diff --git a/data/common.yaml b/data/common.yaml
index 38edb15..7e3832e 100644
--- a/data/common.yaml
+++ b/data/common.yaml
@@ -1,16 +1,19 @@
 ---
 hitch::package_name: "hitch"
 hitch::service_name: "hitch"
 hitch::config_root: "/etc/hitch"
 hitch::config_file: "/etc/hitch/hitch.conf"
 hitch::dhparams_file: "/etc/hitch/dhparams.pem"
 hitch::dhparams_content: :undef
 hitch::purge_config_root: false
 hitch::file_owner: "root"
 hitch::frontend: "[*]:443"
 hitch::backend: "[::1]:80"
 hitch::write_proxy_v2: "off"
 hitch::ciphers: "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
-hitch::prefer_server_ciphers: "on"
 hitch::domains: {}
 hitch::manage_repo: false
+hitch::workers: "auto"
+hitch::prefer_server_ciphers: "on"
+hitch::alpn_protos: "http/1.1"
+hitch::tls_protos: :undef
diff --git a/manifests/config.pp b/manifests/config.pp
index a917351..4ecc10e 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
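Review bot: The new `hitch::workers: "auto"` default gives no hint that a numeric override must be unquoted; the parameter type added in this commit is `Variant[Integer, Enum['auto']]`, and a Hiera value of `"4"` is a String that matches neither alternative, so the catalog fails at type check. A one-line comment above the key would prevent that, e.g. `# either the string "auto" (one worker per processor) or an unquoted integer`. The same applies to `hitch::tls_protos: :undef`, where a short comment stating that undef omits the `tls-protos` directive entirely would make the default explicit.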
@@ -1,63 +1,74 @@ # == Class hitch::config # # This class is called from hitch for service config. # # @api private class hitch::config ( Stdlib::Absolutepath $config_root, Stdlib::Absolutepath $config_file, Stdlib::Absolutepath $dhparams_file, Boolean $purge_config_root, String $file_owner, String $user, String $group, Optional[String] $dhparams_content, Enum['on','off'] $write_proxy_v2, - String $frontend, + Variant[String, Array] $frontend, String $backend, String $ciphers, + Variant[Integer, Enum['auto']] $workers, + Enum['on','off'] $prefer_server_ciphers, + Optional[String] $alpn_protos, + Optional[String] $tls_protos, ) { + if is_array($frontend) { + $frontend_array = $frontend + } elsif is_string($frontend) { + $frontend_string = $frontend + } else { + notify {'invalid $frontend': } + } + file { $config_root: ensure => directory, recurse => true, purge => $purge_config_root, owner => $file_owner, group => $group, mode => '0750', } concat { $config_file: ensure => present, } if $dhparams_content { file { $dhparams_file: ensure => present, owner => $file_owner, group => $group, mode => '0640', content => $dhparams_content, } } else { exec { "${title} generate dhparams": path => '/usr/local/bin:/usr/bin:/bin', command => "openssl dhparam -out ${dhparams_file} 2048", creates => $dhparams_file, } -> file { $dhparams_file: ensure => present, owner => $file_owner, group => $group, mode => '0640', } } concat::fragment { "${title} config": content => template('hitch/hitch.conf.erb'), target => $config_file, } - } diff --git a/manifests/init.pp b/manifests/init.pp index 9b5cb56..c4b167b 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
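Review bot: The `else` branch of the new `$frontend` dispatch at the top of the class body only emits a `notify`, which does not abort the catalog, so an unexpected value would silently produce a hitch.conf with no `frontend` line at all; it should `fail()` instead. The branch is also unreachable as written, because the new signature already constrains `$frontend` to `Variant[String, Array]`, and `is_array`/`is_string` are the stdlib functions that were deprecated in favour of exactly these data types. A `case` on the data type expresses the same dispatch without the stdlib dependency, and tightening the signature to `Variant[String, Array[String]]` (here and in init.pp) keeps non-string entries out of the template.
```puppet
class hitch::config (
  # … unchanged: parameter list …
) {
  # $frontend is already constrained by the signature; match on the data type
  # rather than the deprecated stdlib is_array()/is_string() predicates.
  case $frontend {
    Array:   { $frontend_array  = $frontend }
    String:  { $frontend_string = $frontend }
    default: { fail('hitch::config: $frontend must be a String or an Array of Strings') }
  }
  # … unchanged: file, concat, dhparams and concat::fragment resources …
```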
@@ -1,92 +1,100 @@ # Class: hitch # =========================== # # Full description of class hitch here. # # Parameters # ---------- # # @param package_name [String] # Package name for installing hitch. # # @param service_name [String] # Service name for the hitch service. # # @param user [String] # User running the service. # # @param group [String] # Group running the service. # # @param file_owner [String] # User owning the configuration files. Defaults to "root". # # @param dhparams_file [Stdlib::Absolutepath] # Path to file for Diffie-Hellman parameters, which are shared # by all domains. # # @param dhparams_content [Optional[String]] # Content for the DH parameter file. If unset, DH parameters will # be generated on the node, which may take a long time. # # @param config_root [Stdlib::Absolutepath] # Configuration root directory. Default: /etc/hitch/ # # @param purge_config_root [Boolean] # If true, will delete all unmanaged files from the config_root. # Defaults to false. # -# @param frontend[String] -# The listening frontend for hitch. +# @param frontend[Variant[String, Array]] +# The listening frontend(s) for hitch. # # @param manage_repo [Boolean] # If true, install the EPEL repository on RedHat OS family. 
# class hitch ( String $package_name, String $service_name, String $user, String $group, String $file_owner, Stdlib::Absolutepath $config_file, Stdlib::Absolutepath $dhparams_file, Stdlib::Absolutepath $config_root, Boolean $purge_config_root, - String $frontend, + Variant[String, Array] $frontend, String $backend, Enum['on', 'off'] $write_proxy_v2, String $ciphers, Optional[Hash] $domains, Optional[String] $dhparams_content, Boolean $manage_repo, + Variant[Integer, Enum['auto']] $workers, + Enum['on','off'] $prefer_server_ciphers, + Optional[String] $alpn_protos, + Optional[String] $tls_protos, ) { class { '::hitch::install': package => $package_name, manage_repo => $manage_repo, } -> class { '::hitch::config': - config_root => $config_root, - config_file => $config_file, - dhparams_file => $dhparams_file, - dhparams_content => $dhparams_content, - purge_config_root => $purge_config_root, - file_owner => $file_owner, - user => $user, - group => $group, - frontend => $frontend, - backend => $backend, - write_proxy_v2 => $write_proxy_v2, - ciphers => $ciphers, + config_root => $config_root, + config_file => $config_file, + dhparams_file => $dhparams_file, + dhparams_content => $dhparams_content, + purge_config_root => $purge_config_root, + file_owner => $file_owner, + user => $user, + group => $group, + frontend => $frontend, + backend => $backend, + write_proxy_v2 => $write_proxy_v2, + ciphers => $ciphers, + workers => $workers, + prefer_server_ciphers => $prefer_server_ciphers, + alpn_protos => $alpn_protos, + tls_protos => $tls_protos, } ~> class { '::hitch::service': service_name => $service_name, } -> Class['::hitch'] $domains.each |$domain_title, $domain_params| { hitch::domain { $domain_title: * => $domain_params, } } } diff --git a/manifests/service.pp b/manifests/service.pp index 32f9576..f67c1e0 100644 --- a/manifests/service.pp +++ b/manifests/service.pp 
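Review bot: The four parameters added to the class signature (`workers`, `prefer_server_ciphers`, `alpn_protos`, `tls_protos`) have no `@param` entries in the header comment, although this hunk edits that header for `frontend`. Each needs an entry in the existing style, stating the type and what the value does: that `workers` is either the string `auto` (resolved from the processor count at compile time) or an integer, that `prefer_server_ciphers` takes `on`/`off`, and that `alpn_protos` and `tls_protos` are written verbatim into hitch.conf and are omitted when undef. Since `tls_protos` is passed through to the config unquoted and unvalidated, documenting the accepted value format there (or narrowing the type from `Optional[String]` to a `Pattern`) would also catch typos before hitch refuses to start. The `frontend` entry could likewise name the element type once the signature is tightened to `Variant[String, Array[String]]`.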
@@ -1,16 +1,22 @@ # == Class hitch::service # # This class is meant to be called from hitch. # It ensure the service is running. # class hitch::service ( String $service_name, ) { service { $service_name: ensure => running, enable => true, hasstatus => true, hasrestart => true, } + + # configure hitch.service + systemd::dropin_file { 'limits.conf': + unit => 'hitch.service', + content => template('hitch/limits.conf.erb'), + } } diff --git a/templates/hitch.conf.erb b/templates/hitch.conf.erb index 094ffd7..a304e2b 100644 --- a/templates/hitch.conf.erb +++ b/templates/hitch.conf.erb @@ -1,15 +1,35 @@ # Configuration for hitch user = "<%= @user %>" group = "<%= @group %>" -frontend = "<%= @frontend %>" +<% if @frontend_string -%> +frontend = "<%= @frontend_string %>" +<% end -%> +<% if @frontend_array -%> +<% @frontend_array.each do |frontend| -%> +frontend = "<%= frontend %>" +<% end -%> +<% end -%> backend = "<%= @backend %>" - +<% if @workers == 'auto' && @facts['processors']['count'] -%> +workers = <%= @facts['processors']['count'] %> +<% elsif @workers.respond_to?(:to_i) -%> +workers = <%= @workers %> +<% end -%> <% if @write_proxy_v2 == "on" -%> # use the PROXY v2 protocol to communicate with backend write-proxy-v2 = "<%= @write_proxy_v2 %>" <% end -%> - +<% if @alpn_protos -%> +alpn-protos = "<%= @alpn_protos %>" +<% end -%> +<% if @tls_protos %> +tls-protos = <%= @tls_protos %> +<% end -%> +<% if @ciphers.length > 0 -%> # Define a cipher list for communication ciphers = "<%= @ciphers %>" -prefer-server-ciphers = on +<% end -%> +<% if @prefer_server_ciphers -%> +prefer-server-ciphers = <%= @prefer_server_ciphers %> +<% end -%> diff --git a/templates/limits.conf.erb b/templates/limits.conf.erb new file mode 100644 index 0000000..0a7dd67 --- /dev/null +++ b/templates/limits.conf.erb @@ -0,0 +1,2 @@ +[Service] +LimitNOFILE=65536
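Review bot: The new `systemd::dropin_file { 'limits.conf': … }` hard-codes `unit => 'hitch.service'` even though the class receives `$service_name` and uses it for the `service` resource two lines above, so a non-default service name gets a drop-in for the wrong unit. There is also no relationship between the drop-in and the service, so a changed limit is not applied until the next unrelated restart (unless `systemd::dropin_file` establishes one itself, which this hunk does not show). The two lines I would change are `unit => "${service_name}.service",` and an added `notify => Service[$service_name],`. Note that this also makes the `systemd` module a hard dependency for every platform the module supports, which should be stated in the class comment or metadata.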
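Review bot: In the new `workers` block, `@facts['processors']['count']` raises inside the template when the structured `processors` fact is absent, because `nil['count']` is called before the `&&` short-circuits, and that aborts the catalog compile; `@facts.dig('processors', 'count')` avoids the exception. The `elsif @workers.respond_to?(:to_i)` fallback does not narrow anything, since every String responds to `to_i`, so on such a node the literal text `workers = auto` would be written; `elsif @workers.is_a?(Integer)` restricts the line to the integer case and otherwise omits it so hitch's own default applies. The two lines I would change are `<% if @workers == 'auto' && @facts.dig('processors', 'count') -%>` and `<% elsif @workers.is_a?(Integer) -%>`. Separately, `<% if @tls_protos %>` is the only tag in this file without `-%>`, which leaves a stray blank line in the rendered config.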
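Review bot: The new `limits.conf.erb` contains no ERB at all, so `LimitNOFILE=65536` is fixed for every node while being rendered through `template()` as if it were configurable. Either render it with `file(...)`/`source` to make the static nature explicit, or expose the value as a class parameter and interpolate it (`LimitNOFILE=<%= @nofile_limit %>`), which also lets the chosen limit be documented next to the other hitch defaults. A one-line comment at the top of the file stating why the descriptor limit is raised for hitch would help the next maintainer.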