summaryrefslogtreecommitdiff
path: root/puppet
diff options
context:
space:
mode:
Diffstat (limited to 'puppet')
-rw-r--r--puppet/manifests/site.pp5
-rw-r--r--puppet/modules/site_apache/templates/vhosts.d/api.conf.erb5
-rw-r--r--puppet/modules/site_apache/templates/vhosts.d/common.conf.erb5
-rw-r--r--puppet/modules/site_check_mk/files/agent/logwatch/syslog/openvpn.cfg7
-rw-r--r--puppet/modules/site_check_mk/manifests/agent/openvpn.pp10
-rw-r--r--puppet/modules/site_config/manifests/packages/base.pp15
-rw-r--r--puppet/modules/site_config/manifests/packages/build_essential.pp8
-rw-r--r--puppet/modules/site_config/manifests/packages/uninstall.pp20
-rw-r--r--puppet/modules/site_config/manifests/params.pp1
-rw-r--r--puppet/modules/site_config/manifests/ruby/dev.pp2
-rw-r--r--puppet/modules/site_couchdb/manifests/designs.pp5
-rw-r--r--puppet/modules/site_openvpn/manifests/init.pp36
-rw-r--r--puppet/modules/site_openvpn/manifests/server_config.pp8
-rw-r--r--puppet/modules/site_postfix/manifests/mx.pp6
-rw-r--r--puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp12
-rw-r--r--puppet/modules/site_postfix/manifests/mx/smtp_tls.pp2
-rw-r--r--puppet/modules/site_postfix/manifests/satellite.pp33
-rw-r--r--puppet/modules/site_static/README3
-rw-r--r--puppet/modules/site_static/manifests/domain.pp28
-rw-r--r--puppet/modules/site_static/manifests/init.pp17
-rw-r--r--puppet/modules/site_static/manifests/location.pp25
-rw-r--r--puppet/modules/site_static/templates/apache.conf.erb109
22 files changed, 314 insertions, 48 deletions
diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp
index d83a189d..f8726fa9 100644
--- a/puppet/manifests/site.pp
+++ b/puppet/manifests/site.pp
@@ -39,3 +39,8 @@ if $services =~ /\bmx\b/ {
include site_mx
}
+if $services =~ /\bstatic\b/ {
+ include site_static
+}
+
+include site_config::packages::uninstall
diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
index 5f1f4c1d..3360ac59 100644
--- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
+++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
@@ -10,9 +10,10 @@ Listen 0.0.0.0:<%= api_port %>
ServerName <%= api_domain %>
SSLEngine on
- SSLProtocol -all +SSLv3 +TLSv1
- SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH
+ SSLProtocol all -SSLv2
SSLHonorCipherOrder on
+ SSLCompression off
+ SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK"
SSLCACertificatePath /etc/ssl/certs
SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::ca_name') %>.crt
diff --git a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb
index 30f0a6b1..ed430510 100644
--- a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb
+++ b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb
@@ -11,9 +11,10 @@
ServerAlias www.<%= domain %>
SSLEngine on
- SSLProtocol -all +SSLv3 +TLSv1
- SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH
+ SSLProtocol all -SSLv2
SSLHonorCipherOrder on
+ SSLCompression off
+ SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK"
SSLCACertificatePath /etc/ssl/certs
SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::commercial_ca_name') %>.crt
diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/syslog/openvpn.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/openvpn.cfg
new file mode 100644
index 00000000..d58e876d
--- /dev/null
+++ b/puppet/modules/site_check_mk/files/agent/logwatch/syslog/openvpn.cfg
@@ -0,0 +1,7 @@
+# ignore openvpn TLS initialization errors when clients
+# suddenly hangup before properly establishing
+# a tls connection
+ I ovpn-.*TLS Error: Unroutable control packet received from
+ I ovpn-.*TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
+ I ovpn-.*TLS Error: TLS handshake failed
+
diff --git a/puppet/modules/site_check_mk/manifests/agent/openvpn.pp b/puppet/modules/site_check_mk/manifests/agent/openvpn.pp
new file mode 100644
index 00000000..919a408d
--- /dev/null
+++ b/puppet/modules/site_check_mk/manifests/agent/openvpn.pp
@@ -0,0 +1,10 @@
+class site_check_mk::agent::openvpn {
+
+ # check syslog
+ concat::fragment { 'syslog_openpvn':
