puppet-prod/site/profiles/manifests/reposync/webserver.pp


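# @summary Set up an nginx webserver that publishes synced repositories and
#   caches Debian packages fetched from an upstream mirror.
#
# The vhost serves `$www_root` with directory listings enabled and proxies
# `/debian` to `$debian_mirror`, caching `/debian/pool` on local disk under
# `$cache_root`. TLS is enabled according to `$nginx_listen_mode`, using either
# the Puppet agent certificate or a Vault-issued one. On SELinux-enforcing
# hosts the content and cache directories are labelled for httpd and nginx is
# allowed to open outbound connections (needed for the upstream proxy).
#
# @param www_root          Absolute path of the directory served as document root.
# @param cache_root        Absolute path holding the nginx proxy cache and temp files.
# @param nginx_vhost       Server name of the vhost; also used for the exported CNAME.
# @param nginx_port        Plain HTTP listen port (used in 'http' and 'both' modes).
# @param nginx_ssl_port    HTTPS listen port (used in 'https' and 'both' modes).
# @param favicon           Whether to ship a favicon.ico into `$www_root`.
# @param nginx_listen_mode Whether the vhost listens on http, https or both.
# @param nginx_cert_type   Where the TLS certificate and key come from.
# @param debian_mirror     Upstream Debian mirror URL proxied under /debian.
class profiles::reposync::webserver (
  Stdlib::Unixpath            $www_root          = '/data/repos/snap',
  Stdlib::Unixpath            $cache_root        = '/data/repos/cache',
  String                      $nginx_vhost       = 'repos.main.unkin.net',
  Stdlib::Port                $nginx_port        = 80,
  Stdlib::Port                $nginx_ssl_port    = 443,
  Boolean                     $favicon           = true,
  Enum['http','https','both'] $nginx_listen_mode = 'http',
  Enum['puppet', 'vault']     $nginx_cert_type   = 'vault',
  Stdlib::HTTPUrl             $debian_mirror     = 'http://mirror.gsl.icu/debian'
) {
  # Both roots must exist before nginx is pointed at them.
  mkdir::p { [$www_root, $cache_root]: }

  # Pick the certificate/key pair according to the configured issuer.
  # The Enum type on $nginx_cert_type guarantees one of the branches matches.
  $fqdn = $facts['networking']['fqdn']
  $selected_ssl_cert = $nginx_cert_type ? {
    'puppet' => "/etc/pki/tls/puppet/${fqdn}.crt",
    'vault'  => '/etc/pki/tls/vault/certificate.crt',
  }
  $selected_ssl_key = $nginx_cert_type ? {
    'puppet' => "/etc/pki/tls/puppet/${fqdn}.key",
    'vault'  => '/etc/pki/tls/vault/private.key',
  }

  # Derive the server- and location-level TLS settings from the listen mode.
  # $enable_ssl and $location_ssl_only are applied to the location resources
  # too, so a location never requests an SSL binding the server does not have.
  case $nginx_listen_mode {
    'http': {
      $enable_ssl        = false
      $location_ssl_only = false
      $ssl_cert          = undef
      $ssl_key           = undef
      $listen_port       = $nginx_port
      $listen_ssl_port   = undef
      $extras_hash       = {}
    }
    'https': {
      # NOTE(review): listen_port == ssl_port is treated by puppet-nginx as an
      # SSL-only server, so the locations are marked ssl_only to match — confirm
      # against the nginx module version in use.
      $enable_ssl        = true
      $location_ssl_only = true
      $ssl_cert          = $selected_ssl_cert
      $ssl_key           = $selected_ssl_key
      $listen_port       = $nginx_ssl_port
      $listen_ssl_port   = $nginx_ssl_port
      # Reload nginx when the cert/key change; the File resources are expected
      # to be managed elsewhere in the catalog.
      $extras_hash       = {
        'subscribe' => [File[$ssl_cert], File[$ssl_key]],
      }
    }
    'both': {
      $enable_ssl        = true
      $location_ssl_only = false
      $ssl_cert          = $selected_ssl_cert
      $ssl_key           = $selected_ssl_key
      $listen_port       = $nginx_port
      $listen_ssl_port   = $nginx_ssl_port
      $extras_hash       = {
        'subscribe' => [File[$ssl_cert], File[$ssl_key]],
      }
    }
    default: {
      # Unreachable because of the Enum type, but fail loudly rather than
      # silently leaving the variables above undefined.
      fail("profiles::reposync::webserver: unsupported nginx_listen_mode '${nginx_listen_mode}'")
    }
  }

  # Server parameters; the mode-specific extras (subscriptions) win on conflict.
  $nginx_parameters = {
    'listen_port'          => $listen_port,
    'server_name'          => [$nginx_vhost],
    'use_default_location' => true,
    'access_log'           => "/var/log/nginx/${nginx_vhost}_access.log",
    'error_log'            => "/var/log/nginx/${nginx_vhost}_error.log",
    'www_root'             => $www_root,
    'autoindex'            => 'on',
    'ssl'                  => $enable_ssl,
    'ssl_cert'             => $ssl_cert,
    'ssl_key'              => $ssl_key,
    'ssl_port'             => $listen_ssl_port,
  } + $extras_hash

  # nginx itself, with a single on-disk cache zone ("debian") under cache_root.
  class { 'nginx':
    proxy_cache_path      => {
      "${cache_root}/debian" => 'debian:128m',
    },
    proxy_cache_levels    => '1:2',
    proxy_cache_keys_zone => 'debian:128m',
    proxy_cache_max_size  => '30000m',
    proxy_cache_inactive  => '60d',
    proxy_temp_path       => "${cache_root}/tmp",
  }

  # The vhost, built from the merged parameter hash.
  nginx::resource::server { $nginx_vhost:
    * => $nginx_parameters,
  }

  # /debian is a plain pass-through to the upstream mirror (indices change
  # often); /debian/pool holds immutable package files and is cached locally.
  # Package integrity is still verified by apt via the repository signatures.
  nginx::resource::location { "${nginx_vhost}-debian":
    ensure   => present,
    ssl      => $enable_ssl,
    ssl_only => $location_ssl_only,
    location => '/debian',
    server   => $nginx_vhost,
    proxy    => $debian_mirror,
  }
  nginx::resource::location { "${nginx_vhost}-debian_pool":
    ensure            => present,
    ssl               => $enable_ssl,
    ssl_only          => $location_ssl_only,
    location          => '/debian/pool',
    server            => $nginx_vhost,
    proxy             => "${debian_mirror}/pool",
    proxy_cache       => 'debian',
    proxy_cache_valid => [
      '200 302 1440h',
      '404 1m',
    ],
  }

  if $favicon {
    file { "${www_root}/favicon.ico":
      ensure => 'file',
      owner  => 'root',
      group  => 'root',
      mode   => '0644',
      source => 'puppet:///modules/profiles/reposync/favicon.ico',
    }
  }

  # Export a CNAME so the vhost name resolves to this host.
  profiles::dns::record { "${fqdn}_${nginx_vhost}_CNAME":
    value  => $facts['networking']['hostname'],
    type   => 'CNAME',
    record => "${nginx_vhost}.",
    zone   => $facts['networking']['domain'],
    order  => 10,
  }

  # dig() tolerates hosts whose facts carry no selinux section at all.
  if $facts.dig('os', 'selinux', 'config_mode') == 'enforcing' {
    # nginx needs to reach the upstream mirror, which SELinux denies to httpd
    # domains unless this boolean is set.
    selboolean { 'httpd_can_network_connect':
      persistent => true,
      value      => 'on',
    }

    $restorecon_path = ['/bin', '/usr/bin', '/sbin', '/usr/sbin']

    # Served content is read-only for httpd; the cache must be writable.
    {
      $www_root   => 'httpd_sys_content_t',
      $cache_root => 'httpd_sys_rw_content_t',
    }.each |$dir, $seltype| {
      selinux::fcontext { $dir:
        ensure   => 'present',
        seltype  => $seltype,
        pathspec => "${dir}(/.*)?",
      }
      # Relabel existing files only when the fcontext rule changes.
      # NOTE(review): $dir is interpolated into the command string; a path
      # containing whitespace would be split by the exec provider — prefer the
      # array form of `command` on Puppet versions that support it.
      exec { "restorecon_${dir}":
        path        => $restorecon_path,
        command     => "restorecon -Rv ${dir}",
        refreshonly => true,
        subscribe   => Selinux::Fcontext[$dir],
      }
    }
  }
}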