diff --git a/.fixtures.yml b/.fixtures.yml
index edc621c..190521d 100644
--- a/.fixtures.yml
+++ b/.fixtures.yml
@@ -1,6 +1,7 @@
 fixtures:
 forge_modules:
- stdlib: "puppetlabs/stdlib"
 concat: "puppetlabs/concat"
- symlinks:
- hitch: "#{source_dir}"
+ inifile: "puppetlabs/inifile"
+ stdlib: "puppetlabs/stdlib"
+ systemd: "camptocamp/systemd"
+ translate: "puppetlabs/translate"
diff --git a/data/common.yaml b/data/common.yaml
index 38edb15..7e3832e 100644
--- a/data/common.yaml
+++ b/data/common.yaml
@@ -1,16 +1,19 @@
 ---
 hitch::package_name: "hitch"
 hitch::service_name: "hitch"
 hitch::config_root: "/etc/hitch"
 hitch::config_file: "/etc/hitch/hitch.conf"
 hitch::dhparams_file: "/etc/hitch/dhparams.pem"
 hitch::dhparams_content: :undef
 hitch::purge_config_root: false
 hitch::file_owner: "root"
 hitch::frontend: "[*]:443"
 hitch::backend: "[::1]:80"
 hitch::write_proxy_v2: "off"
 hitch::ciphers: "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
-hitch::prefer_server_ciphers: "on"
 hitch::domains: {}
 hitch::manage_repo: false
+hitch::workers: "auto"
+hitch::prefer_server_ciphers: "on"
+hitch::alpn_protos: "http/1.1"
+hitch::tls_protos: :undef
diff --git a/manifests/config.pp b/manifests/config.pp
index a917351..0ff4c31 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
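Review bot: The four forge_modules entries added here (`inifile`, `stdlib`, `systemd`, `translate`) are unpinned, so every test run fetches whatever the Forge currently serves and a new upstream release can silently change or break the fixture set. The fixtures format accepts a `repo:`/`ref:` pair per module, e.g. `systemd:` / `  repo: "camptocamp/systemd"` / `  ref: "<pinned-version>"`, which makes the test dependency set reproducible. The removed `symlinks: hitch: "#{source_dir}"` entry presumably relies on the spec helper auto-linking the module under test; confirm that against the puppetlabs_spec_helper version in use. The new modules (systemd in particular, since manifests/service.pp now declares `systemd::dropin_file`) should also appear in metadata.json dependencies, which this diff does not show.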
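Review bot: `hitch::tls_protos: :undef` depends on the Ruby symbol `:undef` being mapped to Puppet undef by the Hiera backend; the existing `hitch::dhparams_content: :undef` line follows the same convention, so it is consistent, but it should be confirmed for the targeted Puppet version, because if the value arrives as the string `":undef"` the template's `<% if @tls_protos %>` guard passes and hitch.conf gets a literal `tls-protos = :undef`. Leaving the key unset also defers protocol selection to hitch's compiled-in default, which on older hitch releases may be broader than an operator expects; a short comment on the line, e.g. `# unset: hitch's built-in tls-protos default applies`, would make that explicit for whoever sets it.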
@@ -1,63 +1,78 @@ # == Class hitch::config # # This class is called from hitch for service config. # # @api private class hitch::config ( Stdlib::Absolutepath $config_root, Stdlib::Absolutepath $config_file, Stdlib::Absolutepath $dhparams_file, Boolean $purge_config_root, String $file_owner, String $user, String $group, - Optional[String] $dhparams_content, Enum['on','off'] $write_proxy_v2, - String $frontend, + Variant[String, Array] $frontend, String $backend, String $ciphers, + Variant[Integer, Enum['auto']] $workers, + Enum['on','off'] $prefer_server_ciphers, + Optional[String] $dhparams_content = undef, + Optional[String] $alpn_protos = undef, + Optional[String] $tls_protos = undef, ) { + case $frontend { + Array: { + $frontend_array = $frontend + } + String: { + $frontend_string = $frontend + } + default: { + fail('invalid frontend') + } + } + file { $config_root: ensure => directory, recurse => true, purge => $purge_config_root, owner => $file_owner, group => $group, mode => '0750', } concat { $config_file: ensure => present, } if $dhparams_content { file { $dhparams_file: ensure => present, owner => $file_owner, group => $group, mode => '0640', content => $dhparams_content, } } else { exec { "${title} generate dhparams": path => '/usr/local/bin:/usr/bin:/bin', command => "openssl dhparam -out ${dhparams_file} 2048", creates => $dhparams_file, } -> file { $dhparams_file: ensure => present, owner => $file_owner, group => $group, mode => '0640', } } concat::fragment { "${title} config": content => template('hitch/hitch.conf.erb'), target => $config_file, } - } diff --git a/manifests/init.pp b/manifests/init.pp index 9b5cb56..c4b167b 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
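Review bot: `Variant[String, Array] $frontend` admits an empty array and non-string elements, so `frontend: []` compiles cleanly but the `case` sets `$frontend_array` to `[]` and the rendered hitch.conf contains no `frontend` line at all; the `default: { fail('invalid frontend') }` branch, meanwhile, can never be reached because the type already excludes every other value. Tightening the declaration to `Variant[String[1], Array[String[1], 1]] $frontend,` rejects both cases at compile time and lets the `default` branch go; the matching parameter in manifests/init.pp (the `Variant[String, Array] $frontend,` line of that hunk) should be tightened the same way. The case also leaves whichever of `$frontend_string`/`$frontend_array` was not matched unset, and the template relies on that being nil in ERB — worth a one-line comment above the case such as `# exactly one of $frontend_string / $frontend_array is set; the template checks both`.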
@@ -1,92 +1,100 @@ # Class: hitch # =========================== # # Full description of class hitch here. # # Parameters # ---------- # # @param package_name [String] # Package name for installing hitch. # # @param service_name [String] # Service name for the hitch service. # # @param user [String] # User running the service. # # @param group [String] # Group running the service. # # @param file_owner [String] # User owning the configuration files. Defaults to "root". # # @param dhparams_file [Stdlib::Absolutepath] # Path to file for Diffie-Hellman parameters, which are shared # by all domains. # # @param dhparams_content [Optional[String]] # Content for the DH parameter file. If unset, DH parameters will # be generated on the node, which may take a long time. # # @param config_root [Stdlib::Absolutepath] # Configuration root directory. Default: /etc/hitch/ # # @param purge_config_root [Boolean] # If true, will delete all unmanaged files from the config_root. # Defaults to false. # -# @param frontend[String] -# The listening frontend for hitch. +# @param frontend[Variant[String, Array]] +# The listening frontend(s) for hitch. # # @param manage_repo [Boolean] # If true, install the EPEL repository on RedHat OS family. 
# class hitch ( String $package_name, String $service_name, String $user, String $group, String $file_owner, Stdlib::Absolutepath $config_file, Stdlib::Absolutepath $dhparams_file, Stdlib::Absolutepath $config_root, Boolean $purge_config_root, - String $frontend, + Variant[String, Array] $frontend, String $backend, Enum['on', 'off'] $write_proxy_v2, String $ciphers, Optional[Hash] $domains, Optional[String] $dhparams_content, Boolean $manage_repo, + Variant[Integer, Enum['auto']] $workers, + Enum['on','off'] $prefer_server_ciphers, + Optional[String] $alpn_protos, + Optional[String] $tls_protos, ) { class { '::hitch::install': package => $package_name, manage_repo => $manage_repo, } -> class { '::hitch::config': - config_root => $config_root, - config_file => $config_file, - dhparams_file => $dhparams_file, - dhparams_content => $dhparams_content, - purge_config_root => $purge_config_root, - file_owner => $file_owner, - user => $user, - group => $group, - frontend => $frontend, - backend => $backend, - write_proxy_v2 => $write_proxy_v2, - ciphers => $ciphers, + config_root => $config_root, + config_file => $config_file, + dhparams_file => $dhparams_file, + dhparams_content => $dhparams_content, + purge_config_root => $purge_config_root, + file_owner => $file_owner, + user => $user, + group => $group, + frontend => $frontend, + backend => $backend, + write_proxy_v2 => $write_proxy_v2, + ciphers => $ciphers, + workers => $workers, + prefer_server_ciphers => $prefer_server_ciphers, + alpn_protos => $alpn_protos, + tls_protos => $tls_protos, } ~> class { '::hitch::service': service_name => $service_name, } -> Class['::hitch'] $domains.each |$domain_title, $domain_params| { hitch::domain { $domain_title: * => $domain_params, } } } diff --git a/manifests/service.pp b/manifests/service.pp index 32f9576..f67c1e0 100644 --- a/manifests/service.pp +++ b/manifests/service.pp 
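Review bot: The four new parameters `workers`, `prefer_server_ciphers`, `alpn_protos` and `tls_protos` are added to the class signature but not to the `@param` list in the header comment, which is the only place this module documents its interface (the header already updates `frontend`, so the convention is in place). Each should get a `@param name [Type]` entry describing what it controls: `workers` as the number of hitch worker processes with `'auto'` meaning the value is taken from the `processors.count` fact, `prefer_server_ciphers` as the `on`/`off` switch for the `prefer-server-ciphers` setting, and `alpn_protos`/`tls_protos` as the optional `alpn-protos`/`tls-protos` values that are omitted from hitch.conf when unset. `tls_protos` in particular deserves a sentence saying that leaving it unset means hitch's own default protocol list applies, since that is the security-relevant choice an operator is making.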
@@ -1,16 +1,22 @@ # == Class hitch::service # # This class is meant to be called from hitch. # It ensure the service is running. # class hitch::service ( String $service_name, ) { service { $service_name: ensure => running, enable => true, hasstatus => true, hasrestart => true, } + + # configure hitch.service + systemd::dropin_file { 'limits.conf': + unit => 'hitch.service', + content => template('hitch/limits.conf.erb'), + } } diff --git a/spec/classes/config_spec.rb b/spec/classes/config_spec.rb index 31f7540..9d4d7c1 100644 --- a/spec/classes/config_spec.rb +++ b/spec/classes/config_spec.rb 
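Review bot: The new `systemd::dropin_file` hard-codes `unit => 'hitch.service'` while the class is parameterised on `$service_name` two resources above, so a non-default service name gets a drop-in attached to the wrong unit; it should read `unit => "${service_name}.service",`. Nothing here ties the drop-in to the service resource either, so unless `systemd::dropin_file` notifies the unit itself the raised `LimitNOFILE` only takes effect at the next unrelated restart — adding `notify => Service[$service_name],` would make the ordering and restart explicit. The limit value itself (65536) lives as a literal in templates/limits.conf.erb with no parameter exposing it; that is acceptable for a first cut but worth a comment on the resource saying so. This also assumes every supported OS runs systemd, which the class does not check.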
@@ -1,34 +1,52 @@ require 'spec_helper' describe 'hitch::config' do on_supported_os.each do |os, os_facts| context "on #{os}" do let(:facts) { os_facts } let(:params) do { config_root: '/etc/hitch', config_file: '/etc/hitch/hitch.conf', dhparams_file: '/etc/hitch/dhparams.pem', purge_config_root: true, file_owner: 'root', user: 'hitch', group: 'hitch', dhparams_content: :undef, write_proxy_v2: 'off', frontend: '[*]:443', backend: '[::1]:80', ciphers: 'MODERN', + workers: 'auto', + prefer_server_ciphers: 'on', } end - it { is_expected.to compile } - it { is_expected.to contain_file('/etc/hitch') } + context 'defaults' do + it { is_expected.to compile } + it { is_expected.to contain_file('/etc/hitch') } - it { is_expected.to contain_concat('/etc/hitch/hitch.conf') } - it { is_expected.to contain_concat__fragment('hitch::config config') } + it { is_expected.to contain_concat('/etc/hitch/hitch.conf') } + it { is_expected.to contain_concat__fragment('hitch::config config') } - it { is_expected.to contain_file('/etc/hitch/dhparams.pem') } - it { is_expected.to contain_exec('hitch::config generate dhparams') } + it { is_expected.to contain_file('/etc/hitch/dhparams.pem') } + it { is_expected.to contain_exec('hitch::config generate dhparams') } + end + + context 'with frontend as array of strings' do + let(:params) do + super().merge(frontend: ['[192.0.2.1]:443', '[192.0.2.2]:443']) + end + + it { is_expected.to compile } + it { is_expected.to contain_concat('/etc/hitch/hitch.conf') } + it { + is_expected.to contain_concat__fragment('hitch::config config') + .with_content(%r{^frontend = "\[192\.0\.2\.1\]:443"$}) + .with_content(%r{^frontend = "\[192\.0\.2\.2\]:443"$}) + } + end end end end diff --git a/templates/hitch.conf.erb b/templates/hitch.conf.erb index 094ffd7..a304e2b 100644 --- a/templates/hitch.conf.erb +++ b/templates/hitch.conf.erb 
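Review bot: The new contexts only exercise the array form of `frontend`; none of the other settings this change introduces (`workers`, `tls_protos`, `alpn_protos`, `prefer_server_ciphers`) has an assertion on the rendered content, so a regression in the template's `workers` branch or in the quoting of `alpn-protos` would pass this spec. A third context that sets those parameters to explicit values and matches the rendered lines would cover the new template paths with the same `super().merge` pattern already used here (the sample values below are constructed for the test).
```ruby
      context 'with explicit workers and protocol settings' do
        let(:params) do
          super().merge(workers: 4, tls_protos: 'TLSv1.2 TLSv1.3', alpn_protos: 'h2,http/1.1')
        end

        it {
          is_expected.to contain_concat__fragment('hitch::config config')
            .with_content(%r{^workers = 4$})
            .with_content(%r{^tls-protos = TLSv1\.2 TLSv1\.3$})
            .with_content(%r{^alpn-protos = "h2,http/1\.1"$})
            .with_content(%r{^prefer-server-ciphers = on$})
        }
      end
```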
@@ -1,15 +1,35 @@ # Configuration for hitch user = "<%= @user %>" group = "<%= @group %>" -frontend = "<%= @frontend %>" +<% if @frontend_string -%> +frontend = "<%= @frontend_string %>" +<% end -%> +<% if @frontend_array -%> +<% @frontend_array.each do |frontend| -%> +frontend = "<%= frontend %>" +<% end -%> +<% end -%> backend = "<%= @backend %>" - +<% if @workers == 'auto' && @facts['processors']['count'] -%> +workers = <%= @facts['processors']['count'] %> +<% elsif @workers.respond_to?(:to_i) -%> +workers = <%= @workers %> +<% end -%> <% if @write_proxy_v2 == "on" -%> # use the PROXY v2 protocol to communicate with backend write-proxy-v2 = "<%= @write_proxy_v2 %>" <% end -%> - +<% if @alpn_protos -%> +alpn-protos = "<%= @alpn_protos %>" +<% end -%> +<% if @tls_protos %> +tls-protos = <%= @tls_protos %> +<% end -%> +<% if @ciphers.length > 0 -%> # Define a cipher list for communication ciphers = "<%= @ciphers %>" -prefer-server-ciphers = on +<% end -%> +<% if @prefer_server_ciphers -%> +prefer-server-ciphers = <%= @prefer_server_ciphers %> +<% end -%> diff --git a/templates/limits.conf.erb b/templates/limits.conf.erb new file mode 100644 index 0000000..0a7dd67 --- /dev/null +++ b/templates/limits.conf.erb @@ -0,0 +1,2 @@ +[Service] +LimitNOFILE=65536
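Review bot: The `workers` block falls through incorrectly: `@workers.respond_to?(:to_i)` is true for every String, so when `@workers == 'auto'` but the `processors.count` fact is absent the `elsif` still fires and hitch.conf gets a literal `workers = auto`; and when the `processors` fact is missing entirely, `@facts['processors']['count']` raises on nil and fails the whole catalog. Changing the two guards to `<% if @workers == 'auto' && @facts['processors'] && @facts['processors']['count'] -%>` and `<% elsif @workers != 'auto' -%>` emits a `workers` line only for an explicit integer or a resolvable fact and otherwise leaves hitch's default in place. Separately, `<% if @tls_protos %>` is the only tag in the file without the `-%>` trim, which leaves a stray blank line in the output; `<% if @tls_protos -%>` matches the rest. `<% if @ciphers.length > 0 -%>` reads more naturally as `<% unless @ciphers.empty? -%>`.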