From 68ac64b13f4687bcc87c594097fab52501ba7991 Mon Sep 17 00:00:00 2001
From: Ossi Salmi
Date: Thu, 31 Jan 2013 20:53:08 +0200
Subject: [PATCH 1/3] Added 'first' parameter to apache::sslsite

When set to true, ensures the site configuration is loaded first, thus becoming the default virtual host when NameVirtualHost (and SNI) is used.
---
 apache/manifests/debian.pp | 12 +++++++++---
 apache/manifests/init.pp | 7 ++++++-
 apache/manifests/redhat.pp | 12 +++++++++---
 3 files changed, 24 insertions(+), 7 deletions(-)

diff --git a/apache/manifests/debian.pp b/apache/manifests/debian.pp
index 41e6181..2cefa81 100644
--- a/apache/manifests/debian.pp
+++ b/apache/manifests/debian.pp
@@ -180,7 +180,8 @@ class apache::debian::sslserver inherits apache::debian::common {
 }
 
 
-define apache::debian::sslsite($ipaddr, $root, $ssl_cert, $ssl_key, $ssl_chain) {
+define apache::debian::sslsite($first, $ipaddr, $root,
+                               $ssl_cert, $ssl_key, $ssl_chain) {
 
     if $name == "default" {
         $site_fqdn = $homename
@@ -253,8 +254,13 @@ define apache::debian::sslsite($ipaddr, $root, $ssl_cert, $ssl_key, $ssl_chain)
         }
     }
 
-    $site_conf = "/etc/apache2/sites-enabled/${site_fqdn}-ssl.conf"
-    $site_confdir = "/etc/apache2/sites-enabled/${site_fqdn}-ssl.d"
+    if $first == true {
+        $site_conf = "/etc/httpd/site.https.d/00-${site_fqdn}.conf"
+        $site_confdir = "/etc/httpd/site.https.d/00-${site_fqdn}.d"
+    } else {
+        $site_conf = "/etc/httpd/site.https.d/${site_fqdn}.conf"
+        $site_confdir = "/etc/httpd/site.https.d/${site_fqdn}.d"
+    }
 
     file { $site_conf:
         ensure => present,
diff --git a/apache/manifests/init.pp b/apache/manifests/init.pp
index 7a6ec23..cbfea9b 100644
--- a/apache/manifests/init.pp
+++ b/apache/manifests/init.pp
@@ -248,6 +248,9 @@ class apache::sslserver::listen {
 #
 # $name:
 #   FQDN of virtual host.
+# $first:
+#   Bool for whether this is the first (default) vhost
+#   when using NameVirtualHost. Defaults to false.
 # $ipaddr:
 #   IP address of virtual host. Defaults to _default_.
 # $root:
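Review bot: The new `$first` documentation should state that the value must be the boolean `true` and that at most one sslsite per host may set it: the platform implementations choose the `00-` prefixed path only on `$first == true`, so a string `"true"` from Hiera or an ENC silently lands in the else branch, and two sites both setting it both get a `00-` prefix with no conflict reported. Because the default vhost is the one that answers non-SNI clients and unmatched Host headers, a site that is silently not the default is a certificate and dispatch surprise rather than a cosmetic one. Suggested replacement for the two added description lines: `#   Boolean; when true the vhost config is named 00-<fqdn> so it loads first and` / `#   becomes the default for NameVirtualHost and non-SNI clients. Set it on at most` / `#   one site per host. Defaults to false.`. The define this comment block documents begins in the following hunk.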
@@ -267,7 +270,7 @@ class apache::sslserver::listen {
 #   ssl_key => "puppet:///path/to/www.example.com.key",
 # }
 #
-define apache::sslsite($ipaddr="_default_", $root="", $ssl_cert="", $ssl_key="", $ssl_chain="") {
+define apache::sslsite($first=false, $ipaddr="_default_", $root="", $ssl_cert="", $ssl_key="", $ssl_chain="") {
 
     include apache::sslserver::listen
 
@@ -275,6 +278,7 @@ define apache::sslsite($ipaddr="_default_", $root="", $ssl_cert="", $ssl_key="",
         "debian","ubuntu": {
             $apache_ssldir = "/etc/ssl"
             apache::debian::sslsite { $name:
+                first => $first,
                 ipaddr => $ipaddr,
                 root => $root,
                 ssl_cert => $ssl_cert,
@@ -286,6 +290,7 @@ define apache::sslsite($ipaddr="_default_", $root="", $ssl_cert="", $ssl_key="",
         "centos","redhat","fedora": {
             $apache_ssldir = "/etc/pki/tls"
             apache::redhat::sslsite { $name:
+                first => $first,
                 ipaddr => $ipaddr,
                 root => $root,
                 ssl_cert => $ssl_cert,
diff --git a/apache/manifests/redhat.pp b/apache/manifests/redhat.pp
index eba1b58..023efe5 100644
--- a/apache/manifests/redhat.pp
+++ b/apache/manifests/redhat.pp
@@ -219,7 +219,8 @@ class apache::redhat::sslserver {
 }
 
 
-define apache::redhat::sslsite($ipaddr, $root, $ssl_cert, $ssl_key, $ssl_chain) {
+define apache::redhat::sslsite($first, $ipaddr, $root,
+                               $ssl_cert, $ssl_key, $ssl_chain) {
 
     if $name == "default" {
         $site_fqdn = $homename
@@ -293,8 +294,13 @@ define apache::redhat::sslsite($ipaddr, $root, $ssl_cert, $ssl_key, $ssl_chain)
         }
     }
 
-    $site_conf = "/etc/httpd/site.https.d/${site_fqdn}.conf"
-    $site_confdir = "/etc/httpd/site.https.d/${site_fqdn}.d"
+    if $first == true {
+        $site_conf = "/etc/httpd/site.https.d/00-${site_fqdn}.conf"
+        $site_confdir = "/etc/httpd/site.https.d/00-${site_fqdn}.d"
+    } else {
+        $site_conf = "/etc/httpd/site.https.d/${site_fqdn}.conf"
+        $site_confdir = "/etc/httpd/site.https.d/${site_fqdn}.d"
+    }
 
     file { $site_conf:
         ensure => present,

From 93f029a4a3532ba0f01f98ba2871747d92177a89 Mon Sep 17 00:00:00 2001
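Review bot: Flipping `first` on an already-deployed site changes which path `$site_conf` and `$site_confdir` point to, but nothing in this hunk removes the file under the other name, so both `${site_fqdn}.conf` and `00-${site_fqdn}.conf` remain in site.https.d and httpd loads two vhosts for the same name, the stale one carrying whatever cert and key paths it had when it was written, unless that directory is purged somewhere outside this patch. The same gap exists in the debian implementation. One fix is to compute the alternate names in each branch and manage them with `ensure => absent`, notifying the same service that the `file { $site_conf: ... }` resource below notifies (that resource body continues past the end of the hunk, so the service name is not visible here). Separately, `$first == true` only matches a boolean, so a string `"true"` selects the non-default branch without any error; a guard such as `if $first != true and $first != false { fail("apache::sslsite ${name}: first must be a boolean") }` would make that visible at compile time.
```puppet
    if $first == true {
        $site_conf = "/etc/httpd/site.https.d/00-${site_fqdn}.conf"
        $site_confdir = "/etc/httpd/site.https.d/00-${site_fqdn}.d"
        $stale_conf = "/etc/httpd/site.https.d/${site_fqdn}.conf"
        $stale_confdir = "/etc/httpd/site.https.d/${site_fqdn}.d"
    } else {
        $site_conf = "/etc/httpd/site.https.d/${site_fqdn}.conf"
        $site_confdir = "/etc/httpd/site.https.d/${site_fqdn}.d"
        $stale_conf = "/etc/httpd/site.https.d/00-${site_fqdn}.conf"
        $stale_confdir = "/etc/httpd/site.https.d/00-${site_fqdn}.d"
    }

    # Remove the config under the other naming scheme so toggling
    # 'first' cannot leave two vhosts for the same name loaded.
    file { [ $stale_conf, $stale_confdir ]:
        ensure  => absent,
        recurse => true,
        force   => true,
    }

    # ... unchanged: file { $site_conf: ... } ...
```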
From: Ossi Salmi
Date: Thu, 31 Jan 2013 21:01:41 +0200
Subject: [PATCH 2/3] Fixed paths in apache::debian::sslsite

---
 apache/manifests/debian.pp | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/apache/manifests/debian.pp b/apache/manifests/debian.pp
index 2cefa81..c05721e 100644
--- a/apache/manifests/debian.pp
+++ b/apache/manifests/debian.pp
@@ -255,11 +255,11 @@ define apache::debian::sslsite($first, $ipaddr, $root,
     }
 
     if $first == true {
-        $site_conf = "/etc/httpd/site.https.d/00-${site_fqdn}.conf"
-        $site_confdir = "/etc/httpd/site.https.d/00-${site_fqdn}.d"
+        $site_conf = "/etc/apache2/sites-enabled/00-${site_fqdn}-ssl.conf"
+        $site_confdir = "/etc/apache2/sites-enabled/00-${site_fqdn}-ssl.d"
     } else {
-        $site_conf = "/etc/httpd/site.https.d/${site_fqdn}.conf"
-        $site_confdir = "/etc/httpd/site.https.d/${site_fqdn}.d"
+        $site_conf = "/etc/apache2/sites-enabled/${site_fqdn}-ssl.conf"
+        $site_confdir = "/etc/apache2/sites-enabled/${site_fqdn}-ssl.d"
     }
 
     file { $site_conf:

From 2e6f13d0d688f9688102a22160537f85804419a0 Mon Sep 17 00:00:00 2001
From: Ossi Salmi
Date: Sat, 9 Feb 2013 01:47:35 +0200
Subject: [PATCH 3/3] Added selinux::restorecond for managing restorecond service

---
 selinux/files/restorecond.conf | 8 ++++++++
 selinux/manifests/init.pp | 28 ++++++++++++++++++++++++++++
 2 files changed, 36 insertions(+)
 create mode 100644 selinux/files/restorecond.conf

diff --git a/selinux/files/restorecond.conf b/selinux/files/restorecond.conf
new file mode 100644
index 0000000..58b723a
--- /dev/null
+++ b/selinux/files/restorecond.conf
@@ -0,0 +1,8 @@
+/etc/services
+/etc/resolv.conf
+/etc/samba/secrets.tdb
+/etc/mtab
+/var/run/utmp
+/var/log/wtmp
+/root/*
+/root/.ssh/*
diff --git a/selinux/manifests/init.pp b/selinux/manifests/init.pp
index 76e57f2..13cd8e1 100644
--- a/selinux/manifests/init.pp
+++ b/selinux/manifests/init.pp
@@ -92,6 +92,34 @@ class selinux::tools {
 }
 
 
+# Enable restorecond service.
+#
+class selinux::restorecond {
+
+    if $::selinux == "true" {
+        file { "/etc/selinux/restorecond.conf":
+            ensure => present,
+            mode => "0644",
+            owner => "root",
+            group => "root",
+            seltype => "selinux_config_t",
+            source => [
+                "puppet:///files/selinux/restorecond.conf.${homename}",
+                "puppet:///files/selinux/restorecond.conf",
+                "puppet:///modules/selinux/restorecond.conf",
+            ],
+            notify => Service["restorecond"],
+        }
+
+        service { "restorecond":
+            ensure => running,
+            enable => true,
+        }
+    }
+
+}
+
+
 # Set SELinux boolean value
 #
 # === Parameters
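Review bot: The `service { "restorecond": }` resource declares no relationship to whatever installs the restorecond binary, so on a host where the providing package (policycoreutils, or a split policycoreutils-restorecond package on newer distributions) is not yet installed the first run fails on the service instead of on a missing package; add `require => Package[...]` with the package name this module uses, or `require => Class["selinux::tools"]` if that class installs it (its body lies outside the hunk). The `$::selinux == "true"` guard only matches the string form of the fact; if any Facter version in use exposes `selinux` as a boolean, the comparison is false and the class silently manages nothing, so `if $::selinux == true or $::selinux == "true"` is safer. When the guard is false the class has no else branch, so a host that previously had restorecond enabled keeps it enabled; `service { "restorecond": ensure => stopped, enable => false }` in an else branch would make the class converge either way. The header comment could also say what the daemon does, e.g. `# Run restorecond, which watches the paths listed in restorecond.conf and resets their SELinux file contexts when they are recreated.`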