(maint) Add support for mod_md

Allow configuring all parameters provided by the module.

Author: smortex

manifests/mod/md.pp

@@ -0,0 +1,137 @@
+# @summary
+#   Installs and configures `mod_md`.
+#
+# @param md_activation_delay
+#   -
+#
+# @param md_base_server
+#   Control if base server may be managed or only virtual hosts.
+#
+# @param md_ca_challenges
+#   Type of ACME challenge used to prove domain ownership.
+#
+# @param md_certificate_agreement
+#   You confirm that you accepted the Terms of Service of the Certificate
+#   Authority.
+#
+# @param md_certificate_authority
+#   The URL of the ACME Certificate Authority service.
+#
+# @param md_certificate_check
+#   -
+#
+# @param md_certificate_monitor
+#   The URL of a certificate log monitor.
+#
+# @param md_certificate_protocol
+#   The protocol to use with the Certificate Authority.
+#
+# @param md_certificate_status
+#   Exposes public certificate information in JSON.
+#
+# @param md_challenge_dns01
+#   Define a program to be called when the `dns-01` challenge needs to be
+#   setup/torn down. 
+#
+# @param md_contact_email
+#   The ACME protocol requires you to give a contact url when you sign up.
+#
+# @param md_http_proxy
+#   Define a proxy for outgoing connections.
+#
+# @param md_members
+#   Control if the alias domain names are automatically added.
+#
+# @param md_message_cmd
+#   Handle events for Manage Domains.
+#
+# @param md_must_staple
+#   Control if new certificates carry the OCSP Must Staple flag.
+#
+# @param md_notify_cmd
+#   Run a program when a Managed Domain is ready.
+#
+# @param md_port_map
+#   Map external to internal ports for domain ownership verification.
+#
+# @param md_private_keys
+#   Set type and size of the private keys generated.
+#
+# @param md_renew_mode
+#   Controls if certificates shall be renewed.
+#
+# @param md_renew_window
+#   Control when a certificate will be renewed.
+#
+# @param md_require_https
+#   Redirects http: traffic to https: for Managed Domains.
+#
+# @param md_server_status
+#   Control if Managed Domain information is added to server-status.
+#
+# @param md_staple_others
+#   Enable stapling for certificates not managed by mod_md.
+#
+# @param md_stapling
+#   Enable stapling for all or a particular MDomain.
+#
+# @param md_stapling_keep_response
+#   Controls when old responses should be removed.
+#
+# @param md_stapling_renew_window
+#   Control when the stapling responses will be renewed.
+#
+# @param md_store_dir
+#   Path on the local file system to store the Managed Domains data.
+#
+# @param md_warn_window
+#  Define the time window when you want to be warned about an expiring
+#  certificate.
+#
+# @see https://httpd.apache.org/docs/current/mod/mod_md.html for additional documentation.
+class apache::mod::md (
+  Optional[String]                                          $md_activation_delay       = undef,
+  Optional[Enum['on', 'off']]                               $md_base_server            = undef,
+  Optional[Array[Enum['dns-01', 'http-01', 'tls-alpn-01']]] $md_ca_challenges          = undef,
+  Optional[Enum['accepted']]                                $md_certificate_agreement  = undef,
+  Optional[Stdlib::HTTPUrl]                                 $md_certificate_authority  = undef,
+  Optional[String]                                          $md_certificate_check      = undef, # undocumented
+  Optional[String]                                          $md_certificate_monitor    = undef,
+  Optional[Enum['ACME']]                                    $md_certificate_protocol   = undef,
+  Optional[Enum['on', 'off']]                               $md_certificate_status     = undef,
+  Optional[Stdlib::Absolutepath]                            $md_challenge_dns01        = undef,
+  Optional[String]                                          $md_contact_email          = undef,
+  Optional[Stdlib::HTTPUrl]                                 $md_http_proxy             = undef,
+  Optional[Enum['auto', 'manual']]                          $md_members                = undef,
+  Optional[Stdlib::Absolutepath]                            $md_message_cmd            = undef,
+  Optional[Enum['on', 'off']]                               $md_must_staple            = undef,
+  Optional[Stdlib::Absolutepath]                            $md_notify_cmd             = undef,
+  Optional[String]                                          $md_port_map               = undef,
+  Optional[String]                                          $md_private_keys           = undef,
+  Optional[Enum['always', 'auto', 'manual']]                $md_renew_mode             = undef,
+  Optional[String]                                          $md_renew_window           = undef,
+  Optional[Enum['off', 'permanent', 'temporary']]           $md_require_https          = undef,
+  Optional[Enum['on', 'off']]                               $md_server_status          = undef,
+  Optional[Enum['on', 'off']]                               $md_staple_others          = undef,
+  Optional[Enum['on', 'off']]                               $md_stapling               = undef,
+  Optional[String]                                          $md_stapling_keep_response = undef,
+  Optional[String]                                          $md_stapling_renew_window  = undef,
+  Optional[Stdlib::Absolutepath]                            $md_store_dir              = undef,
+  Optional[String]                                          $md_warn_window            = undef,
+) {
+  include apache
+  include apache::mod::watchdog
+
+  apache::mod { 'md':
+  }
+
+  file { 'md.conf':
+    ensure  => file,
+    path    => "${apache::mod_dir}/md.conf",
+    mode    => $apache::file_mode,
+    content => epp('apache/mod/md.conf.epp'),
+    require => Exec["mkdir ${apache::mod_dir}"],
+    before  => File[$apache::mod_dir],
+    notify  => Class['apache::service'],
+  }
+}