+ source => 'puppet:///modules/site_check_mk/agent/logwatch/syslog/openvpn.cfg',
+ target => '/etc/check_mk/logwatch.d/syslog.cfg',
+ order => '02';
+ }
+
+}
diff --git a/puppet/modules/site_config/manifests/packages/base.pp b/puppet/modules/site_config/manifests/packages/base.pp
index 9d416043..ae47963c 100644
--- a/puppet/modules/site_config/manifests/packages/base.pp
+++ b/puppet/modules/site_config/manifests/packages/base.pp
@@ -1,6 +1,5 @@
class site_config::packages::base {
- include site_config::params
# base set of packages that we want to have installed everywhere
package { [ 'etckeeper', 'screen', 'less', 'ntp' ]:
@@ -16,18 +15,4 @@ class site_config::packages::base {
'x11-utils', 'xterm' ]:
ensure => absent;
}
-
- if $::site_config::params::environment == 'local' or $::services =~ /\bwebapp\b/ {
- $dev_packages_ensure = present
- } else {
- $dev_packages_ensure = absent
- }
-
- # g++ and ruby1.9.1-dev are needed for nickserver/eventmachine (#4079)
- # dev_packages are needed for building gems on the webapp node
-
- package { [ 'build-essential', 'g++', 'g++-4.7', 'gcc',
- 'gcc-4.6', 'gcc-4.7', 'cpp', 'cpp-4.6', 'cpp-4.7', 'libc6-dev' ]:
- ensure => $dev_packages_ensure
- }
}
diff --git a/puppet/modules/site_config/manifests/packages/build_essential.pp b/puppet/modules/site_config/manifests/packages/build_essential.pp
new file mode 100644
index 00000000..c9efaafb
--- /dev/null
+++ b/puppet/modules/site_config/manifests/packages/build_essential.pp
@@ -0,0 +1,8 @@
+#
+# include this whenever you want to ensure build-essential package and related compilers are installed.
+#
+class site_config::packages::build_essential {
+ if $install_build_essential == undef {
+ $install_build_essential = true
+ }
+} \ No newline at end of file
diff --git a/puppet/modules/site_config/manifests/packages/uninstall.pp b/puppet/modules/site_config/manifests/packages/uninstall.pp
new file mode 100644
index 00000000..2919cc96
--- /dev/null
+++ b/puppet/modules/site_config/manifests/packages/uninstall.pp
@@ -0,0 +1,20 @@
+#
+# this should be included last to allow other modules to set $::install_build_packages
+#
+class site_config::packages::uninstall {
+
+ if $site_config::packages::build_essential::install_essential == true {
+ $dev_packages_ensure = present
+ } else {
+ $dev_packages_ensure = absent
+ }
+
+ # generally, dev packages are needed for installing ruby gems with native extensions.
+ # (nickserver, webapp, etc)
+
+ package { [ 'build-essential', 'g++', 'g++-4.7', 'gcc',
+ 'gcc-4.6', 'gcc-4.7', 'cpp', 'cpp-4.6', 'cpp-4.7', 'libc6-dev' ]:
+ ensure => $dev_packages_ensure
+ }
+
+} \ No newline at end of file
diff --git a/puppet/modules/site_config/manifests/params.pp b/puppet/modules/site_config/manifests/params.pp
index 5bdc0077..012b3ce0 100644
--- a/puppet/modules/site_config/manifests/params.pp
+++ b/puppet/modules/site_config/manifests/params.pp
@@ -8,6 +8,7 @@ class site_config::params {
if $environment == 'local' {
$interface = 'eth1'
+ include site_config::packages::build_essential
}
elsif hiera('interface','') != '' {
$interface = hiera('interface')
diff --git a/puppet/modules/site_config/manifests/ruby/dev.pp b/puppet/modules/site_config/manifests/ruby/dev.pp
index dbc77ae7..3ea6ca96 100644
--- a/puppet/modules/site_config/manifests/ruby/dev.pp
+++ b/puppet/modules/site_config/manifests/ruby/dev.pp
@@ -3,4 +3,6 @@ class site_config::ruby::dev inherits site_config::ruby {
ruby_version => '1.9.3',
install_dev => true
}
+ # building gems locally probably requires build-essential and gcc:
+ include site_config::packages::build_essential
}
diff --git a/puppet/modules/site_couchdb/manifests/designs.pp b/puppet/modules/site_couchdb/manifests/designs.pp
index 83d6c8cd..9e88de64 100644
--- a/puppet/modules/site_couchdb/manifests/designs.pp
+++ b/puppet/modules/site_couchdb/manifests/designs.pp
@@ -12,9 +12,8 @@ class site_couchdb::designs {
}
exec { '/srv/leap/couchdb/scripts/load_design_documents.sh':
- subscribe => File['/srv/leap/couchdb/designs'],
- refreshonly => true,
- require => Vcsrepo['/srv/leap/couchdb/scripts']
