authorSilvio Rhatto <rhatto@riseup.net>2014-03-07 22:12:58 -0300
committerSilvio Rhatto <rhatto@riseup.net>2014-03-07 22:12:58 -0300
commit8118ad3c0c39c65a97530ca6c5dda4da590d5aa1 (patch)
tree8deca7ce1c664131d6dc03d59e6726573765e63d
parentb649e95885719b4f39ba17a1a9bdbc1f35d02c72 (diff)
downloadpuppet-puppet-8118ad3c0c39c65a97530ca6c5dda4da590d5aa1.tar.gz
puppet-puppet-8118ad3c0c39c65a97530ca6c5dda4da590d5aa1.tar.bz2
Manage passenger vhost
-rw-r--r--manifests/master/passenger.pp13
-rw-r--r--templates/passenger.erb43
2 files changed, 56 insertions, 0 deletions
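--- a/manifests/master/passenger.pp
+++ b/manifests/master/passenger.pp
@@ -20,4 +20,17 @@ class puppet::master::passenger {
 package { 'puppetmaster-passenger':
 ensure => installed,
 }
+
+ $listen = hiera('puppet::daemon::port', '8140')
+ $certname = hiera('puppet::master::certname', "puppet.${::domain}")
+
+ # manage puppetmaster vhost
+ file { '/etc/apache2/sites-available/puppetmaster':
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => 0644,
+ content => template("puppet/passenger.erb"),
+ notify => Service['apache'],
+ }
 }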
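Review bot: The file mode on the new vhost resource is written as the bare number `0644`; Puppet's own style guidance is to quote modes so they reach the file type as the octal string it expects, `mode => '0644',`. The `template("puppet/passenger.erb")` argument contains no interpolation, so single quotes would match the rest of the hunk. Nothing in the hunk links the site into sites-enabled or declares `Service['apache']`; presumably the puppetmaster-passenger package and an earlier part of the class take care of both, but a short comment on the resource saying so would save the next reader the search. The enclosing class puppet::master::passenger starts outside the hunk.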
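--- /dev/null
+++ b/templates/passenger.erb
@@ -0,0 +1,43 @@
+# You probably want to tune these settings
+PassengerHighPerformance on
+PassengerMaxPoolSize 12
+PassengerPoolIdleTime 1500
+# PassengerMaxRequests 1000
+PassengerStatThrottleRate 120
+RackAutoDetect Off
+RailsAutoDetect Off
+
+Listen <%= listen %>
+
+<VirtualHost *:<%= listen %>>
+ SSLEngine on
+ SSLProtocol -ALL +SSLv3 +TLSv1
+ SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
+
+ SSLCertificateFile /var/lib/puppetmaster/ssl/certs/<%= certname %>.pem
+ SSLCertificateKeyFile /var/lib/puppetmaster/ssl/private_keys/<%= certname %>.pem
+ SSLCertificateChainFile /var/lib/puppetmaster/ssl/certs/ca.pem
+ SSLCACertificateFile /var/lib/puppetmaster/ssl/certs/ca.pem
+ # If Apache complains about invalid signatures on the CRL, you can try disabling
+ # CRL checking by commenting the next line, but this is not recommended.
+ SSLCARevocationFile /var/lib/puppetmaster/ssl/ca/ca_crl.pem
+ SSLVerifyClient optional
+ SSLVerifyDepth 1
+ SSLOptions +StdEnvVars
+
+ # This header needs to be set if using a loadbalancer or proxy
+ RequestHeader unset X-Forwarded-For
+
+ RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
+ RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
+ RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
+
+ DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
+ RackBaseURI /
+ <Directory /usr/share/puppet/rack/puppetmasterd/>
+ Options None
+ AllowOverride None
+ Order allow,deny
+ allow from all
+ </Directory>
+</VirtualHost>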
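Review bot: The TLS settings in the new vhost explicitly re-enable SSLv3 (`SSLProtocol -ALL +SSLv3 +TLSv1`), and the cipher string's `+HIGH:+MEDIUM` moves the strong suites to the end of the list, so as written RC4 suites are preferred on an endpoint that authenticates agents by client certificate and carries catalogs. Restricting to TLS and strong ciphers would be `SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2`, `SSLCipherSuite HIGH:!aNULL:!RC4:!MD5:!EXP:!LOW` and `SSLHonorCipherOrder on`, with the TLSv1.1/1.2 tokens only accepted by Apache and OpenSSL builds that support them. The template reads `listen` and `certname` as bare ERB locals; the `@listen`/`@certname` form is what Puppet documents for templates, though the bare form presumably still resolves on the Puppet release this module targets. The `Order allow,deny` / `allow from all` block is Apache 2.2 syntax and is not honoured by Apache 2.4 without mod_access_compat, so the intended Apache version is worth stating in the header comment.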