From bf729d9b114019e8debd3b847cf266c095165a33 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Mon, 11 Dec 2023 22:14:45 +1100
Subject: [PATCH] feat: add selinux support to puppetboard - required to allow nginx to reach puppetdb
---
 site/profiles/manifests/puppet/puppetboard.pp | 11 ++++++++++
 site/profiles/manifests/selinux/nginx.pp | 22 +++++++++++++++++++
 2 files changed, 33 insertions(+)
 create mode 100644 site/profiles/manifests/selinux/nginx.pp
diff --git a/site/profiles/manifests/puppet/puppetboard.pp b/site/profiles/manifests/puppet/puppetboard.pp
index 0085eb5..5d229a0 100644
--- a/site/profiles/manifests/puppet/puppetboard.pp
+++ b/site/profiles/manifests/puppet/puppetboard.pp
@@ -20,6 +20,7 @@ class profiles::puppet::puppetboard (
 Integer $gunicorn_threads = 4,
 String $nginx_vhost = 'puppetboard.main.unkin.net',
 Integer $nginx_port = 80,
+ Boolean $selinux = true,
 #String[1] $secret_key = "${fqdn_rand_string(32)}",
 ) {
 
@@ -120,4 +121,14 @@ class profiles::puppet::puppetboard (
 server => $nginx_vhost,
 location_alias => "${virtualenv_dir}/lib/python${python_version}/site-packages/puppetboard/static",
 }
+
+
+ # if selinux is defined, manage it
+ if $selinux {
+
+ # call the nginx selinux class
+ class { 'profiles::selinux::nginx':
+ require => Class['Nginx'],
+ }
+ }
 }
diff --git a/site/profiles/manifests/selinux/nginx.pp b/site/profiles/manifests/selinux/nginx.pp
new file mode 100644
index 0000000..2c8f585
--- /dev/null
+++ b/site/profiles/manifests/selinux/nginx.pp
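Review bot: The `if $selinux {` guard in the second hunk keys only on the new class parameter, whose default in the first hunk is `true`, so a node with SELinux absent or disabled still declares `profiles::selinux::nginx` and its `selboolean` and setenforce resources, which have nothing to act on there. Guarding on the node's state as well, `if $selinux and $facts['os']['selinux']['enabled'] {`, keeps the default safe on such nodes (assuming Facter's structured `os.selinux` fact is present on this fleet). `require => Class['Nginx']` also orders the SELinux class after the nginx class, so on a first run under enforcing mode nginx can already be serving before its outbound connect is permitted; if that matters for bootstrapping, order the SELinux class before the nginx service rather than after the whole nginx class. The enclosing class `profiles::puppet::puppetboard` starts outside the hunk; its closing brace is the last context line.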
@@ -0,0 +1,22 @@
+# profiles::selinux::nginx
+# selinux settings for nginx
+class profiles::selinux::nginx (
+ Boolean $persistent = true,
+ Boolean $httpd_can_network_connect = true,
+ String $selinux_mode = 'enforcing',
+){
+ # include packages that are required
+ include profiles::packages::selinux
+
+ # setenforce
+ class { 'profiles::selinux::setenforce':
+ mode => $selinux_mode,
+ }
+
+ # make sure we can connect to network resources
+ selboolean { 'httpd_can_network_connect':
+ persistent => $persistent,
+ value => $httpd_can_network_connect,
+ }
+}
+
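Review bot: `class { 'profiles::selinux::setenforce': mode => $selinux_mode, }` is a resource-like declaration of a node-wide setting inside a service-specific profile: any other profile on the same node that also declares `profiles::selinux::setenforce` fails with a duplicate declaration, and a class named for nginx silently decides the whole node's enforcement mode, with `enforcing` as the default. Keeping the mode in a node-level profile (or Hiera) and writing `include profiles::selinux::setenforce` here avoids both problems and leaves this class responsible only for the nginx boolean. The header comment should also state the scope of what the boolean grants, e.g. `# httpd_can_network_connect lets the httpd SELinux domain initiate connections to any remote port, not only puppetdb; it is the coarsest grant that lets nginx proxy upstream`, so a later reader can judge whether a narrower policy is warranted. The class is complete within the hunk.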