+ require => Vcsrepo['/srv/leap/couchdb/scripts'],
+ refreshonly => false
}
}
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index 42146741..7aec0faa 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
@@ -27,22 +27,23 @@ class site_openvpn {
Class['site_config::default'] -> Class['site_openvpn']
- $openvpn_config = hiera('openvpn')
- $openvpn_ports = $openvpn_config['ports']
+ $openvpn = hiera('openvpn')
+ $openvpn_ports = $openvpn['ports']
+ $openvpn_config = $openvpn['configuration']
if $::ec2_instance_id {
$openvpn_gateway_address = $::ipaddress
} else {
- $openvpn_gateway_address = $openvpn_config['gateway_address']
- if $openvpn_config['second_gateway_address'] {
- $openvpn_second_gateway_address = $openvpn_config['second_gateway_address']
+ $openvpn_gateway_address = $openvpn['gateway_address']
+ if $openvpn['second_gateway_address'] {
+ $openvpn_second_gateway_address = $openvpn['second_gateway_address']
} else {
$openvpn_second_gateway_address = undef
}
}
- $openvpn_allow_unlimited = $openvpn_config['allow_unlimited']
- $openvpn_unlimited_prefix = $openvpn_config['unlimited_prefix']
+ $openvpn_allow_unlimited = $openvpn['allow_unlimited']
+ $openvpn_unlimited_prefix = $openvpn['unlimited_prefix']
$openvpn_unlimited_tcp_network_prefix = '10.41.0'
$openvpn_unlimited_tcp_netmask = '255.255.248.0'
$openvpn_unlimited_tcp_cidr = '21'
@@ -51,9 +52,9 @@ class site_openvpn {
$openvpn_unlimited_udp_cidr = '21'
if !$::ec2_instance_id {
- $openvpn_allow_limited = $openvpn_config['allow_limited']
- $openvpn_limited_prefix = $openvpn_config['limited_prefix']
- $openvpn_rate_limit = $openvpn_config['rate_limit']
+ $openvpn_allow_limited = $openvpn['allow_limited']
+ $openvpn_limited_prefix = $openvpn['limited_prefix']
+ $openvpn_rate_limit = $openvpn['rate_limit']
$openvpn_limited_tcp_network_prefix = '10.43.0'
$openvpn_limited_tcp_netmask = '255.255.248.0'
$openvpn_limited_tcp_cidr = '21'
@@ -90,7 +91,8 @@ class site_openvpn {
tls_remote => "\"${openvpn_unlimited_prefix}\"",
server => "${openvpn_unlimited_tcp_network_prefix}.0 ${openvpn_unlimited_tcp_netmask}",
push => "\"dhcp-option DNS ${openvpn_unlimited_tcp_network_prefix}.1\"",
- management => '127.0.0.1 1000'
+ management => '127.0.0.1 1000',
+ config => $openvpn_config
}
site_openvpn::server_config { 'udp_config':
port => '1194',
@@ -99,7 +101,8 @@ class site_openvpn {
tls_remote => "\"${openvpn_unlimited_prefix}\"",
server => "${openvpn_unlimited_udp_network_prefix}.0 ${openvpn_unlimited_udp_netmask}",
push => "\"dhcp-option DNS ${openvpn_unlimited_udp_network_prefix}.1\"",
- management => '127.0.0.1 1001'
+ management => '127.0.0.1 1001',
+ config => $openvpn_config
}
} else {
tidy { '/etc/openvpn/tcp_config.conf': }
@@ -114,7 +117,8 @@ class site_openvpn {
tls_remote => "\"${openvpn_limited_prefix}\"",
server => "${openvpn_limited_tcp_network_prefix}.0 ${openvpn_limited_tcp_netmask}",
push => "\"dhcp-option DNS ${openvpn_limited_tcp_network_prefix}.1\"",
- management => '127.0.0.1 1002'
+ management => '127.0.0.1 1002',
+ config => $openvpn_config
}
site_openvpn::server_config { 'limited_udp_config':
port => '1194',
@@ -123,7 +127,8 @@ class site_openvpn {
tls_remote => "\"${openvpn_limited_prefix}\"",
server => "${openvpn_limited_udp_network_prefix}.0 ${openvpn_limited_udp_netmask}",
push => "\"dhcp-option DNS ${openvpn_limited_udp_network_prefix}.1\"",
- management => '127.0.0.1 1003'
+ management => '127.0.0.1 1003',
+ config => $openvpn_config
}
} else {
tidy { '/etc/openvpn/limited_tcp_config.conf': }
@@ -213,4 +218,7 @@ class site_openvpn {
target => '/etc/default/openvpn',
order => 10;
}
+
+ include site_check_mk::agent::openvpn
+
}
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp
index befeaef7..6246a836 100644
--- a/puppet/modules/site_openvpn/manifests/server_config.pp
+++ b/puppet/modules/site_openvpn/manifests/server_config.pp
@@ -54,7 +54,7 @@
define site_openvpn::server_config(
$port, $proto, $local, $server, $push,
- $management, $tls_remote = undef) {
+ $management, $config, $tls_remote = undef) {
$openvpn_configname = $name
