diff --git a/hieradata/roles/infra/storage/consul.yaml b/hieradata/roles/infra/storage/consul.yaml
index 1aef9be..723f60c 100644
--- a/hieradata/roles/infra/storage/consul.yaml
+++ b/hieradata/roles/infra/storage/consul.yaml
@@ -24,3 +24,11 @@ profiles::pki::vault::alt_names:
 - consul.main.unkin.net
 - consul.service.consul
 - consul
+
+# manage a simple nginx reverse proxy
+profiles::nginx::simpleproxy::nginx_vhost: 'consul.service.consul'
+profiles::nginx::simpleproxy::nginx_aliases:
+ - consul
+ - consul.main.unkin.net
+profiles::nginx::simpleproxy::proxy_port: 8500
+profiles::nginx::simpleproxy::proxy_path: '/'
diff --git a/hieradata/roles/infra/storage/vault.yaml b/hieradata/roles/infra/storage/vault.yaml
index 59dfa34..8785f7c 100644
--- a/hieradata/roles/infra/storage/vault.yaml
+++ b/hieradata/roles/infra/storage/vault.yaml
@@ -11,3 +11,11 @@ profiles::pki::vault::alt_names:
 - vault.main.unkin.net
 - vault.service.consul
 - vault
+
+# manage a simple nginx reverse proxy
+profiles::nginx::simpleproxy::nginx_vhost: 'vault.service.consul'
+profiles::nginx::simpleproxy::nginx_aliases:
+ - vault
+ - vault.main.unkin.net
+profiles::nginx::simpleproxy::proxy_port: 8200
+profiles::nginx::simpleproxy::proxy_path: '/'
diff --git a/site/profiles/manifests/consul/nginx.pp b/site/profiles/manifests/consul/nginx.pp
deleted file mode 100644
index 59d5fad..0000000
--- a/site/profiles/manifests/consul/nginx.pp
+++ /dev/null
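Review bot: `profiles::nginx::simpleproxy::nginx_aliases` repeats by hand the names already listed under `profiles::pki::vault::alt_names` three lines above, here and in the vault.yaml hunk; if one list is later edited without the other, nginx will answer for a name the Vault-issued certificate does not carry as a SAN, which clients see as a TLS name mismatch. Hiera can reference the existing key instead, `profiles::nginx::simpleproxy::nginx_aliases: "%{alias('profiles::pki::vault::alt_names')}"`, and the class passes the combined list through `unique()`, so the vhost name appearing in both lists is harmless. `proxy_scheme` is left at its class default here, so the hop from nginx to port 8500 (8200 for vault) is plain HTTP; that is presumably intended for a same-host backend, but a one-line comment saying so would stop it being "fixed" later.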
@@ -1,97 +0,0 @@
-# profiles::consul::nginx
-class profiles::consul::nginx (
- String $nginx_vhost = 'consul.service.consul',
- Stdlib::Port $nginx_port = 80,
- Stdlib::Port $nginx_ssl_port = 443,
- Enum['http','https','both'] $nginx_listen_mode = 'https',
- Enum['puppet', 'vault'] $nginx_cert_type = 'vault'
-) {
-
- # set the server_names
- $server_names = [$facts['networking']['fqdn'], $nginx_vhost, 'consul', 'consul.main.unkin.net']
-
- # select the certificates to use based on cert type
- case $nginx_cert_type {
- 'puppet': {
- $selected_ssl_cert = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt"
- $selected_ssl_key = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key"
- }
- 'vault': {
- $selected_ssl_cert = '/etc/pki/tls/vault/certificate.crt'
- $selected_ssl_key = '/etc/pki/tls/vault/private.key'
- }
- default: {
- # enum param prevents this ever being reached
- }
- }
-
- # set variables based on the listen_mode
- case $nginx_listen_mode {
- 'http': {
- $enable_ssl = false
- $ssl_cert = undef
- $ssl_key = undef
- $listen_port = $nginx_port
- $listen_ssl_port = undef
- $extras_hash = {}
- }
- 'https': {
- $enable_ssl = true
- $ssl_cert = $selected_ssl_cert
- $ssl_key = $selected_ssl_key
- $listen_port = $nginx_ssl_port
- $listen_ssl_port = $nginx_ssl_port
- $extras_hash = {
- 'subscribe' => [File[$ssl_cert], File[$ssl_key]],
- }
- }
- 'both': {
- $enable_ssl = true
- $ssl_cert = $selected_ssl_cert
- $ssl_key = $selected_ssl_key
- $listen_port = $nginx_port
- $listen_ssl_port = $nginx_ssl_port
- $extras_hash = {
- 'subscribe' => [File[$ssl_cert], File[$ssl_key]],
- }
- }
- default: {
- # enum param prevents this ever being reached
- }
- }
-
- # define the default parameters for the nginx server
- $defaults = {
- 'listen_port' => $listen_port,
- 'server_name' => $server_names,
- 'use_default_location' => true,
- 'access_log' => "/var/log/nginx/${nginx_vhost}_access.log",
- 'error_log' => "/var/log/nginx/${nginx_vhost}_error.log",
- 'autoindex' => 'on',
- 'ssl' => $enable_ssl,
- 'ssl_cert' => $ssl_cert,
- 'ssl_key' => $ssl_key,
- 'ssl_port' => $listen_ssl_port,
- 'proxy' => "http://${facts['networking']['ip']}:8500/",
- }
-
- # merge the hashes conditionally
- $nginx_parameters = merge($defaults, $extras_hash)
-
- # manage the nginx class
- include 'nginx'
-
- # create the nginx vhost with the merged parameters
- create_resources('nginx::resource::server', { $nginx_vhost => $nginx_parameters })
-
- # manage selinux
- if $::facts['os']['selinux']['config_mode'] == 'enforcing' {
-
- # make sure nginx can reverse proxy
- selboolean { 'httpd_can_network_connect':
- persistent => true,
- value => 'on',
- }
-
- }
-}
diff --git a/site/profiles/manifests/consul/server.pp b/site/profiles/manifests/consul/server.pp
index b3ec8c7..e2e9d06 100644
--- a/site/profiles/manifests/consul/server.pp
+++ b/site/profiles/manifests/consul/server.pp
@@ -106,7 +106,7 @@ class profiles::consul::server (
 if defined(Class['consul']) {
 # include nginx, policies and tokens
- include profiles::consul::nginx
+ include profiles::nginx::simpleproxy
 include profiles::consul::policies
 include profiles::consul::tokens
diff --git a/site/profiles/manifests/nginx/simpleproxy.pp b/site/profiles/manifests/nginx/simpleproxy.pp
new file mode 100644
index 0000000..28d6c1e
--- /dev/null
+++ b/site/profiles/manifests/nginx/simpleproxy.pp
@@ -0,0 +1,116 @@
+# profiles::nginx:simpleproxy
+#
+# only one simpleproxy per host, for anything more advanced, use nginx class
+class profiles::nginx::simpleproxy (
+ Stdlib::Fqdn $nginx_vhost = 'localhost',
+ Array[Stdlib::Host] $nginx_aliases = [],
+ Stdlib::Port $nginx_port = 80,
+ Stdlib::Port $nginx_ssl_port = 443,
+ Enum['http','https','both'] $nginx_listen_mode = 'https',
+ Enum['puppet', 'vault'] $nginx_cert_type = 'vault',
+ Enum['http','https'] $proxy_scheme = 'http',
+ Stdlib::Port $proxy_port = 80,
+ Stdlib::Host $proxy_host = $facts['networking']['ip'],
+ String $proxy_path = '/',
+) {
+
+ # if nginx_version isnt set, install nginx
+ if ! $facts['nginx_version'] {
+ package {'nginx':
+ ensure => 'present',
+ }
+
+ # else, configure simple proxy
+ }else{
+
+ # build the proxyurl from proxy_* variables
+ $proxyurl = "${proxy_scheme}://${proxy_host}:${proxy_port}${proxy_path}"
+
+ # set the server_names
+ $server_names = unique([$facts['networking']['fqdn'], $nginx_vhost] + $nginx_aliases)
+
+ # select the certificates to use based on cert type
+ case $nginx_cert_type {
+ 'puppet': {
+ $selected_ssl_cert = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt"
+ $selected_ssl_key = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key"
+ }
+ 'vault': {
+ $selected_ssl_cert = '/etc/pki/tls/vault/certificate.crt'
+ $selected_ssl_key = '/etc/pki/tls/vault/private.key'
+ }
+ default: {
+ # enum param prevents this ever being reached
+ }
+ }
+
+ # set variables based on the listen_mode
+ case $nginx_listen_mode {
+ 'http': {
+ $enable_ssl = false
+ $ssl_cert = undef
+ $ssl_key = undef
+ $listen_port = $nginx_port
+ $listen_ssl_port = undef
+ $extras_hash = {}
+ }
+ 'https': {
+ $enable_ssl = true
+ $ssl_cert = $selected_ssl_cert
+ $ssl_key = $selected_ssl_key
+ $listen_port = $nginx_ssl_port
+ $listen_ssl_port = $nginx_ssl_port
+ $extras_hash = {
+ 'subscribe' => [File[$ssl_cert], File[$ssl_key]],
+ }
+ }
+ 'both': {
+ $enable_ssl = true
+ $ssl_cert = $selected_ssl_cert
+ $ssl_key = $selected_ssl_key
+ $listen_port = $nginx_port
+ $listen_ssl_port = $nginx_ssl_port
+ $extras_hash = {
+ 'subscribe' => [File[$ssl_cert], File[$ssl_key]],
+ }
+ }
+ default: {
+ # enum param prevents this ever being reached
+ }
+ }
+
+ # define the default parameters for the nginx server
+ $defaults = {
+ 'listen_port' => $listen_port,
+ 'server_name' => $server_names,
+ 'use_default_location' => true,
+ 'access_log' => "/var/log/nginx/${nginx_vhost}_access.log",
+ 'error_log' => "/var/log/nginx/${nginx_vhost}_error.log",
+ 'autoindex' => 'on',
+ 'ssl' => $enable_ssl,
+ 'ssl_cert' => $ssl_cert,
+ 'ssl_key' => $ssl_key,
+ 'ssl_port' => $listen_ssl_port,
+ 'proxy' => $proxyurl,
+ }
+
+ # merge the hashes conditionally
+ $nginx_parameters = merge($defaults, $extras_hash)
+
+ # manage the nginx class
+ include 'nginx'
+
+ # create the nginx vhost with the merged parameters
+ create_resources('nginx::resource::server', { $nginx_vhost => $nginx_parameters })
+
+ # manage selinux
+ if $::facts['os']['selinux']['config_mode'] == 'enforcing' {
+
+ # make sure nginx can reverse proxy
+ selboolean { 'httpd_can_network_connect':
+ persistent => true,
+ value => 'on',
+ }
+ }
+ }
+}
diff --git a/site/profiles/manifests/vault/nginx.pp b/site/profiles/manifests/vault/nginx.pp
deleted file mode 100644
index d095db4..0000000
--- a/site/profiles/manifests/vault/nginx.pp
+++ /dev/null
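Review bot: The `if ! $facts['nginx_version']` guard at the top of the class means a host without nginx gets only `package {'nginx': ensure => 'present'}` on its first run and no server block, certificates or proxy target until a later run sees the fact, so nginx sits on the distro default configuration in between; `include 'nginx'` in the else branch normally manages the package itself, so the guard can be dropped and the whole body applied in a single run. `String $proxy_path = '/'` is interpolated straight into `$proxyurl`, so a value without a leading slash yields a malformed upstream URL; `Stdlib::Unixpath $proxy_path = '/'` rejects that at compile time. `'autoindex' => 'on'` in `$defaults` is carried over from the deleted per-service classes but has no purpose on a vhost whose default location is a proxy, and `'off'` is the safer value. The header comment `# profiles::nginx:simpleproxy` is missing a colon, and `$::facts` in the selinux check is inconsistent with the `$facts` used everywhere else in the class.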
@@ -1,97 +0,0 @@
-# profiles::vault::nginx
-class profiles::vault::nginx (
- String $nginx_vhost = 'vault.service.consul',
- Stdlib::Port $nginx_port = 80,
- Stdlib::Port $nginx_ssl_port = 443,
- Enum['http','https','both'] $nginx_listen_mode = 'https',
- Enum['puppet', 'vault'] $nginx_cert_type = 'vault'
-) {
-
- # set the server_names
- $server_names = [$facts['networking']['fqdn'], $nginx_vhost, 'vault', 'vault.main.unkin.net']
-
- # select the certificates to use based on cert type
- case $nginx_cert_type {
- 'puppet': {
- $selected_ssl_cert = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt"
- $selected_ssl_key = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key"
- }
- 'vault': {
- $selected_ssl_cert = '/etc/pki/tls/vault/certificate.crt'
- $selected_ssl_key = '/etc/pki/tls/vault/private.key'
- }
- default: {
- # enum param prevents this ever being reached
- }
- }
-
- # set variables based on the listen_mode
- case $nginx_listen_mode {
- 'http': {
- $enable_ssl = false
- $ssl_cert = undef
- $ssl_key = undef
- $listen_port = $nginx_port
- $listen_ssl_port = undef
- $extras_hash = {}
- }
- 'https': {
- $enable_ssl = true
- $ssl_cert = $selected_ssl_cert
- $ssl_key = $selected_ssl_key
- $listen_port = $nginx_ssl_port
- $listen_ssl_port = $nginx_ssl_port
- $extras_hash = {
- 'subscribe' => [File[$ssl_cert], File[$ssl_key]],
- }
- }
- 'both': {
- $enable_ssl = true
- $ssl_cert = $selected_ssl_cert
- $ssl_key = $selected_ssl_key
- $listen_port = $nginx_port
- $listen_ssl_port = $nginx_ssl_port
- $extras_hash = {
- 'subscribe' => [File[$ssl_cert], File[$ssl_key]],
- }
- }
- default: {
- # enum param prevents this ever being reached
- }
- }
-
- # define the default parameters for the nginx server
- $defaults = {
- 'listen_port' => $listen_port,
- 'server_name' => $server_names,
- 'use_default_location' => true,
- 'access_log' => "/var/log/nginx/${nginx_vhost}_access.log",
- 'error_log' => "/var/log/nginx/${nginx_vhost}_error.log",
- 'autoindex' => 'on',
- 'ssl' => $enable_ssl,
- 'ssl_cert' => $ssl_cert,
- 'ssl_key' => $ssl_key,
- 'ssl_port' => $listen_ssl_port,
- 'proxy' => "http://${facts['networking']['ip']}:8200/",
- }
-
- # merge the hashes conditionally
- $nginx_parameters = merge($defaults, $extras_hash)
-
- # manage the nginx class
- include 'nginx'
-
- # create the nginx vhost with the merged parameters
- create_resources('nginx::resource::server', { $nginx_vhost => $nginx_parameters })
-
- # manage selinux
- if $::facts['os']['selinux']['config_mode'] == 'enforcing' {
-
- # make sure nginx can reverse proxy
- selboolean { 'httpd_can_network_connect':
- persistent => true,
- value => 'on',
- }
-
- }
-}
diff --git a/site/profiles/manifests/vault/server.pp b/site/profiles/manifests/vault/server.pp
index 5d10f89..6aeaf6a 100644
--- a/site/profiles/manifests/vault/server.pp
+++ b/site/profiles/manifests/vault/server.pp
@@ -91,6 +91,6 @@ class profiles::vault::server (
 # include classes to manage vault
 include profiles::vault::unseal
- include profiles::vault::nginx
+ include profiles::nginx::simpleproxy
 }
 }