2024-06-01 14:48:48 +10:00
2 changed files with 57 additions and 2 deletions
--- a/hieradata/roles/infra/reposync/syncer.yaml
+++ b/hieradata/roles/infra/reposync/syncer.yaml
@ -2,6 +2,11 @@
 profiles::packages::install:
  - createrepo

+profiles::pki::vault::alt_names:
+  - repos.main.unkin.net
+
+profiles::reposync::webserver::nginx_listen_mode: both
+profiles::reposync::webserver::nginx_cert_type: vault
 profiles::reposync::repos_list:
  almalinux_8_9_baseos:
    repository: 'BaseOS'
--- a/site/profiles/manifests/reposync/webserver.pp
+++ b/site/profiles/manifests/reposync/webserver.pp
@ -2,21 +2,71 @@
 class profiles::reposync::webserver (
  String  $www_root = '/data/repos/snap',
  String  $nginx_vhost = 'repos.main.unkin.net',
-  Integer $nginx_port = 80,
+  Stdlib::Port $nginx_port = 80,
+  Stdlib::Port $nginx_ssl_port = 443,
  Boolean $favicon = true,
+  Enum['http','https','both'] $nginx_listen_mode = 'http',
+  Enum['puppet', 'vault'] $nginx_cert_type = 'vault'
 ) {

+  # select the certificates to use based on cert type
+  case $nginx_cert_type {
+    'puppet': {
+      $selected_ssl_cert = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt"
+      $selected_ssl_key  = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key"
+    }
+    'vault': {
+      $selected_ssl_cert = '/etc/pki/tls/vault/certificate.crt'
+      $selected_ssl_key  = '/etc/pki/tls/vault/private.key'
+    }
+    default: {
+      # enum param prevents this ever being reached
+    }
+  }
+
+  # set variables based on the listen_mode
+  case $nginx_listen_mode {
+    'http': {
+      $enable_ssl = false
+      $ssl_cert = undef
+      $ssl_key = undef
+      $listen_port = $nginx_port
+      $listen_ssl_port = undef
+    }
+    'https': {
+      $enable_ssl = true
+      $ssl_cert = $selected_ssl_cert
+      $ssl_key = $selected_ssl_key
+      $listen_port = $nginx_ssl_port
+      $listen_ssl_port = $nginx_ssl_port
+    }
+    'both': {
+      $enable_ssl = true
+      $ssl_cert = $selected_ssl_cert
+      $ssl_key = $selected_ssl_key
+      $listen_port = $nginx_port
+      $listen_ssl_port = $nginx_ssl_port
+    }
+    default: {
+      # enum param prevents this ever being reached
+    }
+  }
+
  class { 'nginx': }

  # create the nginx vhost
  nginx::resource::server { $nginx_vhost:
-    listen_port          => $nginx_port,
+    listen_port          => $listen_port,
    server_name          => [$nginx_vhost],
    use_default_location => true,
    access_log           => "/var/log/nginx/${nginx_vhost}_access.log",
    error_log            => "/var/log/nginx/${nginx_vhost}_error.log",
    www_root             => $www_root,
    autoindex            => 'on',
+    ssl                  => $enable_ssl,
+    ssl_cert             => $ssl_cert,
+    ssl_key              => $ssl_key,
+    ssl_port             => $listen_ssl_port,
  }

  if $favicon {