@@ -96,15 +96,15 @@ define site_openvpn::server_config(
server => $openvpn_configname;
"tls-cipher ${openvpn_configname}":
key => 'tls-cipher',
- value => 'DHE-RSA-AES128-SHA',
+ value => $config['tls-cipher'],
server => $openvpn_configname;
"auth ${openvpn_configname}":
key => 'auth',
- value => 'SHA1',
+ value => $config['auth'],
server => $openvpn_configname;
"cipher ${openvpn_configname}":
key => 'cipher',
- value => 'AES-128-CBC',
+ value => $config['cipher'],
server => $openvpn_configname;
"dev ${openvpn_configname}":
key => 'dev',
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index de89c26e..bdfee665 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -4,7 +4,7 @@ class site_postfix::mx {
$domain = $domain_hash['full_suffix']
$host_domain = $domain_hash['full']
$cert_name = hiera('name')
- $mynetworks = join(hiera('mx_nodes'), ' ')
+ $mynetworks = join(hiera('mynetworks'), ' ')
$root_mail_recipient = hiera ('contacts')
$postfix_smtp_listen = 'all'
@@ -31,6 +31,10 @@ class site_postfix::mx {
value => 'vmail';
'smtpd_tls_received_header':
value => 'yes';
+ # Note: we are setting this here, instead of in site_postfix::mx::smtp_tls
+ # because the satellites need to have a different value
+ 'smtp_tls_security_level':
+ value => 'may';
}
include site_postfix::mx::smtpd_checks
diff --git a/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp b/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp
index aea66f78..83e27376 100644
--- a/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp
+++ b/puppet/modules/site_postfix/manifests/mx/reserved_aliases.pp
@@ -1,11 +1,13 @@
+# Defines which mail addresses shouldn't be available and where they should fwd
class site_postfix::mx::reserved_aliases {
postfix::mailalias {
- [ 'postmaster', 'hostmaster', 'domainadmin', 'certmaster', 'ssladmin',
- 'arin-admin', 'administrator', 'webmaster', 'www-data', 'www',
- 'nobody', 'sys', 'postgresql', 'mysql', 'bin', 'cron', 'lp', 'games',
- 'maildrop', 'abuse', 'noc', 'security', 'usenet', 'news', 'uucp',
- 'ftp' ]:
+ [ 'abuse', 'admin', 'arin-admin', 'administrator', 'bin', 'cron',
+ 'certmaster', 'domainadmin', 'games', 'ftp', 'hostmaster', 'lp',
+ 'maildrop', 'mysql', 'news', 'nobody', 'noc', 'postmaster', 'postgresql',
+ 'security', 'ssladmin', 'sys', 'usenet', 'uucp', 'webmaster', 'www',
+ 'www-data',
+ ]:
ensure => present,
recipient => 'root'
}
diff --git a/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp
index 3cc7ea72..d9b59f40 100644
--- a/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp
+++ b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp
@@ -20,8 +20,6 @@ class site_postfix::mx::smtp_tls {
value => 'sha1';
'smtp_tls_session_cache_database':
value => 'btree:${data_directory}/smtp_cache';
- 'smtp_tls_security_level':
- value => 'may';
# see issue #4011
'smtp_tls_protocols':
value => '!SSLv2, !SSLv3';
diff --git a/puppet/modules/site_postfix/manifests/satellite.pp b/puppet/modules/site_postfix/manifests/satellite.pp
index 7be51b22..5725e6b8 100644
--- a/puppet/modules/site_postfix/manifests/satellite.pp
+++ b/puppet/modules/site_postfix/manifests/satellite.pp
@@ -10,5 +10,38 @@ class site_postfix::satellite {
root_mail_recipient => $root_mail_recipient
}
+ # There are special conditions for satellite hosts that will make them not be
+ # able to contact their relayhost:
+ #
+ # 1. they are on openstack/amazon/PC and are on the same cluster as the relay
+ # host, the MX lookup for the relay host will use the public IP, which cannot
+ # be contacted
+ #
+ # 2. When a domain is used that is not in DNS, because it is internal,
+ # a testing domain, etc. eg. a .local domain cannot be looked up in DNS
+ #
+ # to resolve this, so the satellite can contact the relayhost, we need to set
+ # the http://www.postfix.org/postconf.5.html#smtp_host_lookup to be 'native'
+ # which will cause the lookup to use the native naming service
+ # (nsswitch.conf), which typically defaults to 'files, dns' allowing the
+ # /etc/hosts to be consulted first, then DNS if the entry doesn't exist.
