Puppet Class: profile::ncredir

Defined in:
modules/profile/manifests/ncredir.pp

Overview

Parameters:

  • http_port (Stdlib::Port) (defaults to: lookup('profile::ncredir::http_port', {default_value => 80}))
  • https_port (Stdlib::Port) (defaults to: lookup('profile::ncredir::https_port', {default_value => 443}))
  • shared_acme_certificates (Hash[String, Hash[String, Any]]) (defaults to: lookup('shared_acme_certificates'))
  • acme_chief_cert_prefix (String) (defaults to: lookup('profile::ncredir::acme_chief_cert_prefix', {default_value => 'non-canonical-redirect-'}))
  • monitoring (Boolean) (defaults to: lookup('profile::ncredir::monitoring', {default_value => false}))
  • mtail_access_log_port (Wmflib::UserIpPort) (defaults to: lookup('profile::ncredir::mtail_access_log_port', {default_value => 3904}))
  • mtail_args (String) (defaults to: lookup('profile::ncredir::mtail_args', {default_value => ''}))
  • prometheus_nodes (Array[String]) (defaults to: lookup('prometheus_nodes', {default_value => []}))
  • hsts_max_age (Integer[0]) (defaults to: lookup('profile::ncredir::hsts_max_age', {default_value => 106384710}))


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
# File 'modules/profile/manifests/ncredir.pp', line 1

class profile::ncredir(
    Stdlib::Port $http_port = lookup('profile::ncredir::http_port', {default_value => 80}),
    Stdlib::Port $https_port = lookup('profile::ncredir::https_port', {default_value => 443}),
    Hash[String, Hash[String, Any]] $shared_acme_certificates = lookup('shared_acme_certificates'),
    String $acme_chief_cert_prefix = lookup('profile::ncredir::acme_chief_cert_prefix', {default_value => 'non-canonical-redirect-'}),
    Boolean $monitoring = lookup('profile::ncredir::monitoring', {default_value => false}),
    Wmflib::UserIpPort $mtail_access_log_port = lookup('profile::ncredir::mtail_access_log_port', {default_value => 3904}),
    String $mtail_args = lookup('profile::ncredir::mtail_args', {default_value => ''}),
    Array[String] $prometheus_nodes = lookup('prometheus_nodes', {default_value => []}),
    Integer[0] $hsts_max_age = lookup('profile::ncredir::hsts_max_age', {default_value => 106384710}),
) {

    class { '::sslcert::dhparam': }
    class { 'nginx':
        variant => 'light',
    }

    mtail::program { 'ncredir':
        source      => 'puppet:///modules/mtail/programs/ncredir.mtail',
        destination => '/etc/ncredir.mtail',
        notify      => Service['ncredirmtail@access_log'],
    }

    profile::ncredir::log { 'access_log':
        ncredirmtail_port => $mtail_access_log_port,
        ncredirmtail_args => $mtail_args,
    }

    class { '::ncredir':
        ssl_settings           => ssl_ciphersuite('nginx', 'mid'),
        redirection_maps       => compile_redirects('puppet:///modules/ncredir/nc_redirects.dat', 'nginx'),
        acme_certificates      => $shared_acme_certificates,
        acme_chief_cert_prefix => $acme_chief_cert_prefix,
        http_port              => $http_port,
        https_port             => $https_port,
        hsts_max_age           => $hsts_max_age,
        require                => File['/var/log/nginx/ncredir.access_log.pipe'],
    }

    $shared_acme_certificates.each |String $cert_name, Hash[String, Any] $cert_details| {
        if $cert_name =~ $acme_chief_cert_prefix {
            acme_chief::cert { $cert_name:
                puppet_rsc => Exec['nginx-reload'],
                before     => Service['nginx'],
            }

            if $monitoring {
                # Common name could be a wildcard
                $check_hostname = regsubst($cert_details['CN'], '^\*', 'www')

                monitoring::service { "https_ncredir_${cert_name}":
                    description   => "HTTPS ${cert_name}",
                    check_command => "check_ssl_http_letsencrypt_ocsp!${check_hostname}",
                    notes_url     => 'https://wikitech.wikimedia.org/wiki/Ncredir',
                }
            }
        }
    }

    # Firewall
    ferm::service { 'ncredir_http':
        proto => 'tcp',
        port  => $http_port,
    }
    ferm::service { 'ncredir_https':
        proto => 'tcp',
        port  => $https_port,
    }

    $prometheus_nodes_ferm = join($prometheus_nodes, ' ')
    ferm::service { 'mtail':
      proto  => 'tcp',
      port   => '3904',
      srange => "(@resolve((${prometheus_nodes_ferm})) @resolve((${prometheus_nodes_ferm}), AAAA))",
    }
}