From c61cbb979eb2e8ada25ab12644de767df1136713 Mon Sep 17 00:00:00 2001
From: Thomas Bellman <bellman@nsc.liu.se>
Date: Tue, 17 Mar 2020 20:12:57 +0100
Subject: [PATCH] Add named_vhost TLS configuration.

To make it easier for people to configure named virtual hosts doing
HTTPS, add a parameter 'certname' to apache::named_vhost, specifying
names of the certificate files to use for that virtual host.  When
given, TLS will be enabled for the vhost, and configuration directives
pointing out the certificate files (cert, chain and private key) will
be added to the virtual host definition.

Users still need to install the certificate files themselves, by means
of x509certs::hostcert::separate from NSC's x509certs Puppet module.
---
 manifests/named_vhost.pp       | 17 ++++++++++++++---
 templates/named_vhost.conf.erb | 13 +++++++++++++
 2 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/manifests/named_vhost.pp b/manifests/named_vhost.pp
index d660788..fce812f 100644
--- a/manifests/named_vhost.pp
+++ b/manifests/named_vhost.pp
@@ -1,4 +1,4 @@
-# Copyright (C) 2014 Thomas Bellman.
+# Copyright (C) 2014-2020 Thomas Bellman.
 # Licensed under the GNU LGPL v3+; see the README file for more information.
 
 
@@ -22,6 +22,14 @@ import "nsc-puppet-utils"
  *    into 'ServerName' and 'ServerAlias' directives.  Defaults to the
  *    hostnames (before resolving) in the 'urls' parameter if not specified.
  *
+ *  - certname
+ *    If set, specifies the basename of server certificate files, for
+ *    certificate, key, and chain.  This is the same name as used in the
+ *    x509certs::hostcert::separate definition in the NSC x509certs module.
+ *    Httpd configuration to enable TLS and use those certificate files
+ *    will be inserted in the virtual host configuration, but users needs
+ *    to install the files themselves, using x509certs::hostcert::separate.
+ *
  *  - documentroot
  *    The document root for the virtual host.  Optional (Apache will by
  *    default inherit this setting from the server-global setting).
@@ -41,8 +49,11 @@ import "nsc-puppet-utils"
 # but we do not want to guess the protocol, or imply a preference of
 # e.g. http over https.
 
-define apache::named_vhost($urls, $servernames=[],
-			   $documentroot='', $config=undef,
+define apache::named_vhost($urls,
+			   $servernames=[],
+			   $certname=false,
+			   $documentroot='',
+			   $config=undef,
 			   $ensure='present')
 {
     include apache
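Review bot: `$certname` is accepted without any validation, yet the template in templates/named_vhost.conf.erb splices it straight into file paths (`SSLCertificateFile <%= certdir %>/<%= @certname %>-cert.pem` and the key and chain lines), so a value containing `/`, `..`, whitespace or a newline would point outside the PKI directories or produce a malformed mod_ssl directive. Restricting it to a plain basename at the top of the define body would close that, e.g. `if $certname and $certname !~ /^[A-Za-z0-9._-]+$/ { fail("apache::named_vhost: certname must be a plain file basename") }`. The same concern applies to the template hunk in named_vhost.conf.erb, where the three `SSLCertificate*` directives are emitted; it is not repeated there. The body of apache::named_vhost continues outside this hunk.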
diff --git a/templates/named_vhost.conf.erb b/templates/named_vhost.conf.erb
index 9e72c47..9382aab 100644
--- a/templates/named_vhost.conf.erb
+++ b/templates/named_vhost.conf.erb
@@ -1,4 +1,7 @@
 <%
+    # Copyright (C) 2014-2020 Thomas Bellman.
+    # Licensed under the GNU LGPL v3+; see the README file for more information.
+
     httpd_version = scope.lookupvar('apache::standard_version')
 
     server_names = []
@@ -72,6 +75,16 @@ NameVirtualHost <%= addr %>
 <% server_names[1..-1].each do |aliasname| -%>
     ServerAlias <%= aliasname %>
 <% end -%>
+<% if @certname && @certname != ''
+    certdir = scope.lookupvar('x509certs::pki_certdir')
+    keydir  = scope.lookupvar('x509certs::pki_keydir')
+-%>
+    SSLEngine on
+    SSLCertificateFile <%= certdir %>/<%= @certname %>-cert.pem
+    SSLCertificateKeyFile <%= keydir %>/<%= @certname %>-key.pem
+    SSLCertificateChainFile <%= certdir %>/<%= @certname %>-chain.pem
+
+<% end -%>
 <% if @documentroot && @documentroot != '' -%>
     DocumentRoot  <%= @documentroot %>
 <% end -%>
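Review bot: `SSLCertificateChainFile` is deprecated in mod_ssl 2.4.8 and later, where intermediate certificates are read from `SSLCertificateFile` instead; since the template already looks up `httpd_version` (from `apache::standard_version`, outside this hunk), the chain directive could be emitted only for older versions, or the comment could state that the `-cert.pem` file is expected to hold only the leaf certificate. The block also turns TLS on while inheriting protocol and cipher policy from the server-global mod_ssl configuration, which deserves a comment such as `# TLS protocol/cipher policy comes from the global mod_ssl config; only the per-vhost certificate files are set here`. Nothing in the hunk ties `certname` to the vhost's listening port, so if the address/port logic earlier in the template permits a plain-http vhost with `certname` set, `SSLEngine on` would break that vhost; worth confirming against the part of the template not shown here.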
-- 
GitLab