spec/classes/mod/md_spec.rb

@@ -0,0 +1,199 @@
+require 'spec_helper'
+
+describe 'apache::mod::md', type: :class do
+  on_supported_os.each do |os, facts|
+    context "on #{os}" do
+      let :facts do
+        facts
+      end
+
+      if facts[:os]['family'] == 'Debian'
+        context 'validating all md params - using Debian' do
+          md_options = {
+            'md_activation_delay' => { type: 'Duration', pass_opt: 'MDActivationDelay' },
+            'md_base_server' => { type: 'OnOff', pass_opt: 'MDBaseServer' },
+            'md_ca_challenges' => { type: 'CAChallenges', pass_opt: 'MDCAChallenges' },
+            'md_certificate_agreement' => { type: 'MDCertificateAgreement', pass_opt: 'MDCertificateAgreement' },
+            'md_certificate_authority' => { type: 'URL', pass_opt: 'MDCertificateAuthority' },
+            'md_certificate_check' => { type: 'String', pass_opt: 'MDCertificateCheck' },
+            'md_certificate_monitor' => { type: 'URL', pass_opt: 'MDCertificateMonitor' },
+            'md_certificate_protocol' => { type: 'MDCertificateProtocol', pass_opt: 'MDCertificateProtocol' },
+            'md_certificate_status' => { type: 'OnOff', pass_opt: 'MDCertificateStatus' },
+            'md_challenge_dns01' => { type: 'Path', pass_opt: 'MDChallengeDns01' },
+            'md_contact_email' => { type: 'EMail', pass_opt: 'MDContactEmail' },
+            'md_http_proxy' => { type: 'URL', pass_opt: 'MDHttpProxy' },
+            'md_members' => { type: 'MDMembers', pass_opt: 'MDMembers' },
+            'md_message_cmd' => { type: 'Path', pass_opt: 'MDMessageCmd' },
+            'md_must_staple' => { type: 'OnOff', pass_opt: 'MDMustStaple' },
+            'md_notify_cmd' => { type: 'Path', pass_opt: 'MDNotifyCmd' },
+            'md_port_map' => { type: 'String', pass_opt: 'MDPortMap' },
+            'md_private_keys' => { type: 'String', pass_opt: 'MDPrivateKeys' },
+            'md_renew_mode' => { type: 'MDRenewMode', pass_opt: 'MDRenewMode' },
+            'md_renew_window' => { type: 'Duration', pass_opt: 'MDRenewWindow' },
+            'md_require_https' => { type: 'MDRequireHttps', pass_opt: 'MDRequireHttps' },
+            'md_server_status' => { type: 'OnOff', pass_opt: 'MDServerStatus' },
+            'md_staple_others' => { type: 'OnOff', pass_opt: 'MDStapleOthers' },
+            'md_stapling' => { type: 'OnOff', pass_opt: 'MDStapling' },
+            'md_stapling_keep_response' => { type: 'Duration', pass_opt: 'MDStaplingKeepResponse' },
+            'md_stapling_renew_window' => { type: 'Duration', pass_opt: 'MDStaplingRenewWindow' },
+            'md_store_dir' => { type: 'Path', pass_opt: 'MDStoreDir' },
+            'md_warn_window' => { type: 'Duration', pass_opt: 'MDWarnWindow' },
+          }
+
+          md_options.each do |config_option, config_hash|
+            puppetized_config_option = config_option
+            case config_hash[:type]
+            when 'CAChallenges'
+              valid_config_values = [['dns-01'], ['tls-alpn-01', 'http-01']]
+              valid_config_values.each do |valid_value|
+                describe "with #{puppetized_config_option} => #{valid_value}" do
+                  let :params do
+                    { puppetized_config_option.to_sym => valid_value }
+                  end
+
+                  it { is_expected.to contain_file('md.conf').with_content(%r{^#{config_hash[:pass_opt]} #{valid_value.join(' ')}}) }
+                end
+              end
+            when 'EMail'
+              valid_config_values = ['root@example.com']
+              valid_config_values.each do |valid_value|
+                describe "with #{puppetized_config_option} => #{valid_value}" do
+                  let :params do
+                    { puppetized_config_option.to_sym => valid_value }
+                  end
+
+                  it { is_expected.to contain_file('md.conf').with_content(%r{^#{config_hash[:pass_opt]} #{valid_value}$}) }
+                end
+              end
+            when 'Duration'
+              valid_config_values = ['7d', '33%']
+              valid_config_values.each do |valid_value|
+                describe "with #{puppetized_config_option} => '#{valid_value}'" do
+                  let :params do
+                    { puppetized_config_option.to_sym => valid_value }
+                  end
+
+                  it { is_expected.to contain_file('md.conf').with_content(%r{^#{config_hash[:pass_opt]} #{valid_value}$}) }
+                end
+              end
+            when 'MDCertificateAgreement'
+              valid_config_values = ['accepted']
+              valid_config_values.each do |valid_value|
+                describe "with #{puppetized_config_option} => '#{valid_value}'" do
+                  let :params do
+                    { puppetized_config_option.to_sym => valid_value }
+                  end
+
+                  it { is_expected.to contain_file('md.conf').with_content(%r{^#{config_hash[:pass_opt]} #{valid_value}$}) }
