Puppet Class: profile::ncredir

Defined in:
modules/profile/manifests/ncredir.pp

Overview

SPDX-License-Identifier: Apache-2.0

Parameters:

  • http_port (Stdlib::Port) (defaults to: lookup('profile::ncredir::http_port', {default_value => 80}))
  • https_port (Stdlib::Port) (defaults to: lookup('profile::ncredir::https_port', {default_value => 443}))
  • shared_acme_certificates (Hash[String, Hash[String, Any]]) (defaults to: lookup('certificates::acme_chief'))
  • acme_chief_cert_prefix (String) (defaults to: lookup('profile::ncredir::acme_chief_cert_prefix', {default_value => 'non-canonical-redirect-'}))
  • monitoring (Boolean) (defaults to: lookup('profile::ncredir::monitoring', {default_value => false}))
  • hsts_max_age (Integer[0]) (defaults to: lookup('profile::ncredir::hsts_max_age', {default_value => 106384710}))
  • benthos_address (String) (defaults to: lookup('profile::ncredir::benthos_address', {default_value => '127.0.0.1:1221'}))


# File 'modules/profile/manifests/ncredir.pp', line 2

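# @summary Non-canonical domain redirect service: nginx (via the ncredir
#   module) serving the redirect maps, acme-chief certificates, optional
#   Icinga monitoring and the ferm rules for the two listening ports.
#
# @param http_port
#   Port nginx listens on for plain HTTP; the same value is opened in ferm.
# @param https_port
#   Port nginx listens on for HTTPS; the same value is opened in ferm.
# @param shared_acme_certificates
#   Hash of acme-chief certificate name => certificate details. Only the
#   entries whose name starts with $acme_chief_cert_prefix are deployed
#   here; the 'CN' entry of each selected certificate is used to derive the
#   hostname for the monitoring check.
# @param acme_chief_cert_prefix
#   Prefix that selects the entries of $shared_acme_certificates belonging
#   to ncredir. It is matched at the start of the certificate name. Note that
#   the match is still a Puppet `=~` match, so the prefix is compiled to a
#   regular expression: it must not contain unescaped regexp metacharacters.
# @param monitoring
#   Whether to declare one HTTPS/OCSP monitoring::service per deployed
#   certificate.
# @param hsts_max_age
#   Passed to ncredir as the Strict-Transport-Security max-age (HSTS
#   expresses max-age in seconds).
# @param benthos_address
#   host:port passed through to the ncredir class as its benthos endpoint;
#   profile::benthos is included alongside it.
class profile::ncredir(
    Stdlib::Port $http_port = lookup('profile::ncredir::http_port', {default_value => 80}),
    Stdlib::Port $https_port = lookup('profile::ncredir::https_port', {default_value => 443}),
    Hash[String, Hash[String, Any]] $shared_acme_certificates = lookup('certificates::acme_chief'),
    String $acme_chief_cert_prefix = lookup('profile::ncredir::acme_chief_cert_prefix', {default_value => 'non-canonical-redirect-'}),
    Boolean $monitoring = lookup('profile::ncredir::monitoring', {default_value => false}),
    Integer[0] $hsts_max_age = lookup('profile::ncredir::hsts_max_age', {default_value => 106384710}),
    String $benthos_address = lookup('profile::ncredir::benthos_address', {default_value => '127.0.0.1:1221'}),
) {

    class { '::sslcert::dhparam': }

    include ::profile::benthos

    class { '::ncredir':
        ssl_settings           => ssl_ciphersuite('nginx', 'strong'),
        redirection_maps       => wmflib::compile_redirects(file('ncredir/nc_redirects.dat'), 'nginx'),
        acme_certificates      => $shared_acme_certificates,
        acme_chief_cert_prefix => $acme_chief_cert_prefix,
        http_port              => $http_port,
        https_port             => $https_port,
        hsts_max_age           => $hsts_max_age,
        benthos_address        => $benthos_address,
    }

    # Anchor the prefix to the start of the certificate name. An unanchored
    # `=~ $acme_chief_cert_prefix` would also select any certificate merely
    # containing the prefix somewhere in its name, which is not what a
    # "prefix" parameter promises.
    $cert_name_pattern = "^${acme_chief_cert_prefix}"

    $shared_acme_certificates.each |String $cert_name, Hash[String, Any] $cert_details| {
        if $cert_name =~ $cert_name_pattern {
            # Reload nginx when the certificate files change, and make sure
            # the files exist before the service is first started.
            acme_chief::cert { $cert_name:
                puppet_rsc => Exec['nginx-reload'],
                before     => Service['nginx'],
            }

            if $monitoring {
                # The CN may be a wildcard (e.g. *.example.org); the check
                # needs a concrete hostname, so probe the www label instead.
                $check_hostname = regsubst($cert_details['CN'], '^\*', 'www')

                monitoring::service { "https_ncredir_${cert_name}":
                    description   => "HTTPS ${cert_name}",
                    check_command => "check_ssl_http_letsencrypt_ocsp!${check_hostname}",
                    notes_url     => 'https://wikitech.wikimedia.org/wiki/Ncredir',
                }
            }
        }
    }

    # Firewall: open exactly the two ports nginx was configured to listen on.
    ferm::service { 'ncredir_http':
        proto => 'tcp',
        port  => $http_port,
    }
    ferm::service { 'ncredir_https':
        proto => 'tcp',
        port  => $https_port,
    }
}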