Puppet Class: role::https
- Defined in:
- puppet/modules/role/manifests/https.pp
Overview
Class: role::https
Configures HTTPS support
NOTE: This will probably break on Labs-Vagrant (Cloud VPS), which sets ports in a different way. But Labs has default HTTPS via web proxies, so there is no point in enabling this role there anyway.
# File 'puppet/modules/role/manifests/https.pp', line 7
# Enables HTTPS for the Vagrant dev wiki: generates a self-signed
# certificate, trusts it in the OS store, fronts the wiki with an nginx
# site and tells MediaWiki to force HTTPS.
#
# Requires the `forwarded_https_port` fact to be set to a non-zero port;
# otherwise catalog compilation fails with an explanatory message.
class role::https {
    # A port of 0 means HTTPS was never configured for this VM.
    if Integer($::forwarded_https_port) == 0 {
        fail("You must configure the HTTPS port to use the 'https' role. (Use 'vagrant config https_port <port>'.)")
    }

    # Subject DN of the self-signed certificate and the stem used for the
    # key/cert file names below.
    $subject = '/CN=local.wmftest.net/O=MediaWiki-Vagrant/C=US'
    $keyname = 'local.wmftest.net'

    # Undo a hack used by an older version of this role: it rewrote the
    # system-wide openssl.cnf to inject a SAN. Only runs while that line is
    # still present, and always before the key is (re)generated.
    # NOTE(review): `sed`, `grep` and `update-ca-certificates` are not fully
    # qualified; presumably an `Exec { path => ... }` default is set elsewhere
    # in the site manifests — confirm.
    exec { 'fix openssl.conf':
        command => 'sed -i "s/^subjectAltName=DNS:dev.wiki.local.wmftest.net/# subjectAltName=email:copy/g" /etc/ssl/openssl.cnf',
        onlyif  => 'grep -q "^subjectAltName=DNS:dev.wiki.local.wmftest.net" /etc/ssl/openssl.cnf',
        before  => Exec['generate ssl key'],
    }

    # One-shot generation of an unencrypted (-nodes) RSA-2048 key and a
    # self-signed (-x509) certificate valid for 1095 days, with wildcard SANs
    # for the dev wiki hostnames. `creates` guards on the .pem, so once it
    # exists the pair is never regenerated — including after the certificate
    # expires; delete the .pem to force a new one.
    # NOTE(review): the private key lands in /etc/ssl/certs next to the public
    # cert and no file resource pins its owner/mode; openssl may create it
    # with restrictive permissions, but Puppet does not enforce that.
    exec { 'generate ssl key':
        command => @("COMMAND")
            /usr/bin/openssl req -subj ${subject} -nodes -new -x509 -newkey rsa:2048 \
            -keyout /etc/ssl/certs/${keyname}.key -out /etc/ssl/certs/${keyname}.pem -days 1095 \
            -addext 'subjectAltName=DNS:*.local.wmftest.net,DNS:*.wiki.local.wmftest.net'
            | - COMMAND
        ,
        creates => "/etc/ssl/certs/${keyname}.pem",
        before  => Nginx::Site['devwiki'],
        notify  => Exec['nginx-reload'],
    }

    # Despite the title, this installs the public *certificate* (converted to
    # DER) into the local CA directory and refreshes the OS trust store, so
    # tools on the VM accept the self-signed cert. Also `creates`-guarded, so a
    # regenerated certificate is not re-trusted until the .crt is removed.
    exec { 'add ssl key to OS cert store':
        command => @("COMMAND")
            /usr/bin/openssl x509 -outform der \
            -in /etc/ssl/certs/${keyname}.pem \
            -out /usr/local/share/ca-certificates/puppet-${keyname}.crt; \
            update-ca-certificates
            | - COMMAND
        ,
        creates => "/usr/local/share/ca-certificates/puppet-${keyname}.crt",
        require => Exec['generate ssl key'],
    }

    # nginx vhost that serves the wiki over TLS; the template is expected to
    # reference the key/cert paths above (not visible here — confirm).
    nginx::site { 'devwiki':
        content => template('role/https/nginx.conf.erb'),
        notify  => Service['nginx'],
    }

    # Make MediaWiki redirect to HTTPS and advertise the forwarded port.
    mediawiki::settings { 'SSL-related settings':
        values => {
            'wgForceHTTPS'                            => true,
            'wgHttpsPort'                             => $::forwarded_https_port,
            'wgAssumeProxiesUseDefaultProtocolPorts'  => false,
        }
    }

    # Horrible hack to tell CommonSettings.php that it is safe to use
    # a HTTPS URL for wgServer.
    # See modules/mediawiki/templates/multiwiki/CommonSettings.php.erb
    # Priority 1 so this flag is loaded before the other settings files.
    mediawiki::settings { 'Vagrant HTTPS support flag':
        values   => {
            'mwvSupportsHttps' => true,
        },
        priority => 1,
    }

    # Publish a copy of the public certificate (the .pem, never the .key)
    # under the Apache docroot; presumably so clients can download and trust
    # it — see the wiki page imported below.
    file { "${::apache::docroot}/${keyname}.pem":
        ensure  => file,
        source  => "/etc/ssl/certs/${keyname}.pem",
        require => Exec['generate ssl key'],
    }

    # Wiki page generated from a template; its content is not visible here.
    mediawiki::import::text { 'VagrantRoleHttps':
        content => template('role/https/VagrantRoleHttps.wiki.erb'),
    }
}