+ #
+ # NOTE: this will make it not possible to enable DANE support through DNSSEC
+ # with http://www.postfix.org/postconf.5.html#smtp_dns_support_level - but
+ # this parameter is not available until 2.11. If this ends up being important
+ # we could also make this an optional parameter for providers without
+ # dns / local domains
+
+ postfix::config {
+ 'smtp_host_lookup':
+ value => 'native';
+
+ # Note: we are setting this here, instead of in site_postfix::mx::smtp_tls
+ # because the mx server has to have a different value
+ 'smtp_tls_security_level':
+ value => 'encrypt';
+ }
+
include site_postfix::mx::smtp_tls
+
}
diff --git a/puppet/modules/site_static/README b/puppet/modules/site_static/README
new file mode 100644
index 00000000..bc719782
--- /dev/null
+++ b/puppet/modules/site_static/README
@@ -0,0 +1,3 @@
+Deploy one or more static websites to a node.
+
+For now, it only supports `amber` based static sites. Should support plain html and jekyll in the future.
diff --git a/puppet/modules/site_static/manifests/domain.pp b/puppet/modules/site_static/manifests/domain.pp
new file mode 100644
index 00000000..8af2230f
--- /dev/null
+++ b/puppet/modules/site_static/manifests/domain.pp
@@ -0,0 +1,28 @@
+define site_static::domain (
+ $locations,
+ $ca_cert,
+ $key,
+ $cert,
+ $tls_only) {
+
+ $domain = $name
+ $base_dir = '/srv/static'
+
+ create_resources(site_static::location, $locations)
+
+ x509::cert { $domain: content => $cert }
+ x509::key { $domain: content => $key }
+ x509::ca { "${domain}_ca": content => $ca_cert }
+
+ class { '::apache': no_default_site => true, ssl => true }
+ include site_apache::module::headers
+ include site_apache::module::alias
+ include site_apache::module::expires
+ include site_apache::module::removeip
+ include site_apache::module::rewrite
+
+ apache::vhost::file { $domain:
+ content => template('site_static/apache.conf.erb')
+ }
+
+}
diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp
new file mode 100644
index 00000000..91a4a7a9
--- /dev/null
+++ b/puppet/modules/site_static/manifests/init.pp
@@ -0,0 +1,17 @@
+class site_static {
+ tag 'leap_service'
+ $static = hiera('static')
+ $domains = $static['domains']
+ $formats = $static['formats']
+
+ if (member($formats, 'amber')) {
+ include site_config::ruby::dev
+ rubygems::gem{'amber': }
+ }
+
+ create_resources(site_static::domain, $domains)
+
+ include site_shorewall::defaults
+ include site_shorewall::service::http
+ include site_shorewall::service::https
+} \ No newline at end of file
diff --git a/puppet/modules/site_static/manifests/location.pp b/puppet/modules/site_static/manifests/location.pp
new file mode 100644
index 00000000..1ba6807e
--- /dev/null
+++ b/puppet/modules/site_static/manifests/location.pp
@@ -0,0 +1,25 @@
+define site_static::location($path, $format, $source) {
+
+ $file_path = "/srv/static/${name}"
+
+ if ($format == 'amber') {
+ exec {"amber_build_${name}":
+ cwd => $file_path,
+ command => 'amber rebuild',
+ user => 'www-data',
+ timeout => 600,
+ subscribe => Vcsrepo[$file_path]
+ }
+ }
+
+ vcsrepo { $file_path:
+ ensure => present,
+ force => true,
+ revision => $source['revision'],
+ provider => $source['type'],
+ source => $source['repo'],
+ owner => 'www-data',
+ group => 'www-data'
+ }
+
+}
diff --git a/puppet/modules/site_static/templates/apache.conf.erb b/puppet/modules/site_static/templates/apache.conf.erb
new file mode 100644
index 00000000..76534911
--- /dev/null
+++ b/puppet/modules/site_static/templates/apache.conf.erb
@@ -0,0 +1,109 @@
+<%-
+ ##
+ ## An apache config for static websites.
