unkin/puppet-prod
2
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases Wiki Activity
6f51bffeaa
puppet-prod/site/profiles/manifests/nginx/simpleproxy.pp
Ben Vincent 66d8815e16 fix: ensure nginx restarts on certificate changes (#402) 
Add hasrestart => true to nginx service in simpleproxy profile to ensure
nginx performs a full restart (not reload) when certificate files change.
This is required because nginx reload does not pick up SSL certificate
changes from disk.

Reviewed-on: #402
2025-09-29 22:38:00 +10:00

150 lines
4.5 KiB
Puppet
Raw Blame History

# profiles::nginx:simpleproxy
#
# only one simpleproxy per host, for anything more advanced, use nginx class
class profiles::nginx::simpleproxy (
Stdlib::Fqdn $nginx_vhost = 'localhost',
Array[Stdlib::Host] $nginx_aliases = [],
Stdlib::Port $nginx_port = 80,
Stdlib::Port $nginx_ssl_port = 443,
Enum['http','https','both'] $nginx_listen_mode = 'https',
Enum['puppet', 'vault'] $nginx_cert_type = 'vault',
Enum['http','https'] $proxy_scheme = 'http',
Stdlib::Port $proxy_port = 80,
Stdlib::Host $proxy_host = $facts['networking']['ip'],
String $proxy_path = '/',
Boolean $use_default_location = true,
Hash $locations = {},
) {
# if nginx_version isnt set, install nginx
if ! $facts['nginx_version'] {
package {'nginx':
ensure => 'present',
}
# else, configure simple proxy
}else{
# build the proxyurl from proxy_* variables
$proxyurl = "${proxy_scheme}://${proxy_host}:${proxy_port}${proxy_path}"
# set the server_names
$server_names = unique([$facts['networking']['fqdn'], $nginx_vhost] + $nginx_aliases)
# select the certificates to use based on cert type
case $nginx_cert_type {
'puppet': {
$selected_ssl_cert = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt"
$selected_ssl_key = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key"
}
'vault': {
$selected_ssl_cert = '/etc/pki/tls/vault/certificate.crt'
$selected_ssl_key = '/etc/pki/tls/vault/private.key'
}
default: {
# enum param prevents this ever being reached
}
}
# set variables based on the listen_mode
case $nginx_listen_mode {
'http': {
$enable_ssl = false
$ssl_cert = undef
$ssl_key = undef
$listen_port = $nginx_port
$listen_ssl_port = undef
$extras_hash = {}
}
'https': {
$enable_ssl = true
$ssl_cert = $selected_ssl_cert
$ssl_key = $selected_ssl_key
$listen_port = $nginx_ssl_port
$listen_ssl_port = $nginx_ssl_port
$extras_hash = {
'subscribe' => [File[$ssl_cert], File[$ssl_key]],
}
}
'both': {
$enable_ssl = true
$ssl_cert = $selected_ssl_cert
$ssl_key = $selected_ssl_key
$listen_port = $nginx_port
$listen_ssl_port = $nginx_ssl_port
$extras_hash = {
'subscribe' => [File[$ssl_cert], File[$ssl_key]],
}
}
default: {
# enum param prevents this ever being reached
}
}
# define the default parameters for the nginx server
$defaults = {
'listen_port' => $listen_port,
'server_name' => $server_names,
'use_default_location' => $use_default_location,
'access_log' => "/var/log/nginx/${nginx_vhost}_access.log",
'error_log' => "/var/log/nginx/${nginx_vhost}_error.log",
'autoindex' => 'on',
'ssl' => $enable_ssl,
'ssl_cert' => $ssl_cert,
'ssl_key' => $ssl_key,
'ssl_port' => $listen_ssl_port,
'proxy' => $proxyurl,
}
# merge the hashes conditionally
$nginx_parameters = merge($defaults, $extras_hash)
mkdir::p {'/var/cache/nginx':
before => Class['nginx'],
}
# manage the nginx class
class { 'nginx':
proxy_cache_path => {
'/var/cache/nginx/cache' => 'cache:128m',
},
proxy_cache_levels => '1:2',
proxy_cache_keys_zone => 'cache:128m',
proxy_cache_max_size => '1024m',
proxy_cache_inactive => '10m',
proxy_temp_path => '/var/cache/nginx/cache_temp',
service_manage => false,
manage_repo => false,
}
# create the nginx vhost with the merged parameters
create_resources('nginx::resource::server', { $nginx_vhost => $nginx_parameters })
# create nginx locations
if $use_default_location == false {
create_resources('nginx::resource::location', $locations)
}
# manage selinux
if $::facts['os']['selinux']['config_mode'] == 'enforcing' {
# make sure nginx can reverse proxy
selboolean { 'httpd_can_network_connect':
persistent => true,
value => 'on',
}
}
service { 'nginx':
ensure => true,
enable => true,
hasrestart => true,
subscribe => [
File[$selected_ssl_cert],
File[$selected_ssl_key],
Nginx::Resource::Server[$nginx_vhost]
],
}
}
}
Reference in New Issue View Git Blame Copy Permalink