apache: Re-use puppet certs when default_ssl_vhost is turned on

0917608a · Markus Frosch · 686d2dcf · 0917608a
Commit 0917608a authored Dec 06, 2016 by Markus Frosch
--- a/manifests/profiles/apache.pp
+++ b/manifests/profiles/apache.pp
 class icinga2_testing::profiles::apache
 {
+  include ::apache::params
+  
+  $conf_dir = hiera('apache::conf_dir', $::apache::params::conf_dir)
+
+  $default_ssl_vhost = hiera('apache::default_ssl_vhost', false)
+
+  if $default_ssl_vhost and hiera('apache::default_ssl_cert', undef) {
+    $default_ssl_key = undef
+    $default_ssl_cert = undef
+    $default_ssl_chain = undef
+  } elsif $default_ssl_vhost {
+    $default_ssl_key = "${conf_dir}/ssl/key.pem"
+    $default_ssl_cert = "${conf_dir}/ssl/cert.pem"
+    $default_ssl_chain = "${conf_dir}/ssl/chain.pem"
+    $_default_ssl_key = "/var/lib/puppet/ssl/private_keys/${::fqdn}.pem"
+    $_default_ssl_cert = "/var/lib/puppet/ssl/certs/${::fqdn}.pem"
+    $_default_ssl_chain = "/var/lib/puppet/ssl/certs/ca.pem"
+  }
+
  class { '::apache':
-    mpm_module => 'prefork', # enforce for PHP
+    mpm_module        => 'prefork', # enforce for PHP
+    default_ssl_key   => $default_ssl_key,
+    default_ssl_cert  => $default_ssl_cert,
+    default_ssl_chain => $default_ssl_chain,
  }

  contain ::apache
  contain ::apache::mod::rewrite
  contain ::apache::mod::php

-  create_resources('apache::custom_config', hiera_hash('apache::custom_configs', {}))
-  create_resources('apache::vhost', hiera_hash('apache::vhosts', {}))
+  if $default_ssl_key and $default_ssl_cert {
+    Package['httpd'] ->
+    file {
+      'apache ssl':
+        ensure => directory,
+        path   => "${conf_dir}/ssl";
+      'apache default_ssl_key':
+        ensure => file,
+        owner  => 'root',
+        group  => 'root',
+        mode   => '0644',
+        path   => $default_ssl_key,
+        source => $_default_ssl_key;
+      'apache default_ssl_cert':
+        ensure => file,
+        owner  => 'root',
+        group  => 'root',
+        mode   => '0644',
+        path   => $default_ssl_cert,
+        source => $_default_ssl_cert;
+      'apache default_ssl_chain':
+        ensure => file,
+        owner  => 'root',
+        group  => 'root',
+        mode   => '0644',
+        path   => $default_ssl_chain,
+        source => $_default_ssl_chain;
+    } ~> Class['::apache::service']
+  }
+
+  create_resources('apache::custom_config', hiera_hash('apache::custom_configs', { }))
+  create_resources('apache::vhost', hiera_hash('apache::vhosts', { }))
 }