From 8118ad3c0c39c65a97530ca6c5dda4da590d5aa1 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Fri, 7 Mar 2014 22:12:58 -0300 Subject: Manage passenger vhost --- manifests/master/passenger.pp | 13 +++++++++++++ templates/passenger.erb | 43 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 56 insertions(+) create mode 100644 templates/passenger.erb diff --git a/manifests/master/passenger.pp b/manifests/master/passenger.pp index bbb0cb8..f0df446 100644 --- a/manifests/master/passenger.pp +++ b/manifests/master/passenger.pp @@ -20,4 +20,17 @@ class puppet::master::passenger { package { 'puppetmaster-passenger': ensure => installed, } + + $listen = hiera('puppet::daemon::port', '8140') + $certname = hiera('puppet::master::certname', "puppet.${::domain}") + + # manage puppetmaster vhost + file { '/etc/apache2/sites-available/puppetmaster': + ensure => present, + owner => root, + group => root, + mode => 0644, + content => template("puppet/passenger.erb"), + notify => Service['apache'], + } } diff --git a/templates/passenger.erb b/templates/passenger.erb new file mode 100644 index 0000000..b58b4c8 --- /dev/null +++ b/templates/passenger.erb 
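Review bot: `$listen` and `$certname` are taken straight from hiera and interpolated into the template's `Listen` directive and into the `SSLCertificateFile`/`SSLCertificateKeyFile` paths, and the new `file` resource does no validation, so a mistyped or hostile hiera value (a non-numeric port, a certname containing `/`, `..` or whitespace) yields a vhost that points outside `/var/lib/puppetmaster/ssl` or fails to parse. I would add `validate_re($listen, '^[0-9]+$')` and `validate_re($certname, '^[A-Za-z0-9._-]+$')` (puppetlabs-stdlib) directly after the two lookups, or an equivalent `unless $listen =~ /^[0-9]+$/ { fail('puppet::daemon::port must be numeric') }` if stdlib is not available in this module. The resource also has no `require => Package['puppetmaster-passenger']`, so on a fresh host the vhost can be written before the package that presumably ships the Rack application under `/usr/share/puppet/rack/puppetmasterd` is installed; the explicit ordering is cheap. Nothing in this hunk links the site into `sites-enabled`, so unless the package or another resource does that Apache will not load the file, and `mode => 0644` should be the quoted string `'0644'` for forward compatibility. The enclosing class `puppet::master::passenger` begins before this hunk.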
@@ -0,0 +1,43 @@ +# You probably want to tune these settings +PassengerHighPerformance on +PassengerMaxPoolSize 12 +PassengerPoolIdleTime 1500 +# PassengerMaxRequests 1000 +PassengerStatThrottleRate 120 +RackAutoDetect Off +RailsAutoDetect Off + +Listen <%= listen %> + +> + SSLEngine on + SSLProtocol -ALL +SSLv3 +TLSv1 + SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP + + SSLCertificateFile /var/lib/puppetmaster/ssl/certs/<%= certname %>.pem + SSLCertificateKeyFile /var/lib/puppetmaster/ssl/private_keys/<%= certname %>.pem + SSLCertificateChainFile /var/lib/puppetmaster/ssl/certs/ca.pem + SSLCACertificateFile /var/lib/puppetmaster/ssl/certs/ca.pem + # If Apache complains about invalid signatures on the CRL, you can try disabling + # CRL checking by commenting the next line, but this is not recommended. + SSLCARevocationFile /var/lib/puppetmaster/ssl/ca/ca_crl.pem + SSLVerifyClient optional + SSLVerifyDepth 1 + SSLOptions +StdEnvVars + + # This header needs to be set if using a loadbalancer or proxy + RequestHeader unset X-Forwarded-For + + RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e + RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e + RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e + + DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/ + RackBaseURI / + + Options None + AllowOverride None + Order allow,deny + allow from all + + -- cgit v1.2.3
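Review bot: `SSLProtocol -ALL +SSLv3 +TLSv1` and `SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP` in the new vhost enable SSLv3 and put RC4 at the front of the cipher list, both of which are considered broken, on the endpoint that authenticates every agent by client certificate. I would change them to `SSLProtocol all -SSLv2 -SSLv3`, `SSLCipherSuite HIGH:!aNULL:!RC4:!MD5` and add `SSLHonorCipherOrder on`, keeping TLSv1 only if old Ruby agents still require it. `SSLCARevocationFile` alone only loads the CRL; if this targets Apache 2.4 the revocation check is off unless `SSLCARevocationCheck chain` is also set, so the comment's "not recommended" protection would not actually be active, and `Order allow,deny` / `allow from all` is 2.2 syntax that needs `Require all granted` on 2.4. Bare `<%= listen %>` and `<%= certname %>` rely on Puppet's deprecated method-missing variable lookup in templates; `<%= @listen %>` and `<%= @certname %>` are the supported form. The `<VirtualHost>` and `<Directory>` tags appear to have been stripped from the rendered hunk (only a stray `>` survives after `Listen`), so their contents could not be reviewed here.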