puppet-prod/site/profiles/manifests/puppet/puppetboard.pp
Ben Vincent 40c57ede59 feat: add ci build task (#342)
- a ci workflow for build tests
- run pre-commit against all files

Reviewed-on: #342
2025-07-08 20:19:36 +10:00


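# Class: profiles::puppet::puppetboard
#
# @summary Manages Puppetboard, a web interface to PuppetDB.
#
# Declares the `puppetboard` class, installs gunicorn into its virtualenv,
# copies the node's Puppet private key for the PuppetDB client connection,
# runs the app as a systemd unit, fronts it with an nginx vhost and registers
# the vhost as a HAProxy backend member.
#
# @param python_version      Passed to `puppetboard`; also used to build the static-files path.
# @param manage_virtualenv   Passed to `puppetboard`.
# @param reports_count       Passed to `puppetboard`.
# @param offline_mode        Passed to `puppetboard`.
# @param default_environment Passed to `puppetboard`.
# @param puppetdb_host       PuppetDB host passed to `puppetboard` (port is fixed at 8081 below).
# @param basedir             Install root; the ssl directory is created beneath it.
# @param virtualenv_dir      Virtualenv that receives gunicorn and the start script.
# @param settings_file       Passed to `puppetboard`.
# @param user                Owner of the ssl directory, key copy and start script.
# @param group               Group of the ssl directory, key copy and start script.
# @param gunicorn_bind       Address nginx proxies to (joined with gunicorn_bind_prefix).
# @param gunicorn_bind_prefix Scheme prefix for the nginx proxy target.
# @param gunicorn_workers    Not referenced in this manifest; presumably read by the ERB templates.
# @param gunicorn_threads    Not referenced in this manifest; presumably read by the ERB templates.
# @param nginx_port          Listen port of the vhost and port of the HAProxy member.
# @param nginx_vhost         Primary server name and title of the nginx server resource.
# @param nginx_aliases       Additional server names for the vhost.
# @param secret_key          Passed to `puppetboard` as its secret key. Override this from an
#                            encrypted Hiera value: the default comes from fqdn_rand_string(),
#                            which is derived from the node's FQDN and is therefore reproducible
#                            by anyone who knows the hostname.
#
class profiles::puppet::puppetboard (
  String               $python_version       = $facts['python3_release'],
  Boolean              $manage_virtualenv    = false,
  Integer              $reports_count        = 40,
  Boolean              $offline_mode         = true,
  String               $default_environment  = '*',
  String               $puppetdb_host        = lookup('puppetdbapi'),
  Stdlib::Absolutepath $basedir              = '/opt/puppetboard',
  Stdlib::Absolutepath $virtualenv_dir       = "${basedir}/venv",
  Stdlib::Absolutepath $settings_file        = "${basedir}/settings.py",
  String               $user                 = 'puppetboard',
  String               $group                = 'puppetboard',
  String               $gunicorn_bind        = '127.0.0.1:8080',
  String               $gunicorn_bind_prefix = 'http://',
  Integer              $gunicorn_workers     = 1,
  Integer              $gunicorn_threads     = 4,
  Stdlib::Port         $nginx_port           = 80,
  Stdlib::Host         $nginx_vhost          = 'puppetboard.main.unkin.net',
  Array[Stdlib::Host]  $nginx_aliases        = [],
  # NOTE(review): fqdn_rand_string() is deterministic per FQDN, not a secret.
  # Kept as a fallback for compatibility; supply a real value via Hiera.
  String[1]            $secret_key           = fqdn_rand_string(32),
) {
  # Puppet ssl directory and this node's certname.
  # $settings::ssldir is the value where the catalog is compiled, while the
  # key copy below reads from that path on the node applying the catalog.
  # NOTE(review): assumes both sides use the same ssldir - confirm.
  $ssl_dir = $settings::ssldir
  $puppetboard_certname = $trusted['certname']

  # setup the puppetboard venv
  class { 'puppetboard':
    python_version      => $python_version,
    manage_virtualenv   => $manage_virtualenv,
    reports_count       => $reports_count,
    offline_mode        => $offline_mode,
    basedir             => $basedir,
    virtualenv_dir      => $virtualenv_dir,
    settings_file       => $settings_file,
    secret_key          => $secret_key,
    default_environment => $default_environment,
    puppetdb_host       => $puppetdb_host,
    puppetdb_port       => 8081,
    # the key is read from the service-owned copy managed below; the CA and
    # client certificate are read straight from the Puppet ssl directory
    puppetdb_key        => "${basedir}/ssl/${puppetboard_certname}.pem",
    puppetdb_ssl_verify => "${ssl_dir}/certs/ca.pem",
    puppetdb_cert       => "${ssl_dir}/certs/${puppetboard_certname}.pem",
    user                => $user,
    group               => $group,
    notify              => Service['puppetboard.service'],
  }

  # install gunicorn
  # NOTE(review): 'latest' installs whatever version the package index serves
  # at each run; pin a vetted version so upgrades are deliberate and reviewable.
  python::pip { 'puppetboard_gunicorn':
    ensure     => 'latest',
    pkgname    => 'gunicorn',
    virtualenv => $virtualenv_dir,
    require    => Class['puppetboard'],
  }

  # create ssl dir for puppetboard
  file { "${basedir}/ssl":
    ensure  => directory,
    owner   => $user,
    group   => $group,
    mode    => '0750',
    require => Class['puppetboard'],
  }

  # copy the node's private key for puppetboard
  # The mode was 0750; a key file needs no execute bits, so they are dropped.
  # Group read is kept so no existing reader loses access.
  # NOTE(review): tighten to 0600 once it is confirmed only $user reads it.
  # show_diff is disabled so key material never appears in logs or reports.
  file { "${basedir}/ssl/${puppetboard_certname}.pem":
    ensure    => file,
    owner     => $user,
    group     => $group,
    mode      => '0640',
    source    => "${ssl_dir}/private_keys/${puppetboard_certname}.pem",
    show_diff => false,
    require   => File["${basedir}/ssl"],
    notify    => Service['puppetboard.service'],
  }

  # create script to start service
  file { "${virtualenv_dir}/bin/start_puppetboard":
    ensure  => file,
    owner   => $user,
    group   => $group,
    mode    => '0755',
    content => template('profiles/puppet/puppetboard/start_puppetboard.erb'),
    require => Class['puppetboard'],
    notify  => Service['puppetboard.service'],
  }

  # create systemd service unit
  systemd::unit_file { 'puppetboard.service':
    content => template('profiles/puppet/puppetboard/puppetboard.service.erb'),
    active  => true,
    enable  => true,
    require => File["${virtualenv_dir}/bin/start_puppetboard"],
  }

  # ensure the nginx service is managed
  class { 'nginx': }

  $nginx_server_names = unique([$nginx_vhost] + $nginx_aliases)

  # create the nginx vhost
  # NOTE(review): no TLS or authentication is configured on this vhost here,
  # and the default port is 80; confirm both are enforced upstream (for
  # example at the HAProxy tier), since the UI exposes PuppetDB data.
  nginx::resource::server { $nginx_vhost:
    listen_port           => $nginx_port,
    server_name           => $nginx_server_names,
    proxy                 => "${gunicorn_bind_prefix}${gunicorn_bind}",
    proxy_set_header      => [
      'Host $http_host',
      'X-Real-IP $remote_addr',
      'X-Scheme $scheme',
    ],
    proxy_pass_header     => ['Server'],
    proxy_redirect        => 'off',
    proxy_connect_timeout => '10s',
    proxy_read_timeout    => '10s',
  }

  # serve static files from nginx for performance
  nginx::resource::location { "${nginx_vhost}_static":
    location       => '/static',
    server         => $nginx_vhost,
    location_alias => "${virtualenv_dir}/lib/python${python_version}/site-packages/puppetboard/static",
  }

  # export haproxy balancemember
  # The title previously ended in a stray '}', which became part of the
  # resource name; it is now "<fqdn>_<port>".
  profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_${nginx_port}":
    service => 'be_puppetboard',
    ports   => [$nginx_port],
    options => [
      "cookie ${facts['networking']['hostname']}",
      'check',
      'inter 2s',
      'rise 3',
      'fall 2',
    ],
  }

  # Earlier direct export, kept for reference:
  #@@haproxy::balancermember { "${facts['networking']['fqdn']}_${nginx_port}":
  #  listening_service => 'be_puppetboard',
  #  ports             => [$nginx_port],
  #  server_names      => $facts['networking']['hostname'],
  #  ipaddresses       => $facts['networking']['ip'],
  #  options           => [
  #    "cookie ${facts['networking']['hostname']}",
  #    'check',
  #    'inter 2s',
  #    'rise 3',
  #    'fall 2',
  #  ]
  #}

  # when selinux is configured as enforcing, apply the nginx selinux profile
  if $facts['os']['selinux']['config_mode'] == 'enforcing' {
    class { 'profiles::selinux::nginx':
      require => Class['Nginx'],
    }
  }
}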