diff --git a/site-modules/profile/manifests/annex_web.pp b/site-modules/profile/manifests/annex_web.pp
index ac034311..de344c44 100644
--- a/site-modules/profile/manifests/annex_web.pp
+++ b/site-modules/profile/manifests/annex_web.pp
@@ -1,137 +1,139 @@ # Deployment of web-facing public Git-annex class profile::annex_web { $annex_basepath = lookup('annex::basepath') $annex_vhost_name = lookup('annex::vhost::name') $annex_vhost_docroot = lookup('annex::vhost::docroot') $annex_vhost_basic_auth_file = "${annex_basepath}/http_auth" $annex_vhost_provenance_basic_auth_file = "${annex_basepath}/http_auth_provenance" $annex_vhost_basic_auth_content = lookup('annex::vhost::basic_auth_content') $annex_vhost_provenance_basic_auth_content = lookup('annex::vhost::provenance::basic_auth_content') $annex_vhost_ssl_protocol = lookup('annex::vhost::ssl_protocol') $annex_vhost_ssl_honorcipherorder = lookup('annex::vhost::ssl_honorcipherorder') $annex_vhost_ssl_cipher = lookup('annex::vhost::ssl_cipher') $annex_vhost_hsts_header = lookup('annex::vhost::hsts_header') include ::profile::apache::common ::apache::vhost {"${annex_vhost_name}_non-ssl": servername => $annex_vhost_name, port => '80', docroot => $annex_vhost_docroot, redirect_status => 'permanent', redirect_dest => "https://${annex_vhost_name}/", } ::profile::letsencrypt::certificate {$annex_vhost_name:} $cert_paths = ::profile::letsencrypt::certificate_paths($annex_vhost_name) ::apache::vhost {"${annex_vhost_name}_ssl": servername => $annex_vhost_name, port => '443', ssl => true, ssl_protocol => $annex_vhost_ssl_protocol, ssl_honorcipherorder => $annex_vhost_ssl_honorcipherorder, ssl_cipher => $annex_vhost_ssl_cipher, ssl_cert => $cert_paths['cert'], ssl_chain => $cert_paths['chain'], ssl_key => $cert_paths['privkey'], headers => [$annex_vhost_hsts_header], docroot => $annex_vhost_docroot, directories => [{ 'path' => $annex_vhost_docroot, 'require' => 'all granted', 'options' => ['Indexes', 'FollowSymLinks', 'MultiViews'], custom_fragment => 'IndexIgnore private provenance-index', }, { # hide (annex) .git directory 'path' => '.*/\.git/?$', 'provider' => 'directorymatch', 'require' => 'all denied', }, { # 'basic' provenance-index authentication 'path' => 
"$annex_vhost_docroot/provenance-index", 'auth_type' => 'basic', 'auth_name' => 'SWH - Password Required', 'auth_user_file' => $annex_vhost_provenance_basic_auth_file, 'auth_require' => 'valid-user', 'index_options' => 'FancyIndexing', custom_fragment => 'ReadmeName readme.txt', }, ], require => [ - File[$ssl_cert], - File[$ssl_chain], - File[$ssl_key], + File[$cert_paths['cert']], + File[$cert_paths['chain']], + File[$cert_paths['privkey']], ], } + File[$cert_paths['cert'], $cert_paths['chain'], $cert_paths['privkey']] ~> Class['Apache::Service'] + file {"${annex_vhost_docroot}/public": ensure => link, target => "../annexroot/public", require => File[$annex_vhost_docroot], } file {$annex_vhost_basic_auth_file: ensure => absent, } file {$annex_vhost_provenance_basic_auth_file: ensure => present, owner => 'root', group => 'www-data', mode => '0640', content => "$annex_vhost_provenance_basic_auth_content", } $icinga_checks_file = lookup('icinga2::exported_checks::filename') @@::icinga2::object::service {"annex http redirect on ${::fqdn}": service_name => 'annex http redirect', import => ['generic-service'], host_name => $::fqdn, check_command => 'http', vars => { http_address => $annex_vhost_name, http_vhost => $annex_vhost_name, http_uri => '/', }, target => $icinga_checks_file, tag => 'icinga2::exported', } @@::icinga2::object::service {"annex https on ${::fqdn}": service_name => 'annex https', import => ['generic-service'], host_name => $::fqdn, check_command => 'http', vars => { http_address => $annex_vhost_name, http_vhost => $annex_vhost_name, http_ssl => true, http_sni => true, http_uri => '/', http_onredirect => sticky }, target => $icinga_checks_file, tag => 'icinga2::exported', } @@::icinga2::object::service {"annex https certificate ${::fqdn}": service_name => 'annex https certificate', import => ['generic-service'], host_name => $::fqdn, check_command => 'http', vars => { http_address => $annex_vhost_name, http_vhost => $annex_vhost_name, http_ssl => 
true, http_sni => true, http_certificate => 25, }, target => $icinga_checks_file, tag => 'icinga2::exported', } } diff --git a/site-modules/profile/manifests/apache/rewrite_domains.pp b/site-modules/profile/manifests/apache/rewrite_domains.pp index d7e837f8..3f8ec621 100644 --- a/site-modules/profile/manifests/apache/rewrite_domains.pp +++ b/site-modules/profile/manifests/apache/rewrite_domains.pp @@ -1,43 +1,49 @@ # Simple apache domain rewriting class profile::apache::rewrite_domains { include ::profile::apache::common $ssl_protocol = lookup('apache::ssl_protocol') $ssl_honorcipherorder = lookup('apache::ssl_honorcipherorder') $ssl_cipher = lookup('apache::ssl_cipher') $hsts_header = lookup('apache::hsts_header') $rewrite_domains = lookup('apache::rewrite_domains', Hash, 'deep') each($rewrite_domains) |$name, $data| { - ::profile::letsencrypt::certificate {$name:} $cert_paths = ::profile::letsencrypt::certificate_paths($name) ::apache::vhost {"${name}_non-ssl": servername => $name, port => '80', docroot => '/var/www', redirect_status => 'permanent', redirect_dest => "https://${name}/", } ::apache::vhost {"${name}_ssl": servername => $name, port => '443', ssl => true, ssl_protocol => $ssl_protocol, ssl_honorcipherorder => $ssl_honorcipherorder, ssl_cipher => $ssl_cipher, ssl_cert => $cert_paths['cert'], ssl_chain => $cert_paths['chain'], ssl_key => $cert_paths['privkey'], headers => [$hsts_header], docroot => '/var/www', rewrites => [ { rewrite_rule => $data['rewrites'], }, ], + require => [ + File[$cert_paths['cert']], + File[$cert_paths['chain']], + File[$cert_paths['privkey']], + ], } + + File[$cert_paths['cert'], $cert_paths['chain'], $cert_paths['privkey']] ~> Class['Apache::Service'] } } diff --git a/site-modules/profile/manifests/debian_repository.pp b/site-modules/profile/manifests/debian_repository.pp index 0a13f4e4..354b7eed 100644 --- a/site-modules/profile/manifests/debian_repository.pp +++ b/site-modules/profile/manifests/debian_repository.pp 
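Review bot: The added `File[$cert_paths['cert'], $cert_paths['chain'], $cert_paths['privkey']] ~> Class['Apache::Service']` only fires when a Puppet run itself changes one of those three File resources, so a renewal performed by the ACME client between runs reloads Apache only if `profile::letsencrypt::certificate` manages the file content rather than just ownership and mode (that define is not in this diff, so this is inferred). If it does not, Apache keeps serving the previous certificate until something else touches those files, and the `annex https certificate` check becomes the only thing that notices. A short comment above the relationship recording which mechanism reloads Apache after renewal would settle this for the next reader, e.g. `# reload apache whenever puppet rewrites the Let's Encrypt files`. The same line is added in rewrite_domains.pp, debian_repository.pp, docs_web.pp, grafana/vhost.pp and icinga2/icingaweb2/vhost.pp.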
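Review bot: The `require` and `~>` lines added in rewrite_domains.pp reference `File[$cert_paths['cert']]`, `File[$cert_paths['chain']]` and `File[$cert_paths['privkey']]`, yet the same hunk removes the `::profile::letsencrypt::certificate {$name:}` declaration that presumably declared those File resources for each rewritten domain. Unless another class on the same node declares the certificate for every key of `apache::rewrite_domains`, catalog compilation will fail with an unknown-resource error on the first entry. If the removal is deliberate because the certificate is issued by the profile owning the primary vhost, a comment at the top of the `each` body naming that profile would stop the declaration from being re-added, e.g. `# the certificate for $name is declared by the profile of its primary vhost`.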
@@ -1,197 +1,199 @@ # Debian repository configuration class profile::debian_repository { $packages = ['reprepro'] package {$packages: ensure => installed, } $basepath = lookup('debian_repository::basepath') $owner = lookup('debian_repository::owner') $group = lookup('debian_repository::group') $mode = lookup('debian_repository::mode') $owner_homedir = lookup('debian_repository::owner::homedir') user {$owner: ensure => present, system => true, home => $owner_homedir, } -> file {$owner_homedir: ensure => 'directory', owner => $owner, group => $owner, mode => '0750', } -> file {"${owner_homedir}/.ssh": ensure => 'directory', owner => $owner, group => $owner, mode => '0700', } $authorized_keys = lookup('debian_repository::ssh_authorized_keys', Hash) each($authorized_keys) |$name, $key| { ssh_authorized_key { "${owner} ${name}": ensure => 'present', user => $owner, key => $key['key'], type => $key['type'], require => File["${owner_homedir}/.ssh"], } } file {$basepath: ensure => 'directory', owner => $owner, group => $group, mode => $mode, } $incoming = "${basepath}/incoming" file {$incoming: ensure => 'directory', owner => $owner, group => $group, mode => $mode, } $gpg_keys = lookup('debian_repository::gpg_keys', Array) $gpg_raw_command = 'gpg --batch --pinentry-mode loopback' each($gpg_keys) |$keyid| { exec {"debian repository gpg key ${keyid}": path => ['/usr/bin'], command => "${gpg_raw_command} --recv-keys ${keyid}", user => $owner, unless => "${gpg_raw_command} --list-keys ${keyid}", } profile::cron::d {"debrepo-keyring-refresh-${keyid}": target => 'debrepo-keyring-refresh', user => $owner, command => "chronic ${gpg_raw_command} --recv-keys ${keyid}", random_seed => "debrepo-keyring-${keyid}", minute => 'fqdn_rand', hour => 'fqdn_rand', } } file {"$basepath/conf": ensure => 'directory', owner => $owner, group => $group, mode => $mode, } file {"$basepath/conf/uploaders": ensure => 'file', owner => $owner, group => $group, mode => '0644', content => 
template('profile/debian_repository/uploaders.erb') } $vhost_name = lookup('debian_repository::vhost::name') $vhost_aliases = lookup('debian_repository::vhost::aliases') $vhost_docroot = lookup('debian_repository::vhost::docroot') $vhost_ssl_protocol = lookup('debian_repository::vhost::ssl_protocol') $vhost_ssl_honorcipherorder = lookup('debian_repository::vhost::ssl_honorcipherorder') $vhost_ssl_cipher = lookup('debian_repository::vhost::ssl_cipher') $vhost_hsts_header = lookup('debian_repository::vhost::hsts_header') include ::profile::apache::common ::apache::vhost {"${vhost_name}_non-ssl": servername => $vhost_name, serveraliases => $vhost_aliases, port => '80', docroot => $vhost_docroot, manage_docroot => false, redirect_status => 'permanent', redirect_dest => "https://${vhost_name}/", } ::profile::letsencrypt::certificate {$vhost_name:} $cert_paths = ::profile::letsencrypt::certificate_paths($vhost_name) ::apache::vhost {"${vhost_name}_ssl": servername => $vhost_name, port => '443', ssl => true, ssl_protocol => $vhost_ssl_protocol, ssl_honorcipherorder => $vhost_ssl_honorcipherorder, ssl_cipher => $vhost_ssl_cipher, ssl_cert => $cert_paths['cert'], ssl_chain => $cert_paths['chain'], ssl_key => $cert_paths['privkey'], headers => [$vhost_hsts_header], docroot => $vhost_docroot, manage_docroot => false, directories => [ { path => $vhost_docroot, require => 'all granted', options => ['Indexes', 'FollowSymLinks', 'MultiViews'], }, ], require => [ - File[$ssl_cert], - File[$ssl_chain], - File[$ssl_key], + File[$cert_paths['cert']], + File[$cert_paths['chain']], + File[$cert_paths['privkey']], ], } + File[$cert_paths['cert'], $cert_paths['chain'], $cert_paths['privkey']] ~> Class['Apache::Service'] + $icinga_checks_file = lookup('icinga2::exported_checks::filename') @@::icinga2::object::service {"debian repository http redirect on ${::fqdn}": service_name => 'debian repository http redirect', import => ['generic-service'], host_name => $::fqdn, check_command => 
'http', vars => { http_address => $vhost_name, http_vhost => $vhost_name, http_uri => '/', }, target => $icinga_checks_file, tag => 'icinga2::exported', } @@::icinga2::object::service {"debian repository https on ${::fqdn}": service_name => 'debian repository https', import => ['generic-service'], host_name => $::fqdn, check_command => 'http', vars => { http_address => $vhost_name, http_vhost => $vhost_name, http_ssl => true, http_sni => true, http_uri => '/', http_onredirect => sticky }, target => $icinga_checks_file, tag => 'icinga2::exported', } @@::icinga2::object::service {"debian repository https certificate ${::fqdn}": service_name => 'debian repository https certificate', import => ['generic-service'], host_name => $::fqdn, check_command => 'http', vars => { http_address => $vhost_name, http_vhost => $vhost_name, http_ssl => true, http_sni => true, - http_certificate => 60, + http_certificate => 25, }, target => $icinga_checks_file, tag => 'icinga2::exported', } } diff --git a/site-modules/profile/manifests/docs_web.pp b/site-modules/profile/manifests/docs_web.pp index 5cb27f7e..1b5eb3ac 100644 --- a/site-modules/profile/manifests/docs_web.pp +++ b/site-modules/profile/manifests/docs_web.pp 
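Review bot: `http_certificate => 25` replaces 60 without recording why, and the number is only meaningful relative to when the certificate is renewed: if the ACME client renews with about 30 days of validity left (certbot's default), 60 alerts on every healthy certificate while 25 alerts only once a renewal has failed, which is presumably the intent here. A trailing comment would make the choice checkable against the renewal configuration, e.g. `http_certificate => 25, # just under the renewal window, so only a missed renewal alerts`. The same 60 to 25 change appears in docs_web.pp, grafana/vhost.pp, icinga2/icingaweb2/vhost.pp and mediawiki.pp.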
@@ -1,108 +1,110 @@ # Deployment of web-facing static documentation class profile::docs_web { $docs_basepath = lookup('docs::basepath') $docs_vhost_name = lookup('docs::vhost::name') $docs_vhost_docroot = lookup('docs::vhost::docroot') $docs_vhost_docroot_owner = lookup('docs::vhost::docroot_owner') $docs_vhost_docroot_group = lookup('docs::vhost::docroot_group') $docs_vhost_docroot_mode = lookup('docs::vhost::docroot_mode') $docs_vhost_ssl_protocol = lookup('docs::vhost::ssl_protocol') $docs_vhost_ssl_honorcipherorder = lookup('docs::vhost::ssl_honorcipherorder') $docs_vhost_ssl_cipher = lookup('docs::vhost::ssl_cipher') $docs_vhost_hsts_header = lookup('docs::vhost::hsts_header') include ::profile::apache::common ::apache::vhost {"${docs_vhost_name}_non-ssl": servername => $docs_vhost_name, port => '80', docroot => $docs_vhost_docroot, manage_docroot => false, # will be managed by the SSL resource redirect_status => 'permanent', redirect_dest => "https://${docs_vhost_name}/", } ::profile::letsencrypt::certificate {$docs_vhost_name:} $cert_paths = ::profile::letsencrypt::certificate_paths($docs_vhost_name) ::apache::vhost {"${docs_vhost_name}_ssl": servername => $docs_vhost_name, port => '443', ssl => true, ssl_protocol => $docs_vhost_ssl_protocol, ssl_honorcipherorder => $docs_vhost_ssl_honorcipherorder, ssl_cipher => $docs_vhost_ssl_cipher, ssl_cert => $cert_paths['cert'], ssl_chain => $cert_paths['chain'], ssl_key => $cert_paths['privkey'], headers => [$docs_vhost_hsts_header], docroot => $docs_vhost_docroot, docroot_owner => $docs_vhost_docroot_owner, docroot_group => $docs_vhost_docroot_group, docroot_mode => $docs_vhost_docroot_mode, directories => [{ 'path' => $docs_vhost_docroot, 'require' => 'all granted', 'options' => ['Indexes', 'FollowSymLinks', 'MultiViews'], }], - require => [ - File[$ssl_cert], - File[$ssl_chain], - File[$ssl_key], - ], rewrites => [ { rewrite_rule => '^/?$ /devel/ [R,L]' }, ], + require => [ + File[$cert_paths['cert']], + 
File[$cert_paths['chain']], + File[$cert_paths['privkey']], + ], } + File[$cert_paths['cert'], $cert_paths['chain'], $cert_paths['privkey']] ~> Class['Apache::Service'] + $icinga_checks_file = lookup('icinga2::exported_checks::filename') @@::icinga2::object::service {"docs http redirect on ${::fqdn}": service_name => 'docs http redirect', import => ['generic-service'], host_name => $::fqdn, check_command => 'http', vars => { http_address => $docs_vhost_name, http_vhost => $docs_vhost_name, http_uri => '/', }, target => $icinga_checks_file, tag => 'icinga2::exported', } @@::icinga2::object::service {"docs https on ${::fqdn}": service_name => 'docs https', import => ['generic-service'], host_name => $::fqdn, check_command => 'http', vars => { http_address => $docs_vhost_name, http_vhost => $docs_vhost_name, http_ssl => true, http_sni => true, http_uri => '/', http_onredirect => sticky }, target => $icinga_checks_file, tag => 'icinga2::exported', } @@::icinga2::object::service {"docs https certificate ${::fqdn}": service_name => 'docs https certificate', import => ['generic-service'], host_name => $::fqdn, check_command => 'http', vars => { http_address => $docs_vhost_name, http_vhost => $docs_vhost_name, http_ssl => true, http_sni => true, - http_certificate => 60, + http_certificate => 25, }, target => $icinga_checks_file, tag => 'icinga2::exported', } } diff --git a/site-modules/profile/manifests/grafana/vhost.pp b/site-modules/profile/manifests/grafana/vhost.pp index 5af9b4a0..fc3d6f33 100644 --- a/site-modules/profile/manifests/grafana/vhost.pp +++ b/site-modules/profile/manifests/grafana/vhost.pp 
@@ -1,101 +1,103 @@ # Apache virtual host for grafana class profile::grafana::vhost { include ::profile::apache::common include ::apache::mod::proxy $grafana_vhost_name = lookup('grafana::vhost::name') $grafana_vhost_docroot = '/var/www/html' $grafana_vhost_ssl_protocol = lookup('grafana::vhost::ssl_protocol') $grafana_vhost_ssl_honorcipherorder = lookup('grafana::vhost::ssl_honorcipherorder') $grafana_vhost_ssl_cipher = lookup('grafana::vhost::ssl_cipher') $grafana_vhost_hsts_header = lookup('grafana::vhost::hsts_header') $grafana_upstream_port = lookup('grafana::backend::port') $grafana_backend_url = "http://127.0.0.1:${grafana_upstream_port}/" ::apache::vhost {"${grafana_vhost_name}_non-ssl": servername => $grafana_vhost_name, port => '80', docroot => $grafana_vhost_docroot, manage_docroot => false, # will be managed by the SSL resource redirect_status => 'permanent', redirect_dest => "https://${grafana_vhost_name}/", } ::profile::letsencrypt::certificate {$grafana_vhost_name:} $cert_paths = ::profile::letsencrypt::certificate_paths($grafana_vhost_name) ::apache::vhost {"${grafana_vhost_name}_ssl": servername => $grafana_vhost_name, port => '443', ssl => true, ssl_protocol => $grafana_vhost_ssl_protocol, ssl_honorcipherorder => $grafana_vhost_ssl_honorcipherorder, ssl_cipher => $grafana_vhost_ssl_cipher, ssl_cert => $cert_paths['cert'], ssl_chain => $cert_paths['chain'], ssl_key => $cert_paths['privkey'], headers => [$grafana_vhost_hsts_header], docroot => $grafana_vhost_docroot, manage_docroot => false, proxy_pass => [ { path => '/', url => $grafana_backend_url, }, ], require => [ - File[$ssl_cert], - File[$ssl_chain], - File[$ssl_key], + File[$ssl_cert], + File[$ssl_chain], + File[$ssl_key], ], } + File[$cert_paths['cert'], $cert_paths['chain'], $cert_paths['privkey']] ~> Class['Apache::Service'] + $icinga_checks_file = lookup('icinga2::exported_checks::filename') @@::icinga2::object::service {"grafana http redirect on ${::fqdn}": service_name => 'grafana http 
redirect', import => ['generic-service'], host_name => $::fqdn, check_command => 'http', vars => { http_address => $grafana_vhost_name, http_vhost => $grafana_vhost_name, http_uri => '/', }, target => $icinga_checks_file, tag => 'icinga2::exported', } @@::icinga2::object::service {"grafana https on ${::fqdn}": service_name => 'grafana https', import => ['generic-service'], host_name => $::fqdn, check_command => 'http', vars => { http_address => $grafana_vhost_name, http_vhost => $grafana_vhost_name, http_ssl => true, http_sni => true, http_uri => '/login', http_string => 'Grafana', }, target => $icinga_checks_file, tag => 'icinga2::exported', } @@::icinga2::object::service {"grafana https certificate ${::fqdn}": service_name => 'grafana https certificate', import => ['generic-service'], host_name => $::fqdn, check_command => 'http', vars => { http_address => $grafana_vhost_name, http_vhost => $grafana_vhost_name, http_ssl => true, http_sni => true, - http_certificate => 60, + http_certificate => 25, }, target => $icinga_checks_file, tag => 'icinga2::exported', } } diff --git a/site-modules/profile/manifests/icinga2/icingaweb2/vhost.pp b/site-modules/profile/manifests/icinga2/icingaweb2/vhost.pp index 72147cd9..d25c3554 100644 --- a/site-modules/profile/manifests/icinga2/icingaweb2/vhost.pp +++ b/site-modules/profile/manifests/icinga2/icingaweb2/vhost.pp 
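Review bot: The rewritten `require` block in grafana/vhost.pp still reads `File[$ssl_cert]`, `File[$ssl_chain]` and `File[$ssl_key]` — the `+` lines are identical to the `-` lines — while every other file in this commit switches to `$cert_paths`. None of `$ssl_cert`, `$ssl_chain` or `$ssl_key` is assigned anywhere in this class (the hunk covers the whole file), so the reference resolves to an undefined variable and the catalog will most likely fail to compile, or silently bind to an unrelated top-scope variable of that name if one exists. The three lines should read `File[$cert_paths['cert']],`, `File[$cert_paths['chain']],`, `File[$cert_paths['privkey']],`, matching the `~>` relationship added immediately below them.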
@@ -1,120 +1,122 @@ # Apache virtual host for icingaweb2 class profile::icinga2::icingaweb2::vhost { include ::profile::apache::common include ::apache::mod::php $icingaweb2_vhost_name = lookup('icinga2::icingaweb2::vhost::name') $icingaweb2_vhost_aliases = lookup('icinga2::icingaweb2::vhost::aliases') $icingaweb2_vhost_docroot = '/usr/share/icingaweb2/public' $icingaweb2_vhost_ssl_protocol = lookup('icinga2::icingaweb2::vhost::ssl_protocol') $icingaweb2_vhost_ssl_honorcipherorder = lookup('icinga2::icingaweb2::vhost::ssl_honorcipherorder') $icingaweb2_vhost_ssl_cipher = lookup('icinga2::icingaweb2::vhost::ssl_cipher') $icingaweb2_vhost_hsts_header = lookup('icinga2::icingaweb2::vhost::hsts_header') ::apache::vhost {"${icingaweb2_vhost_name}_non-ssl": servername => $icingaweb2_vhost_name, serveraliases => $icingaweb2_vhost_aliases, port => '80', docroot => $icingaweb2_vhost_docroot, manage_docroot => false, # will be managed by the SSL resource redirect_status => 'permanent', redirect_dest => "https://${icingaweb2_vhost_name}/", } ::profile::letsencrypt::certificate {$icingaweb2_vhost_name:} $cert_paths = ::profile::letsencrypt::certificate_paths($icingaweb2_vhost_name) ::apache::vhost {"${icingaweb2_vhost_name}_ssl": servername => $icingaweb2_vhost_name, serveraliases => $icingaweb2_vhost_aliases, port => '443', ssl => true, ssl_protocol => $icingaweb2_vhost_ssl_protocol, ssl_honorcipherorder => $icingaweb2_vhost_ssl_honorcipherorder, ssl_cipher => $icingaweb2_vhost_ssl_cipher, ssl_cert => $cert_paths['cert'], ssl_chain => $cert_paths['chain'], ssl_key => $cert_paths['privkey'], headers => [$icingaweb2_vhost_hsts_header], docroot => $icingaweb2_vhost_docroot, manage_docroot => false, directories => [ { path => $icingaweb2_vhost_docroot, require => 'all granted', options => ['SymlinksIfOwnerMatch'], setenv => ['ICINGAWEB_CONFIGDIR "/etc/icingaweb2"'], allow_override => ['None'], rewrites => [ { rewrite_cond => [ '%{REQUEST_FILENAME} -s [OR]', '%{REQUEST_FILENAME} 
-l [OR]', '%{REQUEST_FILENAME} -d', ], rewrite_rule => '^.*$ - [NC,L]', }, { rewrite_rule => '^.*$ index.php [NC,L]', } ], }, ], require => [ - File[$ssl_cert], - File[$ssl_chain], - File[$ssl_key], + File[$cert_paths['cert']], + File[$cert_paths['chain']], + File[$cert_paths['privkey']], ], } + File[$cert_paths['cert'], $cert_paths['chain'], $cert_paths['privkey']] ~> Class['Apache::Service'] + $icinga_checks_file = lookup('icinga2::exported_checks::filename') @@::icinga2::object::service {"icingaweb2 http redirect on ${::fqdn}": service_name => 'icingaweb2 http redirect', import => ['generic-service'], host_name => $::fqdn, check_command => 'http', vars => { http_address => $icingaweb2_vhost_name, http_vhost => $icingaweb2_vhost_name, http_uri => '/', }, target => $icinga_checks_file, tag => 'icinga2::exported', } @@::icinga2::object::service {"icingaweb2 https on ${::fqdn}": service_name => 'icingaweb2 https', import => ['generic-service'], host_name => $::fqdn, check_command => 'http', vars => { http_address => $icingaweb2_vhost_name, http_vhost => $icingaweb2_vhost_name, http_ssl => true, http_sni => true, http_uri => '/authentication/login', http_header => ['Cookie: _chc=1'], http_string => 'Icinga Web 2 Login', }, target => $icinga_checks_file, tag => 'icinga2::exported', } @@::icinga2::object::service {"icingaweb2 https certificate ${::fqdn}": service_name => 'icingaweb2 https certificate', import => ['generic-service'], host_name => $::fqdn, check_command => 'http', vars => { http_address => $icingaweb2_vhost_name, http_vhost => $icingaweb2_vhost_name, http_ssl => true, http_sni => true, - http_certificate => 60, + http_certificate => 25, }, target => $icinga_checks_file, tag => 'icinga2::exported', } } diff --git a/site-modules/profile/manifests/mediawiki.pp b/site-modules/profile/manifests/mediawiki.pp index 682ec9d3..6105744c 100644 --- a/site-modules/profile/manifests/mediawiki.pp +++ b/site-modules/profile/manifests/mediawiki.pp 
@@ -1,139 +1,139 @@ # Deployment of mediawiki for the Software Heritage intranet class profile::mediawiki { $mediawiki_fpm_root = lookup('mediawiki::php::fpm_listen') $mediawiki_vhosts = lookup('mediawiki::vhosts', Hash, 'deep') include ::profile::php ::php::extension {[ 'xml', ]: provider => 'apt', } ::php::fpm::pool {'mediawiki': listen => $mediawiki_fpm_root, user => 'www-data', } include ::mediawiki $mediawiki_vhost_docroot = lookup('mediawiki::vhost::docroot') $mediawiki_vhost_ssl_protocol = lookup('mediawiki::vhost::ssl_protocol') $mediawiki_vhost_ssl_honorcipherorder = lookup('mediawiki::vhost::ssl_honorcipherorder') $mediawiki_vhost_ssl_cipher = lookup('mediawiki::vhost::ssl_cipher') $mediawiki_vhost_hsts_header = lookup('mediawiki::vhost::hsts_header') $icinga_checks_file = lookup('icinga2::exported_checks::filename') each ($mediawiki_vhosts) |$name, $data| { $secret_key = $data['secret_key'] $upgrade_key = $data['upgrade_key'] $site_name = $data['site_name'] $basic_auth_content = $data['basic_auth_content'] ::profile::letsencrypt::certificate {$name:} $cert_paths = ::profile::letsencrypt::certificate_paths($name) ::mediawiki::instance { $name: vhost_docroot => $mediawiki_vhost_docroot, vhost_aliases => $data['aliases'], vhost_fpm_root => $mediawiki_fpm_root, vhost_basic_auth => $basic_auth_content, vhost_ssl_protocol => $mediawiki_vhost_ssl_protocol, vhost_ssl_honorcipherorder => $mediawiki_vhost_ssl_honorcipherorder, vhost_ssl_cipher => $mediawiki_vhost_ssl_cipher, vhost_ssl_cert => $cert_paths['cert'], vhost_ssl_chain => $cert_paths['chain'], vhost_ssl_key => $cert_paths['privkey'], vhost_ssl_hsts_header => $mediawiki_vhost_hsts_header, db_host => 'localhost', db_basename => $data['mysql']['dbname'], db_user => $data['mysql']['username'], db_password => $data['mysql']['password'], secret_key => $secret_key, upgrade_key => $upgrade_key, swh_logo => $data['swh_logo'], site_name => $site_name, } @@::icinga2::object::service {"mediawiki (${name}) http 
redirect on ${::fqdn}": service_name => "mediawiki ${name} http redirect", import => ['generic-service'], host_name => $::fqdn, check_command => 'http', vars => { http_address => $name, http_vhost => $name, http_uri => '/', }, target => $icinga_checks_file, tag => 'icinga2::exported', } if $basic_auth_content != '' { $extra_vars = { http_expect => '401 Unauthorized', } @@::icinga2::object::service {"mediawiki ${name} https + auth on ${::fqdn}": service_name => "mediawiki ${name} + auth", import => ['generic-service'], host_name => $::fqdn, check_command => 'http', vars => { http_address => $name, http_vhost => $name, http_ssl => true, http_sni => true, http_uri => '/', http_onredirect => sticky, http_auth_pair => $data['icinga_http_auth_pair'], http_string => "${site_name}", }, target => $icinga_checks_file, tag => 'icinga2::exported', } } else { $extra_vars = { http_string => "${site_name}", } } @@::icinga2::object::service {"mediawiki ${name} https on ${::fqdn}": service_name => "mediawiki ${name}", import => ['generic-service'], host_name => $::fqdn, check_command => 'http', vars => { http_address => $name, http_vhost => $name, http_ssl => true, http_sni => true, http_uri => '/', http_onredirect => sticky, } + $extra_vars, target => $icinga_checks_file, tag => 'icinga2::exported', } @@::icinga2::object::service {"mediawiki ${name} https certificate ${::fqdn}": service_name => "mediawiki ${name} https certificate", import => ['generic-service'], host_name => $::fqdn, check_command => 'http', vars => { http_vhost => $name, http_address => $name, http_ssl => true, http_sni => true, - http_certificate => 60, + http_certificate => 25, }, target => $icinga_checks_file, tag => 'icinga2::exported', } } } diff --git a/site-modules/profile/manifests/phabricator.pp b/site-modules/profile/manifests/phabricator.pp index 18867cfa..c5caaf57 100644 --- a/site-modules/profile/manifests/phabricator.pp +++ b/site-modules/profile/manifests/phabricator.pp 
@@ -1,326 +1,328 @@ # Setup an instance of phabricator class profile::phabricator { $phabricator_basepath = lookup('phabricator::basepath') $phabricator_user = lookup('phabricator::user') $phabricator_vcs_user = lookup('phabricator::vcs_user') $phabricator_db_root_password = lookup('phabricator::mysql::root_password') $phabricator_db_basename = lookup('phabricator::mysql::database_prefix') $phabricator_db_user = lookup('phabricator::mysql::username') $phabricator_db_password = lookup('phabricator::mysql::password') $phabricator_db_max_allowed_packet = lookup('phabricator::mysql::conf::max_allowed_packet') $phabricator_db_sql_mode = lookup('phabricator::mysql::conf::sql_mode') $phabricator_db_ft_stopword_file = lookup('phabricator::mysql::conf::ft_stopword_file') $phabricator_db_ft_min_word_len = lookup('phabricator::mysql::conf::ft_min_word_len') $phabricator_db_ft_boolean_syntax = lookup('phabricator::mysql::conf::ft_boolean_syntax') $phabricator_db_innodb_buffer_pool_size = lookup('phabricator::mysql::conf::innodb_buffer_pool_size') $phabricator_db_innodb_file_per_table = lookup('phabricator::mysql::conf::innodb_file_per_table') $phabricator_db_innodb_flush_method = lookup('phabricator::mysql::conf::innodb_flush_method') $phabricator_db_innodb_log_file_size = lookup('phabricator::mysql::conf::innodb_log_file_size') $phabricator_db_max_connections = lookup('phabricator::mysql::conf::max_connections') $phabricator_fpm_listen = lookup('phabricator::php::fpm_listen') $phabricator_max_size = lookup('phabricator::php::max_file_size') $phabricator_opcache_validate_timestamps = lookup('phabricator::php::opcache_validate_timestamps') $phabricator_notification_listen = lookup('phabricator::notification::listen') $phabricator_notification_client_host = lookup('phabricator::notification::client_host') $phabricator_notification_client_port = lookup('phabricator::notification::client_port') $phabricator_vhost_name = lookup('phabricator::vhost::name') $phabricator_vhost_docroot 
= lookup('phabricator::vhost::docroot') $phabricator_vhost_basic_auth_file = "${phabricator_basepath}/http_auth" $phabricator_vhost_basic_auth_content = lookup('phabricator::vhost::basic_auth_content') $phabricator_vhost_ssl_protocol = lookup('phabricator::vhost::ssl_protocol') $phabricator_vhost_ssl_honorcipherorder = lookup('phabricator::vhost::ssl_honorcipherorder') $phabricator_vhost_ssl_cipher = lookup('phabricator::vhost::ssl_cipher') $phabricator_vhost_hsts_header = lookup('phabricator::vhost::hsts_header') $homedirs = { $phabricator_user => $phabricator_basepath, $phabricator_vcs_user => "${phabricator_basepath}/vcshome", } $homedir_modes = { $phabricator_user => '0644', $phabricator_vcs_user => '0640', } each([$phabricator_user, $phabricator_vcs_user]) |$name| { user {$name: ensure => present, system => true, shell => '/bin/bash', home => $homedirs[$name], } file {$homedirs[$name]: ensure => directory, owner => $name, group => $name, mode => $homedir_modes[$name], } } ::sudo::conf {'phabricator-ssh': ensure => present, content => "${phabricator_vcs_user} ALL=(${phabricator_user}) SETENV: NOPASSWD: /usr/bin/git-upload-pack, /usr/bin/git-receive-pack, /usr/bin/hg", } ::sudo::conf {'phabricator-http': ensure => present, content => "www-data ALL=(${phabricator_user}) SETENV: NOPASSWD: /usr/bin/git-http-backend, /usr/bin/hg", require => File['/usr/bin/git-http-backend'], } file {'/usr/bin/git-http-backend': ensure => link, target => '/usr/lib/git-core/git-http-backend', } $phabricator_ssh_hook = '/usr/bin/phabricator-ssh-hook.sh' $phabricator_ssh_config = '/etc/ssh/ssh_config.phabricator' file {$phabricator_ssh_hook: ensure => present, owner => 'root', group => 'root', mode => '0755', content => template('profile/phabricator/phabricator-ssh-hook.sh.erb'), } file {$phabricator_ssh_config: ensure => present, owner => 'root', group => 'root', mode => '0600', content => template('profile/phabricator/sshd_config.phabricator.erb'), require => 
File[$phabricator_ssh_hook], } ::systemd::unit_file {'phabricator-sshd.service': ensure => present, content => template('profile/phabricator/phabricator-sshd.service.erb'), require => File[$phabricator_ssh_config], } ~> service {'phabricator-sshd': ensure => 'running', enable => true, require => [ File['/etc/systemd/system/phabricator-sshd.service'], ], } include ::mysql::client class {'::mysql::server': root_password => $phabricator_db_root_password, override_options => { mysqld => { max_allowed_packet => $phabricator_db_max_allowed_packet, sql_mode => $phabricator_db_sql_mode, ft_stopword_file => $phabricator_db_ft_stopword_file, ft_min_word_len => $phabricator_db_ft_min_word_len, ft_boolean_syntax => $phabricator_db_ft_boolean_syntax, innodb_buffer_pool_size => $phabricator_db_innodb_buffer_pool_size, innodb_file_per_table => $phabricator_db_innodb_file_per_table, innodb_flush_method => $phabricator_db_innodb_flush_method, innodb_log_file_size => $phabricator_db_innodb_log_file_size, max_connections => $phabricator_db_max_connections, local_infile => 0, } } } $mysql_username = "${phabricator_db_user}@localhost" $mysql_tables = "${phabricator_db_basename}_%.*" mysql_user {$mysql_username: ensure => present, password_hash => mysql_password($phabricator_db_password), } mysql_grant {"${mysql_username}/${mysql_tables}": user => $mysql_username, table => $mysql_tables, privileges => ['ALL'], require => Mysql_user[$mysql_username], } include ::profile::php ::php::fpm::pool {'phabricator': listen => $phabricator_fpm_listen, user => 'www-data', php_admin_value => { post_max_size => $phabricator_max_size, upload_max_filesize => $phabricator_max_size, 'opcache.validate_timestamps' => $phabricator_opcache_validate_timestamps, 'mysqli.allow_local_infile' => 0, }, } ::php::extension {[ 'apcu', 'mailparse', ]: provider => 'apt', package_prefix => 'php-', } ::php::extension {[ 'curl', 'gd', 'mbstring', 'zip', ]: provider => 'apt', } include ::profile::apache::common include 
::apache::mod::proxy include ::profile::apache::mod_proxy_fcgi ::apache::mod {'proxy_wstunnel':} ::apache::vhost {"${phabricator_vhost_name}_non-ssl": servername => $phabricator_vhost_name, port => '80', docroot => $phabricator_vhost_docroot, docroot_owner => $phabricator_user, docroot_group => $phabricator_user, redirect_status => 'permanent', redirect_dest => "https://${phabricator_vhost_name}/", } ::profile::letsencrypt::certificate {$phabricator_vhost_name:} $cert_paths = ::profile::letsencrypt::certificate_paths($phabricator_vhost_name) ::apache::vhost {"${phabricator_vhost_name}_ssl": servername => $phabricator_vhost_name, port => '443', ssl => true, ssl_protocol => $phabricator_vhost_ssl_protocol, ssl_honorcipherorder => $phabricator_vhost_ssl_honorcipherorder, ssl_cipher => $phabricator_vhost_ssl_cipher, ssl_cert => $cert_paths['cert'], ssl_chain => $cert_paths['chain'], ssl_key => $cert_paths['privkey'], headers => [$phabricator_vhost_hsts_header], docroot => $phabricator_vhost_docroot, docroot_owner => $phabricator_user, docroot_group => $phabricator_user, rewrites => [ { rewrite_rule => '^/rsrc/(.*) - [L,QSA]' }, { rewrite_rule => '^/favicon.ico - [L,QSA]' }, { rewrite_rule => "^/ws/(.*)$ ws://${phabricator_notification_listen}/\$1 [L,P]" }, { rewrite_rule => "^(.*)$ fcgi://${phabricator_fpm_listen}${phabricator_vhost_docroot}/index.php?__path__=\$1 [B,L,P,QSA]" }, ], setenvif => [ "Authorization \"(.*)\" HTTP_AUTHORIZATION=\$1", ], require => [ - File[$ssl_cert], - File[$ssl_chain], - File[$ssl_key], + File[$cert_paths['cert']], + File[$cert_paths['chain']], + File[$cert_paths['privkey']], ], } + File[$cert_paths['cert'], $cert_paths['chain'], $cert_paths['privkey']] ~> Class['Apache::Service'] + file {$phabricator_vhost_basic_auth_file: ensure => absent, } # Uses: # $phabricator_basepath # $phabricator_user ::systemd::unit_file {'phabricator-phd.service': ensure => present, content => template('profile/phabricator/phabricator-phd.service.erb'), } ~> 
service {'phabricator-phd': ensure => 'running', enable => true, } # Uses: # $phabricator_basepath # $phabricator_user # $phabricator_notification_* ::systemd::unit_file {'phabricator-aphlict.service': ensure => present, content => template('profile/phabricator/phabricator-aphlict.service.erb'), } ~> service {'phabricator-aphlict': ensure => 'running', enable => true, } package {'python-pygments': ensure => installed, } $icinga_checks_file = lookup('icinga2::exported_checks::filename') @@::icinga2::object::service {"phabricator http redirect on ${::fqdn}": service_name => 'phabricator http redirect', import => ['generic-service'], host_name => $::fqdn, check_command => 'http', vars => { http_address => $phabricator_vhost_name, http_vhost => $phabricator_vhost_name, http_uri => '/', }, target => $icinga_checks_file, tag => 'icinga2::exported', } @@::icinga2::object::service {"phabricator https on ${::fqdn}": service_name => 'phabricator', import => ['generic-service'], host_name => $::fqdn, check_command => 'http', vars => { http_address => $phabricator_vhost_name, http_vhost => $phabricator_vhost_name, http_ssl => true, http_sni => true, http_uri => '/', http_onredirect => sticky }, target => $icinga_checks_file, tag => 'icinga2::exported', } @@::icinga2::object::service {"phabricator https certificate ${::fqdn}": service_name => 'phabricator https certificate', import => ['generic-service'], host_name => $::fqdn, check_command => 'http', vars => { http_address => $phabricator_vhost_name, http_vhost => $phabricator_vhost_name, http_ssl => true, http_sni => true, - http_certificate => 60, + http_certificate => 25, }, target => $icinga_checks_file, tag => 'icinga2::exported', } # Needs refactoring $ssh_known_hosts_dir = '/etc/ssh/puppet_known_hosts' $ssh_known_hosts_target = "${ssh_known_hosts_dir}/${::fqdn}.keys" each($::ssh) |$algo, $data| { $real_algo = $algo ? 
{ 'ecdsa' => 'ecdsa-sha2-nistp256', default => $algo, } @@::concat::fragment {"ssh-phabricator-${::fqdn}-${real_algo}": target => $ssh_known_hosts_target, content => inline_template("<%= @phabricator_vhost_name %> <%= @real_algo %> <%= @data['key'] %>\n"), order => '20', tag => 'ssh_known_hosts', } } } diff --git a/site-modules/profile/manifests/stats_web.pp b/site-modules/profile/manifests/stats_web.pp index 26900efe..a21fd6a6 100644 --- a/site-modules/profile/manifests/stats_web.pp +++ b/site-modules/profile/manifests/stats_web.pp 
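Review bot: The added `file {$phabricator_vhost_basic_auth_file: ensure => absent, }` retires the htpasswd file, but `$phabricator_vhost_basic_auth_content = lookup('phabricator::vhost::basic_auth_content')` earlier in this hunk is now read for nothing and is not referenced anywhere else in the file; drop that lookup, and the hiera key with it if it still carries a credential, so stale basic-auth material is not kept around in hiera. This hunk also changes `http_certificate` from 60 to 25, and as with mediawiki.pp a single value only sets check_http's warning days (critical stays at 0 unless a second value is given, if I remember the plugin correctly), so `http_certificate => '25,7'` would let a failed renewal escalate before the certificate expires. The replacement of `File[$ssl_cert]`/`File[$ssl_chain]`/`File[$ssl_key]` by `File[$cert_paths[...]]` in `require` looks correct, since no `$ssl_cert` variable is defined in this class; a one-line comment above the new `File[...] ~> Class['Apache::Service']` relationship, `# reload apache after certbot renews the certificate files`, would make its purpose explicit.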
@@ -1,49 +1,49 @@ # Deployment of web-facing stats export (from munin) class profile::stats_web { $vhost_name = lookup('stats_export::vhost::name') $vhost_docroot = lookup('stats_export::vhost::docroot') $vhost_ssl_protocol = lookup('stats_export::vhost::ssl_protocol') $vhost_ssl_honorcipherorder = lookup('stats_export::vhost::ssl_honorcipherorder') $vhost_ssl_cipher = lookup('stats_export::vhost::ssl_cipher') $vhost_hsts_header = lookup('stats_export::vhost::hsts_header') file {$vhost_docroot: ensure => directory, owner => 'www-data', group => 'www-data', mode => '0755', } include ::profile::apache::common ::apache::vhost {"${vhost_name}_non-ssl": servername => $vhost_name, port => '80', docroot => $vhost_docroot, redirect_status => 'permanent', redirect_dest => "https://${vhost_name}/", } $ssl_cert_name = 'stats_export' ::profile::letsencrypt::certificate {$ssl_cert_name:} $cert_paths = ::profile::letsencrypt::certificate_paths($ssl_cert_name) ::apache::vhost {"${vhost_name}_ssl": servername => $vhost_name, port => '443', ssl => true, ssl_protocol => $vhost_ssl_protocol, ssl_honorcipherorder => $vhost_ssl_honorcipherorder, ssl_cipher => $vhost_ssl_cipher, ssl_cert => $cert_paths['cert'], ssl_chain => $cert_paths['chain'], ssl_key => $cert_paths['privkey'], headers => [$vhost_hsts_header], docroot => $vhost_docroot, require => [ - Profile::Letsencrypt::Certificate[$ssl_cert_name], - ], + Profile::Letsencrypt::Certificate[$ssl_cert_name], + ], } File[$cert_paths['cert'], $cert_paths['chain'], $cert_paths['privkey']] ~> Class['Apache::Service'] }