unkin/puppet-prod
2
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request 'feat: change nginx to use vault ssl certs' (#128) from neoloc/packagerepo_ssl into develop

Browse Source 
Reviewed-on: unkinben/puppet-prod#128
This commit is contained in:
Ben Vincent 2024-03-03 13:34:04 +09:30
commit df97b75aca
2 changed files with 57 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
hieradata/roles/infra/reposync/syncer.yaml
View File

@ -2,6 +2,11 @@
profiles::packages::install: profiles::packages::install:
- createrepo - createrepo
profiles::pki::vault::alt_names:
- repos.main.unkin.net
profiles::reposync::webserver::nginx_listen_mode: both
profiles::reposync::webserver::nginx_cert_type: vault
profiles::reposync::repos_list: profiles::reposync::repos_list:
almalinux_8_9_baseos: almalinux_8_9_baseos:
repository: 'BaseOS' repository: 'BaseOS'

54
site/profiles/manifests/reposync/webserver.pp
View File

@ -2,21 +2,71 @@
class profiles::reposync::webserver ( class profiles::reposync::webserver (
String $www_root = '/data/repos/snap', String $www_root = '/data/repos/snap',
String $nginx_vhost = 'repos.main.unkin.net', String $nginx_vhost = 'repos.main.unkin.net',
Integer $nginx_port = 80, Stdlib::Port $nginx_port = 80,
Stdlib::Port $nginx_ssl_port = 443,
Boolean $favicon = true, Boolean $favicon = true,
Enum['http','https','both'] $nginx_listen_mode = 'http',
Enum['puppet', 'vault'] $nginx_cert_type = 'vault'
) { ) {
# select the certificates to use based on cert type
case $nginx_cert_type {
'puppet': {
$selected_ssl_cert = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt"
$selected_ssl_key = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key"
}
'vault': {
$selected_ssl_cert = '/etc/pki/tls/vault/certificate.crt'
$selected_ssl_key = '/etc/pki/tls/vault/private.key'
}
default: {
# enum param prevents this ever being reached
}
}
# set variables based on the listen_mode
case $nginx_listen_mode {
'http': {
$enable_ssl = false
$ssl_cert = undef
$ssl_key = undef
$listen_port = $nginx_port
$listen_ssl_port = undef
}
'https': {
$enable_ssl = true
$ssl_cert = $selected_ssl_cert
$ssl_key = $selected_ssl_key
$listen_port = $nginx_ssl_port
$listen_ssl_port = $nginx_ssl_port
}
'both': {
$enable_ssl = true
$ssl_cert = $selected_ssl_cert
$ssl_key = $selected_ssl_key
$listen_port = $nginx_port
$listen_ssl_port = $nginx_ssl_port
}
default: {
# enum param prevents this ever being reached
}
}
class { 'nginx': } class { 'nginx': }
# create the nginx vhost # create the nginx vhost
nginx::resource::server { $nginx_vhost: nginx::resource::server { $nginx_vhost:
listen_port => $nginx_port, listen_port => $listen_port,
server_name => [$nginx_vhost], server_name => [$nginx_vhost],
use_default_location => true, use_default_location => true,
access_log => "/var/log/nginx/${nginx_vhost}_access.log", access_log => "/var/log/nginx/${nginx_vhost}_access.log",
error_log => "/var/log/nginx/${nginx_vhost}_error.log", error_log => "/var/log/nginx/${nginx_vhost}_error.log",
www_root => $www_root, www_root => $www_root,
autoindex => 'on', autoindex => 'on',
ssl => $enable_ssl,
ssl_cert => $ssl_cert,
ssl_key => $ssl_key,
ssl_port => $listen_ssl_port,
} }
if $favicon { if $favicon {