working version, for what is added. Still more to come.

files/etc/apache2/conf.d/ldap.conf

@@ -0,0 +1,20 @@
+<IfModule util_ldap.c>
+# Enable the LDAP connection pool and shared
+# memory cache. Enable the LDAP cache status
+# handler. Requires that mod_ldap and mod_authnz_ldap
+# be loaded. Change the "yourdomain.example.com" to
+# match your domain.
+
+LDAPSharedCacheSize 500000
+LDAPCacheEntries 1024
+LDAPCacheTTL 600
+LDAPOpCacheEntries 1024
+LDAPOpCacheTTL 600
+
+# Enable SSL connections, and disable certificate validation.
+LDAPTrustedMode         SSL
+LDAPVerifyServerCert    Off
+
+<Location /ldap-status>
+        SetHandler	ldap-status
+</Location>

files/etc/apache2/mod_info.conf

@@ -0,0 +1,14 @@
+#
+# Allow remote server configuration reports, with the URL of
+#  http://servername/server-info (requires that mod_info.c be loaded).
+#
+# see http://httpd.apache.org/docs-2.2/mod/mod_info.html
+#
+<IfModule mod_info.c>
+	<Location /server-info>
+		SetHandler server-info
+		Require host localhost
+		Require ip 127.0.0.1
+	</Location>
+</IfModule>
+

files/etc/apache2/mod_status.conf

@@ -0,0 +1,14 @@
+#
+# Allow server status reports generated by mod_status,
+# with the URL of http://servername/server-status
+#
+# see http://httpd.apache.org/docs-2.2/mod/mod_status.html
+#
+<IfModule mod_status.c>
+	<Location /server-status>
+		SetHandler server-status
+		Require host localhost
+		Require ip 127.0.0.1
+	</Location>
+</IfModule>
+

manifests/access.pp

@@ -0,0 +1,44 @@
+class apache2::access {
+	#
+	# Create the file we're storing these in
+	#
+	concat { $params::accessConfigPath :
+		ensure	=> present,
+	}
+}
+
+define apache2::grantAccessToHost
+(
+	$location,
+	$host
+)
+{
+	include apache2::params
+
+	validate_string( $location )
+	validate_string( $host )
+
+	concat::fragment { "${location}_${host}" :
+		target	=> $params::accessConfigPath,
+		order	=> 10,
+		content	=> template( "apache2/default${params::accessConfigPath}-grantToHost-frag.erb" ),
+	}
+}
+
+define apache2::grantAccessToIp
+(
+	$location,
+	$ip
+)
+{
+	include apache2::params
+
+	validate_string( $location )
+	validate_string( $ip )
+
+	concat::fragment { "${location}_${ip}" :
+		target	=> $params::accessConfigPath,
+		order	=> 10,
+		content	=> template( "apache2/default${params::accessConfigPath}-grantToIp-frag.erb" ),
+	}
+}

manifests/defaultmodules.pp

@@ -0,0 +1,24 @@
+class apache2::defaultModules
+(
+	$modules = []
+)
+{
+	include apache2::params
+
+	# List of default modules to enable
+	# defined in apache2::params::a2modDefaults
+	if ( is_array( $modules ) and ( size( $modules ) > 0 ) ) {
+		apache2::enableModule { $modules : }
+	}
+}
+
+define apache2::enableModule
+{
+        # Enable the module
+        exec { "enable_${name}" :
+                command => "/usr/sbin/a2enmod ${name}",
+                unless  => "/usr/sbin/a2enmod -q ${name}",
+                require => [ Package[ $params::packageName ], File[ $params::sysconfigPath ] ],
+                notify	=> $apache2::serviceNotify,
+        }
+}

manifests/init.pp

@@ -1,41 +1,114 @@
-# == Class: apache2
-#
-# Full description of class apache2 here.
-#
-# === Parameters
-#
-# Document parameters here.
-#
-# [*sample_parameter*]
-#   Explanation of what this parameter affects and what it defaults to.
-#   e.g. "Specify one or more upstream ntp servers as an array."
-#
-# === Variables
-#
-# Here you should define a list of variables that this module would require.
-#
-# [*sample_variable*]
-#   Explanation of how this variable affects the funtion of this class and if it
-#   has a default. e.g. "The parameter enc_ntp_servers must be set by the
-#   External Node Classifier as a comma separated list of hostnames." (Note,
-#   global variables should not be used in preference to class parameters  as of
-#   Puppet 2.6.)
-#
-# === Examples
-#
-#  class { apache2:
-#    servers => [ 'pool.ntp.org', 'ntp.local.company.com' ]
-#  }
-#
-# === Authors
-#
-# Author Name <[email protected]>
-#
-# === Copyright
-#
-# Copyright 2014 Your name here, unless otherwise noted.
-#
-class apache2 {
+File {
+	owner	=> root,
+	group	=> root,
+	ignore	=> [ '.svn', '.git' ],
+}
+
+class apache2
+(
+	$modules		= [],
+	$useDefaultModules	= true,
+	$remoteIpHeader		= 'X-Forwarded-For',
+	$serverSignature	= 'off',
+	$serverTokens		= 'prod',
+	$traceEnable		= false,
+	$reloadOnChange		= false
+)
+{
+	#
+	# Get our configs
+	#
+	include apache2::params
+
+
+	#
+	# Figure out if we're doing any "ensure" stuff with the service
+	#
+	validate_bool( $reloadOnChange )
+	if ( $reloadOnChange ) {
+		$serviceNotify = Service[ $params::serviceName ]
+	}
+	else {
+		$serviceNotify = []
+	}
+
+
+	#
+	# Package and Service
+	#
+	package { $params::packageName :
+		ensure	=> latest,
+	}
+
+	service { $params::serviceName :
+		ensure	=> running,
+		enable	=> true,
+		require	=> Package[ $params::packageName ],
+	}
+
+
+	#
+	# Make the log dir readable
+	#
+	file { '/var/log/apache2' :
+		ensure	=> directory,
+		mode	=> 'a+rx',
+		require	=> Package[ $params::packageName ],
+	}
+
+
+	#
+	# Set serverSignature and serverTokens
+	#
+	class { 'apache2::sysconfig' :
+		serverSignature	=> $serverSignature,
+		serverTokens	=> $serverTokens,
+	}
+
+
+	#
+	# Default Modules
+	# See params::a2modDefaults for default module list
+	# Other modules are turned on in their configuration definitions
+	#
+	if ( is_array( $modules ) ) { $a2modLoad = $modules }
+	else { $a2modLoad = [] }
+
+	if ( is_bool( $useDefaultModules ) and $useDefaultModules ) { $a2modDefaultLoad = $params::a2modDefaults }
+	else { $a2modDefaultLoad = [] }
+
+	class { 'apache2::defaultModules':
+		modules	=> union( $a2modLoad, $a2modDefaultLoad )
+	}
+
+
+	#
+	# Turn TraceEnable off
+	#
+	validate_bool( $traceEnable )
+	apache2::traceenable { 'class_default' :
+		enable => $traceEnable,
+		require	=> Package[ $params::packageName ],
+	}
+
+
+	#
+	# Turn on remoteIpHeader logging
+	#
+	validate_string( $remoteIpHeader )
+	apache2::remoteip { 'class_default' :
+		remoteIpHeader	=> $remoteIpHeader,
+	}
+
+
+	#
+	# Defaults for server-info and server-status
+	#
+	include apache2::statusAndInfo
 
