1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
|
# File 'modules/dynamicproxy/manifests/api.pp', line 1
class dynamicproxy::api (
Stdlib::HTTPUrl $keystone_api_url,
String[1] $dns_updater_username,
String[1] $dns_updater_password,
String[1] $dns_updater_project,
String[1] $token_validator_username,
String[1] $token_validator_password,
String[1] $token_validator_project,
Stdlib::IP::Address::V4::Nosubnet $proxy_dns_ipv4,
Hash[String, Dynamicproxy::Zone] $supported_zones,
Optional[String] $acme_certname = undef,
Optional[Array[String]] $ssl_settings = undef,
Boolean $read_only = false,
) {
# for new enough python3-keystonemiddleware versions
debian::codename::require('bullseye', '>=')
file { '/usr/local/bin/invisible-unicorn.py':
source => 'puppet:///modules/dynamicproxy/invisible-unicorn.py',
owner => 'root',
group => 'root',
mode => '0555',
}
ensure_packages([
'python3-flask',
'python3-redis',
'python3-flask-sqlalchemy',
'python3-flask-keystone', # this one is built and maintained by us
'python3-oslo.context',
'python3-oslo.policy',
'sqlite3'
])
uwsgi::app { 'invisible-unicorn':
settings => {
uwsgi => {
plugins => 'python3',
master => true,
socket => '/run/uwsgi/invisible-unicorn.sock',
mount => '/dynamicproxy-api=/usr/local/bin/invisible-unicorn.py',
callable => 'app',
manage-script-name => true,
workers => 4,
},
},
subscribe => File['/usr/local/bin/invisible-unicorn.py'],
}
file { '/etc/dynamicproxy-api':
ensure => directory,
owner => 'www-data',
group => 'www-data',
}
file { '/etc/dynamicproxy-api/zones.json':
content => $supported_zones.to_json_pretty(),
owner => 'root',
group => 'root',
mode => '0444',
notify => Uwsgi::App['invisible-unicorn'],
}
file { '/etc/dynamicproxy-api/config.ini':
content => template('dynamicproxy/invisible-unicorn.ini.erb'),
owner => 'root',
group => 'root',
mode => '0444',
show_diff => false,
notify => Uwsgi::App['invisible-unicorn'],
}
cinderutils::ensure { 'db_backups':
min_gb => 1,
max_gb => 20,
mount_point => '/srv/backup',
before => File['/srv/backup/README'],
}
file { '/srv/backup/README':
source => 'puppet:///modules/dynamicproxy/BackupReadme',
owner => 'root',
group => 'root',
mode => '0644',
}
file { '/usr/local/sbin/proxydb-bak.sh':
mode => '0555',
owner => 'root',
group => 'root',
source => 'puppet:///modules/dynamicproxy/proxydb-bak.sh',
}
systemd::timer::job { 'proxydb-backup':
ensure => present,
user => 'root',
description => 'run proxydb-bak.sh',
command => '/usr/local/sbin/proxydb-bak.sh',
interval => {'start' => 'OnUnitInactiveSec', 'interval' => '24h'},
monitoring_enabled => false,
logging_enabled => false,
}
# Create initial db file if it doesn't exist, but don't clobber if it does.
file { '/etc/dynamicproxy-api/data.db':
ensure => file,
source => 'puppet:///modules/dynamicproxy/initial-data.db',
replace => false,
require => File['/etc/dynamicproxy-api'],
owner => 'www-data',
group => 'www-data',
}
nginx::site { 'invisible-unicorn':
content => template('dynamicproxy/api.conf.erb'),
require => Uwsgi::App['invisible-unicorn'],
}
# This is a GET-only front end that sits on port 5669. We can
# open this up to the public even though the actual API has no
# auth protections.
nginx::site { 'proxygetter':
source => 'puppet:///modules/dynamicproxy/proxygetter.conf',
}
}
|