path: root/sitemodules/profiles/manifests/sniproxy.pp
# Class: profiles::sniproxy
# =========================
#
# This class takes care of setting up an SNI-based proxy for other systems.
#
# Parameters
# ----------
#
# @param https_forwards_sniproxy a list of server names to target ips/ports for
#                                the sniproxy configuration
#
# @param https_forwards          a hash of server names to target ips/ports for
#                                nginx
#
# @param https_port              the https port for nginx
#
# Examples
# --------
#
# @example
#   class roles::myhost {
#     include profiles::sniproxy
#   }
#
# Authors
# -------
#
# Jan Dittberner <jandd@cacert.org>
#
# Copyright
# ---------
#
# Copyright 2017-2021 Jan Dittberner
#
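class profiles::sniproxy (
  Array[String]       $https_forwards_sniproxy,
  Hash[String,String] $https_forwards,
  # Restrict the port to the valid TCP range so that a typo in the data fails
  # at catalog compilation instead of producing an nginx configuration that
  # does not load.
  Integer[1, 65535]   $https_port = 443,
) {
  # NOTE(review): the forward lists are only type-checked as String before
  # they are handed to the EPP templates below. The templates are not visible
  # here; confirm that they (or the data source) constrain the entries to
  # host names and address/port values, since they end up verbatim in proxy
  # configuration files.

  # Clean up the APT pin that was needed before Debian Buster.
  file { '/etc/apt/preferences.d/sniproxy':
    ensure => absent,
  }

  package { 'sniproxy':
    ensure => present,
  }

  # Static daemon defaults shipped with the module.
  file { '/etc/default/sniproxy':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    source  => 'puppet:///modules/profiles/sniproxy/etc_default_sniproxy',
    require => Package['sniproxy'],
  }

  # sniproxy configuration rendered from $https_forwards_sniproxy.
  file { '/etc/sniproxy.conf':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => epp(
      'profiles/sniproxy/sniproxy.conf.epp',
      {'https_forwards' => $https_forwards_sniproxy}
    ),
    require => Package['sniproxy'],
  }

  # subscribe already orders the service after both files and restarts it
  # when either one changes, so only the package needs an explicit require.
  service { 'sniproxy':
    ensure    => running,
    enable    => true,
    require   => Package['sniproxy'],
    subscribe => [File['/etc/default/sniproxy'], File['/etc/sniproxy.conf']],
  }

  package { 'nginx-full':
    ensure => present,
  }

  # Order the service after the package explicitly instead of relying on the
  # notify relationships of the configuration files below.
  service { 'nginx':
    ensure  => running,
    enable  => true,
    require => Package['nginx-full'],
  }

  file { '/etc/nginx':
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0755',
  }

  # Per-server-name forwards rendered from $https_forwards and $https_port.
  file { '/etc/nginx/sni-servers.conf':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => epp(
      'profiles/sniproxy/nginx.sni-server.epp',
      {
        'https_forwards' => $https_forwards,
        'https_port'     => $https_port,
      },
    ),
    require => Package['nginx-full'],
    notify  => Service['nginx'],
  }

  # Main nginx configuration. It is ordered after sni-servers.conf so that
  # both files are in place before the service is refreshed.
  # NOTE(review): neither nginx file is syntax-checked before the service is
  # notified; a validate_cmd on this resource would keep a broken rendering
  # from reaching the running proxy - confirm that it fits this deployment.
  file { '/etc/nginx/nginx.conf':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    source  => 'puppet:///modules/profiles/sniproxy/nginx.conf',
    require => [File['/etc/nginx/sni-servers.conf'], Package['nginx-full']],
    notify  => Service['nginx'],
  }
}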