From 3ffae01a36f79dd5cf456edaf527dd3cdf7e18df Mon Sep 17 00:00:00 2001
From: "Eric D. Helms"
Date: Tue, 17 Sep 2024 15:11:44 -0400
Subject: [PATCH] Split out letsencrypt for web
---
 puppet/modules/profiles/manifests/repo/rpm.pp | 3 ++-
 puppet/modules/web/manifests/certs.pp | 20 +++++++++++++++++++
 puppet/modules/web/manifests/init.pp | 12 +++++------
 puppet/modules/web/manifests/vhost/rpm.pp | 17 ++++++++++++++++
 4 files changed, 45 insertions(+), 7 deletions(-)
 create mode 100644 puppet/modules/web/manifests/certs.pp
diff --git a/puppet/modules/profiles/manifests/repo/rpm.pp b/puppet/modules/profiles/manifests/repo/rpm.pp
index 0c1c45af8..2db9c8bb1 100644
--- a/puppet/modules/profiles/manifests/repo/rpm.pp
+++ b/puppet/modules/profiles/manifests/repo/rpm.pp
@@ -12,7 +12,8 @@
 Boolean $https = true,
 ) {
 class { 'web':
- https => $https,
+ https => $https,
+ all_in_one => false,
 }
 contain web
diff --git a/puppet/modules/web/manifests/certs.pp b/puppet/modules/web/manifests/certs.pp
new file mode 100644
index 000000000..4bb6945e8
--- /dev/null
+++ b/puppet/modules/web/manifests/certs.pp
@@ -0,0 +1,20 @@
+# @summary Define letsencrypt certificate
+#
+# domain / webroot_paths must match exactly
+#
+# @param domains
+# Domains to be handled by the certificate
+# @param paths
+# Vhost paths for each domain
+define web::certs(
+ Array[String] $domains,
+ Array[String] $paths,
+) {
+ $letsencypt_domain = 'theforeman.org'
+
+ letsencrypt::certonly { $letsencypt_domain:
+ plugin => 'webroot',
+ domains => $domains,
+ webroot_paths => $paths,
+ }
+}
diff --git a/puppet/modules/web/manifests/init.pp b/puppet/modules/web/manifests/init.pp
index 1ca76708b..23cb5b75a 100644
--- a/puppet/modules/web/manifests/init.pp
+++ b/puppet/modules/web/manifests/init.pp
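Review bot: The define declares `Array[String] $paths`, but the caller added in vhost/rpm.pp passes `webroot_paths => [...]`, so `web::certs { 'rpm': }` fails catalog compilation (unknown parameter `webroot_paths`, no value for `paths`); the `web::certs { 'web': }` declaration in init.pp continues outside its hunk, but since no other hunk touches that file the old `letsencrypt::certonly` key `webroot_paths` presumably survives there too, so renaming the parameter (and its `@param` entry) to `webroot_paths` fixes both callers. The certonly title is the fixed `$letsencypt_domain`, so two `web::certs` instances in one catalog both declare `Letsencrypt::Certonly['theforeman.org']` and fail as duplicates, and the rpm instance's certificate would be requested under a name that is not among its domains; titling it `$domains[0]` keeps `theforeman.org` for the web instance while giving each vhost group its own certificate. The header comment says the two arrays must line up but nothing enforces it; a `length($domains) != length($webroot_paths)` guard with `fail()` turns a misaligned webroot into a compile-time error rather than a failed or mis-served ACME challenge.
```puppet
# … unchanged: @summary header (rename `@param paths` to `@param webroot_paths`) …
define web::certs(
  Array[String] $domains,
  Array[String] $webroot_paths,
) {
  # The existing comment requires domains and webroots to line up one-to-one;
  # fail at compile time instead of handing certbot a mismatched pair.
  if length($domains) != length($webroot_paths) {
    fail("web::certs[${title}]: domains and webroot_paths must have the same length")
  }

  # The first domain names the certificate: keeps 'theforeman.org' for the
  # existing web instance and gives every other instance its own resource.
  letsencrypt::certonly { $domains[0]:
    plugin        => 'webroot',
    domains       => $domains,
    webroot_paths => $webroot_paths,
  }
}
```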
@@ -8,19 +8,19 @@
 # start httpd, the certs have to exist, so keep SSL vhosts disabled until the
 # certs are present via the HTTP vhost and only then enable the SSL vhosts.
 #
+# @param all_in_one
+# Used when deploying all vhosts to the same machine.
+#
 class web(
 Boolean $https = false,
+ Boolean $all_in_one = true,
 ) {
 class { 'web::base':
 letsencrypt => $https,
 }
- if $https {
- $letsencypt_domain = 'theforeman.org'
-
- letsencrypt::certonly { $letsencypt_domain:
- plugin => 'webroot',
- # domain / webroot_paths must match exactly
+ if $https and $all_in_one {
+ web::certs { 'web':
 domains => [
 'theforeman.org',
 'archivedeb.theforeman.org',
diff --git a/puppet/modules/web/manifests/vhost/rpm.pp b/puppet/modules/web/manifests/vhost/rpm.pp
index 6a14f6bcc..da4643dec 100644
--- a/puppet/modules/web/manifests/vhost/rpm.pp
+++ b/puppet/modules/web/manifests/vhost/rpm.pp
@@ -40,6 +40,23 @@
 script_content => epp('web/deploy-rpmrepo.sh.epp', $deploy_rpmrepo_context),
 }
+ if $web::https {
+ web::certs { 'rpm':
+ domains => [
+ 'yum.theforeman.org',
+ 'stagingyum.theforeman.org',
+ 'rpm.theforeman.org',
+ 'stagingrpm.theforeman.org',
+ ],
+ webroot_paths => [
+ '/var/www/vhosts/yum/htdocs',
+ '/var/www/vhosts/stagingyum/htdocs',
+ '/var/www/vhosts/rpm/htdocs',
+ '/var/www/vhosts/stagingrpm/htdocs',
+ ],
+ }
+ }
+
 include apache::mod::expires
 include apache::mod::dir
 include apache::mod::autoindex
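Review bot: The new `@param all_in_one` doc says only that the flag is "used" for the single-machine case; the one effect visible here is the guard `if $https and $all_in_one` around `web::certs { 'web': ... }`, and a reader choosing the value needs to know that. Suggest `#   When true (the default), this class requests the letsencrypt certificate for the main vhosts itself; set it to false on hosts that include a dedicated web::vhost::* class, which requests its own certificate (profiles::repo::rpm does this).` The `web::certs { 'web': }` declaration continues outside the hunk.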
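Review bot: `$web::https` on the first added line is only defined if class `web` has already been evaluated when this class is; the class header is outside the hunk, so I cannot see an `include web`, and profiles::repo::rpm only guarantees that ordering for its own callers. If some other caller evaluates `web::vhost::rpm` first, the lookup is an error under `strict_variables` and otherwise a warning plus undef, which makes the guard silently false and skips the certificate request for the rpm vhosts. Add `include web` before the guard, or take `Boolean $https` as a class parameter the way `web` itself does, so the dependency is explicit rather than a matter of evaluation order.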