-rw-r--r--src/package.lisp14
-rw-r--r--src/property/apache.lisp83
2 files changed, 92 insertions, 5 deletions
diff --git a/src/package.lisp b/src/package.lisp
index 6f9bd24..782e975 100644
--- a/src/package.lisp
+++ b/src/package.lisp
@@ -701,15 +701,19 @@
(defpackage :consfigurator.property.apache
(:use #:cl #:consfigurator)
- (:local-nicknames (#:service #:consfigurator.property.service)
- (#:apt #:consfigurator.property.apt)
- (#:os #:consfigurator.property.os)
- (#:file #:consfigurator.property.file))
+ (:local-nicknames (#:service #:consfigurator.property.service)
+ (#:apt #:consfigurator.property.apt)
+ (#:os #:consfigurator.property.os)
+ (#:file #:consfigurator.property.file)
+ (#:lets-encrypt #:consfigurator.property.lets-encrypt))
(:export #:installed
#:reloaded
#:mod-enabled
#:conf-enabled
- #:conf-available))
+ #:conf-available
+ #:site-enabled
+ #:site-available
+ #:https-vhost))
(defpackage :consfigurator.property.systemd
(:use #:cl #:consfigurator)
diff --git a/src/property/apache.lisp b/src/property/apache.lisp
index 7de7cdd..187fd50 100644
--- a/src/property/apache.lisp
+++ b/src/property/apache.lisp
@@ -60,3 +60,86 @@
(%conf-enabled ,name))
`(%conf-enabled ,name))
(reloaded))))
+
+(defproplist site-available :posix (domain config)
+ (:desc #?"Apache site ${domain} available")
+ (file:exists-with-content
+ (merge-pathnames (strcat domain ".conf") #P"/etc/apache2/sites-available/")
+ config))
+
+(defprop %site-enabled :posix (domain)
+ (:hostattrs (os:required 'os:debianlike))
+ (:check (zerop (mrun :for-exit "a2query" "-q" "-s" domain)))
+ (:apply (mrun "a2ensite" "--quiet" domain))
+ (:unapply (mrun "a2dissite" "--quiet" domain)))
+
+(defpropspec site-enabled :posix (domain &optional config)
+ (:desc #?"Apache site ${domain} enabled")
+ `(eseqprops
+ (installed)
+ (on-change ,(if config
+ `(eseqprops (site-available ,domain ,config)
+ (%site-enabled ,domain))
+ `(%site-enabled ,domain))
+ (reloaded))))
+
+(defproplist https-vhost :posix
+ (domain htdocs agree-tos
+ &key aliases additional-config additional-config-https)
+ "Configure an HTTPS Apache virtual host using a Let's Encrypt certificate.
+ALIASES are the values for ServerAlias entries; these must be specified
+separately for proper handling of the redirects from HTTP to HTTPS. Use of
+this property implies agreement with the Let's Encrypt Subscriber Agreement;
+AGREE-TOS is an instance of LETS-ENCRYPT:AGREE-TOS. ADDITIONAL-CONFIG are
+additional lines to add to the Apache configuration for both the HTTP and
+HTTPS virtual hosts; ADDITIONAL-CONFIG-HTTPS are additional lines to be added
+only to the HTTPS virtual host.
+
+Unapplying removes the Apache site config but leaves the certificate behind."
+ (with-unapply
+ (mod-enabled "ssl")
+ (conf-enabled "stapling"
+ '("SSLStaplingCache shmcb:/tmp/stapling_cache(128000)"))
+ (mod-enabled "rewrite")
+ (site-enabled
+ domain
+ (let ((initial `(,(strcat "DocumentRoot " htdocs)
+ "ErrorLog /var/log/apache2/error.log"
+ "LogLevel warn"
+ "CustomLog /var/log/apache2/access.log combined"
+ "ServerSignature on")))
+ `(,(strcat "<IfFile " (unix-namestring
+ (lets-encrypt:certificate-for domain))
+ ">")
+ "<VirtualHost *:443>"
+ ,(strcat "ServerName " domain ":443")
+ ,@(loop for alias in aliases collect (strcat "ServerAlias " alias))
+ ,@initial
+ "SSLEngine on"
+ ,(strcat "SSLCertificateFile "
+ (unix-namestring (lets-encrypt:certificate-for domain)))
+ ,(strcat "SSLCertificateKeyFile "
+ (unix-namestring (lets-encrypt:privkey-for domain)))
+ ,(strcat "SSLCertificateChainFile "
+ (unix-namestring (lets-encrypt:chain-for domain)))
+ "SSLUseStapling on"
+ ,@additional-config
+ ,@additional-config-https
+ "</VirtualHost>" "</IfFile>"
+ ,@(loop for name in (cons domain aliases) append
+ `(""
+ "<VirtualHost *:80>"
+ ,(strcat "ServerName " name ":80")
+ ,@initial
+ "RewriteEngine On"
+ "RewriteRule ^/.well-known/(.*) - [L]"
+ ;; redirect everything else to https
+ ,(strcat "RewriteRule ^/(.*) https://" name "/$1 [L,R,NE]")
+ ,@additional-config
+ "</VirtualHost>")))))
+ (on-change
+ (lets-encrypt:certificate-obtained agree-tos htdocs domain aliases)
+ (reloaded))
+ :unapply
+ (unapply (site-enabled domain))
+ (unapply (site-available domain ""))))
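Review bot: The HTTP→HTTPS redirect emitted for each name, `RewriteRule ^/(.*) https://NAME/$1 [L,R,NE]`, is a 302 because `R` without a status code defaults to temporary; a redirect that exists to enforce TLS should be `[L,R=301,NE]` so clients and caches treat the HTTPS origin as canonical, and the 443 vhost would be stronger with a `Header always set Strict-Transport-Security "max-age=31536000"` line (which would also need `(mod-enabled "headers")` alongside the existing `ssl` and `rewrite` entries). Separately, `SSLStaplingCache shmcb:/tmp/stapling_cache(128000)` places the cache under the world-writable /tmp, where any local user can pre-create that path; on the Debian-derived systems this property already assumes (the `a2ensite`/`a2query` calls), `SSLStaplingCache shmcb:${APACHE_RUN_DIR}/stapling_cache(128000)` keeps it in Apache's own runtime directory. `ServerSignature on` also appends the server version to generated error pages; `ServerSignature Off` is the usual hardening default, unless advertising it is intentional here. The interpolated `domain`, `aliases` and `htdocs` values are spliced unquoted into directives and into the redirect URL, which is fine for operator-supplied values but will silently produce a malformed site file if any contains whitespace or `>`; a one-line docstring note stating that these must be plain hostnames and an unquoted path would help callers.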