summaryrefslogtreecommitdiff
path: root/puppet
diff options
context:
space:
mode:
authorMicah Anderson <micah@riseup.net>2012-11-27 11:49:08 -0500
committerMicah Anderson <micah@riseup.net>2012-11-27 12:28:46 -0500
commit0876cc7c712f273991cbb1177d7416afd0a1462d (patch)
tree7b683253b28dc7c920e709f2734d5de267fc6c8a /puppet
parenta2e2f558bcfc4b35c7d81f282d73e06f78590113 (diff)
add site_webapp class to install the certs/keys/CAs and virtual host configurations
Diffstat (limited to 'puppet')
-rw-r--r--puppet/modules/site_apache/templates/vhosts.d/api.conf.erb36
-rw-r--r--puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb39
-rw-r--r--puppet/modules/site_webapp/manifests/apache.pp61
3 files changed, 136 insertions, 0 deletions
diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
new file mode 100644
index 00000000..fc26190c
--- /dev/null
+++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
@@ -0,0 +1,36 @@
+<VirtualHost *:80>
+ ServerName <%= api_domain %>
+ RewriteEngine On
+ RewriteRule ^.*$ https://<%= api_domain -%>%{REQUEST_URI} [R=permanent,L]
+</VirtualHost>
+
+<VirtualHost *:443>
+ ServerName <%= api_domain %>
+
+ SSLEngine on
+ SSLProtocol -all +SSLv3 +TLSv1
+ SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH
+ SSLHonorCipherOrder on
+
+ SSLCACertificatePath /etc/ssl/certs
+ SSLCertificateChainFile /etc/ssl/certs/leap_api.crt
+ SSLCertificateKeyFile /etc/x509/keys/leap_api.key
+ SSLCertificateFile /etc/x509/certs/leap_api.crt
+
+ RequestHeader set X_FORWARDED_PROTO 'https'
+
+ DocumentRoot /srv/leap_webapp/public
+
+ # Check for maintenance file and redirect all requests
+ RewriteEngine On
+ RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f
+ RewriteCond %{SCRIPT_FILENAME} !maintenance.html
+ RewriteCond %{REQUEST_URI} !/images/maintenance.jpg
+ RewriteRule ^.*$ %{DOCUMENT_ROOT}/system/maintenance.html [L]
+
+ # http://www.modrails.com/documentation/Users%20guide%20Apache.html#_passengerallowencodedslashes_lt_on_off_gt
+ AllowEncodedSlashes on
+ PassengerAllowEncodedSlashes on
+ PassengerFriendlyErrorPages off
+ SetEnv TMPDIR /var/tmp
+</VirtualHost>
diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb
new file mode 100644
index 00000000..bb035cd2
--- /dev/null
+++ b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb
@@ -0,0 +1,39 @@
+<VirtualHost *:80>
+ ServerName <%= domain %>
+ ServerAlias www.<%= domain %>
+ RewriteEngine On
+ RewriteRule ^.*$ https://<%= domain -%>%{REQUEST_URI} [R=permanent,L]
+</VirtualHost>
+
+<VirtualHost *:443>
+ ServerName <%= domain %>
+ ServerAlias www.<%= domain %>
+
+ SSLEngine on
+ SSLProtocol -all +SSLv3 +TLSv1
+ SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH
+ SSLHonorCipherOrder on
+
+ SSLCACertificatePath /etc/ssl/certs
+ SSLCertificateChainFile /etc/ssl/certs/leap_webapp.crt
+ SSLCertificateKeyFile /etc/x509/keys/leap_webapp.key
+ SSLCertificateFile /etc/x509/certs/leap_webapp.crt
+
+ RequestHeader set X_FORWARDED_PROTO 'https'
+
+ DocumentRoot /srv/leap_webapp/public
+
+ # Check for maintenance file and redirect all requests
+ RewriteEngine On
+ RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f
+ RewriteCond %{SCRIPT_FILENAME} !maintenance.html
+ RewriteCond %{REQUEST_URI} !/images/maintenance.jpg
+ RewriteRule ^.*$ %{DOCUMENT_ROOT}/system/maintenance.html [L]
+
+ # http://www.modrails.com/documentation/Users%20guide%20Apache.html#_passengerallowencodedslashes_lt_on_off_gt
+ AllowEncodedSlashes on
+ PassengerAllowEncodedSlashes on
+ PassengerFriendlyErrorPages off
+ SetEnv TMPDIR /var/tmp
+</VirtualHost>
+
diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp
new file mode 100644
index 00000000..d6470186
--- /dev/null
+++ b/puppet/modules/site_webapp/manifests/apache.pp
@@ -0,0 +1,61 @@
+class site_webapp::apache {
+
+ $api_domain = hiera('api_domain')
+ $x509 = hiera('x509')
+ $commercial_key = $x509['commercial_key']
+ $commercial_cert = $x509['commercial_cert']
+ $commercial_root = $x509['commercial_ca_cert']
+ $api_key = $x509['key']
+ $api_cert = $x509['cert']
+ $api_root = $x509['ca_cert']
+
+ $apache_no_default_site = true
+ include apache::ssl
+
+ apache::module {
+ 'rewrite': ensure => present;
+ 'headers': ensure => present;
+ }
+
+ class { 'passenger': use_munin => false }
+
+ apache::vhost::file {
+ 'leap_webapp':
+ content => template('site_apache/vhosts.d/leap_webapp.conf.erb')
+ }
+
+ apache::vhost::file {
+ 'api':
+ content => template('site_apache/vhosts.d/api.conf.erb')
+ }
+
+ x509::key {
+ 'leap_webapp':
+ content => $commercial_key,
+ notify => Service[apache];
+
+ 'leap_api':
+ content => $api_key,
+ notify => Service[apache];
+ }
+
+ x509::cert {
+ 'leap_webapp':
+ content => $commercial_cert,
+ notify => Service[apache];
+
+ 'leap_api':
+ content => $api_cert,
+ notify => Service[apache];
+ }
+
+ x509::ca {
+ 'leap_webapp':
+ content => $commercial_root,
+ notify => Service[apache];
+
+ 'leap_api':
+ content => $api_root,
+ notify => Service[apache];
+ }
+}