feat: nginx reverse proxy debian cache

- add debian, debian/pool locations to reposyncer - add selinux fcontext rules
2024-04-13 12:59:22 +10:00 · 2024-04-13 12:59:22 +10:00 · 114d3fe195
commit 114d3fe195
parent eaddbe03d1
1 changed files with 51 additions and 1 deletions
--- a/site/profiles/manifests/reposync/webserver.pp
+++ b/site/profiles/manifests/reposync/webserver.pp
@ -1,6 +1,7 @@
 # setup a reposync webserver
 class profiles::reposync::webserver (
  String  $www_root = '/data/repos/snap',
+  String  $cache_root = '/data/repos/cache',
  String  $nginx_vhost = 'repos.main.unkin.net',
  Stdlib::Port $nginx_port = 80,
  Stdlib::Port $nginx_ssl_port = 443,
@ -77,10 +78,45 @@ class profiles::reposync::webserver (
  # merge the hashes conditionally
  $nginx_parameters = merge($defaults, $extras_hash)

+  # manage the nginx class
+  class { 'nginx':
+    proxy_cache_path      => {
+      "${cache_root}/debian" => 'debian:128m',
+    },
+    proxy_cache_levels    => '1:2',
+    proxy_cache_keys_zone => 'debian:128m',
+    proxy_cache_max_size  => '30000m',
+    proxy_cache_inactive  => '60d',
+    proxy_temp_path       => "${cache_root}/tmp",
+  }
+
  # create the nginx vhost with the merged parameters
-  class { 'nginx': }
  create_resources('nginx::resource::server', { $nginx_vhost => $nginx_parameters })

+  # cache debian packages from upstream
+  nginx::resource::location { "${nginx_vhost}-debian":
+    ensure   => present,
+    ssl      => true,
+    ssl_only => false,
+    location => '/debian',
+    server   => $nginx_vhost,
+    proxy    => 'http://mirror.gsl.icu/debian',
+  }
+
+  nginx::resource::location { "${nginx_vhost}-debian_pool":
+    ensure            => present,
+    ssl               => true,
+    ssl_only          => false,
+    location          => '/debian/pool',
+    server            => $nginx_vhost,
+    proxy             => 'http://mirror.gsl.icu/debian/pool',
+    proxy_cache       => 'debian',
+    proxy_cache_valid => [
+        '200 302 1440h',
+        '404 1m'
+    ],
+  }
+
  if $favicon {
    file { "${www_root}/favicon.ico":
      ensure => 'file',
@ -109,6 +145,13 @@ class profiles::reposync::webserver (
      pathspec => "${www_root}(/.*)?",
    }

+    # set httpd_sys_rw_content_t to all files under the cache_root
+    selinux::fcontext { $cache_root:
+      ensure   => 'present',
+      seltype  => 'httpd_sys_rw_content_t',
+      pathspec => "${cache_root}(/.*)?",
+    }
+
    # make sure we can connect to port 80
    selboolean { 'httpd_can_network_connect':
      persistent => true,
@ -121,5 +164,12 @@ class profiles::reposync::webserver (
      refreshonly => true,
      subscribe   => Selinux::Fcontext[$www_root],
    }
+
+    exec { "restorecon_${cache_root}":
+      path        => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
+      command     => "restorecon -Rv ${cache_root}",
+      refreshonly => true,
+      subscribe   => Selinux::Fcontext[$cache_root],
+    }
  }
 }