feat: simple nginx proxy

- merge consul/vault nginx proxy into single class
- replace nginx proxy classes for consul/vault with simpleproxy class

hieradata/roles/infra/storage/consul.yaml

@@ -24,3 +24,11 @@ profiles::pki::vault::alt_names:
   - consul.main.unkin.net
   - consul.service.consul
   - consul
+
+# manage a simple nginx reverse proxy
+profiles::nginx::simpleproxy::nginx_vhost: 'consul.service.consul'
+profiles::nginx::simpleproxy::nginx_aliases:
+  - consul
+  - consul.main.unkin.net
+profiles::nginx::simpleproxy::proxy_port: 8500
+profiles::nginx::simpleproxy::proxy_path: '/'

hieradata/roles/infra/storage/vault.yaml

@@ -11,3 +11,11 @@ profiles::pki::vault::alt_names:
   - vault.main.unkin.net
   - vault.service.consul
   - vault
+
+# manage a simple nginx reverse proxy
+profiles::nginx::simpleproxy::nginx_vhost: 'vault.service.consul'
+profiles::nginx::simpleproxy::nginx_aliases:
+  - vault
+  - vault.main.unkin.net
+profiles::nginx::simpleproxy::proxy_port: 8200
+profiles::nginx::simpleproxy::proxy_path: '/'

site/profiles/manifests/consul/nginx.pp

@@ -1,97 +0,0 @@
-# profiles::consul::nginx
-class profiles::consul::nginx (
-  String       $nginx_vhost = 'consul.service.consul',
-  Stdlib::Port $nginx_port = 80,
-  Stdlib::Port $nginx_ssl_port = 443,
-  Enum['http','https','both'] $nginx_listen_mode = 'https',
-  Enum['puppet', 'vault'] $nginx_cert_type = 'vault'
-) {
-
-  # set the server_names
-  $server_names = [$facts['networking']['fqdn'], $nginx_vhost, 'consul', 'consul.main.unkin.net']
-
-  # select the certificates to use based on cert type
-  case $nginx_cert_type {
-    'puppet': {
-      $selected_ssl_cert = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt"
-      $selected_ssl_key  = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key"
-    }
-    'vault': {
-      $selected_ssl_cert = '/etc/pki/tls/vault/certificate.crt'
-      $selected_ssl_key  = '/etc/pki/tls/vault/private.key'
-    }
-    default: {
-      # enum param prevents this ever being reached
-    }
-  }
-
-  # set variables based on the listen_mode
-  case $nginx_listen_mode {
-    'http': {
-      $enable_ssl = false
-      $ssl_cert = undef
-      $ssl_key = undef
-      $listen_port = $nginx_port
-      $listen_ssl_port = undef
-      $extras_hash = {}
-    }
-    'https': {
-      $enable_ssl = true
-      $ssl_cert = $selected_ssl_cert
-      $ssl_key = $selected_ssl_key
-      $listen_port = $nginx_ssl_port
-      $listen_ssl_port = $nginx_ssl_port
-      $extras_hash = {
-        'subscribe' => [File[$ssl_cert], File[$ssl_key]],
-      }
-    }
-    'both': {
-      $enable_ssl = true
-      $ssl_cert = $selected_ssl_cert
-      $ssl_key = $selected_ssl_key
-      $listen_port = $nginx_port
-      $listen_ssl_port = $nginx_ssl_port
-      $extras_hash = {
-        'subscribe' => [File[$ssl_cert], File[$ssl_key]],
-      }
-    }
-    default: {
-      # enum param prevents this ever being reached
-    }
-  }
-
-  # define the default parameters for the nginx server
-  $defaults = {
-    'listen_port'          => $listen_port,
-    'server_name'          => $server_names,
-    'use_default_location' => true,
-    'access_log'           => "/var/log/nginx/${nginx_vhost}_access.log",
-    'error_log'            => "/var/log/nginx/${nginx_vhost}_error.log",
-    'autoindex'            => 'on',
-    'ssl'                  => $enable_ssl,
-    'ssl_cert'             => $ssl_cert,
-    'ssl_key'              => $ssl_key,
-    'ssl_port'             => $listen_ssl_port,
-    'proxy'                => "http://${facts['networking']['ip']}:8500/",
-  }
-
-  # merge the hashes conditionally
-  $nginx_parameters = merge($defaults, $extras_hash)
-
-  # manage the nginx class
-  include 'nginx'
-
-  # create the nginx vhost with the merged parameters
-  create_resources('nginx::resource::server', { $nginx_vhost => $nginx_parameters })
-
-  # manage selinux
-  if $::facts['os']['selinux']['config_mode'] == 'enforcing' {
-
-    # make sure nginx can reverse proxy
-    selboolean { 'httpd_can_network_connect':
-      persistent => true,
-      value      => 'on',
-    }
-
-  }
-}

site/profiles/manifests/consul/server.pp

@@ -106,7 +106,7 @@ class profiles::consul::server (
   if defined(Class['consul']) {
 
