From c653ce124758fb2d5f1d6ae1abfb0430ef6a9867 Mon Sep 17 00:00:00 2001
From: alex
Date: Sun, 5 Mar 2023 20:42:33 +0100
Subject: [PATCH] Add initial Proxmox proxy
---
 .../puppet/modules/proxmox/README.md | 16 +++++++
 .../puppet/modules/proxmox/manifests/proxy.pp | 47 +++++++++++++++++++
 personal_infra/puppet/site/h1.pdp7.net.pp | 4 ++
 3 files changed, 67 insertions(+)
 create mode 100644 personal_infra/puppet/modules/proxmox/manifests/proxy.pp
diff --git a/personal_infra/puppet/modules/proxmox/README.md b/personal_infra/puppet/modules/proxmox/README.md
index 1600d22..42bf724 100644
--- a/personal_infra/puppet/modules/proxmox/README.md
+++ b/personal_infra/puppet/modules/proxmox/README.md
@@ -16,3 +16,19 @@ network:
 netmask: 255.255.255.0
 network: 10.3.3.0/24
 ```
+
+## Proxy
+
+Class `proxmox::proxy` can handle proxying internal web servers.
+
+```
+class {'proxmox::proxy':
+ mail => lookup('mail.root_mail'),
+ base_hostname => lookup('network.public_hostname'),
+}
+```
+
+This uses the Apache HTTP Server and mod_md to obtain certificates.
+Your hostname must be publicly accessible, because http challenges are used.
+
+You receive mails to restart your server when required.
diff --git a/personal_infra/puppet/modules/proxmox/manifests/proxy.pp b/personal_infra/puppet/modules/proxmox/manifests/proxy.pp
new file mode 100644
index 0000000..423d5cf
--- /dev/null
+++ b/personal_infra/puppet/modules/proxmox/manifests/proxy.pp
@@ -0,0 +1,47 @@
+class proxmox::proxy ($mail, $base_hostname) {
+ package {'apache2':}
+ ->
+ service {'apache2':
+ enable => true,
+ ensure => running,
+ require => File['/usr/local/bin/notify_md_renewal'],
+ }
+
+ $apache_dep = {
+ require => Package['apache2'],
+ notify => Service['apache2'],
+ }
+
+ ['md', 'ssl'].each |$mod| {
+ exec {"/usr/sbin/a2enmod $mod":
+ creates => "/etc/apache2/mods-enabled/$mod.load",
+ * => $apache_dep,
+ }
+ }
+
+ file {'/etc/apache2/sites-enabled/test.conf':
+ content => @("EOT")
+ MDomain $base_hostname
+ MDCertificateAgreement accepted
+ MDContactEmail $mail
+ MDNotifyCmd /usr/local/bin/notify_md_renewal
+
+
+ ServerName $base_hostname
+ SSLEngine on
+
+ | EOT
+ ,
+ * => $apache_dep
+ }
+
+ file {'/usr/local/bin/notify_md_renewal':
+ content => @("EOT"/$)
+ #!/bin/sh
+
+ mail $mail -s "Restart apache2 on $base_hostname for certificate \$1" '0755',
+ }
+}
diff --git a/personal_infra/puppet/site/h1.pdp7.net.pp b/personal_infra/puppet/site/h1.pdp7.net.pp
index af66ab5..ef0ff1e 100644
--- a/personal_infra/puppet/site/h1.pdp7.net.pp
+++ b/personal_infra/puppet/site/h1.pdp7.net.pp
@@ -1,5 +1,9 @@
 node 'h1.pdp7.net' {
 class {'proxmox::freeipa':}
+ class {'proxmox::proxy':
+ mail => lookup('mail.root_mail'),
+ base_hostname => lookup('network.public_hostname'),
+ }
 class {'dns_dhcp':}
 # TODO: ugly; tinc scripts require this :(
--
2.47.3
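Review bot: The renewal script in the second `file` resource hands `$mail` to the shell unquoted (`mail $mail -s ...`), and both `$mail` and `$base_hostname` are written verbatim into that executable and into the `MDomain`/`ServerName` directives while the class parameters on the first line are untyped, so a malformed or unexpected lookup value is not rejected at catalog compile time but lands in a script the visible `'0755'` suggests is world-executable; I would quote the address, `mail "$mail" -s "Restart apache2 on $base_hostname for certificate \$1"`, and type the parameters, `class proxmox::proxy (String[1] $mail, String[1] $base_hostname) {`. The page rendering appears to have dropped text from both heredocs (the empty `+` lines around `ServerName`/`SSLEngine on`, and the `mail …` line fused with `'0755',`), so the VirtualHost wrapper and the script's `mode` attribute could not be checked here. Nothing in this hunk installs a `mail` command, so unless a mail client is managed elsewhere `MDNotifyCmd` will fail silently and the restart reminder the README promises never arrives; a `package` resource or a comment naming where it comes from would make that explicit. Writing the site straight into `sites-enabled` as `test.conf` instead of `sites-available` plus `a2ensite` also deserves a one-line comment on why, if it is intentional.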