Puppet Class: profile::tlsproxy::instance

Defined in:
modules/profile/manifests/tlsproxy/instance.pp

Overview

This defines the actual nginx daemon/instance to which tlsproxy “sites” belong.

Parameters:

  • nginx_ssl_dyn_rec (Boolean) (defaults to: hiera('cache::ssl_dyn_rec', false))
  • nginx_tune_for_media (Boolean) (defaults to: hiera('cache::tune_for_media', false))
  • nginx_client_max_body_size (String) (defaults to: hiera('tlsproxy::nginx_client_max_body_size', '100m'))
  • bootstrap_protection (Boolean) (defaults to: hiera('profile::tlsproxy::instance::bootstrap_protection', false))
  • nginx_variant (Enum['full', 'extras', 'light']) (defaults to: hiera('profile::tlsproxy::instance::nginx_variant', 'full'))
  • ssl_compatibility_mode (Enum['strong', 'mid', 'compat']) (defaults to: hiera('profile::tlsproxy::instance::ssl_compatibility_mode', 'compat'))


# File 'modules/profile/manifests/tlsproxy/instance.pp', line 2

# @summary Manages the nginx daemon/instance that tlsproxy "sites" belong to.
#
# Installs the chosen nginx package variant with its systemd unit masked for
# the duration of the install, renders /etc/nginx/nginx.conf and a logrotate
# config, and drops two systemd unit fragments (NUMA hinting and service
# hardening) under /etc/systemd/system/nginx.service.d.
#
# Only $bootstrap_protection, $nginx_variant and $ssl_compatibility_mode are
# referenced directly in this body; the remaining parameters are presumably
# read from class scope by the nginx.conf.erb template — confirm there.
#
# @param nginx_ssl_dyn_rec
#   Not read here; presumably consumed by the nginx.conf template.
# @param nginx_tune_for_media
#   Not read here; presumably consumed by the nginx.conf template.
# @param nginx_client_max_body_size
#   Size string in nginx syntax (default '100m'); not read here, presumably
#   emitted by the nginx.conf template.
# @param bootstrap_protection
#   When true, pre-seeds a placeholder /etc/nginx/nginx.conf so the Debian
#   package postinst can complete on hosts where port 80 is already in use.
# @param nginx_variant
#   Which Debian nginx flavour to install; forms the package name
#   nginx-${nginx_variant} and is passed through to class nginx.
# @param ssl_compatibility_mode
#   Cipher suite profile handed to ssl_ciphersuite(). The default, 'compat',
#   is presumably the most permissive of the three; the actual cipher lists
#   live in that function, so review it rather than the mode name when
#   judging the TLS posture.
class profile::tlsproxy::instance(
    Boolean $nginx_ssl_dyn_rec = hiera('cache::ssl_dyn_rec', false),
    Boolean $nginx_tune_for_media = hiera('cache::tune_for_media', false),
    String $nginx_client_max_body_size = hiera('tlsproxy::nginx_client_max_body_size', '100m'),
    Boolean $bootstrap_protection = hiera('profile::tlsproxy::instance::bootstrap_protection', false),
    Enum['full', 'extras', 'light'] $nginx_variant = hiera('profile::tlsproxy::instance::nginx_variant', 'full'),
    Enum['strong', 'mid', 'compat'] $ssl_compatibility_mode = hiera('profile::tlsproxy::instance::ssl_compatibility_mode', 'compat')
) {
    # Enable client/server TCP Fast Open (TFO)
    require ::profile::tcp_fast_open

    # Not used in this body; presumably interpolated by nginx.conf.erb.
    $nginx_worker_connections = '131072'
    # Renders the ssl_* directives for the selected compatibility mode.
    $nginx_ssl_conf = ssl_ciphersuite('nginx', $ssl_compatibility_mode)

