Merge pull request #102 from danieldreier/switch_nginx_modules

zachfi · zachfi · commit e19ca60f46fe · 2014-11-03T09:30:08.000-08:00
Switch to jfryman/nginx module
diff --git a/.fixtures.yml b/.fixtures.yml
@@ -11,7 +11,9 @@ fixtures:
     unicorn: "git://github.com/puppetlabs-operations/puppet-unicorn.git"
     rack: "git://github.com/puppetlabs-operations/puppet-rack.git"
     bundler: "git://github.com/puppetlabs-operations/puppet-bundler.git"
-    nginx: "git://github.com/puppetlabs-operations/puppet-nginx.git"
+    nginx:
+      repo: "git://github.com/jfryman/puppet-nginx.git"
+      ref: "v0.0.10"
     inifile: "git://github.com/puppetlabs/puppetlabs-inifile.git"
     apache: "git://github.com/puppetlabs/puppetlabs-apache.git"
     portage: "git://github.com/gentoo/puppet-portage.git"
diff --git a/Modulefile b/Modulefile
@@ -15,5 +15,5 @@ dependency 'ploperations/unicorn',        '>= 1.0.0'
 dependency 'puppetlabs/inifile',          '>= 1.0.0'
 dependency 'puppetlabs/apache',           '>= 0.9.0'
 dependency 'gentoo/portage',              '>= 2.1.0'
-dependency 'ploperations/nginx'
+dependency 'jfryman/nginx',               '<= 0.0.10'
 dependency 'danieldreier/thin'
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -8,10 +8,16 @@
 # This module should not be directly included.
 #
 class puppet (
-  $logdir = $puppet::params::puppet_logdir,
-  $vardir = $puppet::params::puppet_vardir,
-  $ssldir = $puppet::params::puppet_ssldir,
-  $rundir = $puppet::params::puppet_rundir,
+  $logdir  = $puppet::params::puppet_logdir,
+  $vardir  = $puppet::params::puppet_vardir,
+  $ssldir  = $puppet::params::puppet_ssldir,
+  $rundir  = $puppet::params::puppet_rundir,
+  $confdir = $puppet::params::puppet_confdir,
 ) inherits puppet::params {
 
+  file { $confdir:
+    ensure => 'directory',
+    owner  => 'puppet',
+    group  => 'puppet',
+  }
 }
diff --git a/manifests/server/thin.pp b/manifests/server/thin.pp
@@ -11,9 +11,12 @@
     loglevel => 'warning',
   }
 
-  class { 'puppet::server::standalone': enabled => false }
-  class { '::thin': }
-  class { 'nginx::server': }
+  class { 'puppet::server::standalone':
+    enabled => false,
+    before  => Class['nginx'],
+  }
+  include ::thin
+  include nginx
 
   Ini_setting {
     ensure  => 'present',
@@ -30,10 +33,40 @@
       setting => 'ssl_client_verify_header';
   }
 
-  $servers = $::processorcount
-  nginx::vhost { 'puppetmaster':
-    port     => 8140,
-    template => 'puppet/vhost/nginx/thin.conf.erb',
+  $servers     = $::processorcount
+  $servername  = pick($::puppet::server::servername, $::clientcert, $::fqdn)
+  $thin_socket = "unix:${puppet::params::puppet_rundir}/puppetmaster.0.sock"
+
+  nginx::resource::vhost { 'puppetmaster':
+    server_name        => [$servername],
+    ssl                => true,
+    ssl_port           => '8140',
+    listen_port        => '8140', # force ssl_only by matching ssl_port
+    ssl_cert           => "${::puppet::ssldir}/certs/${servername}.pem",
+    ssl_key            => "${::puppet::ssldir}/private_keys/${servername}.pem",
+    ssl_ciphers        => $::puppet::server::ssl_ciphers,
+    ssl_protocols      => $::puppet::server::ssl_protocols,
+    proxy_read_timeout => '300',
+    proxy              => 'http://puppetmaster_thin',
+    vhost_cfg_append   => {
+      ssl_crl                => "${::puppet::ssldir}/crl.pem",
+      ssl_client_certificate => "${::puppet::ssldir}/certs/ca.pem",
+      ssl_verify_client      => 'optional',
+      proxy_connect_timeout  => '300',
+      proxy_set_header       => [ 'Host $host',
+                                'X-Real-IP $remote_addr',
+                                'X-Forwarded-For $proxy_add_x_forwarded_for',
+                                'X-Client-Verify $ssl_client_verify',
+                                'X-Client-DN $ssl_client_s_dn',
+                                'X-SSL-Issuer $ssl_client_i_dn'],
+      root                   => '/usr/share/empty',
+    }
+  }
+
+  nginx::resource::upstream { 'puppetmaster_thin':
+    members => [
+      $thin_socket
+    ],
   }
 
   concat::fragment { 'proctitle':
@@ -49,7 +82,7 @@
     chdir      => $puppet::params::puppet_confdir,
     subscribe  => Concat["${::puppet::params::puppet_confdir}/config.ru"],
     require    => Class['::thin'],
-    socket     => '/var/run/thin/puppetmaster.sock',
+    socket     => "${puppet::params::puppet_rundir}/puppetmaster.sock",
     force_home => '/etc/puppet',
   }
 }
diff --git a/manifests/server/unicorn.pp b/manifests/server/unicorn.pp
@@ -2,45 +2,55 @@
 
   include puppet::params
   include puppet::server::rack
-  include nginx::server
+  class { 'nginx': }
 
   class { 'puppet::server::standalone':
     enabled => false,
     before  => [
-      Nginx::Unicorn['puppetmaster'],
+      Nginx::Resource::Vhost['puppetmaster'],
       Unicorn::App['puppetmaster'],
     ],
   }
 
