Splitting into smaller classes and adding puppetmaster proxying support.
authordrebs <drebs@riseup.net>
Tue, 16 Feb 2010 03:12:47 +0000 (01:12 -0200)
committerdrebs <drebs@riseup.net>
Tue, 16 Feb 2010 03:12:47 +0000 (01:12 -0200)
manifests/init.pp
templates/puppetmaster.erb [new file with mode: 0644]

index 3482002de0a7c3b3ffabd9ebb553ae4bc14787a8..6d4711dac0ff8ae5c8bff2672692b37aa7f53eac 100644 (file)
@@ -16,7 +16,8 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-class nginx {
+# Base class
+class nginx::base {
 
   $ssl = $nginx_ssl ? {
     false   => false,
@@ -33,6 +34,40 @@ class nginx {
     group   => "root",
   }
 
+  service { "nginx":
+    enable     => true,
+    ensure     => running,
+    hasrestart => true,
+    require    => [ File["/etc/nginx/sites-enabled/$domain"], Package["nginx"] ],
+  }
+
+  define site($site = $domain, $ensure = present) {
+    # Proxy config file
+    file { "/etc/nginx/sites-available/$site":
+      source  => "puppet://$server/files/etc/nginx/$site",
+      owner   => "root",
+      group   => "root",
+      mode    => 0644,
+      ensure  => $ensure,
+      notify  => Service["nginx"],
+      require => File["/etc/nginx/sites-available"],
+    }
+
+    $link = $ensure ? {
+      present => "/etc/nginx/sites-available/$site",
+      default => absent,
+    }
+  
+    # Symlink to enable proxy configuration
+    file { "/etc/nginx/sites-enabled/$site":
+      ensure  => $link,
+      require => File["/etc/nginx/sites-enabled"],
+      notify  => Service["nginx"],
+    }
+  }
+}
+
+class nginx inherits nginx::base {
   if $ssl == true {
     file { [ "/etc/ssl", "/etc/ssl/certs", "/etc/ssl/private" ]:
       ensure  => directory,
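Review bot: The `service { "nginx": ... }` moved into nginx::base still requires `File["/etc/nginx/sites-enabled/$domain"]`, but that symlink is only created by the `site { "$domain": ... }` declaration in class nginx, which lives in the next hunk; nginx::puppetmaster inherits nginx::base without declaring a site and its proxy define writes only to sites-available, so on a puppetmaster-only host that dependency looks unresolvable and the catalog would fail. I would keep the base service minimal with `require    => Package["nginx"],` and leave the site-specific requirement to the override in class nginx, relying on the `notify => Service["nginx"]` already present on both file resources for ordering. The `$domain` and `$server` variables are read from top scope here and deserve a comment naming where they are expected to be set, e.g. `# $domain and $server are expected from node scope (external facts/ENC)`.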
@@ -58,47 +93,35 @@ class nginx {
       require => File["/etc/ssl/private"],
     }
 
-    service { "nginx":
+    Service { "nginx":
       enable     => true,
       ensure     => running,
       hasrestart => true,
       require    => [ File["/etc/nginx/sites-enabled/$domain"], Package["nginx"],
                       File["/etc/ssl/private/cert.pem"], File["/etc/ssl/certs/cert.crt"] ],
     }
-  } else {
-    service { "nginx":
-      enable     => true,
-      ensure     => running,
-      hasrestart => true,
-      require    => [ File["/etc/nginx/sites-enabled/$domain"], Package["nginx"] ],
-    }
   }
 
   # Default site
   site { "$domain": ensure => present, }
 
-  define site($site = $domain, $ensure = present) {
-    # Proxy config file
-    file { "/etc/nginx/sites-available/$site":
-      source  => "puppet://$server/files/etc/nginx/$site",
+}
+
+class nginx::puppetmaster inherits nginx::base {
+
+  define proxy($name, $worker_processes = 4, $worker_connections = 1024,
+               $ssl_port = 8140, $non_ssl_port = 8141,
+               $puppetmaster_servers = [ "127.0.0.1:18140", ]) {
+
+    file { "/etc/nginx/sites-available/$name":
+      content => "puppetmaster.erb",
       owner   => "root",
       group   => "root",
       mode    => 0644,
-      ensure  => $ensure,
+      ensure  => present,
       notify  => Service["nginx"],
       require => File["/etc/nginx/sites-available"],
     }
 
-    $link = $ensure ? {
-      present => "/etc/nginx/sites-available/$site",
-      default => absent,
-    }
-  
-    # Symlink to enable proxy configuration
-    file { "/etc/nginx/sites-enabled/$site":
-      ensure  => $link,
-      require => File["/etc/nginx/sites-enabled"],
-      notify  => Service["nginx"],
-    }
   }
 }
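Review bot: `content => "puppetmaster.erb"` installs the literal string `puppetmaster.erb` as the vhost file instead of rendering the new template; it should read `content => template("nginx/puppetmaster.erb"),` so the define's parameters actually reach the ERB. In the same define, `$name` is the variable Puppet sets automatically from the resource title and cannot be declared as a parameter, so the signature should start at `$worker_processes` and the file title `/etc/nginx/sites-available/$name` keeps working unchanged. In class nginx, `Service { "nginx": ... }` is not the syntax for overriding an inherited resource; the override is `Service["nginx"] { require => [ ... ] }`, and since `enable`, `ensure` and `hasrestart` are already set in nginx::base only `require` needs restating there. Unlike `site`, the proxy define creates no `/etc/nginx/sites-enabled/$name` symlink, so the generated vhost is never enabled unless that is done elsewhere.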
diff --git a/templates/puppetmaster.erb b/templates/puppetmaster.erb
new file mode 100644 (file)
index 0000000..87fd996
--- /dev/null
@@ -0,0 +1,96 @@
+# This configuration file was auto-generated by the Puppet configuration
+# management system.  Any changes you make to this file will be overwritten
+# the next time Puppet runs.  Please make configuration changes to this
+# service in Puppet.
+
+user www-data www-data;
+worker_processes  <%= $worker_processes %>;
+
+error_log       /var/log/nginx-puppet.log notice;
+pid             /var/run/nginx-puppet.pid;
+
+events {
+    worker_connections  <%= $worker_connections %>;
+}
+
+http {
+    # include /etc/mime.types;
+    default_type  application/octet-stream;
+
+    # no sendfile on OSX uncomment 
+    #this if your on linux or bsd
+    sendfile        on;
+    tcp_nopush      on;
+    
+    # Look at TLB size in /proc/cpuinfo (Linux) for the 4k pagesize
+    large_client_header_buffers     16      4k;
+    proxy_buffers                   128     4k;
+
+    # if you adjust this setting to something higher
+    # you should as well update the proxy_read_timeout 
+    # in the server config part (see below)
+    # Otherwise nginx will rerequest a manifest compile.
+    keepalive_timeout  65;
+    tcp_nodelay        on;
+
+    ssl                     on;
+    ssl_certificate         /Library/Puppet/Generated/Server/SSL/host_cert.pem;
+    ssl_certificate_key     /Library/Puppet/Generated/Server/SSL/host_key.pem;
+    ssl_client_certificate  /Library/Puppet/Generated/Server/SSL/ca/ca_crt.pem;
+    ssl_ciphers             SSLv2:-LOW:-EXPORT:RC4+RSA;
+    ssl_session_cache       shared:SSL:8m;
+    ssl_session_timeout     5m;
+
+    upstream puppet-production {
+      <% $puppetmaster_servers.each do |upstream| -%>
+        server <%= upstream %>;
+      <% end -%>
+    }
+
+    server {
+        listen                  <%= $ssl_port %>;
+        ssl_verify_client       on;
+        root                    /var/empty;
+        access_log              /var/log/nginx/access-<%= $ssl_port %>.log;
+        rewrite_log             /var/log/nginx/rewrite-<%= $ssl_port %>.log;
+
+        # Variables
+        # $ssl_cipher returns the line of those utilized it is cipher for established SSL-connection
+        # $ssl_client_serial returns the series number of client certificate for established SSL-connection
+        # $ssl_client_s_dn returns line subject DN of client certificate for established SSL-connection
+        # $ssl_client_i_dn returns line issuer DN of client certificate for established SSL-connection
+        # $ssl_protocol returns the protocol of established SSL-connection
+
+        location / {
+            proxy_pass          http://puppet-production;
+            proxy_redirect      off;
+            proxy_set_header    Host             $host;
+            proxy_set_header    X-Real-IP        $remote_addr;
+            proxy_set_header    X-Forwarded-For  $proxy_add_x_forwarded_for;
+            proxy_set_header    X-Client-Verify  SUCCESS;
+            proxy_set_header    X-SSL-Subject    $ssl_client_s_dn;
+            proxy_set_header    X-SSL-Issuer     $ssl_client_i_dn;
+            proxy_read_timeout  65;
+        }
+    }
+
+    server {
+        listen                  <%= $nonssl_port %>;
+        ssl_verify_client       off;
+        root                    /var/empty;
+        access_log              /var/log/nginx/access-<%= $nonssl_port %>.log;
+        rewrite_log             /var/log/nginx/rewrite-<%= $nonssl_port %>.log;
+
+        location / {
+            proxy_pass  http://puppet-production;
+            proxy_redirect     off;
+            proxy_set_header   Host             $host;
+            proxy_set_header   X-Real-IP        $remote_addr;
+            proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
+            proxy_set_header   X-Client-Verify  FAILURE;
+            proxy_set_header   X-SSL-Subject    $ssl_client_s_dn;
+            proxy_set_header   X-SSL-Issuer     $ssl_client_i_dn;
+            proxy_read_timeout  65;
+        }
+    }
+}
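Review bot: Every substitution in this template uses `$var` (`<%= $worker_processes %>`, `$puppetmaster_servers.each`, `$ssl_port`, `$nonssl_port`), which in Ruby/ERB is a global variable rather than the Puppet parameter, so each renders as empty and `listen ;` will make nginx refuse the config; Puppet exposes define parameters to templates as locals, `<%= worker_processes %>`. Independently, `$nonssl_port` on the listen, access_log and rewrite_log lines of the second server does not match the parameter name `$non_ssl_port` declared in the proxy define. The hardcoded `/Library/Puppet/Generated/Server/SSL/...` certificate paths are macOS locations and will not exist on the Debian-style hosts the rest of the module targets, so they should become parameters of the define. `ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA` enables SSLv2-era suites and RC4 for the agent-facing port; a modern-default string such as `HIGH:!aNULL:!MD5` with SSLv2 disabled is the safer baseline, and the hardcoded `X-Client-Verify SUCCESS` would better be `$ssl_client_verify` so the master sees nginx's actual verification result.
```erb
worker_processes  <%= worker_processes %>;
# … unchanged: error_log, pid …
events {
    worker_connections  <%= worker_connections %>;
}
# … unchanged: http-level buffer, keepalive and ssl_* settings …
    upstream puppet-production {
      <% puppetmaster_servers.each do |upstream| -%>
        server <%= upstream %>;
      <% end -%>
    }

    server {
        listen                  <%= ssl_port %>;
        # … unchanged: ssl_verify_client, root …
        access_log              /var/log/nginx/access-<%= ssl_port %>.log;
        rewrite_log             /var/log/nginx/rewrite-<%= ssl_port %>.log;
        # … unchanged: location / block …

    server {
        listen                  <%= non_ssl_port %>;
        # … unchanged: ssl_verify_client, root …
        access_log              /var/log/nginx/access-<%= non_ssl_port %>.log;
        rewrite_log             /var/log/nginx/rewrite-<%= non_ssl_port %>.log;
        # … unchanged: location / block …
```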