authorvarac <varacanero@zeromail.org>2014-02-06 15:36:12 +0100
committervarac <varacanero@zeromail.org>2014-02-06 15:36:12 +0100
commit36e5202181452c385b52e183e50166dec6c456d9 (patch)
tree0c0e2b7ee48c31d323abd09cbea1b52e3c0eab56
parentd8112f6c897579cbb8bbe1230ca5d0eff6746def (diff)
move leap_webapp.conf template to common.conf which is included by the nagios and webapp node (#5096)
-rw-r--r--provider_base/services/monitor.json9
-rw-r--r--puppet/modules/site_apache/manifests/common.pp26
-rw-r--r--puppet/modules/site_apache/templates/vhosts.d/common.conf.erb (renamed from puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb)11
-rw-r--r--puppet/modules/site_nagios/manifests/server.pp22
-rw-r--r--puppet/modules/site_webapp/manifests/apache.pp18
5 files changed, 62 insertions, 24 deletions
diff --git a/provider_base/services/monitor.json b/provider_base/services/monitor.json
index c3e2b954..142a4b5e 100644
--- a/provider_base/services/monitor.json
+++ b/provider_base/services/monitor.json
@@ -2,5 +2,14 @@
"nagios": {
"nagiosadmin_pw": "= secret :nagios_admin_password",
"hosts": "= nodes_like_me.pick_fields('domain.internal', 'ip_address', 'services', 'openvpn.gateway_address')"
+ },
+ "x509": {
+ "use": true,
+ "ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'",
+ "client_ca_cert": "= file :client_ca_cert, :missing => 'Certificate Authority. Run `leap cert ca`'",
+ "client_ca_key": "= file :client_ca_key, :missing => 'Certificate Authority. Run `leap cert ca`'",
+ "commercial_cert": "= file [:commercial_cert, domain.full_suffix]",
+ "commercial_key": "= file [:commercial_key, domain.full_suffix]",
+ "commercial_ca_cert": "= try_file :commercial_ca_cert"
}
}
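Review bot: The new `x509` block gives the monitor service `client_ca_key`, which appears to put the client CA's private key on every monitoring node. The only consumer visible in this commit, `site_apache::common`, includes just the `site_config::x509::commercial::*` classes. If nothing on a monitor node signs client certificates, drop the `"client_ca_cert"` and `"client_ca_key"` entries (and `"ca_cert"` if it is unused too) so the block carries only the `commercial_*` material Apache needs. If `x509::variables` or another class does read them, that dependency should be documented next to the service definition.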
diff --git a/puppet/modules/site_apache/manifests/common.pp b/puppet/modules/site_apache/manifests/common.pp
new file mode 100644
index 00000000..72f24838
--- /dev/null
+++ b/puppet/modules/site_apache/manifests/common.pp
@@ -0,0 +1,26 @@
+class site_apache::common {
+ # installs x509 cert + key and common config
+ # that both nagios + leap webapp use
+
+ $web_domain = hiera('domain')
+ $domain_name = $web_domain['name']
+
+ include x509::variables
+ include site_config::x509::commercial::cert
+ include site_config::x509::commercial::key
+ include site_config::x509::commercial::ca
+
+ Class['Site_config::X509::Commercial::Key'] ~> Service[apache]
+ Class['Site_config::X509::Commercial::Cert'] ~> Service[apache]
+ Class['Site_config::X509::Commercial::Ca'] ~> Service[apache]
+
+ include site_apache::module::rewrite
+
+ class { '::apache': no_default_site => true, ssl => true }
+
+ apache::vhost::file {
+ 'common':
+ content => template('site_apache/vhosts.d/common.conf.erb')
+ }
+
+}
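Review bot: The template rendered at the end of this class reads `@services` and `@webapp`, but the class assigns only `$web_domain` and `$domain_name`, so those two values must resolve from a scope this file does not show. Because the template guards with `defined? @services`, a failed lookup would not raise an error; it would silently drop the HSTS header and both service-specific sections. Looking the values up here explicitly, the way `$web_domain` is, would make the dependency visible. At minimum add a comment such as `# common.conf.erb reads @services and @webapp; both must resolve from this class's scope`. A smaller style point: `Service[apache]` is unquoted here while site_nagios::server writes `Service['apache']`.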
diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb
index a001552a..30f0a6b1 100644
--- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb
+++ b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb
@@ -23,13 +23,14 @@
RequestHeader set X_FORWARDED_PROTO 'https'
<IfModule mod_headers.c>
-<% if @webapp['secure'] -%>
+<% if (defined? @services) and (@services.include? 'webapp') and (@webapp['secure']) -%>
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
<% end -%>
Header always unset X-Powered-By
Header always unset X-Runtime
</IfModule>
+<% if (defined? @services) and (@services.include? 'webapp') -%>
DocumentRoot /srv/leap/webapp/public
RewriteEngine On
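Review bot: The rewritten condition on the `Strict-Transport-Security` line makes HSTS depend on the webapp service, so a node that runs only `monitor` would serve the Nagios pages from this vhost without any HSTS header. If that host is HTTPS-only like the webapp, the guard could default to on when there is no webapp config: `<% if @webapp.nil? or @webapp['secure'] -%>`. The `(defined? @services) and (@services.include? 'webapp')` test is now spelled out four times across this hunk and the next; evaluating it once near the top of the template would keep the copies from drifting. The `<VirtualHost>` block starts and ends outside this hunk.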
@@ -52,16 +53,20 @@
ExpiresActive On
ExpiresDefault "access plus 1 year"
</Location>
+<% end -%>
+
- <% if (defined? @services) and (@services.include? 'monitor') -%>
+<% if (defined? @services) and (@services.include? 'monitor') -%>
<DirectoryMatch (/usr/share/nagios3/htdocs|/usr/lib/cgi-bin/nagios3|/etc/nagios3/stylesheets)>
+ <% if (defined? @services) and (@services.include? 'webapp') -%>
PassengerEnabled off
+ <% end -%>
AllowOverride all
# Nagios won't work with setting this option to "DENY",
# as set in conf.d/security (#4169). Therefor we allow
# it here, only for nagios.
Header set X-Frame-Options: "ALLOW"
</DirectoryMatch>
- <% end -%>
+<% end -%>
</VirtualHost>
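Review bot: `Header set X-Frame-Options: "ALLOW"` is a context line that this hunk carries unchanged into the shared vhost, and `ALLOW` is not a value browsers define for that header. The defined values are `DENY`, `SAMEORIGIN` and the deprecated `ALLOW-FROM`, so this most likely just switches framing protection off for the Nagios paths. If the aim is only to let the Nagios frameset load its own pages, `Header set X-Frame-Options "SAMEORIGIN"` would do that while still blocking framing from other origins. The enclosing `<VirtualHost>` opens outside this hunk.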
diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp
index 3e1ef7e7..9f66c8ea 100644
--- a/puppet/modules/site_nagios/manifests/server.pp
+++ b/puppet/modules/site_nagios/manifests/server.pp
@@ -11,18 +11,32 @@ class site_nagios::server inherits nagios::base {
include nagios::defaults
include nagios::base
- #Class ['nagios'] -> Class ['nagios::defaults']
- class {'nagios::apache':
+ class {'nagios':
+ # don't manage apache class from nagios, cause we already include
+ # it in site_apache::common
+ httpd => 'absent',
allow_external_cmd => true,
stored_config => false,
- #before => Class ['nagios::defaults']
}
+ # - [monitor2] err: /Stage[main]/Site_nagios::Server/Apache::Config::Global[nagios3.conf]/Apache::Config::File[nagios3.conf]/File[apache_nagios3.conf]/ensure: change from absent to link failed: Cannot create a symlink without a target at /srv/leap/puppet/modules/apache/manifests/config/file.pp:32
+ #apache::config::global { 'nagios3.conf':
+ # ensure => link,
+ # target => '/usr/share/doc/nagios3-common/examples/apache2.conf',
+ #}
+
+ file { '/etc/apache2/conf.d/nagios3.conf':
+ ensure => link,
+ target => '/usr/share/doc/nagios3-common/examples/apache2.conf',
+ notify => Service['apache']
+ }
+
+ include site_apache::common
include site_apache::module::headers
File ['nagios_htpasswd'] {
source => undef,
- content => "nagiosadmin:$nagiosadmin_pw",
+ content => "nagiosadmin:${nagiosadmin_pw}",
mode => '0640',
}
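Review bot: The new `file { '/etc/apache2/conf.d/nagios3.conf': ... }` link makes Apache load a file from the package's documentation examples, and nothing in the resource orders it after whatever installs that file. The link can therefore be dangling on a first run, and the access rules for the Nagios CGIs are whatever the packaged example contains rather than something this manifest controls. Add a `require` on the resource that installs nagios3-common, or ship the configuration as a template from this module. The pasted error line and the commented-out `apache::config::global` block would read better as one line, e.g. `# apache::config::global fails here with "Cannot create a symlink without a target", so the link is managed directly`. The body of `site_nagios::server` continues outside the hunk.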
diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp
index d327877a..21243d34 100644
--- a/puppet/modules/site_webapp/manifests/apache.pp
+++ b/puppet/modules/site_webapp/manifests/apache.pp
@@ -7,19 +7,8 @@ class site_webapp::apache {
$web_domain = hiera('domain')
$domain_name = $web_domain['name']
- include x509::variables
- include site_config::x509::commercial::cert
- include site_config::x509::commercial::key
- include site_config::x509::commercial::ca
-
- Class['Site_config::X509::Commercial::Key'] ~> Service[apache]
- Class['Site_config::X509::Commercial::Cert'] ~> Service[apache]
- Class['Site_config::X509::Commercial::Ca'] ~> Service[apache]
-
- class { '::apache': no_default_site => true, ssl => true }
-
+ include site_apache::common
include site_apache::module::headers
- include site_apache::module::rewrite
include site_apache::module::alias
include site_apache::module::expires
include site_apache::module::removeip
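Review bot: Replacing the webapp's own vhost with `include site_apache::common` renames the deployed vhost from `leap_webapp` to `common`, and nothing visible in this commit removes the old `leap_webapp` vhost file from nodes that already have it. The old `apache::vhost::file` entry is deleted in the next hunk. Unless the apache module purges unmanaged vhost files, upgraded webapp nodes would load two definitions of the same VirtualHost, one of them stale. A cleanup resource for the old file, or a comment stating that the vhost directory is purged, would settle it. The class body continues outside this hunk.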
@@ -27,11 +16,6 @@ class site_webapp::apache {
class { 'passenger': use_munin => false }
apache::vhost::file {
- 'leap_webapp':
- content => template('site_apache/vhosts.d/leap_webapp.conf.erb')
- }
-
- apache::vhost::file {
'api':
content => template('site_apache/vhosts.d/api.conf.erb')
}