diff --git a/manifests/annex_web.pp b/manifests/annex_web.pp index a324fdc9..e918e304 100644 --- a/manifests/annex_web.pp +++ b/manifests/annex_web.pp @@ -1,120 +1,123 @@ # Deployment of web-facing public Git-annex class profile::annex_web { $annex_basepath = hiera('annex::basepath') $annex_vhost_name = hiera('annex::vhost::name') $annex_vhost_docroot = hiera('annex::vhost::docroot') $annex_vhost_basic_auth_file = "${annex_basepath}/http_auth" $annex_vhost_basic_auth_content = hiera('annex::vhost::basic_auth_content') $annex_vhost_ssl_protocol = hiera('annex::vhost::ssl_protocol') $annex_vhost_ssl_honorcipherorder = hiera('annex::vhost::ssl_honorcipherorder') $annex_vhost_ssl_cipher = hiera('annex::vhost::ssl_cipher') $annex_vhost_hsts_header = hiera('annex::vhost::hsts_header') include ::profile::ssl include ::profile::apache::common ::apache::vhost {"${annex_vhost_name}_non-ssl": servername => $annex_vhost_name, port => '80', docroot => $annex_vhost_docroot, redirect_status => 'permanent', redirect_dest => "https://${annex_vhost_name}/", } $ssl_cert_name = 'star_softwareheritage_org' $ssl_cert = $::profile::ssl::certificate_paths[$ssl_cert_name] $ssl_ca = $::profile::ssl::ca_paths[$ssl_cert_name] $ssl_key = $::profile::ssl::private_key_paths[$ssl_cert_name] ::apache::vhost {"${annex_vhost_name}_ssl": servername => $annex_vhost_name, port => '443', ssl => true, ssl_protocol => $annex_vhost_ssl_protocol, ssl_honorcipherorder => $annex_vhost_ssl_honorcipherorder, ssl_cipher => $annex_vhost_ssl_cipher, ssl_cert => $ssl_cert, ssl_ca => $ssl_ca, ssl_key => $ssl_key, headers => [$annex_vhost_hsts_header], docroot => $annex_vhost_docroot, directories => [{ 'path' => $annex_vhost_docroot, 'require' => 'all granted', 'options' => ['Indexes', 'FollowSymLinks', 'MultiViews'], }, { # hide (annex) .git directory 'path' => '.*/\.git/?$', 'provider' => 'directorymatch', 'require' => 'all denied', }], require => [ File[$ssl_cert], File[$ssl_ca], File[$ssl_key], ], } file {"${annex_vhost_docroot}/public": ensure => link, target => "../annexroot/public", require => File[$annex_vhost_docroot], } file {$annex_vhost_basic_auth_file: ensure => present, owner => 'root', group => 'www-data', mode => '0640', content => '$annex_vhost_basic_auth_content', } $icinga_checks_file = '/etc/icinga2/conf.d/exported-checks.conf' @@::icinga2::object::service {"annex http redirect on ${::fqdn}": service_name => 'annex http redirect', import => ['generic-service'], host_name => $::fqdn, check_command => 'http', vars => { http_address => $annex_vhost_name, + http_vhost => $annex_vhost_name, http_uri => '/', }, target => $icinga_checks_file, tag => 'icinga2::exported', } @@::icinga2::object::service {"annex https on ${::fqdn}": service_name => 'annex https', import => ['generic-service'], host_name => $::fqdn, check_command => 'http', vars => { http_address => $annex_vhost_name, + http_vhost => $annex_vhost_name, http_ssl => true, http_sni => true, http_uri => '/', http_onredirect => sticky }, target => $icinga_checks_file, tag => 'icinga2::exported', } @@::icinga2::object::service {"annex https certificate ${::fqdn}": service_name => 'annex https certificate', import => ['generic-service'], host_name => $::fqdn, check_command => 'http', vars => { http_address => $annex_vhost_name, + http_vhost => $annex_vhost_name, http_ssl => true, http_sni => true, http_certificate => 60, }, target => $icinga_checks_file, tag => 'icinga2::exported', } } diff --git a/manifests/mediawiki.pp b/manifests/mediawiki.pp index 0f1cd5d0..eac6de4f 100644 --- a/manifests/mediawiki.pp +++ b/manifests/mediawiki.pp @@ -1,101 +1,104 @@ # Deployment of mediawiki for the Software Heritage intranet class profile::mediawiki { $mediawiki_fpm_root = hiera('mediawiki::php::fpm_listen') $mediawiki_vhosts = hiera_hash('mediawiki::vhosts') include ::php::fpm::daemon ::php::fpm::conf {'mediawiki': listen => $mediawiki_fpm_root, user => 'www-data', } include ::profile::ssl $ssl_cert_name = 'star_softwareheritage_org' $ssl_cert = $::profile::ssl::certificate_paths[$ssl_cert_name] $ssl_ca = $::profile::ssl::ca_paths[$ssl_cert_name] $ssl_key = $::profile::ssl::private_key_paths[$ssl_cert_name] include ::mediawiki $mediawiki_vhost_docroot = hiera('mediawiki::vhost::docroot') $mediawiki_vhost_ssl_protocol = hiera('mediawiki::vhost::ssl_protocol') $mediawiki_vhost_ssl_honorcipherorder = hiera('mediawiki::vhost::ssl_honorcipherorder') $mediawiki_vhost_ssl_cipher = hiera('mediawiki::vhost::ssl_cipher') $mediawiki_vhost_hsts_header = hiera('mediawiki::vhost::hsts_header') $icinga_checks_file = '/etc/icinga2/conf.d/exported-checks.conf' each ($mediawiki_vhosts) |$name, $data| { $secret_key = $data['secret_key'] $upgrade_key = $data['upgrade_key'] $basic_auth_content = $data['basic_auth'] ::mediawiki::instance { $name: vhost_docroot => $mediawiki_vhost_docroot, vhost_aliases => $data['aliases'], vhost_fpm_root => $mediawiki_fpm_root, vhost_basic_auth => $data['basic_auth_content'], vhost_ssl_protocol => $mediawiki_vhost_ssl_protocol, vhost_ssl_honorcipherorder => $mediawiki_vhost_ssl_honorcipherorder, vhost_ssl_cipher => $mediawiki_vhost_ssl_cipher, vhost_ssl_cert => $ssl_cert, vhost_ssl_ca => $ssl_ca, vhost_ssl_key => $ssl_key, vhost_ssl_hsts_header => $mediawiki_vhost_hsts_header, db_host => 'localhost', db_basename => $data['mysql']['dbname'], db_user => $data['mysql']['username'], db_password => $data['mysql']['password'], secret_key => $secret_key, upgrade_key => $upgrade_key, swh_logo => $data['swh_logo'], } @@::icinga2::object::service {"mediawiki (${name}) http redirect on ${::fqdn}": service_name => "mediawiki ${name} http redirect", import => ['generic-service'], host_name => $::fqdn, check_command => 'http', vars => { http_address => $name, + http_vhost => $name, http_uri => '/', }, target => $icinga_checks_file, tag => 'icinga2::exported', } @@::icinga2::object::service {"mediawiki ${name} https on ${::fqdn}": service_name => "mediawiki ${name}", import => ['generic-service'], host_name => $::fqdn, check_command => 'http', vars => { http_address => $name, + http_vhost => $name, http_ssl => true, http_sni => true, http_uri => '/', http_onredirect => sticky }, target => $icinga_checks_file, tag => 'icinga2::exported', } @@::icinga2::object::service {"mediawiki ${name} https certificate ${::fqdn}": service_name => "mediawiki ${name} https certificate", import => ['generic-service'], host_name => $::fqdn, check_command => 'http', vars => { + http_vhost => $name, http_address => $name, http_ssl => true, http_sni => true, http_certificate => 60, }, target => $icinga_checks_file, tag => 'icinga2::exported', } } } diff --git a/manifests/phabricator.pp b/manifests/phabricator.pp index c774a3a7..0f2d3dd6 100644 --- a/manifests/phabricator.pp +++ b/manifests/phabricator.pp @@ -1,329 +1,332 @@ # Setup an instance of phabricator class profile::phabricator { $phabricator_basepath = hiera('phabricator::basepath') $phabricator_user = hiera('phabricator::user') $phabricator_vcs_user = hiera('phabricator::vcs_user') $phabricator_db_root_password = hiera('phabricator::mysql::root_password') $phabricator_db_basename = hiera('phabricator::mysql::database_prefix') $phabricator_db_user = hiera('phabricator::mysql::username') $phabricator_db_password = hiera('phabricator::mysql::password') $phabricator_db_max_allowed_packet = hiera('phabricator::mysql::conf::max_allowed_packet') $phabricator_db_sql_mode = hiera('phabricator::mysql::conf::sql_mode') $phabricator_db_ft_stopword_file = hiera('phabricator::mysql::conf::ft_stopword_file') $phabricator_db_ft_min_word_len = hiera('phabricator::mysql::conf::ft_min_word_len') $phabricator_db_ft_boolean_syntax = hiera('phabricator::mysql::conf::ft_boolean_syntax') $phabricator_db_innodb_buffer_pool_size = hiera('phabricator::mysql::conf::innodb_buffer_pool_size') $phabricator_db_innodb_file_per_table = hiera('phabricator::mysql::conf::innodb_file_per_table') $phabricator_db_innodb_flush_method = hiera('phabricator::mysql::conf::innodb_flush_method') $phabricator_db_innodb_log_file_size = hiera('phabricator::mysql::conf::innodb_log_file_size') $phabricator_fpm_listen = hiera('phabricator::php::fpm_listen') $phabricator_max_size = hiera('phabricator::php::max_file_size') $phabricator_opcache_validate_timestamps = hiera('phabricator::php::opcache_validate_timestamps') $phabricator_notification_listen = hiera('phabricator::notification::listen') $phabricator_notification_client_host = hiera('phabricator::notification::client_host') $phabricator_notification_client_port = hiera('phabricator::notification::client_port') $phabricator_vhost_name = hiera('phabricator::vhost::name') $phabricator_vhost_docroot = hiera('phabricator::vhost::docroot') $phabricator_vhost_basic_auth_file = "${phabricator_basepath}/http_auth" $phabricator_vhost_basic_auth_content = hiera('phabricator::vhost::basic_auth_content') $phabricator_vhost_ssl_protocol = hiera('phabricator::vhost::ssl_protocol') $phabricator_vhost_ssl_honorcipherorder = hiera('phabricator::vhost::ssl_honorcipherorder') $phabricator_vhost_ssl_cipher = hiera('phabricator::vhost::ssl_cipher') $phabricator_vhost_hsts_header = hiera('phabricator::vhost::hsts_header') include ::systemd $homedirs = { $phabricator_user => $phabricator_basepath, $phabricator_vcs_user => "${phabricator_basepath}/vcshome", } $homedir_modes = { $phabricator_user => '0644', $phabricator_vcs_user => '0640', } each([$phabricator_user, $phabricator_vcs_user]) |$name| { user {$name: ensure => present, system => true, shell => '/bin/bash', home => $homedirs[$name], } file {$homedirs[$name]: ensure => directory, owner => $name, group => $name, mode => $homedir_modes[$name], } } ::sudo::conf {'phabricator-ssh': ensure => present, content => "${phabricator_vcs_user} ALL=(${phabricator_user}) SETENV: NOPASSWD: /usr/bin/git-upload-pack, /usr/bin/git-receive-pack, /usr/bin/hg", } ::sudo::conf {'phabricator-http': ensure => present, content => "www-data ALL=(${phabricator_user}) SETENV: NOPASSWD: /usr/bin/git-http-backend, /usr/bin/hg", require => File['/usr/bin/git-http-backend'], } file {'/usr/bin/git-http-backend': ensure => link, target => '/usr/lib/git-core/git-http-backend', } $phabricator_ssh_hook = '/usr/bin/phabricator-ssh-hook.sh' $phabricator_ssh_config = '/etc/ssh/ssh_config.phabricator' file {$phabricator_ssh_hook: ensure => present, owner => 'root', group => 'root', mode => '0755', content => template('profile/phabricator/phabricator-ssh-hook.sh.erb'), } file {$phabricator_ssh_config: ensure => present, owner => 'root', group => 'root', mode => '0600', content => template('profile/phabricator/sshd_config.phabricator.erb'), require => File[$phabricator_ssh_hook], } file {'/etc/systemd/system/phabricator-sshd.service': ensure => present, owner => 'root', group => 'root', mode => '0644', content => template('profile/phabricator/phabricator-sshd.service.erb'), notify => Exec['systemd-daemon-reload'], require => File[$phabricator_ssh_config], } service {'phabricator-sshd': ensure => 'running', enable => true, require => [ File['/etc/systemd/system/phabricator-sshd.service'], Exec['systemd-daemon-reload'], ], } include ::mysql::client class {'::mysql::server': root_password => $phabricator_db_root_password, override_options => { mysqld => { max_allowed_packet => $phabricator_db_max_allowed_packet, sql_mode => $phabricator_db_sql_mode, ft_stopword_file => $phabricator_db_ft_stopword_file, ft_min_word_len => $phabricator_db_ft_min_word_len, ft_boolean_syntax => $phabricator_db_ft_boolean_syntax, innodb_buffer_pool_size => $phabricator_db_innodb_buffer_pool_size, innodb_file_per_table => $phabricator_db_innodb_file_per_table, innodb_flush_method => $phabricator_db_innodb_flush_method, innodb_log_file_size => $phabricator_db_innodb_log_file_size, } } } $mysql_username = "${phabricator_db_user}@localhost" $mysql_tables = "${phabricator_db_basename}_%.*" mysql_user {$mysql_username: ensure => present, password_hash => mysql_password($phabricator_db_password), } mysql_grant {"${mysql_username}/${mysql_tables}": user => $mysql_username, table => $mysql_tables, privileges => ['ALL'], require => Mysql_user[$mysql_username], } include ::php::cli include ::php::fpm::daemon ::php::ini {'/etc/php5/cli/php.ini':} ::php::fpm::conf {'phabricator': listen => $phabricator_fpm_listen, user => 'www-data', php_admin_value => { post_max_size => $phabricator_max_size, upload_max_filesize => $phabricator_max_size, 'opcache.validate_timestamps' => $phabricator_opcache_validate_timestamps, }, } ::php::module {[ 'apcu', 'curl', 'gd', 'mailparse', 'mysql', ]: } include ::profile::ssl include ::profile::apache::common include ::apache::mod::proxy include ::profile::apache::mod_proxy_fcgi ::apache::mod {'proxy_wstunnel':} ::apache::vhost {"${phabricator_vhost_name}_non-ssl": servername => $phabricator_vhost_name, port => '80', docroot => $phabricator_vhost_docroot, docroot_owner => $phabricator_user, docroot_group => $phabricator_user, redirect_status => 'permanent', redirect_dest => "https://${phabricator_vhost_name}/", } $ssl_cert_name = 'star_softwareheritage_org' $ssl_cert = $::profile::ssl::certificate_paths[$ssl_cert_name] $ssl_ca = $::profile::ssl::ca_paths[$ssl_cert_name] $ssl_key = $::profile::ssl::private_key_paths[$ssl_cert_name] ::apache::vhost {"${phabricator_vhost_name}_ssl": servername => $phabricator_vhost_name, port => '443', ssl => true, ssl_protocol => $phabricator_vhost_ssl_protocol, ssl_honorcipherorder => $phabricator_vhost_ssl_honorcipherorder, ssl_cipher => $phabricator_vhost_ssl_cipher, ssl_cert => $ssl_cert, ssl_ca => $ssl_ca, ssl_key => $ssl_key, headers => [$phabricator_vhost_hsts_header], docroot => $phabricator_vhost_docroot, docroot_owner => $phabricator_user, docroot_group => $phabricator_user, rewrites => [ { rewrite_rule => '^/rsrc/(.*) - [L,QSA]' }, { rewrite_rule => '^/favicon.ico - [L,QSA]' }, { rewrite_rule => "^/ws/(.*)$ ws://${phabricator_notification_listen}/\$1 [L,P]" }, { rewrite_rule => "^(.*)$ fcgi://${phabricator_fpm_listen}${phabricator_vhost_docroot}/index.php?__path__=\$1 [B,L,P,QSA]" }, ], setenvif => [ "Authorization \"(.*)\" HTTP_AUTHORIZATION=\$1", ], require => [ File[$ssl_cert], File[$ssl_ca], File[$ssl_key], ], } file {$phabricator_vhost_basic_auth_file: ensure => absent, } # Uses: # $phabricator_basepath # $phabricator_user file {'/etc/systemd/system/phabricator-phd.service': ensure => present, owner => 'root', group => 'root', mode => '0644', content => template('profile/phabricator/phabricator-phd.service.erb'), notify => Exec['systemd-daemon-reload'], } service {'phabricator-phd': ensure => 'running', enable => true, require => [ File['/etc/systemd/system/phabricator-phd.service'], Exec['systemd-daemon-reload'], ], } # Uses: # $phabricator_basepath # $phabricator_user # $phabricator_notification_* file {'/etc/systemd/system/phabricator-aphlict.service': ensure => present, owner => 'root', group => 'root', mode => '0644', content => template('profile/phabricator/phabricator-aphlict.service.erb'), notify => Exec['systemd-daemon-reload'], } service {'phabricator-aphlict': ensure => 'running', enable => true, require => [ File['/etc/systemd/system/phabricator-aphlict.service'], Exec['systemd-daemon-reload'], ], } package {'python-pygments': ensure => installed, } $icinga_checks_file = '/etc/icinga2/conf.d/exported-checks.conf' @@::icinga2::object::service {"phabricator http redirect on ${::fqdn}": service_name => 'phabricator http redirect', import => ['generic-service'], host_name => $::fqdn, check_command => 'http', vars => { http_address => $phabricator_vhost_name, + http_vhost => $phabricator_vhost_name, http_uri => '/', }, target => $icinga_checks_file, tag => 'icinga2::exported', } @@::icinga2::object::service {"phabricator https on ${::fqdn}": service_name => 'phabricator', import => ['generic-service'], host_name => $::fqdn, check_command => 'http', vars => { http_address => $phabricator_vhost_name, + http_vhost => $phabricator_vhost_name, http_ssl => true, http_sni => true, http_uri => '/', http_onredirect => sticky }, target => $icinga_checks_file, tag => 'icinga2::exported', } @@::icinga2::object::service {"phabricator https certificate ${::fqdn}": service_name => 'phabricator https certificate', import => ['generic-service'], host_name => $::fqdn, check_command => 'http', vars => { http_address => $phabricator_vhost_name, + http_vhost => $phabricator_vhost_name, http_ssl => true, http_sni => true, http_certificate => 60, }, target => $icinga_checks_file, tag => 'icinga2::exported', } } diff --git a/manifests/swh/deploy/webapp.pp b/manifests/swh/deploy/webapp.pp index f232207c..88af9cab 100644 --- a/manifests/swh/deploy/webapp.pp +++ b/manifests/swh/deploy/webapp.pp @@ -1,228 +1,231 @@ # WebApp deployment class profile::swh::deploy::webapp { $conf_directory = hiera('swh::deploy::webapp::conf_directory') $conf_file = hiera('swh::deploy::webapp::conf_file') $user = hiera('swh::deploy::webapp::user') $group = hiera('swh::deploy::webapp::group') $webapp_config = hiera('swh::deploy::webapp::config') $conf_log_dir = hiera('swh::deploy::webapp::conf::log_dir') $uwsgi_listen_address = hiera('swh::deploy::webapp::uwsgi::listen') $uwsgi_protocol = hiera('swh::deploy::webapp::uwsgi::protocol') $uwsgi_workers = hiera('swh::deploy::webapp::uwsgi::workers') $uwsgi_max_requests = hiera('swh::deploy::webapp::uwsgi::max_requests') $uwsgi_max_requests_delta = hiera('swh::deploy::webapp::uwsgi::max_requests_delta') $uwsgi_reload_mercy = hiera('swh::deploy::webapp::uwsgi::reload_mercy') $swh_packages = ['python3-swh.web.ui'] $static_dir = '/usr/lib/python3/dist-packages/swh/web/ui/static' $vhost_name = hiera('swh::deploy::webapp::vhost::name') $vhost_aliases = hiera('swh::deploy::webapp::vhost::aliases') $vhost_docroot = hiera('swh::deploy::webapp::vhost::docroot') $vhost_basic_auth_file = "${conf_directory}/http_auth" $vhost_basic_auth_content = hiera('swh::deploy::webapp::vhost::basic_auth_content') $vhost_ssl_protocol = hiera('swh::deploy::webapp::vhost::ssl_protocol') $vhost_ssl_honorcipherorder = hiera('swh::deploy::webapp::vhost::ssl_honorcipherorder') $vhost_ssl_cipher = hiera('swh::deploy::webapp::vhost::ssl_cipher') $locked_endpoints = hiera_array('swh::deploy::webapp::locked_endpoints') $endpoint_directories = $locked_endpoints.map |$endpoint| { { path => "^${endpoint}", provider => 'locationmatch', auth_type => 'Basic', auth_name => 'Software Heritage development', auth_user_file => $vhost_basic_auth_file, auth_require => 'valid-user', } } include ::uwsgi package {$swh_packages: ensure => latest, require => Apt::Source['softwareheritage'], notify => Service['uwsgi'], } file {$conf_directory: ensure => directory, owner => 'root', group => $group, mode => '0755', } file {$conf_log_dir: ensure => directory, owner => 'root', group => $group, mode => '0770', } file {$vhost_docroot: ensure => directory, owner => 'root', group => $group, mode => '0755', } file {$conf_file: ensure => present, owner => 'root', group => $group, mode => '0640', content => inline_template("<%= @webapp_config.to_yaml %>\n"), notify => Service['uwsgi'], } ::uwsgi::site {'swh-webapp': ensure => enabled, settings => { plugin => 'python3', protocol => $uwsgi_protocol, socket => $uwsgi_listen_address, workers => $uwsgi_workers, max_requests => $uwsgi_max_requests, max_requests_delta => $uwsgi_max_requests_delta, worker_reload_mercy => $uwsgi_reload_mercy, reload_mercy => $uwsgi_reload_mercy, uid => $user, gid => $user, umask => '022', module => 'swh.web.ui.main', callable => 'run_from_webserver', } } include ::profile::ssl include ::profile::apache::common include ::apache::mod::proxy include ::apache::mod::headers ::apache::mod {'proxy_uwsgi':} ::apache::vhost {"${vhost_name}_non-ssl": servername => $vhost_name, serveraliases => $vhost_aliases, port => '80', docroot => $vhost_docroot, redirect_status => 'permanent', redirect_dest => "https://${vhost_name}/", } $ssl_cert_name = 'star_softwareheritage_org' $ssl_cert = $::profile::ssl::certificate_paths[$ssl_cert_name] $ssl_ca = $::profile::ssl::ca_paths[$ssl_cert_name] $ssl_key = $::profile::ssl::private_key_paths[$ssl_cert_name] ::apache::vhost {"${vhost_name}_ssl": servername => $vhost_name, serveraliases => $vhost_aliases, port => '443', ssl => true, ssl_protocol => $vhost_ssl_protocol, ssl_honorcipherorder => $vhost_ssl_honorcipherorder, ssl_cipher => $vhost_ssl_cipher, ssl_cert => $ssl_cert, ssl_ca => $ssl_ca, ssl_key => $ssl_key, docroot => $vhost_docroot, proxy_pass => [ { path => '/static', url => '!', }, { path => '/robots.txt', url => '!', }, { path => '/favicon.ico', url => '!', }, { path => '/', url => "uwsgi://${uwsgi_listen_address}/", }, ], directories => [ { path => '/api', provider => 'location', allow => 'from all', satisfy => 'Any', headers => ['add Access-Control-Allow-Origin "*"'], }, { path => $static_dir, options => ['-Indexes'], }, ] + $endpoint_directories, aliases => [ { alias => '/static', path => $static_dir, }, { alias => '/robots.txt', path => "${static_dir}/robots.txt", }, ], require => [ File[$vhost_basic_auth_file], File[$ssl_cert], File[$ssl_ca], File[$ssl_key], ], } file {$vhost_basic_auth_file: ensure => present, owner => 'root', group => 'www-data', mode => '0640', content => $vhost_basic_auth_content, } $icinga_checks_file = '/etc/icinga2/conf.d/exported-checks.conf' @@::icinga2::object::service {"swh-webapp http redirect on ${::fqdn}": service_name => 'swh webapp http redirect', import => ['generic-service'], host_name => $::fqdn, check_command => 'http', vars => { http_address => $vhost_name, + http_vhost => $vhost_name, http_uri => '/', }, target => $icinga_checks_file, tag => 'icinga2::exported', } @@::icinga2::object::service {"swh-webapp https on ${::fqdn}": service_name => 'swh webapp', import => ['generic-service'], host_name => $::fqdn, check_command => 'http', vars => { http_address => $vhost_name, + http_vhost => $vhost_name, http_ssl => true, http_sni => true, http_uri => '/', http_onredirect => sticky }, target => $icinga_checks_file, tag => 'icinga2::exported', } @@::icinga2::object::service {"swh-webapp https certificate ${::fqdn}": service_name => 'swh webapp https certificate', import => ['generic-service'], host_name => $::fqdn, check_command => 'http', vars => { http_address => $vhost_name, + http_vhost => $vhost_name, http_ssl => true, http_sni => true, http_certificate => 60, }, target => $icinga_checks_file, tag => 'icinga2::exported', } }