diff --git a/site-modules/profile/manifests/annex_web.pp b/site-modules/profile/manifests/annex_web.pp
index de344c44..6d4c10d0 100644
--- a/site-modules/profile/manifests/annex_web.pp
+++ b/site-modules/profile/manifests/annex_web.pp
@@ -1,139 +1,144 @@ # Deployment of web-facing public Git-annex class profile::annex_web { $annex_basepath = lookup('annex::basepath') $annex_vhost_name = lookup('annex::vhost::name') $annex_vhost_docroot = lookup('annex::vhost::docroot') $annex_vhost_basic_auth_file = "${annex_basepath}/http_auth" $annex_vhost_provenance_basic_auth_file = "${annex_basepath}/http_auth_provenance" $annex_vhost_basic_auth_content = lookup('annex::vhost::basic_auth_content') $annex_vhost_provenance_basic_auth_content = lookup('annex::vhost::provenance::basic_auth_content') $annex_vhost_ssl_protocol = lookup('annex::vhost::ssl_protocol') $annex_vhost_ssl_honorcipherorder = lookup('annex::vhost::ssl_honorcipherorder') $annex_vhost_ssl_cipher = lookup('annex::vhost::ssl_cipher') $annex_vhost_hsts_header = lookup('annex::vhost::hsts_header') include ::profile::apache::common + exec {"create ${annex_vhost_docroot}": + creates => $annex_vhost_docroot, + command => "mkdir -p ${annex_vhost_docroot}", + path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'], + } + ::apache::vhost {"${annex_vhost_name}_non-ssl": servername => $annex_vhost_name, port => '80', docroot => $annex_vhost_docroot, redirect_status => 'permanent', redirect_dest => "https://${annex_vhost_name}/", } ::profile::letsencrypt::certificate {$annex_vhost_name:} $cert_paths = ::profile::letsencrypt::certificate_paths($annex_vhost_name) ::apache::vhost {"${annex_vhost_name}_ssl": servername => $annex_vhost_name, port => '443', ssl => true, ssl_protocol => $annex_vhost_ssl_protocol, ssl_honorcipherorder => $annex_vhost_ssl_honorcipherorder, ssl_cipher => $annex_vhost_ssl_cipher, ssl_cert => $cert_paths['cert'], ssl_chain => $cert_paths['chain'], ssl_key => $cert_paths['privkey'], headers => [$annex_vhost_hsts_header], docroot => $annex_vhost_docroot, directories => [{ 'path' => $annex_vhost_docroot, 'require' => 'all granted', 'options' => ['Indexes', 'FollowSymLinks', 'MultiViews'], custom_fragment => 'IndexIgnore private 
provenance-index', }, { # hide (annex) .git directory 'path' => '.*/\.git/?$', 'provider' => 'directorymatch', 'require' => 'all denied', }, { # 'basic' provenance-index authentication 'path' => "$annex_vhost_docroot/provenance-index", 'auth_type' => 'basic', 'auth_name' => 'SWH - Password Required', 'auth_user_file' => $annex_vhost_provenance_basic_auth_file, 'auth_require' => 'valid-user', 'index_options' => 'FancyIndexing', custom_fragment => 'ReadmeName readme.txt', }, ], require => [ File[$cert_paths['cert']], File[$cert_paths['chain']], File[$cert_paths['privkey']], ], } File[$cert_paths['cert'], $cert_paths['chain'], $cert_paths['privkey']] ~> Class['Apache::Service'] file {"${annex_vhost_docroot}/public": ensure => link, target => "../annexroot/public", require => File[$annex_vhost_docroot], } file {$annex_vhost_basic_auth_file: ensure => absent, } file {$annex_vhost_provenance_basic_auth_file: ensure => present, owner => 'root', group => 'www-data', mode => '0640', content => "$annex_vhost_provenance_basic_auth_content", } - $icinga_checks_file = lookup('icinga2::exported_checks::filename') @@::icinga2::object::service {"annex http redirect on ${::fqdn}": service_name => 'annex http redirect', import => ['generic-service'], host_name => $::fqdn, check_command => 'http', vars => { http_address => $annex_vhost_name, http_vhost => $annex_vhost_name, http_uri => '/', }, target => $icinga_checks_file, tag => 'icinga2::exported', } @@::icinga2::object::service {"annex https on ${::fqdn}": service_name => 'annex https', import => ['generic-service'], host_name => $::fqdn, check_command => 'http', vars => { http_address => $annex_vhost_name, http_vhost => $annex_vhost_name, http_ssl => true, http_sni => true, http_uri => '/', http_onredirect => sticky }, target => $icinga_checks_file, tag => 'icinga2::exported', } @@::icinga2::object::service {"annex https certificate ${::fqdn}": service_name => 'annex https certificate', import => ['generic-service'], host_name 
=> $::fqdn, check_command => 'http', vars => { http_address => $annex_vhost_name, http_vhost => $annex_vhost_name, http_ssl => true, http_sni => true, http_certificate => 25, }, target => $icinga_checks_file, tag => 'icinga2::exported', } }
diff --git a/site-modules/profile/manifests/bitbucket_archive_web.pp b/site-modules/profile/manifests/bitbucket_archive_web.pp
index 6b37e87c..1640cb79 100644
--- a/site-modules/profile/manifests/bitbucket_archive_web.pp
+++ b/site-modules/profile/manifests/bitbucket_archive_web.pp
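Review bot: The added `exec {"create ${annex_vhost_docroot}": ...}` creates the docroot with a bare `mkdir -p`, so the directory and any missing parents get whatever owner and mode root's umask yields. Nothing orders the exec before the vhosts or the `file {"${annex_vhost_docroot}/public": ...}` link that needs the directory. For a tree served with `Indexes` I would pin both by adding `umask => '0022',` and `before => Apache::Vhost["${annex_vhost_name}_ssl"],` to the exec instead of relying on manifest order. The same exec is added in the bitbucket_archive_web.pp and docs_web.pp hunks and needs the same two attributes there, using that file's vhost name variable.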
@@ -1,102 +1,108 @@ # Deployment of web-facing public Git-bitbucket_archive class profile::bitbucket_archive_web { $vhost_name = lookup('bitbucket_archive::vhost::name') $vhost_docroot = lookup('bitbucket_archive::vhost::docroot') $vhost_ssl_protocol = lookup('bitbucket_archive::vhost::ssl_protocol') $vhost_ssl_honorcipherorder = lookup('bitbucket_archive::vhost::ssl_honorcipherorder') $vhost_ssl_cipher = lookup('bitbucket_archive::vhost::ssl_cipher') $vhost_hsts_header = lookup('bitbucket_archive::vhost::hsts_header') include ::profile::apache::common + exec {"create ${vhost_docroot}": + creates => $vhost_docroot, + command => "mkdir -p ${vhost_docroot}", + path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'], + } + ::apache::vhost {"${vhost_name}_non-ssl": servername => $vhost_name, port => '80', docroot => $vhost_docroot, manage_docroot => false, redirect_status => 'permanent', redirect_dest => "https://${vhost_name}/", } ::profile::letsencrypt::certificate {$vhost_name:} $cert_paths = ::profile::letsencrypt::certificate_paths($vhost_name) ::apache::vhost {"${vhost_name}_ssl": servername => $vhost_name, port => '443', ssl => true, ssl_protocol => $vhost_ssl_protocol, ssl_honorcipherorder => $vhost_ssl_honorcipherorder, ssl_cipher => $vhost_ssl_cipher, ssl_cert => $cert_paths['cert'], ssl_chain => $cert_paths['chain'], ssl_key => $cert_paths['privkey'], headers => [$vhost_hsts_header], docroot => $vhost_docroot, manage_docroot => false, directories => [ { 'path' => $vhost_docroot, 'require' => 'all granted', 'options' => ['Indexes', 'FollowSymLinks', 'MultiViews'], }, ], require => [ File[$ssl_cert], File[$ssl_chain], File[$ssl_key], ], } File[$cert_paths['cert'], $cert_paths['chain'], $cert_paths['privkey']] ~> Class['Apache::Service'] $icinga_checks_file = lookup('icinga2::exported_checks::filename') @@::icinga2::object::service {"bitbucket_archive http redirect on ${::fqdn}": service_name => 'bitbucket_archive http redirect', import => ['generic-service'], 
host_name => $::fqdn, check_command => 'http', vars => { http_address => $vhost_name, http_vhost => $vhost_name, http_uri => '/', }, target => $icinga_checks_file, tag => 'icinga2::exported', } @@::icinga2::object::service {"bitbucket_archive https on ${::fqdn}": service_name => 'bitbucket_archive https', import => ['generic-service'], host_name => $::fqdn, check_command => 'http', vars => { http_address => $vhost_name, http_vhost => $vhost_name, http_ssl => true, http_sni => true, http_uri => '/', http_onredirect => sticky }, target => $icinga_checks_file, tag => 'icinga2::exported', } @@::icinga2::object::service {"bitbucket_archive https certificate ${::fqdn}": service_name => 'bitbucket_archive https certificate', import => ['generic-service'], host_name => $::fqdn, check_command => 'http', vars => { http_address => $vhost_name, http_vhost => $vhost_name, http_ssl => true, http_sni => true, http_certificate => 25, }, target => $icinga_checks_file, tag => 'icinga2::exported', } }
diff --git a/site-modules/profile/manifests/docs_web.pp b/site-modules/profile/manifests/docs_web.pp
index 1b5eb3ac..4a6adb86 100644
--- a/site-modules/profile/manifests/docs_web.pp
+++ b/site-modules/profile/manifests/docs_web.pp
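Review bot: The SSL vhost's `require => [ File[$ssl_cert], File[$ssl_chain], File[$ssl_key], ]` names three variables that are not assigned anywhere in this class as the hunk shows it, so the intended dependency on the certificate files is not actually expressed. The class already computes `$cert_paths` and uses it for `ssl_cert`, `ssl_chain` and `ssl_key`, and the other two manifests in this commit build the list from it. The entries should read `File[$cert_paths['cert']],` `File[$cert_paths['chain']],` `File[$cert_paths['privkey']],`. These lines are unchanged context in this commit, which touches the class without correcting them.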
@@ -1,110 +1,116 @@ # Deployment of web-facing static documentation class profile::docs_web { $docs_basepath = lookup('docs::basepath') $docs_vhost_name = lookup('docs::vhost::name') $docs_vhost_docroot = lookup('docs::vhost::docroot') $docs_vhost_docroot_owner = lookup('docs::vhost::docroot_owner') $docs_vhost_docroot_group = lookup('docs::vhost::docroot_group') $docs_vhost_docroot_mode = lookup('docs::vhost::docroot_mode') $docs_vhost_ssl_protocol = lookup('docs::vhost::ssl_protocol') $docs_vhost_ssl_honorcipherorder = lookup('docs::vhost::ssl_honorcipherorder') $docs_vhost_ssl_cipher = lookup('docs::vhost::ssl_cipher') $docs_vhost_hsts_header = lookup('docs::vhost::hsts_header') include ::profile::apache::common + exec {"create ${docs_vhost_docroot}": + creates => $docs_vhost_docroot, + command => "mkdir -p ${docs_vhost_docroot}", + path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'], + } + ::apache::vhost {"${docs_vhost_name}_non-ssl": servername => $docs_vhost_name, port => '80', docroot => $docs_vhost_docroot, manage_docroot => false, # will be managed by the SSL resource redirect_status => 'permanent', redirect_dest => "https://${docs_vhost_name}/", } ::profile::letsencrypt::certificate {$docs_vhost_name:} $cert_paths = ::profile::letsencrypt::certificate_paths($docs_vhost_name) ::apache::vhost {"${docs_vhost_name}_ssl": servername => $docs_vhost_name, port => '443', ssl => true, ssl_protocol => $docs_vhost_ssl_protocol, ssl_honorcipherorder => $docs_vhost_ssl_honorcipherorder, ssl_cipher => $docs_vhost_ssl_cipher, ssl_cert => $cert_paths['cert'], ssl_chain => $cert_paths['chain'], ssl_key => $cert_paths['privkey'], headers => [$docs_vhost_hsts_header], docroot => $docs_vhost_docroot, docroot_owner => $docs_vhost_docroot_owner, docroot_group => $docs_vhost_docroot_group, docroot_mode => $docs_vhost_docroot_mode, directories => [{ 'path' => $docs_vhost_docroot, 'require' => 'all granted', 'options' => ['Indexes', 'FollowSymLinks', 'MultiViews'], }], rewrites 
=> [ { rewrite_rule => '^/?$ /devel/ [R,L]' }, ], require => [ File[$cert_paths['cert']], File[$cert_paths['chain']], File[$cert_paths['privkey']], ], } File[$cert_paths['cert'], $cert_paths['chain'], $cert_paths['privkey']] ~> Class['Apache::Service'] $icinga_checks_file = lookup('icinga2::exported_checks::filename') @@::icinga2::object::service {"docs http redirect on ${::fqdn}": service_name => 'docs http redirect', import => ['generic-service'], host_name => $::fqdn, check_command => 'http', vars => { http_address => $docs_vhost_name, http_vhost => $docs_vhost_name, http_uri => '/', }, target => $icinga_checks_file, tag => 'icinga2::exported', } @@::icinga2::object::service {"docs https on ${::fqdn}": service_name => 'docs https', import => ['generic-service'], host_name => $::fqdn, check_command => 'http', vars => { http_address => $docs_vhost_name, http_vhost => $docs_vhost_name, http_ssl => true, http_sni => true, http_uri => '/', http_onredirect => sticky }, target => $icinga_checks_file, tag => 'icinga2::exported', } @@::icinga2::object::service {"docs https certificate ${::fqdn}": service_name => 'docs https certificate', import => ['generic-service'], host_name => $::fqdn, check_command => 'http', vars => { http_address => $docs_vhost_name, http_vhost => $docs_vhost_name, http_ssl => true, http_sni => true, http_certificate => 25, }, target => $icinga_checks_file, tag => 'icinga2::exported', } }
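Review bot: The docroot `directories` entry keeps `'options' => ['Indexes', 'FollowSymLinks', 'MultiViews']` while the directory is handed to `$docs_vhost_docroot_owner`, so any account that can write the docs tree can expose whatever the Apache user is able to read through a link. If the documentation build does not rely on links that leave the tree (not visible here), `'options' => ['Indexes', 'SymLinksIfOwnerMatch', 'MultiViews'],` keeps listings working and restricts links to targets with the same owner. The line is unchanged context in this hunk.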