Added virtual host support for Debian/Ubuntu to apache module

apache/manifests/debian.pp

@@ -10,7 +10,9 @@ class apache::debian::common {
     file { [ "/srv/www/http",
              "/srv/www/http/${fqdn}",
              "/srv/www/log/http",
-             "/srv/www/log/http/${fqdn}", ]:
+             "/srv/www/log/http/${fqdn}",
+             "/etc/apache2/conf.d",
+             "/etc/apache2/sites-enabled", ]:
         ensure  => directory,
         mode    => 0644,
         owner   => root,
@@ -19,22 +21,43 @@ class apache::debian::common {
         before  => File["/etc/apache2/apache2.conf"],
     }
 
+    File["/etc/apache2/conf.d", "/etc/apache2/sites-enabled"] {
+        purge   => true,
+        force   => true,
+        recurse => true,
+        source  => "puppet:///custom/empty",
+    }
+
     file { "/etc/apache2/envvars":
         ensure  => present,
         content => template("apache/apache2.envvars.erb"),
         mode    => 0644,
         owner   => root,
         group   => root,
+        before  => File["/etc/apache2/apache2.conf"],
+        require => Package["httpd"],
+        notify  => Service["apache2"],
+    }
+
+    file { "/etc/apache2/httpd.conf":
+        ensure  => present,
+        content => template("apache/apache2.httpd.conf.erb"),
+        mode    => 0644,
+        owner   => root,
+        group   => root,
+        before  => File["/etc/apache2/apache2.conf"],
         require => Package["httpd"],
         notify  => Service["apache2"],
     }
 
     file { "/etc/apache2/ports.conf":
         ensure  => present,
-        content => "# HTTP server disabled\n"
+        content => "# HTTP server disabled\n",
         mode    => 0644,
         owner   => root,
         group   => root,
+        before  => File["/etc/apache2/apache2.conf"],
+        require => Package["httpd"],
         notify  => Service["apache2"],
     }
 
@@ -44,7 +67,6 @@ class apache::debian::common {
         mode    => 0644,
         owner   => root,
         group   => root,
-        require => File["/etc/apache2/envvars", "/etc/apache2/ports.conf" ],
         notify  => Service["apache2"],
     }
 
@@ -60,7 +82,7 @@ class apache::debian::common {
 class apache::debian::server inherits apache::debian::common {
 
     File["/etc/apache2/ports.conf"] {
-        content => "NameVirtualHost *:80\nListen80\n"
+        content => "NameVirtualHost *:80\nListen 80\n"
     }
 
 }
@@ -68,12 +90,12 @@ class apache::debian::server inherits apache::debian::common {
 
 define apache::debian::site($aliases, $root, $config, $redirect) {
 
-    $site_conf = "/etc/apache2/sites-available/${name}.conf"
-
     if $name == "default" {
         $site_fqdn = $fqdn
+        $site_conf = "/etc/apache2/sites-enabled/00-${site_fqdn}.conf"
     } else {
         $site_fqdn = $name
+        $site_conf = "/etc/apache2/sites-enabled/${site_fqdn}.conf"
 
         if !$redirect {
             if $root {
@@ -107,7 +129,7 @@ define apache::debian::site($aliases, $root, $config, $redirect) {
         mode   => 0644,
         owner  => root,
         group  => root,
-        notify => Service["httpd"],
+        notify => Service["apache2"],
     }
 
     if $config {
@@ -149,6 +171,102 @@ class apache::debian::sslserver inherits apache::debian::common {
 }
 
