Diffstat (limited to 'puppet/modules/site_static')
-rw-r--r--puppet/modules/site_static/manifests/domain.pp17
-rw-r--r--puppet/modules/site_static/manifests/init.pp31
-rw-r--r--puppet/modules/site_static/manifests/location.pp9
-rw-r--r--puppet/modules/site_static/templates/amber.erb14
-rw-r--r--puppet/modules/site_static/templates/apache.conf.erb3
-rw-r--r--puppet/modules/site_static/templates/rack.erb16
6 files changed, 48 insertions, 42 deletions
diff --git a/puppet/modules/site_static/manifests/domain.pp b/puppet/modules/site_static/manifests/domain.pp
index b9177f25..b26cc9e3 100644
--- a/puppet/modules/site_static/manifests/domain.pp
+++ b/puppet/modules/site_static/manifests/domain.pp
@@ -1,3 +1,4 @@
+# configure static service for domain
define site_static::domain (
$ca_cert,
$key,
@@ -10,19 +11,19 @@ define site_static::domain (
$domain = $name
$base_dir = '/srv/static'
- create_resources(site_static::location, $locations)
+ $cafile = "${cert}\n${ca_cert}"
+
+ if is_hash($locations) {
+ create_resources(site_static::location, $locations)
+ }
x509::cert { $domain:
- content => $cert,
- notify => Service[apache]
+ content => $cafile,
+ notify => Service[apache]
}
x509::key { $domain:
content => $key,
- notify => Service[apache]
- }
- x509::ca { "${domain}_ca":
- content => $ca_cert,
- notify => Service[apache]
+ notify => Service[apache]
}
apache::vhost::file { $domain:
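Review bot: `$cafile` is a misleading name for the value now passed to `x509::cert`: it holds the leaf certificate followed by `$ca_cert`, not a CA file. The order matters for the server to present a usable chain, so I would rename it (for example `$cert_chain`) and add a comment such as `# leaf certificate first, then the CA chain, written as one PEM file`. Separately, the new `is_hash($locations)` guard silently skips any non-hash value; a `fail()` when `$locations` is set but not a hash would surface a configuration typo instead of deploying a vhost with no locations. The define's body continues outside the hunk.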
diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp
index 1efc510b..4a722d62 100644
--- a/puppet/modules/site_static/manifests/init.pp
+++ b/puppet/modules/site_static/manifests/init.pp
@@ -1,6 +1,8 @@
+# deploy static service
class site_static {
tag 'leap_service'
+ include site_config::default
include site_config::x509::cert
include site_config::x509::key
include site_config::x509::ca_bundle
@@ -9,6 +11,7 @@ class site_static {
$domains = $static['domains']
$formats = $static['formats']
$bootstrap = $static['bootstrap_files']
+ $tor = hiera('tor', false)
if $bootstrap['enabled'] {
$bootstrap_domain = $bootstrap['domain']
@@ -27,14 +30,13 @@ class site_static {
}
}
- class { '::apache': no_default_site => true, ssl => true }
- include site_apache::module::headers
- include site_apache::module::alias
- include site_apache::module::expires
- include site_apache::module::removeip
- include site_apache::module::rewrite
- apache::config::include{ 'ssl_common.inc': }
-
+ include apache::module::headers
+ include apache::module::alias
+ include apache::module::expires
+ include apache::module::removeip
+ include apache::module::dir
+ include apache::module::negotiation
+ include site_apache::common
include site_config::ruby::dev
if (member($formats, 'rack')) {
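Review bot: The explicit `class { '::apache': no_default_site => true, ssl => true }` and the `apache::config::include{ 'ssl_common.inc': }` resource are removed here, while templates/apache.conf.erb still contains `Include include.d/ssl_common.inc`. Presumably `site_apache::common` now provides both, but that class is not visible in this diff, so it is worth confirming that it still disables the default site, enables SSL and installs `ssl_common.inc`. The `rewrite` module include is also dropped without a replacement; confirm nothing in the static vhosts depends on mod_rewrite. A short comment above `include site_apache::common` saying what it is expected to supply would help the next reader.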
@@ -46,9 +48,9 @@ class site_static {
}
if (member($formats, 'amber')) {
- rubygems::gem{'amber-0.3.7':
- require => Package['zlib1g-dev']
- }
+ rubygems::gem{'amber-0.3.8':
+ require => Package['zlib1g-dev']
+ }
package { 'zlib1g-dev':
ensure => installed
@@ -57,6 +59,13 @@ class site_static {
create_resources(site_static::domain, $domains)
+ if $tor {
+ $hidden_service = $tor['hidden_service']
+ if $hidden_service['active'] {
+ include site_webapp::hidden_service
+ }
+ }
+
include site_shorewall::defaults
include site_shorewall::service::http
include site_shorewall::service::https
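Review bot: `$hidden_service['active']` is evaluated without checking that the `tor` hash actually has a `hidden_service` key, so a node whose hiera data defines `tor` but not `hidden_service` would index an undefined value; depending on the parser this either fails the catalog or is silently false. A guard in the style already used in domain.pp would make the intent explicit: `if is_hash($hidden_service) and $hidden_service['active'] {`. It is also worth confirming that `site_webapp::hidden_service` makes no webapp-specific assumptions (vhost name, port), since it is now included from the static-site class; that class is not visible here.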
diff --git a/puppet/modules/site_static/manifests/location.pp b/puppet/modules/site_static/manifests/location.pp
index ce2af9af..d116de2f 100644
--- a/puppet/modules/site_static/manifests/location.pp
+++ b/puppet/modules/site_static/manifests/location.pp
@@ -1,3 +1,4 @@
+# configure static service for location
define site_static::location($path, $format, $source) {
$file_path = "/srv/static/${name}"
@@ -14,10 +15,10 @@ define site_static::location($path, $format, $source) {
if ($format == 'amber') {
exec {"amber_build_${name}":
- cwd => $file_path,
- command => 'amber rebuild',
- user => 'www-data',
- timeout => 600,
+ cwd => $file_path,
+ command => 'amber rebuild',
+ user => 'www-data',
+ timeout => 600,
subscribe => Vcsrepo[$file_path]
}
}
diff --git a/puppet/modules/site_static/templates/amber.erb b/puppet/modules/site_static/templates/amber.erb
index 17dc2ad6..694f1136 100644
--- a/puppet/modules/site_static/templates/amber.erb
+++ b/puppet/modules/site_static/templates/amber.erb
@@ -1,15 +1,13 @@
-<%- if @location_path == '' -%>
- <Directory "<%= @directory %>/">
- AllowOverride FileInfo Indexes Options=All,MultiViews
- Order deny,allow
- Allow from all
- </Directory>
-<%- else -%>
+<%- if @location_path != '' -%>
AliasMatch ^/[a-z]{2}/<%=@location_path%>(/.+|/|)$ "<%=@directory%>/$1"
Alias /<%=@location_path%> "<%=@directory%>/"
+<%- end -%>
<Directory "<%=@directory%>/">
AllowOverride FileInfo Indexes Options=All,MultiViews
+<% if scope.function_guess_apache_version([]) == '2.4' %>
+ Require all granted
+<% else %>
Order deny,allow
Allow from all
+<% end %>
</Directory>
-<%- end -%>
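Review bot: The access-control branch compares `scope.function_guess_apache_version([])` to the exact string `'2.4'` and falls back to `Order deny,allow` / `Allow from all` for every other value, including an unexpected or empty return. On a 2.4 host without mod_access_compat that fallback would make the generated config fail to load, so I would confirm the function returns only major.minor, and add a comment such as `<%# guess_apache_version returns '2.2' or '2.4'; anything else gets 2.2 syntax -%>`. The same block is duplicated in templates/rack.erb. Both copies also use `<% %>` rather than the `<%- -%>` form used on the surrounding lines, which leaves blank lines in the rendered vhost; harmless, but inconsistent.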
diff --git a/puppet/modules/site_static/templates/apache.conf.erb b/puppet/modules/site_static/templates/apache.conf.erb
index 4d61cc08..6b969d1c 100644
--- a/puppet/modules/site_static/templates/apache.conf.erb
+++ b/puppet/modules/site_static/templates/apache.conf.erb
@@ -48,7 +48,7 @@
Include include.d/ssl_common.inc
<%- if @tls_only -%>
- Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains"
+ Header always set Strict-Transport-Security: "max-age=15768000;includeSubdomains"
<%- end -%>
Header set X-Frame-Options "deny"
Header always unset X-Powered-By
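Review bot: The neighbouring `Header set X-Frame-Options "deny"` is left in the default (onsuccess) table, while this hunk moves HSTS to `always`. As a result, error responses generated by Apache will carry Strict-Transport-Security but not the framing restriction. For consistency I would change it to `Header always set X-Frame-Options "deny"`. The enclosing vhost block starts and ends outside the hunk.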
@@ -56,7 +56,6 @@
SSLCertificateKeyFile /etc/x509/keys/<%= @domain %>.key
SSLCertificateFile /etc/x509/certs/<%= @domain %>.crt
- SSLCertificateChainFile /etc/ssl/certs/<%= @domain %>_ca.pem
RequestHeader set X_FORWARDED_PROTO 'https'
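Review bot: Removing `SSLCertificateChainFile` relies on Apache reading intermediate certificates from `SSLCertificateFile`, which httpd supports only from 2.4.8 onward. The amber.erb and rack.erb templates in this same commit still carry a non-2.4 branch, so older hosts appear to be supported; there the vhost would present the leaf certificate without its chain, and clients lacking the intermediate would fail validation. Either keep the directive, and the `x509::ca` resource that feeds it, behind the same version check, or document the requirement with a comment such as `<%# chain is bundled into the .crt by site_static::domain; requires httpd >= 2.4.8 -%>`. It is also worth checking whether the old `<domain>_ca.pem` file is cleaned up on existing nodes, since the resource that managed it is simply dropped.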
diff --git a/puppet/modules/site_static/templates/rack.erb b/puppet/modules/site_static/templates/rack.erb
index aae91f1c..431778bb 100644
--- a/puppet/modules/site_static/templates/rack.erb
+++ b/puppet/modules/site_static/templates/rack.erb
@@ -1,21 +1,19 @@
#PassengerLogLevel 1
#PassengerAppEnv production
#PassengerFriendlyErrorPages on
-<%- if @location_path == '' -%>
- <Directory "<%=@directory%>">
- Order deny,allow
- Allow from all
- Options -MultiViews
- </Directory>
-<%- else -%>
+<%- if @location_path != '' -%>
Alias /<%=@location_path%> "<%=@directory%>"
<Location /<%=@location_path%>>
PassengerBaseURI /<%=@location_path%>
PassengerAppRoot "<%=File.dirname(@directory)%>"
</Location>
+<%- end -%>
<Directory "<%=@directory%>">
+ Options -MultiViews
+<% if scope.function_guess_apache_version([]) == '2.4' %>
+ Require all granted
+<% else %>
Order deny,allow
Allow from all
- Options -MultiViews
+<% end %>
</Directory>
-<%- end -%>