diff --git a/manifests/config.pp b/manifests/config.pp
index bb5ac9e..bb55566 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -1,310 +1,297 @@ -# Class: nginx::config -# -# This module manages NGINX bootstrap and configuration -# -# Parameters: -# -# There are no default parameters for this class. -# -# Actions: -# -# Requires: -# -# Sample Usage: -# -# This class file is not called directly +# @summary Manage NGINX bootstrap and configuration +# @api private class nginx::config { assert_private() $client_body_temp_path = $nginx::client_body_temp_path $confd_only = $nginx::confd_only $confd_purge = $nginx::confd_purge $conf_dir = $nginx::conf_dir $daemon = $nginx::daemon $daemon_user = $nginx::daemon_user $daemon_group = $nginx::daemon_group $dynamic_modules = $nginx::dynamic_modules $global_owner = $nginx::global_owner $global_group = $nginx::global_group $global_mode = $nginx::global_mode $limit_req_zone = $nginx::limit_req_zone $log_dir = $nginx::log_dir $log_user = $nginx::log_user $log_group = $nginx::log_group $log_mode = $nginx::log_mode $http_access_log = $nginx::http_access_log $http_format_log = $nginx::http_format_log $nginx_error_log = $nginx::nginx_error_log $nginx_error_log_severity = $nginx::nginx_error_log_severity $pid = $nginx::pid $proxy_temp_path = $nginx::proxy_temp_path $root_group = $nginx::root_group $run_dir = $nginx::run_dir $sites_available_owner = $nginx::sites_available_owner $sites_available_group = $nginx::sites_available_group $sites_available_mode = $nginx::sites_available_mode $super_user = $nginx::super_user $temp_dir = $nginx::temp_dir $server_purge = $nginx::server_purge $absolute_redirect = $nginx::absolute_redirect $accept_mutex = $nginx::accept_mutex $accept_mutex_delay = $nginx::accept_mutex_delay $client_body_buffer_size = $nginx::client_body_buffer_size $client_max_body_size = $nginx::client_max_body_size $client_body_timeout = $nginx::client_body_timeout $send_timeout = $nginx::send_timeout $lingering_timeout = $nginx::lingering_timeout $lingering_close = $nginx::lingering_close $lingering_time = $nginx::lingering_time $etag = $nginx::etag 
$events_use = $nginx::events_use $debug_connections = $nginx::debug_connections $fastcgi_cache_inactive = $nginx::fastcgi_cache_inactive $fastcgi_cache_key = $nginx::fastcgi_cache_key $fastcgi_cache_keys_zone = $nginx::fastcgi_cache_keys_zone $fastcgi_cache_levels = $nginx::fastcgi_cache_levels $fastcgi_cache_max_size = $nginx::fastcgi_cache_max_size $fastcgi_cache_path = $nginx::fastcgi_cache_path $fastcgi_cache_use_stale = $nginx::fastcgi_cache_use_stale $gzip = $nginx::gzip $gzip_buffers = $nginx::gzip_buffers $gzip_comp_level = $nginx::gzip_comp_level $gzip_disable = $nginx::gzip_disable $gzip_min_length = $nginx::gzip_min_length $gzip_http_version = $nginx::gzip_http_version $gzip_proxied = $nginx::gzip_proxied $gzip_types = $nginx::gzip_types $gzip_vary = $nginx::gzip_vary $gzip_static = $nginx::gzip_static $http_raw_prepend = $nginx::http_raw_prepend $http_raw_append = $nginx::http_raw_append $http_cfg_prepend = $nginx::http_cfg_prepend $http_cfg_append = $nginx::http_cfg_append $http_tcp_nodelay = $nginx::http_tcp_nodelay $http_tcp_nopush = $nginx::http_tcp_nopush $keepalive_timeout = $nginx::keepalive_timeout $keepalive_requests = $nginx::keepalive_requests $log_format = $nginx::log_format $mail = $nginx::mail $mime_types_path = $nginx::mime_types_path $stream = $nginx::stream $mime_types = $nginx::mime_types_preserve_defaults ? 
{ true => merge($nginx::params::mime_types,$nginx::mime_types), default => $nginx::mime_types, } $multi_accept = $nginx::multi_accept $names_hash_bucket_size = $nginx::names_hash_bucket_size $names_hash_max_size = $nginx::names_hash_max_size $nginx_cfg_prepend = $nginx::nginx_cfg_prepend $proxy_buffers = $nginx::proxy_buffers $proxy_buffer_size = $nginx::proxy_buffer_size $proxy_busy_buffers_size = $nginx::proxy_busy_buffers_size $proxy_cache_inactive = $nginx::proxy_cache_inactive $proxy_cache_keys_zone = $nginx::proxy_cache_keys_zone $proxy_cache_levels = $nginx::proxy_cache_levels $proxy_cache_max_size = $nginx::proxy_cache_max_size $proxy_cache_path = $nginx::proxy_cache_path $proxy_cache_loader_files = $nginx::proxy_cache_loader_files $proxy_cache_loader_sleep = $nginx::proxy_cache_loader_sleep $proxy_cache_loader_threshold = $nginx::proxy_cache_loader_threshold $proxy_use_temp_path = $nginx::proxy_use_temp_path $proxy_connect_timeout = $nginx::proxy_connect_timeout $proxy_headers_hash_bucket_size = $nginx::proxy_headers_hash_bucket_size $proxy_http_version = $nginx::proxy_http_version $proxy_max_temp_file_size = $nginx::proxy_max_temp_file_size $proxy_read_timeout = $nginx::proxy_read_timeout $proxy_redirect = $nginx::proxy_redirect $proxy_send_timeout = $nginx::proxy_send_timeout $proxy_set_header = $nginx::proxy_set_header $proxy_hide_header = $nginx::proxy_hide_header $proxy_pass_header = $nginx::proxy_pass_header $sendfile = $nginx::sendfile $server_tokens = $nginx::server_tokens $spdy = $nginx::spdy $http2 = $nginx::http2 $ssl_buffer_size = $nginx::ssl_buffer_size $ssl_ciphers = $nginx::ssl_ciphers $ssl_crl = $nginx::ssl_crl $ssl_dhparam = $nginx::ssl_dhparam $ssl_ecdh_curve = $nginx::ssl_ecdh_curve $ssl_session_cache = $nginx::ssl_session_cache $ssl_session_timeout = $nginx::ssl_session_timeout $ssl_session_tickets = $nginx::ssl_session_tickets $ssl_session_ticket_key = $nginx::ssl_session_ticket_key $ssl_stapling = $nginx::ssl_stapling 
$ssl_stapling_file = $nginx::ssl_stapling_file $ssl_stapling_responder = $nginx::ssl_stapling_responder $ssl_stapling_verify = $nginx::ssl_stapling_verify $ssl_trusted_certificate = $nginx::ssl_trusted_certificate $ssl_password_file = $nginx::ssl_password_file $ssl_prefer_server_ciphers = $nginx::ssl_prefer_server_ciphers $ssl_protocols = $nginx::ssl_protocols $ssl_verify_depth = $nginx::ssl_verify_depth $types_hash_bucket_size = $nginx::types_hash_bucket_size $types_hash_max_size = $nginx::types_hash_max_size $worker_connections = $nginx::worker_connections $worker_processes = $nginx::worker_processes $worker_rlimit_nofile = $nginx::worker_rlimit_nofile $include_modules_enabled = $nginx::include_modules_enabled # Non-configurable settings $conf_template = 'nginx/conf.d/nginx.conf.erb' $mime_template = 'nginx/conf.d/mime.types.epp' $proxy_conf_template = undef File { owner => $global_owner, group => $global_group, mode => $global_mode, } file { $conf_dir: ensure => directory, } file { "${conf_dir}/conf.stream.d": ensure => directory, } file { "${conf_dir}/conf.d": ensure => directory, } if $confd_purge { # Err on the side of caution - make sure *both* $server_purge and # $confd_purge are set if $confd_only is set, before purging files # ${conf_dir}/conf.d if (($confd_only and $server_purge) or !$confd_only) { File["${conf_dir}/conf.d"] { purge => true, recurse => true, notify => Class['nginx::service'], } File["${conf_dir}/conf.stream.d"] { purge => true, recurse => true, notify => Class['nginx::service'], } } } file { "${conf_dir}/conf.mail.d": ensure => directory, } if $confd_purge == true { File["${conf_dir}/conf.mail.d"] { purge => true, recurse => true, } } file { $run_dir: ensure => directory, mode => '0644', } if $nginx::manage_snippets_dir { file { $nginx::snippets_dir: ensure => directory, } } file { $log_dir: ensure => directory, mode => $log_mode, owner => $log_user, group => $log_group, } if $client_body_temp_path { file { $client_body_temp_path: ensure 
=> directory, owner => $daemon_user, } } if $proxy_temp_path { file { $proxy_temp_path: ensure => directory, owner => $daemon_user, } } unless $confd_only { file { "${conf_dir}/sites-available": ensure => directory, owner => $sites_available_owner, group => $sites_available_group, mode => $sites_available_mode, } file { "${conf_dir}/sites-enabled": ensure => directory, owner => $sites_available_owner, group => $sites_available_group, mode => $sites_available_mode, } if $server_purge { File["${conf_dir}/sites-available"] { purge => true, recurse => true, } File["${conf_dir}/sites-enabled"] { purge => true, recurse => true, } } # No real reason not to make these even if $stream is not enabled. file { "${conf_dir}/streams-enabled": ensure => directory, owner => $sites_available_owner, group => $sites_available_group, mode => $sites_available_mode, } file { "${conf_dir}/streams-available": ensure => directory, owner => $sites_available_owner, group => $sites_available_group, mode => $sites_available_mode, } if $server_purge { File["${conf_dir}/streams-enabled"] { purge => true, recurse => true, } } } file { "${conf_dir}/nginx.conf": ensure => file, content => template($conf_template), tag => 'nginx_config_file', } file { "${conf_dir}/mime.types": ensure => file, content => epp($mime_template), tag => 'nginx_config_file', } file { "${temp_dir}/nginx.d": ensure => absent, purge => true, recurse => true, force => true, } file { "${temp_dir}/nginx.mail.d": ensure => absent, purge => true, recurse => true, force => true, } } diff --git a/manifests/init.pp b/manifests/init.pp index b566b35..56da23d 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
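Review bot: The `$client_body_temp_path` and `$proxy_temp_path` resources in the middle of the hunk set only `owner => $daemon_user`, so they inherit `mode => $global_mode` from the `File` default at the top of the class, and params.pp sets `$global_mode = '0644'`, which Puppet widens to search permission on directories — buffered request bodies and proxied responses end up readable by every local user, whereas nginx's own startup code creates missing temp paths 0700 as far as I recall. Add `mode => '0700',` to both resources (and presumably a `group` matching the daemon's primary group; confirm against the package). Separately, this hunk pins `$conf_template = 'nginx/conf.d/nginx.conf.erb'` under "Non-configurable settings" while init.pp still exposes a `$conf_template` parameter with the same default, so a user override is silently ignored; either read `$nginx::conf_template` here or drop the parameter.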
@@ -1,253 +1,237 @@ -# @summary -# This module manages NGINX. +# @summary Manage NGINX # -# Parameters: +# Packaged NGINX +# - RHEL: EPEL or custom package +# - Debian/Ubuntu: Default Install or custom package +# - SuSE: Default Install or custom package # -# Actions: -# -# Requires: -# puppetlabs-stdlib - https://github.com/puppetlabs/puppetlabs-stdlib -# -# Packaged NGINX -# - RHEL: EPEL or custom package -# - Debian/Ubuntu: Default Install or custom package -# - SuSE: Default Install or custom package -# -# stdlib -# - puppetlabs-stdlib module >= 0.1.6 -# -# Sample Usage: -# -# The module works with sensible defaults: -# -# node default { +# @example Use the sensible defaults # include nginx -# } # # @param include_modules_enabled # When set, nginx will include module configurations files installed in the # /etc/nginx/modules-enabled directory. # # @param passenger_package_name # The name of the package to install in order for the passenger module of # nginx being usable. # # @param nginx_version # The version of nginx installed (or being installed). # Unfortunately, different versions of nginx may need configuring # differently. The default is derived from the version of nginx # already installed. If the fact is unavailable, it defaults to '1.6.0'. # You may need to set this manually to get a working and idempotent # configuration. # # @param debug_connections # Configures nginx `debug_connection` lines in the `events` section of the nginx config. 
# See http://nginx.org/en/docs/ngx_core_module.html#debug_connection # # @param service_config_check # whether to en- or disable the config check via nginx -t on config changes # class nginx ( ### START Nginx Configuration ### Variant[Stdlib::Absolutepath, Boolean] $client_body_temp_path = $nginx::params::client_body_temp_path, Boolean $confd_only = false, Boolean $confd_purge = false, $conf_dir = $nginx::params::conf_dir, Optional[Enum['on', 'off']] $daemon = undef, $daemon_user = $nginx::params::daemon_user, $daemon_group = undef, Array[String] $dynamic_modules = [], $global_owner = $nginx::params::global_owner, $global_group = $nginx::params::global_group, $global_mode = $nginx::params::global_mode, Optional[Variant[String[1], Array[String[1]]]] $limit_req_zone = undef, Stdlib::Absolutepath $log_dir = $nginx::params::log_dir, String[1] $log_user = $nginx::params::log_user, String[1] $log_group = $nginx::params::log_group, Stdlib::Filemode $log_mode = $nginx::params::log_mode, Variant[String, Array[String]] $http_access_log = "${log_dir}/${nginx::params::http_access_log_file}", $http_format_log = undef, Variant[String, Array[String]] $nginx_error_log = "${log_dir}/${nginx::params::nginx_error_log_file}", Nginx::ErrorLogSeverity $nginx_error_log_severity = 'error', $pid = $nginx::params::pid, Variant[Stdlib::Absolutepath, Boolean] $proxy_temp_path = $nginx::params::proxy_temp_path, $root_group = $nginx::params::root_group, $run_dir = $nginx::params::run_dir, $sites_available_owner = $nginx::params::sites_available_owner, $sites_available_group = $nginx::params::sites_available_group, $sites_available_mode = $nginx::params::sites_available_mode, Boolean $super_user = $nginx::params::super_user, $temp_dir = $nginx::params::temp_dir, Boolean $server_purge = false, Boolean $include_modules_enabled = $nginx::params::include_modules_enabled, # Primary Templates $conf_template = 'nginx/conf.d/nginx.conf.erb', ### START Nginx Configuration ### Optional[Enum['on', 'off']] 
$absolute_redirect = undef, Enum['on', 'off'] $accept_mutex = 'on', $accept_mutex_delay = '500ms', $client_body_buffer_size = '128k', String $client_max_body_size = '10m', $client_body_timeout = '60s', $send_timeout = '60s', $lingering_timeout = '5s', Optional[Enum['on','off','always']] $lingering_close = undef, Optional[String[1]] $lingering_time = undef, Optional[Enum['on', 'off']] $etag = undef, Optional[String] $events_use = undef, Array[Nginx::DebugConnection] $debug_connections = [], String $fastcgi_cache_inactive = '20m', Optional[String] $fastcgi_cache_key = undef, String $fastcgi_cache_keys_zone = 'd3:100m', String $fastcgi_cache_levels = '1', String $fastcgi_cache_max_size = '500m', Optional[String] $fastcgi_cache_path = undef, Optional[String] $fastcgi_cache_use_stale = undef, Enum['on', 'off'] $gzip = 'off', $gzip_buffers = undef, $gzip_comp_level = 1, $gzip_disable = 'msie6', $gzip_min_length = 20, $gzip_http_version = 1.1, $gzip_proxied = 'off', $gzip_types = undef, Enum['on', 'off'] $gzip_vary = 'off', Optional[Enum['on', 'off', 'always']] $gzip_static = undef, Optional[Variant[Hash, Array]] $http_cfg_prepend = undef, Optional[Variant[Hash, Array]] $http_cfg_append = undef, Optional[Variant[Array[String], String]] $http_raw_prepend = undef, Optional[Variant[Array[String], String]] $http_raw_append = undef, Enum['on', 'off'] $http_tcp_nodelay = 'on', Enum['on', 'off'] $http_tcp_nopush = 'off', $keepalive_timeout = '65s', $keepalive_requests = '100', $log_format = {}, Boolean $mail = false, Variant[String, Boolean] $mime_types_path = 'mime.types', Boolean $stream = false, String $multi_accept = 'off', Integer $names_hash_bucket_size = 64, Integer $names_hash_max_size = 512, $nginx_cfg_prepend = false, String $proxy_buffers = '32 4k', String $proxy_buffer_size = '8k', String $proxy_cache_inactive = '20m', String $proxy_cache_keys_zone = 'd2:100m', String $proxy_cache_levels = '1', String $proxy_cache_max_size = '500m', Optional[Variant[Hash, String]] 
$proxy_cache_path = undef, Optional[Integer] $proxy_cache_loader_files = undef, Optional[String] $proxy_cache_loader_sleep = undef, Optional[String] $proxy_cache_loader_threshold = undef, Optional[Enum['on', 'off']] $proxy_use_temp_path = undef, $proxy_connect_timeout = '90s', Integer $proxy_headers_hash_bucket_size = 64, Optional[String] $proxy_http_version = undef, $proxy_read_timeout = '90s', $proxy_redirect = undef, $proxy_send_timeout = '90s', Array $proxy_set_header = [ 'Host $host', 'X-Real-IP $remote_addr', 'X-Forwarded-For $proxy_add_x_forwarded_for', 'Proxy ""', ], Array $proxy_hide_header = [], Array $proxy_pass_header = [], Array $proxy_ignore_header = [], Optional[Nginx::Size] $proxy_max_temp_file_size = undef, Optional[Nginx::Size] $proxy_busy_buffers_size = undef, Enum['on', 'off'] $sendfile = 'on', Enum['on', 'off'] $server_tokens = 'on', Enum['on', 'off'] $spdy = 'off', Enum['on', 'off'] $http2 = 'off', Enum['on', 'off'] $ssl_stapling = 'off', Enum['on', 'off'] $ssl_stapling_verify = 'off', Stdlib::Absolutepath $snippets_dir = $nginx::params::snippets_dir, Boolean $manage_snippets_dir = true, $types_hash_bucket_size = '512', $types_hash_max_size = '1024', Integer $worker_connections = 1024, Enum['on', 'off'] $ssl_prefer_server_ciphers = 'on', Variant[Integer, Enum['auto']] $worker_processes = 'auto', Integer $worker_rlimit_nofile = 1024, String $ssl_protocols = 'TLSv1 TLSv1.1 TLSv1.2', String $ssl_ciphers = 
'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS', # lint:ignore:140chars Optional[Stdlib::Unixpath] $ssl_dhparam = undef, Optional[String] $ssl_ecdh_curve = undef, String $ssl_session_cache = 'shared:SSL:10m', String $ssl_session_timeout = '5m', Optional[Enum['on', 'off']] $ssl_session_tickets = undef, Optional[Stdlib::Absolutepath] $ssl_session_ticket_key = undef, Optional[String] $ssl_buffer_size = undef, Optional[Stdlib::Absolutepath] $ssl_crl = undef, Optional[Stdlib::Absolutepath] $ssl_stapling_file = undef, Optional[String] $ssl_stapling_responder = undef, Optional[Stdlib::Absolutepath] $ssl_trusted_certificate = undef, Optional[Integer] $ssl_verify_depth = undef, Optional[Stdlib::Absolutepath] $ssl_password_file = undef, ### START Package Configuration ### $package_ensure = present, $package_name = $nginx::params::package_name, $package_source = 'nginx', $package_flavor = undef, Boolean $manage_repo = $nginx::params::manage_repo, Hash[String[1], String[1]] $mime_types = $nginx::params::mime_types, Boolean $mime_types_preserve_defaults = false, Optional[String] $repo_release = undef, $passenger_package_ensure = 'present', String[1] $passenger_package_name = $nginx::params::passenger_package_name, Optional[Stdlib::HTTPUrl] $repo_source = undef, ### END Package Configuration ### ### START Service Configuation ### Stdlib::Ensure::Service 
$service_ensure = 'running', $service_enable = true, $service_flags = undef, $service_restart = undef, $service_name = 'nginx', $service_manage = true, Boolean $service_config_check = false, ### END Service Configuration ### ### START Hiera Lookups ### Hash $geo_mappings = {}, Hash $geo_mappings_defaults = {}, Hash $string_mappings = {}, Hash $string_mappings_defaults = {}, Hash $nginx_locations = {}, Hash $nginx_locations_defaults = {}, Hash $nginx_mailhosts = {}, Hash $nginx_mailhosts_defaults = {}, Hash $nginx_servers = {}, Hash $nginx_servers_defaults = {}, Hash $nginx_streamhosts = {}, Hash $nginx_streamhosts_defaults = {}, Hash $nginx_upstreams = {}, Nginx::UpstreamDefaults $nginx_upstreams_defaults = {}, Boolean $purge_passenger_repo = true, String[1] $nginx_version = pick(fact('nginx_version'), '1.6.0'), ### END Hiera Lookups ### ) inherits nginx::params { contain 'nginx::package' contain 'nginx::config' contain 'nginx::service' create_resources( 'nginx::resource::geo', $geo_mappings, $geo_mappings_defaults ) create_resources( 'nginx::resource::location', $nginx_locations, $nginx_locations_defaults ) create_resources( 'nginx::resource::mailhost', $nginx_mailhosts, $nginx_mailhosts_defaults ) create_resources( 'nginx::resource::map', $string_mappings, $string_mappings_defaults ) create_resources( 'nginx::resource::server', $nginx_servers, $nginx_servers_defaults ) create_resources( 'nginx::resource::streamhost', $nginx_streamhosts, $nginx_streamhosts_defaults ) create_resources( 'nginx::resource::upstream', $nginx_upstreams, $nginx_upstreams_defaults ) # Allow the end user to establish relationships to the "main" class # and preserve the relationship to the implementation classes through # a transitive relationship to the composite class. Class['nginx::package'] -> Class['nginx::config'] ~> Class['nginx::service'] Class['nginx::package'] ~> Class['nginx::service'] } diff --git a/manifests/package.pp b/manifests/package.pp index fd5e91b..b429f67 100644 
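Review bot: The default `String $ssl_protocols = 'TLSv1 TLSv1.1 TLSv1.2'` in this hunk still enables TLS 1.0 and 1.1, which are deprecated (RFC 8996) and fail most compliance baselines, and the `$ssl_ciphers` default keeps the 3DES suites (`ECDHE-ECDSA-DES-CBC3-SHA`, `ECDHE-RSA-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA`, `DES-CBC3-SHA`) that are subject to SWEET32. Changing the default to `String $ssl_protocols = 'TLSv1.2',` and dropping the `DES-CBC3` entries is a behaviour change for existing users and wants a changelog entry, but it is the right default for a module whose version floor is `'1.6.0'` (TLS 1.3 additionally needs nginx 1.13+ with OpenSSL 1.1.1, so I would not add it to the default). `Enum['on', 'off'] $server_tokens = 'on'` likewise advertises the exact nginx version in every response by default; `'off'` is the safer default and costs nothing. The `'Proxy ""'` entry in `$proxy_set_header` is a sound httpoxy mitigation and should stay.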
--- a/manifests/package.pp +++ b/manifests/package.pp @@ -1,58 +1,45 @@ -# Class: nginx::package -# -# This module manages NGINX package installation -# -# Parameters: -# -# There are no default parameters for this class. -# -# Actions: -# -# Requires: -# -# Sample Usage: -# -# This class file is not called directly +# @summary Manage NGINX package installation +# @api private class nginx::package { $package_name = $nginx::package_name $package_source = $nginx::package_source $package_ensure = $nginx::package_ensure $package_flavor = $nginx::package_flavor $passenger_package_ensure = $nginx::passenger_package_ensure $manage_repo = $nginx::manage_repo assert_private() case $facts['os']['family'] { 'redhat': { contain nginx::package::redhat } 'debian': { contain nginx::package::debian } 'Solaris': { # $package_name needs to be specified. SFEnginx,CSWnginx depending on # where you get it. if $package_name == undef { fail('You must supply a value for $package_name on Solaris') } package { 'nginx': ensure => $package_ensure, name => $package_name, source => $package_source, } } 'OpenBSD': { package { $package_name: ensure => $package_ensure, flavor => $package_flavor, } } default: { package { $package_name: ensure => $package_ensure, } } } } diff --git a/manifests/package/debian.pp b/manifests/package/debian.pp index 33c0b21..7a306ef 100644 --- a/manifests/package/debian.pp +++ b/manifests/package/debian.pp 
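Review bot: In the `'Solaris'` branch, `source => $package_source` hands the provider a value whose default (init.pp: `$package_source = 'nginx'`) and documented values (`'nginx-stable'`, `'nginx-mainline'`, `'passenger'` per the debian/redhat `fail()` messages) are repository selectors, not a package file path, so on Solaris the provider would receive `source => 'nginx'`. Either the Solaris branch needs its own path parameter, or the `@param package_source` documentation in init.pp should state that on Solaris it must be a local path or URL to the package and the `fail('You must supply a value for $package_name on Solaris')` check should cover it too. The `if $package_name == undef` guard relies on params.pp setting `'package_name' => undef` for non-SmartOS Solaris, which it does, so that part is consistent.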
@@ -1,88 +1,75 @@ -# Class: nginx::package::debian -# -# This module manages NGINX package installation on debian based systems -# -# Parameters: -# -# There are no default parameters for this class. -# -# Actions: -# -# Requires: -# -# Sample Usage: -# -# This class file is not called directly +# @summary Manage NGINX package installation on debian based systems +# @api private class nginx::package::debian { $package_name = $nginx::package_name $package_source = $nginx::package_source $package_ensure = $nginx::package_ensure $package_flavor = $nginx::package_flavor $passenger_package_ensure = $nginx::passenger_package_ensure $passenger_package_name = $nginx::passenger_package_name $manage_repo = $nginx::manage_repo $release = $nginx::repo_release $repo_source = $nginx::repo_source $distro = downcase($facts['os']['name']) package { 'nginx': ensure => $package_ensure, name => $package_name, } if $manage_repo { include 'apt' Exec['apt_update'] -> Package['nginx'] case $package_source { 'nginx', 'nginx-stable': { $stable_repo_source = $repo_source ? { undef => "https://nginx.org/packages/${distro}", default => $repo_source, } apt::source { 'nginx': location => $stable_repo_source, repos => 'nginx', key => { 'id' => '573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62' }, release => $release, } } 'nginx-mainline': { $mainline_repo_source = $repo_source ? { undef => "https://nginx.org/packages/mainline/${distro}", default => $repo_source, } apt::source { 'nginx': location => $mainline_repo_source, repos => 'nginx', key => { 'id' => '573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62' }, release => $release, } } 'passenger': { $passenger_repo_source = $repo_source ? 
{ undef => 'https://oss-binaries.phusionpassenger.com/apt/passenger', default => $repo_source, } apt::source { 'nginx': location => $passenger_repo_source, repos => 'main', key => { 'id' => '16378A33A6EF16762922526E561F9B9CAC40B2F7' }, } package { $passenger_package_name: ensure => $passenger_package_ensure, require => Exec['apt_update'], } if $package_name != 'nginx-extras' { warning('You must set $package_name to "nginx-extras" to enable Passenger') } } default: { fail("\$package_source must be 'nginx-stable', 'nginx-mainline' or 'passenger'. It was set to '${package_source}'") } } } } diff --git a/manifests/package/redhat.pp b/manifests/package/redhat.pp index 4313a69..a49870a 100644 --- a/manifests/package/redhat.pp +++ b/manifests/package/redhat.pp 
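Review bot: The `'passenger'` branch's `apt::source { 'nginx': ... }` omits `release => $release`, unlike the `'nginx'` and `'nginx-mainline'` branches, so a user who sets `nginx::repo_release` has it silently ignored for the Passenger repository and the apt module's default codename is used instead; add `release => $release,` next to `repos => 'main',`. All three sources pin the key by full 40-character fingerprint, which is good; if the apt module fetches it from a keyserver by default (I cannot tell from here), consider also passing a key `source` pointing at the vendor's published key file so the fetch does not depend on HKP. The `warning()` when `$package_name != 'nginx-extras'` leaves a Passenger install that nginx will never load; a `fail()` would surface the misconfiguration at the first run instead of at first request.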
@@ -1,114 +1,101 @@ -# Class: nginx::package::redhat -# -# This module manages NGINX package installation on RedHat based systems -# -# Parameters: -# -# There are no default parameters for this class. -# -# Actions: -# -# Requires: -# -# Sample Usage: -# -# This class file is not called directly +# @summary Manage NGINX package installation on RedHat based systems +# @api private class nginx::package::redhat { $package_name = $nginx::package_name $package_source = $nginx::package_source $package_ensure = $nginx::package_ensure $package_flavor = $nginx::package_flavor $passenger_package_ensure = $nginx::passenger_package_ensure $passenger_package_name = $nginx::passenger_package_name $manage_repo = $nginx::manage_repo $purge_passenger_repo = $nginx::purge_passenger_repo #Install the CentOS-specific packages on that OS, otherwise assume it's a RHEL #clone and provide the Red Hat-specific package. This comes into play when not #on RHEL or CentOS and $manage_repo is set manually to 'true'. $_os = $facts['os']['name'] ? 
{ 'centos' => 'centos', 'VirtuozzoLinux' => 'centos', default => 'rhel' } if $manage_repo { case $package_source { 'nginx', 'nginx-stable': { yumrepo { 'nginx-release': baseurl => "https://nginx.org/packages/${_os}/${facts['os']['release']['major']}/\$basearch/", descr => 'nginx repo', enabled => '1', gpgcheck => '1', priority => '1', gpgkey => 'https://nginx.org/keys/nginx_signing.key', before => Package['nginx'], } if $purge_passenger_repo { yumrepo { 'passenger': ensure => absent, before => Package['nginx'], } } } 'nginx-mainline': { yumrepo { 'nginx-release': baseurl => "https://nginx.org/packages/mainline/${_os}/${facts['os']['release']['major']}/\$basearch/", descr => 'nginx repo', enabled => '1', gpgcheck => '1', priority => '1', gpgkey => 'https://nginx.org/keys/nginx_signing.key', before => Package['nginx'], } if $purge_passenger_repo { yumrepo { 'passenger': ensure => absent, before => Package['nginx'], } } } 'passenger': { if ($facts['os']['name'] in ['RedHat', 'CentOS', 'VirtuozzoLinux']) and ($facts['os']['release']['major'] in ['6', '7']) { # 2019-11: Passenger changed their gpg key from: `https://packagecloud.io/phusion/passenger/gpgkey` # to: `https://oss-binaries.phusionpassenger.com/auto-software-signing-gpg-key.txt` # Find the latest key by opening: https://oss-binaries.phusionpassenger.com/yum/definitions/el-passenger.repo # Also note: Since 6.0.5 there are no nginx packages in the phusion EL7 repository, and nginx packages are expected to come from epel instead yumrepo { 'passenger': baseurl => "https://oss-binaries.phusionpassenger.com/yum/passenger/el/${facts['os']['release']['major']}/\$basearch", descr => 'passenger repo', enabled => '1', gpgcheck => '0', repo_gpgcheck => '1', priority => '1', gpgkey => 'https://oss-binaries.phusionpassenger.com/auto-software-signing-gpg-key.txt', before => Package['nginx'], } yumrepo { 'nginx-release': ensure => absent, before => Package['nginx'], } package { $passenger_package_name: ensure => 
$passenger_package_ensure, require => Yumrepo['passenger'], } } else { fail("${facts['os']['name']} version ${facts['os']['release']['major']} is unsupported with \$package_source 'passenger'") } } default: { fail("\$package_source must be 'nginx-stable', 'nginx-mainline', or 'passenger'. It was set to '${package_source}'") } } } package { 'nginx': ensure => $package_ensure, name => $package_name, } } diff --git a/manifests/params.pp b/manifests/params.pp index c93164d..2456288 100644 --- a/manifests/params.pp +++ b/manifests/params.pp 
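Review bot: The `'passenger'` yumrepo sets `gpgcheck => '0'` with `repo_gpgcheck => '1'`, which verifies only the repository metadata signature and not the RPMs themselves, so `$passenger_package_name` (and `nginx`, where it is still served from that repo) is installed without a package-signature check. Unless Phusion's RPMs are known to be unsigned, this should be `gpgcheck => '1',`; the `el-passenger.repo` file referenced in the comment is the place to confirm, and if it has to stay off, a comment stating why is needed so it is not read as an oversight. Note also that the branch removes `nginx-release` and, per the in-hunk comment, expects nginx from EPEL on EL7, but nothing in this module enables EPEL, so `Package['nginx']` will fail on a host without it unless the user manages EPEL elsewhere — worth stating in the `@param package_source` docs.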
@@ -1,248 +1,245 @@ -# Class: nginx::params -# ==================== -# -# nginx default settings and according to operating system -# +# @summary default settings and according to operating system +# @api private class nginx::params { ### Operating System Configuration ## This is my hacky... no hiera system. Oh well. :) $_module_defaults = { 'conf_dir' => '/etc/nginx', 'daemon_user' => 'nginx', 'pid' => '/var/run/nginx.pid', 'root_group' => 'root', 'log_dir' => '/var/log/nginx', 'log_user' => 'nginx', 'log_group' => 'root', 'log_mode' => '0750', 'run_dir' => '/var/nginx', 'package_name' => 'nginx', 'passenger_package_name' => 'passenger', 'manage_repo' => false, 'include_modules_enabled' => false, 'mime_types' => { 'text/html' => 'html htm shtml', 'text/css' => 'css', 'text/xml' => 'xml', 'image/gif' => 'gif', 'image/jpeg' => 'jpeg jpg', 'application/javascript' => 'js', 'application/atom+xml' => 'atom', 'application/rss+xml' => 'rss', 'text/mathml' => 'mml', 'text/plain' => 'txt', 'text/vnd.sun.j2me.app-descriptor' => 'jad', 'text/vnd.wap.wml' => 'wml', 'text/x-component' => 'htc', 'image/png' => 'png', 'image/tiff' => 'tif tiff', 'image/vnd.wap.wbmp' => 'wbmp', 'image/x-icon' => 'ico', 'image/x-jng' => 'jng', 'image/x-ms-bmp' => 'bmp', 'image/svg+xml' => 'svg svgz', 'image/webp' => 'webp', 'application/font-woff' => 'woff', 'application/java-archive' => 'jar war ear', 'application/json' => 'json', 'application/mac-binhex40' => 'hqx', 'application/msword' => 'doc', 'application/pdf' => 'pdf', 'application/postscript' => 'ps eps ai', 'application/rtf' => 'rtf', 'application/vnd.apple.mpegurl' => 'm3u8', 'application/vnd.ms-excel' => 'xls', 'application/vnd.ms-fontobject' => 'eot', 'application/vnd.ms-powerpoint' => 'ppt', 'application/vnd.wap.wmlc' => 'wmlc', 'application/vnd.google-earth.kml+xml' => 'kml', 'application/vnd.google-earth.kmz' => 'kmz', 'application/x-7z-compressed' => '7z', 'application/x-cocoa' => 'cco', 'application/x-java-archive-diff' => 
'jardiff', 'application/x-java-jnlp-file' => 'jnlp', 'application/x-makeself' => 'run', 'application/x-perl' => 'pl pm', 'application/x-pilot' => 'prc pdb', 'application/x-rar-compressed' => 'rar', 'application/x-redhat-package-manager' => 'rpm', 'application/x-sea' => 'sea', 'application/x-shockwave-flash' => 'swf', 'application/x-stuffit' => 'sit', 'application/x-tcl' => 'tcl tk', 'application/x-x509-ca-cert' => 'der pem crt', 'application/x-xpinstall' => 'xpi', 'application/xhtml+xml' => 'xhtml', 'application/xspf+xml' => 'xspf', 'application/zip' => 'zip', 'application/octet-stream' => 'bin exe dll deb dmg iso img msi msp msm', 'application/vnd.openxmlformats-officedocument.wordprocessingml.document' => 'docx', 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet' => 'xlsx', 'application/vnd.openxmlformats-officedocument.presentationml.presentation' => 'pptx', 'audio/midi' => 'mid midi kar', 'audio/mpeg' => 'mp3', 'audio/ogg' => 'ogg', 'audio/x-m4a' => 'm4a', 'audio/x-realaudio' => 'ra', 'video/3gpp' => '3gpp 3gp', 'video/mp2t' => 'ts', 'video/mp4' => 'mp4', 'video/mpeg' => 'mpeg mpg', 'video/quicktime' => 'mov', 'video/webm' => 'webm', 'video/x-flv' => 'flv', 'video/x-m4v' => 'm4v', 'video/x-mng' => 'mng', 'video/x-ms-asf' => 'asx asf', 'video/x-ms-wmv' => 'wmv', 'video/x-msvideo' => 'avi', }, } case $facts['os']['family'] { 'ArchLinux': { $_module_os_overrides = { 'pid' => false, 'daemon_user' => 'http', 'log_user' => 'http', 'log_group' => 'log', 'package_name' => 'nginx-mainline', } } 'Debian': { if ($facts['os']['name'] == 'ubuntu' and $facts['os']['distro']['codename'] in ['bionic']) or ($facts['os']['name'] == 'debian' and $facts['os']['release']['major'] in ['9', '10']) { $_module_os_overrides = { 'manage_repo' => true, 'daemon_user' => 'www-data', 'log_user' => 'root', 'log_group' => 'adm', 'log_mode' => '0755', 'run_dir' => '/run/nginx', 'passenger_package_name' => 'libnginx-mod-http-passenger', 'include_modules_enabled' => true, } } 
elsif ($facts['os']['name'] == 'ubuntu' and $facts['os']['distro']['codename'] in ['lucid', 'precise', 'trusty', 'xenial']) { $_module_os_overrides = { 'manage_repo' => true, 'daemon_user' => 'www-data', 'log_user' => 'root', 'log_group' => 'adm', 'log_mode' => '0755', 'run_dir' => '/run/nginx', } } else { $_module_os_overrides = { 'daemon_user' => 'www-data', 'log_user' => 'root', 'log_group' => 'adm', 'log_mode' => '0755', 'run_dir' => '/run/nginx', } } } 'DragonFly', 'FreeBSD': { $_module_os_overrides = { 'conf_dir' => '/usr/local/etc/nginx', 'daemon_user' => 'www', 'root_group' => 'wheel', 'log_group' => 'wheel', 'log_user' => 'root', } } 'Gentoo': { $_module_os_overrides = { 'package_name' => 'www-servers/nginx', } } 'RedHat': { if ($facts['os']['name'] in ['RedHat', 'CentOS', 'Oracle', 'virtuozzolinux'] and $facts['os']['release']['major'] in ['6', '7']) { $_module_os_overrides = { 'manage_repo' => true, 'log_group' => 'nginx', } } else { $_module_os_overrides = { 'log_group' => 'nginx', } } } 'Solaris': { case $facts['os']['name'] { 'SmartOS': { $_module_os_overrides = { 'conf_dir' => '/opt/local/etc/nginx', 'daemon_user' => 'www', 'log_user' => 'www', 'log_group' => 'root', } } default: { $_module_os_overrides = { 'daemon_user' => 'webservd', 'package_name' => undef, } } } } 'OpenBSD': { $_module_os_overrides = { 'daemon_user' => 'www', 'root_group' => 'wheel', 'log_dir' => '/var/www/logs', 'log_user' => 'www', 'log_group' => 'wheel', 'run_dir' => '/var/www', } } 'AIX': { $_module_os_overrides = { 'daemon_user' => 'nginx', 'root_group' => 'system', 'conf_dir' => '/opt/freeware/etc/nginx/', 'log_dir' => '/opt/freeware/var/log/nginx/', 'log_group' => 'system', 'run_dir' => '/opt/freeware/share/nginx/html', } } default: { ## For cases not covered in $::osfamily case $facts['os']['name'] { default: { $_module_os_overrides = {} } } } } $_module_parameters = merge($_module_defaults, $_module_os_overrides) ### END Operating System Configuration ### Referenced 
Variables $conf_dir = $_module_parameters['conf_dir'] $snippets_dir = "${conf_dir}/snippets" $log_dir = $_module_parameters['log_dir'] $log_user = $_module_parameters['log_user'] $log_group = $_module_parameters['log_group'] $log_mode = $_module_parameters['log_mode'] $run_dir = $_module_parameters['run_dir'] $temp_dir = '/tmp' $pid = $_module_parameters['pid'] $include_modules_enabled = $_module_parameters['include_modules_enabled'] $client_body_temp_path = "${run_dir}/client_body_temp" $daemon_user = $_module_parameters['daemon_user'] $global_owner = 'root' $global_group = $_module_parameters['root_group'] $global_mode = '0644' $http_access_log_file = 'access.log' $manage_repo = $_module_parameters['manage_repo'] $mime_types = $_module_parameters['mime_types'] $nginx_error_log_file = 'error.log' $root_group = $_module_parameters['root_group'] $package_name = $_module_parameters['package_name'] $passenger_package_name = $_module_parameters['passenger_package_name'] $proxy_temp_path = "${run_dir}/proxy_temp" $sites_available_owner = 'root' $sites_available_group = $_module_parameters['root_group'] $sites_available_mode = '0644' $super_user = true ### END Referenced Variables } diff --git a/manifests/resource/geo.pp b/manifests/resource/geo.pp index 6bcb51f..12eefa8 100644 --- a/manifests/resource/geo.pp +++ b/manifests/resource/geo.pp 
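Review bot: On AIX the override `'run_dir' => '/opt/freeware/share/nginx/html'` feeds `$client_body_temp_path = "${run_dir}/client_body_temp"` and `$proxy_temp_path = "${run_dir}/proxy_temp"` at the bottom of the class, so buffered request bodies and proxied responses land under what looks like the package's default document root; if that directory is served, uploaded bodies become fetchable over HTTP. Confirm what `/opt/freeware/share/nginx/html` is on AIX and, if it is the docroot, point `run_dir` at a non-served location (the AIX counterpart of `/var/nginx`). Separately, `$temp_dir = '/tmp'` is consumed by config.pp to recursively force-remove `/tmp/nginx.d` and `/tmp/nginx.mail.d` as root inside a world-writable directory; Puppet manages symlinks as links rather than following them as far as I know, but a comment explaining why those legacy paths are still purged (or dropping the cleanup if the migration is long past) would help the next reader.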
@@ -1,85 +1,88 @@ -# define: nginx::resource::geo +# @summary Create a new geo mapping entry for NGINX # -# This definition creates a new geo mapping entry for NGINX +# @param networks +# Hash of geo lookup keys and resultant values # -# Parameters: -# [*networks*] - Hash of geo lookup keys and resultant values -# [*default*] - Sets the resulting value if the source value fails to -# match any of the variants. -# [*ensure*] - Enables or disables the specified location -# [*ranges*] - Indicates that lookup keys (network addresses) are -# specified as ranges. -# [*address*] - Nginx defaults to using $remote_addr for testing. -# This allows you to override that with another variable -# name (automatically prefixed with $) -# [*delete*] - deletes the specified network (see: geo module docs) -# [*proxy_recursive*] - Changes the behavior of address acquisition when -# specifying trusted proxies via 'proxies' directive -# [*proxies*] - Hash of network->value mappings. +# @param default +# Sets the resulting value if the source value fails to match any of the +# variants. # -# Actions: +# @param ensure +# Enables or disables the specified location # -# Requires: +# @param ranges +# Indicates that lookup keys (network addresses) are specified as ranges. # -# Sample Usage: +# @param address +# Nginx defaults to using $remote_addr for testing. 
This allows you to +# override that with another variable name (automatically prefixed with $) # -# nginx::resource::geo { 'client_network': -# ensure => present, -# ranges => false, -# default => extra, -# proxy_recursive => false, -# proxies => [ '192.168.99.99' ], -# networks => { -# '10.0.0.0/8' => 'intra', -# '172.16.0.0/12' => 'intra', -# '192.168.0.0/16' => 'intra', -# } -# } +# @param delete +# deletes the specified network (see: geo module docs) # -# Sample Hiera usage: +# @param proxy_recursive +# Changes the behavior of address acquisition when specifying trusted +# proxies via 'proxies' directive # -# nginx::geo_mappings: -# client_network: -# ensure: present -# ranges: false -# default: 'extra' -# proxy_recursive: false -# proxies: -# - 192.168.99.99 -# networks: -# '10.0.0.0/8': 'intra' -# '172.16.0.0/12': 'intra' -# '192.168.0.0/16': 'intra' - +# @param proxies +# Hash of network->value mappings. +# +# @example Puppet usage +# nginx::resource::geo { 'client_network': +# ensure => present, +# ranges => false, +# default => extra, +# proxy_recursive => false, +# proxies => [ '192.168.99.99' ], +# networks => { +# '10.0.0.0/8' => 'intra', +# '172.16.0.0/12' => 'intra', +# '192.168.0.0/16' => 'intra', +# } +# } +# +# @example Hiera usage +# nginx::geo_mappings: +# client_network: +# ensure: present +# ranges: false +# default: 'extra' +# proxy_recursive: false +# proxies: +# - 192.168.99.99 +# networks: +# '10.0.0.0/8': 'intra' +# '172.16.0.0/12': 'intra' +# '192.168.0.0/16': 'intra' define nginx::resource::geo ( Hash $networks, Optional[String] $default = undef, Enum['present', 'absent'] $ensure = 'present', Boolean $ranges = false, Optional[String] $address = undef, Optional[String] $delete = undef, Optional[Array] $proxies = undef, Optional[Boolean] $proxy_recursive = undef ) { if ! 
defined(Class['nginx']) { fail('You must include the nginx base class before using any defined resources') } $root_group = $nginx::root_group $conf_dir = "${nginx::conf_dir}/conf.d" $ensure_real = $ensure ? { 'absent' => 'absent', default => 'file', } file { "${conf_dir}/${name}-geo.conf": ensure => $ensure_real, owner => 'root', group => $root_group, mode => $nginx::global_mode, content => template('nginx/conf.d/geo.erb'), notify => Class['nginx::service'], tag => 'nginx_config_file', } } diff --git a/manifests/resource/location.pp b/manifests/resource/location.pp index 88f08a5..2622bfb 100644 --- a/manifests/resource/location.pp +++ b/manifests/resource/location.pp 
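Review bot: The new `@param proxies` text, `Hash of network->value mappings.`, contradicts both the signature (`Optional[Array] $proxies`) and the two examples, which pass `[ '192.168.99.99' ]`, and it is the security-sensitive knob of this define: the `proxy_recursive` doc right above calls these "trusted proxies", and per the ngx_http_geo_module documentation the `proxy` directive lists the addresses from which the client address is taken from X-Forwarded-For instead of `$remote_addr`. Suggested wording: `# @param proxies` / `#   Array of trusted proxy addresses or CIDRs (geo 'proxy' directive). Requests from these addresses have their client address read from X-Forwarded-For, so list only proxies you control; an over-broad entry lets any client choose its own geo result.` The `@param ensure` text (`Enables or disables the specified location`) is copy-pasted from location.pp and should say "geo mapping". The unchanged body also interpolates the resource title unsanitized into `"${conf_dir}/${name}-geo.conf"`; a title pattern check such as `Pattern[/\A[\w.-]+\z/]` (or a `regsubst` as location.pp does for `$server`) would keep a stray `/` from placing the file outside conf.d.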
@@ -1,349 +1,391 @@ -# define: nginx::resource::location +# @summary Create a new location entry within a virtual host # -# This definition creates a new location entry within a virtual host +# @param ensure +# Enables or disables the specified location +# (present|absent) +# @param internal +# Indicates whether or not this location can be +# used for internal requests only. Default: false +# @param server +# Defines a server or list of servers that include this location +# @param location +# Specifies the URI associated with this location +# entry +# @param location_satisfy +# Allows access if all (all) or at least one (any) of the auth modules allow access. +# @param location_allow +# Locations to allow connections from. +# @param location_deny +# Locations to deny connections from. +# @param www_root +# Specifies the location on disk for files to be read from. Cannot be set in +# conjunction with $proxy +# @param autoindex +# Set it on 'on' to activate autoindex directory listing. +# @param autoindex_exact_size +# Set it on 'on' or 'off' to activate/deactivate autoindex displaying exact +# filesize, or rounded to kilobytes, megabytes and gigabytes. +# @param autoindex_format +# Sets the format of a directory listing. +# @param autoindex_localtime +# Specifies whether times in the directory listing should be output in the +# local time zone or UTC. +# @param index_files +# Default index files for NGINX to read when traversing a directory +# @param proxy +# Proxy server(s) for a location to connect to. Accepts a single value, can +# be used in conjunction with nginx::resource::upstream +# @param proxy_redirect +# sets the text, which must be changed in response-header "Location" and +# "Refresh" in the response of the proxied server. 
+# @param proxy_read_timeout +# Override the default the proxy read timeout value of 90 seconds +# @param proxy_connect_timeout +# Override the default the proxy connect timeout value of 90 seconds +# @param proxy_send_timeout +# Override the default the proxy send timeout +# value of 90 seconds +# @param proxy_set_header +# Array of server headers to set +# @param proxy_hide_header +# Array of server headers to hide +# @param proxy_pass_header +# Array of server headers to pass +# @param proxy_ignore_header +# Array of server headers to ignore +# @param proxy_next_upstream +# Specify cases a request should be passed to the next server in the upstream. +# @param fastcgi +# location of fastcgi (host:port) +# @param fastcgi_param +# Set additional custom fastcgi_params +# @param fastcgi_params +# optional alternative fastcgi_params file to use +# @param fastcgi_script +# optional SCRIPT_FILE parameter +# @param fastcgi_split_path +# Allows settings of fastcgi_split_path_info so that you can split the +# script_name and path_info via regex +# @param uwsgi +# location of uwsgi (host:port) +# @param uwsgi_param +# Set additional custom uwsgi_params +# @param uwsgi_params +# optional alternative uwsgi_params file to use +# @param uwsgi_read_timeout +# optional value for uwsgi_read_timeout +# @param ssl +# Indicates whether to setup SSL bindings for this location. +# @param ssl_only +# Required if the SSL and normal server have the same port. +# @param location_alias +# Path to be used as basis for serving requests for this location +# @param stub_status +# If true it will point configure module stub_status to provide nginx stats +# on location +# @param raw_prepend +# A single string, or an array of strings to prepend to the location +# directive (after custom_cfg directives). NOTE: YOU are responsible for a +# semicolon on each line that requires one. 
+# @param raw_append +# A single string, or an array of strings to append to the location directive +# (after custom_cfg directives). NOTE: YOU are responsible for a semicolon on +# each line that requires one. +# @param limit_zone +# Apply a limit_req_zone to the location. Expects a string indicating a +# previously defined limit_req_zone in the main nginx configuration +# @param location_custom_cfg +# Expects a hash with custom directives, cannot be used with other location +# types (proxy, fastcgi, root, or stub_status) +# @param location_cfg_prepend +# Expects a hash with extra directives to put before anything else inside +# location (used with all other types except custom_cfg) +# @param location_custom_cfg_prepend +# Expects a array with extra directives to put before anything else inside +# location (used with all other types except custom_cfg). Used for logical +# structures such as if. +# @param location_custom_cfg_append +# Expects a array with extra directives to put after anything else inside +# location (used with all other types except custom_cfg). Used for logical +# structures such as if. +# @param location_cfg_append +# Expects a hash with extra directives to put +# after everything else inside location (used with all other types except +# custom_cfg) +# @param include +# An array of files to include for this location +# @param try_files +# An array of file locations to try +# @param proxy_cache +# This directive sets name of zone for caching. The same zone can be used in +# multiple places. +# @param proxy_cache_key +# Override the default proxy_cache_key of $scheme$proxy_host$request_uri +# @param proxy_cache_use_stale +# Override the default proxy_cache_use_stale value of off. +# @param proxy_cache_valid +# This directive sets the time for caching different replies. +# @param proxy_cache_lock +# This directive sets the locking mechanism for pouplating cache. 
+# @param proxy_cache_bypass +# Defines conditions which the response will not be cached +# @param proxy_method +# If defined, overrides the HTTP method of the request to be passed to the +# backend. +# @param proxy_http_version +# Sets the proxy http version +# @param proxy_set_body +# If defined, sets the body passed to the backend. +# @param proxy_buffering +# If defined, sets the proxy_buffering to the passed value. +# @param proxy_request_buffering +# If defined, sets the proxy_request_buffering to the passed value. +# @param proxy_max_temp_file_size +# Sets the maximum size of the temporary buffer file. +# @param proxy_busy_buffers_size +# Sets the total size of buffers that can be busy sending a response to the +# client while the response is not yet fully read. +# @param absolute_redirect +# Enables or disables the absolute redirect functionality of nginx +# @param auth_basic +# This directive includes testing name and password with HTTP Basic +# Authentication. +# @param auth_basic_user_file +# This directive sets the htpasswd filename for the authentication realm. +# @param auth_request +# This allows you to specify a custom auth endpoint +# @param priority +# Location priority. User priority 401-499, 501-599. If the priority is +# higher than the default priority (500), the location will be defined after +# root, or before root. +# @param mp4 +# Indicates whether or not this loation can be +# used for mp4 streaming. Default: false +# @param flv +# Indicates whether or not this loation can be +# used for flv streaming. Default: false +# @param expires +# Setup expires time for locations content +# @param add_header +# Adds headers to the location block. 
If any are specified, locations will +# no longer inherit headers from the parent server context +# @param gzip_static +# Defines gzip_static, nginx default is off # -# Parameters: -# [*ensure*] - Enables or disables the specified location -# (present|absent) -# [*internal*] - Indicates whether or not this location can be -# used for internal requests only. Default: false -# [*server*] - Defines a server or list of servers that include this location -# [*location*] - Specifies the URI associated with this location -# entry -# [*location_satisfy*] - Allows access if all (all) or at least one (any) of the auth modules allow access. -# [*location_allow*] - Array: Locations to allow connections from. -# [*location_deny*] - Array: Locations to deny connections from. -# [*www_root*] - Specifies the location on disk for files to be -# read from. Cannot be set in conjunction with $proxy -# [*autoindex*] - Set it on 'on' to activate autoindex directory -# listing. Undef by default. -# [*autoindex_exact_size*] - Set it on 'on' or 'off' to -# activate/deactivate autoindex displaying exact filesize, or rounded to -# kilobytes, megabytes and gigabytes. Undef by default. -# [*autoindex_format*] - Sets the format of a directory listing. -# Undef by default. -# [*autoindex_localtime*] - Specifies whether times in the directory -# listing should be output in the local time zone or UTC. -# [*index_files*] - Default index files for NGINX to read when -# traversing a directory -# [*proxy*] - Proxy server(s) for a location to connect to. -# Accepts a single value, can be used in conjunction with -# nginx::resource::upstream -# [*proxy_redirect*] - sets the text, which must be changed in -# response-header "Location" and "Refresh" in the response of the proxied -# server. 
-# [*proxy_read_timeout*] - Override the default the proxy read timeout -# value of 90 seconds -# [*proxy_connect_timeout*] - Override the default the proxy connect timeout -# value of 90 seconds -# [*proxy_send_timeout*] - Override the default the proxy send timeout -# value of 90 seconds -# [*proxy_set_header*] - Array of server headers to set -# [*proxy_hide_header*] - Array of server headers to hide -# [*proxy_pass_header*] - Array of server headers to pass -# [*proxy_ignore_header*] - Array of server headers to ignore -# [*proxy_next_upstream*] - Specify cases a request should be passed to the next server in the upstream. -# [*fastcgi*] - location of fastcgi (host:port) -# [*fastcgi_param*] - Set additional custom fastcgi_params -# [*fastcgi_params*] - optional alternative fastcgi_params file to use -# [*fastcgi_script*] - optional SCRIPT_FILE parameter -# [*fastcgi_split_path*] - Allows settings of fastcgi_split_path_info so -# that you can split the script_name and path_info via regex -# [*uwsgi*] - location of uwsgi (host:port) -# [*uwsgi_param*] - Set additional custom uwsgi_params -# [*uwsgi_params*] - optional alternative uwsgi_params file to use -# [*uwsgi_read_timeout*] - optional value for uwsgi_read_timeout -# [*ssl*] - Indicates whether to setup SSL bindings for -# this location. -# [*ssl_only*] - Required if the SSL and normal server have the -# same port. -# [*location_alias*] - Path to be used as basis for serving requests -# for this location -# [*stub_status*] - If true it will point configure module -# stub_status to provide nginx stats on location -# [*raw_prepend*] - A single string, or an array of strings to -# prepend to the location directive (after custom_cfg directives). NOTE: -# YOU are responsible for a semicolon on each line that requires one. -# [*raw_append*] - A single string, or an array of strings to -# append to the location directive (after custom_cfg directives). 
NOTE: -# YOU are responsible for a semicolon on each line that requires one. -# [*limit_zone*] - Apply a limit_req_zone to the location. Expects a string indicating a -# previously defined limit_req_zone in the main nginx configuration -# [*location_custom_cfg*] - Expects a hash with custom directives, cannot -# be used with other location types (proxy, fastcgi, root, or stub_status) -# [*location_cfg_prepend*] - Expects a hash with extra directives to put -# before anything else inside location (used with all other types except -# custom_cfg) -# [*location_custom_cfg_prepend*] - Expects a array with extra directives -# to put before anything else inside location (used with all other types -# except custom_cfg). Used for logical structures such as if. -# [*location_custom_cfg_append*] - Expects a array with extra directives -# to put after anything else inside location (used with all other types -# except custom_cfg). Used for logical structures such as if. -# [*location_cfg_append*] - Expects a hash with extra directives to put -# after everything else inside location (used with all other types except -# custom_cfg) -# [*include*] - An array of files to include for this location -# [*try_files*] - An array of file locations to try -# [*option*] - Reserved for future use -# [*proxy_cache*] - This directive sets name of zone for caching. -# The same zone can be used in multiple places. -# [*proxy_cache_key*] - Override the default proxy_cache_key of -# $scheme$proxy_host$request_uri -# [*proxy_cache_use_stale*] - Override the default proxy_cache_use_stale value -# of off. -# [*proxy_cache_valid*] - This directive sets the time for caching -# different replies. -# [*proxy_cache_lock*] - This directive sets the locking mechanism for pouplating cache. -# [*proxy_cache_bypass*] - Defines conditions which the response will not be cached -# [*proxy_method*] - If defined, overrides the HTTP method of the -# request to be passed to the backend. 
-# [*proxy_http_version*] - Sets the proxy http version -# [*proxy_set_body*] - If defined, sets the body passed to the backend. -# [*proxy_buffering*] - If defined, sets the proxy_buffering to the passed -# value. -# [*proxy_request_buffering*] - If defined, sets the proxy_request_buffering to the passed -# value. -# [*proxy_max_temp_file_size*] - Sets the maximum size of the temporary buffer file. -# [*proxy_busy_buffers_size*] - Sets the total size of buffers that can be -# busy sending a response to the client while the response is not yet fully read. -# [*absolute_redirect*] - Enables or disables the absolute redirect functionality of nginx -# [*auth_basic*] - This directive includes testing name and password -# with HTTP Basic Authentication. -# [*auth_basic_user_file*] - This directive sets the htpasswd filename for -# the authentication realm. -# [*auth_request*] - This allows you to specify a custom auth endpoint -# [*priority*] - Location priority. Default: 500. User priority -# 401-499, 501-599. If the priority is higher than the default priority, -# the location will be defined after root, or before root. -# [*mp4*] - Indicates whether or not this loation can be -# used for mp4 streaming. Default: false -# [*flv*] - Indicates whether or not this loation can be -# used for flv streaming. Default: false -# [*expires*] - Setup expires time for locations content -# [*add_header*] - Hash: Adds headers to the location block. 
If any are specified, locations will no longer inherit headers from the parent server context -# [*gzip_static*] - Defines gzip_static, nginx default is off +# @example Simple example +# nginx::resource::location { 'test2.local-bob': +# ensure => present, +# www_root => '/var/www/bob', +# location => '/bob', +# server => 'test2.local', +# } # +# @example Use one location in multiple servers +# nginx::resource::location { 'test2.local-bob': +# ensure => present, +# www_root => '/var/www/bob', +# location => '/bob', +# server => ['test1.local','test2.local'], +# } # -# Actions: +# @example Custom config example to limit location on localhost, create a hash with any extra custom config you want. +# $my_config = { +# 'access_log' => 'off', +# 'allow' => '127.0.0.1', +# 'deny' => 'all' +# } +# nginx::resource::location { 'test2.local-bob': +# ensure => present, +# www_root => '/var/www/bob', +# location => '/bob', +# server => 'test2.local', +# location_cfg_append => $my_config, +# } # -# Requires: +# @example Add Custom fastcgi_params +# nginx::resource::location { 'test2.local-bob': +# ensure => present, +# www_root => '/var/www/bob', +# location => '/bob', +# server => 'test2.local', +# fastcgi_param => { +# 'APP_ENV' => 'local', +# } +# } # -# Sample Usage: -# nginx::resource::location { 'test2.local-bob': -# ensure => present, -# www_root => '/var/www/bob', -# location => '/bob', -# server => 'test2.local', -# } +# @example Add Custom uwsgi_params +# nginx::resource::location { 'test2.local-bob': +# ensure => present, +# www_root => '/var/www/bob', +# location => '/bob', +# server => 'test2.local', +# uwsgi_param => { +# 'APP_ENV' => 'local', +# } +# } # -# Use one location in multiple servers -# nginx::resource::location { 'test2.local-bob': -# ensure => present, -# www_root => '/var/www/bob', -# location => '/bob', -# server => ['test1.local','test2.local'], -# } -# -# Custom config example to limit location on localhost, -# create a hash with any extra custom 
config you want. -# $my_config = { -# 'access_log' => 'off', -# 'allow' => '127.0.0.1', -# 'deny' => 'all' -# } -# nginx::resource::location { 'test2.local-bob': -# ensure => present, -# www_root => '/var/www/bob', -# location => '/bob', -# server => 'test2.local', -# location_cfg_append => $my_config, -# } -# -# Add Custom fastcgi_params -# nginx::resource::location { 'test2.local-bob': -# ensure => present, -# www_root => '/var/www/bob', -# location => '/bob', -# server => 'test2.local', -# fastcgi_param => { -# 'APP_ENV' => 'local', -# } -# } -# -# Add Custom uwsgi_params -# nginx::resource::location { 'test2.local-bob': -# ensure => present, -# www_root => '/var/www/bob', -# location => '/bob', -# server => 'test2.local', -# uwsgi_param => { -# 'APP_ENV' => 'local', -# } -# } - define nginx::resource::location ( Enum['present', 'absent'] $ensure = 'present', Boolean $internal = false, String $location = $name, Variant[String[1],Array[String[1],1]] $server = undef, Optional[String] $www_root = undef, Optional[String] $autoindex = undef, Optional[Enum['on', 'off']] $autoindex_exact_size = undef, Optional[Enum['html', 'xml', 'json', 'jsonp']] $autoindex_format = undef, Optional[Enum['on', 'off']] $autoindex_localtime = undef, Array $index_files = [ 'index.html', 'index.htm', 'index.php', ], Optional[String] $proxy = undef, Optional[String] $proxy_redirect = $nginx::proxy_redirect, String $proxy_read_timeout = $nginx::proxy_read_timeout, String $proxy_connect_timeout = $nginx::proxy_connect_timeout, String $proxy_send_timeout = $nginx::proxy_send_timeout, Array $proxy_set_header = $nginx::proxy_set_header, Array $proxy_hide_header = $nginx::proxy_hide_header, Array $proxy_pass_header = $nginx::proxy_pass_header, Array $proxy_ignore_header = $nginx::proxy_ignore_header, Optional[String] $proxy_next_upstream = undef, Optional[String] $fastcgi = undef, Optional[String] $fastcgi_index = undef, Optional[Hash] $fastcgi_param = undef, String $fastcgi_params = 
"${nginx::conf_dir}/fastcgi.conf", Optional[String] $fastcgi_script = undef, Optional[String] $fastcgi_split_path = undef, Optional[String] $uwsgi = undef, Optional[Hash] $uwsgi_param = undef, String $uwsgi_params = "${nginx::config::conf_dir}/uwsgi_params", Optional[String] $uwsgi_read_timeout = undef, Boolean $ssl = false, Boolean $ssl_only = false, Optional[String] $location_alias = undef, Optional[String[1]] $limit_zone = undef, Optional[Enum['any', 'all']] $location_satisfy = undef, Optional[Array] $location_allow = undef, Optional[Array] $location_deny = undef, Optional[Boolean] $stub_status = undef, Optional[Variant[String, Array]] $raw_prepend = undef, Optional[Variant[String, Array]] $raw_append = undef, Optional[Hash] $location_custom_cfg = undef, Optional[Hash] $location_cfg_prepend = undef, Optional[Hash] $location_cfg_append = undef, Optional[Hash] $location_custom_cfg_prepend = undef, Optional[Hash] $location_custom_cfg_append = undef, Optional[Array] $include = undef, Optional[Array] $try_files = undef, Optional[String] $proxy_cache = undef, Optional[String] $proxy_cache_key = undef, Optional[String] $proxy_cache_use_stale = undef, Optional[Enum['on', 'off']] $proxy_cache_lock = undef, Optional[Variant[Array, String]] $proxy_cache_valid = undef, Optional[Variant[Array, String]] $proxy_cache_bypass = undef, Optional[String] $proxy_method = undef, Optional[String] $proxy_http_version = undef, Optional[String] $proxy_set_body = undef, Optional[Enum['on', 'off']] $proxy_buffering = undef, Optional[Enum['on', 'off']] $proxy_request_buffering = undef, Optional[Nginx::Size] $proxy_max_temp_file_size = undef, Optional[Nginx::Size] $proxy_busy_buffers_size = undef, Optional[Enum['on', 'off']] $absolute_redirect = undef, Optional[String] $auth_basic = undef, Optional[String] $auth_basic_user_file = undef, Optional[String] $auth_request = undef, Array $rewrite_rules = [], Integer[401,599] $priority = 500, Boolean $mp4 = false, Boolean $flv = false, 
Optional[String] $expires = undef, Hash $add_header = {}, Optional[Enum['on', 'off', 'always']] $gzip_static = undef, ) { if ! defined(Class['nginx']) { fail('You must include the nginx base class before using any defined resources') } $root_group = $nginx::root_group File { owner => 'root', group => $root_group, mode => $nginx::global_mode, notify => Class['nginx::service'], } # # Shared Variables $ensure_real = $ensure ? { 'absent' => absent, default => file, } if ($www_root and $proxy) { fail("Cannot define both directory and proxy in ${server}:${title}") } # Use proxy, fastcgi or uwsgi template if $proxy is defined, otherwise use directory template. # fastcgi_script is deprecated if ($fastcgi_script != undef) { warning('The $fastcgi_script parameter is deprecated; please use $fastcgi_param instead to define custom fastcgi_params!') } # Only try to manage these files if they're the default one (as you presumably # usually don't want the default template if you're using a custom file. 
if ( $ensure == 'present' and $fastcgi != undef and !defined(File[$fastcgi_params]) and $fastcgi_params == "${nginx::conf_dir}/fastcgi.conf" ) { file { $fastcgi_params: ensure => 'file', mode => $nginx::global_mode, content => template('nginx/server/fastcgi.conf.erb'), tag => 'nginx_config_file', } } if $ensure == 'present' and $uwsgi != undef and !defined(File[$uwsgi_params]) and $uwsgi_params == "${nginx::conf_dir}/uwsgi_params" { file { $uwsgi_params: ensure => 'file', mode => $nginx::global_mode, content => template('nginx/server/uwsgi_params.erb'), tag => 'nginx_config_file', } } any2array($server).each |$s| { $server_sanitized = regsubst($s, ' ', '_', 'G') if $nginx::confd_only { $server_dir = "${nginx::conf_dir}/conf.d" } else { $server_dir = "${nginx::conf_dir}/sites-available" } $config_file = "${server_dir}/${server_sanitized}.conf" if $ensure == 'present' { ## Create stubs for server File Fragment Pattern $location_md5 = md5($location) if ($ssl_only != true) { concat::fragment { "${server_sanitized}-${priority}-${location_md5}": target => $config_file, content => template('nginx/server/location.erb'), order => $priority, } } ## Only create SSL Specific locations if $ssl is true. if ($ssl == true or $ssl_only == true) { $ssl_priority = $priority + 300 concat::fragment { "${server_sanitized}-${ssl_priority}-${location_md5}-ssl": target => $config_file, content => template('nginx/server/location.erb'), order => $ssl_priority, } } } } } diff --git a/manifests/resource/mailhost.pp b/manifests/resource/mailhost.pp index 2da3848..c6ec7ef 100644 --- a/manifests/resource/mailhost.pp +++ b/manifests/resource/mailhost.pp 
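Review bot: The two default-parameter files are anchored to different variables: `$fastcgi_params` defaults to `"${nginx::conf_dir}/fastcgi.conf"` while `$uwsgi_params` defaults to `"${nginx::config::conf_dir}/uwsgi_params"`, yet the guard that decides whether to manage the default file compares against `"${nginx::conf_dir}/uwsgi_params"`; should those two values ever differ (for instance a user-overridden `nginx::conf_dir`), the default `uwsgi_params` file is silently never written even though the location still includes it. Changing the default to `String $uwsgi_params = "${nginx::conf_dir}/uwsgi_params",` keeps the default and the guard consistent and stops reaching into the `@api private` `nginx::config` class. The converted docs also drop `fastcgi_index` and `rewrite_rules`, both still in the signature, so puppet-strings will warn; add `# @param fastcgi_index` / `#   Value for the fastcgi_index directive in this location` and `# @param rewrite_rules` / `#   Array of rewrite rules emitted in this location (presumably one directive per element; confirm against the template)`. Since `raw_prepend`, `raw_append` and `location_custom_cfg` are written verbatim into the server config, their docs should also state that values are not escaped and must not be built from untrusted input.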
@@ -1,169 +1,220 @@
-# define: nginx::resource::mailhost
+# @summary Define a mailhost
 #
-# Parameters:
-# [*ensure*] - Enables or disables the specified mailhost (present|absent)
-# [*listen_ip*] - Default IP Address for NGINX to listen with this server on. Defaults to all interfaces (*)
-# [*listen_port*] - Default IP Port for NGINX to listen with this server on. Defaults to TCP 80
-# [*listen_options*] - Extra options for listen directive like 'default' to catchall. Undef by default.
-# [*ipv6_enable*] - BOOL value to enable/disable IPv6 support (false|true). Module will check to see if IPv6
-# support exists on your system before enabling.
-# [*ipv6_listen_ip*] - Default IPv6 Address for NGINX to listen with this server on. Defaults to all interfaces (::)
-# [*ipv6_listen_port*] - Default IPv6 Port for NGINX to listen with this server on. Defaults to TCP 80
-# [*ipv6_listen_options*] - Extra options for listen directive like 'default' to catchall. Template will allways add ipv6only=on.
-# While issue jfryman/puppet-nginx#30 is discussed, default value is 'default'.
-# [*index_files*] - Default index files for NGINX to read when traversing a directory
-# [*ssl*] - Indicates whether to setup SSL bindings for this mailhost.
-# [*ssl_cert*] - Pre-generated SSL Certificate file to reference for SSL Support. This is not generated by this module.
-# [*ssl_ciphers*] - Override default SSL ciphers. Defaults to nginx::ssl_ciphers
-# [*ssl_client_cert*] - Pre-generated SSL Certificate file to reference for client verify SSL Support.
-# This is not generated by this module.
-# [*ssl_crl*] - String: Specifies CRL path in file system
-# [*ssl_dhparam*] - This directive specifies a file containing Diffie-Hellman key agreement protocol cryptographic
-# parameters, in PEM format, utilized for exchanging session keys between server and client.
-# [*ssl_ecdh_curve*] - This directive specifies a curve for ECDHE ciphers.
-# [*ssl_key*] - Pre-generated SSL Key file to reference for SSL Support. This is not generated by this module.
-# [*ssl_password_file*] - This directive specifies a file containing passphrases for secret keys.
-# [*ssl_port*] - Default IP Port for NGINX to listen with this SSL server on. Defaults to TCP 443
-# [*ssl_prefer_server_ciphers*] - Specifies that server ciphers should be preferred over client ciphers when using the SSLv3
-# and TLS protocols. Defaults to $nginx::ssl_prefer_server_ciphers.
-# [*ssl_protocols*] - SSL protocols enabled. Defaults to nginx::ssl_protocols
-# [*ssl_session_cache*] - Sets the type and size of the session cache.
-# [*ssl_session_ticket_key*] - This directive specifies a file containing secret key used to encrypt and decrypt TLS session tickets.
-# [*ssl_session_tickets*] - Whether to enable or disable session resumption through TLS session tickets.
-# [*ssl_session_timeout*] - String: Specifies a time during which a client may reuse the session parameters stored in a cache.
-# Defaults to 5m.
-# [*ssl_trusted_cert*] - String: Specifies a file with trusted CA certificates in the PEM format used to verify client
-# certificates and OCSP responses if ssl_stapling is enabled.
-# [*ssl_verify_depth*] - Sets the verification depth in the client certificates chain.
-# [*starttls*] - Enable STARTTLS support: (on|off|only)
-# [*protocol*] - Mail protocol to use: (imap|pop3|smtp)
-# [*auth_http*] - With this directive you can set the URL to the external HTTP-like server for authorization.
-# [*xclient*] - Whether to use xclient for smtp (on|off)
-# [*imap_auth*] - Sets permitted methods of authentication for IMAP clients.
-# [*imap_capabilities*] - Sets the IMAP protocol extensions list that is passed to the client in response to the CAPA command.
-# [*imap_client_buffer*] - Sets the IMAP commands read buffer size.
-# [*pop3_auth*] - Sets permitted methods of authentication for POP3 clients.
-# [*pop3_capabilities*] - Sets the POP3 protocol extensions list that is passed to the client in response to the CAPA command.
-# [*smtp_auth*] - Sets permitted methods of SASL authentication for SMTP clients.
-# [*smtp_capabilities*] - Sets the SMTP protocol extensions list that is passed to the client in response to the EHLO command.
-# [*proxy_pass_error_message*] - Indicates whether to pass the error message obtained during the authentication on the backend
-# to the client.
-# [*server_name*] - List of mailhostnames for which this mailhost will respond. Default [$name].
-# [*raw_prepend*] - A single string, or an array of strings to prepend to the server directive (after mailhost_cfg_prepend
-# directive). NOTE: YOU are responsible for a semicolon on each line that requires one.
-# [*raw_append*] - A single string, or an array of strings to append to the server directive (after mailhost_cfg_append
-# directive). NOTE: YOU are responsible for a semicolon on each line that requires one.
-# [*mailhost_cfg_append*] - It expects a hash with custom directives to put after everything else inside server
-# [*mailhost_cfg_prepend*] - It expects a hash with custom directives to put before everything else inside server
+# @param ensure
+# Enables or disables the specified mailhost
+# @param listen_ip
+# Default IP Address for NGINX to listen with this server on. Defaults to all interfaces (*)
+# @param listen_port
+# Default IP Port for NGINX to listen with this server on.
+# @param listen_options
+# Extra options for listen directive like 'default' to catchall.
+# @param ipv6_enable
+# value to enable/disable IPv6 support (false|true). Module will check to see
+# if IPv6 support exists on your system before enabling.
+# @param ipv6_listen_ip
+# Default IPv6 Address for NGINX to listen with this server on. Defaults to
+# all interfaces (::)
+# @param ipv6_listen_port
+# Default IPv6 Port for NGINX to listen with this server on.
+# @param ipv6_listen_options
+# Extra options for listen directive like 'default' to catchall. Template
+# will allways add ipv6only=on. While issue jfryman/puppet-nginx#30 is
+# discussed, default value is 'default'.
+# @param ssl
+# Indicates whether to setup SSL bindings for this mailhost.
+# @param ssl_cert
+# Pre-generated SSL Certificate file to reference for SSL Support. This is
+# not generated by this module.
+# @param ssl_ciphers
+# Override default SSL ciphers.
+# @param ssl_client_cert
+# Pre-generated SSL Certificate file to reference for client verify SSL
+# Support. This is not generated by this module.
+# @param ssl_crl
+# String: Specifies CRL path in file system
+# @param ssl_dhparam
+# This directive specifies a file containing Diffie-Hellman key agreement
+# protocol cryptographic parameters, in PEM format, utilized for exchanging
+# session keys between server and client.
+# @param ssl_ecdh_curve
+# This directive specifies a curve for ECDHE ciphers.
+# @param ssl_key
+# Pre-generated SSL Key file to reference for SSL Support. This is not
+# generated by this module.
+# @param ssl_password_file
+# This directive specifies a file containing passphrases for secret keys.
+# @param ssl_port
+# Default IP Port for NGINX to listen with this SSL server on.
+# @param ssl_prefer_server_ciphers
+# Specifies that server ciphers should be preferred over client ciphers when
+# using the SSLv3 and TLS protocols.
+# @param ssl_protocols
+# SSL protocols enabled.
+# @param ssl_session_cache
+# Sets the type and size of the session cache.
+# @param ssl_session_ticket_key
+# This directive specifies a file containing secret key used to encrypt and
+# decrypt TLS session tickets.
+# @param ssl_session_tickets
+# Whether to enable or disable session resumption through TLS session tickets.
+# @param ssl_session_timeout
+# Specifies a time during which a client may reuse the session parameters
+# stored in a cache.
+# @param ssl_trusted_cert
+# Specifies a file with trusted CA certificates in the PEM format used to
+# verify client certificates and OCSP responses if ssl_stapling is enabled.
+# @param ssl_verify_depth
+# Sets the verification depth in the client certificates chain.
+# @param starttls
+# Enable STARTTLS support
+# @param protocol
+# Mail protocol to use
+# @param auth_http
+# With this directive you can set the URL to the external HTTP-like server
+# for authorization.
+# @param xclient
+# Whether to use xclient for smtp
+# @param imap_auth
+# Sets permitted methods of authentication for IMAP clients.
+# @param imap_capabilities
+# Sets the IMAP protocol extensions list that is passed to the client in
+# response to the CAPA command.
+# @param imap_client_buffer
+# Sets the IMAP commands read buffer size.
+# @param pop3_auth
+# Sets permitted methods of authentication for POP3 clients.
+# @param pop3_capabilities
+# Sets the POP3 protocol extensions list that is passed to the client in
+# response to the CAPA command.
+# @param smtp_auth
+# Sets permitted methods of SASL authentication for SMTP clients.
+# @param smtp_capabilities
+# Sets the SMTP protocol extensions list that is passed to the client in
+# response to the EHLO command.
+# @param proxy_pass_error_message
+# Indicates whether to pass the error message obtained during the
+# authentication on the backend to the client.
+# @param server_name
+# List of mailhostnames for which this mailhost will respond.
+# @param raw_prepend
+# A single string, or an array of strings to prepend to the server directive
+# (after mailhost_cfg_prepend directive). NOTE: YOU are responsible for a
+# semicolon on each line that requires one.
+# @param raw_append
+# A single string, or an array of strings to append to the server directive
+# (after mailhost_cfg_append directive). NOTE: YOU are responsible for a
+# semicolon on each line that requires one.
+# @param mailhost_cfg_append
+# It expects a hash with custom directives to put after everything else
+# inside server
+# @param mailhost_cfg_prepend
+# It expects a hash with custom directives to put before everything else
+# inside server
 #
-# Actions:
-#
-# Requires:
-#
-# Sample Usage:
-# nginx::resource::mailhost { 'domain1.example':
-# ensure => present,
-# auth_http => 'server2.example/cgi-bin/auth',
-# protocol => 'smtp',
-# listen_port => 587,
-# ssl_port => 465,
-# starttls => 'only',
-# xclient => 'off',
-# ssl => true,
-# ssl_cert => '/tmp/server.crt',
-# ssl_key => '/tmp/server.pem',
-# }
+# @example SMTP server definition
+# nginx::resource::mailhost { 'domain1.example':
+# ensure => present,
+# auth_http => 'server2.example/cgi-bin/auth',
+# protocol => 'smtp',
+# listen_port => 587,
+# ssl_port => 465,
+# starttls => 'only',
+# xclient => 'off',
+# ssl => true,
+# ssl_cert => '/tmp/server.crt',
+# ssl_key => '/tmp/server.pem',
+# }
 #
 define nginx::resource::mailhost ( Stdlib::Port $listen_port, Enum['absent', 'present'] $ensure = 'present', Variant[Array[String], String] $listen_ip = '*', Optional[String] $listen_options = undef, Boolean $ipv6_enable = false, Variant[Array[String], String] $ipv6_listen_ip = '::', Stdlib::Port $ipv6_listen_port = 80, String $ipv6_listen_options = 'default ipv6only=on', Boolean $ssl = false, Optional[String] $ssl_cert = undef, String $ssl_ciphers = $nginx::ssl_ciphers, Optional[String] $ssl_client_cert = undef, Optional[String] $ssl_crl = undef, Optional[String] $ssl_dhparam = $nginx::ssl_dhparam, Optional[String] $ssl_ecdh_curve = undef, Optional[String] $ssl_key = undef, Optional[String] $ssl_password_file = undef, Optional[Stdlib::Port] $ssl_port = undef, Enum['on', 'off'] $ssl_prefer_server_ciphers = $nginx::ssl_prefer_server_ciphers, String $ssl_protocols = $nginx::ssl_protocols, Optional[String] $ssl_session_cache = undef, Optional[String] $ssl_session_ticket_key = undef, Optional[String] $ssl_session_tickets =
undef, String $ssl_session_timeout = '5m', Optional[String] $ssl_trusted_cert = undef, Optional[Integer] $ssl_verify_depth = undef, Enum['on', 'off', 'only'] $starttls = 'off', - $protocol = undef, + Optional[Enum['imap', 'pop3', 'smtp']] $protocol = undef, Optional[String] $auth_http = undef, Optional[String] $auth_http_header = undef, - String $xclient = 'on', + Enum['on', 'off'] $xclient = 'on', Optional[String] $imap_auth = undef, Optional[Array] $imap_capabilities = undef, Optional[String] $imap_client_buffer = undef, Optional[String] $pop3_auth = undef, Optional[Array] $pop3_capabilities = undef, Optional[String] $smtp_auth = undef, Optional[Array] $smtp_capabilities = undef, Optional[Variant[Array, String]] $raw_prepend = undef, Optional[Variant[Array, String]] $raw_append = undef, Optional[Hash] $mailhost_cfg_prepend = undef, Optional[Hash] $mailhost_cfg_append = undef, String $proxy_pass_error_message = 'off', Array $server_name = [$name] ) { if ! defined(Class['nginx']) { fail('You must include the nginx base class before using any defined resources') } # Add IPv6 Logic Check - Nginx service will not start if ipv6 is enabled # and support does not exist for it in the kernel. if ($ipv6_enable and !$facts['networking']['ip6']) { warning('nginx: IPv6 support is not enabled or configured properly') } # Check to see if SSL Certificates are properly defined. 
if ($ssl or $starttls == 'on' or $starttls == 'only') { if ($ssl_cert == undef) or ($ssl_key == undef) { fail('nginx: SSL certificate/key (ssl_cert/ssl_cert) and/or SSL Private must be defined and exist on the target system(s)') } } $config_dir = "${nginx::conf_dir}/conf.mail.d" $config_file = "${config_dir}/${name}.conf" concat { $config_file: ensure => $ensure, owner => 'root', group => $nginx::root_group, mode => $nginx::global_mode, notify => Class['nginx::service'], require => File[$config_dir], tag => 'nginx_config_file', } if $ssl_port == undef or $listen_port != $ssl_port { concat::fragment { "${name}-header": target => $config_file, content => template('nginx/mailhost/mailhost.erb'), order => '001', } } # Create SSL File Stubs if SSL is enabled if $ssl { concat::fragment { "${name}-ssl": target => $config_file, content => template('nginx/mailhost/mailhost_ssl.erb'), order => '700', } } }
diff --git a/manifests/resource/map.pp b/manifests/resource/map.pp
index 41c0ae3..e86f966 100644
--- a/manifests/resource/map.pp
+++ b/manifests/resource/map.pp
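Review bot: The failure message in the SSL/STARTTLS guard names the wrong parameter twice, `ssl_cert/ssl_cert`, so an operator who forgot `$ssl_key` is told to set `$ssl_cert`; it should read `fail('nginx: SSL certificate/key (ssl_cert/ssl_key) must be defined and exist on the target system(s)')`. The commit narrows `$protocol` and `$xclient` to enums, but `$ssl_session_tickets`, documented as on/off, and `$proxy_pass_error_message` stay plain `String`, so the same tightening would be consistent: `Optional[Enum['on', 'off']] $ssl_session_tickets = undef,`. While the `ssl_prefer_server_ciphers` doc is being rewritten, its carried-over mention of SSLv3 is worth dropping as well. The whole body of `nginx::resource::mailhost` is visible in this hunk.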
@@ -1,107 +1,100 @@
-# define: nginx::resource::map
+# @summary Create a new mapping entry for NGINX
+#
+# @param ensure
+# Enables or disables the specified location
+# @param default
+# Sets the resulting value if the source values fails to match any of the
+# variants.
+# @param string
+# Source string or variable to provide mapping for
+# @param mappings
+# Hash of map lookup keys and resultant values
+# @param hostnames
+# Indicates that source values can be hostnames with a prefix or suffix mask.
+# @param include_files
+# An array of external files to include
+# @param context
+# Specify if mapping is for http or stream context
+#
+# @example
+# nginx::resource::map { 'backend_pool':
+# ensure => present,
+# hostnames => true,
+# default => 'ny-pool-1,
+# string => '$http_host',
+# mappings => {
+# '*.nyc.example.com' => 'ny-pool-1',
+# '*.sf.example.com' => 'sf-pool-1',
+# }
+# }
+#
+# @example Preserving input of order of mappings
+# nginx::resource::map { 'backend_pool':
+# ...
+# mappings => [
+# { 'key' => '*.sf.example.com', 'value' => 'sf-pool-1' },
+# { 'key' => '*.nyc.example.com', 'value' => 'ny-pool-1' },
+# ]
+# }
+#
+# @example Using external include
+# nginx::resource::map { 'redirections':
+# include_files => [ '/etc/nginx/conf.d/redirections.map']
+# }
+#
+# @example Hiera usage
+# nginx::string_mappings:
+# client_network:
+# ensure: present
+# hostnames: true
+# default: 'ny-pool-1'
+# string: $http_host
+# mappings:
+# '*.nyc.example.com': 'ny-pool-1'
+# '*.sf.example.com': 'sf-pool-1'
+#
+# @example Hiera usage: preserving input of order of mappings:
+# nginx::string_mappings:
+# client_network:
+# ...
+# mappings:
+# - key: '*.sf.example.com'
+# value: 'sf-pool-1'
+# - key: '*.nyc.example.com'
+# value: 'ny-pool-1'
 #
-# This definition creates a new mapping entry for NGINX
-#
-# Parameters:
-# [*ensure*] - Enables or disables the specified location (present|absent)
-# [*default*] - Sets the resulting value if the source values fails to
-# match any of the variants.
-# [*string*] - Source string or variable to provide mapping for
-# [*mappings*] - Hash of map lookup keys and resultant values
-# [*hostnames*] - Indicates that source values can be hostnames with a
-# prefix or suffix mask.
-# [*include_files*] - An array of external files to include
-# [*context'] - Specify if mapping is for http or stream context
-#
-# Actions:
-#
-# Requires:
-#
-# Sample Usage:
-#
-# nginx::resource::map { 'backend_pool':
-# ensure => present,
-# hostnames => true,
-# default => 'ny-pool-1,
-# string => '$http_host',
-# mappings => {
-# '*.nyc.example.com' => 'ny-pool-1',
-# '*.sf.example.com' => 'sf-pool-1',
-# }
-# }
-#
-# Sample Usage (preserving input of order of mappings):
-#
-# nginx::resource::map { 'backend_pool':
-# ...
-# mappings => [
-# { 'key' => '*.sf.example.com', 'value' => 'sf-pool-1' },
-# { 'key' => '*.nyc.example.com', 'value' => 'ny-pool-1' },
-# ]
-# }
-#
-# Sample Usage (using external include)
-#
-# nginx::resource::map { 'redirections':
-#
-# include_files => [ '/etc/nginx/conf.d/redirections.map']
-#
-# }
-#
-# Sample Hiera usage:
-#
-# nginx::string_mappings:
-# client_network:
-# ensure: present
-# hostnames: true
-# default: 'ny-pool-1'
-# string: $http_host
-# mappings:
-# '*.nyc.example.com': 'ny-pool-1'
-# '*.sf.example.com': 'sf-pool-1'
-#
-# Sample Hiera usage (preserving input of order of mappings):
-#
-# nginx::string_mappings:
-# client_network:
-# ...
-# mappings:
-# - key: '*.sf.example.com'
-# value: 'sf-pool-1'
-# - key: '*.nyc.example.com'
-# value: 'ny-pool-1'
 define nginx::resource::map ( String[2] $string, Variant[Array, Hash] $mappings, Optional[String] $default = undef, Enum['absent', 'present'] $ensure = 'present', Array[String] $include_files = [], Boolean $hostnames = false, Enum['http', 'stream'] $context = 'http', ) { if ! defined(Class['nginx']) { fail('You must include the nginx base class before using any defined resources') } $root_group = $nginx::root_group $conf_dir = $context ? { 'stream' => "${nginx::conf_dir}/conf.stream.d", 'http' => "${nginx::conf_dir}/conf.d", } $ensure_real = $ensure ? { 'absent' => absent, default => 'file', } file { "${conf_dir}/${name}-map.conf": ensure => $ensure_real, owner => 'root', group => $root_group, mode => $nginx::global_mode, content => template('nginx/conf.d/map.erb'), notify => Class['nginx::service'], tag => 'nginx_config_file', } }
diff --git a/manifests/resource/server.pp b/manifests/resource/server.pp
index 54a2631..c56d665 100644
--- a/manifests/resource/server.pp
+++ b/manifests/resource/server.pp
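Review bot: The first `@example` in the new YARD header carries over an unbalanced quote, `default => 'ny-pool-1,`, so the example is not valid Puppet for anyone who pastes it; it should read `default => 'ny-pool-1',`. The `$ensure_real` selector mixes a bare word with a quoted string (`'absent' => absent,` next to `default => 'file',`); quoting both branches the same way, `'absent' => 'absent',`, keeps the two arms in one style. The body of `nginx::resource::map` is shown in full in this hunk.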
@@ -1,503 +1,627 @@
-# define: nginx::resource::server
+# @summary Create a virtual host
 #
-# This definition creates a virtual host
-#
-# Parameters:
-# [*ensure*] - Enables or disables the specified server (present|absent)
-# [*listen_ip*] - Default IP Address for NGINX to listen with this server on. Defaults to all interfaces (*)
-# [*listen_port*] - Default IP Port for NGINX to listen with this server on. Defaults to TCP 80
-# [*listen_options*] - Extra options for listen directive like 'default_server' to catchall. Undef by default.
-# [*listen_unix_socket_enable*] - BOOL value to enable/disable UNIX socket listening support (false|true).
-# [*listen_unix_socket*] - Default unix socket for NGINX to listen with this server on. Defaults to UNIX /var/run/nginx.sock
-# [*listen_unix_socket_options*] - Extra options for listen directive like 'default' to catchall. Undef by default.
-# [*location_satisfy*] - Allows access if all (all) or at least one (any) of the auth modules allow access.
-# [*location_allow*] - Array: Locations to allow connections from.
-# [*location_deny*] - Array: Locations to deny connections from.
-# [*ipv6_enable*] - BOOL value to enable/disable IPv6 support (false|true). Module will check to see if IPv6 support
-# exists on your system before enabling.
-# [*ipv6_listen_ip*] - Default IPv6 Address for NGINX to listen with this server on. Defaults to all interfaces (::)
-# [*ipv6_listen_port*] - Default IPv6 Port for NGINX to listen with this server on. Defaults to TCP 80
-# [*ipv6_listen_options*] - Extra options for listen directive like 'default' to catchall. Template will allways add ipv6only=on.
-# While issue jfryman/puppet-nginx#30 is discussed, default value is 'default'.
-# [*add_header*] - Hash: Adds headers to the HTTP response when response code is equal to 200, 204, 301, 302 or 304.
-# [*index_files*] - Default index files for NGINX to read when traversing a directory
-# [*autoindex*] - Set it on 'on' or 'off 'to activate/deactivate autoindex directory listing. Undef by default.
-# [*autoindex_exact_size*] - Set it on 'on' or 'off' to activate/deactivate autoindex displaying exact filesize, or rounded to
-# kilobytes, megabytes and gigabytes. Undef by default.
-# [*autoindex_format*] - Sets the format of a directory listing. Undef by default.
-# [*autoindex_localtime*] - Specifies whether times in the directory listing should be output in the local time zone or UTC.
-# [*proxy*] - Proxy server(s) for the root location to connect to. Accepts a single value, can be used in
-# conjunction with nginx::resource::upstream
-# [*proxy_read_timeout*] - Override the default proxy read timeout value of 90 seconds
-# [*proxy_send_timeout*] - Override the default proxy send timeout value of 90 seconds
-# [*proxy_redirect*] - Override the default proxy_redirect value of off.
-# [*proxy_buffering*] - If defined, sets the proxy_buffering to the passed value.
-# [*proxy_request_buffering*] - If defined, sets the proxy_request_buffering to the passed value.
-# [*proxy_max_temp_file_size*] - Sets the maximum size of the temporary buffer file.
-# [*proxy_busy_buffers_size*] - Sets the total size of buffers that can be
-# busy sending a response to the client while the response is not yet fully read.
-# [*resolver*] - Array: Configures name servers used to resolve names of upstream servers into addresses.
-# [*fastcgi*] - location of fastcgi (host:port)
-# [*fastcgi_param*] - Set additional custom fastcgi_params
-# [*fastcgi_params*] - optional alternative fastcgi_params file to use
-# [*fastcgi_index*] - optional FastCGI index page
-# [*fastcgi_script*] - optional SCRIPT_FILE parameter
-# [*uwsgi_read_timeout*] - optional value for uwsgi_read_timeout
-# [*ssl*] - Indicates whether to setup SSL bindings for this server.
-# [*ssl_cert*] - Pre-generated SSL Certificate file to reference for SSL Support. This is not generated by this module.
-# Set to `false` to inherit from the http section, which improves performance by conserving memory.
-# [*ssl_client_cert*] - Pre-generated SSL Certificate file to reference for client verify SSL Support. This is not generated by
-# this module.
-# [*ssl_verify_client*] - Enables verification of client certificates.
-# [*ssl_crl*] - String: Specifies CRL path in file system
-# [*ssl_dhparam*] - This directive specifies a file containing Diffie-Hellman key agreement protocol cryptographic
-# parameters, in PEM format, utilized for exchanging session keys between server and client. Defaults to nginx::ssl_dhparam
-# [*ssl_ecdh_curve*] - This directive specifies a curve for ECDHE ciphers.
-# [*ssl_prefer_server_ciphers*] - String: Specifies that server ciphers should be preferred over client ciphers when using the SSLv3 and
-# TLS protocols. Defaults to nginx::ssl_prefer_server_ciphers.
-# [*ssl_redirect*] - Adds a server directive and return statement to force ssl redirect. Will honor ssl_port if it's set.
-# [*ssl_redirect_port*] - Overrides $ssl_port in the SSL redirect set by ssl_redirect
-# [*ssl_key*] - Pre-generated SSL Key file to reference for SSL Support. This is not generated by this module. Set to
-# `false` to inherit from the http section, which improves performance by conserving memory.
-# [*ssl_port*] - Default IP Port for NGINX to listen with this SSL server on. Defaults to TCP 443
-# [*ssl_protocols*] - SSL protocols enabled. Defaults to 'TLSv1 TLSv1.1 TLSv1.2'.
-# [*ssl_buffer_size*] - Sets the size of the buffer used for sending data.
-# [*ssl_ciphers*] - SSL ciphers enabled. Defaults to nginx::ssl_ciphers
-# [*ssl_stapling*] - Bool: Enables or disables stapling of OCSP responses by the server. Defaults to false.
-# [*ssl_stapling_file*] - String: When set, the stapled OCSP response will be taken from the specified file instead of querying
-# the OCSP responder specified in the server certificate.
-# [*ssl_stapling_responder*] - String: Overrides the URL of the OCSP responder specified in the Authority Information Access
-# certificate extension.
-# [*ssl_stapling_verify*] - Bool: Enables or disables verification of OCSP responses by the server. Defaults to false.
-# [*ssl_session_timeout*] - String: Specifies a time during which a client may reuse the session parameters stored in a cache.
+# @param ensure
+# Enables or disables the specified server
+# @param listen_ip
+# Default IP Address for NGINX to listen with this server on. Defaults to all
+# interfaces (*)
+# @param listen_port
+# Default TCP Port for NGINX to listen with this server on.
+# @param listen_options
+# Extra options for listen directive like 'default_server' to catchall.
+# @param listen_unix_socket_enable
+# value to enable/disable UNIX socket listening support.
+# @param listen_unix_socket
+# Default unix socket for NGINX to listen with this server on.
+# @param listen_unix_socket_options
+# Extra options for listen directive like 'default' to catchall.
+# @param location_satisfy
+# Allows access if all (all) or at least one (any) of the auth modules allow
+# access.
+# @param location_allow
+# Locations to allow connections from.
+# @param location_deny
+# Locations to deny connections from.
+# @param ipv6_enable
+# value to enable/disable IPv6 support (false|true). Module will check to see
+# if IPv6 support exists on your system before enabling.
+# @param ipv6_listen_ip
+# Default IPv6 Address for NGINX to listen with this server on. Defaults to all interfaces (::)
+# @param ipv6_listen_port
+# Default IPv6 Port for NGINX to listen with this server on. Defaults to TCP 80
+# @param ipv6_listen_options
+# Extra options for listen directive like 'default' to catchall.
Template
+# will allways add ipv6only=on. While issue jfryman/puppet-nginx#30 is
+# discussed, default value is 'default'.
+# @param add_header
+# Adds headers to the HTTP response when response code is equal to 200, 204,
+# 301, 302 or 304.
+# @param index_files
+# Default index files for NGINX to read when traversing a directory
+# @param autoindex
+# Set it on 'on' or 'off 'to activate/deactivate autoindex directory listing.
+# @param autoindex_exact_size
+# Set it on 'on' or 'off' to activate/deactivate autoindex displaying exact
+# filesize, or rounded to kilobytes, megabytes and gigabytes.
+# @param autoindex_format
+# Sets the format of a directory listing.
+# @param autoindex_localtime
+# Specifies whether times in the directory listing should be output in the
+# local time zone or UTC.
+# @param proxy
+# Proxy server(s) for the root location to connect to. Accepts a single
+# value, can be used in conjunction with nginx::resource::upstream
+# @param proxy_read_timeout
+# Override the default proxy read timeout value of 90 seconds
+# @param proxy_send_timeout
+# Override the default proxy send timeout value of 90 seconds
+# @param proxy_redirect
+# Override the default proxy_redirect value of off.
+# @param proxy_buffering
+# If defined, sets the proxy_buffering to the passed value.
+# @param proxy_request_buffering
+# If defined, sets the proxy_request_buffering to the passed value.
+# @param proxy_max_temp_file_size
+# Sets the maximum size of the temporary buffer file.
+# @param proxy_busy_buffers_size
+# Sets the total size of buffers that can be busy sending a response to the
+# client while the response is not yet fully read.
+# @param resolver
+# Configures name servers used to resolve names of upstream servers into addresses.
+# @param fastcgi
+# location of fastcgi (host:port)
+# @param fastcgi_param
+# Set additional custom fastcgi_params
+# @param fastcgi_params
+# optional alternative fastcgi_params file to use
+# @param fastcgi_index
+# optional FastCGI index page
+# @param fastcgi_script
+# optional SCRIPT_FILE parameter
+# @param uwsgi_read_timeout
+# optional value for uwsgi_read_timeout
+# @param ssl
+# Indicates whether to setup SSL bindings for this server.
+# @param ssl_cert
+# Pre-generated SSL Certificate file to reference for SSL Support. This is
+# not generated by this module. Set to `false` to inherit from the http
+# section, which improves performance by conserving memory.
+# @param ssl_client_cert
+# Pre-generated SSL Certificate file to reference for client verify SSL
+# Support. This is not generated by this module.
+# @param ssl_verify_client
+# Enables verification of client certificates.
+# @param ssl_crl
+# Specifies CRL path in file system
+# @param ssl_dhparam
+# This directive specifies a file containing Diffie-Hellman key agreement
+# protocol cryptographic parameters, in PEM format, utilized for exchanging
+# session keys between server and client.
+# @param ssl_ecdh_curve
+# This directive specifies a curve for ECDHE ciphers.
+# @param ssl_prefer_server_ciphers
+# String: Specifies that server ciphers should be preferred over client
+# ciphers when using the SSLv3 and TLS protocols.
+# @param ssl_redirect
+# Adds a server directive and return statement to force ssl redirect. Will
+# honor ssl_port if it's set.
+# @param ssl_redirect_port
+# Overrides $ssl_port in the SSL redirect set by ssl_redirect
+# @param ssl_key
+# Pre-generated SSL Key file to reference for SSL Support. This is not
+# generated by this module. Set to `false` to inherit from the http section,
+# which improves performance by conserving memory.
+# @param ssl_port
+# Default IP Port for NGINX to listen with this SSL server on.
+# @param ssl_protocols
+# SSL protocols enabled.
Defaults to 'TLSv1 TLSv1.1 TLSv1.2'.
+# @param ssl_buffer_size
+# Sets the size of the buffer used for sending data.
+# @param ssl_ciphers
+# SSL ciphers enabled.
+# @param ssl_stapling
+# Enables or disables stapling of OCSP responses by the server.
+# @param ssl_stapling_file
+# When set, the stapled OCSP response will be taken from the specified file
+# instead of querying the OCSP responder specified in the server certificate.
+# @param ssl_stapling_responder
+# Overrides the URL of the OCSP responder specified in the Authority
+# Information Access certificate extension.
+# @param ssl_stapling_verify
+# Enables or disables verification of OCSP responses by the server. Defaults to false.
+# @param ssl_session_timeout
+# Specifies a time during which a client may reuse the session parameters stored in a cache.
 # Defaults to 5m.
-# [*ssl_session_tickets*] - String: Enables or disables session resumption through TLS session tickets.
-# [*ssl_session_ticket_key*] - String: Sets a file with the secret key used to encrypt and decrypt TLS session tickets.
-# [*ssl_trusted_cert*] - String: Specifies a file with trusted CA certificates in the PEM format used to verify client
+# @param ssl_session_tickets
+# Enables or disables session resumption through TLS session tickets.
+# @param ssl_session_ticket_key
+# Sets a file with the secret key used to encrypt and decrypt TLS session tickets.
+# @param ssl_trusted_cert
+# Specifies a file with trusted CA certificates in the PEM format used to verify client
 # certificates and OCSP responses if ssl_stapling is enabled.
-# [*ssl_verify_depth*] - Integer: Sets the verification depth in the client certificates chain.
-# [*ssl_password_file*] - String: File containing the password for the SSL Key file.
-# [*spdy*] - Toggles SPDY protocol.
-# [*http2*] - Toggles HTTP/2 protocol.
-# [*server_name*] - List of servernames for which this server will respond. Default [$name].
-# [*www_root*] - Specifies the location on disk for files to be read from. Cannot be set in conjunction with $proxy
-# [*rewrite_www_to_non_www*] - Adds a server directive and rewrite rule to rewrite www.domain.com to domain.com in order to avoid
+# @param ssl_verify_depth
+# Sets the verification depth in the client certificates chain.
+# @param ssl_password_file
+# File containing the password for the SSL Key file.
+# @param spdy
+# Toggles SPDY protocol.
+# @param http2
+# Toggles HTTP/2 protocol.
+# @param server_name
+# List of servernames for which this server will respond. Default [$name].
+# @param www_root
+# Specifies the location on disk for files to be read from. Cannot be set in conjunction with $proxy
+# @param rewrite_www_to_non_www
+# Adds a server directive and rewrite rule to rewrite www.domain.com to domain.com in order to avoid
 # duplicate content (SEO);
-# [*rewrite_non_www_to_www*] - Adds a server directive and rewrite rule to rewrite domain.com to www.domain.com in order to avoid
+# @param rewrite_non_www_to_www
+# Adds a server directive and rewrite rule to rewrite domain.com to www.domain.com in order to avoid
 # duplicate content (SEO);
-# [*try_files*] - Specifies the locations for files to be checked as an array. Cannot be used in conjuction with $proxy.
-# [*proxy_cache*] - This directive sets name of zone for caching. The same zone can be used in multiple places.
-# [*proxy_cache_key*] - Override the default proxy_cache_key of $scheme$proxy_host$request_uri
-# [*proxy_cache_use_stale*] - Override the default proxy_cache_use_stale value of off.
-# [*proxy_cache_valid*] - This directive sets the time for caching different replies.
-# [*proxy_cache_lock*] - This directive sets the locking mechanism for pouplating cache.
-# [*proxy_cache_bypass*] - Defines conditions which the response will not be cached
-# [*proxy_method*] - If defined, overrides the HTTP method of the request to be passed to the backend.
-# [*proxy_http_version*] - Sets the proxy http version
-# [*proxy_set_body*] - If defined, sets the body passed to the backend.
-# [*absolute_redirect*] - Enables or disables the absolute redirect functionality of nginx
-# [*auth_basic*] - This directive includes testing name and password with HTTP Basic Authentication.
-# [*auth_basic_user_file*] - This directive sets the htpasswd filename for the authentication realm.
-# [*auth_request*] - This allows you to specify a custom auth endpoint
-# [*client_max_body_size*] - This directive sets client_max_body_size.
-# [*client_body_timeout*] - Sets how long the server will wait for a client body. Default is 60s
-# [*client_header_timeout*] - Sets how long the server will wait for a client header. Default is 60s
-# [*raw_prepend*] - A single string, or an array of strings to prepend to the server directive (after cfg prepend
-# directives). NOTE: YOU are responsible for a semicolon on each line that requires one.
-# [*raw_append*] - A single string, or an array of strings to append to the server directive (after cfg append
-# directives). NOTE: YOU are responsible for a semicolon on each line that requires one.
-# [*location_raw_prepend*] - A single string, or an array of strings to prepend to the location directive (after custom_cfg
-# directives). NOTE: YOU are responsible for a semicolon on each line that requires one.
-# [*location_raw_append*] - A single string, or an array of strings to append to the location directive (after custom_cfg
-# directives). NOTE: YOU are responsible for a semicolon on each line that requires one.
-# [*server_cfg_append*] - It expects a hash with custom directives to put after everything else inside server
-# [*server_cfg_prepend*] - It expects a hash with custom directives to put before everything else inside server
-# [*server_cfg_ssl_append*] - It expects a hash with custom directives to put after everything else inside server ssl
-# [*server_cfg_ssl_prepend*] - It expects a hash with custom directives to put before everything else inside server ssl
-# [*include_files*] - Adds include files to server
-# [*access_log*] - Where to write access log (log format can be set with $format_log). This can be either a string or an
-# array; in the latter case, multiple lines will be created. Additionally, unlike the earlier behavior, setting it to 'absent' in the
-# server context will remove this directive entirely from the server stanza, rather than setting a default. Can also be disabled for
-# this server with the string 'off'.
-# [*error_log*] - Where to write error log. May add additional options like error level to the end. May set to 'absent',
-# in which case it will be omitted in this server stanza (and default to nginx.conf setting)
-# [*passenger_cgi_param*] - Allows one to define additional CGI environment variables to pass to the backend application
-# [*passenger_set_header*] - Allows one to set headers to pass to the backend application (Passenger 5.0+)
-# [*passenger_env_var*] - Allows one to set environment variables to pass to the backend application (Passenger 5.0+)
-# [*passenger_pre_start*] - Allows setting a URL to pre-warm the host. Per Passenger docs, the "domain part of the URL" must match
-# a value of server_name. If this is an array, multiple URLs can be specified.
-# [*log_by_lua*] - Run the Lua source code inlined as the at the log request processing phase. This does
-# not replace the current access logs, but runs after.
-# [*log_by_lua_file*] - Equivalent to log_by_lua, except that the file specified by contains the Lua
-# code, or, as from the v0.5.0rc32 release, the Lua/LuaJIT bytecode to be executed.
-# [*gzip_types*] - Defines gzip_types, nginx default is text/html
-# [*gzip_static*] - Defines gzip_static, nginx default is off
-# [*owner*] - Defines owner of the .conf file
-# [*group*] - Defines group of the .conf file
-# [*mode*] - Defines mode of the .conf file
-# [*maintenance*] - A boolean value to set a server in maintenance
-# [*maintenance_value*] - Value to return when maintenance is on. Default to return 503
-# [*error_pages*] - Hash: setup errors pages, hash key is the http code and hash value the page
-# [*locations*] - Hash of location resources used by this server
-# [*locations_defaults*] - Hash of location default settings
-# Actions:
+# @param try_files
+# Specifies the locations for files to be checked as an array. Cannot be used in conjuction with $proxy.
+# @param proxy_cache
+# This directive sets name of zone for caching. The same zone can be used in multiple places.
+# @param proxy_cache_key
+# Override the default proxy_cache_key of $scheme$proxy_host$request_uri
+# @param proxy_cache_use_stale
+# Override the default proxy_cache_use_stale value of off.
+# @param proxy_cache_valid
+# This directive sets the time for caching different replies.
+# @param proxy_cache_lock
+# This directive sets the locking mechanism for pouplating cache.
+# @param proxy_cache_bypass
+# Defines conditions which the response will not be cached
+# @param proxy_method
+# If defined, overrides the HTTP method of the request to be passed to the backend.
+# @param proxy_http_version
+# Sets the proxy http version
+# @param proxy_set_body
+# If defined, sets the body passed to the backend.
+# @param absolute_redirect
+# Enables or disables the absolute redirect functionality of nginx
+# @param auth_basic
+# This directive includes testing name and password with HTTP Basic Authentication.
+# @param auth_basic_user_file
+# This directive sets the htpasswd filename for the authentication realm.
+# @param auth_request
+# This allows you to specify a custom auth endpoint
+# @param client_max_body_size
+# This directive sets client_max_body_size.
+# @param client_body_timeout
+# Sets how long the server will wait for a client body. Default is 60s
+# @param client_header_timeout
+# Sets how long the server will wait for a client header. Default is 60s
+# @param raw_prepend
+# A single string, or an array of strings to prepend to the server directive
+# (after cfg prepend directives). NOTE: YOU are responsible for a semicolon
+# on each line that requires one.
+# @param raw_append
+# A single string, or an array of strings to append to the server directive
+# (after cfg append directives). NOTE: YOU are responsible for a semicolon on
+# each line that requires one.
+# @param location_raw_prepend
+# A single string, or an array of strings to prepend to the location
+# directive (after custom_cfg directives). NOTE: YOU are responsible for a
+# semicolon on each line that requires one.
+# @param location_raw_append
+# A single string, or an array of strings to append to the location directive
+# (after custom_cfg directives). NOTE: YOU are responsible for a semicolon on
+# each line that requires one.
+# @param server_cfg_append
+# It expects a hash with custom directives to put after everything else inside server
+# @param server_cfg_prepend
+# It expects a hash with custom directives to put before everything else inside server
+# @param server_cfg_ssl_append
+# It expects a hash with custom directives to put after everything else inside server ssl
+# @param server_cfg_ssl_prepend
+# It expects a hash with custom directives to put before everything else inside server ssl
+# @param include_files
+# Adds include files to server
+# @param access_log
+# Where to write access log (log format can be set with $format_log). This
+# can be either a string or an array; in the latter case, multiple lines will
+# be created. Additionally, unlike the earlier behavior, setting it to
+# 'absent' in the server context will remove this directive entirely from the
+# server stanza, rather than setting a default. Can also be disabled for this
+# server with the string 'off'.
+# @param error_log
+# Where to write error log. May add additional options like error level to
+# the end. May set to 'absent', in which case it will be omitted in this
+# server stanza (and default to nginx.conf setting)
+# @param passenger_cgi_param
+# Allows one to define additional CGI environment variables to pass to the backend application
+# @param passenger_set_header
+# Allows one to set headers to pass to the backend application (Passenger 5.0+)
+# @param passenger_env_var
+# Allows one to set environment variables to pass to the backend application (Passenger 5.0+)
+# @param passenger_pre_start
+# Allows setting a URL to pre-warm the host. Per Passenger docs, the "domain
+# part of the URL" must match a value of server_name. If this is an array,
+# multiple URLs can be specified.
+# @param log_by_lua
+# Run the Lua source code inlined as the at the log request
+# processing phase. This does not replace the current access logs, but runs
+# after.
+# @param log_by_lua_file +# Equivalent to log_by_lua, except that the file specified by +# contains the Lua code, or, as from the v0.5.0rc32 +# release, the Lua/LuaJIT bytecode to be executed. +# @param gzip_types +# Defines gzip_types, nginx default is text/html +# @param gzip_static +# Defines gzip_static, nginx default is off +# @param owner +# Defines owner of the .conf file +# @param group +# Defines group of the .conf file +# @param mode +# Defines mode of the .conf file +# @param maintenance +# A boolean value to set a server in maintenance +# @param maintenance_value +# Value to return when maintenance is on. +# @param error_pages +# Setup errors pages, hash key is the http code and hash value the page +# @param locations +# Hash of location resources used by this server +# @param locations_defaults +# Hash of location default settings # -# Requires: +# @example +# nginx::resource::server { 'test2.local': +# ensure => present, +# www_root => '/var/www/nginx-default', +# ssl => true, +# ssl_cert => '/tmp/server.crt', +# ssl_key => '/tmp/server.pem', +# } # -# Sample Usage: -# nginx::resource::server { 'test2.local': -# ensure => present, -# www_root => '/var/www/nginx-default', -# ssl => true, -# ssl_cert => '/tmp/server.crt', -# ssl_key => '/tmp/server.pem', -# } define nginx::resource::server ( Enum['absent', 'present'] $ensure = 'present', Variant[Array, String] $listen_ip = '*', Integer $listen_port = 80, Optional[String] $listen_options = undef, Boolean $listen_unix_socket_enable = false, Variant[Array[Stdlib::Absolutepath], Stdlib::Absolutepath] $listen_unix_socket = '/var/run/nginx.sock', Optional[String] $listen_unix_socket_options = undef, Optional[Enum['any', 'all']] $location_satisfy = undef, Array $location_allow = [], Array $location_deny = [], Boolean $ipv6_enable = false, Variant[Array, String] $ipv6_listen_ip = '::', Integer $ipv6_listen_port = 80, String $ipv6_listen_options = 'default ipv6only=on', Hash $add_header = {}, Boolean $ssl = 
false, Boolean $ssl_listen_option = true, Optional[Variant[String, Boolean]] $ssl_cert = undef, Optional[String] $ssl_client_cert = undef, String $ssl_verify_client = 'on', Optional[String] $ssl_dhparam = undef, Optional[String] $ssl_ecdh_curve = undef, Boolean $ssl_redirect = false, Optional[Integer] $ssl_redirect_port = undef, Optional[Variant[String, Boolean]] $ssl_key = undef, Integer $ssl_port = 443, Optional[Enum['on', 'off']] $ssl_prefer_server_ciphers = undef, Optional[String] $ssl_protocols = undef, Optional[String] $ssl_buffer_size = undef, Optional[String] $ssl_ciphers = undef, Optional[String] $ssl_cache = undef, Optional[String] $ssl_crl = undef, Boolean $ssl_stapling = false, Optional[String] $ssl_stapling_file = undef, Optional[String] $ssl_stapling_responder = undef, Boolean $ssl_stapling_verify = false, Optional[String] $ssl_session_timeout = undef, Optional[Enum['on', 'off']] $ssl_session_tickets = undef, Optional[String] $ssl_session_ticket_key = undef, Optional[String] $ssl_trusted_cert = undef, Optional[Integer] $ssl_verify_depth = undef, Optional[Stdlib::Absolutepath] $ssl_password_file = undef, Enum['on', 'off'] $spdy = $nginx::spdy, Enum['on', 'off'] $http2 = $nginx::http2, Optional[String] $proxy = undef, Optional[String] $proxy_redirect = undef, String $proxy_read_timeout = $nginx::proxy_read_timeout, String $proxy_send_timeout = $nginx::proxy_send_timeout, $proxy_connect_timeout = $nginx::proxy_connect_timeout, Array[String] $proxy_set_header = $nginx::proxy_set_header, Array[String] $proxy_hide_header = $nginx::proxy_hide_header, Array[String] $proxy_pass_header = $nginx::proxy_pass_header, Optional[String] $proxy_cache = undef, Optional[String] $proxy_cache_key = undef, Optional[String] $proxy_cache_use_stale = undef, Optional[Variant[Array[String], String]] $proxy_cache_valid = undef, Optional[Enum['on', 'off']] $proxy_cache_lock = undef, Optional[Variant[Array[String], String]] $proxy_cache_bypass = undef, Optional[String] 
$proxy_method = undef, Optional[String] $proxy_http_version = undef, Optional[String] $proxy_set_body = undef, Optional[String] $proxy_buffering = undef, Optional[String] $proxy_request_buffering = undef, Optional[Nginx::Size] $proxy_max_temp_file_size = undef, Optional[Nginx::Size] $proxy_busy_buffers_size = undef, Array $resolver = [], Optional[String] $fastcgi = undef, Optional[String] $fastcgi_index = undef, $fastcgi_param = undef, String $fastcgi_params = "${nginx::conf_dir}/fastcgi.conf", Optional[String] $fastcgi_script = undef, Optional[String] $uwsgi = undef, String $uwsgi_params = "${nginx::config::conf_dir}/uwsgi_params", Optional[String] $uwsgi_read_timeout = undef, Array $index_files = [ 'index.html', 'index.htm', 'index.php', ], Optional[String] $autoindex = undef, Optional[Enum['on', 'off']] $autoindex_exact_size = undef, Optional[Enum['html', 'xml', 'json', 'jsonp']] $autoindex_format = undef, Optional[Enum['on', 'off']] $autoindex_localtime = undef, Array[String] $server_name = [$name], Optional[String] $www_root = undef, Boolean $rewrite_www_to_non_www = false, Boolean $rewrite_non_www_to_www = false, Optional[Hash] $location_custom_cfg = undef, Optional[Hash] $location_cfg_prepend = undef, Optional[Hash] $location_cfg_append = undef, Optional[Hash] $location_custom_cfg_prepend = undef, Optional[Hash] $location_custom_cfg_append = undef, Optional[Array[String]] $try_files = undef, Optional[Enum['on', 'off']] $absolute_redirect = undef, Optional[String] $auth_basic = undef, Optional[String] $auth_basic_user_file = undef, Optional[String] $auth_request = undef, Optional[String] $client_body_timeout = undef, Optional[String] $client_header_timeout = undef, $client_max_body_size = undef, Optional[Variant[Array[String], String]] $raw_prepend = undef, Optional[Variant[Array[String], String]] $raw_append = undef, Optional[Variant[Array[String], String]] $location_raw_prepend = undef, Optional[Variant[Array[String], String]] $location_raw_append = undef, 
Optional[Hash] $server_cfg_prepend = undef, Optional[Hash] $server_cfg_append = undef, Optional[Hash] $server_cfg_ssl_prepend = undef, Optional[Hash] $server_cfg_ssl_append = undef, Optional[Array[String]] $include_files = undef, Optional[Variant[String, Array]] $access_log = undef, Optional[Variant[String, Array]] $error_log = undef, $format_log = 'combined', Optional[Hash] $passenger_cgi_param = undef, Optional[Hash] $passenger_set_header = undef, Optional[Hash] $passenger_env_var = undef, Optional[Variant[Array[String], String]] $passenger_pre_start = undef, Optional[String] $log_by_lua = undef, Optional[String] $log_by_lua_file = undef, $use_default_location = true, $rewrite_rules = [], $string_mappings = {}, $geo_mappings = {}, Optional[String] $gzip_types = undef, Optional[String] $gzip_static = undef, String $owner = $nginx::global_owner, String $group = $nginx::global_group, String $mode = $nginx::global_mode, Boolean $maintenance = false, String $maintenance_value = 'return 503', $error_pages = undef, Hash $locations = {}, Hash $locations_defaults = {}, ) { if ! defined(Class['nginx']) { fail('You must include the nginx base class before using any defined resources') } if $rewrite_www_to_non_www == true and $rewrite_non_www_to_www == true { fail('You must not set both $rewrite_www_to_non_www and $rewrite_non_www_to_www to true') } # Variables if $nginx::confd_only { $server_dir = "${nginx::conf_dir}/conf.d" } else { $server_dir = "${nginx::conf_dir}/sites-available" $server_enable_dir = "${nginx::conf_dir}/sites-enabled" $server_symlink_ensure = $ensure ? { 'absent' => absent, default => 'link', } } $name_sanitized = regsubst($name, ' ', '_', 'G') $config_file = "${server_dir}/${name_sanitized}.conf" File { ensure => $ensure ? 
{ 'absent' => absent, default => 'file', }, notify => Class['nginx::service'], owner => $owner, group => $group, mode => $mode, } # Add IPv6 Logic Check - Nginx service will not start if ipv6 is enabled # and support does not exist for it in the kernel. if $ipv6_enable and !$ipv6_listen_ip { warning('nginx: IPv6 support is not enabled or configured properly') } # Check to see if SSL Certificates are properly defined. if $ssl { if $ssl_cert == undef { fail('nginx: ssl_cert must be set to false or to a fully qualified path') } if $ssl_key == undef { fail('nginx: ssl_key must be set to false or to a fully qualified path') } } # Try to error in the case where the user sets ssl_port == listen_port but # doesn't set ssl = true if !$ssl and $ssl_port == $listen_port { warning('nginx: ssl must be true if listen_port is the same as ssl_port') } concat { $config_file: ensure => $ensure, owner => $owner, group => $group, mode => $mode, notify => Class['nginx::service'], require => File[$server_dir], tag => 'nginx_config_file', } # This deals with a situation where the listen directive for SSL doesn't match # the port we want to force the SSL redirect to. if $ssl_redirect_port { $_ssl_redirect_port = $ssl_redirect_port } elsif $ssl_port { $_ssl_redirect_port = $ssl_port } # Suppress unneeded stuff in non-SSL location block when certain conditions are # met. 
$ssl_only = ($ssl and $ssl_port == $listen_port) or $ssl_redirect # If we're redirecting to SSL, the default location block is useless, *unless* # SSL is enabled for this server # either and ssl -> true # ssl redirect and no ssl -> false if (!$ssl_redirect or $ssl) and $use_default_location { # Create the default location reference for the server nginx::resource::location { "${name_sanitized}-default": ensure => $ensure, server => $name_sanitized, ssl => $ssl, ssl_only => $ssl_only, location => '/', location_satisfy => $location_satisfy, location_allow => $location_allow, location_deny => $location_deny, proxy => $proxy, proxy_redirect => $proxy_redirect, proxy_read_timeout => $proxy_read_timeout, proxy_send_timeout => $proxy_send_timeout, proxy_connect_timeout => $proxy_connect_timeout, proxy_cache => $proxy_cache, proxy_cache_key => $proxy_cache_key, proxy_cache_use_stale => $proxy_cache_use_stale, proxy_cache_valid => $proxy_cache_valid, proxy_method => $proxy_method, proxy_http_version => $proxy_http_version, proxy_set_header => $proxy_set_header, proxy_hide_header => $proxy_hide_header, proxy_pass_header => $proxy_pass_header, proxy_cache_lock => $proxy_cache_lock, proxy_set_body => $proxy_set_body, proxy_cache_bypass => $proxy_cache_bypass, proxy_buffering => $proxy_buffering, proxy_request_buffering => $proxy_request_buffering, proxy_busy_buffers_size => $proxy_busy_buffers_size, proxy_max_temp_file_size => $proxy_max_temp_file_size, fastcgi => $fastcgi, fastcgi_index => $fastcgi_index, fastcgi_param => $fastcgi_param, fastcgi_params => $fastcgi_params, fastcgi_script => $fastcgi_script, uwsgi => $uwsgi, uwsgi_params => $uwsgi_params, uwsgi_read_timeout => $uwsgi_read_timeout, try_files => $try_files, www_root => $www_root, autoindex => $autoindex, autoindex_exact_size => $autoindex_exact_size, autoindex_format => $autoindex_format, autoindex_localtime => $autoindex_localtime, index_files => $index_files, location_custom_cfg => $location_custom_cfg, 
location_cfg_prepend => $location_cfg_prepend, location_cfg_append => $location_cfg_append, location_custom_cfg_prepend => $location_custom_cfg_prepend, location_custom_cfg_append => $location_custom_cfg_append, rewrite_rules => $rewrite_rules, raw_prepend => $location_raw_prepend, raw_append => $location_raw_append, notify => Class['nginx::service'], } $root = undef } else { $root = $www_root } # Only try to manage these files if they're the default one (as you presumably # usually don't want the default template if you're using a custom file. if $fastcgi != undef and !defined(File[$fastcgi_params]) and $fastcgi_params == "${nginx::conf_dir}/fastcgi.conf" { file { $fastcgi_params: ensure => file, mode => $nginx::global_mode, content => template('nginx/server/fastcgi.conf.erb'), } } if $uwsgi != undef and !defined(File[$uwsgi_params]) and $uwsgi_params == "${nginx::conf_dir}/uwsgi_params" { file { $uwsgi_params: ensure => file, mode => $nginx::global_mode, content => template('nginx/server/uwsgi_params.erb'), } } if $listen_port != $ssl_port { concat::fragment { "${name_sanitized}-header": target => $config_file, content => template('nginx/server/server_header.erb'), order => '001', } # Create a proper file close stub. 
concat::fragment { "${name_sanitized}-footer": target => $config_file, content => template('nginx/server/server_footer.erb'), order => '699', } } # Create SSL File Stubs if SSL is enabled if $ssl { # Access and error logs are named differently in ssl template File <| title == $ssl_cert or path == $ssl_cert or title == $ssl_key or path == $ssl_key |> -> concat::fragment { "${name_sanitized}-ssl-header": target => $config_file, content => template('nginx/server/server_ssl_header.erb'), order => '700', } concat::fragment { "${name_sanitized}-ssl-footer": target => $config_file, content => template('nginx/server/server_ssl_footer.erb'), order => '999', } } unless $nginx::confd_only { file { "${name_sanitized}.conf symlink": ensure => $server_symlink_ensure, path => "${server_enable_dir}/${name_sanitized}.conf", target => $config_file, require => [File[$server_dir], Concat[$config_file]], notify => Class['nginx::service'], } } create_resources('::nginx::resource::map', $string_mappings) create_resources('::nginx::resource::geo', $geo_mappings) create_resources('::nginx::resource::location', $locations, { ensure => $ensure, server => $name_sanitized, ssl => $ssl, ssl_only => $ssl_only, www_root => $www_root, } + $locations_defaults) } diff --git a/manifests/resource/snippet.pp b/manifests/resource/snippet.pp index f540890..7b871e0 100644 --- a/manifests/resource/snippet.pp +++ b/manifests/resource/snippet.pp 
@@ -1,38 +1,43 @@ -# This definition creates a reusable config snippet that can be included by other resources +# @summary Create a reusable config snippet that can be included by other resources +# +# @param ensure +# Enables or disables the specified snippet +# @param owner +# Defines owner of the .conf file +# @param group +# Defines group of the .conf file +# @param mode +# Defines mode of the .conf file +# @param raw_content +# Raw content that will be inserted into the snipped as-is # -# @param ensure Enables or disables the specified snippet -# @param owner Defines owner of the .conf file -# @param group Defines group of the .conf file -# @param mode Defines mode of the .conf file -# @param raw_content Raw content that will be inserted into the snipped as-is - define nginx::resource::snippet ( String[1] $raw_content, Enum['absent', 'present'] $ensure = 'present', String $owner = $nginx::global_owner, String $group = $nginx::global_group, Stdlib::Filemode $mode = $nginx::global_mode, ) { if ! defined(Class['nginx']) { fail('You must include the nginx base class before using any defined resources') } $name_sanitized = regsubst($name, ' ', '_', 'G') $config_file = "${nginx::snippets_dir}/${name_sanitized}.conf" concat { $config_file: ensure => $ensure, owner => $owner, group => $group, mode => $mode, notify => Class['nginx::service'], require => File[$nginx::snippets_dir], tag => 'nginx_config_file', } concat::fragment { "snippet-${name_sanitized}-header": target => $config_file, content => epp("${module_name}/snippet/snippet_header.epp", { 'raw_content' => $raw_content }), order => '001', } } diff --git a/manifests/resource/streamhost.pp b/manifests/resource/streamhost.pp index be2a8e2..ddba8a9 100644 --- a/manifests/resource/streamhost.pp +++ b/manifests/resource/streamhost.pp 
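Review bot: The new `@param raw_content` description misspells "snippet" as "snipped" and should state that the value is written into the nginx configuration verbatim — the `String[1]` type only rejects an empty string, so whatever directives `raw_content` carries become live server configuration and callers must treat it as trusted input. Suggested wording: `+# Raw content that will be inserted into the snippet as-is. No validation is performed; only pass trusted configuration.` Relatedly (pre-existing, not introduced here), `$name_sanitized` only replaces spaces, so a resource title containing `/` or `..` would place `$config_file` outside `$nginx::snippets_dir`; if titles can come from Hiera, a `fail()` on such titles, or at least a doc caveat, seems worthwhile.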
@@ -1,121 +1,124 @@
-# define: nginx::resource::streamhost
+# @summary Create a virtual steamhost
 #
-# This definition creates a virtual host
+# @param ensure
+# Enables or disables the specified streamhost
+# @param listen_ip
+# Default IP Address for NGINX to listen with this streamhost on. Defaults to
+# all interfaces (*)
+# @param listen_port
+# Default TCP Port for NGINX to listen with this streamhost on.
+# @param listen_options
+# Extra options for listen directive like 'default' to catchall.
+# @param ipv6_enable
+# Value to enable/disable IPv6 support Module will check to see if IPv6
+# support exists on your system before enabling.
+# @param ipv6_listen_ip
+# Default IPv6 Address for NGINX to listen with this streamhost on. Defaults
+# to all interfaces (::)
+# @param ipv6_listen_port
+# Default IPv6 Port for NGINX to listen with this streamhost on.
+# @param ipv6_listen_options
+# Extra options for listen directive like 'default' to catchall. Template
+# will allways add ipv6only=on. While issue jfryman/puppet-nginx#30 is
+# discussed, default value is 'default'.
+# @param proxy
+# Proxy server(s) for the root location to connect to. Accepts a single
+# value, can be used in conjunction with nginx::resource::upstream
+# @param proxy_read_timeout
+# Override the default the proxy read timeout value of 90 seconds
+# @param resolver
+# Configures name servers used to resolve names of upstream servers into
+# addresses.
+# @param raw_prepend
+# A single string, or an array of strings to prepend to the server directive
+# (after cfg prepend directives). NOTE: YOU are responsible for a semicolon
+# on each line that requires one.
+# @param raw_append
+# A single string, or an array of strings to append to the server directive
+# (after cfg append directives). NOTE: YOU are responsible for a semicolon on
+# each line that requires one.
+# @param owner
+# Defines owner of the .conf file
+# @param group
+# Defines group of the .conf file
+# @param mode
+# Defines mode of the .conf file Default to return 503
 #
-# Parameters:
-# [*ensure*] - Enables or disables the specified streamhost
-# (present|absent)
-# [*listen_ip*] - Default IP Address for NGINX to listen with this
-# streamhost on. Defaults to all interfaces (*)
-# [*listen_port*] - Default IP Port for NGINX to listen with this
-# streamhost on. Defaults to TCP 80
-# [*listen_options*] - Extra options for listen directive like
-# 'default' to catchall. Undef by default.
-# [*ipv6_enable*] - BOOL value to enable/disable IPv6 support
-# (false|true). Module will check to see if IPv6 support exists on your
-# system before enabling.
-# [*ipv6_listen_ip*] - Default IPv6 Address for NGINX to listen with
-# this streamhost on. Defaults to all interfaces (::)
-# [*ipv6_listen_port*] - Default IPv6 Port for NGINX to listen with this
-# streamhost on. Defaults to TCP 80
-# [*ipv6_listen_options*] - Extra options for listen directive like 'default'
-# to catchall. Template will allways add ipv6only=on. While issue
-# jfryman/puppet-nginx#30 is discussed, default value is 'default'.
-# [*proxy*] - Proxy server(s) for the root location to connect
-# to. Accepts a single value, can be used in conjunction with
-# nginx::resource::upstream
-# [*proxy_read_timeout*] - Override the default the proxy read timeout value
-# of 90 seconds
-# [*resolver*] - Array: Configures name servers used to resolve
-# names of upstream servers into addresses.
-# [*raw_prepend*] - A single string, or an array of strings to
-# prepend to the server directive (after cfg prepend directives). NOTE:
-# YOU are responsible for a semicolon on each line that requires one.
-# [*raw_append*] - A single string, or an array of strings to
-# append to the server directive (after cfg append directives). NOTE:
-# YOU are responsible for a semicolon on each line that requires one.
-# [*owner*] - Defines owner of the .conf file -# [*group*] - Defines group of the .conf file -# [*mode*] - Defines mode of the .conf file -# Default to return 503 -# Actions: +# @example +# nginx::resource::streamhost { 'test2.local': +# ensure => present, +# } # -# Requires: -# -# Sample Usage: -# nginx::resource::streamhost { 'test2.local': -# ensure => present, -# } define nginx::resource::streamhost ( Enum['absent', 'present'] $ensure = 'present', Variant[Array, String] $listen_ip = '*', Integer $listen_port = 80, Optional[String] $listen_options = undef, Boolean $ipv6_enable = false, Variant[Array, String] $ipv6_listen_ip = '::', Integer $ipv6_listen_port = 80, String $ipv6_listen_options = 'default ipv6only=on', $proxy = undef, String $proxy_read_timeout = $nginx::proxy_read_timeout, $proxy_connect_timeout = $nginx::proxy_connect_timeout, Array $resolver = [], Variant[Array[String], String] $raw_prepend = [], Variant[Array[String], String] $raw_append = [], String $owner = $nginx::global_owner, String $group = $nginx::global_group, String $mode = $nginx::global_mode, ) { if ! defined(Class['nginx']) { fail('You must include the nginx base class before using any defined resources') } # Variables if $nginx::confd_only { $streamhost_dir = "${nginx::conf_dir}/conf.stream.d" } else { $streamhost_dir = "${nginx::conf_dir}/streams-available" $streamhost_enable_dir = "${nginx::conf_dir}/streams-enabled" $streamhost_symlink_ensure = $ensure ? { 'absent' => absent, default => 'link', } } $name_sanitized = regsubst($name, ' ', '_', 'G') $config_file = "${streamhost_dir}/${name_sanitized}.conf" # Add IPv6 Logic Check - Nginx service will not start if ipv6 is enabled # and support does not exist for it in the kernel. 
if $ipv6_enable and !$facts['networking']['ip6'] { warning('nginx: IPv6 support is not enabled or configured properly') } concat { $config_file: ensure => $ensure, owner => $owner, group => $group, mode => $mode, notify => Class['nginx::service'], require => File[$streamhost_dir], tag => 'nginx_config_file', } concat::fragment { "${name_sanitized}-header": target => $config_file, content => template('nginx/streamhost/streamhost.erb'), order => '001', } unless $nginx::confd_only { file { "${name_sanitized}.conf symlink": ensure => $streamhost_symlink_ensure, path => "${streamhost_enable_dir}/${name_sanitized}.conf", target => $config_file, owner => $owner, group => $group, mode => $mode, require => Concat[$config_file], notify => Class['nginx::service'], } } } diff --git a/manifests/resource/upstream.pp b/manifests/resource/upstream.pp index 82db031..a9a3f27 100644 --- a/manifests/resource/upstream.pp +++ b/manifests/resource/upstream.pp 
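Review bot: The new `@param mode` entry reads `Defines mode of the .conf file Default to return 503`; the trailing `Default to return 503` is a leftover from the old comment block (it described a server `maintenance_value`, which this define has no parameter for) and should be dropped, leaving `+# Defines mode of the .conf file`. The `@summary` line also misspells the resource as `steamhost`. `$proxy_connect_timeout` is a parameter of the define but has no `@param` entry, so puppet-strings will flag it; add `+# @param proxy_connect_timeout` followed by a one-line description such as "Override the default proxy connect timeout". As a point of style, `$proxy` is still untyped while every neighbouring parameter carries a data type; `Optional[String] $proxy = undef` would match the rest of the signature without changing behaviour.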
@@ -1,182 +1,213 @@ -# define: nginx::resource::upstream +# @summary Create a new upstream proxy entry for NGINX # -# This definition creates a new upstream proxy entry for NGINX +# @param ensure +# Enables or disables the specified location +# @param context +# Set the type of this upstream. +# @param members +# Hash of member URIs for NGINX to connect to. Must follow valid NGINX +# syntax. If omitted, individual members should be defined with +# nginx::resource::upstream::member +# @param members_tag +# Restrict collecting the exported members for this upstream with a tag. +# @param member_defaults +# Specify default settings added to each member of this upstream. +# @param hash +# Activate the hash load balancing method +# (https://nginx.org/en/docs/http/ngx_http_upstream_module.html#hash). +# @param ip_hash +# Activate ip_hash for this upstream +# (https://nginx.org/en/docs/http/ngx_http_upstream_module.html#ip_hash). +# @param keepalive +# Set the maximum number of idle keepalive connections +# (https://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive). +# @param keepalive_requests +# Sets the maximum number of requests that can be served through one +# keepalive connection +# (https://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive_requests). +# @param keepalive_timeout +# Sets a timeout during which an idle keepalive connection to an upstream +# server will stay open +# (https://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive_timeout). +# @param least_conn +# Activate the least_conn load balancing method +# (https://nginx.org/en/docs/http/ngx_http_upstream_module.html#least_conn). +# @param least_time +# Activate the least_time load balancing method +# (https://nginx.org/en/docs/http/ngx_http_upstream_module.html#least_time). +# @param ntlm +# Allow NTLM authentication +# (https://nginx.org/en/docs/http/ngx_http_upstream_module.html#ntlm). 
+# @param queue_max +# Set the maximum number of queued requests +# (https://nginx.org/en/docs/http/ngx_http_upstream_module.html#queue). +# @param queue_timeout +# Set the timeout for the queue +# (https://nginx.org/en/docs/http/ngx_http_upstream_module.html#queue). +# @param random +# Activate the random load balancing method +# (https://nginx.org/en/docs/http/ngx_http_upstream_module.html#random). +# @param statefile +# Specifies a file that keeps the state of the dynamically configurable group +# (https://nginx.org/en/docs/http/ngx_http_upstream_module.html#state). +# @param sticky +# Enables session affinity +# (https://nginx.org/en/docs/http/ngx_http_upstream_module.html#sticky). +# @param zone +# Defines the name and optional the size of the shared memory zone +# (https://nginx.org/en/docs/http/ngx_http_upstream_module.html#zone). +# @param cfg_append +# Hash of custom directives to put after other directives in upstream +# @param cfg_prepend +# It expects a hash with custom directives to put before anything else inside +# upstream # -# Parameters: -# [*ensure*] - Enables or disables the specified location (present|absent) -# [*context*] - Set the type of this upstream (http|stream). -# [*members*] - Hash of member URIs for NGINX to connect to. Must follow valid NGINX syntax. -# If omitted, individual members should be defined with nginx::resource::upstream::member -# [*members_tag*] - Restrict collecting the exported members for this upstream with a tag. -# [*member_defaults*] - Specify default settings added to each member of this upstream. -# [*hash*] - Activate the hash load balancing method (https://nginx.org/en/docs/http/ngx_http_upstream_module.html#hash). -# [*ip_hash*] - Activate ip_hash for this upstream (https://nginx.org/en/docs/http/ngx_http_upstream_module.html#ip_hash). -# [*keepalive*] - Set the maximum number of idle keepalive connections (https://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive). 
-# [*keepalive_requests*] - Sets the maximum number of requests that can be served through one keepalive connection (https://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive_requests). -# [*keepalive_timeout*] - Sets a timeout during which an idle keepalive connection to an upstream server will stay open (https://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive_timeout). -# [*least_conn*] - Activate the least_conn load balancing method (https://nginx.org/en/docs/http/ngx_http_upstream_module.html#least_conn). -# [*least_time*] - Activate the least_time load balancing method (https://nginx.org/en/docs/http/ngx_http_upstream_module.html#least_time). -# [*ntlm*] - Allow NTLM authentication (https://nginx.org/en/docs/http/ngx_http_upstream_module.html#ntlm). -# [*queue_max*] - Set the maximum number of queued requests (https://nginx.org/en/docs/http/ngx_http_upstream_module.html#queue). -# [*queue_timeout*] - Set the timeout for the queue (https://nginx.org/en/docs/http/ngx_http_upstream_module.html#queue). -# [*random*] - Activate the random load balancing method (https://nginx.org/en/docs/http/ngx_http_upstream_module.html#random). -# [*statefile*] - Specifies a file that keeps the state of the dynamically configurable group (https://nginx.org/en/docs/http/ngx_http_upstream_module.html#state). -# [*sticky*] - Enables session affinity (https://nginx.org/en/docs/http/ngx_http_upstream_module.html#sticky). -# [*zone*] - Defines the name and optional the size of the shared memory zone (https://nginx.org/en/docs/http/ngx_http_upstream_module.html#zone). 
-# [*cfg_append*] - Hash of custom directives to put after other directives in upstream -# [*cfg_prepend*] - It expects a hash with custom directives to put before anything else inside upstream +# @example +# nginx::resource::upstream { 'proxypass': +# ensure => present, +# members => { +# 'localhost:3001' => { +# server => 'localhost', +# port => 3001, +# }, +# 'localhost:3002' => { +# server => 'localhost', +# port => 3002, +# }, +# 'localhost:3003' => { +# server => 'localhost', +# port => 3003, +# }, +# }, +# } # -# Actions: -# -# Requires: -# -# Sample Usage: -# nginx::resource::upstream { 'proxypass': -# ensure => present, -# members => { -# 'localhost:3001' => { -# server => 'localhost', -# port => 3001, -# }, -# 'localhost:3002' => { -# server => 'localhost', -# port => 3002, -# }, -# 'localhost:3003' => { -# server => 'localhost', -# port => 3003, -# }, -# }, -# } -# -# Custom config example to use ip_hash, and 20 keepalive connections -# create a hash with any extra custom config you want. -# nginx::resource::upstream { 'proxypass': -# ensure => present, -# members => { -# 'localhost:3001' => { -# server => 'localhost', -# port => 3001, -# }, -# 'localhost:3002' => { -# server => 'localhost', -# port => 3002, -# }, -# 'localhost:3003' => { -# server => 'localhost', -# port => 3003, -# }, -# }, -# ip_hash => true, -# keepalive => 20, -# } +# @example Custom config example to use ip_hash, and 20 keepalive connections create a hash with any extra custom config you want. 
+# nginx::resource::upstream { 'proxypass': +# ensure => present, +# members => { +# 'localhost:3001' => { +# server => 'localhost', +# port => 3001, +# }, +# 'localhost:3002' => { +# server => 'localhost', +# port => 3002, +# }, +# 'localhost:3003' => { +# server => 'localhost', +# port => 3003, +# }, +# }, +# ip_hash => true, +# keepalive => 20, +# } # define nginx::resource::upstream ( Enum['present', 'absent'] $ensure = 'present', Enum['http', 'stream'] $context = 'http', Nginx::UpstreamMembers $members = {}, Optional[String[1]] $members_tag = undef, Nginx::UpstreamMemberDefaults $member_defaults = {}, Optional[String[1]] $hash = undef, Boolean $ip_hash = false, Optional[Integer[1]] $keepalive = undef, Optional[Integer[1]] $keepalive_requests = undef, Optional[Nginx::Time] $keepalive_timeout = undef, Boolean $least_conn = false, Optional[Nginx::UpstreamLeastTime] $least_time = undef, Boolean $ntlm = false, Optional[Integer] $queue_max = undef, Optional[Nginx::Time] $queue_timeout = undef, Optional[String[1]] $random = undef, Optional[Stdlib::Unixpath] $statefile = undef, Optional[Nginx::UpstreamSticky] $sticky = undef, Optional[Nginx::UpstreamZone] $zone = undef, Nginx::UpstreamCustomParameters $cfg_append = {}, Nginx::UpstreamCustomParameters $cfg_prepend = {}, ) { if ! defined(Class['nginx']) { fail('You must include the nginx base class before using any defined resources') } if $least_time { if $context == 'http' and ! ($least_time =~ Nginx::UpstreamLeastTimeHttp) { fail('The parameter "least_time" does not match the datatype "Nginx::UpstreamLeastTimeHttp"') } if $context == 'stream' and ! ($least_time =~ Nginx::UpstreamLeastTimeStream) { fail('The parameter "least_time" does not match the datatype "Nginx::UpstreamLeastTimeStream"') } } $conf_dir = $context ? 
{ 'stream' => "${nginx::config::conf_dir}/conf.stream.d", default => "${nginx::config::conf_dir}/conf.d", } Concat { owner => 'root', group => $nginx::root_group, mode => $nginx::global_mode, } concat { "${conf_dir}/${name}-upstream.conf": ensure => $ensure, notify => Class['nginx::service'], require => File[$conf_dir], tag => 'nginx_config_file', } concat::fragment { "${name}_upstream_header": target => "${conf_dir}/${name}-upstream.conf", order => '10', content => epp('nginx/upstream/upstream_header.epp', { cfg_prepend => $cfg_prepend, name => $name, }), } if ! empty($members) { $members.each |$member,$values| { $member_values = merge($member_defaults,$values,{ 'upstream' => $name,'context' => $context }) if $context == 'stream' and $member_values['route'] { fail('The parameter "route" is not available for upstreams with context "stream"') } if $context == 'stream' and $member_values['state'] and $member_values['state'] == 'drain' { fail('The state "drain" is not available for upstreams with context "stream"') } nginx::resource::upstream::member { $member: * => $member_values, } } } else { # Collect exported members: if $members_tag { Nginx::Resource::Upstream::Member <<| upstream == $name and tag == $members_tag |>> } else { Nginx::Resource::Upstream::Member <<| upstream == $name |>> } } concat::fragment { "${name}_upstream_footer": target => "${conf_dir}/${name}-upstream.conf", order => '90', content => epp('nginx/upstream/upstream_footer.epp', { cfg_append => $cfg_append, hash => $hash, ip_hash => $ip_hash, keepalive => $keepalive, keepalive_requests => $keepalive_requests, keepalive_timeout => $keepalive_timeout, least_conn => $least_conn, least_time => $least_time, ntlm => $ntlm, queue_max => $queue_max, queue_timeout => $queue_timeout, random => $random, statefile => $statefile, sticky => $sticky, zone => $zone, }), } } diff --git a/manifests/resource/upstream/member.pp b/manifests/resource/upstream/member.pp index 1baa040..a9ce6a4 100644 
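Review bot: The new `@param members_tag` text ("Restrict collecting the exported members for this upstream with a tag") should say what the tag does and does not guarantee, because the collector `Nginx::Resource::Upstream::Member <<| upstream == $name and tag == $members_tag |>>` matches on values the exporting node chooses itself, so any node permitted to export resources can attach itself to this upstream by exporting the same `upstream` name and tag. A sentence such as `# Only exports carrying this tag are collected; the tag is chosen by the exporting node, so it narrows the selection but does not authenticate it` would make that explicit for operators who rely on it. Minor style point in the `$members.each` loop: `$member_values['state'] and $member_values['state'] == 'drain'` can be written as `$member_values['state'] == 'drain'`, since comparing undef with a string is simply false.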
--- a/manifests/resource/upstream/member.pp
+++ b/manifests/resource/upstream/member.pp
@@ -1,104 +1,112 @@ -# Define: nginx::resources::upstream::member +# @summary Create an upstream member inside the upstream block. # -# Creates an upstream member inside the upstream block. Export this resource -# in all upstream member servers and collect them on the NGINX server. +# Export this resource in all upstream member servers and collect them on the +# NGINX server. Exporting resources requires storeconfigs on the Puppetserver +# to export and collect resources # +# @param upstream +# The name of the upstream resource +# @param ensure +# Enables or disables the specified member +# @param context +# Set the type of this upstream +# @param server +# Hostname or IP of the upstream member server +# @param port +# Port of the listening service on the upstream member +# @param weight +# Set the weight for this upstream member +# @param max_conns +# Set the max_conns for this upstream member +# @param max_fails +# Set the max_fails for this upstream member +# @param fail_timeout +# Set the fail_timeout for this upstream member +# @param backup +# Activate backup for this upstream member +# @param resolve +# Activate resolve for this upstream member +# @param route +# Set the route for this upstream member +# @param service +# Set the service for this upstream member +# @param slow_start +# Set the slow_start for this upstream member +# @param state +# Set the state for this upstream member +# @param params_prepend +# prepend a parameter for this upstream member +# @param params_append +# append a paremeter for this upstream member +# @param comment +# Add a comment for this upstream member # -# Requirements: -# Requires storeconfigs on the Puppet Master to export and collect resources -# -# -# Parameters: -# [*upstream*] - The name of the upstream resource -# [*ensure*] - Enables or disables the specified member (present|absent) -# [*context*] - Set the type of this upstream (http|stream). 
-# [*server*] - Hostname or IP of the upstream member server -# [*port*] - Port of the listening service on the upstream member -# [*weight*] - Set the weight for this upstream member -# [*max_conns*] - Set the max_conns for this upstream member -# [*max_fails*] - Set the max_fails for this upstream member -# [*fail_timeout*] - Set the fail_timeout for this upstream member -# [*backup*] - Activate backup for this upstream member -# [*resolve*] - Activate resolve for this upstream member -# [*route*] - Set the route for this upstream member -# [*service*] - Set the service for this upstream member -# [*slow_start*] - Set the slow_start for this upstream member -# [*state*] - Set the state for this upstream member -# [*params_prepend*] - prepend a parameter for this upstream member -# [*params_append*] - append a paremeter for this upstream member -# [*comment*] - Add a comment for this upstream member -# -# Examples: -# -# Exporting the resource on a upstream member server: -# +# @example Exporting the resource on a upstream member server: # @@nginx::resource::upstream::member { $trusted['certname']: # ensure => present, # upstream => 'proxypass', # server => $facts['networking']['ip'], # port => 3000, # } # -# -# Collecting the resource on the NGINX server: -# +# @example Collecting the resource on the NGINX server: # nginx::resource::upstream { 'proxypass': # ensure => present, # } # define nginx::resource::upstream::member ( String[1] $upstream, Enum['present', 'absent'] $ensure = 'present', Enum['http', 'stream'] $context = 'http', Optional[Nginx::UpstreamMemberServer] $server = $name, Stdlib::Port $port = 80, Optional[Integer[1]] $weight = undef, Optional[Integer[1]] $max_conns = undef, Optional[Integer[0]] $max_fails = undef, Optional[Nginx::Time] $fail_timeout = undef, Boolean $backup = false, Boolean $resolve = false, Optional[String[1]] $route = undef, Optional[String[1]] $service = undef, Optional[Nginx::Time] $slow_start = undef, 
Optional[Enum['drain','down']] $state = undef, Optional[String[1]] $params_prepend = undef, Optional[String[1]] $params_append = undef, Optional[String[1]] $comment = undef, ) { if ! defined(Class['nginx']) { fail('You must include the nginx base class before using any defined resources') } $conf_dir = $context ? { 'stream' => "${nginx::config::conf_dir}/conf.stream.d", default => "${nginx::config::conf_dir}/conf.d", } $_server = $server ? { Pattern[/^unix:\/([^\/\0]+\/*)*$/] => $server, Stdlib::IP::Address::V6 => "[${server}]:${port}", #lint:ignore:unquoted_string_in_selector default => "${server}:${port}", } concat::fragment { "${upstream}_upstream_member_${name}": target => "${conf_dir}/${upstream}-upstream.conf", order => 40, content => epp('nginx/upstream/upstream_member.epp', { server => $_server, backup => $backup, comment => $comment, fail_timeout => $fail_timeout, max_conns => $max_conns, max_fails => $max_fails, params_append => $params_append, params_prepend => $params_prepend, resolve => $resolve, route => $route, service => $service, slow_start => $slow_start, state => $state, weight => $weight, }), } } diff --git a/spec/defines/resource_mailhost_spec.rb b/spec/defines/resource_mailhost_spec.rb index f6812e5..4011a49 100644 --- a/spec/defines/resource_mailhost_spec.rb +++ b/spec/defines/resource_mailhost_spec.rb 
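Review bot: The stream-context restrictions that nginx::resource::upstream enforces in its `$members.each` loop (`route` rejected, `state => 'drain'` rejected) are absent from this define, so a member that reaches it through the exported-resource path the summary recommends is never checked and the directive lands in the stream upstream config. Since `$context`, `$route` and `$state` are all parameters here, the same two guards belong in this body after the `defined(Class['nginx'])` check, which is where the rewrite below places them. The `@param server` text also understates the accepted values: the `$_server` selector passes a `unix:` path through unchanged and drops `$port`, so `# Hostname, IP address or unix: socket path of the upstream member; $port is ignored for unix: sockets` would be more accurate.

```puppet
  # … unchanged: defined(Class['nginx']) guard …

  if $context == 'stream' and $route {
    fail('The parameter "route" is not available for upstreams with context "stream"')
  }

  if $context == 'stream' and $state == 'drain' {
    fail('The state "drain" is not available for upstreams with context "stream"')
  }

  # … unchanged: $conf_dir selector, $_server selector and concat::fragment …
```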
@@ -1,764 +1,764 @@ require 'spec_helper' describe 'nginx::resource::mailhost' do on_supported_os.each do |os, facts| context "on #{os} with Facter #{facts[:facterversion]} and Puppet #{facts[:puppetversion]}" do let(:facts) do facts end let(:title) { 'www.rspec.example.com' } let :default_params do { listen_port: 25, ipv6_enable: true } end let(:pre_condition) { ['include ::nginx'] } describe 'os-independent items' do describe 'basic assumptions' do let(:params) { default_params } it { is_expected.to contain_class('nginx') } it { is_expected.to contain_concat("/etc/nginx/conf.mail.d/#{title}.conf").that_requires('File[/etc/nginx/conf.mail.d]') } it do is_expected.to contain_concat("/etc/nginx/conf.mail.d/#{title}.conf").with('owner' => 'root', 'group' => 'root', 'mode' => '0644') end it { is_expected.to contain_concat__fragment("#{title}-header") } it { is_expected.not_to contain_concat__fragment("#{title}-ssl") } end describe 'absent assumption' do let(:params) { default_params.merge('ensure'.to_sym => 'absent') } it { is_expected.to contain_class('nginx') } it { is_expected.to contain_concat("/etc/nginx/conf.mail.d/#{title}.conf").with('ensure' => 'absent') } end describe 'mailhost template content' do [ { title: 'should set the IPv4 listen IP', attr: 'listen_ip', value: '127.0.0.1', match: ' listen 127.0.0.1:25;' }, { title: 'should set the IPv4 listen port', attr: 'listen_port', value: 45, match: ' listen *:45;' }, { title: 'should set the IPv4 listen options', attr: 'listen_options', value: 'spdy default', match: ' listen *:25 spdy default;' }, { title: 'should enable IPv6', attr: 'ipv6_enable', value: true, match: ' listen [::]:80 default ipv6only=on;' }, { title: 'should not enable IPv6', attr: 'ipv6_enable', value: false, notmatch: %r{ listen \[::\]:80 default ipv6only=on;} }, { title: 'should set the IPv6 listen IP', attr: 'ipv6_listen_ip', value: '2001:0db8:85a3:0000:0000:8a2e:0370:7334', match: ' listen [2001:0db8:85a3:0000:0000:8a2e:0370:7334]:80 
default ipv6only=on;' }, { title: 'should set the IPv6 listen port', attr: 'ipv6_listen_port', value: 45, match: ' listen [::]:45 default ipv6only=on;' }, { title: 'should set the IPv6 listen options', attr: 'ipv6_listen_options', value: 'spdy', match: ' listen [::]:80 spdy;' }, { title: 'should set servername(s)', attr: 'server_name', value: %w[name1 name2], match: ' server_name name1 name2;' }, { title: 'should set protocol', attr: 'protocol', - value: 'test-protocol', - match: ' protocol test-protocol;' + value: 'imap', + match: ' protocol imap;' }, { title: 'should set xclient', attr: 'xclient', - value: 'test-xclient', - match: ' xclient test-xclient;' + value: 'off', + match: ' xclient off;' }, { title: 'should set auth_http', attr: 'auth_http', value: 'test-auth_http', match: ' auth_http test-auth_http;' }, { title: 'should set auth_http_header', attr: 'auth_http_header', value: 'X-Auth-Key "secret_string"', match: ' auth_http_header X-Auth-Key "secret_string";' }, { title: 'should set starttls', attr: 'starttls', value: 'on', match: ' starttls on;' }, { title: 'should set starttls', attr: 'starttls', value: 'only', match: ' starttls only;' }, { title: 'should not enable SSL', attr: 'starttls', value: 'off', notmatch: %r{ ssl_session_timeout 5m;} }, { title: 'should contain raw_prepend directives', attr: 'raw_prepend', value: [ 'if (a) {', ' b;', '}' ], match: %r{^\s+if \(a\) \{\n\s++b;\n\s+\}} }, { title: 'should contain raw_append directives', attr: 'raw_append', value: [ 'if (a) {', ' b;', '}' ], match: %r{^\s+if \(a\) \{\n\s++b;\n\s+\}} }, { title: 'should contain ordered prepended directives', attr: 'mailhost_cfg_prepend', value: { 'test1' => 'test value 1', 'test2' => ['test value 2a', 'test value 2b'], 'test3' => 'test value 3' }, match: [ ' test1 test value 1;', ' test2 test value 2a;', ' test2 test value 2b;', ' test3 test value 3;' ] }, { title: 'should contain ordered appended directives', attr: 'mailhost_cfg_append', value: { 'test1' => 'test 
value 1', 'test2' => ['test value 2a', 'test value 2b'], 'test3' => 'test value 3' }, match: [ ' test1 test value 1;', ' test2 test value 2a;', ' test2 test value 2b;', ' test3 test value 3;' ] } ].each do |param| context "when #{param[:attr]} is #{param[:value]}" do let :default_params do { listen_port: 25, ipv6_enable: true, ssl_cert: 'dummy.crt', ssl_key: 'dummy.key' } end let(:params) { default_params.merge(param[:attr].to_sym => param[:value]) } it { is_expected.to contain_concat__fragment("#{title}-header") } it param[:title] do matches = Array(param[:match]) if matches.all? { |m| m.is_a? Regexp } matches.each { |item| is_expected.to contain_concat__fragment("#{title}-header").with_content(item) } else lines = catalogue.resource('concat::fragment', "#{title}-header").send(:parameters)[:content].split("\n") expect(lines & Array(param[:match])).to eq(Array(param[:match])) end end end end end describe 'mailhost template content for imap' do [ { title: 'should set imap_auth', attr: 'imap_auth', value: 'login', match: ' imap_auth login;' }, { title: 'should set imap_capabilities', attr: 'imap_capabilities', value: ['"SIZE 52428800"', 'IMAP4rev1', 'UIDPLUS'], match: ' imap_capabilities "SIZE 52428800" IMAP4rev1 UIDPLUS;' }, { title: 'should set imap_client_buffer', attr: 'imap_client_buffer', value: '8k', match: ' imap_client_buffer 8k;' } ].each do |param| context "when #{param[:attr]} is #{param[:value]}" do let :default_params do { listen_port: 25, ipv6_enable: true, protocol: 'imap' } end let(:params) { default_params.merge(param[:attr].to_sym => param[:value]) } it { is_expected.to contain_concat__fragment("#{title}-header") } it param[:title] do matches = Array(param[:match]) if matches.all? { |m| m.is_a? 
Regexp } matches.each { |item| is_expected.to contain_concat__fragment("#{title}-header").with_content(item) } else lines = catalogue.resource('concat::fragment', "#{title}-header").send(:parameters)[:content].split("\n") expect(lines & Array(param[:match])).to eq(Array(param[:match])) end end end end end describe 'mailhost template content for pop3' do [ { title: 'should set pop3_auth', attr: 'pop3_auth', value: 'login', match: ' pop3_auth login;' }, { title: 'should set pop3_capabilities', attr: 'pop3_capabilities', value: %w[TOP USER UIDL], match: ' pop3_capabilities TOP USER UIDL;' } ].each do |param| context "when #{param[:attr]} is #{param[:value]}" do let :default_params do { listen_port: 25, ipv6_enable: true, protocol: 'pop3' } end let(:params) { default_params.merge(param[:attr].to_sym => param[:value]) } it { is_expected.to contain_concat__fragment("#{title}-header") } it param[:title] do matches = Array(param[:match]) if matches.all? { |m| m.is_a? Regexp } matches.each { |item| is_expected.to contain_concat__fragment("#{title}-header").with_content(item) } else lines = catalogue.resource('concat::fragment', "#{title}-header").send(:parameters)[:content].split("\n") expect(lines & Array(param[:match])).to eq(Array(param[:match])) end end end end end describe 'mailhost template content for smtp' do [ { title: 'should set smtp_auth', attr: 'smtp_auth', value: 'login', match: ' smtp_auth login;' }, { title: 'should set smtp_capabilities', attr: 'smtp_capabilities', value: %w[8BITMIME PIPELINING HELP], match: ' smtp_capabilities 8BITMIME PIPELINING HELP;' } ].each do |param| context "when #{param[:attr]} is #{param[:value]}" do let :default_params do { listen_port: 25, ipv6_enable: true, protocol: 'smtp' } end let(:params) { default_params.merge(param[:attr].to_sym => param[:value]) } it { is_expected.to contain_concat__fragment("#{title}-header") } it param[:title] do matches = Array(param[:match]) if matches.all? { |m| m.is_a? 
Regexp } matches.each { |item| is_expected.to contain_concat__fragment("#{title}-header").with_content(item) } else lines = catalogue.resource('concat::fragment', "#{title}-header").send(:parameters)[:content].split("\n") expect(lines & Array(param[:match])).to eq(Array(param[:match])) end end end end end describe 'mailhost template content (SSL enabled)' do [ { title: 'should set starttls', attr: 'starttls', value: 'on', match: ' starttls on;' }, { title: 'should set starttls', attr: 'starttls', value: 'only', match: ' starttls only;' }, { title: 'should not enable SSL', attr: 'starttls', value: 'off', notmatch: %r{ ssl_session_timeout 5m;} }, { title: 'should set ssl_certificate', attr: 'ssl_cert', value: 'test-ssl-cert', match: ' ssl_certificate test-ssl-cert;' }, { title: 'should set ssl_certificate_key', attr: 'ssl_key', value: 'test-ssl-cert-key', match: ' ssl_certificate_key test-ssl-cert-key;' }, { title: 'should set ssl_ciphers', attr: 'ssl_ciphers', value: 'ECDHE-ECDSA-CHACHA20-POLY1305', match: ' ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305;' }, { title: 'should set ssl_prefer_server_ciphers to on', attr: 'ssl_prefer_server_ciphers', value: 'on', match: ' ssl_prefer_server_ciphers on;' }, { title: 'should set ssl_prefer_server_ciphers to off', attr: 'ssl_prefer_server_ciphers', value: 'off', match: ' ssl_prefer_server_ciphers off;' }, { title: 'should set ssl_client_certificate', attr: 'ssl_client_cert', value: 'client-cert', match: ' ssl_client_certificate client-cert;' }, { title: 'should set ssl_crl', attr: 'ssl_crl', value: 'crl-file', match: ' ssl_crl crl-file;' }, { title: 'should set ssl_dhparam', attr: 'ssl_dhparam', value: 'dhparam-file', match: ' ssl_dhparam dhparam-file;' }, { title: 'should set ssl_ecdh_curve', attr: 'ssl_ecdh_curve', value: 'secp521r1', match: ' ssl_ecdh_curve secp521r1;' }, { title: 'should set ssl_client_certificate', attr: 'ssl_client_cert', value: 'client-cert', match: ' ssl_client_certificate client-cert;' }, { title: 
'should set ssl_password_file', attr: 'ssl_password_file', value: 'password-file', match: ' ssl_password_file password-file;' }, { title: 'should set ssl_protocols', attr: 'ssl_protocols', value: 'TLSv1.2', match: ' ssl_protocols TLSv1.2;' }, { title: 'should set ssl_session_cache', attr: 'ssl_session_cache', value: 'none', match: ' ssl_session_cache none;' }, { title: 'should set ssl_session_ticket_key', attr: 'ssl_session_ticket_key', value: 'key-file', match: ' ssl_session_ticket_key key-file;' }, { title: 'should set ssl_session_tickets', attr: 'ssl_session_tickets', value: 'on', match: ' ssl_session_tickets on;' }, { title: 'should set ssl_session_timeout', attr: 'ssl_session_timeout', value: '20m', match: ' ssl_session_timeout 20m;' }, { title: 'should set ssl_trusted_certificate', attr: 'ssl_trusted_cert', value: 'trust-cert', match: ' ssl_trusted_certificate trust-cert;' }, { title: 'should set ssl_verify_depth', attr: 'ssl_verify_depth', value: 2, match: ' ssl_verify_depth 2;' } ].each do |param| context "when #{param[:attr]} is #{param[:value]}" do let :default_params do { listen_port: 25, starttls: 'on', ssl_cert: 'dummy.crt', ssl_key: 'dummy.key' } end let(:params) { default_params.merge(param[:attr].to_sym => param[:value]) } it { is_expected.to contain_concat__fragment("#{title}-header") } it param[:title] do matches = Array(param[:match]) if matches.all? { |m| m.is_a? 
Regexp } matches.each { |item| is_expected.to contain_concat__fragment("#{title}-header").with_content(item) } else lines = catalogue.resource('concat::fragment', "#{title}-header").send(:parameters)[:content].split("\n") expect(lines & Array(param[:match])).to eq(Array(param[:match])) end end end end end describe 'mailhost_ssl template content' do [ { title: 'should set the IPv4 SSL listen port', attr: 'ssl_port', value: 45, match: ' listen *:45;' }, { title: 'should enable IPv6', attr: 'ipv6_enable', value: true, match: ' listen [::]:587 default ipv6only=on;' }, { title: 'should not enable IPv6', attr: 'ipv6_enable', value: false, notmatch: %r{ listen\s+\[::\]:587 default ipv6only=on;} }, { title: 'should set the IPv6 listen IP', attr: 'ipv6_listen_ip', value: '2001:0db8:85a3:0000:0000:8a2e:0370:7334', match: ' listen [2001:0db8:85a3:0000:0000:8a2e:0370:7334]:587 default ipv6only=on;' }, { title: 'should set the IPv6 ssl port', attr: 'ssl_port', value: 45, match: ' listen [::]:45 default ipv6only=on;' }, { title: 'should set the IPv6 listen options', attr: 'ipv6_listen_options', value: 'spdy', match: ' listen [::]:587 spdy;' }, { title: 'should set servername(s)', attr: 'server_name', value: %w[name1 name2], match: ' server_name name1 name2;' }, { title: 'should set protocol', attr: 'protocol', - value: 'test-protocol', - match: ' protocol test-protocol;' + value: 'imap', + match: ' protocol imap;' }, { title: 'should set xclient', attr: 'xclient', - value: 'test-xclient', - match: ' xclient test-xclient;' + value: 'off', + match: ' xclient off;' }, { title: 'should set auth_http', attr: 'auth_http', value: 'test-auth_http', match: ' auth_http test-auth_http;' }, { title: 'should set auth_http_header', attr: 'auth_http_header', value: 'X-Auth-Key "secret_string"', match: ' auth_http_header X-Auth-Key "secret_string";' }, { title: 'should set ssl_protocols', attr: 'ssl_protocols', value: 'test-ssl-protocol', match: ' ssl_protocols test-ssl-protocol;' }, { title: 
'should set ssl_ciphers', attr: 'ssl_ciphers', value: 'test-ssl-ciphers', match: ' ssl_ciphers test-ssl-ciphers;' }, { title: 'should set ssl_certificate', attr: 'ssl_cert', value: 'test-ssl-cert', match: ' ssl_certificate test-ssl-cert;' }, { title: 'should set ssl_certificate_key', attr: 'ssl_key', value: 'test-ssl-cert-key', match: ' ssl_certificate_key test-ssl-cert-key;' } ].each do |param| context "when #{param[:attr]} is #{param[:value]}" do let :default_params do { listen_port: 25, ssl_port: 587, ipv6_enable: true, ssl: true, ssl_protocols: 'default-protocols', ssl_ciphers: 'default-ciphers', ssl_cert: 'dummy.crt', ssl_key: 'dummy.key' } end let(:params) { default_params.merge(param[:attr].to_sym => param[:value]) } it { is_expected.to contain_concat__fragment("#{title}-ssl") } it param[:title] do matches = Array(param[:match]) if matches.all? { |m| m.is_a? Regexp } matches.each { |item| is_expected.to contain_concat__fragment("#{title}-ssl").with_content(item) } else lines = catalogue.resource('concat::fragment', "#{title}-ssl").send(:parameters)[:content].split("\n") expect(lines & Array(param[:match])).to eq(Array(param[:match])) end end end end context 'on nginx 1.16' do let(:params) do { listen_port: 25, ssl_port: 587, ipv6_enable: true, ssl: true, ssl_protocols: 'default-protocols', ssl_ciphers: 'default-ciphers', ssl_cert: 'dummy.crt', ssl_key: 'dummy.key' } end context 'when version comes from fact' do let(:facts) do facts.merge(nginx_version: '1.16.0') end let(:pre_condition) { ['include ::nginx'] } it 'has `ssl` at end of listen directive' do content = catalogue.resource('concat::fragment', "#{title}-ssl").send(:parameters)[:content] expect(content).to include('listen *:587 ssl;') end end context 'when version comes from parameter' do let(:pre_condition) { ['class { "nginx": nginx_version => "1.16.0"}'] } it 'also has `ssl` at end of listen directive' do content = catalogue.resource('concat::fragment', "#{title}-ssl").send(:parameters)[:content] 
expect(content).to include('listen *:587 ssl;') end end end end context 'attribute resources' do context 'SSL cert missing and ssl => true' do let(:params) do default_params.merge( ssl: true, ssl_key: 'key' ) end it { expect { is_expected.to contain_class('nginx::resource::server') }.to raise_error(Puppet::Error, %r{nginx: SSL certificate/key \(ssl_cert/ssl_cert\) and/or SSL Private must be defined and exist on the target system\(s\)}) } end context 'SSL key missing and ssl => true' do let :params do default_params.merge(ssl: true, ssl_cert: 'cert') end it { expect { is_expected.to contain_class('nginx::resource::server') }.to raise_error(Puppet::Error, %r{nginx: SSL certificate/key \(ssl_cert/ssl_cert\) and/or SSL Private must be defined and exist on the target system\(s\)}) } end context "SSL cert missing and starttls => 'on'" do let :params do default_params.merge(starttls: 'on', ssl_key: 'key') end it { expect { is_expected.to contain_class('nginx::resource::server') }.to raise_error(Puppet::Error, %r{nginx: SSL certificate/key \(ssl_cert/ssl_cert\) and/or SSL Private must be defined and exist on the target system\(s\)}) } end context "SSL key missing and starttls => 'on'" do let :params do default_params.merge(starttls: 'on', ssl_cert: 'cert') end it { expect { is_expected.to contain_class('nginx::resource::server') }.to raise_error(Puppet::Error, %r{nginx: SSL certificate/key \(ssl_cert/ssl_cert\) and/or SSL Private must be defined and exist on the target system\(s\)}) } end context "SSL cert missing and starttls => 'only'" do let :params do default_params.merge(starttls: 'only', ssl_key: 'key') end it { expect { is_expected.to contain_class('nginx::resource::server') }.to raise_error(Puppet::Error, %r{nginx: SSL certificate/key \(ssl_cert/ssl_cert\) and/or SSL Private must be defined and exist on the target system\(s\)}) } end context "SSL key missing and starttls => 'only'" do let :params do default_params.merge(starttls: 'only', ssl_cert: 'cert') end it { 
expect { is_expected.to contain_class('nginx::resource::server') }.to raise_error(Puppet::Error, %r{nginx: SSL certificate/key \(ssl_cert/ssl_cert\) and/or SSL Private must be defined and exist on the target system\(s\)}) } end context 'when listen_port != ssl_port' do let :params do default_params.merge(listen_port: 80, ssl_port: 443) end it { is_expected.to contain_concat__fragment("#{title}-header") } end context 'when listen_port != "ssl_port"' do let :params do default_params.merge(listen_port: 80, ssl_port: 443) end it { is_expected.to contain_concat__fragment("#{title}-header") } end context 'when listen_port == ssl_port' do let :params do default_params.merge(listen_port: 80, ssl_port: 80) end it { is_expected.not_to contain_concat__fragment("#{title}-header") } end context 'when listen_port == "ssl_port"' do let :params do default_params.merge(listen_port: 80, ssl_port: 80) end it { is_expected.not_to contain_concat__fragment("#{title}-header") } end context 'when ssl => true' do let :params do default_params.merge(ensure: 'absent', ssl: true, ssl_key: 'dummy.key', ssl_cert: 'dummy.cert') end it { is_expected.to contain_concat__fragment("#{title}-header") } it { is_expected.to contain_concat__fragment("#{title}-ssl") } end context 'when ssl => false' do let :params do default_params.merge(ensure: 'absent', ssl: false) end it { is_expected.to contain_concat__fragment("#{title}-header") } it { is_expected.not_to contain_concat__fragment("#{title}-ssl") } end end end end end end