puppet-prod/site/profiles/manifests/reposync/webserver.pp

# setup a reposync webserver
class profiles::reposync::webserver (
  String  $www_root = '/data/repos/snap',
  String  $nginx_vhost = 'repos.main.unkin.net',
  Stdlib::Port $nginx_port = 80,
  Stdlib::Port $nginx_ssl_port = 443,
  Boolean $favicon = true,
  Enum['http','https','both'] $nginx_listen_mode = 'http',
  Enum['puppet', 'vault'] $nginx_cert_type = 'vault'
) {

  # select the certificates to use based on cert type
  case $nginx_cert_type {
    'puppet': {
      $selected_ssl_cert = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt"
      $selected_ssl_key  = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key"
    }
    'vault': {
      $selected_ssl_cert = '/etc/pki/tls/vault/certificate.crt'
      $selected_ssl_key  = '/etc/pki/tls/vault/private.key'
    }
    default: {
      # enum param prevents this ever being reached
    }
  }

  # set variables based on the listen_mode
  case $nginx_listen_mode {
    'http': {
      $enable_ssl = false
      $ssl_cert = undef
      $ssl_key = undef
      $listen_port = $nginx_port
      $listen_ssl_port = undef
    }
    'https': {
      $enable_ssl = true
      $ssl_cert = $selected_ssl_cert
      $ssl_key = $selected_ssl_key
      $listen_port = $nginx_ssl_port
      $listen_ssl_port = $nginx_ssl_port
    }
    'both': {
      $enable_ssl = true
      $ssl_cert = $selected_ssl_cert
      $ssl_key = $selected_ssl_key
      $listen_port = $nginx_port
      $listen_ssl_port = $nginx_ssl_port
    }
    default: {
      # enum param prevents this ever being reached
    }
  }

  class { 'nginx': }

  # create the nginx vhost
  nginx::resource::server { $nginx_vhost:
    listen_port          => $listen_port,
    server_name          => [$nginx_vhost],
    use_default_location => true,
    access_log           => "/var/log/nginx/${nginx_vhost}_access.log",
    error_log            => "/var/log/nginx/${nginx_vhost}_error.log",
    www_root             => $www_root,
    autoindex            => 'on',
    ssl                  => $enable_ssl,
    ssl_cert             => $ssl_cert,
    ssl_key              => $ssl_key,
    ssl_port             => $listen_ssl_port,
  }

  if $favicon {
    file { "${www_root}/favicon.ico":
      ensure => 'file',
      owner  => 'root',
      group  => 'root',
      mode   => '0644',
      source => 'puppet:///modules/profiles/reposync/favicon.ico',
    }
  }

  # export cnames for webserver
  profiles::dns::record { "${::facts['networking']['fqdn']}_repos.main.unkin.net_CNAME":
    value  => $::facts['networking']['hostname'],
    type   => 'CNAME',
    record => 'repos.main.unkin.net.',
    zone   => $::facts['networking']['domain'],
    order  => 10,
  }

  if $::facts['os']['selinux']['config_mode'] == 'enforcing' {

    # set httpd_sys_content_t to all files under the www_root
    selinux::fcontext { $www_root:
      ensure   => 'present',
      seltype  => 'httpd_sys_content_t',
      pathspec => "${www_root}(/.*)?",
    }

    # make sure we can connect to port 80
    selboolean { 'httpd_can_network_connect':
      persistent => true,
      value      => 'on',
    }

    exec { "restorecon_${www_root}":
      path        => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
      command     => "restorecon -Rv ${www_root}",
      refreshonly => true,
      subscribe   => Selinux::Fcontext[$www_root],
    }
  }
}