 
+define apache::debian::sslsite($root, $config, $ssl_cert, $ssl_key, $ssl_chain) {
+
+    if $name == "default" {
+        $site_fqdn = $fqdn
+    } else {
+        $site_fqdn = $name
+
+        if $root {
+            file { "/srv/www/https/${site_fqdn}":
+                ensure => link,
+                target => $root,
+                before => Service["apache2"],
+            }
+        } else {
+            file { "/srv/www/https/${site_fqdn}":
+                ensure => directory,
+                mode   => 0755,
+                owner  => root,
+                group  => root,
+                before => Service["apache2"],
+            }
+        }
+
+        file { "/srv/www/log/https/${site_fqdn}":
+            ensure => directory,
+            mode   => 0755,
+            owner  => root,
+            group  => root,
+            before => Service["apache2"],
+        }
+    }
+
+    if $ssl_cert {
+        $real_ssl_cert = $ssl_cert
+    } else {
+        $real_ssl_cert = "${puppet_ssldir}/certs/${fqdn}.pem"
+    }
+
+    file { "/etc/ssl/certs/${site_fqdn}.crt":
+        ensure => present,
+        source => $real_ssl_cert,
+        mode   => 0644,
+        owner  => root,
+        group  => root,
+        notify => Service["apache2"],
+    }
+
+    if $ssl_key {
+        $real_ssl_key = $ssl_key
+    } else {
+        $real_ssl_key = "${puppet_ssldir}/private_keys/${fqdn}.pem"
+    }
+
+    file { "/etc/ssl/private/${site_fqdn}.key":
+        ensure => present,
+        source => $real_ssl_key,
+        mode   => 0600,
+        owner  => root,
+        group  => root,
+        notify => Service["apache2"],
+    }
+
+    if $ssl_chain {
+        file { "/etc/ssl/certs/${site_fqdn}.chain.crt":
+            ensure => present,
+            source => $ssl_chain,
+            mode   => 0644,
+            owner  => root,
+            group  => root,
+            notify => Service["apache2"],
+        }
+    }
+
+    file { "/etc/apache2/sites-enabled/${site_fqdn}-ssl.conf":
+        ensure  => present,
+        mode    => 0644,
+        owner   => root,
+        group   => root,
+        notify  => Service["apache2"],
+        require => [ File["/etc/ssl/certs/${site_fqdn}.crt"],
+                     File["/etc/ssl/private/${site_fqdn}.key"], ],
+    }
+
+    if $config {
+        File["/etc/apache2/sites-enabled/${site_fqdn}-ssl.conf"] {
+            source => $config,
+        }
+    } else {
+        File["/etc/apache2/sites-enabled/${site_fqdn}-ssl.conf"] {
+            content => template("apache/site.https.conf.erb"),
+        }
+    }
+
+}
+
+
 define apache::debian::configfile($source, $content, $http, $https) {
 
     file { "/etc/apache2/conf.d/${name}":
@@ -218,26 +336,3 @@ define apache::debian::a2enmod($source="", $content="") {
     }
 
 }
-
-
-# Enable virtual host on Debian/Ubuntu Apache.
-#
-# === Parameters
-#
-#   $name:
-#       FQDN of virtual host.
-#
-define apache::debian::a2ensite() {
-
-    exec { "a2ensite-${name}":
-        path    => "/bin:/usr/bin:/sbin:/usr/sbin",
-        command => "a2ensite ${name}",
-        unless  => $name ? {
-            "default" => "test -h /etc/apache2/sites-enabled/000-default",
-            default   => "test -h /etc/apache2/sites-enabled/${name}",
-        },
-        notify  => Service["apache2"],
-        require => Package["httpd"],
-    }
-
-}

apache/manifests/init.pp

@@ -202,6 +202,7 @@ define apache::sslsite($root="", $config="", $ssl_cert="", $ssl_key="", $ssl_cha
 
     case $operatingsystem {
         debian,ubuntu: {
+            $apache_ssldir = "/etc/ssl"
             apache::debian::sslsite { "${name}":
                 root      => $root,
                 config    => $config,
@@ -211,6 +212,7 @@ define apache::sslsite($root="", $config="", $ssl_cert="", $ssl_key="", $ssl_cha
             }
         }
         centos,fedora: {
+            $apache_ssldir = "/etc/pki/tls"
             apache::redhat::sslsite { "${name}":
                 root      => $root,
                 config    => $config,

