Diffstat (limited to 'puppet')
4 files changed, 58 insertions, 2 deletions
diff --git a/puppet/modules/site_apache/files/conf.d/acme.conf b/puppet/modules/site_apache/files/conf.d/acme.conf
new file mode 100644
index 00000000..cdddf53e
--- /dev/null
+++ b/puppet/modules/site_apache/files/conf.d/acme.conf
@@ -0,0 +1,10 @@
+#
+# Allow ACME certificate verification if /srv/acme exists.
+#
+<IfModule mod_headers.c>
+  Alias "/.well-known/acme-challenge/" "/srv/acme/"
+  <Directory "/srv/acme/*">
+    Require all granted
+    Header set Content-Type "application/jose+json"
+  </Directory>
+</IfModule>
diff --git a/puppet/modules/site_apache/manifests/common.pp b/puppet/modules/site_apache/manifests/common.pp
index 8a11759a..208c15d5 100644
--- a/puppet/modules/site_apache/manifests/common.pp
+++ b/puppet/modules/site_apache/manifests/common.pp
@@ -27,4 +27,6 @@ class site_apache::common {
   }
   include site_apache::common::tls
+  include site_apache::common::acme
+
 }
diff --git a/puppet/modules/site_apache/manifests/common/acme.pp b/puppet/modules/site_apache/manifests/common/acme.pp
new file mode 100644
index 00000000..eda4148b
--- /dev/null
+++ b/puppet/modules/site_apache/manifests/common/acme.pp
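Review bot: The `<Directory "/srv/acme/*">` block in the new acme.conf appears to apply only to subdirectories of /srv/acme, because a trailing wildcard in a Directory path matches directory names one level below it, so challenge files written directly into /srv/acme (the target of the Alias) inherit the server's default policy for /srv rather than `Require all granted`; `<Directory "/srv/acme">` would cover the aliased path itself. The `<IfModule mod_headers.c>` guard also makes the whole Alias disappear when mod_headers is not loaded, which does not match the header comment `Allow ACME certificate verification if /srv/acme exists`; only the `Header set` line needs the module guard. Since the directory is served with `Require all granted`, `Options -Indexes` inside the Directory block would keep a request for the bare challenge path from listing pending tokens where autoindex is enabled.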
@@ -0,0 +1,38 @@
+#
+# Allows for potential ACME validations (aka Let's Encrypt)
+#
+class site_apache::common::acme {
+  #
+  # well, this doesn't work:
+  #
+  # apache::config::global {'acme.conf':}
+  #
+  # since /etc/apache2/conf.d is NEVER LOADED BY APACHE
+  # https://gitlab.com/shared-puppet-modules-group/apache/issues/11
+  #
+
+  file {
+    '/etc/apache2/conf-available/acme.conf':
+      ensure  => present,
+      source  => 'puppet:///modules/site_apache/conf.d/acme.conf',
+      require => Package[apache],
+      notify  => Service[apache];
+    '/etc/apache2/conf-enabled/acme.conf':
+      ensure  => link,
+      target  => '/etc/apache2/conf-available/acme.conf',
+      require => Package[apache],
+      notify  => Service[apache];
+  }
+
+  file {
+    '/srv/acme':
+      ensure => 'directory',
+      owner => 'www-data',
+      group => 'www-data',
+      mode => '0755';
+    '/srv/acme/ok':
+      owner => 'www-data',
+      group => 'www-data',
+      content => 'ok';
+  }
+}
diff --git a/puppet/modules/site_config/manifests/x509/commercial/ca.pp b/puppet/modules/site_config/manifests/x509/commercial/ca.pp
index c76a9dbb..21d57445 100644
--- a/puppet/modules/site_config/manifests/x509/commercial/ca.pp
+++ b/puppet/modules/site_config/manifests/x509/commercial/ca.pp
@@ -5,7 +5,13 @@ class site_config::x509::commercial::ca {
   $x509      = hiera('x509')
   $ca        = $x509['commercial_ca_cert']
-  x509::ca { $site_config::params::commercial_ca_name:
-    content => $ca
+  #
+  # CA cert might be empty, if it was bundled with 'commercial_cert'
+  # instead of specified separately.
+  #
+  if ($ca) {
+    x509::ca { $site_config::params::commercial_ca_name:
+      content => $ca
+    }
   }
 }
|
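Review bot: Both `/srv/acme` and `/srv/acme/ok` are owned by `www-data`, which gives the web server worker write access to the directory it serves under `Require all granted`; unless the ACME client on this platform runs as www-data, Apache only needs read access, so `owner => 'root', group => 'root'` with the existing `mode => '0755'` is the least-privilege choice. `/srv/acme/ok` also has no `ensure => file` and no `mode`, so it relies on defaults while its sibling resources spell them out. The `Package[apache]` and `Service[apache]` references depend on resources declared by the apache module outside this hunk.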
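Review bot: `if ($ca)` does not catch an empty string if this platform runs Puppet 4 or later, where only `undef` and `false` are falsey, so a `commercial_ca_cert: ''` in hiera would still declare the `x509::ca` with empty content despite the comment `CA cert might be empty`; `if ($ca and $ca != '')` covers both parser generations. The enclosing class starts before this hunk. A missing intermediate chain normally only surfaces as a client-side TLS validation failure, so a `notice()` in the skip path would make the silent omission visible in the agent log.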