     # include nginx, policies and tokens
-    include profiles::consul::nginx
+    include profiles::nginx::simpleproxy
     include profiles::consul::policies
     include profiles::consul::tokens
 

site/profiles/manifests/nginx/simpleproxy.pp

@@ -0,0 +1,116 @@
+# profiles::nginx:simpleproxy
+#
+# only one simpleproxy per host, for anything more advanced, use nginx class
+class profiles::nginx::simpleproxy (
+  Stdlib::Fqdn $nginx_vhost = 'localhost',
+  Array[Stdlib::Host] $nginx_aliases = [],
+  Stdlib::Port $nginx_port = 80,
+  Stdlib::Port $nginx_ssl_port = 443,
+  Enum['http','https','both'] $nginx_listen_mode = 'https',
+  Enum['puppet', 'vault'] $nginx_cert_type = 'vault',
+  Enum['http','https'] $proxy_scheme = 'http',
+  Stdlib::Port $proxy_port = 80,
+  Stdlib::Host $proxy_host = $facts['networking']['ip'],
+  String $proxy_path = '/',
+) {
+
+  # if nginx_version isnt set, install nginx
+  if ! $facts['nginx_version'] {
+    package {'nginx':
+      ensure => 'present',
+    }
+
+  # else, configure simple proxy
+  }else{
+
+    # build the proxyurl from proxy_* variables
+    $proxyurl = "${proxy_scheme}://${proxy_host}:${proxy_port}${proxy_path}"
+
+    # set the server_names
+    $server_names = unique([$facts['networking']['fqdn'], $nginx_vhost] + $nginx_aliases)
+
+    # select the certificates to use based on cert type
+    case $nginx_cert_type {
+      'puppet': {
+        $selected_ssl_cert = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt"
+        $selected_ssl_key  = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key"
+      }
+      'vault': {
+        $selected_ssl_cert = '/etc/pki/tls/vault/certificate.crt'
+        $selected_ssl_key  = '/etc/pki/tls/vault/private.key'
+      }
+      default: {
+        # enum param prevents this ever being reached
+      }
+    }
+
+    # set variables based on the listen_mode
+    case $nginx_listen_mode {
+      'http': {
+        $enable_ssl = false
+        $ssl_cert = undef
+        $ssl_key = undef
+        $listen_port = $nginx_port
+        $listen_ssl_port = undef
+        $extras_hash = {}
+      }
+      'https': {
+        $enable_ssl = true
+        $ssl_cert = $selected_ssl_cert
+        $ssl_key = $selected_ssl_key
+        $listen_port = $nginx_ssl_port
+        $listen_ssl_port = $nginx_ssl_port
+        $extras_hash = {
+          'subscribe' => [File[$ssl_cert], File[$ssl_key]],
+        }
+      }
+      'both': {
+        $enable_ssl = true
+        $ssl_cert = $selected_ssl_cert
+        $ssl_key = $selected_ssl_key
+        $listen_port = $nginx_port
+        $listen_ssl_port = $nginx_ssl_port
+        $extras_hash = {
+          'subscribe' => [File[$ssl_cert], File[$ssl_key]],
+        }
+      }
+      default: {
+        # enum param prevents this ever being reached
+      }
+    }
+
+    # define the default parameters for the nginx server
+    $defaults = {
+      'listen_port'          => $listen_port,
+      'server_name'          => $server_names,
+      'use_default_location' => true,
+      'access_log'           => "/var/log/nginx/${nginx_vhost}_access.log",
+      'error_log'            => "/var/log/nginx/${nginx_vhost}_error.log",
+      'autoindex'            => 'on',
+      'ssl'                  => $enable_ssl,
+      'ssl_cert'             => $ssl_cert,
+      'ssl_key'              => $ssl_key,
+      'ssl_port'             => $listen_ssl_port,
+      'proxy'                => $proxyurl,
+    }
+
+    # merge the hashes conditionally
+    $nginx_parameters = merge($defaults, $extras_hash)
+
+    # manage the nginx class
+    include 'nginx'
+
+    # create the nginx vhost with the merged parameters
+    create_resources('nginx::resource::server', { $nginx_vhost => $nginx_parameters })
+
+    # manage selinux
+    if $::facts['os']['selinux']['config_mode'] == 'enforcing' {
+
+      # make sure nginx can reverse proxy
+      selboolean { 'httpd_can_network_connect':
+        persistent => true,
+        value      => 'on',
+      }
+    }
+  }
+}

