authordrebs <drebs@riseup.net>2010-02-16 01:12:47 -0200
committerdrebs <drebs@riseup.net>2010-02-16 01:12:47 -0200
commit671780fbbb5fcc8f03c1f72386f31fc7c51080a9 (patch)
tree15d0b64a6371963d24e61252edca7f63a0a2f17b
parent74ccc5f671a6ab6434a64fc22809f1ddae44ea7e (diff)
Splitting into smaller classes and adding puppetmaster proxying support.
-rw-r--r--manifests/init.pp73
-rw-r--r--templates/puppetmaster.erb96
2 files changed, 144 insertions, 25 deletions
diff --git a/manifests/init.pp b/manifests/init.pp
index 3482002..6d4711d 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -16,7 +16,8 @@
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
-class nginx {
+# Base class
+class nginx::base {
$ssl = $nginx_ssl ? {
false => false,
@@ -33,6 +34,40 @@ class nginx {
group => "root",
}
+ service { "nginx":
+ enable => true,
+ ensure => running,
+ hasrestart => true,
+ require => [ File["/etc/nginx/sites-enabled/$domain"], Package["nginx"] ],
+ }
+
+ define site($site = $domain, $ensure = present) {
+ # Proxy config file
+ file { "/etc/nginx/sites-available/$site":
+ source => "puppet://$server/files/etc/nginx/$site",
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => $ensure,
+ notify => Service["nginx"],
+ require => File["/etc/nginx/sites-available"],
+ }
+
+ $link = $ensure ? {
+ present => "/etc/nginx/sites-available/$site",
+ default => absent,
+ }
+
+ # Symlink to enable proxy configuration
+ file { "/etc/nginx/sites-enabled/$site":
+ ensure => $link,
+ require => File["/etc/nginx/sites-enabled"],
+ notify => Service["nginx"],
+ }
+ }
+}
+
+class nginx inherits nginx::base {
if $ssl == true {
file { [ "/etc/ssl", "/etc/ssl/certs", "/etc/ssl/private" ]:
ensure => directory,
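Review bot: The `service { "nginx": ... }` moved into `nginx::base` keeps `require => [ File["/etc/nginx/sites-enabled/$domain"], Package["nginx"] ]`, which couples every class that inherits the base to the default site resource, and that resource is only declared by `class nginx` (`site { "$domain": ensure => present, }` further down this file); a node that includes only `nginx::puppetmaster` would reference a File resource that is not in its catalog and the run should fail on the missing dependency. Either drop the sites-enabled entry from the base `require` and re-add it in the `nginx` override, or declare the default site from the base class. The `define site` is self-contained in this hunk but interpolates `$site` verbatim into both a filesystem path and the `puppet://$server/...` source URL; that is acceptable for admin-chosen titles, but a one-line comment such as `# $site is used verbatim in paths and the fileserver URL: pass a plain hostname, not a path` would make the expectation explicit.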
@@ -58,47 +93,35 @@ class nginx {
require => File["/etc/ssl/private"],
}
- service { "nginx":
+ Service { "nginx":
enable => true,
ensure => running,
hasrestart => true,
require => [ File["/etc/nginx/sites-enabled/$domain"], Package["nginx"],
File["/etc/ssl/private/cert.pem"], File["/etc/ssl/certs/cert.crt"] ],
}
- } else {
- service { "nginx":
- enable => true,
- ensure => running,
- hasrestart => true,
- require => [ File["/etc/nginx/sites-enabled/$domain"], Package["nginx"] ],
- }
}
# Default site
site { "$domain": ensure => present, }
- define site($site = $domain, $ensure = present) {
- # Proxy config file
- file { "/etc/nginx/sites-available/$site":
- source => "puppet://$server/files/etc/nginx/$site",
+}
+
+class nginx::puppetmaster inherits nginx::base {
+
+ define proxy($name, $worker_processes = 4, $worker_connections = 1024,
+ $ssl_port = 8140, $non_ssl_port = 8141,
+ $puppetmaster_servers = [ "127.0.0.1:18140", ]) {
+
+ file { "/etc/nginx/sites-available/$name":
+ content => "puppetmaster.erb",
owner => "root",
group => "root",
mode => 0644,
- ensure => $ensure,
+ ensure => present,
notify => Service["nginx"],
require => File["/etc/nginx/sites-available"],
}
- $link = $ensure ? {
- present => "/etc/nginx/sites-available/$site",
- default => absent,
- }
-
- # Symlink to enable proxy configuration
- file { "/etc/nginx/sites-enabled/$site":
- ensure => $link,
- require => File["/etc/nginx/sites-enabled"],
- notify => Service["nginx"],
- }
}
}
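Review bot: `content => "puppetmaster.erb"` on the new file resource writes that literal string into `/etc/nginx/sites-available/$name` instead of rendering the template this commit adds; it should be `content => template("nginx/puppetmaster.erb"),`. The template is also a complete top-level nginx configuration (`user`, `events`, `http`), which is not valid when the file is later included from the main config's `http` context as the sites-available layout implies, and `proxy` creates no `sites-enabled` symlink, so unlike `site` nothing enables it; decide whether this is meant to replace nginx.conf or to be a server-block snippet and trim it accordingly. Declaring `$name` as a parameter of `define proxy` is suspect as well, since Puppet already supplies `$name` from the resource title; dropping it from the parameter list avoids a clash. The `Service { "nginx": ... }` override only extends the require list in the SSL branch, so the `else` branch removed here is correctly covered by the base-class service.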
diff --git a/templates/puppetmaster.erb b/templates/puppetmaster.erb
new file mode 100644
index 0000000..87fd996
--- /dev/null
+++ b/templates/puppetmaster.erb
@@ -0,0 +1,96 @@
+# This configuration file was auto-generated by the Puppet configuration
+# management system. Any changes you make to this file will be overwritten
+# the next time Puppet runs. Please make configuration changes to this
+# service in Puppet.
+
+user www-data www-data;
+worker_processes <%= $worker_processes %>;
+
+error_log /var/log/nginx-puppet.log notice;
+pid /var/run/nginx-puppet.pid;
+
+events {
+ worker_connections <%= $worker_connections %>;
+}
+
+http {
+ # include /etc/mime.types;
+ default_type application/octet-stream;
+
+ # no sendfile on OSX uncomment
+ #this if your on linux or bsd
+ sendfile on;
+ tcp_nopush on;
+
+ # Look at TLB size in /proc/cpuinfo (Linux) for the 4k pagesize
+ large_client_header_buffers 16 4k;
+ proxy_buffers 128 4k;
+
+ # if you adjust this setting to something higher
+ # you should as well update the proxy_read_timeout
+ # in the server config part (see below)
+ # Otherwise nginx will rerequest a manifest compile.
+ keepalive_timeout 65;
+ tcp_nodelay on;
+
+ ssl on;
+ ssl_certificate /Library/Puppet/Generated/Server/SSL/host_cert.pem;
+ ssl_certificate_key /Library/Puppet/Generated/Server/SSL/host_key.pem;
+ ssl_client_certificate /Library/Puppet/Generated/Server/SSL/ca/ca_crt.pem;
+ ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;
+ ssl_session_cache shared:SSL:8m;
+ ssl_session_timeout 5m;
+
+ upstream puppet-production {
+ <% $puppetmaster_servers.each do |upstream| -%>
+ server <%= upstream %>;
+ <% end -%>
+ }
+
+ server {
+ listen <%= $ssl_port %>;
+ ssl_verify_client on;
+ root /var/empty;
+ access_log /var/log/nginx/access-<%= $ssl_port %>.log;
+ rewrite_log /var/log/nginx/rewrite-<%= $ssl_port %>.log;
+
+ # Variables
+ # $ssl_cipher returns the line of those utilized it is cipher for established SSL-connection
+ # $ssl_client_serial returns the series number of client certificate for established SSL-connection
+ # $ssl_client_s_dn returns line subject DN of client certificate for established SSL-connection
+ # $ssl_client_i_dn returns line issuer DN of client certificate for established SSL-connection
+ # $ssl_protocol returns the protocol of established SSL-connection
+
+ location / {
+ proxy_pass http://puppet-production;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Client-Verify SUCCESS;
+ proxy_set_header X-SSL-Subject $ssl_client_s_dn;
+ proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
+ proxy_read_timeout 65;
+ }
+ }
+
+ server {
+ listen <%= $nonssl_port %>;
+ ssl_verify_client off;
+ root /var/empty;
+ access_log /var/log/nginx/access-<%= $nonssl_port %>.log;
+ rewrite_log /var/log/nginx/rewrite-<%= $nonssl_port %>.log;
+
+ location / {
+ proxy_pass http://puppet-production;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Client-Verify FAILURE;
+ proxy_set_header X-SSL-Subject $ssl_client_s_dn;
+ proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
+ proxy_read_timeout 65;
+ }
+ }
+}
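Review bot: `ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;` in the `http` block selects the SSLv2 cipher set and RC4 for the agent-facing listener, and no `ssl_protocols` directive is set, so the proxy will negotiate whatever the nginx build permits by default; replace it with a modern policy along the lines of `ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers HIGH:!aNULL:!MD5;` (whatever the target nginx/OpenSSL supports) and add `ssl_prefer_server_ciphers on;`. With `ssl_verify_client on` there is also no `ssl_crl`, so a client certificate the Puppet CA has revoked is still accepted by nginx and handed to the upstream as `X-Client-Verify SUCCESS`, silently bypassing the CA's revocation list; point `ssl_crl` at the CA's CRL file next to the `ca_crt.pem` path used on the `ssl_client_certificate` line (confirm the exact filename in the Puppet CA directory). Separately, the second server block reads `<%= $nonssl_port %>` while the define declares `$non_ssl_port`, and Puppet ERB templates expose manifest variables as Ruby locals (`<%= non_ssl_port %>`) rather than `$`-prefixed names, so every `<%= $... %>` here (including `worker_processes`, `worker_connections`, `ssl_port` and the `$puppetmaster_servers.each` loop) is likely to render empty or raise; the hard-coded `/Library/Puppet/Generated/Server/SSL/` certificate paths also do not match the Debian-style `www-data`/`sites-available` layout the manifest targets and should become define parameters.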