From 4e48dadf9a43e9e6e112994207c4d6fef996672f Mon Sep 17 00:00:00 2001 From: Jon Hallett Date: Fri, 7 Oct 2016 11:47:56 +0100 Subject: [PATCH 01/46] * Change owner of directories to project user * Change permissions of high-level directorys to remove group write (to make SSH work) --- manifests/project.pp | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/manifests/project.pp b/manifests/project.pp index 9292ce2..b9e226b 100644 --- a/manifests/project.pp +++ b/manifests/project.pp @@ -40,24 +40,24 @@ "$::projects::basedir/$title/etc", ] : ensure => directory, - owner => root, - group => $title, - mode => '0775' + owner => $uid, + group => $gid, + mode => '0755' } file { "$::projects::basedir/$title/var/log": ensure => directory, - owner => root, - group => $title, + owner => $uid, + group => $gid, mode => '0750', seltype => 'var_log_t', require => File["$::projects::basedir/$title/var"], } concat { "${::projects::basedir}/${title}/README": - owner => 'root', - group => $title, + owner => $uid, + group => $gid, mode => '0640', } From c9b71d4ba97fd5cc6212b5afafff59274b26b8c1 Mon Sep 17 00:00:00 2001 From: Jon Hallett Date: Fri, 7 Oct 2016 13:44:04 +0100 Subject: [PATCH 02/46] Puppet insists that uid and gid are strings in a concat section. --- manifests/project.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/project.pp b/manifests/project.pp index b9e226b..2fdd03f 100644 --- a/manifests/project.pp +++ b/manifests/project.pp @@ -56,8 +56,8 @@ } concat { "${::projects::basedir}/${title}/README": - owner => $uid, - group => $gid, + owner => $title, + group => $title, mode => '0640', } From 50c2eb73729e77f7d8bfa9a9f3712a26a0942abb Mon Sep 17 00:00:00 2001 
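Review bot: The directory resources in the patch 01 hunk take `owner => $uid` / `group => $gid` while the patch 02 hunk switches the README concat on the same tree to `owner => $title` / `group => $title`, so the project directory is owned by numeric id in one resource and by account name in the other. Puppet applies a numeric owner even when no account has that id yet, so if the id allocated to the project account ever differs from what `$uid` carries, the file and concat resources will disagree on every run. Using the account name for the directories too, `owner => $title, group => $title,`, keeps the two consistent. `$uid` and `$gid` are declared outside the hunk; that they are numeric is inferred from the patch 02 message.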
From: Jon Hallett Date: Fri, 7 Oct 2016 13:56:20 +0100 Subject: [PATCH 03/46] * Backslash quote backslashes to prevent Puppet complaining about \. not being a valid sequence --- manifests/project/apache.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/project/apache.pp b/manifests/project/apache.pp index 32b1fe1..56fa2d3 100644 --- a/manifests/project/apache.pp +++ b/manifests/project/apache.pp @@ -161,7 +161,7 @@ serveraliases => $altnames, access_log_env_var => "!forwarded", custom_fragment => "LogFormat \"%{X-Forwarded-For}i %l %u %t \\\"%r\\\" %s %b \\\"%{Referer}i\\\" \\\"%{User-Agent}i\\\"\" proxy -SetEnvIf X-Forwarded-For \"^.*\..*\..*\..*\" forwarded +SetEnvIf X-Forwarded-For \"^.*\\..*\\..*\\..*\" forwarded CustomLog \"${::projects::basedir}/${projectname}/var/log/httpd/${title}_access.log\" proxy env=forwarded", ip => $ip, ip_based => $ip_based, From 4388dc5ac888570624c6d723856c24cda41f454f Mon Sep 17 00:00:00 2001 From: Jon Hallett Date: Fri, 7 Oct 2016 14:01:42 +0100 Subject: [PATCH 04/46] Use Puppet heredoc for complicated Apache config line... --- manifests/project/apache.pp | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/manifests/project/apache.pp b/manifests/project/apache.pp index 56fa2d3..766db02 100644 --- a/manifests/project/apache.pp +++ b/manifests/project/apache.pp 
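Review bot: The `SetEnvIf X-Forwarded-For "^.*\\..*\\..*\\..*" forwarded` line this hunk fixes keys the `proxy` log format on a header any client can send, so the address recorded by `%{X-Forwarded-For}i` is whatever the caller put there, and the pattern (any value containing three dots) does not even restrict it to an IPv4 address, while an IPv6 forwarder fails the match and lands in the `!forwarded` log instead. If the front-end proxy is the only legitimate source of that header, the safer shape is to let `mod_remoteip` rewrite the client address from a `RemoteIPInternalProxy` list and log `%a` as usual, with no `SetEnvIf` at all. The vhost resource containing this fragment starts before the hunk.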
@@ -160,9 +160,11 @@ "${::projects::basedir}/${projectname}/etc/ssl/private/${vhost_name}.key", serveraliases => $altnames, access_log_env_var => "!forwarded", - custom_fragment => "LogFormat \"%{X-Forwarded-For}i %l %u %t \\\"%r\\\" %s %b \\\"%{Referer}i\\\" \\\"%{User-Agent}i\\\"\" proxy -SetEnvIf X-Forwarded-For \"^.*\\..*\\..*\\..*\" forwarded -CustomLog \"${::projects::basedir}/${projectname}/var/log/httpd/${title}_access.log\" proxy env=forwarded", + custom_fragment => @("LOGFORMAT"), + LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy + SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded + CustomLog "${::projects::basedir}/${projectname}/var/log/httpd/${title}_access.log" proxy env=forwarded + | LOGFORMAT ip => $ip, ip_based => $ip_based, add_listen => false, From d7ff480fd7089f09761f2dbc7117183409c86d70 Mon Sep 17 00:00:00 2001 From: Jon Hallett Date: Fri, 7 Oct 2016 14:06:51 +0100 Subject: [PATCH 05/46] Revert "Use Puppet heredoc for complicated Apache config line..." This reverts commit 4388dc5ac888570624c6d723856c24cda41f454f. It turns out that Puppet 3 doesn't support heredocs :-( --- manifests/project/apache.pp | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/manifests/project/apache.pp b/manifests/project/apache.pp index 766db02..56fa2d3 100644 --- a/manifests/project/apache.pp +++ b/manifests/project/apache.pp 
@@ -160,11 +160,9 @@ "${::projects::basedir}/${projectname}/etc/ssl/private/${vhost_name}.key", serveraliases => $altnames, access_log_env_var => "!forwarded", - custom_fragment => @("LOGFORMAT"), - LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy - SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded - CustomLog "${::projects::basedir}/${projectname}/var/log/httpd/${title}_access.log" proxy env=forwarded - | LOGFORMAT + custom_fragment => "LogFormat \"%{X-Forwarded-For}i %l %u %t \\\"%r\\\" %s %b \\\"%{Referer}i\\\" \\\"%{User-Agent}i\\\"\" proxy +SetEnvIf X-Forwarded-For \"^.*\\..*\\..*\\..*\" forwarded +CustomLog \"${::projects::basedir}/${projectname}/var/log/httpd/${title}_access.log\" proxy env=forwarded", ip => $ip, ip_based => $ip_based, add_listen => false, From ca70ee207f5f660c5e54942ebd496ae1bc478155 Mon Sep 17 00:00:00 2001 From: Jon Hallett Date: Fri, 7 Oct 2016 15:36:34 +0100 Subject: [PATCH 06/46] Try adding reset-perms to the sudo list. --- manifests/project.pp | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/manifests/project.pp b/manifests/project.pp index 2fdd03f..8798fe3 100644 --- a/manifests/project.pp +++ b/manifests/project.pp @@ -103,3 +103,8 @@ } } +sudo::conf { "${title}-reset-perms": + content => "%${title} ALL= (ALL) /usr/local/bin/reset-perms" +} + + From a0d1898db3a26c7647031698f95d0446d233b992 Mon Sep 17 00:00:00 2001 From: Jon Hallett Date: Fri, 7 Oct 2016 15:40:54 +0100 Subject: [PATCH 07/46] Move the sudo::conf into the project definition... --- manifests/project.pp | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/manifests/project.pp b/manifests/project.pp index 8798fe3..9908611 100644 --- a/manifests/project.pp +++ b/manifests/project.pp @@ -93,6 +93,10 @@ grant => pick($mysql[grant],['ALL']), } } + + sudo::conf { "${title}-reset-perms": + content => "%${title} ALL= (ALL) /usr/local/bin/reset-perms" + } } define project_user ( 
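Review bot: The `sudo::conf` added in the patch 06 hunk grants the project group `/usr/local/bin/reset-perms` as `(ALL)`, i.e. as any account rather than only root, with no argument restriction; patch 07 (this line and the next) only moves the resource into the define and patch 08 on the next line adds `NOPASSWD:`, so the rule ends up as passwordless execution as any user. Unless reset-perms genuinely has to run as non-root accounts, `content => "%${title} ALL=(root) NOPASSWD: /usr/local/bin/reset-perms"` is the least-privilege form, and the script itself should be root-owned and not group-writable since every member of the group can trigger it. The same `(ALL) NOPASSWD:` shape is given to `/sbin/apachectl` in patch 20; apachectl passes its arguments through to httpd, so that rule should pin the subcommands it is meant to allow (`graceful`, `configtest`, …) rather than the bare binary.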
@@ -102,9 +106,3 @@ groups +> $group, } } - -sudo::conf { "${title}-reset-perms": - content => "%${title} ALL= (ALL) /usr/local/bin/reset-perms" -} - - From 8885ee9d880f4a07eea13b39164e118f7be5b777 Mon Sep 17 00:00:00 2001 From: Jon Hallett Date: Fri, 7 Oct 2016 15:51:42 +0100 Subject: [PATCH 08/46] Allow NOPASSWD for reset-perms. I hope this is a good idea... --- manifests/project.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/project.pp b/manifests/project.pp index 9908611..f7e83e3 100644 --- a/manifests/project.pp +++ b/manifests/project.pp @@ -95,7 +95,7 @@ } sudo::conf { "${title}-reset-perms": - content => "%${title} ALL= (ALL) /usr/local/bin/reset-perms" + content => "%${title} ALL=(ALL) NOPASSWD: /usr/local/bin/reset-perms" } } From 8fdf88ab09b174feea2e874b9d8659ed83fdda34 Mon Sep 17 00:00:00 2001 From: Jon Hallett Date: Thu, 13 Oct 2016 09:44:09 +0100 Subject: [PATCH 09/46] * create apache and apache/conf --- manifests/project.pp | 2 ++ 1 file changed, 2 insertions(+) diff --git a/manifests/project.pp b/manifests/project.pp index f7e83e3..61f2f04 100644 --- a/manifests/project.pp +++ b/manifests/project.pp @@ -38,6 +38,8 @@ "$::projects::basedir/$title/var", "$::projects::basedir/$title/lib", "$::projects::basedir/$title/etc", + "$::projects::basedir/$title/apache", + "$::projects::basedir/$title/apache/conf", ] : ensure => directory, owner => $uid, From 60185d87a9ecc916e160b880e899e149b9a35cef Mon Sep 17 00:00:00 2001 From: Jon Hallett Date: Fri, 14 Oct 2016 13:22:37 +0100 Subject: [PATCH 10/46] * add dependencies for apache sub directories --- manifests/project.pp | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/manifests/project.pp b/manifests/project.pp index 61f2f04..15ea66f 100644 --- a/manifests/project.pp +++ b/manifests/project.pp 
@@ -39,14 +39,32 @@ "$::projects::basedir/$title/lib", "$::projects::basedir/$title/etc", "$::projects::basedir/$title/apache", + ] : + ensure => directory, + owner => $uid, + group => $gid, + mode => '0755' + } + + file { [ "$::projects::basedir/$title/apache/conf", ] : ensure => directory, owner => $uid, group => $gid, mode => '0755' + require => File["$::projects::basedir/$title/apache"], } + file { [ + "$::projects::basedir/$title/apache/conf/conf.d", + ] : + ensure => directory, + owner => $uid, + group => $gid, + mode => '0755' + require => File["$::projects::basedir/$title/apache/conf"], + } file { "$::projects::basedir/$title/var/log": ensure => directory, From e86041defabee6d43fe317e7524d04b09c02c5c1 Mon Sep 17 00:00:00 2001 From: Jon Hallett Date: Fri, 14 Oct 2016 13:27:52 +0100 Subject: [PATCH 11/46] * typo - added commas to ends of lines --- manifests/project.pp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/manifests/project.pp b/manifests/project.pp index 15ea66f..90c0a57 100644 --- a/manifests/project.pp +++ b/manifests/project.pp @@ -43,7 +43,7 @@ ensure => directory, owner => $uid, group => $gid, - mode => '0755' + mode => '0755', } file { [ @@ -52,7 +52,7 @@ ensure => directory, owner => $uid, group => $gid, - mode => '0755' + mode => '0755', require => File["$::projects::basedir/$title/apache"], } @@ -62,7 +62,7 @@ ensure => directory, owner => $uid, group => $gid, - mode => '0755' + mode => '0755', require => File["$::projects::basedir/$title/apache/conf"], } From f3a1733498a33a1b5ac90ca62ee7b12355b26505 Mon Sep 17 00:00:00 2001 From: Jon Hallett Date: Fri, 14 Oct 2016 13:31:28 +0100 Subject: [PATCH 12/46] * add group write to subdirectories in project directory * add dependency on project directory to subdirectories --- manifests/project.pp | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/manifests/project.pp b/manifests/project.pp index 90c0a57..6f04109 100644 
--- a/manifests/project.pp +++ b/manifests/project.pp @@ -34,7 +34,16 @@ group => $title } - file { [ "$::projects::basedir/$title", + file { [ + "$::projects::basedir/$title", + ] : + ensure => directory, + owner => $uid, + group => $gid, + mode => '0755', + } + + file { [ "$::projects::basedir/$title/var", "$::projects::basedir/$title/lib", "$::projects::basedir/$title/etc", @@ -43,7 +52,8 @@ ensure => directory, owner => $uid, group => $gid, - mode => '0755', + mode => '0775', + require => File["$::projects::basedir/$title"], } file { [ @@ -52,7 +62,7 @@ ensure => directory, owner => $uid, group => $gid, - mode => '0755', + mode => '0775', require => File["$::projects::basedir/$title/apache"], } @@ -62,7 +72,7 @@ ensure => directory, owner => $uid, group => $gid, - mode => '0755', + mode => '0775', require => File["$::projects::basedir/$title/apache/conf"], } From a5e06d747117dd43a1f836ea4ed8bc31a161d437 Mon Sep 17 00:00:00 2001 From: Jon Hallett Date: Mon, 17 Oct 2016 09:44:15 +0100 Subject: [PATCH 13/46] * move apache directory creation to apache manifest --- manifests/project.pp | 21 --------------------- manifests/project/apache.pp | 30 ++++++++++++++++++++++++++++++ 2 files changed, 30 insertions(+), 21 deletions(-) diff --git a/manifests/project.pp b/manifests/project.pp index 6f04109..14846db 100644 --- a/manifests/project.pp +++ b/manifests/project.pp @@ -47,7 +47,6 @@ "$::projects::basedir/$title/var", "$::projects::basedir/$title/lib", "$::projects::basedir/$title/etc", - "$::projects::basedir/$title/apache", ] : ensure => directory, owner => $uid, 
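Review bot: Patch 12 relaxes `$basedir/$title/etc` from `0755` to `0775`, and the apache manifest places `etc/ssl`, `etc/ssl/private` and `etc/apache/conf.d` under it (visible in later hunks), so every member of the project group can now replace the web server's configuration and, depending on the mode of `etc/ssl/private` which is not in view, its private keys; together with the group's sudo rule for `/sbin/apachectl` the group effectively administers httpd. If group write is only needed for `var` and `lib`, keep `etc` at `mode => '0755',` and grant write on the specific sub-directories the team is meant to edit. The new `require => File["$::projects::basedir/$title"]` lines duplicate Puppet's parent-directory autorequire, which is why patch 16 later removes them.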
@@ -56,26 +55,6 @@ require => File["$::projects::basedir/$title"], } - file { [ - "$::projects::basedir/$title/apache/conf", - ] : - ensure => directory, - owner => $uid, - group => $gid, - mode => '0775', - require => File["$::projects::basedir/$title/apache"], - } - - file { [ - "$::projects::basedir/$title/apache/conf/conf.d", - ] : - ensure => directory, - owner => $uid, - group => $gid, - mode => '0775', - require => File["$::projects::basedir/$title/apache/conf"], - } - file { "$::projects::basedir/$title/var/log": ensure => directory, owner => $uid, diff --git a/manifests/project/apache.pp b/manifests/project/apache.pp index 56fa2d3..a0200e8 100644 --- a/manifests/project/apache.pp +++ b/manifests/project/apache.pp @@ -94,6 +94,36 @@ require => File["${::projects::basedir}/${title}/etc/ssl"], } + file { [ + "$::projects::basedir/$title/apache", + ] : + ensure => directory, + owner => $title, + group => $title, + mode => '0775', + require => File["$::projects::basedir/$title"], + } + + file { [ + "$::projects::basedir/$title/apache/conf", + ] : + ensure => directory, + owner => $title, + group => $title, + mode => '0775', + require => File["$::projects::basedir/$title/apache"], + } + + file { [ + "$::projects::basedir/$title/apache/conf/conf.d", + ] : + ensure => directory, + owner => $title, + group => $title, + mode => '0775', + require => File["$::projects::basedir/$title/apache/conf"], + } + sudo::conf { "${title}-apache": content => "%${title} ALL= (ALL) /sbin/apachectl" } From 068472b0731849bacae6c88723d4f877d5da8870 Mon Sep 17 00:00:00 2001 From: Jon Hallett Date: Mon, 17 Oct 2016 11:47:13 +0100 Subject: [PATCH 14/46] * Move creation of project .ssh directory from Vagrantfile to Puppet --- manifests/project.pp | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/manifests/project.pp b/manifests/project.pp index 14846db..c9e44cf 100644 --- a/manifests/project.pp +++ b/manifests/project.pp 
@@ -43,6 +43,15 @@ mode => '0755', } + file { '$::projects::basedir/$title/.ssh': + ensure => 'directory', + owner => $uid, + group => $gid, + mode => '700', + seltype => 'ssh_home_t', + require => File["$::projects::basedir/$title"], + } + file { [ "$::projects::basedir/$title/var", "$::projects::basedir/$title/lib", From 7c7b58f52a20483e78261bbe38b72f4751405a3f Mon Sep 17 00:00:00 2001 From: Jon Hallett Date: Mon, 17 Oct 2016 11:55:54 +0100 Subject: [PATCH 15/46] * Fix quotes to enable interpolation --- manifests/project.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/project.pp b/manifests/project.pp index c9e44cf..602ada9 100644 --- a/manifests/project.pp +++ b/manifests/project.pp @@ -43,7 +43,7 @@ mode => '0755', } - file { '$::projects::basedir/$title/.ssh': + file { "$::projects::basedir/$title/.ssh": ensure => 'directory', owner => $uid, group => $gid, From 2423f7e8815af5d5e13629ea0c6e67ce88f86711 Mon Sep 17 00:00:00 2001 From: Jon Hallett Date: Mon, 17 Oct 2016 12:00:17 +0100 Subject: [PATCH 16/46] * Remove redundant requires --- manifests/project.pp | 3 --- 1 file changed, 3 deletions(-) diff --git a/manifests/project.pp b/manifests/project.pp index 602ada9..a7f241a 100644 --- a/manifests/project.pp +++ b/manifests/project.pp @@ -49,7 +49,6 @@ group => $gid, mode => '700', seltype => 'ssh_home_t', - require => File["$::projects::basedir/$title"], } file { [ @@ -61,7 +60,6 @@ owner => $uid, group => $gid, mode => '0775', - require => File["$::projects::basedir/$title"], } file { "$::projects::basedir/$title/var/log": @@ -70,7 +68,6 @@ group => $gid, mode => '0750', seltype => 'var_log_t', - require => File["$::projects::basedir/$title/var"], } concat { "${::projects::basedir}/${title}/README": From f157e7757f338ecc2896161ae494e220c08ff25c Mon Sep 17 00:00:00 2001 
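Review bot: The `.ssh` resource in the patch 14 hunk uses `mode => '700'` where every other resource in the file writes a four-digit mode (`'0755'`, `'0750'`); Puppet accepts both, but `mode => '0700',` keeps the manifest uniform and stops the three-digit form from reading as a typo (patch 27 later repeats it with `'775'`). The directory is labelled `ssh_home_t` but nothing manages its contents; if the intent is to seed `authorized_keys` for the project account, a `file` resource with `mode => '0600'` and the same owner would make the sshd `StrictModes` requirements explicit instead of relying on whoever copies the key in. The define enclosing this resource starts before the hunk.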
From: Jon Hallett Date: Thu, 20 Oct 2016 10:54:18 +0100 Subject: [PATCH 17/46] * remove apache dir from project root - this is the Debian structure. We should be using Dan's layout instead. --- manifests/project/apache.pp | 30 ------------------------------ 1 file changed, 30 deletions(-) diff --git a/manifests/project/apache.pp b/manifests/project/apache.pp index a0200e8..56fa2d3 100644 --- a/manifests/project/apache.pp +++ b/manifests/project/apache.pp @@ -94,36 +94,6 @@ require => File["${::projects::basedir}/${title}/etc/ssl"], } - file { [ - "$::projects::basedir/$title/apache", - ] : - ensure => directory, - owner => $title, - group => $title, - mode => '0775', - require => File["$::projects::basedir/$title"], - } - - file { [ - "$::projects::basedir/$title/apache/conf", - ] : - ensure => directory, - owner => $title, - group => $title, - mode => '0775', - require => File["$::projects::basedir/$title/apache"], - } - - file { [ - "$::projects::basedir/$title/apache/conf/conf.d", - ] : - ensure => directory, - owner => $title, - group => $title, - mode => '0775', - require => File["$::projects::basedir/$title/apache/conf"], - } - sudo::conf { "${title}-apache": content => "%${title} ALL= (ALL) /sbin/apachectl" } From 35c65447896a1fff2f920a55e66149549afaf138 Mon Sep 17 00:00:00 2001 From: Jon Hallett Date: Thu, 20 Oct 2016 13:11:29 +0100 Subject: [PATCH 18/46] * fix up SELinux types --- manifests/project.pp | 22 ++++++++++++++++++++-- manifests/project/apache.pp | 4 +++- 2 files changed, 23 insertions(+), 3 deletions(-) diff --git a/manifests/project.pp b/manifests/project.pp index a7f241a..bfb069c 100644 --- a/manifests/project.pp +++ b/manifests/project.pp 
@@ -51,15 +51,33 @@ seltype => 'ssh_home_t', } + file { [ + "$::projects::basedir/$title/etc", + ] : + ensure => directory, + owner => $uid, + group => $gid, + mode => '0775', + } + file { [ "$::projects::basedir/$title/var", + ] : + ensure => directory, + owner => $uid, + group => $gid, + seltype => 'httpd_sys_content_t', + mode => '0775', + } + + file { [ "$::projects::basedir/$title/lib", - "$::projects::basedir/$title/etc", ] : ensure => directory, owner => $uid, group => $gid, mode => '0775', + seltype => 'httpd_sys_content_t', } file { "$::projects::basedir/$title/var/log": @@ -67,7 +85,7 @@ owner => $uid, group => $gid, mode => '0750', - seltype => 'var_log_t', + seltype => 'httpd_log_t', } concat { "${::projects::basedir}/${title}/README": diff --git a/manifests/project/apache.pp b/manifests/project/apache.pp index 56fa2d3..a762c3d 100644 --- a/manifests/project/apache.pp +++ b/manifests/project/apache.pp @@ -52,7 +52,7 @@ owner => $apache_user, group => $title, mode => '0750', - seltype => 'var_log_t', + seltype => 'httpd_log_t', require => File["${::projects::basedir}/${title}/var/log"], } @@ -65,6 +65,7 @@ ensure => directory, owner => $title, group => $title, + seltype => 'httpd_config_t', require => File["${::projects::basedir}/${title}/etc"], } @@ -81,6 +82,7 @@ ensure => directory, owner => $title, group => $title, + seltype => 'cert_t', require => File["${::projects::basedir}/${title}/etc"], } From 5f9797e70d51ddc4be8a877e744e7cf2ce331318 Mon Sep 17 00:00:00 2001 From: Jon Hallett Date: Fri, 21 Oct 2016 15:12:02 +0100 Subject: [PATCH 19/46] * include Apache headers module --- manifests/project/apache.pp | 1 + 1 file changed, 1 insertion(+) diff --git a/manifests/project/apache.pp b/manifests/project/apache.pp index a762c3d..3a06f73 100644 --- a/manifests/project/apache.pp +++ b/manifests/project/apache.pp 
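Review bot: The `seltype` values added in both files of patch 18 only set the label on the managed directory when Puppet applies it; they add no file-context rule, so a `restorecon -R` or a relabel at boot resets `$basedir/$title/var` and friends to whatever the policy has for that path, and files the team creates inside are labelled by inheritance rather than by rule. For the labels to persist, pair them with an fcontext entry for the project tree (the selinux module already used in `apache.pp` through `ensure_resource('selinux::boolean', …)` appears to provide `selinux::fcontext`, to be confirmed against the module version in use). Note also that `var` and `lib` get `httpd_sys_content_t` while patch 26 later widens `var` to `httpd_sys_rw_content_t`; a short comment on each `seltype` saying why that type was chosen would help the next reader. The enclosing define starts before the hunk.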
@@ -16,6 +16,7 @@ include ::apache::mod::alias include ::apache::mod::proxy_http include ::apache::mod::proxy_ajp + include ::apache::mod::headers class {'::apache::mod::authnz_ldap': verifyServerCert => false } From 6d932647f56bababf8909f57d733f7739a818413 Mon Sep 17 00:00:00 2001 From: Jon Hallett Date: Fri, 21 Oct 2016 15:14:02 +0100 Subject: [PATCH 20/46] * allow no password for apachectl from bos2 --- manifests/project/apache.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/project/apache.pp b/manifests/project/apache.pp index 3a06f73..c0a0d22 100644 --- a/manifests/project/apache.pp +++ b/manifests/project/apache.pp @@ -98,7 +98,7 @@ } sudo::conf { "${title}-apache": - content => "%${title} ALL= (ALL) /sbin/apachectl" + content => "%${title} ALL= (ALL) NOPASSWD: /sbin/apachectl" } create_resources('::projects::project::apache::vhost', $vhosts, { From 875ca4b080ee1649322f2f8fa0f463877884aba7 Mon Sep 17 00:00:00 2001 From: Kieren Pitts Date: Mon, 24 Oct 2016 16:22:09 +0100 Subject: [PATCH 21/46] Make sure mod_wsgi is loaded --- manifests/project/apache.pp | 1 + 1 file changed, 1 insertion(+) diff --git a/manifests/project/apache.pp b/manifests/project/apache.pp index c0a0d22..cec3047 100644 --- a/manifests/project/apache.pp +++ b/manifests/project/apache.pp @@ -17,6 +17,7 @@ include ::apache::mod::proxy_http include ::apache::mod::proxy_ajp include ::apache::mod::headers + include ::apache::mod::wsgi class {'::apache::mod::authnz_ldap': verifyServerCert => false } From ef93660426302845893d700a3cb0fc9452df970a Mon Sep 17 00:00:00 2001 From: David Goodall Date: Tue, 25 Oct 2016 10:49:08 +0100 Subject: [PATCH 22/46] Added use_optional_includes to fix No matches for the wildcard '*.conf' in fitnet --- manifests/project/apache.pp | 1 + 1 file changed, 1 insertion(+) diff --git a/manifests/project/apache.pp b/manifests/project/apache.pp index cec3047..105c72c 100644 --- a/manifests/project/apache.pp +++ b/manifests/project/apache.pp 
@@ -155,6 +155,7 @@ ssl => $ssl, docroot => "${::projects::basedir}/${projectname}/var/${docroot}", logroot => "${::projects::basedir}/${projectname}/var/log/httpd", + use_optional_includes => "true", additional_includes => ["${::projects::basedir}/${projectname}/etc/apache/conf.d/*.conf", "${::projects::basedir}/${projectname}/etc/apache/conf.d/${title}/*.conf"], From 61f2a90a8e1b3a01664f8e2c2a2877041ccadb7b Mon Sep 17 00:00:00 2001 From: Jon Hallett Date: Mon, 31 Oct 2016 12:00:45 +0000 Subject: [PATCH 23/46] * add SELinux config to allow httpd to connect to database and send mail. --- manifests/project/apache.pp | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/manifests/project/apache.pp b/manifests/project/apache.pp index c0a0d22..d4d2323 100644 --- a/manifests/project/apache.pp +++ b/manifests/project/apache.pp @@ -148,6 +148,24 @@ require => File["${::projects::basedir}/${projectname}/etc/apache/conf.d"], } + selboolean { 'SELinux httpd_can_network_connect_db': + name => 'httpd_can_network_connect_db', + persistent => true, + value => 'on', + } + + selboolean { 'SELinux': + name => 'httpd_can_network_connect', + persistent => true, + value => 'on', + } + + selboolean { 'SELinux httpd_can_sendmail': + name => 'httpd_can_sendmail', + persistent => true, + value => 'on', + } + ::apache::vhost { $title: servername => $vhost_name, port => $port, From f720a4c15da5100b12f30905dc737c3ec3c5defc Mon Sep 17 00:00:00 2001 From: Jon Hallett Date: Mon, 31 Oct 2016 12:03:55 +0000 Subject: [PATCH 24/46] * tidy up names and titles for SELinux booleans --- manifests/project/apache.pp | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/manifests/project/apache.pp b/manifests/project/apache.pp index 4ca9b25..c714719 100644 --- a/manifests/project/apache.pp +++ b/manifests/project/apache.pp 
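Review bot: `use_optional_includes => "true",` passes the string `"true"` where the class declaration in patch 28 passes the bare boolean `true`; the vhost define in the versions of puppetlabs-apache I know validates this parameter as a boolean, so the quoted form either fails catalog compilation or is accepted only through Puppet 3's string truthiness. Use `use_optional_includes => true,` to match the class-level call. The vhost resource starts before and ends after the hunk.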
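Review bot: Of the three booleans the patch 23 hunk turns on, `httpd_can_network_connect` lets httpd open outbound TCP connections to any host and port, which removes most of what SELinux confinement buys for a web server; `httpd_can_network_connect_db` and `httpd_can_sendmail`, set in the same hunk, already cover the database and mail cases named in the commit message, and `httpd_can_connect_ldap` is already on (visible in patch 25). Unless a proxied backend genuinely needs the broad boolean, drop it, or add a comment naming the backend that requires it so it can be revisited. The same three booleans are re-declared through `ensure_resource` in patch 25, so the point carries over there; the enclosing define starts before the hunk.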
@@ -149,20 +149,17 @@ require => File["${::projects::basedir}/${projectname}/etc/apache/conf.d"], } - selboolean { 'SELinux httpd_can_network_connect_db': - name => 'httpd_can_network_connect_db', + selboolean { 'httpd_can_network_connect_db': persistent => true, value => 'on', } - selboolean { 'SELinux': - name => 'httpd_can_network_connect', + selboolean { 'httpd_can_network_connect': persistent => true, value => 'on', } - selboolean { 'SELinux httpd_can_sendmail': - name => 'httpd_can_sendmail', + selboolean { 'httpd_can_sendmail': persistent => true, value => 'on', } From 2bf3234e7761f382cddb102ce73b3710db89aa7a Mon Sep 17 00:00:00 2001 From: Jon Hallett Date: Mon, 31 Oct 2016 12:11:55 +0000 Subject: [PATCH 25/46] * use ensure_resource syntax for SELinux booleans - selboolean fails for some reason... --- manifests/project/apache.pp | 18 +++--------------- 1 file changed, 3 insertions(+), 15 deletions(-) diff --git a/manifests/project/apache.pp b/manifests/project/apache.pp index c714719..1f310e0 100644 --- a/manifests/project/apache.pp +++ b/manifests/project/apache.pp @@ -26,6 +26,9 @@ if defined(Class['::selinux']) { ensure_resource('selinux::boolean', 'httpd_can_connect_ldap', {'ensure' => 'on'}) + ensure_resource('selinux::boolean', 'httpd_can_network_connect_db', {'ensure' => 'on'}) + ensure_resource('selinux::boolean', 'httpd_can_network_connect', {'ensure' => 'on'}) + ensure_resource('selinux::boolean', 'httpd_can_sendmail', {'ensure' => 'on'}) } @@ -149,21 +152,6 @@ require => File["${::projects::basedir}/${projectname}/etc/apache/conf.d"], } - selboolean { 'httpd_can_network_connect_db': - persistent => true, - value => 'on', - } - - selboolean { 'httpd_can_network_connect': - persistent => true, - value => 'on', - } - - selboolean { 'httpd_can_sendmail': - persistent => true, - value => 'on', - } - ::apache::vhost { $title: servername => $vhost_name, port => $port, From 2d4aeb33f729c915dff371d186a6e60aedeff0e3 Mon Sep 17 00:00:00 2001 
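Review bot: The `ensure_resource('selinux::boolean', …)` calls added in patch 25 sit inside `if defined(Class['::selinux'])`, and `defined()` on a class is parse-order dependent: it is true only if the selinux class has already been evaluated when this define is reached, so on a node where `::selinux` is declared later the booleans are silently never set and the behaviour of the removed `selboolean` resources is lost. If the booleans are needed for the vhosts to work, declare them unconditionally with `require => Class['::selinux']`, or `include ::selinux` in this define; at minimum a `notice()` in an `else` branch would make the skipped case visible. The `if` and its closing brace are context lines, so this also applies to the pre-existing `httpd_can_connect_ldap` call.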
From: Jon Hallett Date: Mon, 31 Oct 2016 13:10:13 +0000 Subject: [PATCH 26/46] * Update SELinux type for ~/var to allow writes --- manifests/project.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/project.pp b/manifests/project.pp index bfb069c..faa93ad 100644 --- a/manifests/project.pp +++ b/manifests/project.pp @@ -66,7 +66,7 @@ ensure => directory, owner => $uid, group => $gid, - seltype => 'httpd_sys_content_t', + seltype => 'httpd_sys_rw_content_t', mode => '0775', } From 054ef7ac988b5addfdc473e8e1d8219756bf601d Mon Sep 17 00:00:00 2001 From: Jon Hallett Date: Mon, 31 Oct 2016 13:17:23 +0000 Subject: [PATCH 27/46] * create ~/.settings and set the SELinux context for httpd --- manifests/project.pp | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/manifests/project.pp b/manifests/project.pp index faa93ad..ef39f2e 100644 --- a/manifests/project.pp +++ b/manifests/project.pp @@ -51,6 +51,14 @@ seltype => 'ssh_home_t', } + file { "$::projects::basedir/$title/.settings": + ensure => 'directory', + owner => $uid, + group => $gid, + mode => '775', + seltype => 'httpd_sys_content_t', + } + file { [ "$::projects::basedir/$title/etc", ] : From 37d3942905475ce54f42e5849927e3a77df5be64 Mon Sep 17 00:00:00 2001 From: Jon Hallett Date: Tue, 1 Nov 2016 11:01:19 +0000 Subject: [PATCH 28/46] Ensure httpd starts after reboot. --- manifests/project/apache.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/manifests/project/apache.pp b/manifests/project/apache.pp index 1f310e0..ddd416a 100644 --- a/manifests/project/apache.pp +++ b/manifests/project/apache.pp @@ -10,7 +10,8 @@ ensure_resource('class', '::apache', { default_vhost => true, use_optional_includes => true, - mpm_module => false + mpm_module => false, + service_ensure => running, }) include ::apache::mod::proxy include ::apache::mod::alias From fe43fdf4b209eb971622546fbc919b4ce255145d Mon Sep 17 00:00:00 2001 
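Review bot: Patch 26 relabels the whole of `$basedir/$title/var` as `httpd_sys_rw_content_t`, which makes every web-served path under it, including the docroot (`var/${docroot}` in patch 22), writable by httpd; a compromised web application can then modify its own served content. The usual split is to keep `var` at `httpd_sys_content_t` and label only the directories the application must write (uploads, cache, sessions) as `httpd_sys_rw_content_t`, each as its own `file` resource with an explicit `seltype`. Which subdirectory actually needs the write access is not visible in this series.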
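Review bot: The `.settings` directory added in patch 27 is `mode => '775'` (three digits, unlike the rest of the file) with `httpd_sys_content_t`, so it is group-writable and world-readable while being labelled for httpd to read. If, as the name suggests, it will hold application settings that include credentials, `mode => '0750',` is the tighter default, with a check that the apache account can still read it (its group membership is not visible here). The enclosing define starts before the hunk.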
From: Jon Hallett Date: Tue, 1 Nov 2016 11:11:18 +0000 Subject: [PATCH 29/46] Add a possibly redundant but explanatory option to enable httpd at boot. --- manifests/project/apache.pp | 1 + 1 file changed, 1 insertion(+) diff --git a/manifests/project/apache.pp b/manifests/project/apache.pp index ddd416a..b94ca1f 100644 --- a/manifests/project/apache.pp +++ b/manifests/project/apache.pp @@ -12,6 +12,7 @@ use_optional_includes => true, mpm_module => false, service_ensure => running, + service_enable => true, }) include ::apache::mod::proxy include ::apache::mod::alias From 3f9f0401797f6899a3f5008efdac584480573bf4 Mon Sep 17 00:00:00 2001 From: Jon Hallett Date: Tue, 1 Nov 2016 13:13:15 +0000 Subject: [PATCH 30/46] Ensure keys are in place before httpd service starts. --- manifests/project/apache.pp | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/manifests/project/apache.pp b/manifests/project/apache.pp index b94ca1f..ead8d5e 100644 --- a/manifests/project/apache.pp +++ b/manifests/project/apache.pp @@ -218,6 +218,7 @@ ssl_pkey { "${::projects::basedir}/${projectname}/etc/ssl/private/${vhost_name}.auto.key" : ensure => present, require => File["${::projects::basedir}/${projectname}/etc/ssl/private"], + before => Service[httpd], } x509_request { "${::projects::basedir}/${projectname}/etc/ssl/csrs/${vhost_name}.auto.csr" : @@ -225,6 +226,7 @@ template => "${::projects::basedir}/${projectname}/etc/ssl/conf/${vhost_name}.cnf", private_key => "${::projects::basedir}/${projectname}/etc/ssl/private/${vhost_name}.auto.key", require => [Ssl_pkey["${::projects::basedir}/${projectname}/etc/ssl/private/${vhost_name}.auto.key"],File["${::projects::basedir}/${projectname}/etc/ssl/conf/${vhost_name}.cnf"]], + before => Service[httpd], } x509_cert { "${::projects::basedir}/${projectname}/etc/ssl/certs/${vhost_name}.auto.crt": 
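Review bot: The `before => Service[httpd]` lines added throughout patch 30 (this line and the next) hard-code the title of a service that belongs to the apache module, which this file declares through `ensure_resource('class', '::apache', …)`; `before => Class['::apache::service'],` expresses the same ordering against the module's public interface rather than its internal resource title. Repeating the line on seven resources is also easy to miss when another one is added; a collector such as `Ssl_pkey <| |> -> Class['::apache::service']` (and the same for `X509_request`, `X509_cert`) would state the rule once. The define enclosing these resources starts before the hunk.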
@@ -233,30 +235,35 @@ private_key => "${::projects::basedir}/${projectname}/etc/ssl/private/${vhost_name}.auto.key", days => 4536, require => [Ssl_pkey["${::projects::basedir}/${projectname}/etc/ssl/private/${vhost_name}.auto.key"],File["${::projects::basedir}/${projectname}/etc/ssl/conf/${vhost_name}.cnf"]], + before => Service[httpd], } exec { "deploy ${vhost_name}.key" : command => "/bin/cp ${::projects::basedir}/${projectname}/etc/ssl/private/${vhost_name}.auto.key ${::projects::basedir}/${projectname}/etc/ssl/private/${vhost_name}.key", onlyif => "/bin/test ! -f ${::projects::basedir}/${projectname}/etc/ssl/private/${vhost_name}.key", require => Ssl_pkey["${::projects::basedir}/${projectname}/etc/ssl/private/${vhost_name}.auto.key"], + before => Service[httpd], } file { "${::projects::basedir}/${projectname}/etc/ssl/private/${vhost_name}.key": replace => 'no', seltype => 'cert_t', require => Exec["deploy ${vhost_name}.key"], + before => Service[httpd], } exec { "deploy ${vhost_name}.crt" : command => "/bin/cp ${::projects::basedir}/${projectname}/etc/ssl/certs/${vhost_name}.auto.crt ${::projects::basedir}/${projectname}/etc/ssl/certs/${vhost_name}.crt", onlyif => "/bin/test ! -f ${::projects::basedir}/${projectname}/etc/ssl/certs/${vhost_name}.crt", require => X509_cert["${::projects::basedir}/${projectname}/etc/ssl/certs/${vhost_name}.auto.crt"], + before => Service[httpd], } file { "${::projects::basedir}/${projectname}/etc/ssl/certs/${vhost_name}.crt": replace => 'no', seltype => 'cert_t', require => Exec["deploy ${vhost_name}.crt"], + before => Service[httpd], } } From 9d8ce00324c2e07c3fc134828c2dc11f2006bc4b Mon Sep 17 00:00:00 2001 From: Jon Hallett Date: Tue, 1 Nov 2016 14:42:39 +0000 Subject: [PATCH 31/46] Vhosts now accept a certificate name rather than default to the vhost name. --- manifests/project/apache.pp | 51 +++++++++++++++++++------------------ 1 file changed, 26 insertions(+), 25 deletions(-) 
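Review bot: The `file` resource for `etc/ssl/private/${vhost_name}.key` in this hunk gains `before => Service[httpd]` but still declares no `owner`, `group` or `mode`, so the deployed private key keeps whatever permissions `/bin/cp` produced under the agent's umask and Puppet never corrects them; `mode => '0600',` with an explicit owner is the minimum for a key file, and the same applies to the `.auto.key` produced by `ssl_pkey` in the previous hunk. The certificate is issued with `days => 4536`, over twelve years, which is far beyond what browsers accept for publicly trusted certificates and deserves a comment if these certificates are only ever internal. The define appears to close with this hunk's final brace.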
diff --git a/manifests/project/apache.pp b/manifests/project/apache.pp index ead8d5e..eb06e33 100644 --- a/manifests/project/apache.pp +++ b/manifests/project/apache.pp @@ -125,7 +125,8 @@ $php = false, $apache_user = 'apache', $altnames = [], - $ip = undef + $ip = undef, + $cert_name = $vhost_name, ) { if ($ip) { @@ -165,9 +166,9 @@ ["${::projects::basedir}/${projectname}/etc/apache/conf.d/*.conf", "${::projects::basedir}/${projectname}/etc/apache/conf.d/${title}/*.conf"], ssl_cert => - "${::projects::basedir}/${projectname}/etc/ssl/certs/${vhost_name}.crt", + "${::projects::basedir}/${projectname}/etc/ssl/certs/${cert_name}.crt", ssl_key => - "${::projects::basedir}/${projectname}/etc/ssl/private/${vhost_name}.key", + "${::projects::basedir}/${projectname}/etc/ssl/private/${cert_name}.key", serveraliases => $altnames, access_log_env_var => "!forwarded", custom_fragment => "LogFormat \"%{X-Forwarded-For}i %l %u %t \\\"%r\\\" %s %b \\\"%{Referer}i\\\" \\\"%{User-Agent}i\\\"\" proxy 
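Review bot: The new parameter default `$cert_name = $vhost_name` only resolves if `$vhost_name` is declared earlier in the parameter list, which the hunk does not show (it starts at `$php`); a default referencing a parameter declared after it may evaluate to undef or fail, depending on the Puppet version, and with the `.crt`/`.key` paths now built from `$cert_name` an undef would silently point the vhost at `…/etc/ssl/certs/.crt`. A comment on the parameter would help, e.g. `# defaults to the vhost name; set when several vhosts share one certificate`. Separately, the `x509_cert` resource in the next hunk (cut off at the end of this excerpt) still uses `${vhost_name}.cnf` for its `template` and its `require` while the other resources moved to `${cert_name}`, so a vhost whose `cert_name` differs from `vhost_name` references a `File[…${vhost_name}.cnf]` that is no longer declared.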
@@ -205,64 +206,64 @@ if (hiera('projects::ssl::unit','') != '') { $unit = hiera('projects::ssl::unit',nil) } - $commonname = $vhost_name + $commonname = $cert_name if (hiera('projects::ssl::email','') != '') { $email = hiera('projects::ssl::email',nil) } - file {"${::projects::basedir}/${projectname}/etc/ssl/conf/${vhost_name}.cnf": + file {"${::projects::basedir}/${projectname}/etc/ssl/conf/${cert_name}.cnf": content => template('openssl/cert.cnf.erb'), require => File["${::projects::basedir}/${projectname}/etc/ssl/conf"], } - ssl_pkey { "${::projects::basedir}/${projectname}/etc/ssl/private/${vhost_name}.auto.key" : + ssl_pkey { "${::projects::basedir}/${projectname}/etc/ssl/private/${cert_name}.auto.key" : ensure => present, require => File["${::projects::basedir}/${projectname}/etc/ssl/private"], before => Service[httpd], } - x509_request { "${::projects::basedir}/${projectname}/etc/ssl/csrs/${vhost_name}.auto.csr" : + x509_request { "${::projects::basedir}/${projectname}/etc/ssl/csrs/${cert_name}.auto.csr" : ensure => present, - template => "${::projects::basedir}/${projectname}/etc/ssl/conf/${vhost_name}.cnf", - private_key => "${::projects::basedir}/${projectname}/etc/ssl/private/${vhost_name}.auto.key", - require => [Ssl_pkey["${::projects::basedir}/${projectname}/etc/ssl/private/${vhost_name}.auto.key"],File["${::projects::basedir}/${projectname}/etc/ssl/conf/${vhost_name}.cnf"]], + template => "${::projects::basedir}/${projectname}/etc/ssl/conf/${cert_name}.cnf", + private_key => "${::projects::basedir}/${projectname}/etc/ssl/private/${cert_name}.auto.key", + require => [Ssl_pkey["${::projects::basedir}/${projectname}/etc/ssl/private/${cert_name}.auto.key"],File["${::projects::basedir}/${projectname}/etc/ssl/conf/${cert_name}.cnf"]], before => Service[httpd], } - x509_cert { "${::projects::basedir}/${projectname}/etc/ssl/certs/${vhost_name}.auto.crt": + x509_cert { "${::projects::basedir}/${projectname}/etc/ssl/certs/${cert_name}.auto.crt": ensure => 
present, template => "${::projects::basedir}/${projectname}/etc/ssl/conf/${vhost_name}.cnf", - private_key => "${::projects::basedir}/${projectname}/etc/ssl/private/${vhost_name}.auto.key", + private_key => "${::projects::basedir}/${projectname}/etc/ssl/private/${cert_name}.auto.key", days => 4536, - require => [Ssl_pkey["${::projects::basedir}/${projectname}/etc/ssl/private/${vhost_name}.auto.key"],File["${::projects::basedir}/${projectname}/etc/ssl/conf/${vhost_name}.cnf"]], + require => [Ssl_pkey["${::projects::basedir}/${projectname}/etc/ssl/private/${cert_name}.auto.key"],File["${::projects::basedir}/${projectname}/etc/ssl/conf/${vhost_name}.cnf"]], before => Service[httpd], } - exec { "deploy ${vhost_name}.key" : - command => "/bin/cp ${::projects::basedir}/${projectname}/etc/ssl/private/${vhost_name}.auto.key ${::projects::basedir}/${projectname}/etc/ssl/private/${vhost_name}.key", - onlyif => "/bin/test ! -f ${::projects::basedir}/${projectname}/etc/ssl/private/${vhost_name}.key", - require => Ssl_pkey["${::projects::basedir}/${projectname}/etc/ssl/private/${vhost_name}.auto.key"], + exec { "deploy ${cert_name}.key" : + command => "/bin/cp ${::projects::basedir}/${projectname}/etc/ssl/private/${cert_name}.auto.key ${::projects::basedir}/${projectname}/etc/ssl/private/${cert_name}.key", + onlyif => "/bin/test ! 
-f ${::projects::basedir}/${projectname}/etc/ssl/private/${cert_name}.key", + require => Ssl_pkey["${::projects::basedir}/${projectname}/etc/ssl/private/${cert_name}.auto.key"], before => Service[httpd], } - file { "${::projects::basedir}/${projectname}/etc/ssl/private/${vhost_name}.key": + file { "${::projects::basedir}/${projectname}/etc/ssl/private/${cert_name}.key": replace => 'no', seltype => 'cert_t', - require => Exec["deploy ${vhost_name}.key"], + require => Exec["deploy ${cert_name}.key"], before => Service[httpd], } - exec { "deploy ${vhost_name}.crt" : - command => "/bin/cp ${::projects::basedir}/${projectname}/etc/ssl/certs/${vhost_name}.auto.crt ${::projects::basedir}/${projectname}/etc/ssl/certs/${vhost_name}.crt", - onlyif => "/bin/test ! -f ${::projects::basedir}/${projectname}/etc/ssl/certs/${vhost_name}.crt", - require => X509_cert["${::projects::basedir}/${projectname}/etc/ssl/certs/${vhost_name}.auto.crt"], + exec { "deploy ${cert_name}.crt" : + command => "/bin/cp ${::projects::basedir}/${projectname}/etc/ssl/certs/${cert_name}.auto.crt ${::projects::basedir}/${projectname}/etc/ssl/certs/${cert_name}.crt", + onlyif => "/bin/test ! -f ${::projects::basedir}/${projectname}/etc/ssl/certs/${cert_name}.crt", + require => X509_cert["${::projects::basedir}/${projectname}/etc/ssl/certs/${cert_name}.auto.crt"], before => Service[httpd], } - file { "${::projects::basedir}/${projectname}/etc/ssl/certs/${vhost_name}.crt": + file { "${::projects::basedir}/${projectname}/etc/ssl/certs/${cert_name}.crt": replace => 'no', seltype => 'cert_t', - require => Exec["deploy ${vhost_name}.crt"], + require => Exec["deploy ${cert_name}.crt"], before => Service[httpd], } } From 705fadc96a054577898ce91d955c246727141334 Mon Sep 17 00:00:00 2001 From: Jon Hallett Date: Tue, 1 Nov 2016 14:50:04 +0000 Subject: [PATCH 32/46] Ensure consistent use of vhost_name for conf files. --- manifests/project/apache.pp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
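Review bot: The `x509_cert` in this hunk still names `${vhost_name}.cnf` in both `template` and `require` while the `file` and `x509_request` resources now use `${cert_name}.cnf`, so as soon as `cert_name` differs from `vhost_name` the `require` points at a File resource that is never declared and the catalog fails to compile. Independently, since the point of `cert_name` is letting several vhosts share one certificate, every resource keyed by `cert_name` here (`ssl_pkey`, `x509_request`, `x509_cert`, both `exec`s and both `file`s) is still declared once per vhost, so two vhosts with the same `cert_name` collide as duplicate declarations. Pick one name for the `.cnf` consistently (the PATCH 32 hunks go the `vhost_name` way but leave the duplicate-declaration problem) and guard the shared resources with a `defined()` check or `ensure_resource`.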
diff --git a/manifests/project/apache.pp b/manifests/project/apache.pp index eb06e33..640f795 100644 --- a/manifests/project/apache.pp +++ b/manifests/project/apache.pp @@ -210,7 +210,7 @@ if (hiera('projects::ssl::email','') != '') { $email = hiera('projects::ssl::email',nil) } - file {"${::projects::basedir}/${projectname}/etc/ssl/conf/${cert_name}.cnf": + file {"${::projects::basedir}/${projectname}/etc/ssl/conf/${vhost_name}.cnf": content => template('openssl/cert.cnf.erb'), require => File["${::projects::basedir}/${projectname}/etc/ssl/conf"], @@ -224,9 +224,9 @@ x509_request { "${::projects::basedir}/${projectname}/etc/ssl/csrs/${cert_name}.auto.csr" : ensure => present, - template => "${::projects::basedir}/${projectname}/etc/ssl/conf/${cert_name}.cnf", + template => "${::projects::basedir}/${projectname}/etc/ssl/conf/${vhost_name}.cnf", private_key => "${::projects::basedir}/${projectname}/etc/ssl/private/${cert_name}.auto.key", - require => [Ssl_pkey["${::projects::basedir}/${projectname}/etc/ssl/private/${cert_name}.auto.key"],File["${::projects::basedir}/${projectname}/etc/ssl/conf/${cert_name}.cnf"]], + require => [Ssl_pkey["${::projects::basedir}/${projectname}/etc/ssl/private/${cert_name}.auto.key"],File["${::projects::basedir}/${projectname}/etc/ssl/conf/${vhost_name}.cnf"]], before => Service[httpd], } From f5918664e699f23ac5d4fd309bba0ddd2aee95f1 Mon Sep 17 00:00:00 2001 From: Jon Hallett Date: Tue, 1 Nov 2016 15:03:41 +0000 Subject: [PATCH 33/46] Don't create keys if they already exist and use ensure_resource to set SELinux type for existing certs. --- manifests/project/apache.pp | 152 +++++++++++++++++++----------------- 1 file changed, 80 insertions(+), 72 deletions(-) diff --git a/manifests/project/apache.pp b/manifests/project/apache.pp index 640f795..bad1bac 100644 --- a/manifests/project/apache.pp +++ b/manifests/project/apache.pp 
@@ -194,80 +194,88 @@ } } - if $ssl == true { - $country= hiera('projects::ssl::country','GB') - if (hiera('projects::ssl::state','') != '') { - $state = hiera('projects::ssl::state') - } - if (hiera('projects::ssl::locality','') != '') { - $locality = hiera('projects::ssl::locality') - } - $organization = hiera('projects::ssl::organization','ACME') - if (hiera('projects::ssl::unit','') != '') { - $unit = hiera('projects::ssl::unit',nil) - } - $commonname = $cert_name - if (hiera('projects::ssl::email','') != '') { - $email = hiera('projects::ssl::email',nil) - } - file {"${::projects::basedir}/${projectname}/etc/ssl/conf/${vhost_name}.cnf": - content => template('openssl/cert.cnf.erb'), - require => File["${::projects::basedir}/${projectname}/etc/ssl/conf"], - - } - - ssl_pkey { "${::projects::basedir}/${projectname}/etc/ssl/private/${cert_name}.auto.key" : - ensure => present, - require => File["${::projects::basedir}/${projectname}/etc/ssl/private"], - before => Service[httpd], - } - - x509_request { "${::projects::basedir}/${projectname}/etc/ssl/csrs/${cert_name}.auto.csr" : - ensure => present, - template => "${::projects::basedir}/${projectname}/etc/ssl/conf/${vhost_name}.cnf", - private_key => "${::projects::basedir}/${projectname}/etc/ssl/private/${cert_name}.auto.key", - require => [Ssl_pkey["${::projects::basedir}/${projectname}/etc/ssl/private/${cert_name}.auto.key"],File["${::projects::basedir}/${projectname}/etc/ssl/conf/${vhost_name}.cnf"]], - before => Service[httpd], - } - - x509_cert { "${::projects::basedir}/${projectname}/etc/ssl/certs/${cert_name}.auto.crt": - ensure => present, - template => "${::projects::basedir}/${projectname}/etc/ssl/conf/${vhost_name}.cnf", - private_key => "${::projects::basedir}/${projectname}/etc/ssl/private/${cert_name}.auto.key", - days => 4536, - require => 
[Ssl_pkey["${::projects::basedir}/${projectname}/etc/ssl/private/${cert_name}.auto.key"],File["${::projects::basedir}/${projectname}/etc/ssl/conf/${vhost_name}.cnf"]], - before => Service[httpd], - } - - exec { "deploy ${cert_name}.key" : - command => "/bin/cp ${::projects::basedir}/${projectname}/etc/ssl/private/${cert_name}.auto.key ${::projects::basedir}/${projectname}/etc/ssl/private/${cert_name}.key", - onlyif => "/bin/test ! -f ${::projects::basedir}/${projectname}/etc/ssl/private/${cert_name}.key", - require => Ssl_pkey["${::projects::basedir}/${projectname}/etc/ssl/private/${cert_name}.auto.key"], - before => Service[httpd], - } - - file { "${::projects::basedir}/${projectname}/etc/ssl/private/${cert_name}.key": - replace => 'no', - seltype => 'cert_t', - require => Exec["deploy ${cert_name}.key"], - before => Service[httpd], - } - - exec { "deploy ${cert_name}.crt" : - command => "/bin/cp ${::projects::basedir}/${projectname}/etc/ssl/certs/${cert_name}.auto.crt ${::projects::basedir}/${projectname}/etc/ssl/certs/${cert_name}.crt", - onlyif => "/bin/test ! 
-f ${::projects::basedir}/${projectname}/etc/ssl/certs/${cert_name}.crt", - require => X509_cert["${::projects::basedir}/${projectname}/etc/ssl/certs/${cert_name}.auto.crt"], - before => Service[httpd], - } - - file { "${::projects::basedir}/${projectname}/etc/ssl/certs/${cert_name}.crt": - replace => 'no', - seltype => 'cert_t', - require => Exec["deploy ${cert_name}.crt"], - before => Service[httpd], - } + if !defined(File["${::projects::basedir}/${projectname}/etc/ssl/certs/${cert_name}.crt"]) { + if $ssl == true { + $country= hiera('projects::ssl::country','GB') + if (hiera('projects::ssl::state','') != '') { + $state = hiera('projects::ssl::state') + } + if (hiera('projects::ssl::locality','') != '') { + $locality = hiera('projects::ssl::locality') + } + $organization = hiera('projects::ssl::organization','ACME') + if (hiera('projects::ssl::unit','') != '') { + $unit = hiera('projects::ssl::unit',nil) + } + $commonname = $cert_name + if (hiera('projects::ssl::email','') != '') { + $email = hiera('projects::ssl::email',nil) + } + file {"${::projects::basedir}/${projectname}/etc/ssl/conf/${vhost_name}.cnf": + content => template('openssl/cert.cnf.erb'), + require => File["${::projects::basedir}/${projectname}/etc/ssl/conf"], + + } + + ssl_pkey { "${::projects::basedir}/${projectname}/etc/ssl/private/${cert_name}.auto.key" : + ensure => present, + require => File["${::projects::basedir}/${projectname}/etc/ssl/private"], + before => Service[httpd], + } + + x509_request { "${::projects::basedir}/${projectname}/etc/ssl/csrs/${cert_name}.auto.csr" : + ensure => present, + template => "${::projects::basedir}/${projectname}/etc/ssl/conf/${vhost_name}.cnf", + private_key => "${::projects::basedir}/${projectname}/etc/ssl/private/${cert_name}.auto.key", + require => [Ssl_pkey["${::projects::basedir}/${projectname}/etc/ssl/private/${cert_name}.auto.key"],File["${::projects::basedir}/${projectname}/etc/ssl/conf/${vhost_name}.cnf"]], + before => Service[httpd], + } + + 
x509_cert { "${::projects::basedir}/${projectname}/etc/ssl/certs/${cert_name}.auto.crt": + ensure => present, + template => "${::projects::basedir}/${projectname}/etc/ssl/conf/${vhost_name}.cnf", + private_key => "${::projects::basedir}/${projectname}/etc/ssl/private/${cert_name}.auto.key", + days => 4536, + require => [Ssl_pkey["${::projects::basedir}/${projectname}/etc/ssl/private/${cert_name}.auto.key"],File["${::projects::basedir}/${projectname}/etc/ssl/conf/${vhost_name}.cnf"]], + before => Service[httpd], + } + + exec { "deploy ${cert_name}.key" : + command => "/bin/cp ${::projects::basedir}/${projectname}/etc/ssl/private/${cert_name}.auto.key ${::projects::basedir}/${projectname}/etc/ssl/private/${cert_name}.key", + onlyif => "/bin/test ! -f ${::projects::basedir}/${projectname}/etc/ssl/private/${cert_name}.key", + require => Ssl_pkey["${::projects::basedir}/${projectname}/etc/ssl/private/${cert_name}.auto.key"], + before => Service[httpd], + } + + file { "${::projects::basedir}/${projectname}/etc/ssl/private/${cert_name}.key": + replace => 'no', + seltype => 'cert_t', + require => Exec["deploy ${cert_name}.key"], + before => Service[httpd], + } + + exec { "deploy ${cert_name}.crt" : + command => "/bin/cp ${::projects::basedir}/${projectname}/etc/ssl/certs/${cert_name}.auto.crt ${::projects::basedir}/${projectname}/etc/ssl/certs/${cert_name}.crt", + onlyif => "/bin/test ! 
-f ${::projects::basedir}/${projectname}/etc/ssl/certs/${cert_name}.crt", + require => X509_cert["${::projects::basedir}/${projectname}/etc/ssl/certs/${cert_name}.auto.crt"], + before => Service[httpd], + } + + file { "${::projects::basedir}/${projectname}/etc/ssl/certs/${cert_name}.crt": + replace => 'no', + seltype => 'cert_t', + require => Exec["deploy ${cert_name}.crt"], + before => Service[httpd], + } + } } + ensure_resource('file', [ + "${::projects::basedir}/${projectname}/etc/ssl/certs/${cert_name}.crt", + "${::projects::basedir}/${projectname}/etc/ssl/private/${cert_name}.key" + ], + { seltype => 'cert_t' } + ) if !defined(Firewall["050 accept Apache ${port}"]) { firewall { "050 accept Apache ${port}": From 3132fdc70b22895eea068954f1adc18ce2532050 Mon Sep 17 00:00:00 2001 From: Jon Hallett Date: Tue, 1 Nov 2016 15:14:24 +0000 Subject: [PATCH 34/46] Don't auto generate certs... --- manifests/project/apache.pp | 76 ------------------------------------- 1 file changed, 76 deletions(-) diff --git a/manifests/project/apache.pp b/manifests/project/apache.pp index bad1bac..de20adf 100644 --- a/manifests/project/apache.pp +++ b/manifests/project/apache.pp 
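Review bot: The new `ensure_resource('file', [...crt, ...key], { seltype => 'cert_t' })` gives the private key exactly the attributes of the public certificate, so a key that was placed by hand keeps whatever permissions it arrived with and nothing in this hunk ever narrows them. Splitting the key into its own call, `ensure_resource('file', "${::projects::basedir}/${projectname}/etc/ssl/private/${cert_name}.key", { seltype => 'cert_t', mode => '0600' })`, keeps the label handling and adds the one property that matters for key material; note that `ensure_resource` only tolerates an existing declaration whose parameters match, so the `file` for the key inside the `if $ssl` block needs the same `mode` added. The outer `if !defined(File[...])` is also evaluation-order dependent: which vhost ends up owning the generation block depends on catalog evaluation order, which is presumably acceptable here but deserves a comment.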
@@ -194,82 +194,6 @@ } } - if !defined(File["${::projects::basedir}/${projectname}/etc/ssl/certs/${cert_name}.crt"]) { - if $ssl == true { - $country= hiera('projects::ssl::country','GB') - if (hiera('projects::ssl::state','') != '') { - $state = hiera('projects::ssl::state') - } - if (hiera('projects::ssl::locality','') != '') { - $locality = hiera('projects::ssl::locality') - } - $organization = hiera('projects::ssl::organization','ACME') - if (hiera('projects::ssl::unit','') != '') { - $unit = hiera('projects::ssl::unit',nil) - } - $commonname = $cert_name - if (hiera('projects::ssl::email','') != '') { - $email = hiera('projects::ssl::email',nil) - } - file {"${::projects::basedir}/${projectname}/etc/ssl/conf/${vhost_name}.cnf": - content => template('openssl/cert.cnf.erb'), - require => File["${::projects::basedir}/${projectname}/etc/ssl/conf"], - - } - - ssl_pkey { "${::projects::basedir}/${projectname}/etc/ssl/private/${cert_name}.auto.key" : - ensure => present, - require => File["${::projects::basedir}/${projectname}/etc/ssl/private"], - before => Service[httpd], - } - - x509_request { "${::projects::basedir}/${projectname}/etc/ssl/csrs/${cert_name}.auto.csr" : - ensure => present, - template => "${::projects::basedir}/${projectname}/etc/ssl/conf/${vhost_name}.cnf", - private_key => "${::projects::basedir}/${projectname}/etc/ssl/private/${cert_name}.auto.key", - require => [Ssl_pkey["${::projects::basedir}/${projectname}/etc/ssl/private/${cert_name}.auto.key"],File["${::projects::basedir}/${projectname}/etc/ssl/conf/${vhost_name}.cnf"]], - before => Service[httpd], - } - - x509_cert { "${::projects::basedir}/${projectname}/etc/ssl/certs/${cert_name}.auto.crt": - ensure => present, - template => "${::projects::basedir}/${projectname}/etc/ssl/conf/${vhost_name}.cnf", - private_key => "${::projects::basedir}/${projectname}/etc/ssl/private/${cert_name}.auto.key", - days => 4536, - require => 
[Ssl_pkey["${::projects::basedir}/${projectname}/etc/ssl/private/${cert_name}.auto.key"],File["${::projects::basedir}/${projectname}/etc/ssl/conf/${vhost_name}.cnf"]], - before => Service[httpd], - } - - exec { "deploy ${cert_name}.key" : - command => "/bin/cp ${::projects::basedir}/${projectname}/etc/ssl/private/${cert_name}.auto.key ${::projects::basedir}/${projectname}/etc/ssl/private/${cert_name}.key", - onlyif => "/bin/test ! -f ${::projects::basedir}/${projectname}/etc/ssl/private/${cert_name}.key", - require => Ssl_pkey["${::projects::basedir}/${projectname}/etc/ssl/private/${cert_name}.auto.key"], - before => Service[httpd], - } - - file { "${::projects::basedir}/${projectname}/etc/ssl/private/${cert_name}.key": - replace => 'no', - seltype => 'cert_t', - require => Exec["deploy ${cert_name}.key"], - before => Service[httpd], - } - - exec { "deploy ${cert_name}.crt" : - command => "/bin/cp ${::projects::basedir}/${projectname}/etc/ssl/certs/${cert_name}.auto.crt ${::projects::basedir}/${projectname}/etc/ssl/certs/${cert_name}.crt", - onlyif => "/bin/test ! -f ${::projects::basedir}/${projectname}/etc/ssl/certs/${cert_name}.crt", - require => X509_cert["${::projects::basedir}/${projectname}/etc/ssl/certs/${cert_name}.auto.crt"], - before => Service[httpd], - } - - file { "${::projects::basedir}/${projectname}/etc/ssl/certs/${cert_name}.crt": - replace => 'no', - seltype => 'cert_t', - require => Exec["deploy ${cert_name}.crt"], - before => Service[httpd], - } - } - } - ensure_resource('file', [ "${::projects::basedir}/${projectname}/etc/ssl/certs/${cert_name}.crt", "${::projects::basedir}/${projectname}/etc/ssl/private/${cert_name}.key" From 61b5352521fc6362b992ef8c0d0c2262afbd3ca4 Mon Sep 17 00:00:00 2001 
From: Jon Hallett Date: Mon, 7 Nov 2016 15:23:42 +0000 Subject: [PATCH 35/46] Logrotation is handled by rotatelog pipe --- manifests/project/apache.pp | 5 ----- templates/apache/logrotate.erb | 10 ---------- 2 files changed, 15 deletions(-) delete mode 100644 templates/apache/logrotate.erb diff --git a/manifests/project/apache.pp b/manifests/project/apache.pp index de20adf..f2b1722 100644 --- a/manifests/project/apache.pp +++ b/manifests/project/apache.pp @@ -63,11 +63,6 @@ require => File["${::projects::basedir}/${title}/var/log"], } - file { "/etc/logrotate.d/httpd-$title": - ensure => present, - content => template('projects/apache/logrotate.erb'), - } - file { "${::projects::basedir}/${title}/etc/apache": ensure => directory, owner => $title, diff --git a/templates/apache/logrotate.erb b/templates/apache/logrotate.erb deleted file mode 100644 index d061e40..0000000 --- a/templates/apache/logrotate.erb +++ /dev/null @@ -1,10 +0,0 @@ -<%= scope.lookupvar('projects::basedir') %>/<%= @title %>/var/log/httpd/*log { - missingok - notifempty - sharedscripts - delaycompress - postrotate - /bin/systemctl reload httpd.service > /dev/null 2>/dev/null || true - endscript -} - From 935c1fd7346199bf05d5cea4608f34d48c8e0af1 Mon Sep 17 00:00:00 2001 From: Jon Hallett Date: Tue, 15 Nov 2016 13:23:46 +0000 Subject: [PATCH 36/46] Add link to cert as certificate chain --- manifests/project/apache.pp | 2 ++ 1 file changed, 2 insertions(+) diff --git a/manifests/project/apache.pp b/manifests/project/apache.pp index f2b1722..af7f313 100644 --- a/manifests/project/apache.pp +++ b/manifests/project/apache.pp @@ -162,6 +162,8 @@ "${::projects::basedir}/${projectname}/etc/apache/conf.d/${title}/*.conf"], ssl_cert => "${::projects::basedir}/${projectname}/etc/ssl/certs/${cert_name}.crt", + ssl_chain => + "${::projects::basedir}/${projectname}/etc/ssl/certs/${cert_name}.crt", ssl_key => "${::projects::basedir}/${projectname}/etc/ssl/private/${cert_name}.key", serveraliases => $altnames, 
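Review bot: `ssl_chain` now points at the very same `${cert_name}.crt` as `ssl_cert`, which only yields a complete chain if that file on disk is a concatenated bundle of leaf plus intermediates; if it holds the leaf alone, clients lacking the intermediate still fail validation and the directive adds nothing. On Apache 2.4.8 and later `SSLCertificateFile` already reads intermediates appended to the leaf, so the extra directive is redundant there, while older releases need a genuine chain file. Document the assumption next to the line, e.g. `# ${cert_name}.crt must be a full-chain bundle (leaf + intermediates); ssl_chain reuses it`, or add a separate chain-file parameter.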
From 85d51e07ace827319dc56f1a6b288ab163e16ee3 Mon Sep 17 00:00:00 2001 From: Jon Hallett Date: Tue, 15 Nov 2016 14:38:11 +0000 Subject: [PATCH 37/46] Change SELinux context of lib to allow pyc files to be created --- manifests/project.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/project.pp b/manifests/project.pp index ef39f2e..97e9b78 100644 --- a/manifests/project.pp +++ b/manifests/project.pp @@ -85,7 +85,7 @@ owner => $uid, group => $gid, mode => '0775', - seltype => 'httpd_sys_content_t', + seltype => 'httpd_sys_rw_content_t', } file { "$::projects::basedir/$title/var/log": From 37e5611044334ebe583a676bf08a123431129760 Mon Sep 17 00:00:00 2001 From: Jon Hallett Date: Tue, 15 Nov 2016 14:40:35 +0000 Subject: [PATCH 38/46] Revert "Change SELinux context of lib to allow pyc files to be created" This reverts commit 85d51e07ace827319dc56f1a6b288ab163e16ee3. --- manifests/project.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/project.pp b/manifests/project.pp index 97e9b78..ef39f2e 100644 --- a/manifests/project.pp +++ b/manifests/project.pp @@ -85,7 +85,7 @@ owner => $uid, group => $gid, mode => '0775', - seltype => 'httpd_sys_rw_content_t', + seltype => 'httpd_sys_content_t', } file { "$::projects::basedir/$title/var/log": From d4cf290a544f38041affacf9f015395792d00d64 Mon Sep 17 00:00:00 2001 From: Jon Hallett Date: Thu, 17 Nov 2016 14:23:09 +0000 Subject: [PATCH 39/46] Ensure Apache uses only strong ciphers --- manifests/project/apache.pp | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/manifests/project/apache.pp b/manifests/project/apache.pp index af7f313..6fb82ba 100644 --- a/manifests/project/apache.pp +++ b/manifests/project/apache.pp 
@@ -26,6 +26,10 @@ include ::apache::mod::status + class { '::apache::mod::ssl': + ssl_cipher => 'HIGH:!aNULL:!MD5', + } + if defined(Class['::selinux']) { ensure_resource('selinux::boolean', 'httpd_can_connect_ldap', {'ensure' => 'on'}) ensure_resource('selinux::boolean', 'httpd_can_network_connect_db', {'ensure' => 'on'}) From fa2be9fd8b1ece0691e6e111c619c7c9b5a38cf7 Mon Sep 17 00:00:00 2001 From: Jon Hallett Date: Thu, 17 Nov 2016 14:33:27 +0000 Subject: [PATCH 40/46] Move SSL Cipher config to Hiera --- manifests/project/apache.pp | 4 ---- 1 file changed, 4 deletions(-) diff --git a/manifests/project/apache.pp b/manifests/project/apache.pp index 6fb82ba..af7f313 100644 --- a/manifests/project/apache.pp +++ b/manifests/project/apache.pp @@ -26,10 +26,6 @@ include ::apache::mod::status - class { '::apache::mod::ssl': - ssl_cipher => 'HIGH:!aNULL:!MD5', - } - if defined(Class['::selinux']) { ensure_resource('selinux::boolean', 'httpd_can_connect_ldap', {'ensure' => 'on'}) ensure_resource('selinux::boolean', 'httpd_can_network_connect_db', {'ensure' => 'on'}) From 27460824012289918dae78d2db4ae546d22d0c63 Mon Sep 17 00:00:00 2001 From: Jon Hallett Date: Thu, 17 Nov 2016 15:52:09 +0000 Subject: [PATCH 41/46] Add security settings for Apache --- manifests/project/apache.pp | 3 +++ 1 file changed, 3 insertions(+) diff --git a/manifests/project/apache.pp b/manifests/project/apache.pp index af7f313..eabda75 100644 --- a/manifests/project/apache.pp +++ b/manifests/project/apache.pp @@ -174,6 +174,9 @@ ip => $ip, ip_based => $ip_based, add_listen => false, + server_signature => 'Off', + server_tokens => 'Prod', + headers => 'Set Strict-Transport-Security "max-age=63072000; includeSubdomains;"', } if !defined(Apache::Listen["$port"]) { From 7cb8b8306b71876666bc4571769417c745360a77 Mon Sep 17 00:00:00 2001 
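Review bot: `ssl_cipher => 'HIGH:!aNULL:!MD5'` is looser than the commit title suggests: OpenSSL's `HIGH` class still admits the 3DES suites and non-forward-secret RSA key exchange, and a cipher string says nothing about protocol versions, so SSLv3/TLS 1.0 stay at whatever the module defaults to. If the goal is "strong only", exclude those explicitly, e.g. `ssl_cipher => 'HIGH:!aNULL:!MD5:!3DES:!kRSA'`, and pair it with the class's `ssl_protocol` and `ssl_honorcipherorder` parameters. Also, a resource-like `class { '::apache::mod::ssl': ... }` must be evaluated before any `include ::apache::mod::ssl` elsewhere in the catalog (the apache module presumably includes it once a vhost enables SSL) or compilation fails with a duplicate declaration, so that ordering is worth confirming.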
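Review bot: The HSTS header is added with `Set`, which mod_headers applies only to successful (2xx) responses, so 3xx/4xx/5xx responses from this vhost leave without it; `always set` covers every response: `headers => 'always set Strict-Transport-Security "max-age=63072000; includeSubDomains"',`. `server_signature` and `server_tokens` are server-scope settings of the `apache` class in puppetlabs-apache rather than `apache::vhost` parameters, so as written the vhost declaration likely fails on unknown parameters (PATCH 42 below moves them). If this define can also produce a plain-HTTP vhost (the `$ssl` parameter suggests it can), the HSTS header on those responses is ignored by browsers and could be made conditional on `$ssl`.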
From: Jon Hallett Date: Thu, 17 Nov 2016 15:55:30 +0000 Subject: [PATCH 42/46] Move server stuff to apache module from vhost --- manifests/project/apache.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/project/apache.pp b/manifests/project/apache.pp index eabda75..da55a6c 100644 --- a/manifests/project/apache.pp +++ b/manifests/project/apache.pp @@ -13,6 +13,8 @@ mpm_module => false, service_ensure => running, service_enable => true, + server_signature => 'Off', + server_tokens => 'Prod', }) include ::apache::mod::proxy include ::apache::mod::alias @@ -174,8 +176,6 @@ ip => $ip, ip_based => $ip_based, add_listen => false, - server_signature => 'Off', - server_tokens => 'Prod', headers => 'Set Strict-Transport-Security "max-age=63072000; includeSubdomains;"', } From 62329fa5ac8c30d9d32305f1c12b00892dd184c5 Mon Sep 17 00:00:00 2001 From: Jon Hallett Date: Fri, 18 Nov 2016 10:00:42 +0000 Subject: [PATCH 43/46] Tidy up indentation --- manifests/project/apache.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/project/apache.pp b/manifests/project/apache.pp index da55a6c..87e7fc5 100644 --- a/manifests/project/apache.pp +++ b/manifests/project/apache.pp @@ -13,8 +13,8 @@ mpm_module => false, service_ensure => running, service_enable => true, - server_signature => 'Off', - server_tokens => 'Prod', + server_signature => 'Off', + server_tokens => 'Prod', }) include ::apache::mod::proxy include ::apache::mod::alias From 3b818c4856b2b0a8d67d1db1272a25585aee125b Mon Sep 17 00:00:00 2001 From: Jon Hallett Date: Fri, 18 Nov 2016 10:40:17 +0000 Subject: [PATCH 44/46] Turn on SELinux boolean for httpd to get to memcache --- manifests/project/apache.pp | 1 + 1 file changed, 1 insertion(+) diff --git a/manifests/project/apache.pp b/manifests/project/apache.pp index 87e7fc5..693f527 100644 --- a/manifests/project/apache.pp +++ b/manifests/project/apache.pp 
@@ -33,6 +33,7 @@ ensure_resource('selinux::boolean', 'httpd_can_network_connect_db', {'ensure' => 'on'}) ensure_resource('selinux::boolean', 'httpd_can_network_connect', {'ensure' => 'on'}) ensure_resource('selinux::boolean', 'httpd_can_sendmail', {'ensure' => 'on'}) + ensure_resource('selinux::boolean', 'httpd_can_network_memcache', {'ensure' => 'on'}) } From 9e12f0fc81e433f2af626d9dfeb98b0ec242c9d3 Mon Sep 17 00:00:00 2001 From: Jon Hallett Date: Tue, 21 Mar 2017 14:12:10 +0000 Subject: [PATCH 45/46] Allow worker as an MPM option --- manifests/project/apache.pp | 2 ++ 1 file changed, 2 insertions(+) diff --git a/manifests/project/apache.pp b/manifests/project/apache.pp index 693f527..d5022d5 100644 --- a/manifests/project/apache.pp +++ b/manifests/project/apache.pp @@ -52,6 +52,8 @@ if $apache_common['mpm'] == 'event' { include ::apache::mod::event + } elsif $apache_common['mpm'] == 'worker' { + include ::apache::mod::worker } else { include ::apache::mod::prefork } From da6648ac5dbe5605ddc24c78fe87d1e9841ef147 Mon Sep 17 00:00:00 2001 From: Jon Hallett Date: Mon, 3 Apr 2017 13:40:18 +0100 Subject: [PATCH 46/46] Give other access to the project Apache logs --- manifests/project.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/project.pp b/manifests/project.pp index ef39f2e..4468612 100644 --- a/manifests/project.pp +++ b/manifests/project.pp @@ -92,7 +92,7 @@ ensure => directory, owner => $uid, group => $gid, - mode => '0750', + mode => '0755', seltype => 'httpd_log_t', }
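Review bot: `httpd_can_network_memcache` adds nothing while the context line above keeps `httpd_can_network_connect` on, because that boolean already lets httpd open a connection to any host and port; the narrower booleans (ldap, db, memcache) only constrain anything once the broad one is off. If enumerating them is meant as least privilege, drop `httpd_can_network_connect` and keep the specific ones; if the broad one is genuinely needed, the memcache line is dead and a comment such as `# subsumed by httpd_can_network_connect` would stop the next reader from relying on it.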
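Review bot: Widening `var/log` to `0755` makes the project's httpd log directory traversable and listable by every local account, and whether the logs themselves become readable then depends only on the mode the rotatelogs pipe creates them with, which is not managed here. The vhost's `LogFormat` records client IPs, `X-Forwarded-For` values and full request lines, so a narrower fix is to add the accounts that need the logs to `$gid` and keep `0750`, or to manage the log files' mode explicitly if `other` access is really required. A one-line comment stating who the `other` bit is for would help either way.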