From e20f3bc372a8080ebd0fc45b29cc0c2ddd0013bb Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Fri, 5 Jul 2024 22:49:22 +1000
Subject: [PATCH] nginx authproxy module
---
modules/nginxproxy/manifests/authproxy.pp | 15 +++++
modules/nginxproxy/manifests/config.pp | 67 +++++++++++++++++++++++
modules/nginxproxy/manifests/init.pp | 38 +++++++++++++
modules/nginxproxy/manifests/locations.pp | 10 ++++
modules/nginxproxy/manifests/params.pp | 18 ++++++
modules/nginxproxy/manifests/selinux.pp | 9 +++
6 files changed, 157 insertions(+)
create mode 100644 modules/nginxproxy/manifests/authproxy.pp
create mode 100644 modules/nginxproxy/manifests/config.pp
create mode 100644 modules/nginxproxy/manifests/init.pp
create mode 100644 modules/nginxproxy/manifests/locations.pp
create mode 100644 modules/nginxproxy/manifests/params.pp
create mode 100644 modules/nginxproxy/manifests/selinux.pp
diff --git a/modules/nginxproxy/manifests/authproxy.pp b/modules/nginxproxy/manifests/authproxy.pp
new file mode 100644
index 0000000..f5033a8
--- /dev/null
+++ b/modules/nginxproxy/manifests/authproxy.pp
@@ -0,0 +1,15 @@
+class nginxproxy::authproxy {
+ file { $nginxproxy::auth_ldap_config:
+ ensure => file,
+ content => epp('nginxproxy/auth-ldap.py.epp', {
+ 'params' => $nginxproxy::auth_ldap_params
+ }
+ ),
+ mode => '0644',
+ }
+
+ #package { 'nginx-auth-ldap':
+ # ensure => 'present',
+ # provider => 'pip',
+ #}
+}
diff --git a/modules/nginxproxy/manifests/config.pp b/modules/nginxproxy/manifests/config.pp
new file mode 100644
index 0000000..27b434d
--- /dev/null
+++ b/modules/nginxproxy/manifests/config.pp
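Review bot: The file resource writes `$nginxproxy::auth_ldap_config` with `mode => '0644'`, so whatever `auth_ldap_params` renders into it is world-readable; LDAP auth helpers of this kind normally carry a bind DN and bind password in their config, and if that is the case here the file should be readable only by the service account, e.g. `owner => 'root', group => '<service-group>', mode => '0640',` together with `show_diff => false,` so the contents do not surface in agent reports or diffs. The template is named `auth-ldap.py.epp` while the default target in params.pp is `/etc/nginx/auth-ldap.conf`; one of the two names looks wrong and should be confirmed. The commented-out `package { 'nginx-auth-ldap': ... }` block should either be removed or replaced by a comment explaining why the package is not managed here. Nothing in the hunk notifies a service when the config changes, so if a resource for the auth daemon exists elsewhere, a `notify` on this file is worth adding.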
@@ -0,0 +1,67 @@
+# manage configuration for nginxproxy
+class nginxproxy::config {
+ $proxyurl = "${nginxproxy::proxy_scheme}://${nginxproxy::proxy_host}:${nginxproxy::proxy_port}${nginxproxy::proxy_path}"
+ $server_names = unique([$facts['networking']['fqdn'], $nginxproxy::nginx_vhost] + $nginxproxy::nginx_aliases)
+
+ case $nginxproxy::nginx_cert_type {
+ 'vault': {
+ $selected_ssl_cert = '/etc/pki/tls/vault/certificate.crt'
+ $selected_ssl_key = '/etc/pki/tls/vault/private.key'
+ }
+ default: {
+ $selected_ssl_cert = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt"
+ $selected_ssl_key = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key"
+ }
+ }
+
+ case $nginxproxy::nginx_listen_mode {
+ 'http': {
+ $enable_ssl = false
+ $ssl_cert = undef
+ $ssl_key = undef
+ $listen_port = $nginxproxy::nginx_port
+ $listen_ssl_port = undef
+ $extras_hash = {}
+ }
+ 'https': {
+ $enable_ssl = true
+ $ssl_cert = $selected_ssl_cert
+ $ssl_key = $selected_ssl_key
+ $listen_port = $nginxproxy::nginx_ssl_port
+ $listen_ssl_port = $nginxproxy::nginx_ssl_port
+ $extras_hash = {
+ 'subscribe' => [File[$ssl_cert], File[$ssl_key]],
+ }
+ }
+ default: {
+ $enable_ssl = true
+ $ssl_cert = $selected_ssl_cert
+ $ssl_key = $selected_ssl_key
+ $listen_port = $nginxproxy::nginx_port
+ $listen_ssl_port = $nginxproxy::nginx_ssl_port
+ $extras_hash = {
+ 'subscribe' => [File[$ssl_cert], File[$ssl_key]],
+ }
+ }
+ }
+
+ $defaults = {
+ 'listen_port' => $listen_port,
+ 'server_name' => $server_names,
+ 'use_default_location' => true,
+ 'access_log' => "/var/log/nginx/${nginxproxy::nginx_vhost}_access.log",
+ 'error_log' => "/var/log/nginx/${nginxproxy::nginx_vhost}_error.log",
+ 'autoindex' => 'on',
+ 'ssl' => $enable_ssl,
+ 'ssl_cert' => $ssl_cert,
+ 'ssl_key' => $ssl_key,
+ 'ssl_port' => $listen_ssl_port,
+ 'proxy' => $proxyurl,
+ }
+
+ $nginx_parameters = merge($defaults, $extras_hash)
+
+ include 'nginx'
+
+ create_resources('nginx::resource::server', { $nginxproxy::nginx_vhost => $nginx_parameters })
+}
diff --git a/modules/nginxproxy/manifests/init.pp b/modules/nginxproxy/manifests/init.pp
new file mode 100644
index 0000000..0342cce
--- /dev/null
+++ b/modules/nginxproxy/manifests/init.pp
@@ -0,0 +1,38 @@
+# manage a nginx proxy with a wraoper module
+class nginxproxy (
+ Stdlib::Fqdn $nginx_vhost = $nginxproxy::params::nginx_vhost,
+ Array[Stdlib::Host] $nginx_aliases = $nginxproxy::params::nginx_aliases,
+ Stdlib::Port $nginx_port = $nginxproxy::params::nginx_port,
+ Stdlib::Port $nginx_ssl_port = $nginxproxy::params::nginx_ssl_port,
+ Enum['http','https','both'] $nginx_listen_mode = $nginxproxy::params::nginx_listen_mode,
+ Enum['puppet', 'vault'] $nginx_cert_type = $nginxproxy::params::nginx_cert_type,
+ Enum['http','https'] $proxy_scheme = $nginxproxy::params::proxy_scheme,
+ Stdlib::Port $proxy_port = $nginxproxy::params::proxy_port,
+ Stdlib::Host $proxy_host = $nginxproxy::params::proxy_host,
+ String $proxy_path = $nginxproxy::params::proxy_path,
+ Boolean $simple_mode = $nginxproxy::params::simple_mode,
+ Array[Hash] $locations = $nginxproxy::params::locations,
+ Boolean $manage_auth_ldap = $nginxproxy::params::manage_auth_ldap,
+ Stdlib::Absolutepath $auth_ldap_config = $nginxproxy::params::auth_ldap_config,
+ Hash $auth_ldap_params = $nginxproxy::params::auth_ldap_params,
+) {
+
+ if ! $facts['nginx_version'] {
+ package { 'nginx':
+ ensure => 'present',
+ }
+ } else {
+ include nginxproxy::config
+ include nginxproxy::selinux
+
+ if $manage_auth_ldap {
+ include nginxproxy::authproxy
+ }
+
+ if ! $simple_mode {
+ nginxproxy::locations { 'default':
+ locations => $locations,
+ }
+ }
+ }
+}
diff --git a/modules/nginxproxy/manifests/locations.pp b/modules/nginxproxy/manifests/locations.pp
new file mode 100644
index 0000000..a179dc2
--- /dev/null
+++ b/modules/nginxproxy/manifests/locations.pp
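Review bot: `'autoindex' => 'on'` in `$defaults` enables directory listings at the server level, which a reverse-proxy vhost has no use for and which would expose the document root through any location that is not proxied; set `'autoindex' => 'off',` or drop the key. The `subscribe` entries name `File[$ssl_cert]` and `File[$ssl_key]`, so the catalog must declare those two resources for both the vault and the puppet paths or compilation fails; the class that manages them should be named in a comment next to the `case`. The `'both'` listen mode is handled by the unlabelled `default:` branch, which deserves a one-line comment saying so. As a matter of style, the single-entry `create_resources` call can be a plain declaration, `nginx::resource::server { $nginxproxy::nginx_vhost: * => $nginx_parameters }`, and `merge($defaults, $extras_hash)` can be `$defaults + $extras_hash`.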
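Review bot: The class takes every parameter default from `$nginxproxy::params::*` but does not declare `inherits nginxproxy::params`, so nothing guarantees that class has been evaluated when the defaults are resolved and the typed parameters can fail with undef values; the usual fix is `class nginxproxy ( ... ) inherits nginxproxy::params {`. The `if ! $facts['nginx_version']` gate means a node without nginx gets only the package on the first run and no vhost, SELinux boolean or auth config until the next agent run, during which nginx serves its stock default site; since `nginxproxy::config` already does `include 'nginx'` and that module appears to manage the package itself, the gate can probably be dropped — confirm that the nginx module's package resource does not conflict with the one declared here. The header comment has a typo, `wraoper` → `wrapper`.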
@@ -0,0 +1,10 @@
+define nginxproxy::locations (
+ Array[Hash] $locations = [],
+) {
+ $locations.each |$location| {
+ nginx::resource::location { $location['path']:
+ server => $nginxproxy::nginx_vhost,
+ proxy => $location['proxy'],
+ }
+ }
+}
diff --git a/modules/nginxproxy/manifests/params.pp b/modules/nginxproxy/manifests/params.pp
new file mode 100644
index 0000000..8b8e6e9
--- /dev/null
+++ b/modules/nginxproxy/manifests/params.pp
@@ -0,0 +1,18 @@
+# nginxproxy params
+class nginxproxy::params (
+ Stdlib::Fqdn $nginx_vhost = 'localhost',
+ Array[Stdlib::Host] $nginx_aliases = [],
+ Stdlib::Port $nginx_port = 80,
+ Stdlib::Port $nginx_ssl_port = 443,
+ Enum['http','https','both'] $nginx_listen_mode = 'https',
+ Enum['puppet', 'vault'] $nginx_cert_type = 'vault',
+ Enum['http','https'] $proxy_scheme = 'http',
+ Stdlib::Port $proxy_port = 80,
+ Stdlib::Host $proxy_host = $facts['networking']['ip'],
+ String $proxy_path = '/',
+ Boolean $simple_mode = true,
+ Array[Hash] $locations = [],
+ Boolean $manage_auth_ldap = false,
+ Stdlib::Absolutepath $auth_ldap_config = '/etc/nginx/auth-ldap.conf',
+ Hash $auth_ldap_params = {},
+){}
diff --git a/modules/nginxproxy/manifests/selinux.pp b/modules/nginxproxy/manifests/selinux.pp
new file mode 100644
index 0000000..f505bcb
--- /dev/null
+++ b/modules/nginxproxy/manifests/selinux.pp
@@ -0,0 +1,9 @@
+# manage selinux for nginxproxy
+class nginxproxy::selinux {
+ if $::facts['os']['selinux']['config_mode'] == 'enforcing' {
+ selboolean { 'httpd_can_network_connect':
+ persistent => true,
+ value => 'on',
+ }
+ }
+}
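Review bot: The define reads `$location['path']` and `$location['proxy']` from an `Array[Hash]` without checking that either key exists, so an entry missing `path` yields an undef resource title and an unhelpful compile error; typing the parameter as `Array[Struct[{ path => String, proxy => String }]] $locations = [],` rejects malformed entries at the boundary. It also reaches into the enclosing class for `server => $nginxproxy::nginx_vhost`, which silently ties the define to `nginxproxy`; taking the server name as a parameter whose default is that value keeps the current behaviour while making the dependency explicit.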
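Review bot: The guard `$::facts['os']['selinux']['config_mode'] == 'enforcing'` tests the mode written in the SELinux config file, not the mode the kernel is actually running, so a host booted permissive or switched at runtime is not covered and a permissive host keeps logging denials; the boolean is harmless when SELinux is not enforcing, so gating on `$facts['os']['selinux']['enabled']` (or `current_mode`) is both simpler and more robust. `httpd_can_network_connect` lets nginx open outbound connections to any port; if the proxy backends and the auth helper only listen on ports labelled `http_port_t`, the narrower `httpd_can_network_relay` boolean is the least-privilege choice, and whichever is kept deserves a comment stating why. `$::facts` is the legacy top-scope spelling; `$facts[...]` is the current form.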