apache/templates/apache2.httpd.conf.erb

@@ -0,0 +1,93 @@
+#
+# ServerAdmin: Your address, where problems with the server should be
+# e-mailed.  This address appears on some server-generated pages, such
+# as error documents.  e.g. admin@your-domain.com
+#
+ServerAdmin adm@<%= domain %>
+
+#
+# ServerName gives the name and port that the server uses to identify itself.
+# This can often be determined automatically, but we recommend you specify
+# it explicitly to prevent problems during startup.
+#
+# If this is not set to valid DNS name for your host, server-generated
+# redirections will not work.  See also the UseCanonicalName directive.
+#
+# If your host doesn't have a registered DNS name, enter its IP address here.
+# You will have to access it by its address anyway, and this will make 
+# redirections work in a sensible way.
+#
+ServerName <%= fqdn %>
+
+#
+# UseCanonicalName: Determines how Apache constructs self-referencing 
+# URLs and the SERVER_NAME and SERVER_PORT variables.
+# When set "Off", Apache will use the Hostname and Port supplied
+# by the client.  When set "On", Apache will use the value of the
+# ServerName directive.
+#
+UseCanonicalName Off
+
+#
+# Optionally add a line containing the server version and virtual host
+# name to server-generated pages (internal error documents, FTP directory
+# listings, mod_status and mod_info output etc., but not CGI generated
+# documents or custom error documents).
+# Set to "EMail" to also include a mailto: link to the ServerAdmin.
+# Set to one of:  On | Off | EMail
+#
+ServerSignature Off
+
+#
+# Each directory to which Apache has access can be configured with respect
+# to which services and features are allowed and/or disabled in that
+# directory (and its subdirectories). 
+#
+# First, we configure the "default" to be a very restrictive set of 
+# features.  
+#
+<Directory />
+    Options FollowSymLinks
+    AllowOverride None
+</Directory>
+
+#
+# Note that from this point forward you must specifically allow
+# particular features to be enabled - so if something's not working as
+# you might expect, make sure that you have specifically enabled it
+# below.
+#
+
+#
+# This should be changed to whatever you set DocumentRoot to.
+#
+<Directory "/srv/www">
+
+#
+# Possible values for the Options directive are "None", "All",
+# or any combination of:
+#   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
+#
+# Note that "MultiViews" must be named *explicitly* --- "Options All"
+# doesn't give it to you.
+#
+# The Options directive is both complicated and important.  Please see
+# http://httpd.apache.org/docs/2.2/mod/core.html#options
+# for more information.
+#
+    Options Indexes FollowSymLinks
+
+#
+# AllowOverride controls what directives may be placed in .htaccess files.
+# It can be "All", "None", or any combination of the keywords:
+#   Options FileInfo AuthConfig Limit
+#
+    AllowOverride None
+
+#
+# Controls who can get stuff from this server.
+#
+    Order allow,deny
+    Allow from all
+
+</Directory>

apache/templates/site.https.conf.erb

@@ -9,7 +9,12 @@
 # consult the online docs. You have been warned.  
 #
 
+#
+# Load SSL module if not loaded
+#
+<IfModule !mod_ssl.c>
 LoadModule ssl_module modules/mod_ssl.so
+</IfModule>
 
 #
 # When we also provide SSL we have to listen to the 
@@ -17,6 +22,7 @@ LoadModule ssl_module modules/mod_ssl.so
 #
 Listen 443
 
+<% if operatingsystem == 'CentOS' or operatingsystem == 'Fedora' -%>
 ##
 ##  SSL Global Context
 ##
@@ -73,6 +79,7 @@ SSLRandomSeed connect builtin
 #
 SSLCryptoDevice builtin
 #SSLCryptoDevice ubsec
+<% end -%>
 
 ##
 ## SSL Virtual Host Context
@@ -109,14 +116,14 @@ SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
 # the certificate is encrypted, then you will be prompted for a
 # pass phrase.  Note that a kill -HUP will prompt again.  A new
 # certificate can be generated using the genkey(1) command.
-SSLCertificateFile /etc/pki/tls/certs/<%= site_fqdn %>.crt
+SSLCertificateFile <%= apache_ssldir %>/certs/<%= site_fqdn %>.crt
 
 #   Server Private Key:
 #   If the key is not combined with the certificate, use this
 #   directive to point at the key file.  Keep in mind that if
 #   you've both a RSA and a DSA private key you can configure
 #   both in parallel (to also allow the use of DSA ciphers, etc.)
-SSLCertificateKeyFile /etc/pki/tls/private/<%= site_fqdn %>.key
+SSLCertificateKeyFile <%= apache_ssldir %>/private/<%= site_fqdn %>.key
 
 #   Server Certificate Chain:
 #   Point SSLCertificateChainFile at a file containing the
@@ -126,7 +133,7 @@ SSLCertificateKeyFile /etc/pki/tls/private/<%= site_fqdn %>.key
 #   when the CA certificates are directly appended to the server
 #   certificate for convinience.
 <% if ssl_chain != "" -%>
-SSLCertificateChainFile /etc/pki/tls/certs/<%= site_fqdn %>.chain.crt
+SSLCertificateChainFile <%= apache_ssldir %>/certs/<%= site_fqdn %>.chain.crt
 <% end -%>
 
 #   Certificate Authority (CA):