Add named_vhost TLS configuration.

To make it easier for people to configure named virtual hosts doing HTTPS, add a parameter 'certname' to apache::named_vhost, specifying names of the certificate files to use for that virtual host. When given, TLS will be enabled for the vhost, and configuration directives pointing out the certificate files (cert, chain and private key) will be added to the virtual host definition. Users need to install the certificate files themselves by means of the x509certs::hostcert::separate from the x509certs Puppet module from NSC, though.

Add named_vhost TLS configuration.
c61cbb97 · Thomas Bellman · 670474cf · c61cbb97 · c61cbb97
Commit c61cbb97 authored 5 years ago by Thomas Bellman
--- a/manifests/named_vhost.pp
+++ b/manifests/named_vhost.pp
-# Copyright (C) 2014 Thomas Bellman.
+# Copyright (C) 2014-2020 Thomas Bellman.
 # Licensed under the GNU LGPL v3+; see the README file for more information.
@@ -22,6 +22,14 @@ import "nsc-puppet-utils"
 *    into 'ServerName' and 'ServerAlias' directives.  Defaults to the
 *    hostnames (before resolving) in the 'urls' parameter if not specified.
 *
+ *  - certname
+ *    If set, specifies the basename of server certificate files, for
+ *    certificate, key, and chain.  This is the same name as used in the
+ *    x509certs::hostcert::separate definition in the NSC x509certs module.
+ *    Httpd configuration to enable TLS and use those certificate files
+ *    will be inserted in the virtual host configuration, but users needs
+ *    to install the files themselves, using x509certs::hostcert::separate.
+ *
 *  - documentroot
 *    The document root for the virtual host.  Optional (Apache will by
 *    default inherit this setting from the server-global setting).
@@ -41,8 +49,11 @@ import "nsc-puppet-utils"
 # but we do not want to guess the protocol, or imply a preference of
 # e.g. http over https.
-define apache::named_vhost($urls, $servernames=[],
+define apache::named_vhost($urls,
-			   $documentroot='', $config=undef,
+			   $servernames=[],
+			   $certname=false,
+			   $documentroot='',
+			   $config=undef,
 			   $ensure='present')
 {
    include apache

--- a/templates/named_vhost.conf.erb
+++ b/templates/named_vhost.conf.erb
 <%
+    # Copyright (C) 2014-2020 Thomas Bellman.
+    # Licensed under the GNU LGPL v3+; see the README file for more information.
    httpd_version = scope.lookupvar('apache::standard_version')
    server_names = []
@@ -72,6 +75,16 @@ NameVirtualHost <%= addr %>
 <% server_names[1..-1].each do |aliasname| -%>
    ServerAlias <%= aliasname %>
 <% end -%>
+<% if @certname && @certname != ''
+    certdir = scope.lookupvar('x509certs::pki_certdir')
+    keydir  = scope.lookupvar('x509certs::pki_keydir')
+-%>
+    SSLEngine on
+    SSLCertificateFile <%= certdir %>/<%= @certname %>-cert.pem
+    SSLCertificateKeyFile <%= keydir %>/<%= @certname %>-key.pem
+    SSLCertificateChainFile <%= certdir %>/<%= @certname %>-chain.pem
+<% end -%>
 <% if @documentroot && @documentroot != '' -%>
    DocumentRoot  <%= @documentroot %>
 <% end -%>