Ben Vincent
6fc5829fce
- merge consul/vault nginx proxy into single class - replace nginx proxy classes for consul/vault with simpleproxy class
117 lines
3.6 KiB
Puppet
117 lines
3.6 KiB
Puppet
# profiles::nginx:simpleproxy
|
|
#
|
|
# only one simpleproxy per host, for anything more advanced, use nginx class
|
|
class profiles::nginx::simpleproxy (
|
|
Stdlib::Fqdn $nginx_vhost = 'localhost',
|
|
Array[Stdlib::Host] $nginx_aliases = [],
|
|
Stdlib::Port $nginx_port = 80,
|
|
Stdlib::Port $nginx_ssl_port = 443,
|
|
Enum['http','https','both'] $nginx_listen_mode = 'https',
|
|
Enum['puppet', 'vault'] $nginx_cert_type = 'vault',
|
|
Enum['http','https'] $proxy_scheme = 'http',
|
|
Stdlib::Port $proxy_port = 80,
|
|
Stdlib::Host $proxy_host = $facts['networking']['ip'],
|
|
String $proxy_path = '/',
|
|
) {
|
|
|
|
# if nginx_version isnt set, install nginx
|
|
if ! $facts['nginx_version'] {
|
|
package {'nginx':
|
|
ensure => 'present',
|
|
}
|
|
|
|
# else, configure simple proxy
|
|
}else{
|
|
|
|
# build the proxyurl from proxy_* variables
|
|
$proxyurl = "${proxy_scheme}://${proxy_host}:${proxy_port}${proxy_path}"
|
|
|
|
# set the server_names
|
|
$server_names = unique([$facts['networking']['fqdn'], $nginx_vhost] + $nginx_aliases)
|
|
|
|
# select the certificates to use based on cert type
|
|
case $nginx_cert_type {
|
|
'puppet': {
|
|
$selected_ssl_cert = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt"
|
|
$selected_ssl_key = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key"
|
|
}
|
|
'vault': {
|
|
$selected_ssl_cert = '/etc/pki/tls/vault/certificate.crt'
|
|
$selected_ssl_key = '/etc/pki/tls/vault/private.key'
|
|
}
|
|
default: {
|
|
# enum param prevents this ever being reached
|
|
}
|
|
}
|
|
|
|
# set variables based on the listen_mode
|
|
case $nginx_listen_mode {
|
|
'http': {
|
|
$enable_ssl = false
|
|
$ssl_cert = undef
|
|
$ssl_key = undef
|
|
$listen_port = $nginx_port
|
|
$listen_ssl_port = undef
|
|
$extras_hash = {}
|
|
}
|
|
'https': {
|
|
$enable_ssl = true
|
|
$ssl_cert = $selected_ssl_cert
|
|
$ssl_key = $selected_ssl_key
|
|
$listen_port = $nginx_ssl_port
|
|
$listen_ssl_port = $nginx_ssl_port
|
|
$extras_hash = {
|
|
'subscribe' => [File[$ssl_cert], File[$ssl_key]],
|
|
}
|
|
}
|
|
'both': {
|
|
$enable_ssl = true
|
|
$ssl_cert = $selected_ssl_cert
|
|
$ssl_key = $selected_ssl_key
|
|
$listen_port = $nginx_port
|
|
$listen_ssl_port = $nginx_ssl_port
|
|
$extras_hash = {
|
|
'subscribe' => [File[$ssl_cert], File[$ssl_key]],
|
|
}
|
|
}
|
|
default: {
|
|
# enum param prevents this ever being reached
|
|
}
|
|
}
|
|
|
|
# define the default parameters for the nginx server
|
|
$defaults = {
|
|
'listen_port' => $listen_port,
|
|
'server_name' => $server_names,
|
|
'use_default_location' => true,
|
|
'access_log' => "/var/log/nginx/${nginx_vhost}_access.log",
|
|
'error_log' => "/var/log/nginx/${nginx_vhost}_error.log",
|
|
'autoindex' => 'on',
|
|
'ssl' => $enable_ssl,
|
|
'ssl_cert' => $ssl_cert,
|
|
'ssl_key' => $ssl_key,
|
|
'ssl_port' => $listen_ssl_port,
|
|
'proxy' => $proxyurl,
|
|
}
|
|
|
|
# merge the hashes conditionally
|
|
$nginx_parameters = merge($defaults, $extras_hash)
|
|
|
|
# manage the nginx class
|
|
include 'nginx'
|
|
|
|
# create the nginx vhost with the merged parameters
|
|
create_resources('nginx::resource::server', { $nginx_vhost => $nginx_parameters })
|
|
|
|
# manage selinux
|
|
if $::facts['os']['selinux']['config_mode'] == 'enforcing' {
|
|
|
|
# make sure nginx can reverse proxy
|
|
selboolean { 'httpd_can_network_connect':
|
|
persistent => true,
|
|
value => 'on',
|
|
}
|
|
}
|
|
}
|
|
}
|