apache-httpd: manage snippets

- add apache-httpd profile with snippets configuration
- add TLS snippet to apache-httpd role pillar

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

pillar/id/themis_lysergic_dev.sls

@@ -0,0 +1,77 @@
+apache:
+  sites:
+    BookStack:
+      interface: '[fd29:8e45:f292:ff80::1]'
+      port: 443
+      ServerName: bookstack.themis.backend.syscid.com
+      DocumentRoot: /srv/www/BookStack/
+      DirectoryIndex: index.php
+      Directory:
+        /srv/www/BookStack/:
+          Options: 'Indexes FollowSymLinks -MultiViews'
+          AllowOverride: None
+          Require: all granted
+          Formula_Append: |
+            RewriteEngine On
+            RewriteCond '%{HTTP:Authorization} .'
+            RewriteCond '.* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]'
+            RewriteCond '%{REQUEST_FILENAME} !-d'
+            RewriteCond '%{REQUEST_URI} (.+)/$'
+            RewriteCond '^ %1 [L,R=301]'
+            RewriteCond '%{REQUEST_FILENAME} !-d'
+            RewriteCond '%{REQUEST_FILENAME} !-f'
+            RewriteCond '^ index.php [L]'
+      LogLevel: False
+      ErrorLog: False
+      LogFormat: False
+      CustomLog: False
+      ServerAdmin: False
+      ServerAlias: False
+      Formula_Append: |
+        Include /etc/apache2/snippets.d/ssl_themis.conf
+        AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript
+        SetOutputFilter DEFLATE
+        <FilesMatch '\.php$'>
+          SetHandler 'proxy:unix:/run/php-fpm/BookStack.sock|fcgi://BookStack'
+        </FilesMatch>
+
+profile:
+  bookstack:
+    app_url: https://libertacasa.info
+    db_host: ${'secret_bookstack:db_host'}
+    db_database: ${'secret_bookstack:db_database'}
+    db_username: ${'secret_bookstack:db_username'}
+    db_password: ${'secret_bookstack:db_password'}
+    mail_driver: smtp
+    mail_from_name: LibertaCasa Documentation
+    mail_from: mail@libertacasa.info
+    mail_host: zz0.email
+    mail_port: 465
+    mail_username: mail@libertacasa.info
+    mail_password: ${'secret_bookstack:mail_password'}
+    mail_encryption: ssl
+    app_theme: lysergic
+    cache_driver: memcached
+    session_driver: memcached
+    memcached_servers: /run/memcached/memcached.sock
+    session_secure_cookie: true
+    session_cookie_name: libertacasa_megayummycookie
+    app_debug: false
+    session_lifetime: 240
+    auth_method: saml2
+    auth_auto_initiate: true
+    saml2_name: LibertaCasa SSO
+    saml2_email_attribute: email
+    saml2_external_id_attribute: uid
+    saml2_display_name_attributes: fullname
+    saml2_idp_entityid: https://libsso.net/realms/libertacasa
+    saml2_idp_sso: https://libsso.net/realms/libertacasa/protocol/saml
+    saml2_idp_slo: https://libsso.net/realms/libertacasa/protocol/saml
+    saml2_idp_x509: ${'secret_bookstack:saml2_idp_x509'}
+    saml2_autoload_metadata: false
+    saml2_sp_x509: ${'secret_bookstack:saml2_sp_x509'}
+    saml2_sp_x509_key: ${'secret_bookstack:saml2_sp_x509_key'}
+    saml2_user_to_groups: true
+    saml2_group_attribute: groups
+    saml2_remove_from_groups: true
+    queue_connection: database

pillar/role/web/apache-httpd.sls

@@ -1,3 +1,13 @@
+{%- set host = grains['host'] -%}
+{%- set fqdn = grains['fqdn'] -%}
+
 apache:
   global:
     ServerAdmin: system@lysergic.dev
+
+profile:
+  apache-httpd:
+   snippets:
+    ssl_{{ host }}:
+      - 'SSLCertificateFile    "/etc/ssl/{{ host }}/{{ fqdn }}.crt"'
+      - 'SSLCertificateKeyFile "/etc/ssl/{{ host }}/{{ fqdn }}.key"'

salt/profile/apache-httpd/init.sls

@@ -0,0 +1,31 @@
+{%- set snippetsdir = '/etc/apache2/snippets.d' -%}
+{%- set mypillar = salt['pillar.get']('profile:apache-httpd', {}) -%}
+
+{{ snippetsdir }}:
+  file.directory:
+    - makedirs: True
+
+{%- if 'snippets' in mypillar %}
+{%- for snippet, config in mypillar['snippets'].items() %}
+{{ snippetsdir }}/{{ snippet }}.conf:
+  file.managed:
+    - contents:
+      {%- for line in config %}
+      - {{ line }}
+      {%- endfor %}
+    - require:
+      - file: {{ snippetsdir }}
+    {#- formula dependencies #}
+    - require_in:
+      - module: apache-service-running-restart
+      - service: apache-service-running
+    - watch_in:
+      - module: apache-service-running-reload
+{%- endfor %}
+{%- endif %}
+
+include:
+  - apache.config
+
+
+

salt/role/web/apache-httpd.sls

@@ -1,2 +1,2 @@
 include:
-  - apache.config
+  - profile.apache-httpd