 
+	#
+	# Grant access to various things from TS network
+	#
+	include apache2::access
 }

manifests/ldap.pp

@@ -0,0 +1,17 @@
+class apache2::ldap
+{
+	#
+	# Simply put in the default ldap config file,
+	# but using the new-style access control configurations
+	#
+	file { $params::ldapConfigPath :
+		ensure	=> present,
+		source	=> "puppet:///modules/apache2${params::statusConfigPath}",
+		require	=> Package[ $params::packageName ],
+	}
+
+	#
+	# Enable the module
+	#
+	apache2::enableModule{ 'ldap': }
+}

manifests/params.pp

@@ -0,0 +1,19 @@
+class apache2::params
+{
+	$serviceName   		= "apache2"
+	$packageName		= "apache2"
+
+	$sysconfigPath		= "/etc/sysconfig/apache2"
+
+	$configDirPath		= "/etc/apache2"
+	$infoConfigPath		= "${configDirPath}/mod_info.conf"
+	$statusConfigPath	= "${configDirPath}/mod_status.conf"
+
+	$configConfdPath	= "${configDirPath}/conf.d"
+	$accessConfigPath	= "${configConfdPath}/access.conf"
+	$remoteIpConfigPath	= "${configConfdPath}/remoteip.conf"
+	$traceEnableConfigPath	= "${configConfdPath}/trace.conf"
+
+	# Default modules for mod.pp
+	$a2modDefaults = [ 'actions','alias','auth_basic','authn_file','authz_host','authz_groupfile','authz_user','autoindex','dir','env','expires','include','log_config','mime','negotiation','setenvif','reqtimeout','authn_core','authz_core' ]
+}

manifests/remoteip.pp

@@ -0,0 +1,26 @@
+define apache2::remoteip
+(
+	$remoteIpHeader
+)
+{
+	include apache2::params
+
+	validate_string( $remoteIpHeader )
+
+	# Enable the module
+	apache2::enableModule{ 'remoteip': }
+
+        # Pick the template path we're going to use
+        $mod_path = get_module_path('apache2')
+        $specific = "$mod_path/templates/$operatingsystem/$operatingsystemrelease$params::remoteIpConfigPath.erb"
+        $default  = "$mod_path/templates/default$params::remoteIpConfigPath.erb"
+
+        # Set up the config file
+        file { $params::remoteIpConfigPath :
+                owner   => 'root',
+                group   => 'root',
+                content => inline_template( file( $specific, $default ) ),
+                notify  => $apache2::serviceNotify,
+        }
+
+}

manifests/statusandinfo.pp

@@ -0,0 +1,23 @@
+class apache2::statusAndInfo
+{
+	#
+	# Simply put in the default server-status and server-info files,
+	# but using the new-style access control configurations
+	#
+	file { $params::statusConfigPath :
+		ensure	=> present,
+		source	=> "puppet:///modules/apache2${params::statusConfigPath}",
+		require	=> Package[ $params::packageName ],
+	}
+	file { $params::infoConfigPath :
+		ensure	=> present,
+		source	=> "puppet:///modules/apache2${params::infoConfigPath}",
+		require	=> Package[ $params::packageName ],
+	}
+
+	#
+	# Enable the modules
+	#
+	apache2::enableModule{ 'status': }
+	apache2::enableModule{ 'info': }
+}

manifests/sysconfig.pp

@@ -0,0 +1,20 @@
+class apache2::sysconfig
+(
+	$serverSignature = 'off',
+	$serverTokens    = 'prod'
+)
+{
+	include apache2::params
+
+        # Pick the template path we're going to use
+        $mod_path = get_module_path('apache2')
+        $specific = "$mod_path/templates/$operatingsystem/$operatingsystemrelease$params::sysconfigPath.erb"
+        $default  = "$mod_path/templates/default$params::sysconfigPath.erb"
+
+	# Build the sysconfig file from the template
+	file { $params::sysconfigPath :
+		ensure	=> present,
+                content => inline_template( file( $specific, $default ) ),
+                notify	=> $apache2::serviceNotify,
+	}
+}