site/profiles/manifests/vault/nginx.pp

@@ -1,97 +0,0 @@
-# profiles::vault::nginx
-class profiles::vault::nginx (
-  String       $nginx_vhost = 'vault.service.consul',
-  Stdlib::Port $nginx_port = 80,
-  Stdlib::Port $nginx_ssl_port = 443,
-  Enum['http','https','both'] $nginx_listen_mode = 'https',
-  Enum['puppet', 'vault'] $nginx_cert_type = 'vault'
-) {
-
-  # set the server_names
-  $server_names = [$facts['networking']['fqdn'], $nginx_vhost, 'vault', 'vault.main.unkin.net']
-
-  # select the certificates to use based on cert type
-  case $nginx_cert_type {
-    'puppet': {
-      $selected_ssl_cert = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt"
-      $selected_ssl_key  = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key"
-    }
-    'vault': {
-      $selected_ssl_cert = '/etc/pki/tls/vault/certificate.crt'
-      $selected_ssl_key  = '/etc/pki/tls/vault/private.key'
-    }
-    default: {
-      # enum param prevents this ever being reached
-    }
-  }
-
-  # set variables based on the listen_mode
-  case $nginx_listen_mode {
-    'http': {
-      $enable_ssl = false
-      $ssl_cert = undef
-      $ssl_key = undef
-      $listen_port = $nginx_port
-      $listen_ssl_port = undef
-      $extras_hash = {}
-    }
-    'https': {
-      $enable_ssl = true
-      $ssl_cert = $selected_ssl_cert
-      $ssl_key = $selected_ssl_key
-      $listen_port = $nginx_ssl_port
-      $listen_ssl_port = $nginx_ssl_port
-      $extras_hash = {
-        'subscribe' => [File[$ssl_cert], File[$ssl_key]],
-      }
-    }
-    'both': {
-      $enable_ssl = true
-      $ssl_cert = $selected_ssl_cert
-      $ssl_key = $selected_ssl_key
-      $listen_port = $nginx_port
-      $listen_ssl_port = $nginx_ssl_port
-      $extras_hash = {
-        'subscribe' => [File[$ssl_cert], File[$ssl_key]],
-      }
-    }
-    default: {
-      # enum param prevents this ever being reached
-    }
-  }
-
-  # define the default parameters for the nginx server
-  $defaults = {
-    'listen_port'          => $listen_port,
-    'server_name'          => $server_names,
-    'use_default_location' => true,
-    'access_log'           => "/var/log/nginx/${nginx_vhost}_access.log",
-    'error_log'            => "/var/log/nginx/${nginx_vhost}_error.log",
-    'autoindex'            => 'on',
-    'ssl'                  => $enable_ssl,
-    'ssl_cert'             => $ssl_cert,
-    'ssl_key'              => $ssl_key,
-    'ssl_port'             => $listen_ssl_port,
-    'proxy'                => "http://${facts['networking']['ip']}:8200/",
-  }
-
-  # merge the hashes conditionally
-  $nginx_parameters = merge($defaults, $extras_hash)
-
-  # manage the nginx class
-  include 'nginx'
-
-  # create the nginx vhost with the merged parameters
-  create_resources('nginx::resource::server', { $nginx_vhost => $nginx_parameters })
-
-  # manage selinux
-  if $::facts['os']['selinux']['config_mode'] == 'enforcing' {
-
-    # make sure nginx can reverse proxy
-    selboolean { 'httpd_can_network_connect':
-      persistent => true,
-      value      => 'on',
-    }
-
-  }
-}

site/profiles/manifests/vault/server.pp

@@ -91,6 +91,6 @@ class profiles::vault::server (
 
     # include classes to manage vault
     include profiles::vault::unseal
-    include profiles::vault::nginx
+    include profiles::nginx::simpleproxy
   }
 }