diff --git a/apache/manifests/debian.pp b/apache/manifests/debian.pp
index 395f782..116cf73 100644
--- a/apache/manifests/debian.pp
+++ b/apache/manifests/debian.pp
@@ -10,7 +10,9 @@ class apache::debian::common {
file { [ "/srv/www/http",
"/srv/www/http/${fqdn}",
"/srv/www/log/http",
- "/srv/www/log/http/${fqdn}", ]:
+ "/srv/www/log/http/${fqdn}",
+ "/etc/apache2/conf.d",
+ "/etc/apache2/sites-enabled", ]:
ensure => directory,
mode => 0644,
owner => root,
@@ -19,22 +21,43 @@ class apache::debian::common {
before => File["/etc/apache2/apache2.conf"],
}
+ File["/etc/apache2/conf.d", "/etc/apache2/sites-enabled"] {
+ purge => true,
+ force => true,
+ recurse => true,
+ source => "puppet:///custom/empty",
+ }
+
file { "/etc/apache2/envvars":
ensure => present,
content => template("apache/apache2.envvars.erb"),
mode => 0644,
owner => root,
group => root,
+ before => File["/etc/apache2/apache2.conf"],
+ require => Package["httpd"],
+ notify => Service["apache2"],
+ }
+
+ file { "/etc/apache2/httpd.conf":
+ ensure => present,
+ content => template("apache/apache2.httpd.conf.erb"),
+ mode => 0644,
+ owner => root,
+ group => root,
+ before => File["/etc/apache2/apache2.conf"],
require => Package["httpd"],
notify => Service["apache2"],
}
file { "/etc/apache2/ports.conf":
ensure => present,
- content => "# HTTP server disabled\n"
+ content => "# HTTP server disabled\n",
mode => 0644,
owner => root,
group => root,
+ before => File["/etc/apache2/apache2.conf"],
+ require => Package["httpd"],
notify => Service["apache2"],
}
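Review bot: The `File["/etc/apache2/conf.d", "/etc/apache2/sites-enabled"]` override at the top of the hunk turns both directories into fully managed trees (`recurse`, `purge`, `force`), so on the first run every file there that is not declared through this module is deleted, including whatever snippets the distribution or an administrator placed in conf.d; that is presumably intended but is not stated anywhere. Add a comment above the override, e.g. `# conf.d and sites-enabled are owned by Puppet: anything not declared via apache::debian::configfile or the site defines is removed on every run.` The override also depends on `puppet:///custom/empty` existing on the file server; the same comment should name that dependency, since a missing source fails the directory resources on every host.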
@@ -44,7 +67,6 @@ class apache::debian::common {
mode => 0644,
owner => root,
group => root,
- require => File["/etc/apache2/envvars", "/etc/apache2/ports.conf" ],
notify => Service["apache2"],
}
@@ -60,7 +82,7 @@ class apache::debian::common {
class apache::debian::server inherits apache::debian::common {
File["/etc/apache2/ports.conf"] {
- content => "NameVirtualHost *:80\nListen80\n"
+ content => "NameVirtualHost *:80\nListen 80\n"
}
}
@@ -68,12 +90,12 @@ class apache::debian::server inherits apache::debian::common {
define apache::debian::site($aliases, $root, $config, $redirect) {
- $site_conf = "/etc/apache2/sites-available/${name}.conf"
-
if $name == "default" {
$site_fqdn = $fqdn
+ $site_conf = "/etc/apache2/sites-enabled/00-${site_fqdn}.conf"
} else {
$site_fqdn = $name
+ $site_conf = "/etc/apache2/sites-enabled/${site_fqdn}.conf"
if !$redirect {
if $root {
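Review bot: The `00-` prefix added to the default site's file name in the new `$site_conf` assignment is presumably what makes Apache treat it as the default virtual host, since sites-enabled is included in lexical order and the first vhost for an address wins, but nothing says so; add `# 00- prefix: sites-enabled/ is included in lexical order, so this vhost is the default for *:80.` above the assignment. The new `apache::debian::sslsite` define writes its default site as `${site_fqdn}-ssl.conf` without such a prefix, so the two defines select the default vhost differently. The `apache::debian::site` body continues outside the hunk.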
@@ -107,7 +129,7 @@ define apache::debian::site($aliases, $root, $config, $redirect) {
mode => 0644,
owner => root,
group => root,
- notify => Service["httpd"],
+ notify => Service["apache2"],
}
if $config {
@@ -149,6 +171,102 @@ class apache::debian::sslserver inherits apache::debian::common {
}
+define apache::debian::sslsite($root, $config, $ssl_cert, $ssl_key, $ssl_chain) {
+
+ if $name == "default" {
+ $site_fqdn = $fqdn
+ } else {
+ $site_fqdn = $name
+
+ if $root {
+ file { "/srv/www/https/${site_fqdn}":
+ ensure => link,
+ target => $root,
+ before => Service["apache2"],
+ }
+ } else {
+ file { "/srv/www/https/${site_fqdn}":
+ ensure => directory,
+ mode => 0755,
+ owner => root,
+ group => root,
+ before => Service["apache2"],
+ }
+ }
+
+ file { "/srv/www/log/https/${site_fqdn}":
+ ensure => directory,
+ mode => 0755,
+ owner => root,
+ group => root,
+ before => Service["apache2"],
+ }
+ }
+
+ if $ssl_cert {
+ $real_ssl_cert = $ssl_cert
+ } else {
+ $real_ssl_cert = "${puppet_ssldir}/certs/${fqdn}.pem"
+ }
+
+ file { "/etc/ssl/certs/${site_fqdn}.crt":
+ ensure => present,
+ source => $real_ssl_cert,
+ mode => 0644,
+ owner => root,
+ group => root,
+ notify => Service["apache2"],
+ }
+
+ if $ssl_key {
+ $real_ssl_key = $ssl_key
+ } else {
+ $real_ssl_key = "${puppet_ssldir}/private_keys/${fqdn}.pem"
+ }
+
+ file { "/etc/ssl/private/${site_fqdn}.key":
+ ensure => present,
+ source => $real_ssl_key,
+ mode => 0600,
+ owner => root,
+ group => root,
+ notify => Service["apache2"],
+ }
+
+ if $ssl_chain {
+ file { "/etc/ssl/certs/${site_fqdn}.chain.crt":
+ ensure => present,
+ source => $ssl_chain,
+ mode => 0644,
+ owner => root,
+ group => root,
+ notify => Service["apache2"],
+ }
+ }
+
+ file { "/etc/apache2/sites-enabled/${site_fqdn}-ssl.conf":
+ ensure => present,
+ mode => 0644,
+ owner => root,
+ group => root,
+ notify => Service["apache2"],
+ require => [ File["/etc/ssl/certs/${site_fqdn}.crt"],
+ File["/etc/ssl/private/${site_fqdn}.key"], ],
+ }
+
+ if $config {
+ File["/etc/apache2/sites-enabled/${site_fqdn}-ssl.conf"] {
+ source => $config,
+ }
+ } else {
+ File["/etc/apache2/sites-enabled/${site_fqdn}-ssl.conf"] {
+ content => template("apache/site.https.conf.erb"),
+ }
+ }
+
+}
+
+
define apache::debian::configfile($source, $content, $http, $https) {
file { "/etc/apache2/conf.d/${name}":
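Review bot: When `$ssl_key` or `$ssl_cert` is empty, the fallbacks `${puppet_ssldir}/private_keys/${fqdn}.pem` and `${puppet_ssldir}/certs/${fqdn}.pem` copy the Puppet agent's own private key and certificate into `/etc/ssl/private` and `/etc/ssl/certs` for Apache to serve, so the node's Puppet identity key is reused by a network-facing service and a web server compromise also compromises the agent's identity. Prefer failing when either is empty (`fail("apache::debian::sslsite ${name}: ssl_cert and ssl_key are required")`) or pointing the defaults at a dedicated server key, and in any case state the fallback in a header comment for the define. `$puppet_ssldir` and `$fqdn` are not parameters of the define, so they resolve from an outer scope that is not visible here. The `/etc/ssl/certs` and `/etc/ssl/private` literals duplicate the `$apache_ssldir = "/etc/ssl"` set in init.pp; deriving both from one variable would keep the file placed and the path written by `site.https.conf.erb` from drifting.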
@@ -218,26 +336,3 @@ define apache::debian::a2enmod($source="", $content="") {
}
}
-
-
-# Enable virtual host on Debian/Ubuntu Apache.
-#
-# === Parameters
-#
-# $name:
-# FQDN of virtual host.
-#
-define apache::debian::a2ensite() {
-
- exec { "a2ensite-${name}":
- path => "/bin:/usr/bin:/sbin:/usr/sbin",
- command => "a2ensite ${name}",
- unless => $name ? {
- "default" => "test -h /etc/apache2/sites-enabled/000-default",
- default => "test -h /etc/apache2/sites-enabled/${name}",
- },
- notify => Service["apache2"],
- require => Package["httpd"],
- }
-
-}
diff --git a/apache/manifests/init.pp b/apache/manifests/init.pp
index 207b580..f639ea9 100644
--- a/apache/manifests/init.pp
+++ b/apache/manifests/init.pp
@@ -202,6 +202,7 @@ define apache::sslsite($root="", $config="", $ssl_cert="", $ssl_key="", $ssl_cha
case $operatingsystem {
debian,ubuntu: {
+ $apache_ssldir = "/etc/ssl"
apache::debian::sslsite { "${name}":
root => $root,
config => $config,
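Review bot: `$apache_ssldir` is assigned here inside `apache::sslsite` but read by `site.https.conf.erb` (`<%= apache_ssldir %>`, the last hunk of this diff), which is rendered from `apache::debian::sslsite`; that lookup works only through dynamic scoping, deprecated in Puppet 2.7 and removed in 3.0, unless the platform defines resolve it some other way not visible here. The same applies to the `centos,fedora` branch in the next hunk. Pass the value explicitly instead: add a parameter to the platform defines and declare them with `apache_ssldir => "/etc/ssl",` (and `"/etc/pki/tls"`), so the template reads a local variable.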
@@ -211,6 +212,7 @@ define apache::sslsite($root="", $config="", $ssl_cert="", $ssl_key="", $ssl_cha
}
}
centos,fedora: {
+ $apache_ssldir = "/etc/pki/tls"
apache::redhat::sslsite { "${name}":
root => $root,
config => $config,
diff --git a/apache/templates/apache2.httpd.conf.erb b/apache/templates/apache2.httpd.conf.erb
new file mode 100644
index 0000000..feb1e41
--- /dev/null
+++ b/apache/templates/apache2.httpd.conf.erb
@@ -0,0 +1,93 @@
+#
+# ServerAdmin: Your address, where problems with the server should be
+# e-mailed. This address appears on some server-generated pages, such
+# as error documents. e.g. admin@your-domain.com
+#
+ServerAdmin adm@<%= domain %>
+
+#
+# ServerName gives the name and port that the server uses to identify itself.
+# This can often be determined automatically, but we recommend you specify
+# it explicitly to prevent problems during startup.
+#
+# If this is not set to valid DNS name for your host, server-generated
+# redirections will not work. See also the UseCanonicalName directive.
+#
+# If your host doesn't have a registered DNS name, enter its IP address here.
+# You will have to access it by its address anyway, and this will make
+# redirections work in a sensible way.
+#
+ServerName <%= fqdn %>
+
+#
+# UseCanonicalName: Determines how Apache constructs self-referencing
+# URLs and the SERVER_NAME and SERVER_PORT variables.
+# When set "Off", Apache will use the Hostname and Port supplied
+# by the client. When set "On", Apache will use the value of the
+# ServerName directive.
+#
+UseCanonicalName Off
+
+#
+# Optionally add a line containing the server version and virtual host
+# name to server-generated pages (internal error documents, FTP directory
+# listings, mod_status and mod_info output etc., but not CGI generated
+# documents or custom error documents).
+# Set to "EMail" to also include a mailto: link to the ServerAdmin.
+# Set to one of: On | Off | EMail
+#
+ServerSignature Off
+
+#
+# Each directory to which Apache has access can be configured with respect
+# to which services and features are allowed and/or disabled in that
+# directory (and its subdirectories).
+#
+# First, we configure the "default" to be a very restrictive set of
+# features.
+#
+
+ Options FollowSymLinks
+ AllowOverride None
+
+
+#
+# Note that from this point forward you must specifically allow
+# particular features to be enabled - so if something's not working as
+# you might expect, make sure that you have specifically enabled it
+# below.
+#
+
+#
+# This should be changed to whatever you set DocumentRoot to.
+#
+
+
+#
+# Possible values for the Options directive are "None", "All",
+# or any combination of:
+# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
+#
+# Note that "MultiViews" must be named *explicitly* --- "Options All"
+# doesn't give it to you.
+#
+# The Options directive is both complicated and important. Please see
+# http://httpd.apache.org/docs/2.2/mod/core.html#options
+# for more information.
+#
+ Options Indexes FollowSymLinks
+
+#
+# AllowOverride controls what directives may be placed in .htaccess files.
+# It can be "All", "None", or any combination of the keywords:
+# Options FileInfo AuthConfig Limit
+#
+ AllowOverride None
+
+#
+# Controls who can get stuff from this server.
+#
+ Order allow,deny
+ Allow from all
+
+
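Review bot: The new httpd.conf sets `ServerSignature Off` but leaves `ServerTokens` unset, so the Server header keeps Apache's default `Full` value (version, OS and module details), and because this commit also purges `/etc/apache2/conf.d`, no distribution snippet will supply it either; add `ServerTokens Prod` next to `ServerSignature Off`. In this rendering the `<Directory ...>` and `</Directory>` lines that should enclose the `Options`/`AllowOverride`/`Order` blocks are not visible, which may be an extraction artifact, but if they are really absent those directives apply server-wide rather than per directory. `Options Indexes FollowSymLinks` on the document-root block enables automatic directory listings; drop `Indexes` unless listings are wanted.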
diff --git a/apache/templates/site.https.conf.erb b/apache/templates/site.https.conf.erb
index 2697c2b..221bbac 100644
--- a/apache/templates/site.https.conf.erb
+++ b/apache/templates/site.https.conf.erb
@@ -9,7 +9,12 @@
# consult the online docs. You have been warned.
#
+#
+# Load SSL module if not loaded
+#
+
LoadModule ssl_module modules/mod_ssl.so
+
#
# When we also provide SSL we have to listen to the
@@ -17,6 +22,7 @@ LoadModule ssl_module modules/mod_ssl.so
#
Listen 443
+<% if operatingsystem == 'CentOS' or operatingsystem == 'Fedora' -%>
##
## SSL Global Context
##
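Review bot: The `<% if operatingsystem == 'CentOS' or operatingsystem == 'Fedora' -%>` guard that opens here and closes with the `<% end -%>` in the next hunk drops the whole SSL global context (`SSLRandomSeed`, `SSLCryptoDevice` and the rest of the block between the two hunks) on Debian and Ubuntu without saying where those settings come from there; add an ERB comment such as `<%# global SSL context: on Debian/Ubuntu it is presumably supplied by the distribution's mod_ssl configuration, so only emit it on RHEL-family hosts %>` and confirm that assumption against the Debian mod_ssl configuration. The comparison also depends on the exact capitalisation of the `operatingsystem` fact, unlike the case-insensitive `centos,fedora` case in init.pp, so keep the two lists in sync if more platforms are added.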
@@ -73,6 +79,7 @@ SSLRandomSeed connect builtin
#
SSLCryptoDevice builtin
#SSLCryptoDevice ubsec
+<% end -%>
##
## SSL Virtual Host Context
@@ -109,14 +116,14 @@ SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
-SSLCertificateFile /etc/pki/tls/certs/<%= site_fqdn %>.crt
+SSLCertificateFile <%= apache_ssldir %>/certs/<%= site_fqdn %>.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
-SSLCertificateKeyFile /etc/pki/tls/private/<%= site_fqdn %>.key
+SSLCertificateKeyFile <%= apache_ssldir %>/private/<%= site_fqdn %>.key
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
@@ -126,7 +133,7 @@ SSLCertificateKeyFile /etc/pki/tls/private/<%= site_fqdn %>.key
# when the CA certificates are directly appended to the server
# certificate for convinience.
<% if ssl_chain != "" -%>
-SSLCertificateChainFile /etc/pki/tls/certs/<%= site_fqdn %>.chain.crt
+SSLCertificateChainFile <%= apache_ssldir %>/certs/<%= site_fqdn %>.chain.crt
<% end -%>
# Certificate Authority (CA):