From 482c3d5a77d05043f5276d4f19168d2b777d3ef0 Mon Sep 17 00:00:00 2001 From: elijah Date: Sun, 23 Mar 2014 16:11:32 -0700 Subject: modules/site_static: part 1 - amber --- puppet/modules/site_static/README | 3 +++ puppet/modules/site_static/manifests/domain.pp | 9 +++++++++ puppet/modules/site_static/manifests/init.pp | 13 ++++++++++++ puppet/modules/site_static/manifests/location.pp | 25 ++++++++++++++++++++++++ 4 files changed, 50 insertions(+) create mode 100644 puppet/modules/site_static/README create mode 100644 puppet/modules/site_static/manifests/domain.pp create mode 100644 puppet/modules/site_static/manifests/init.pp create mode 100644 puppet/modules/site_static/manifests/location.pp (limited to 'puppet/modules/site_static') diff --git a/puppet/modules/site_static/README b/puppet/modules/site_static/README new file mode 100644 index 00000000..bc719782 --- /dev/null +++ b/puppet/modules/site_static/README @@ -0,0 +1,3 @@ +Deploy one or more static websites to a node. + +For now, it only supports `amber` based static sites. Should support plain html and jekyll in the future. diff --git a/puppet/modules/site_static/manifests/domain.pp b/puppet/modules/site_static/manifests/domain.pp new file mode 100644 index 00000000..48284106 --- /dev/null +++ b/puppet/modules/site_static/manifests/domain.pp @@ -0,0 +1,9 @@ +define site_static::domain ( + $locations, + $ca_cert, + $key, + $cert, + $tls_only) { + + create_resources(site_static::location, $locations) +} diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp new file mode 100644 index 00000000..cc447cf7 --- /dev/null +++ b/puppet/modules/site_static/manifests/init.pp @@ -0,0 +1,13 @@ +class site_static { + tag 'leap_service' + $static = hiera('static') + $domains = $static['domains'] + $formats = $static['formats'] + + if (member($formats, 'amber')) { + include site_config::ruby::dev + rubygems::gem{'amber': } + } + + create_resources(site_static::domain, $domains) +} \ No newline at end of file diff --git a/puppet/modules/site_static/manifests/location.pp b/puppet/modules/site_static/manifests/location.pp new file mode 100644 index 00000000..1ba6807e --- /dev/null +++ b/puppet/modules/site_static/manifests/location.pp @@ -0,0 +1,25 @@ +define site_static::location($path, $format, $source) { + + $file_path = "/srv/static/${name}" + + if ($format == 'amber') { + exec {"amber_build_${name}": + cwd => $file_path, + command => 'amber rebuild', + user => 'www-data', + timeout => 600, + subscribe => Vcsrepo[$file_path] + } + } + + vcsrepo { $file_path: + ensure => present, + force => true, + revision => $source['revision'], + provider => $source['type'], + source => $source['repo'], + owner => 'www-data', + group => 'www-data' + } + +} -- cgit v1.2.3 From 51f320178a58d7a05860cfd8d6129a16cd4ca9d8 Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 24 Mar 2014 01:47:46 -0700 Subject: modules/site_static: part 2 - apache --- puppet/modules/site_static/manifests/domain.pp | 19 ++++ puppet/modules/site_static/manifests/init.pp | 4 + .../modules/site_static/templates/apache.conf.erb | 109 +++++++++++++++++++++ 3 files changed, 132 insertions(+) create mode 100644 puppet/modules/site_static/templates/apache.conf.erb (limited to 'puppet/modules/site_static') diff --git a/puppet/modules/site_static/manifests/domain.pp b/puppet/modules/site_static/manifests/domain.pp index 48284106..8af2230f 100644 --- a/puppet/modules/site_static/manifests/domain.pp +++ b/puppet/modules/site_static/manifests/domain.pp @@ -5,5 +5,24 @@ define site_static::domain ( $cert, $tls_only) { + $domain = $name + $base_dir = '/srv/static' + create_resources(site_static::location, $locations) + + x509::cert { $domain: content => $cert } + x509::key { $domain: content => $key } + x509::ca { "${domain}_ca": content => $ca_cert } + + class { '::apache': no_default_site => true, ssl => true } + include site_apache::module::headers + include site_apache::module::alias + include site_apache::module::expires + include site_apache::module::removeip + include site_apache::module::rewrite + + apache::vhost::file { $domain: + content => template('site_static/apache.conf.erb') + } + } diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp index cc447cf7..91a4a7a9 100644 --- a/puppet/modules/site_static/manifests/init.pp +++ b/puppet/modules/site_static/manifests/init.pp @@ -10,4 +10,8 @@ class site_static { } create_resources(site_static::domain, $domains) + + include site_shorewall::defaults + include site_shorewall::service::http + include site_shorewall::service::https } \ No newline at end of file diff --git a/puppet/modules/site_static/templates/apache.conf.erb b/puppet/modules/site_static/templates/apache.conf.erb new file mode 100644 index 00000000..76534911 --- /dev/null +++ b/puppet/modules/site_static/templates/apache.conf.erb @@ -0,0 +1,109 @@ +<%- + ## + ## An apache config for static websites. + ## + def location_directory(name, location) + if location['format'] == 'amber' + File.join(@base_dir, name, 'public') + else + File.join(@base_dir, name) + end + end + document_root = '/var/www' + @locations.each do |name, location| + if location['path'] == '/' + document_root = location_directory(name, location) + end + end +-%> + + + ServerName <%= @domain %> + ServerAlias www.<%= @domain %> + RewriteEngine On + RewriteRule ^.*$ https://<%= @domain -%>%{REQUEST_URI} [R=permanent,L] + + + + ServerName <%= @domain %> + ServerAlias www.<%= @domain %> + + #RewriteLog "/var/log/apache2/rewrite.log" + #RewriteLogLevel 3 + + SSLEngine on + SSLProtocol -all +SSLv3 +TLSv1 + SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH + SSLHonorCipherOrder on + + Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains" + Header set X-Frame-Options "deny" + + SSLCertificateKeyFile /etc/x509/keys/<%= @domain %>.key + SSLCertificateFile /etc/x509/certs/<%= @domain %>.crt + SSLCertificateChainFile /etc/ssl/certs/<%= @domain %>_ca.pem + + RequestHeader set X_FORWARDED_PROTO 'https' + + DocumentRoot <%= document_root %> + +<%- @locations.each do |name, location| -%> + ## + ## <%= name %> + ## + <%- if location['path'] == '/' -%> + # Location / + <%- else -%> + Alias <%= location['path'] %> <%= location_directory(name, location) %> + > + <%- end -%> + # remove trailing slashes + RewriteEngine On + RewriteRule ^(.+)/$ /$1 [R=301,L] + + # e.g. /de/blah => /blah/index.de.html + RewriteCond %{DOCUMENT_ROOT}/$2/index.$1.html -f + RewriteRule ^/([a-z]{2})/(.*) /$2/index.$1.html [L] + + # e.g. /de/foo/bar => /foo/bar.de.html + RewriteCond %{DOCUMENT_ROOT}/$2.$1.html -f + RewriteRule ^/([a-z]{2})/(.*) /$2.$1.html [L] + + # e.g. /de => /index.de.html + RewriteCond %{DOCUMENT_ROOT}/index.$1.html -f + RewriteRule ^/([a-z]{2})$ /index.$1.html [L] + + # e.g. /de/img.png => /img.png + RewriteCond %{DOCUMENT_ROOT}/$2 -f + RewriteRule ^/([a-z]{2})/(.*) /$2 [L] + + # Simulate "DirectorySlash On" + # e.g. /foo/bar => /foo/bar/ (so that MultiViews will negotiate correct locale file) + RewriteCond %{DOCUMENT_ROOT}/$1 -d + RewriteRule ^/(.