Antonio J. Delgado 2023-11-28 20:03:44 +02:00
parent 7baccd1884
commit 11d10e1ca5


@ -137,13 +137,10 @@ class mastodon (
'libyaml-dev', 'libyaml-dev',
'lsb-release', 'lsb-release',
'nginx', 'nginx',
# 'nodejs',
'pkg-config', 'pkg-config',
# 'postgresql-contrib', # 'postgresql-contrib',
# 'postgresql',
'protobuf-compiler', 'protobuf-compiler',
'python3-certbot-nginx', 'python3-certbot-apache',
# 'redis-server',
# 'redis-tools', # 'redis-tools',
'wget', 'wget',
'zlib1g-dev', 'zlib1g-dev',
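Review bot: `'nginx'` stays in the package list while the `python3-certbot-nginx` → `python3-certbot-apache` swap on this hunk (and the Apache vhost work elsewhere in the commit) moves the deployment to Apache. If nginx is installed and left running it holds port 80, which would make the `--standalone` certbot run added later in this commit fail to bind, and the two servers would then compete for 443 as well. Unless nginx is stopped or masked elsewhere in the class, either drop it from this list or add `service { 'nginx': ensure => stopped, enable => false, }` next to the package resource. The array this hunk edits begins outside the hunk.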
@ -310,6 +307,11 @@ class mastodon (
timeout => 0, timeout => 0,
require => File["${mastodon_home}/live/.env.production"], require => File["${mastodon_home}/live/.env.production"],
} }
exec { "register-${hostname}-letsencrypt":
command => "/etc/init.d/apache2 stop && /usr/bin/certbot certonly --agree-tos --email certs@susurrando.com -d ${hostname} -n --standalone && /etc/init.d/apache2 start",
creates => "/etc/letsencrypt/live/${hostname}/privkey.pem",
require => Package['python3-certbot-apache'],
}
apache::vhost { $hostname: apache::vhost { $hostname:
ensure => $ensure, ensure => $ensure,
access_log_file => $hostname, access_log_file => $hostname,
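Review bot: The `command` of the new `register-${hostname}-letsencrypt` exec chains three commands with `&&`, which Puppet's default posix exec provider does not interpret as a shell operator, so the resource needs `provider => 'shell',` (or three separate exec resources) to run as written. The chain also leaves apache2 stopped if certbot fails, because the trailing `start` only runs on success; consider `--apache` instead of `--standalone` so the service never has to stop, or restart it unconditionally. The contact address `certs@susurrando.com` is hard-coded in the manifest; a class parameter such as `$letsencrypt_email` would keep the module reusable and out of version-controlled literals.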
@ -325,6 +327,7 @@ class mastodon (
'http/1.1', 'http/1.1',
], ],
protocols_honor_order => true, protocols_honor_order => true,
proxy_requests => false,
proxy_pass => [ proxy_pass => [
{ 'path' => '/500.html', 'url' => '!' }, { 'path' => '/500.html', 'url' => '!' },
{ 'path' => '/sw.js', 'url' => '!' }, { 'path' => '/sw.js', 'url' => '!' },
@ -346,7 +349,10 @@ class mastodon (
request_headers => [ request_headers => [
'set X-Forwarded-Proto "https"', 'set X-Forwarded-Proto "https"',
], ],
headers => ['always set Strict-Transport-Security "max-age=31536000"'], headers => [
'always set Strict-Transport-Security "max-age=31536000"',
'always set Strict-Transport-Security "max-age=15552001; includeSubDomains"',
],
directories => [ directories => [
{ {
'path' => '^/(assets|avatars|emoji|headers|packs|sounds|system)', 'path' => '^/(assets|avatars|emoji|headers|packs|sounds|system)',
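Review bot: The two `always set Strict-Transport-Security` entries in the new `headers` array do not combine: `Header set` replaces any earlier value, so only the second one (`max-age=15552001; includeSubDomains`, about 180 days) is emitted and the one-year `max-age=31536000` line is dead configuration. Collapse them into a single entry, e.g. `'always set Strict-Transport-Security "max-age=31536000; includeSubDomains"',`. Before shipping `includeSubDomains`, confirm every subdomain of `${hostname}` is served over HTTPS, since browsers will refuse plain HTTP to all of them for the whole max-age.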
@ -368,6 +374,18 @@ class mastodon (
{ 'error_code' => '503', 'document' => '/503' }, { 'error_code' => '503', 'document' => '/503' },
{ 'error_code' => '504', 'document' => '/504' }, { 'error_code' => '504', 'document' => '/504' },
], ],
ssl => true,
ssl_cert => "/etc/letsencrypt/live/${hostname}/fullchain.pem",
ssl_cipher => 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA',
ssl_honorcipherorder => true,
ssl_protocol => 'all -SSLv3 -SSLv2 -TLSv1 -TLSv1.1',
ssl_key => "/etc/letsencrypt/live/${hostname}/privkey.pem",
ssl_proxy_check_peer_cn => true,
ssl_proxy_check_peer_expire => true,
ssl_proxyengine => true,
ssl_reload_on_change => true,
allow_encoded_slashes => true,
require => Exec["register-${hostname}-letsencrypt"],
} }
apache::vhost { "${hostname}_insecure": apache::vhost { "${hostname}_insecure":
ensure => $ensure, ensure => $ensure,
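Review bot: The new `ssl_cipher` list contradicts itself and still admits weak suites: `!DES` does not exclude `DES-CBC3-SHA` (3DES is a separate alias), and the trailing `AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA` entries enable static-RSA key exchange with no forward secrecy, which undermines the otherwise good `ssl_protocol => 'all -SSLv3 -SSLv2 -TLSv1 -TLSv1.1'`. Replace it with an ECDHE/DHE-only AEAD list, e.g. `ssl_cipher => 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384',` and add `!3DES` if a broader pattern is kept. `ssl_proxy_check_peer_cn` maps to a directive Apache has deprecated in favour of SSLProxyCheckPeerName; `ssl_proxy_check_peer_name => true` is the current equivalent. `allow_encoded_slashes => true` widens the paths that reach the proxied backend; worth a comment stating which Mastodon route needs it. The `apache::vhost { $hostname:` resource these attributes belong to begins outside this hunk.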