feat: dynamically add subscribe to nginx resource

- add subscribe option to nginx resource dependent on nginx_listen_mode - ensure nginx reloads when the ssl_cert or ssl_key changes, only if these values are not undef - ensure the file resources are defined for certificates
2024-03-03 15:22:01 +11:00 · 2024-03-03 15:22:01 +11:00 · 0782cd5679
commit 0782cd5679
parent df97b75aca
2 changed files with 47 additions and 15 deletions
--- a/site/profiles/manifests/pki/vault.pp
+++ b/site/profiles/manifests/pki/vault.pp
@ -102,5 +102,25 @@ class profiles::pki::vault (
        require => File[$base_path],
      }
    }
+
+  }else{
+    # manage each file resources, but dont change the content
+    $certificate_files = [
+      "${base_path}/certificate.crt",
+      "${base_path}/private.key",
+      "${base_path}/full_chain.crt",
+      "${base_path}/ca_certificate.crt",
+      "${base_path}/certificate.pem"
+    ]
+
+    $certificate_files.each |$file_path| {
+      file { $file_path:
+        ensure  => file,
+        owner   => 'root',
+        group   => 'root',
+        mode    => '0644',
+        require => File[$base_path],
+      }
+    }
  }
 }
--- a/site/profiles/manifests/reposync/webserver.pp
+++ b/site/profiles/manifests/reposync/webserver.pp
@ -32,6 +32,7 @@ class profiles::reposync::webserver (
      $ssl_key = undef
      $listen_port = $nginx_port
      $listen_ssl_port = undef
+      $extras_hash = {}
    }
    'https': {
      $enable_ssl = true
@ -39,6 +40,9 @@ class profiles::reposync::webserver (
      $ssl_key = $selected_ssl_key
      $listen_port = $nginx_ssl_port
      $listen_ssl_port = $nginx_ssl_port
+      $extras_hash = {
+        'subscribe' => [File[$ssl_cert], File[$ssl_key]],
+      }
    }
    'both': {
      $enable_ssl = true
@ -46,29 +50,37 @@ class profiles::reposync::webserver (
      $ssl_key = $selected_ssl_key
      $listen_port = $nginx_port
      $listen_ssl_port = $nginx_ssl_port
+      $extras_hash = {
+        'subscribe' => [File[$ssl_cert], File[$ssl_key]],
+      }
    }
    default: {
      # enum param prevents this ever being reached
    }
  }

-  class { 'nginx': }
-
-  # create the nginx vhost
-  nginx::resource::server { $nginx_vhost:
-    listen_port          => $listen_port,
-    server_name          => [$nginx_vhost],
-    use_default_location => true,
-    access_log           => "/var/log/nginx/${nginx_vhost}_access.log",
-    error_log            => "/var/log/nginx/${nginx_vhost}_error.log",
-    www_root             => $www_root,
-    autoindex            => 'on',
-    ssl                  => $enable_ssl,
-    ssl_cert             => $ssl_cert,
-    ssl_key              => $ssl_key,
-    ssl_port             => $listen_ssl_port,
+  # define the default parameters for the nginx server
+  $defaults = {
+    'listen_port'          => $listen_port,
+    'server_name'          => [$nginx_vhost],
+    'use_default_location' => true,
+    'access_log'           => "/var/log/nginx/${nginx_vhost}_access.log",
+    'error_log'            => "/var/log/nginx/${nginx_vhost}_error.log",
+    'www_root'             => $www_root,
+    'autoindex'            => 'on',
+    'ssl'                  => $enable_ssl,
+    'ssl_cert'             => $ssl_cert,
+    'ssl_key'              => $ssl_key,
+    'ssl_port'             => $listen_ssl_port,
  }

+  # merge the hashes conditionally
+  $nginx_parameters = merge($defaults, $extras_hash)
+
+  # create the nginx vhost with the merged parameters
+  class { 'nginx': }
+  create_resources('nginx::resource::server', { $nginx_vhost => $nginx_parameters })
+
  if $favicon {
    file { "${www_root}/favicon.ico":
      ensure => 'file',