensure => 'present',
 custom_fragment => 'Include conf.extra/no-index.conf
 Include conf.custom/filter-core.conf
-Include conf.extra/no-www.conf
-Include conf.extra/no-com.conf
 Include conf.extra/html-php.conf
 #Additional custom fragment
 ErrorDocument 404 /error.php',
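Review bot: Dropping `Include conf.extra/no-www.conf` and `Include conf.extra/no-com.conf` from this vhost's custom_fragment removes whatever canonicalisation those snippets provided, and nothing in this hunk puts anything in their place. If this resource is a website::https instance it may now get that behaviour from the new https_core_conf.erb template, but if it is a plain vhost it has silently lost the www/.com handling; I can't tell which from the hunk. A one-line comment in the fragment, e.g. `# www/.com redirects are now supplied by the website module's core template`, would make the dependency explicit for whoever edits this site next. The enclosing resource declaration starts and ends outside the hunk.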
--- a/modules/website/manifests/https.pp Sun Mar 26 16:53:34 2017 +0100
+++ b/modules/website/manifests/https.pp Tue Mar 28 20:46:35 2017 +0100
@@ -6,6 +6,7 @@
 $ssl_cert = undef,
 $ssl_key = undef,
 $ssl_ca_chain = undef,
+ $letsencrypt_name = undef,
 $priority = undef,
 $docroot_owner = undef,
 $docroot_group = undef,
@@ -29,10 +30,7 @@
 $logpart = $shortname
 $shortdomain = domain_to_short_domain($name)
- $custom_conf0 = 'Header always set Strict-Transport-Security "max-age=16070400; includeSubDomains"
-Header always set X-Xss-Protection "1; mode=block"
-Header always set X-Content-Type-Options "nosniff"
-Header always set X-Frame-Options "SAMEORIGIN"'
+ $custom_conf0 = template('website/https_core_conf.erb')
 if $force_no_index {
 $custom_conf1 = "$custom_conf0
@@ -48,19 +46,12 @@
 $custom_conf2 = $custom_conf1
 }
- if $force_no_www {
 $custom_conf3 = "$custom_conf2
-Include conf.extra/no-www.conf"
 } else {
 $custom_conf3 = $custom_conf2
 }
- if $custom_fragment {
- $custom_conf = "$custom_conf3
+ $custom_conf = "$custom_conf2
 #Additional custom fragment
 $custom_fragment"
 } else {
- $custom_conf = $custom_conf3
+ $custom_conf = $custom_conf2
 }
 if $docroot == undef {
@@ -74,10 +65,10 @@
 # because if we don't then undef gets auto-cast to the empty string and the empty string matches our special "no CA chain" case
 # It'd be nicer to use "=~ Undef" to check types (https://puppet-on-the-edge.blogspot.co.uk/2013/12/lets-talk-about-undef.html),
 # but that threw syntax errors.
- if $ssl_cert == undef and $ssl_ca_chain == undef and !("" in [$ssl_ca_chain]) {
- $sslcert = "/etc/letsencrypt/live/${::fqdn}/cert.pem"
- $sslkey = "/etc/letsencrypt/live/${::fqdn}/privkey.pem"
- } elsif $ssl_cert == undef {
+ if $ssl_cert != undef {
+ $sslcert = $ssl_cert
+ $sslkey = $ssl_key
+ } elsif $ssl_ca_chain == "" and ("" in [$ssl_ca_chain]) {
 $sslcert = "${website::certdir}/${shortdomain}.crt"
 $sslkey = "${website::certdir}/${shortdomain}.key"
 File {
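Review bot: The new `$letsencrypt_name` parameter is added without any documentation, and its meaning (a certbot lineage directory name, used in place of `$::fqdn`) is only discoverable by reading the branch chain further down. A comment on the parameter line such as `# Name of the certbot lineage under /etc/letsencrypt/live/ to serve from; defaults to the host's FQDN. Ignored when $ssl_cert is given.` would let callers use it correctly without reading the body. The define's parameter list starts before this hunk.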
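Review bot: The HSTS, X-Xss-Protection, X-Content-Type-Options and X-Frame-Options headers that were set inline now come from `template('website/https_core_conf.erb')`, but that template is not one of the four files in this changeset, so either it already exists in the repo or catalog compilation will fail on a missing template. It is worth confirming that the template still emits the same `Header always set Strict-Transport-Security "max-age=16070400; includeSubDomains"` line, because this assignment was the only place the HSTS policy was visible and a narrowed or dropped policy would be easy to miss in a later template edit. A short comment here, e.g. `# Security headers (HSTS, nosniff, frame/XSS protection) are defined in templates/https_core_conf.erb`, would keep that responsibility discoverable from the manifest.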
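Review bot: After removing the `if $force_no_www` branch nothing in the hunks shown consumes `$force_no_www`, yet multitld.pp in this same changeset still passes `force_no_www => $force_no_www` through, so the parameter is now accepted and silently ignored unless the new template reads it. Either drop the parameter from website::https and its callers, or make the dependency explicit; I cannot see the erb, so if it does read `@force_no_www` a comment next to `$custom_conf0` saying so is enough, otherwise a guard like `if $force_no_www { fail("force_no_www is no longer supported on ${name}") }` is safer than a no-op. The same applies to the `no-www.conf` include that this branch used to add.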
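Review bot: The new first branch takes `$ssl_cert` without checking that `$ssl_key` was supplied with it, so a caller that sets only `ssl_cert` ends up with an undef key path handed to the vhost; an explicit check such as `if $ssl_cert != undef and $ssl_key == undef { fail("ssl_key is required when ssl_cert is set for ${name}") }` ahead of the chain would surface that at compile time (under the undef-as-empty-string semantics the comment above describes, this also catches an empty `ssl_key`). Note also the precedence the new ordering creates: an explicit `ssl_ca_chain => ''` now wins over `$letsencrypt_name`, so a caller passing both gets the `${website::certdir}` certificate and the lineage name is silently ignored; that deserves either a `fail()` for the conflicting combination or a comment stating the intended precedence. The branch chain continues in the next hunk.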
@@ -97,18 +88,15 @@
 notify => Service['httpd'],
 ensure => present;
 }
+ } elsif $letsencrypt_name != undef {
+ $sslcert = "/etc/letsencrypt/live/${letsencrypt_name}/cert.pem"
+ $sslkey = "/etc/letsencrypt/live/${letsencrypt_name}/privkey.pem"
 } else {
- $sslcert = $ssl_cert
- $sslkey = $ssl_key
+ $sslcert = "/etc/letsencrypt/live/${::fqdn}/cert.pem"
+ $sslkey = "/etc/letsencrypt/live/${::fqdn}/privkey.pem"
 }
- if $ssl_ca_chain == undef and !("" in [$ssl_ca_chain]) {
- $ssl_chain = $website::ca_chain
- }
- elsif $ssl_ca_chain == '' {
- # Special case where we're directly under the CA and don't want to unnecessarily send the CA cert
- $ssl_chain = undef
- } else {
+ if $ssl_ca_chain != '' {
 $ssl_chain = "/etc/pki/custom/$ssl_ca_chain"
 if ! defined(File[$ssl_chain]) {
 file { $ssl_chain:
@@ -117,6 +105,13 @@
 notify => Service['httpd'],
 }
 }
+ } elsif $ssl_ca_chain == '' and '' in [$ssl_ca_chain] {
+ # Special case where we're directly under the CA and don't want to unnecessarily send the CA cert
+ $ssl_chain = undef
+ } elsif $letsencrypt_name != undef {
+ $ssl_chain = "/etc/letsencrypt/live/${letsencrypt_name}/chain.pem"
+ } else {
+ $ssl_chain = $website::ca_chain
 }
 if $docroot_owner == undef {
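Review bot: `$letsencrypt_name` is interpolated straight into `/etc/letsencrypt/live/${letsencrypt_name}/cert.pem` and `privkey.pem` with no validation, so a value containing `/` or `..` points Apache at an arbitrary certificate and private key on the box (the same is true of `/etc/pki/custom/$ssl_ca_chain` just below). These are manifest parameters rather than end-user input, so the exposure is misconfiguration rather than an attack path, but the module already uses `validate_re` in multitld.pp and a guard is cheap: `if $letsencrypt_name != undef { validate_re($letsencrypt_name, '^[A-Za-z0-9.-]+$', 'letsencrypt_name must be a bare lineage name') }`. Constraining it to a bare name also guarantees the `chain.pem` path built in the next hunk stays inside the same lineage directory.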
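Review bot: The chain selection is now inconsistent between the two Let's Encrypt cases: a named lineage gets `/etc/letsencrypt/live/${letsencrypt_name}/chain.pem`, but the default `$::fqdn` lineage (the final `else` of the certificate chain above) still falls through to `$ssl_chain = $website::ca_chain`, a static chain file. If `$website::ca_chain` is a pinned Let's Encrypt intermediate, the fqdn-default sites will serve a mismatched chain the next time the CA rotates its intermediate, while the named-lineage sites will keep working because certbot updates chain.pem for them. Either derive the chain from `/etc/letsencrypt/live/${::fqdn}/chain.pem` as well when no explicit `$ssl_cert` was given, or add a comment on the `else` explaining why the default deliberately stays on `$website::ca_chain`; note the `else` also covers the explicit-`ssl_cert`-without-chain case, so the two need separating before changing it.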
--- a/modules/website/manifests/https/multitld.pp Sun Mar 26 16:53:34 2017 +0100
+++ b/modules/website/manifests/https/multitld.pp Tue Mar 28 20:46:35 2017 +0100
@@ -6,6 +6,7 @@
 $main_tld = $website::tld,
 $extra_tlds = $website::extra_tlds,
 $ssl_ca_chain = undef,
+ $letsencrypt_name = undef,
 $docroot_owner = undef,
 $docroot_group = undef,
 $custom_fragment = undef,
@@ -21,35 +22,26 @@
 validate_re($main_tld, '^[a-z]+(\.[a-z]+)?', 'TLD must be in the form "com" or "co.uk"')
 $alias = domain_to_short_domain($base)
- if $base == $alias {
- $main_alias = []
+ $base_aliases = prefix($extra_tlds, "${base}.")
+ if $base != $alias {
+ $aliases = concat(concat($base_aliases, "${alias}.${main_tld}"),
+ prefix($extra_tlds, "${alias}."))
 } else {
- $main_alias = [ "${alias}.${main_tld}" ]
+ $aliases = $base_aliases
 }
+ $main_domain = "${base}.${main_tld}"
 website::https { $main_domain:
 priority => $priority,
 ip => $ip,
- serveraliases => $main_alias,
+ serveraliases => $aliases,
 docroot => $docroot,
 docroot_owner => $docroot_owner,
 docroot_group => $docroot_group,
 ssl_ca_chain => $ssl_ca_chain,
+ letsencrypt_name => $letsencrypt_name,
 custom_fragment => $custom_fragment,
 force_no_index => $force_no_index,
 force_no_www => $force_no_www,
 }
-
- if count($extra_tlds) > 0 {
- $base_extras = prefix($extra_tlds, "${base}.")
-
- website::https::multitldredir { $base_extras:
- ip => $ip,
- main_domain => $main_domain,
- ssl_ca_chain => $ssl_ca_chain,
- docroot => $docroot,
- docroot_owner => $docroot_owner,
- docroot_group => $docroot_group,
- }
- }
 }
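Review bot: Folding every extra TLD into `serveraliases` of the single `website::https { $main_domain: }` vhost means one certificate must now carry SANs for `${base}.<extra>`, `${alias}.${main_tld}` and `${alias}.<extra>` as well as the main name, whereas the deleted `multitldredir` instances each got their own vhost and certificate; a `$letsencrypt_name` lineage or explicit `ssl_cert` that lacks those SANs will produce name-mismatch errors on the alias hostnames rather than the redirect they had before. A comment above the define, along the lines of `# All TLD variants are served by one vhost, so the certificate (or letsencrypt lineage) must include every alias as a SAN`, would make that requirement visible to callers. The alias hostnames now also serve content directly rather than redirecting to the main domain unless the core template does that, which is not visible here. Minor: `concat($base_aliases, "${alias}.${main_tld}")` passes a bare string as the second argument, which older stdlib releases reject; wrapping it as `[ "${alias}.${main_tld}" ]` works on every version.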
--- a/modules/website/manifests/https/redir.pp Sun Mar 26 16:53:34 2017 +0100
+++ b/modules/website/manifests/https/redir.pp Tue Mar 28 20:46:35 2017 +0100
@@ -7,6 +7,7 @@
 $ssl_cert = undef,
 $ssl_key = undef,
 $ssl_ca_chain = undef,
+ $letsencrypt_name = undef,
 $docroot_owner = undef,
 $docroot_group = undef,
 $serveraliases = [],
@@ -39,10 +40,10 @@
 # because if we don't then undef gets auto-cast to the empty string and the empty string matches our special "no CA chain" case
 # It'd be nicer to use "=~ Undef" to check types (https://puppet-on-the-edge.blogspot.co.uk/2013/12/lets-talk-about-undef.html),
 # but that threw syntax errors.
- if $ssl_cert == undef and !("" in [$ssl_cert]) and $ssl_ca_chain == undef and !("" in [$ssl_ca_chain]) {
- $sslcert = "/etc/letsencrypt/live/${::fqdn}/cert.pem"
- $sslkey = "/etc/letsencrypt/live/${::fqdn}/privkey.pem"
- } elsif $ssl_cert == undef and !("" in [$ssl_cert]) {
+ if $ssl_cert != undef {
+ $sslcert = $ssl_cert
+ $sslkey = $ssl_key
+ } elsif $ssl_ca_chain == "" and ("" in [$ssl_ca_chain]) {
 $sslcert = "${website::certdir}/${shortdomain}.crt"
 $sslkey = "${website::certdir}/${shortdomain}.key"
 File {
@@ -62,18 +63,15 @@
 notify => Service['httpd'],
 ensure => present;
 }
+ } elsif $letsencrypt_name != undef {
+ $sslcert = "/etc/letsencrypt/live/${letsencrypt_name}/cert.pem"
+ $sslkey = "/etc/letsencrypt/live/${letsencrypt_name}/privkey.pem"
 } else {
- $sslcert = $ssl_cert
- $sslkey = $ssl_key
- }
+ $sslcert = "/etc/letsencrypt/live/${::fqdn}/cert.pem"
+ $sslkey = "/etc/letsencrypt/live/${::fqdn}/privkey.pem"
+ }
- if $ssl_ca_chain == undef and !("" in [$ssl_ca_chain]) {
- $ssl_chain = $website::ca_chain
- }
- elsif $ssl_ca_chain == '' {
- # Special case where we're directly under the CA and don't want to unnecessarily send the CA cert
- $ssl_chain = undef
- } else {
+ if $ssl_ca_chain != '' {
 $ssl_chain = "/etc/pki/custom/$ssl_ca_chain"
 if ! defined(File[$ssl_chain]) {
 file { $ssl_chain:
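Review bot: The certificate/key/chain selection chain is now copied verbatim between https.pp and redir.pp, and the two copies had already drifted before this commit (the old redir.pp carried an extra `!("" in [$ssl_cert])` guard that https.pp never had), so any future fix to one is likely to miss the other. Since the module already ships a custom parser function (`domain_to_short_domain`), moving this logic into one helper that returns the cert, key and chain paths for a given `$ssl_cert`/`$ssl_key`/`$ssl_ca_chain`/`$letsencrypt_name`/`$shortdomain` would leave a single place to validate inputs and reason about precedence. Until then, the `validate_re` on `$letsencrypt_name` and the `ssl_key`-required check suggested for https.pp apply equally here. The chain branch continues in the next hunk.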
@@ -82,6 +80,13 @@
 notify => Service['httpd'],
 }
 }
+ } elsif $ssl_ca_chain == '' and '' in [$ssl_ca_chain] {
+ # Special case where we're directly under the CA and don't want to unnecessarily send the CA cert
+ $ssl_chain = undef
+ } elsif $letsencrypt_name != undef {
+ $ssl_chain = "/etc/letsencrypt/live/${letsencrypt_name}/chain.pem"
+ } else {
+ $ssl_chain = $website::ca_chain
 }
 if $docroot_owner == undef {