*[^/])$ /$1/ [PT] + <%- if location['path'] == '/' -%> + # end Location / + <%- else -%> + + <%- end -%> + > + ## + ## PERMISSIONS + ## + AllowOverride None + Order deny,allow + Allow from all + + ## + ## LOCALE SUPPORT (e.g. index.en.html) + ## + LanguagePriority en + ForceLanguagePriority Prefer Fallback + DirectoryIndex index + DirectorySlash Off + Options +MultiViews + + +<%- end -%> + + -- cgit v1.2.3 From c07e3d075149af0bbcd840ad0743df46d3baca5f Mon Sep 17 00:00:00 2001 From: elijah Date: Sat, 5 Apr 2014 11:39:03 -0700 Subject: update site_static to work with new amber and have better tls ciphers --- .../modules/site_static/templates/apache.conf.erb | 70 ++++++---------------- 1 file changed, 19 insertions(+), 51 deletions(-) (limited to 'puppet/modules/site_static') diff --git a/puppet/modules/site_static/templates/apache.conf.erb b/puppet/modules/site_static/templates/apache.conf.erb index 76534911..2abe1a98 100644 --- a/puppet/modules/site_static/templates/apache.conf.erb +++ b/puppet/modules/site_static/templates/apache.conf.erb @@ -15,6 +15,7 @@ document_root = location_directory(name, location) end end + document_root = document_root.gsub(%r{^/|/$}, '') -%> @@ -32,9 +33,10 @@ #RewriteLogLevel 3 SSLEngine on - SSLProtocol -all +SSLv3 +TLSv1 - SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH + SSLProtocol all -SSLv2 SSLHonorCipherOrder on + SSLCompression off + SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK" Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains" Header set X-Frame-Options "deny" @@ -45,64 +47,30 @@ RequestHeader set X_FORWARDED_PROTO 'https' - DocumentRoot <%= document_root %> + DocumentRoot "/<%= document_root %>/" + AccessFileName .htaccess <%- @locations.each do |name, location| -%> + <%- path = location['path'].gsub(%r{^/|/$}, '') -%> + <%- directory = location_directory(name, location) -%> ## ## <%= name %> ## - <%- if location['path'] == '/' -%> - # Location / - <%- else -%> - Alias <%= location['path'] %> <%= location_directory(name, location) %> - > - <%- end -%> - # remove trailing slashes - RewriteEngine On - RewriteRule ^(.+)/$ /$1 [R=301,L] - - # e.g. /de/blah => /blah/index.de.html - RewriteCond %{DOCUMENT_ROOT}/$2/index.$1.html -f - RewriteRule ^/([a-z]{2})/(.*) /$2/index.$1.html [L] - - # e.g. /de/foo/bar => /foo/bar.de.html - RewriteCond %{DOCUMENT_ROOT}/$2.$1.html -f - RewriteRule ^/([a-z]{2})/(.*) /$2.$1.html [L] - - # e.g. /de => /index.de.html - RewriteCond %{DOCUMENT_ROOT}/index.$1.html -f - RewriteRule ^/([a-z]{2})$ /index.$1.html [L] - - # e.g. /de/img.png => /img.png - RewriteCond %{DOCUMENT_ROOT}/$2 -f - RewriteRule ^/([a-z]{2})/(.*) /$2 [L] - - # Simulate "DirectorySlash On" - # e.g. /foo/bar => /foo/bar/ (so that MultiViews will negotiate correct locale file) - RewriteCond %{DOCUMENT_ROOT}/$1 -d - RewriteRule ^/(.*[^/])$ /$1/ [PT] - <%- if location['path'] == '/' -%> - # end Location / + <%- if path == '' -%> + /"> + AllowOverride FileInfo Indexes Options=All,MultiViews + Order deny,allow + Allow from all + <%- else -%> - - <%- end -%> - > - ## - ## PERMISSIONS - ## - AllowOverride None + AliasMatch ^/[a-z]{2}/<%=path%>(/.+|/|)$ "/<%=directory%>/$1" + Alias /<%=path%> "/<%=directory%>/" + /"> + AllowOverride FileInfo Indexes Options=All,MultiViews Order deny,allow Allow from all - - ## - ## LOCALE SUPPORT (e.g. index.en.html) - ## - LanguagePriority en - ForceLanguagePriority Prefer Fallback - DirectoryIndex index - DirectorySlash Off - Options +MultiViews + <%- end -%> <%- end -%> -- cgit v1.2.3