author | Jan Dittberner <jandd@cacert.org> | 2019-08-02 18:19:45 +0200 |
---|---|---|
committer | Jan Dittberner <jandd@cacert.org> | 2019-08-02 18:19:45 +0200 |
commit | 9a49de9ffe7305e202f469a4153ea3b17643c6f6 (patch) | |
tree | c04ae685068f4f24e79a11b6bf0ddcc6d8885c40 | |
parent | ad2d04ff2dd9bd23e488ed5d901c5181c5da8c08 (diff) | |
download | cacert-puppet-9a49de9ffe7305e202f469a4153ea3b17643c6f6.tar.gz cacert-puppet-9a49de9ffe7305e202f469a4153ea3b17643c6f6.tar.xz cacert-puppet-9a49de9ffe7305e202f469a4153ea3b17643c6f6.zip |
Setup Apache httpd on webstatic
-rw-r--r-- | Puppetfile | 1 | ||||
-rw-r--r-- | hieradata/nodes/webstatic.yaml | 100 | ||||
-rw-r--r-- | sitemodules/profiles/manifests/apache_common.pp | 29 | ||||
-rw-r--r-- | sitemodules/profiles/manifests/static_websites.pp | 36 | ||||
-rw-r--r-- | sitemodules/roles/manifests/webstatic.pp | 1 |
5 files changed, 167 insertions, 0 deletions
@@ -1,5 +1,6 @@
 mod 'icinga/icinga2', :latest
 mod 'icinga/icingaweb2', :latest
+mod 'puppetlabs/apache', :latest
 mod 'puppetlabs/apt', :latest
 mod 'puppetlabs/concat', :latest
 mod 'puppetlabs/mailalias_core', :latest
diff --git a/hieradata/nodes/webstatic.yaml b/hieradata/nodes/webstatic.yaml
index c489195..21bf5fe 100644
--- a/hieradata/nodes/webstatic.yaml
+++ b/hieradata/nodes/webstatic.yaml
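Review bot: The added `mod 'puppetlabs/apache', :latest` line in the Puppetfile is unpinned, so each deployment takes whatever release the Forge serves at that moment, and this module now writes the httpd configuration of public-facing vhosts. A changed module default or a tampered release would reach the server without any commit in this repository. Pinning it, for example `mod 'puppetlabs/apache', '<reviewed-version>'` (placeholder: use the release that was actually tested), turns upgrades into explicit, reviewable changes. The neighbouring entries use `:latest` as well, so the point applies to the file as a whole and not only to the new line.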
@@ -72,3 +72,103 @@ profiles::icinga2_agent::pki_ticket: >
 zWIAoTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCz2/HN15HQ/xCGQExX
 Ozd9gDCOqJLm9jtlSoCpwDwzowwiCgRj+k1s444lp1RkvgWKCrfO3QkOF3aR
 MY7nsz39ve8=]
+profiles::static_websites::apache_vhosts:
+ 'webstatic.cacert.org':
+ port: 80
+ access_log: true
+ access_log_format: "combined"
+ error_log: true
+ log_level: "warn"
+ redirect_source:
+ - "/"
+ redirect_dest:
+ - "https://www.cacert.org/"
+ docroot: false
+ manage_docroot: false
+ 'funding.cacert.org':
+ port: 80
+ access_log: true
+ access_log_format: "combined"
+ error_log: true
+ log_level: "warn"
+ docroot: "/var/www/funding.cacert.org"
+ docroot_owner: "git"
+ docroot_mode: "0755"
+ directoryindex:
+ - "index.html"
+ directories:
+ -
+ path: "/var/www/funding.cacert.org"
+ options:
+ - "-Includes"
+ - "-Indexes"
+ - "-FollowSymLinks"
+ - "-MultiViews"
+ require: "all granted"
+ headers:
+ - 'set X-Frame-Options "sameorigin"'
+ - 'set Strict-Transport-Security "max-age=31536000; includeSubDomains"'
+ - 'set X-XSS-Protection "1; mode=block"'
+ - 'set Cache-Control "no-cache, no-store, must-revalidate"'
+ - 'set Pragma "no-cache"'
+ - 'set Expires "-1"'
+ - 'set X-Permitted-Cross-Domain-Policies "master-only"'
+ - "set Content-Security-Policy \"default-src 'none'; script-src 'self'; img-src 'self'; style-src 'self'; connect-src 'self';\""
+ 'codedocs.cacert.org':
+ port: 80
+ access_log: true
+ access_log_format: "combined"
+ error_log: true
+ log_level: "warn"
+ docroot: "/var/www/codedocs.cacert.org/html"
+ docroot_owner: "jenkins-infradocs"
+ docroot_group: "upload"
+ docroot_mode: "0755"
+ directoryindex:
+ - "index.html"
+ directories:
+ -
+ path: "/var/www/codedocs.cacert.org/html"
+ options:
+ - "-Includes"
+ - "-Indexes"
+ - "-FollowSymLinks"
+ - "-MultiViews"
+ require: "all granted"
+ headers:
+ - 'set X-Frame-Options "sameorigin"'
+ - 'set Strict-Transport-Security "max-age=31536000; includeSubDomains"'
+ - 'set X-XSS-Protection "1; mode=block"'
+ - 'set Cache-Control "no-cache, no-store, must-revalidate"'
+ - 'set Pragma "no-cache"'
+ - 'set Expires "-1"'
+ - 'set X-Permitted-Cross-Domain-Policies "master-only"'
+ 'infradocs.cacert.org':
+ port: 80
+ access_log: true
+ access_log_format: "combined"
+ error_log: true
+ log_level: "warn"
+ docroot: "/var/www/infradocs.cacert.org/html"
+ docroot_owner: "jenkins-infradocs"
+ docroot_group: "upload"
+ docroot_mode: "0755"
+ directoryindex:
+ - "index.html"
+ directories:
+ -
+ path: "/var/www/infradocs.cacert.org/html"
+ options:
+ - "-Includes"
+ - "-Indexes"
+ - "-FollowSymLinks"
+ - "-MultiViews"
+ require: "all granted"
+ headers:
+ - 'set X-Frame-Options "sameorigin"'
+ - 'set Strict-Transport-Security "max-age=31536000; includeSubDomains"'
+ - 'set X-XSS-Protection "1; mode=block"'
+ - 'set Cache-Control "no-cache, no-store, must-revalidate"'
+ - 'set Pragma "no-cache"'
+ - 'set Expires "-1"'
+ - 'set X-Permitted-Cross-Domain-Policies "master-only"'
diff --git a/sitemodules/profiles/manifests/apache_common.pp b/sitemodules/profiles/manifests/apache_common.pp
new file mode 100644
index 0000000..4a94f80
--- /dev/null
+++ b/sitemodules/profiles/manifests/apache_common.pp
@@ -0,0 +1,29 @@
+# Class: profiles::static_websites
+# ================================
+#
+# This class takes care of basic Apache http setup. It is meant to be
+# included by other profiles.
+#
+# Examples
+# --------
+#
+# @example
+# class profiles::myprofile {
+# include profiles::icinga2_agent
+# }
+#
+# Authors
+# -------
+#
+# Jan Dittberner <jandd@cacert.org>
+#
+# Copyright
+# ---------
+#
+# Copyright 2019 Jan Dittberner
+class profiles::apache_common (
+) {
+ class { 'apache':
+ default_vhost => false,
+ }
+}
diff --git a/sitemodules/profiles/manifests/static_websites.pp b/sitemodules/profiles/manifests/static_websites.pp
new file mode 100644
index 0000000..0ef308b
--- /dev/null
+++ b/sitemodules/profiles/manifests/static_websites.pp
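Review bot: In hieradata/nodes/webstatic.yaml every vhost listens on `port: 80` yet sets `Strict-Transport-Security`; browsers ignore that header on responses received over plain HTTP, so it only takes effect if TLS is terminated in front of this host, which the hunk does not show. If that is the setup, a comment such as `# TLS is terminated upstream; HSTS is only honoured on the HTTPS response` above the first `headers:` list would record the assumption; if it is not, the three sites are served in cleartext and the header gives no protection. Separately, only `funding.cacert.org` gets a `Content-Security-Policy`; `codedocs.cacert.org` and `infradocs.cacert.org` carry the same header list without it, which may be deliberate for generated documentation but deserves a one-line comment saying so.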
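Review bot: In apache_common.pp the `class { 'apache': ... }` declaration sets only `default_vhost => false`, leaving version disclosure and TRACE handling to the module defaults, which depend on whichever release `:latest` resolves to. Setting them explicitly keeps the result stable across module upgrades: `server_tokens => 'Prod',`, `server_signature => 'Off',` and `trace_enable => 'Off',`. The header comment is also a copy from another class: it is titled `Class: profiles::static_websites` and its example includes `profiles::icinga2_agent`, where it should read `# Class: profiles::apache_common` with an example of `include profiles::apache_common`.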
@@ -0,0 +1,36 @@
+# Class: profiles::static_websites
+# ================================
+#
+# This class takes care of VirtualHost setup for static websites.
+#
+# Parameters
+# ----------
+#
+# @param apache_vhosts Apache VirtualHost definitions that will be fed into
+# apache::vhost resources from the puppetlabs/apache
+# module
+#
+# Examples
+# --------
+#
+# @example
+# class roles::myhost {
+# include profiles::icinga2_agent
+# }
+#
+# Authors
+# -------
+#
+# Jan Dittberner <jandd@cacert.org>
+#
+# Copyright
+# ---------
+#
+# Copyright 2019 Jan Dittberner
+class profiles::static_websites (
+ Hash[String, Data] $apache_vhosts = {},
+) {
+ include profiles::apache_common
+
+ create_resources(apache::vhost, $apache_vhosts)
+}
diff --git a/sitemodules/roles/manifests/webstatic.pp b/sitemodules/roles/manifests/webstatic.pp
index 59bef2e..f93c73d 100644
--- a/sitemodules/roles/manifests/webstatic.pp
+++ b/sitemodules/roles/manifests/webstatic.pp
@@ -25,5 +25,6 @@ class roles::webstatic {
 include profiles::rsyslog
 include profiles::purge_nrpe_agent
 include profiles::icinga2_agent
+ include profiles::static_websites
 include profiles::debarchive
 } |
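Review bot: In static_websites.pp `create_resources(apache::vhost, $apache_vhosts)` passes the Hiera hash through with no shared defaults, so every vhost must repeat its hardening settings and a vhost added later can omit them without anything failing. `create_resources` accepts a defaults hash as its third argument, so top-level vhost parameters could be kept in one place, e.g. `create_resources(apache::vhost, $apache_vhosts, $vhost_defaults)` with `$vhost_defaults` as a second class parameter (the name is a suggestion); settings nested inside `directories` entries would not be merged this way, and the YAML indentation is not recoverable on this page to tell which case applies. Tightening the type to `Hash[String, Hash]` would also reject a scalar vhost entry at compile time. The `@example` in the header still shows `include profiles::icinga2_agent`, not `include profiles::static_websites`.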