+ ##
+ def location_directory(name, location)
+ if location['format'] == 'amber'
+ File.join(@base_dir, name, 'public')
+ else
+ File.join(@base_dir, name)
+ end
+ end
+ document_root = '/var/www'
+ @locations.each do |name, location|
+ if location['path'] == '/'
+ document_root = location_directory(name, location)
+ end
+ end
+-%>
+
+<VirtualHost *:80>
+ ServerName <%= @domain %>
+ ServerAlias www.<%= @domain %>
+ RewriteEngine On
+ RewriteRule ^.*$ https://<%= @domain -%>%{REQUEST_URI} [R=permanent,L]
+</VirtualHost>
+
+<VirtualHost *:443>
+ ServerName <%= @domain %>
+ ServerAlias www.<%= @domain %>
+
+ #RewriteLog "/var/log/apache2/rewrite.log"
+ #RewriteLogLevel 3
+
+ SSLEngine on
+ SSLProtocol -all +SSLv3 +TLSv1
+ SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH
+ SSLHonorCipherOrder on
+
+ Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains"
+ Header set X-Frame-Options "deny"
+
+ SSLCertificateKeyFile /etc/x509/keys/<%= @domain %>.key
+ SSLCertificateFile /etc/x509/certs/<%= @domain %>.crt
+ SSLCertificateChainFile /etc/ssl/certs/<%= @domain %>_ca.pem
+
+ RequestHeader set X_FORWARDED_PROTO 'https'
+
+ DocumentRoot <%= document_root %>
+
+<%- @locations.each do |name, location| -%>
+ ##
+ ## <%= name %>
+ ##
+ <%- if location['path'] == '/' -%>
+ # Location /
+ <%- else -%>
+ Alias <%= location['path'] %> <%= location_directory(name, location) %>
+ <Location <%= location['path'] %>>
+ <%- end -%>
+ # remove trailing slashes
+ RewriteEngine On
+ RewriteRule ^(.+)/$ /$1 [R=301,L]
+
+ # e.g. /de/blah => /blah/index.de.html
+ RewriteCond %{DOCUMENT_ROOT}/$2/index.$1.html -f
+ RewriteRule ^/([a-z]{2})/(.*) /$2/index.$1.html [L]
+
+ # e.g. /de/foo/bar => /foo/bar.de.html
+ RewriteCond %{DOCUMENT_ROOT}/$2.$1.html -f
+ RewriteRule ^/([a-z]{2})/(.*) /$2.$1.html [L]
+
+ # e.g. /de => /index.de.html
+ RewriteCond %{DOCUMENT_ROOT}/index.$1.html -f
+ RewriteRule ^/([a-z]{2})$ /index.$1.html [L]
+
+ # e.g. /de/img.png => /img.png
+ RewriteCond %{DOCUMENT_ROOT}/$2 -f
+ RewriteRule ^/([a-z]{2})/(.*) /$2 [L]
+
+ # Simulate "DirectorySlash On"
+ # e.g. /foo/bar => /foo/bar/ (so that MultiViews will negotiate correct locale file)
+ RewriteCond %{DOCUMENT_ROOT}/$1 -d
+ RewriteRule ^/(.*[^/])$ /$1/ [PT]
+ <%- if location['path'] == '/' -%>
+ # end Location /
+ <%- else -%>
+ </Location>
+ <%- end -%>
+ <Directory <%= location_directory(name, location) %>>
+ ##
+ ## PERMISSIONS
+ ##
+ AllowOverride None
+ Order deny,allow
+ Allow from all
+
+ ##
+ ## LOCALE SUPPORT (e.g. index.en.html)
+ ##
+ LanguagePriority en
+ ForceLanguagePriority Prefer Fallback
+ DirectoryIndex index
+ DirectorySlash Off
+ Options +MultiViews
+ </Directory>
+
+<%- end -%>
+
+</VirtualHost>