+                end
+              end
+            when 'MDCertificateProtocol'
+              valid_config_values = ['ACME']
+              valid_config_values.each do |valid_value|
+                describe "with #{puppetized_config_option} => '#{valid_value}'" do
+                  let :params do
+                    { puppetized_config_option.to_sym => valid_value }
+                  end
+
+                  it { is_expected.to contain_file('md.conf').with_content(%r{^#{config_hash[:pass_opt]} #{valid_value}$}) }
+                end
+              end
+            when 'MDMembers'
+              valid_config_values = ['auto', 'manual']
+              valid_config_values.each do |valid_value|
+                describe "with #{puppetized_config_option} => '#{valid_value}'" do
+                  let :params do
+                    { puppetized_config_option.to_sym => valid_value }
+                  end
+
+                  it { is_expected.to contain_file('md.conf').with_content(%r{^#{config_hash[:pass_opt]} #{valid_value}$}) }
+                end
+              end
+            when 'MDRenewMode'
+              valid_config_values = ['always', 'auto', 'manual']
+              valid_config_values.each do |valid_value|
+                describe "with #{puppetized_config_option} => '#{valid_value}'" do
+                  let :params do
+                    { puppetized_config_option.to_sym => valid_value }
+                  end
+
+                  it { is_expected.to contain_file('md.conf').with_content(%r{^#{config_hash[:pass_opt]} #{valid_value}$}) }
+                end
+              end
+            when 'MDRequireHttps'
+              valid_config_values = ['off', 'temporary', 'permanent']
+              valid_config_values.each do |valid_value|
+                describe "with #{puppetized_config_option} => '#{valid_value}'" do
+                  let :params do
+                    { puppetized_config_option.to_sym => valid_value }
+                  end
+
+                  it { is_expected.to contain_file('md.conf').with_content(%r{^#{config_hash[:pass_opt]} #{valid_value}$}) }
+                end
+              end
+            when 'OnOff'
+              valid_config_values = ['on', 'off']
+              valid_config_values.each do |valid_value|
+                describe "with #{puppetized_config_option} => '#{valid_value}'" do
+                  let :params do
+                    { puppetized_config_option.to_sym => valid_value }
+                  end
+
+                  it { is_expected.to contain_file('md.conf').with_content(%r{^#{config_hash[:pass_opt]} #{valid_value}$}) }
+                end
+              end
+            when 'Path'
+              valid_config_values = ['/some/path/to/somewhere']
+              valid_config_values.each do |valid_value|
+                describe "with #{puppetized_config_option} => #{valid_value}" do
+                  let :params do
+                    { puppetized_config_option.to_sym => valid_value }
+                  end
+
+                  it { is_expected.to contain_file('md.conf').with_content(%r{^#{config_hash[:pass_opt]} "#{valid_value}"$}) }
+                end
+              end
+            when 'String'
+              valid_config_values = ['a random string']
+              valid_config_values.each do |valid_value|
+                describe "with #{puppetized_config_option} => '#{valid_value}'" do
+                  let :params do
+                    { puppetized_config_option.to_sym => valid_value }
+                  end
+
+                  it { is_expected.to contain_file('md.conf').with_content(%r{^#{config_hash[:pass_opt]} #{valid_value}$}) }
+                end
+              end
+            when 'URL'
+              valid_config_values = ['https://example.com/example']
+              valid_config_values.each do |valid_value|
+                describe "with #{puppetized_config_option} => '#{valid_value}'" do
+                  let :params do
+                    { puppetized_config_option.to_sym => valid_value }
+                  end
+
+                  it { is_expected.to contain_file('md.conf').with_content(%r{^#{config_hash[:pass_opt]} #{valid_value}$}) }
+                end
+              end
+            else
+              valid_config_values = config_hash[:type]
+              valid_config_values.each do |valid_value|
+                describe "with #{puppetized_config_option} => '#{valid_value}'" do
+                  let :params do
+                    { puppetized_config_option.to_sym => valid_value }
+                  end
+
+                  it { is_expected.to contain_file('md.conf').with_content(%r{^#{config_hash[:pass_opt]} #{valid_value}$}) }
+                end
+              end
+            end
+          end
+        end
+      end
+
+      it { is_expected.to contain_class('apache::mod::watchdog') }
+      it { is_expected.to contain_apache__mod('md') }
+      it { is_expected.to contain_file('md.conf') }
+    end
+  end
+end