   $servername     = pick($::puppet::server::servername, $::clientcert, $::fqdn)
-  $unicorn_socket = "${puppet::params::puppet_rundir}/puppetmaster_unicorn.sock"
+  $unicorn_socket = "unix:${puppet::params::puppet_rundir}/puppetmaster_unicorn.sock"
 
-  nginx::unicorn { 'puppetmaster':
-    servername        => $servername,
-    path              => $::puppet::params::puppet_confdir,
-    unicorn_socket    => $unicorn_socket,
-    ssl               => true,
-    sslonly           => true,
-    ssl_port          => '8140',
-    ssl_cert          => "${::puppet::ssldir}/certs/${servername}.pem",
-    ssl_key           => "${::puppet::ssldir}/private_keys/${servername}.pem",
-    ssl_ca            => "${::puppet::ssldir}/certs/ca.pem",
-    ssl_crl_path      => "${::puppet::ssldir}/crl.pem",
-    ssl_ciphers       => $::puppet::server::ssl_ciphers,
-    ssl_protocols     => $::puppet::server::ssl_protocols,
-    ssl_verify_client => 'optional',
-    magic             => "proxy_connect_timeout 300s;\n  proxy_read_timeout 300s;",
+  nginx::resource::vhost { 'puppetmaster':
+    server_name           => [$servername],
+    ssl                   => true,
+    ssl_port              => '8140',
+    listen_port           => '8140', # force ssl_only by matching ssl_port
+    ssl_cert              => "${::puppet::ssldir}/certs/${servername}.pem",
+    ssl_key               => "${::puppet::ssldir}/private_keys/${servername}.pem",
+    ssl_ciphers           => $::puppet::server::ssl_ciphers,
+    ssl_protocols         => $::puppet::server::ssl_protocols,
+    proxy_read_timeout    => '300',
+    proxy                 => "http://puppetmaster_unicorn",
+    vhost_cfg_append      => {
+      ssl_crl                => "${::puppet::ssldir}/crl.pem",
+      ssl_client_certificate => "${::puppet::ssldir}/certs/ca.pem",
+      ssl_verify_client      => 'optional',
+      proxy_connect_timeout  => '300',
+      proxy_set_header       => [ 'Host $host', 'X-Real-IP $remote_addr', 'X-Forwarded-For $proxy_add_x_forwarded_for', 'X-Client-Verify $ssl_client_verify', 'X-Client-DN $ssl_client_s_dn', 'X-SSL-Issuer $ssl_client_i_dn'],
+      root                   => '/usr/share/empty',
+    }
+  }
+
+  nginx::resource::upstream { 'puppetmaster_unicorn':
+    members => [
+      $unicorn_socket
+    ],
   }
 
   unicorn::app { 'puppetmaster':
-    approot         => $::puppet::params::puppet_confdir,
-    config_file     => "${::puppet::params::puppet_confdir}/unicorn.conf",
-    pidfile         => "${::puppet::params::puppet_rundir}/puppetmaster_unicorn.pid",
-    socket          => $unicorn_socket,
-    logdir          => $::puppet::params::puppet_logdir,
-    user            => 'puppet',
-    group           => 'puppet',
-    before          => Service['nginx'],
-    subscribe       => Concat["${::puppet::params::puppet_confdir}/config.ru"],
+    approot     => $::puppet::params::puppet_confdir,
+    config_file => "${::puppet::params::puppet_confdir}/unicorn.conf",
+    pidfile     => "${::puppet::params::puppet_rundir}/puppetmaster_unicorn.pid",
+    socket      => $unicorn_socket,
+    logdir      => $::puppet::params::puppet_logdir,
+    user        => 'puppet',
+    group       => 'puppet',
+    before      => Service['nginx'],
+#    export_home => $::confdir, # uncomment pending https://github.com/puppetlabs-operations/puppet-unicorn/pull/14
   }
 }
diff --git a/spec/spec_helper_acceptance.rb b/spec/spec_helper_acceptance.rb
@@ -47,7 +47,7 @@
 mod 'unicorn',        :git => 'git://github.com/puppetlabs-operations/puppet-unicorn.git'
 mod 'rack',           :git => 'git://github.com/puppetlabs-operations/puppet-rack.git'
 mod 'bundler',        :git => 'git://github.com/puppetlabs-operations/puppet-bundler.git'
-mod 'nginx',          :git => 'git://github.com/puppetlabs-operations/puppet-nginx.git'
+mod 'nginx',          :git => 'git://github.com/jfryman/puppet-nginx.git'
 mod 'inifile',        :git => 'git://github.com/puppetlabs/puppetlabs-inifile.git'
 mod 'apache',         :git => 'git://github.com/puppetlabs/puppetlabs-apache.git'
 mod 'portage',        :git => 'git://github.com/gentoo/puppet-portage.git'
diff --git a/templates/unicorn_puppetmaster b/templates/unicorn_puppetmaster
diff --git a/tests/thin.pp b/tests/thin.pp
@@ -1,3 +1,9 @@
+host { 'puppet':
+  ensure => 'present',
+  ip     => $::ipaddress,
+  target => '/etc/hosts',
+}
+
 class { 'puppet::server':
   servertype   => 'thin',
   ca           => true,
diff --git a/tests/unicorn.pp b/tests/unicorn.pp
@@ -0,0 +1,5 @@
+class { 'puppet::server':
+  servertype => 'unicorn',
+  ca         => true,
+}
+
