try ssl on syncproxies

diff --git a/modules/roles/manifests/syncproxy.pp b/modules/roles/manifests/syncproxy.pp
index 7e21d5b..b01232b 100644 (file)
--- a/modules/roles/manifests/syncproxy.pp
+++ b/modules/roles/manifests/syncproxy.pp
@@ -41,6 +41,7 @@ class roles::syncproxy {
        }
 
        if $::apache2 and $syncproxy_name != 'unknown' {
+               ssl::service { "$syncproxy_name": notify => Service['apache2'], key => true, }
                apache2::site { '010-syncproxy.debian.org':
                        site   => 'syncproxy.debian.org',
                        content => template('roles/syncproxy/syncproxy.debian.org-apache.erb')

diff --git a/modules/roles/templates/syncproxy/syncproxy.debian.org-apache.erb b/modules/roles/templates/syncproxy/syncproxy.debian.org-apache.erb
index db52513..9367e8e 100644 (file)
--- a/modules/roles/templates/syncproxy/syncproxy.debian.org-apache.erb
+++ b/modules/roles/templates/syncproxy/syncproxy.debian.org-apache.erb
@@ -5,12 +5,17 @@
 
 <%
   vhost_listen = [ (bind != '') ? "#{bind}:80" : "*:80",  (bind6 != '') ? "#{bind6}:80" : "*:80"].uniq.join(' ')
+  vhost_listen_443 = [ (bind != '') ? "#{bind}:443" : "*:443",  (bind6 != '') ? "#{bind6}:443" : "*:443"].uniq.join(' ')
 %>
 
-<Virtualhost <%= vhost_listen %> >
+Use common-debian-service-https-redirect "<%= vhost_listen %>" <%= syncproxy_name %>
+<Virtualhost <%= vhost_listen_443 %> >
    ServerName <%= syncproxy_name %>
    DocumentRoot /srv/www/syncproxy.debian.org/htdocs
 
+   Use common-debian-service-ssl <%= syncproxy_name %>
+   Use common-ssl-HSTS
+
    <Directory /srv/www/syncproxy.debian.org/htdocs>
       Require all granted
    </Directory>