Ben Vincent 6f9a606549 feat: configure edgecache for postgresql
- add fact to record system resolvers
- add resolvers feature in /etc/nginx/conf.d/resolvers.conf
- add rewrite rules for postgres/yum/repodata
2024-05-19 16:56:36 +10:00


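# profiles::edgecache::nginx
#
# nginx front end for an edge cache: one vhost that serves `${data_root}/pub`
# (with directory listings, i.e. a public mirror root) plus a set of proxied
# "mirror" locations taken from profiles::edgecache::params::mirrors, backed by
# an on-disk proxy cache under `${data_root}/cache`.
#
# Every tunable comes from profiles::edgecache::params; this class has no
# parameters of its own. `nginx_listen_mode` ('http' | 'https' | 'both') and
# `nginx_cert_type` ('puppet' | 'vault') are assumed to be enum-typed there;
# the `default:` branches below exist only to fail loudly if that ever changes.
#
# Review notes (not enforced here, confirm in params / the module defaults):
#   - TLS protocol/cipher settings are whatever the nginx module ships; nothing
#     in this class tightens them.
#   - Upstream targets and `proxy_ssl_verify` for the mirror locations live in
#     the params `mirrors` hash, so upstream certificate checking is decided there.
class profiles::edgecache::nginx {
  include profiles::edgecache::params

  $data_root                = $profiles::edgecache::params::data_root
  $nginx_vhost              = $profiles::edgecache::params::nginx_vhost
  $nginx_aliases            = $profiles::edgecache::params::nginx_aliases
  $nginx_port               = $profiles::edgecache::params::nginx_port
  $nginx_ssl_port           = $profiles::edgecache::params::nginx_ssl_port
  $nginx_listen_mode        = $profiles::edgecache::params::nginx_listen_mode
  $nginx_cert_type          = $profiles::edgecache::params::nginx_cert_type
  $nginx_resolvers_enable   = $profiles::edgecache::params::nginx_resolvers_enable
  $nginx_resolvers_ipv4only = $profiles::edgecache::params::nginx_resolvers_ipv4only

  # ---------------------------------------------------------------------------
  # Certificate selection.
  # The cert/key files are not managed here; they must exist as File resources
  # elsewhere in the catalog because the vhost subscribes to them below.
  # ---------------------------------------------------------------------------
  case $nginx_cert_type {
    'puppet': {
      $selected_ssl_cert = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt"
      $selected_ssl_key  = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key"
    }
    'vault': {
      $selected_ssl_cert = '/etc/pki/tls/vault/certificate.crt'
      $selected_ssl_key  = '/etc/pki/tls/vault/private.key'
    }
    default: {
      # unreachable with an enum-typed param; fail rather than leave the
      # cert/key variables undefined and produce a broken TLS vhost
      fail("profiles::edgecache::nginx: unsupported nginx_cert_type '${nginx_cert_type}'")
    }
  }

  # ---------------------------------------------------------------------------
  # Listen mode -> ports, TLS flag and extra vhost attributes.
  #   http  : plain listener only
  #   https : TLS listener only (listen_port == ssl_port makes the module emit
  #           just the SSL server block)
  #   both  : plain and TLS listeners, no redirect between them
  # ---------------------------------------------------------------------------
  case $nginx_listen_mode {
    'http': {
      $enable_ssl      = false
      $ssl_cert        = undef
      $ssl_key         = undef
      $listen_port     = $nginx_port
      $listen_ssl_port = undef
      $extras_hash     = {}
    }
    'https': {
      $enable_ssl      = true
      $ssl_cert        = $selected_ssl_cert
      $ssl_key         = $selected_ssl_key
      $listen_port     = $nginx_ssl_port
      $listen_ssl_port = $nginx_ssl_port
      # re-render the vhost when the certificate material is rotated
      $extras_hash     = { 'subscribe' => [File[$ssl_cert], File[$ssl_key]] }
    }
    'both': {
      $enable_ssl      = true
      $ssl_cert        = $selected_ssl_cert
      $ssl_key         = $selected_ssl_key
      $listen_port     = $nginx_port
      $listen_ssl_port = $nginx_ssl_port
      $extras_hash     = { 'subscribe' => [File[$ssl_cert], File[$ssl_key]] }
    }
    default: {
      # unreachable with an enum-typed param; see cert_type above
      fail("profiles::edgecache::nginx: unsupported nginx_listen_mode '${nginx_listen_mode}'")
    }
  }

  # ---------------------------------------------------------------------------
  # Run-time DNS resolvers for nginx (needed for proxy_pass targets resolved at
  # request time). Sourced from the custom `nameservers` fact.
  #
  # The fact values are interpolated straight into nginx config, so each entry
  # must look like an IP address (optionally bracketed IPv6 / with a port);
  # anything else is treated as config injection and fails compilation.
  # ---------------------------------------------------------------------------
  $nameservers = $facts['nameservers'] ? {
    Array   => $facts['nameservers'],
    default => [],
  }
  $nameservers.each |$ns| {
    unless $ns =~ String and $ns =~ /\A[\[\]0-9A-Fa-f:.]+\z/ {
      fail("profiles::edgecache::nginx: refusing to write nginx resolver entry '${ns}' taken from the nameservers fact")
    }
  }

  # "IPv4 only" is spelled `ipv6=off` in the nginx resolver directive; `ipv4=on`
  # is merely the default (and is rejected as an unknown parameter by nginx
  # older than 1.23.1), so it never restricted lookups.
  $resolver_flags = $nginx_resolvers_ipv4only ? {
    true    => ' ipv6=off',
    default => '',
  }

  if $nginx_resolvers_enable and $nameservers.empty {
    warning('profiles::edgecache::nginx: resolvers enabled but the nameservers fact is empty; not writing resolvers.conf')
  }

  if $nginx_resolvers_enable and !$nameservers.empty {
    $resolvers_ensure  = 'file'
    $resolvers_content = "resolver ${nameservers.join(' ')}${resolver_flags};\n"
  } else {
    # remove a stale file when the feature is switched off (or no resolvers are
    # known: `resolver ;` would be an nginx syntax error)
    $resolvers_ensure  = 'absent'
    $resolvers_content = undef
  }

  # NOTE(review): nothing reloads nginx when this file changes, so a new
  # resolver list only takes effect on the next restart; the module's service
  # class is the usual notify target — confirm its name before wiring it.
  file { '/etc/nginx/conf.d/resolvers.conf':
    ensure  => $resolvers_ensure,
    content => $resolvers_content,
  }

  # ---------------------------------------------------------------------------
  # Vhost definition.
  # ---------------------------------------------------------------------------
  # the node's fqdn is always a valid server_name, followed by the vhost name
  # and any aliases (deduplicated)
  $server_names = unique([$facts['networking']['fqdn'], $nginx_vhost] + $nginx_aliases)

  $defaults = {
    'listen_port'          => $listen_port,
    'server_name'          => $server_names,
    'use_default_location' => true,
    'access_log'           => "/var/log/nginx/${nginx_vhost}_access.log",
    'error_log'            => "/var/log/nginx/${nginx_vhost}_error.log",
    'www_root'             => "${data_root}/pub",
    # directory listings are intentionally on: the pub tree is a repo mirror,
    # so everything placed under it is browsable by any client
    'autoindex'            => 'on',
    'ssl'                  => $enable_ssl,
    'ssl_cert'             => $ssl_cert,
    'ssl_key'              => $ssl_key,
    'ssl_port'             => $listen_ssl_port,
  }

  # data/cache directories must exist before the nginx module manages its
  # config; owner/group (and any other File attributes) come from params.
  # 0775 grants write access to the whole group on content nginx serves, so the
  # group set in params should be limited to the sync account(s).
  $profiles::edgecache::params::directories.each |$name, $data| {
    file { $name:
      ensure => 'directory',
      before => Class['nginx'],
      mode   => '0775',
      *      => $data,
    }
  }

  # proxy cache: 30 GB cap, entries evicted after 60 days without a hit
  class { 'nginx':
    proxy_cache_path      => {
      "${data_root}/cache" => 'cache:128m',
    },
    proxy_cache_levels    => '1:2',
    proxy_cache_keys_zone => 'cache:128m',
    proxy_cache_max_size  => '30000m',
    proxy_cache_inactive  => '60d',
    proxy_temp_path       => "${data_root}/cache_tmp",
  }

  # listen-mode specific attributes override the defaults
  nginx::resource::server { $nginx_vhost:
    * => $defaults + $extras_hash,
  }

  # proxied mirror locations; the per-location attributes (proxy target, cache
  # settings, ...) come from params. `ssl` follows the vhost: an SSL-only
  # location fragment on a vhost that has no SSL server block would land
  # outside any server context and break the generated config.
  $profiles::edgecache::params::mirrors.each |$name, $data| {
    nginx::resource::location { "${nginx_vhost}_${name}":
      server   => $nginx_vhost,
      ssl      => $enable_ssl,
      ssl_only => false,
      *        => $data,
    }
  }
}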