added ssl support

README.markdown

@@ -124,6 +124,20 @@ The ownCloud module does not install or configure the database server itself, th
     }
 ```
 
+#### Install and configure Apache to use SSL
+
+To configure the Apache vhost to use SSL, you need to set `ssl` to `true` and define the absolute paths for the `ssl_cert` and `ssl_key` parameters. This module does not distribute certificate or key files to the server, you will need to take care of this yourself.
+
+```puppet
+    class { '::owncloud':
+      ssl      => true,
+      ssl_cert => '/path/to/file.crt',
+      ssl_key  => '/path/to/file.key',
+    }
+```
+
+When configured to use SSL, any non HTTPS traffic to the HTTP port (defaults to 80) will be redirected to the HTTPS port (defaults to 443).
+
 #### Install and manage only ownCloud
 
 To install and configure ownCloud with no additional modules:
@@ -181,6 +195,10 @@ Set the database type in the ownCloud configuration. Currently the only supporte
 
 Set the HTTP port to a non standard port. Defaults to '80'.
 
+##### `https_port`
+
+Set the HTTPS port to a non standard port. Defaults to '443'.
+
 ##### `manage_apache`
 
 Set to true for the module to install Apache and virtual host using the [PuppetLabs Apache module](https://github.com/puppetlabs/puppetlabs-apache). Typically this is managed elsewhere in your node definition, but if you are installing ownCloud on a dedicated webserver then setting `manage_apache` to true will configure Apache as required. Defaults to 'true'.
@@ -203,6 +221,26 @@ Set to true for the module to install the Apache virtual host using the [PuppetL
 
 *Note:* If `manage_apache` is set to true, `manage_vhost` will be ignored and the virtual host configuration will be installed even if it's set to false.
 
+##### `ssl`
+
+Set to true to enable HTTPS. When enabled, HTTP requests will be redirected to HTTPS. Must at least set the `ssl_cert` and `ssl_key` parameters to use SSL. Defaults to 'false'.
+
+##### `ssl_ca`
+
+Set the path of the CA certificate file, must use the absolute path.
+
+##### `ssl_cert`
+
+Set the path of the certificate file, must use the absolute path.
+
+##### `ssl_chain`
+
+Set the path of the certificate chain file, must use the absolute path.
+
+##### `ssl_key`
+
+Set the path of the certificate key file, must use the absolute path.
+
 ##### `url`
 
 Configures the virtual host to install if `manage_apache` or `manage_vhost` are set to true. At this time there is no support for Apache server aliases. Defaults to `owncloud.${::domain}`
@@ -237,7 +275,6 @@ In the pipeline:
 
 * Add support for additional operating systems.
 * Add support for PostgreSQL.
-* Add support for SSL virtual hosts.
 
 At this time only one instance of ownCloud can be configured per host. It would be easy enough to change to a define to make a multi-tenant ownCloud server, but wasn't a requirement when writing this and can only see this being implemented if someone wants to add this functionality via a pull request.
