Puppet Class: nginx

Defined in:
modules/nginx/manifests/init.pp

Overview

SPDX-License-Identifier: Apache-2.0

Class: nginx

Nginx is a popular, high-performance HTTP server and reverse proxy. This module is very small and simple, providing an 'nginx::site' resource type that takes an Nginx configuration file as input.

This class also explicitly installs the nginx-common package by default, so that other code can require that package in order to act after installation but potentially before the service starts.

Parameters

managed

If true (the default), changes to Nginx configuration files and site definition files will trigger a restart of the Nginx server. If false, the service will need to be manually restarted for the configuration changes to take effect.

variant

Which variant of the nginx package to install. Must be one of 'full', 'light' or 'extras', which respectively install one of the 'nginx-full', 'nginx-light' or 'nginx-extras' packages on Stretch, Buster and Bullseye. Starting with Bookworm there is a single nginx package, and additional functionality can be installed via libnginx-mod-http-foo packages. Use “custom” together with the modules parameter to configure that scheme.

modules

When using the “custom” variant, install this list of additional modules. Only the module name needs to be passed, e.g. echo to install the packaged libnginx-mod-http-echo module.

Parameters:

  • lib_on_tmpfs (Boolean) (defaults to: true)

    Mount /var/lib/nginx on a tmpfs volume to reduce disk writes

  • tmpfs_size (String) (defaults to: '1g')

    The /var/lib/nginx tmpfs size

  • ensure (Wmflib::Ensure) (defaults to: 'present')
  • managed (Boolean) (defaults to: true)
  • variant (Enum['full', 'extras', 'light', 'custom']) (defaults to: 'full')
  • modules (Array[String]) (defaults to: [])


# File 'modules/nginx/manifests/init.pp', line 36

class nginx(
    Wmflib::Ensure                            $ensure = 'present',
    Boolean                                   $managed = true,
    Enum['full', 'extras', 'light', 'custom'] $variant = 'full',
    Boolean                                   $lib_on_tmpfs = true,
    String                                    $tmpfs_size = '1g',
    Array[String]                             $modules = [],
){
    # Installs the nginx package(s), declares the 'nginx' service, manages the
    # /etc/nginx configuration directories and optionally mounts
    # /var/lib/nginx on tmpfs.

    # Package selection. The 'custom' variant installs the single 'nginx'
    # package plus one libnginx-mod-http-<name> package per entry in $modules;
    # every other variant installs nginx-<variant> together with nginx-common.
    if $variant == 'custom' {
        $nginx_package_name = 'nginx'
        # Abort catalog compilation on releases where the custom scheme is
        # not available (see the failure message below).
        if debian::codename::lt('bookworm') {
            fail('The custom variant is only available for Bookworm and later')
        }

        ensure_packages ([$nginx_package_name], {'ensure' => $ensure})

        # NOTE(review): entries of $modules are only typed as String and are
        # interpolated straight into a package name; nothing here restricts
        # them to the characters of a module name. Consider a Pattern type or
        # an explicit check if this list can come from less trusted data.
        $modules.each |String $module| {
            ensure_packages (["libnginx-mod-http-${module}"], {'ensure' => $ensure})
        }
    } else {
        $nginx_package_name = "nginx-${variant}"
        ensure_packages ([$nginx_package_name,'nginx-common'], {'ensure' => $ensure})
    }

    # In the unmanaged case, this prevents the scenario where after the
    # initial puppet run that installs the package, the net resulting state is
    # a fully deployed configuration on disk, but the running instance still
    # running the default configuration from the package.  With this, it gets
    # stopped before the service clause checks->starts it with good config.
    # The exec is refreshonly and subscribed to the package, so it only runs
    # when the package resource reports a change.
    if ! $managed and ($ensure == 'present') {
        exec { 'stop-default-nginx':
            command     => '/usr/sbin/service nginx stop',
            subscribe   => Package[$nginx_package_name],
            refreshonly => true,
            before      => Service['nginx'],
        }
    }

    # The service is enabled at boot only when $ensure is 'present'; its
    # running state is derived from $ensure by stdlib::ensure.
    service { 'nginx':
        ensure     => stdlib::ensure($ensure, 'service'),
        enable     => ($ensure == 'present'),
        hasrestart => true,
        require    => Package[$nginx_package_name],
    }

    # Reload hook: refreshonly, and no resource in this class notifies it, so
    # it is presumably triggered from other code (e.g. site definitions).
    exec { 'nginx-reload':
        command     => '/usr/sbin/service nginx reload',
        refreshonly => true,
    }

    # Note that /etc/nginx is kept as a directory regardless of $ensure.
    # No owner, group or mode is set on any file resource in this class, so
    # those attributes come from resource defaults outside this class, if any.
    file { '/etc/nginx':
        ensure  => directory,
        require => Package[$nginx_package_name],
    }
    # recurse + purge + force: anything in these directories that is not
    # managed by Puppet is removed on each run. This keeps stray or
    # hand-placed configuration snippets from being picked up by nginx.
    file { [ '/etc/nginx/conf.d', '/etc/nginx/sites-available', '/etc/nginx/sites-enabled' ]:
        ensure  => stdlib::ensure($ensure, 'directory'),
        recurse => true,
        purge   => true,
        force   => true,
    }

    # The Lua file is only shipped for the 'extras' variant.
    if $variant == 'extras' {
        file { '/etc/nginx/prometheus.lua':
            ensure => $ensure,
            source => 'puppet:///modules/nginx/prometheus.lua',
        }
    }

    # Order config -> service for all
    #  nginx-tagged config files (including all File resources
    #  declared within this module), and set up the
    #  notification for config~>service if $managed.
    # Also set up ssl tag -> service similarly, for certs
    # ('~>' orders and notifies the service; '->' only orders, so with
    # $managed false a changed config or certificate is not picked up by the
    # running service until it is restarted by other means.)
    if $managed {
        File <| tag == 'nginx' |> ~> Service['nginx']
        File <| tag == 'ssl' |> ~> Service['nginx']
    }
    else {
        File <| tag == 'nginx' |> -> Service['nginx']
        File <| tag == 'ssl' |> -> Service['nginx']
    }

    if $lib_on_tmpfs {
        # nginx will buffer e.g. large body content into this directory
        #  very briefly, so keep it off the disks.
        # The mount point directory is ensured regardless of $ensure.
        file { '/var/lib/nginx':
            ensure => directory,
        }
        # NOTE(review): 'defaults' leaves exec, suid and dev enabled on this
        # mount, and the directory holds data buffered from client requests.
        # Consider adding nosuid,nodev,noexec after confirming nothing needs
        # to execute from /var/lib/nginx.
        # NOTE(review): $tmpfs_size is an unconstrained String interpolated
        # into the option list, so a value containing a comma would append
        # further mount options. Consider validating it against a size
        # pattern.
        mount { '/var/lib/nginx':
            ensure  => stdlib::ensure($ensure, 'mounted'),
            device  => 'tmpfs',
            fstype  => 'tmpfs',
            options => "defaults,noatime,uid=0,gid=0,mode=755,size=${tmpfs_size}",
            pass    => 0,
            dump    => 0,
            before  => Service['nginx'],
            require => File['/var/lib/nginx'],
        }
    }
}