diff options
author | Micah Anderson <micah@riseup.net> | 2017-11-28 11:35:01 -0500 |
---|---|---|
committer | Micah Anderson <micah@riseup.net> | 2017-11-28 11:35:01 -0500 |
commit | 0d251e2ceddd3e02ed8bba8725830689dbdd1397 (patch) | |
tree | 37d7096d9e458ca1e6431dff8a2f571553011c44 /puppet/modules/site_static | |
parent | 93a181d44e2d8163ae44945aac1b6477e268170d (diff) | |
parent | bf6c56d86c7ba45e7ca766d990a9e9162025e5ac (diff) |
Merge tag 'refs/tags/0.10.0' into stable
Release 0.10.0
Diffstat (limited to 'puppet/modules/site_static')
-rw-r--r-- | puppet/modules/site_static/manifests/domain.pp | 13 | ||||
-rw-r--r-- | puppet/modules/site_static/manifests/hidden_service.pp | 36 | ||||
-rw-r--r-- | puppet/modules/site_static/manifests/init.pp | 30 | ||||
-rw-r--r-- | puppet/modules/site_static/templates/apache.conf.erb | 14 |
4 files changed, 58 insertions, 35 deletions
diff --git a/puppet/modules/site_static/manifests/domain.pp b/puppet/modules/site_static/manifests/domain.pp index 6cf2c653..e456c94e 100644 --- a/puppet/modules/site_static/manifests/domain.pp +++ b/puppet/modules/site_static/manifests/domain.pp @@ -1,25 +1,30 @@ # configure static service for domain define site_static::domain ( - $ca_cert, + $ca_cert=undef, $key, $cert, $tls_only=true, $use_hidden_service=false, $locations=undef, $aliases=undef, - $apache_config=undef) { + $apache_config=undef, + $www_alias=false) { $domain = $name $base_dir = '/srv/static' - $cafile = "${cert}\n${ca_cert}" + if ($ca_cert) { + $certfile = "${cert}\n${ca_cert}" + } else { + $certfile = $cert + } if is_hash($locations) { create_resources(site_static::location, $locations) } x509::cert { $domain: - content => $cafile, + content => $certfile, notify => Service[apache] } x509::key { $domain: diff --git a/puppet/modules/site_static/manifests/hidden_service.pp b/puppet/modules/site_static/manifests/hidden_service.pp index f1f15f8e..c5d12c34 100644 --- a/puppet/modules/site_static/manifests/hidden_service.pp +++ b/puppet/modules/site_static/manifests/hidden_service.pp @@ -1,26 +1,32 @@ # create hidden service for static sites -class site_static::hidden_service { +class site_static::hidden_service ( $single_hop = false, $v3 = false ) { + Class['site_tor::hidden_service'] -> Class['site_static::hidden_service'] + include site_tor::hidden_service + + tor::daemon::hidden_service { 'static': + ports => [ '80 127.0.0.1:80'], + single_hop => $single_hop, + v3 => $v3 + } - include tor::daemon - tor::daemon::hidden_service { 'static': ports => [ '80 127.0.0.1:80'] } file { - '/var/lib/tor/webapp/': - ensure => directory, - owner => 'debian-tor', - group => 'debian-tor', - mode => '2700'; + '/var/lib/tor/static/': + ensure => directory, + owner => 'debian-tor', + group => 'debian-tor', + mode => '2700'; '/var/lib/tor/static/private_key': - ensure => present, - source => "/srv/leap/files/nodes/${::hostname}/tor.key", - owner => 'debian-tor', - group => 'debian-tor', - mode => '0600', - notify => Service['tor']; + ensure => present, + source => "/srv/leap/files/nodes/${::hostname}/tor.key", + owner => 'debian-tor', + group => 'debian-tor', + mode => '0600', + notify => Service['tor']; '/var/lib/tor/static/hostname': ensure => present, - content => "${::site_static::tor_domain}\n", + content => "${::site_static::onion_domain}\n", owner => 'debian-tor', group => 'debian-tor', mode => '0600', diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp index dd3f912d..fdc5782f 100644 --- a/puppet/modules/site_static/manifests/init.pp +++ b/puppet/modules/site_static/manifests/init.pp @@ -7,11 +7,17 @@ class site_static { include site_config::x509::key include site_config::x509::ca_bundle - $static = hiera('static') - $domains = $static['domains'] - $formats = $static['formats'] - $bootstrap = $static['bootstrap_files'] - $tor = hiera('tor', false) + $services = hiera('services', []) + $static = hiera('static') + $domains = $static['domains'] + $formats = $static['formats'] + $bootstrap = $static['bootstrap_files'] + $tor = hiera('tor', false) + if $tor and member($services, 'tor_hidden_service') { + $onion_active = true + } else { + $onion_active = false + } file { '/srv/static/': @@ -54,10 +60,8 @@ class site_static { include site_config::ruby::dev if (member($formats, 'rack')) { - include site_apt::preferences::passenger class { 'passenger': manage_munin => false, - require => Class['site_apt::preferences::passenger'] } } @@ -67,16 +71,18 @@ class site_static { } package { 'zlib1g-dev': - ensure => installed + ensure => installed } } - if $tor { + if $onion_active { $hidden_service = $tor['hidden_service'] - $tor_domain = "${hidden_service['address']}.onion" - if $hidden_service['active'] { - include site_static::hidden_service + $onion_domain = "${hidden_service['address']}.onion" + class { 'site_static::hidden_service': + single_hop => $hidden_service['single_hop'], + v3 => $hidden_service['v3'] } + # Currently, we only support a single hidden service address per server. # So if there is more than one domain configured, then we need to make sure # we don't enable the hidden service for every domain. diff --git a/puppet/modules/site_static/templates/apache.conf.erb b/puppet/modules/site_static/templates/apache.conf.erb index dd04ca43..716df437 100644 --- a/puppet/modules/site_static/templates/apache.conf.erb +++ b/puppet/modules/site_static/templates/apache.conf.erb @@ -74,13 +74,15 @@ Require all granted </Directory> -<%- if @tor && (@always_use_hidden_service || @use_hidden_service) -%> +<%- if @onion_active && (@always_use_hidden_service || @use_hidden_service) -%> ## -## Tor +## Hidden Service ## <VirtualHost 127.0.0.1:80> - ServerName <%= @tor_domain %> - ServerAlias www.<%= @tor_domain %> + ServerName <%= @onion_domain %> +<%- if @www_alias -%> + ServerAlias www.<%= @onion_domain %> +<%- end -%> <IfModule mod_headers.c> Header set X-Frame-Options "deny" @@ -102,7 +104,9 @@ ## <VirtualHost *:80> ServerName <%= @domain %> +<%- if @www_alias -%> ServerAlias www.<%= @domain %> +<%- end -%> <%- @aliases && @aliases.each do |domain_alias| -%> ServerAlias <%= domain_alias %> <%- end -%> @@ -122,7 +126,9 @@ ## <VirtualHost *:443> ServerName <%= @domain %> +<%- if @www_alias -%> ServerAlias www.<%= @domain %> +<%- end -%> <%- @aliases && @aliases.each do |domain_alias| -%> ServerAlias <%= domain_alias %> <%- end -%> |