--- /dev/null
+{%- set has_letsencrypt = salt['pillar.get']('apache2:ssl:has_letsencrypt', False) %}
+{%- set my_fqdn = salt['grains.get']('fqdn') -%}
+{%- set my_hostname = salt['grains.get']('host') -%}
+{%- if has_letsencrypt %}
+ {%- set le_domain = salt['pillar.get']('apache2:ssl:le_domain', my_fqdn) %}
+ {%- set ssl_cert_file = '/etc/letsencrypt/live/' + le_domain + '/fullchain.pem' %}
+ {%- set ssl_key_file = '/etc/letsencrypt/live/' + le_domain + '/privkey.pem' %}
+{%- else %}
+ {%- set ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem' %}
+ {%- set ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key' %}
+{%- endif %}
+{%- set server_name = salt['pillar.get']('apache2:server_name', my_fqdn) %}
+{%- set server_aliases = salt['pillar.get']('apache2:server_alias', [my_hostname]) %}
+
+<IfModule mod_ssl.c>
+ <VirtualHost _default_:443>
+
+ Include sites-available/default-include.conf
+
+ SSLEngine on
+
+ SSLCertificateFile {{ ssl_cert_file }}
+ SSLCertificateKeyFile {{ ssl_key_file }}
+{%- if has_letsencrypt %}
+
+ Include /etc/letsencrypt/options-ssl-apache.conf
+{%- endif %}
+
+ #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
+
+ #SSLCACertificatePath /etc/ssl/certs/
+ #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
+
+ #SSLCARevocationPath /etc/apache2/ssl.crl/
+ #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
+
+ #SSLVerifyClient require
+ #SSLVerifyDepth 10
+
+ #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+
+ <FilesMatch "\.(cgi|shtml|phtml|php)$">
+ SSLOptions +StdEnvVars
+ </FilesMatch>
+ <Directory /usr/lib/cgi-bin>
+ SSLOptions +StdEnvVars
+ </Directory>
+
+ BrowserMatch "MSIE [2-6]" \
+ nokeepalive ssl-unclean-shutdown \
+ downgrade-1.0 force-response-1.0
+ # MSIE 7 and newer should be able to use keepalive
+ BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
+
+ ServerName {{ server_name }}
+{%- for server_alias in server_aliases %}
+ ServerAlias {{ server_alias }}
+{%- endfor %}
+
+ </VirtualHost>
+</IfModule>
+
+# vim: filetype=apache ts=8 sw=4 sts=4 sr noet
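Review bot: The certificate path and the ServerName come from two independent pillar keys — `apache2:ssl:le_domain` (line 6) and `apache2:server_name` (line 13), each defaulting to the FQDN — so setting only one of them yields a vhost that answers to one name while presenting a certificate issued for another. Assigning `server_name` before the `if` and defaulting the domain to it keeps the two aligned unless a different domain is chosen deliberately: `{%- set server_name = salt['pillar.get']('apache2:server_name', my_fqdn) %}` ahead of line 5 and `{%- set le_domain = salt['pillar.get']('apache2:ssl:le_domain', server_name) %}` on line 6. This file only works if the `file.managed` state that ships it renders it with `template: jinja`; that option is not among the visible lines of `apache2_default_config_ssl`, so confirm it is set, otherwise the `{% ... %}` tags land verbatim in the Apache config and the service fails its config test. In the non-letsencrypt branch nothing in the vhost sets `SSLProtocol` or `SSLCipherSuite`, so the snakeoil fallback presumably inherits whatever the global ssl module configuration provides — worth recording next to line 10, e.g. `# no per-vhost TLS hardening in this branch; protocol/cipher policy comes from the global ssl module config`.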
+++ /dev/null
-<IfModule mod_ssl.c>
- <VirtualHost _default_:443>
-
- Include sites-available/default-include.conf
-
- SSLEngine on
-
- SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
- SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
-
- #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
-
- #SSLCACertificatePath /etc/ssl/certs/
- #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
-
- #SSLCARevocationPath /etc/apache2/ssl.crl/
- #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
-
- #SSLVerifyClient require
- #SSLVerifyDepth 10
-
- #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
-
- <FilesMatch "\.(cgi|shtml|phtml|php)$">
- SSLOptions +StdEnvVars
- </FilesMatch>
- <Directory /usr/lib/cgi-bin>
- SSLOptions +StdEnvVars
- </Directory>
-
- BrowserMatch "MSIE [2-6]" \
- nokeepalive ssl-unclean-shutdown \
- downgrade-1.0 force-response-1.0
- # MSIE 7 and newer should be able to use keepalive
- BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
-
- </VirtualHost>
-</IfModule>
-
-# vim: filetype=apache ts=4 sw=4 sts=4 sr noet
{%- set has_apache = salt['pillar.get']('has_apache', False) %}
{%- if has_apache %}
+{%- set has_ssl = salt['pillar.get']('apache2:ssl:enabled', False) %}
apache2:
pkg.installed:
- enable: True
- require:
- pkg: apache2
+ - file: apache2_custom_log_conf
+ - file: apache2_mod_server_info_conf
+ - file: apache2_mod_server_status_conf
+ - file: apache2_default_config_include
+ - file: apache2_default_config
- file: apache2_custom_log_symlink
- file: apache2_mod_server_info_symlink
- file: apache2_mod_server_status_symlink
- - file: apache2_default_config_include
- - file: apache2_default_config
+ - file: apache2_default_config_symlink
+ - file: /etc/apache2/sites-enabled/000-default-le-ssl.conf
+ - file: /etc/apache2/sites-enabled/default-ssl.conf
+{%- if has_ssl %}
- file: apache2_default_config_ssl
+ - file: apache2_default_config_ssl_symlink
+{%- endif %}
- watch:
- file: apache2_custom_log_conf
- file: apache2_mod_server_info_conf
- file: apache2_mod_server_status_conf
- file: apache2_default_config_include
- file: apache2_default_config
- - file: apache2_default_config_include
+{%- if has_ssl %}
+ - file: apache2_default_config_ssl
+{%- endif %}
- onlyif:
- test -x /etc/init.d/apache2
- require:
- file: apache2_conf_dir
+apache2_sites_enabled_dir:
+ file.directory:
+ - name: /etc/apache2/sites-enabled
+ - user: root
+ - group: root
+ - mode: 0755
+ - require:
+ - file: apache2_conf_dir
+
apache2_default_config_include:
file.managed:
- name: /etc/apache2/sites-available/default-include.conf
- pkg: apache2
- file: apache2_default_config_include
+apache2_default_config_symlink:
+ file.symlink:
+ - name: /etc/apache2/sites-enabled/000-default.conf
+ - target: ../sites-available/000-default.conf
+ - force: True
+ - backupname: /etc/apache2/sites-available/000-default.disabled
+ - user: root
+ - group: root
+ - require:
+ - file: apache2_sites_enabled_dir
+ - file: apache2_default_config
+{%- if has_ssl %}
+
apache2_default_config_ssl:
file.managed:
- - name: /etc/apache2/sites-available/default-ssl.conf
- - source: salt://apache2/files/default-ssl.conf
+ - name: /etc/apache2/sites-available/000-default-ssl.conf
+ - source: salt://apache2/files/000-default-ssl.conf
- user: root
- group: root
- mode: 644
- pkg: apache2
- file: apache2_default_config_include
+apache2_default_config_ssl_symlink:
+ file.symlink:
+ - name: /etc/apache2/sites-enabled/000-default-ssl.conf
+ - target: ../sites-available/000-default-ssl.conf
+ - force: True
+ - backupname: /etc/apache2/sites-available/000-default-ssl.disabled
+ - user: root
+ - group: root
+ - require:
+ - file: apache2_sites_enabled_dir
+ - file: apache2_default_config_ssl
+{%- endif %}
+
+/etc/apache2/sites-enabled/000-default-le-ssl.conf:
+ file.absent
+
+/etc/apache2/sites-enabled/default-ssl.conf:
+ file.absent
+
apache2_logrotate:
file.managed:
- name: /etc/logrotate.d/apache2