changeset 150:060f81349dd6 puppet-3.6

Restructure HTTPS certificates and multiple TLD sites for clarity
author IBBoard <dev@ibboard.co.uk>
date Tue, 28 Mar 2017 20:46:35 +0100
parents af30a5eb468f
children 1ad747713519
files manifests/templates.pp modules/website/manifests/https.pp modules/website/manifests/https/multitld.pp modules/website/manifests/https/redir.pp
diffstat 4 files changed, 49 insertions(+), 59 deletions(-) [+]
--- a/manifests/templates.pp	Sun Mar 26 16:53:34 2017 +0100
+++ b/manifests/templates.pp	Tue Mar 28 20:46:35 2017 +0100
@@ -517,8 +517,6 @@
 		ensure             => 'present',
 		custom_fragment    => 'Include conf.extra/no-index.conf
 Include conf.custom/filter-core.conf
-Include conf.extra/no-www.conf
-Include conf.extra/no-com.conf
 Include conf.extra/html-php.conf
 #Additional custom fragment
 ErrorDocument 404 /error.php',
--- a/modules/website/manifests/https.pp	Sun Mar 26 16:53:34 2017 +0100
+++ b/modules/website/manifests/https.pp	Tue Mar 28 20:46:35 2017 +0100
@@ -6,6 +6,7 @@
     $ssl_cert           = undef,
     $ssl_key            = undef,
     $ssl_ca_chain       = undef,
+    $letsencrypt_name   = undef,
     $priority           = undef,
     $docroot_owner      = undef,
     $docroot_group      = undef,
@@ -29,10 +30,7 @@
   $logpart = $shortname
   $shortdomain = domain_to_short_domain($name)
 
-  $custom_conf0 = 'Header always set Strict-Transport-Security "max-age=16070400; includeSubDomains"
-Header always set X-Xss-Protection "1; mode=block"
-Header always set X-Content-Type-Options "nosniff"
-Header always set X-Frame-Options "SAMEORIGIN"'
+  $custom_conf0 = template('website/https_core_conf.erb')
 
   if $force_no_index {
     $custom_conf1 = "$custom_conf0
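Review bot: The four hardening headers removed here (Strict-Transport-Security, X-Xss-Protection, X-Content-Type-Options, X-Frame-Options) are replaced by `template('website/https_core_conf.erb')`, but that template is not among the four files listed for this changeset, so the header set actually served is no longer visible in the review and catalog compilation fails if the file does not already exist on the branch. Please add the template in the same commit, or confirm it is already present and still carries the same headers. A one-line comment at the assignment, e.g. `# HSTS and browser hardening headers live in templates/https_core_conf.erb`, keeps the link obvious to the next reader. The enclosing define starts outside the hunk.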
@@ -48,19 +46,12 @@
     $custom_conf2 = $custom_conf1
   }
 
-  if $force_no_www {
-    $custom_conf3 = "$custom_conf2
-Include conf.extra/no-www.conf"
-  } else {
-    $custom_conf3 = $custom_conf2
-  }
-
   if $custom_fragment {
-    $custom_conf = "$custom_conf3
+    $custom_conf = "$custom_conf2
 #Additional custom fragment
 $custom_fragment"
   } else {
-    $custom_conf = $custom_conf3
+    $custom_conf = $custom_conf2
   }
 
   if $docroot == undef {
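Review bot: Dropping the `$force_no_www` branch leaves that parameter accepted but silently ignored: the multitld.pp hunk in this same changeset still passes `force_no_www => $force_no_www` to `website::https`, and the parameter declaration (outside this hunk) presumably survives. Either remove the parameter from the signature and from the multitld.pp call, or make the mismatch loud with `if $force_no_www { fail("force_no_www is no longer supported (${name})") }` so a caller relying on the old redirect behaviour finds out at compile time rather than by a missing redirect.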
@@ -74,10 +65,10 @@
 # because if we don't then undef gets auto-cast to the empty string and the empty string matches our special "no CA chain" case
 # It'd be nicer to use "=~ Undef" to check types (https://puppet-on-the-edge.blogspot.co.uk/2013/12/lets-talk-about-undef.html),
 # but that threw syntax errors.
-  if $ssl_cert == undef and $ssl_ca_chain == undef and !("" in [$ssl_ca_chain]) {
-    $sslcert = "/etc/letsencrypt/live/${::fqdn}/cert.pem"
-    $sslkey = "/etc/letsencrypt/live/${::fqdn}/privkey.pem"
-  } elsif $ssl_cert == undef {
+  if $ssl_cert != undef {
+    $sslcert = $ssl_cert
+    $sslkey = $ssl_key   
+  } elsif $ssl_ca_chain == "" and ("" in [$ssl_ca_chain]) {
     $sslcert = "${website::certdir}/${shortdomain}.crt"
     $sslkey = "${website::certdir}/${shortdomain}.key"
     File {
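Review bot: The new first branch `if $ssl_cert != undef` assigns `$sslkey = $ssl_key` without checking that a key was supplied, so a call passing only `ssl_cert` produces an undef key path for the vhost; the same gap existed in the old `else` branch, but it is now the primary path. A guard at the top of that branch, `if $ssl_key == undef { fail("ssl_key is required when ssl_cert is set (${name})") }`, makes it a compile-time error. That line also carries trailing whitespace (`$sslkey = $ssl_key   `). The whole cert/key selection (this hunk and the next) is now duplicated verbatim in the corresponding redir.pp hunks, which is where the two are likely to drift apart; moving it into a shared function or one defined type would remove the copy. The enclosing define starts outside the hunk and the `if` chain continues in the next hunk.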
@@ -97,18 +88,15 @@
       notify => Service['httpd'],
       ensure => present;
     }
+  } elsif $letsencrypt_name != undef {
+    $sslcert = "/etc/letsencrypt/live/${letsencrypt_name}/cert.pem"
+    $sslkey = "/etc/letsencrypt/live/${letsencrypt_name}/privkey.pem"
   } else {
-    $sslcert = $ssl_cert
-    $sslkey = $ssl_key   
+    $sslcert = "/etc/letsencrypt/live/${::fqdn}/cert.pem"
+    $sslkey = "/etc/letsencrypt/live/${::fqdn}/privkey.pem"
   }
 
-  if $ssl_ca_chain == undef and !("" in [$ssl_ca_chain]) {
-    $ssl_chain = $website::ca_chain
-  }
-  elsif $ssl_ca_chain == '' {
-    # Special case where we're directly under the CA and don't want to unnecessarily send the CA cert
-    $ssl_chain = undef
-  } else {
+  if $ssl_ca_chain != '' {
     $ssl_chain = "/etc/pki/custom/$ssl_ca_chain"
     if ! defined(File[$ssl_chain]) {
       file { $ssl_chain:
@@ -117,6 +105,13 @@
         notify  => Service['httpd'],
       }
     }
+  } elsif $ssl_ca_chain == '' and '' in [$ssl_ca_chain] {
+    # Special case where we're directly under the CA and don't want to unnecessarily send the CA cert
+    $ssl_chain = undef
+  } elsif $letsencrypt_name != undef {
+    $ssl_chain = "/etc/letsencrypt/live/${letsencrypt_name}/chain.pem"
+  } else {
+    $ssl_chain = $website::ca_chain
   }
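Review bot: The chain selection is ordered differently from the cert selection above: here `$ssl_ca_chain` wins and `$letsencrypt_name` comes second, whereas the cert branch tests `$ssl_cert` first, so with `ssl_ca_chain` left undef a call that passes both `ssl_cert` and `letsencrypt_name` serves the caller's certificate with the Let's Encrypt `chain.pem`, and `letsencrypt_name` together with a non-empty `ssl_ca_chain` serves a Let's Encrypt leaf with a custom chain. Neither mix is rejected; if they are not meant to be supported, a `fail()` when `$letsencrypt_name` is set alongside `$ssl_cert` or a non-empty `$ssl_ca_chain` catches it at compile time. The `$::fqdn` fallback also takes its leaf from `/etc/letsencrypt/live/${::fqdn}/` but its chain from `$website::ca_chain` rather than the `chain.pem` beside it — unchanged from before, but worth a comment saying why. The same ordering applies to the redir.pp chain hunk.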
 
   if $docroot_owner == undef {
--- a/modules/website/manifests/https/multitld.pp	Sun Mar 26 16:53:34 2017 +0100
+++ b/modules/website/manifests/https/multitld.pp	Tue Mar 28 20:46:35 2017 +0100
@@ -6,6 +6,7 @@
   $main_tld        = $website::tld,
   $extra_tlds      = $website::extra_tlds,
   $ssl_ca_chain    = undef,
+  $letsencrypt_name = undef,
   $docroot_owner   = undef,
   $docroot_group   = undef,
   $custom_fragment = undef,
@@ -21,35 +22,26 @@
   validate_re($main_tld, '^[a-z]+(\.[a-z]+)?', 'TLD must be in the form "com" or "co.uk"')
   $alias = domain_to_short_domain($base)
 
-  if $base == $alias {
-    $main_alias = []
+  $base_aliases = prefix($extra_tlds, "${base}.")
+  if $base != $alias {
+    $aliases = concat(concat($base_aliases, "${alias}.${main_tld}"),
+      prefix($extra_tlds, "${alias}."))
   } else {
-    $main_alias = [ "${alias}.${main_tld}" ]
+    $aliases = $base_aliases
   }
+
   $main_domain = "${base}.${main_tld}"
   website::https { $main_domain:
     priority        => $priority,
     ip              => $ip,
-    serveraliases   => $main_alias,
+    serveraliases   => $aliases,
     docroot         => $docroot,
     docroot_owner   => $docroot_owner,
     docroot_group   => $docroot_group,
     ssl_ca_chain    => $ssl_ca_chain,
+    letsencrypt_name => $letsencrypt_name,
     custom_fragment => $custom_fragment,
     force_no_index  => $force_no_index,
     force_no_www    => $force_no_www,
   }
-
-  if count($extra_tlds) > 0 {
-    $base_extras = prefix($extra_tlds, "${base}.")
-
-    website::https::multitldredir { $base_extras:
-      ip            => $ip,
-      main_domain   => $main_domain,
-      ssl_ca_chain  => $ssl_ca_chain,
-      docroot       => $docroot,
-      docroot_owner => $docroot_owner,
-      docroot_group => $docroot_group,
-    }
-  }
 }
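Review bot: Folding the extra-TLD hostnames into `serveraliases` of the single `website::https` vhost means the one certificate selected there (`$letsencrypt_name`, or `$::fqdn`) must carry every entry of `$aliases` as a SAN; before, each `${base}.<tld>` had its own `multitldredir` vhost. Nothing here checks that, so a missing SAN shows up only as a browser name-mismatch error, which deserves a comment on the `$aliases` assignment such as `# All aliases are served from the main vhost, so the chosen certificate must list each one as a SAN`. `concat` with a bare string as its second argument depends on the stdlib version accepting non-array values; `concat($base_aliases, ["${alias}.${main_tld}"])` is unambiguous across versions. If no other manifest instantiates `website::https::multitldredir`, that define is now unused.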
--- a/modules/website/manifests/https/redir.pp	Sun Mar 26 16:53:34 2017 +0100
+++ b/modules/website/manifests/https/redir.pp	Tue Mar 28 20:46:35 2017 +0100
@@ -7,6 +7,7 @@
     $ssl_cert           = undef,
     $ssl_key            = undef,
     $ssl_ca_chain       = undef,
+    $letsencrypt_name   = undef,
     $docroot_owner      = undef,
     $docroot_group      = undef,
     $serveraliases      = [],
@@ -39,10 +40,10 @@
 # because if we don't then undef gets auto-cast to the empty string and the empty string matches our special "no CA chain" case
 # It'd be nicer to use "=~ Undef" to check types (https://puppet-on-the-edge.blogspot.co.uk/2013/12/lets-talk-about-undef.html),
 # but that threw syntax errors.
-  if $ssl_cert == undef and !("" in [$ssl_cert]) and $ssl_ca_chain == undef and !("" in [$ssl_ca_chain]) {
-    $sslcert = "/etc/letsencrypt/live/${::fqdn}/cert.pem"
-    $sslkey = "/etc/letsencrypt/live/${::fqdn}/privkey.pem"
-  } elsif $ssl_cert == undef and !("" in [$ssl_cert]) {
+  if $ssl_cert != undef {
+    $sslcert = $ssl_cert
+    $sslkey = $ssl_key   
+  } elsif $ssl_ca_chain == "" and ("" in [$ssl_ca_chain]) {
     $sslcert = "${website::certdir}/${shortdomain}.crt"
     $sslkey = "${website::certdir}/${shortdomain}.key"
     File {
@@ -62,18 +63,15 @@
       notify => Service['httpd'],
       ensure => present;
     }
+  } elsif $letsencrypt_name != undef {
+    $sslcert = "/etc/letsencrypt/live/${letsencrypt_name}/cert.pem"
+    $sslkey = "/etc/letsencrypt/live/${letsencrypt_name}/privkey.pem"
   } else {
-    $sslcert = $ssl_cert
-    $sslkey = $ssl_key
-  } 
+    $sslcert = "/etc/letsencrypt/live/${::fqdn}/cert.pem"
+    $sslkey = "/etc/letsencrypt/live/${::fqdn}/privkey.pem"
+  }
 
-  if $ssl_ca_chain == undef and !("" in [$ssl_ca_chain]) {
-    $ssl_chain = $website::ca_chain
-  }
-  elsif $ssl_ca_chain == '' {
-    # Special case where we're directly under the CA and don't want to unnecessarily send the CA cert
-    $ssl_chain = undef
-  } else {
+  if $ssl_ca_chain != '' {
     $ssl_chain = "/etc/pki/custom/$ssl_ca_chain"
     if ! defined(File[$ssl_chain]) {
       file { $ssl_chain:
@@ -82,6 +80,13 @@
         notify  => Service['httpd'],
       }
     }
+  } elsif $ssl_ca_chain == '' and '' in [$ssl_ca_chain] {
+    # Special case where we're directly under the CA and don't want to unnecessarily send the CA cert
+    $ssl_chain = undef
+  } elsif $letsencrypt_name != undef {
+    $ssl_chain = "/etc/letsencrypt/live/${letsencrypt_name}/chain.pem"
+  } else {
+    $ssl_chain = $website::ca_chain
   }
 
   if $docroot_owner == undef {