 

manifests/apache.pp

@@ -25,11 +25,38 @@
     Dav Off
   </Directory>"
 
-    apache::vhost { 'owncloud-http':
-      servername      => $owncloud::url,
-      port            => $owncloud::http_port,
-      docroot         => $owncloud::documentroot,
-      custom_fragment => $vhost_custom_fragment,
+    if $owncloud::ssl {
+      apache::vhost { 'owncloud-http':
+        servername => $owncloud::url,
+        port       => $owncloud::http_port,
+        docroot    => $owncloud::documentroot,
+        rewrites   => [
+          {
+            comment      => 'redirect non-SSL traffic to SSL site',
+            rewrite_cond => ['%{HTTPS} off'],
+            rewrite_rule => ['(.*) https://%{HTTPS_HOST}%{REQUEST_URI}'],
+          }
+        ]
+      }
+
+      apache::vhost { 'owncloud-https':
+        servername      => $owncloud::url,
+        port            => $owncloud::https_port,
+        docroot         => $owncloud::documentroot,
+        custom_fragment => $vhost_custom_fragment,
+        ssl             => true,
+        ssl_ca          => $owncloud::ssl_ca,
+        ssl_cert        => $owncloud::ssl_cert,
+        ssl_chain       => $owncloud::ssl_chain,
+        ssl_key         => $owncloud::ssl_key,
+      }
+    } else {
+      apache::vhost { 'owncloud-http':
+        servername      => $owncloud::url,
+        port            => $owncloud::http_port,
+        docroot         => $owncloud::documentroot,
+        custom_fragment => $vhost_custom_fragment,
+      }
     }
   }
 }

manifests/init.pp

@@ -9,11 +9,17 @@
   $db_user         = 'owncloud',
   $db_type         = 'mysql',
   $http_port       = 80,
+  $https_port      = 443,
   $manage_apache   = true,
   $manage_db       = true,
   $manage_repo     = true,
   $manage_skeleton = true,
   $manage_vhost    = true,
+  $ssl             = false,
+  $ssl_ca          = undef,
+  $ssl_cert        = undef,
+  $ssl_chain       = undef,
+  $ssl_key         = undef,
   $url             = "owncloud.${::domain}",
   $datadirectory   = $owncloud::params::datadirectory,
 ) inherits owncloud::params {
@@ -23,9 +29,17 @@
   validate_bool($manage_repo)
   validate_bool($manage_skeleton)
   validate_bool($manage_vhost)
+  validate_bool($ssl)
 
   validate_re($db_type, '^mysql$', '$database must be \'mysql\'')
 
+  if $ssl {
+    validate_absolute_path($ssl_cert, $ssl_key)
+
+    if $ssl_ca { validate_absolute_path($ssl_ca) }
+    if $ssl_chain { validate_absolute_path($ssl_chain) }
+  }
+
   class { 'owncloud::install': } ->
   class { 'owncloud::apache': } ->
   class { 'owncloud::config': } ->

spec/classes/owncloud_spec.rb

@@ -76,6 +76,7 @@
           end
 
           it { should contain_apache__vhost('owncloud-http').with(servername: 'owncloud.example.com') }
+          it { should_not contain_apache__vhost('owncloud-https').with(servername: 'owncloud.example.com') }
 
           # owncloud::config
 
@@ -252,6 +253,44 @@
             it { should_not contain_apache__vhost('owncloud-http') }
           end
 
+          describe 'when ssl is set to true (and has related cert params)' do
+            let :params do
+              {
+                ssl: true,
+                ssl_ca: '/srv/www/owncloud/certs/ca.crt',
+                ssl_cert: '/srv/www/owncloud/certs/cert.crt',
+                ssl_chain: '/srv/www/owncloud/certs/chain.crt',
+                ssl_key: '/srv/www/owncloud/certs/key.crt'
+              }
+            end
+
+            it { should contain_apache__vhost('owncloud-http').with(port: 80) }
+
+            it do
+              should contain_apache__vhost('owncloud-https').with(
+                port: 443,
+                ssl_ca: '/srv/www/owncloud/certs/ca.crt',
+                ssl_cert: '/srv/www/owncloud/certs/cert.crt',
+                ssl_chain: '/srv/www/owncloud/certs/chain.crt',
+                ssl_key: '/srv/www/owncloud/certs/key.crt',
+                ssl: true
+              )
+            end
+          end
+
+          describe 'when ssl is set to true (and https_port is set to 8443)' do
+            let :params do
+              {
+                https_port: 8443,
+                ssl: true,
+                ssl_cert: '/srv/www/owncloud/certs/cert.crt',
+                ssl_key: '/srv/www/owncloud/certs/key.crt'
+              }
+            end
+
+            it { should contain_apache__vhost('owncloud-https').with(port: 8443) }
+          end
+
           describe 'when url is set to "owncloud.company.tld"' do
             let(:params) { { url: 'owncloud.company.tld' } }