    # If numa_networking is turned on, use interface_primary for NUMA hinting,
    # otherwise use 'lo' for this purpose.  Assumes NUMA data has "lo" interface
    # mapped to all cpu cores in the non-NUMA case.  The numa_iface variable is
    # in turn consumed by the systemd unit and config templates.
    # NOTE: $::numa_networking is a top-scope variable, unlike the $facts[]
    # lookup on the next line; anything other than the literal 'off' enables it.
    if $::numa_networking != 'off' {
        $numa_iface = $facts['interface_primary']
    } else {
        $numa_iface = 'lo'
    }

    # If nginx will be installed on a system where apache is already
    # running, the postinst script will fail to start it with the default
    # configuration as port 80 is already in use. This is considered working
    # as designed by Debian, see
    #    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=754407
    # However, we need the installation to complete correctly for puppet to
    # work as expected, hence we pre-install a configuration that will make
    # that possible. Note this file will be overwritten by puppet when
    # the nginx configuration gets installed properly.
    # The placeholder only has to parse; its 'listen 666' is never meant to be
    # bound, since the unit is masked below before the package is installed.
    # 'creates' makes this a one-shot: it is skipped once any nginx.conf exists.
    if $bootstrap_protection {
        exec { 'Dummy nginx.conf for installation':
            command => '/bin/mkdir -p /etc/nginx && /bin/echo -e "events { worker_connections 1; }\nhttp{ server{ listen 666; }}\n" > /etc/nginx/nginx.conf',
            creates => '/etc/nginx/nginx.conf',
            before  => Class['nginx'],
        }
    }

    # Make sure nginx.service is not automatically started upon package install
    # The mask is only applied while the package is not yet installed (dpkg
    # status check); on an already-installed host this is a no-op.
    systemd::mask { 'nginx.service':
        unless => "/usr/bin/dpkg -s nginx-${nginx_variant} | /bin/grep -q '^Status: install ok installed$'",
    }

    systemd::unmask { 'nginx.service': }

    # Ensure systemctl mask happens before the package is installed, and that
    # package installation triggers service unmask
    Systemd::Mask['nginx.service'] -> Package["nginx-${nginx_variant}"] ~> Systemd::Unmask['nginx.service']

    # managed => false: this profile ships the configuration itself; the
    # 'nginx' tag on the file/logrotate resources below is presumably how the
    # nginx module picks them up — confirm in modules/nginx.
    class { 'nginx':
        variant => $nginx_variant,
        managed => false,
    }

    # Real nginx.conf, replacing any bootstrap placeholder. No explicit
    # owner/group/mode is set here (unlike the systemd fragments below), so the
    # file type's defaults apply.
    file { '/etc/nginx/nginx.conf':
        content => template('profile/tlsproxy/nginx.conf.erb'),
        tag     => 'nginx',
    }

    logrotate::conf { 'nginx':
        ensure => present,
        source => 'puppet:///modules/profile/tlsproxy/logrotate',
        tag    => 'nginx',
    }

    # systemd unit fragments for NUMA and security
    $sysd_nginx_dir = '/etc/systemd/system/nginx.service.d'
    $sysd_numa_conf = "${sysd_nginx_dir}/numa.conf"
    $sysd_sec_conf = "${sysd_nginx_dir}/security.conf"

    # Drop-in directory and fragments are root-owned and read-only: these
    # files alter how the service is launched, so they are deliberately not
    # writable by anyone other than root.
    file { $sysd_nginx_dir:
        ensure => directory,
        mode   => '0555',
        owner  => 'root',
        group  => 'root',
    }

    # NUMA hinting fragment, templated from $numa_iface above.
    file { $sysd_numa_conf:
        ensure  => present,
        mode    => '0444',
        owner   => 'root',
        group   => 'root',
        content => template('profile/tlsproxy/nginx-numa.conf.erb'),
        before  => Class['nginx'],
        require => File[$sysd_nginx_dir],
    }

    # Static hardening fragment; its directives live in the module file, not
    # here, so review that file for the actual sandboxing applied.
    file { $sysd_sec_conf:
        ensure  => present,
        mode    => '0444',
        owner   => 'root',
        group   => 'root',
        source  => 'puppet:///modules/profile/tlsproxy/nginx-security.conf',
        before  => Class['nginx'],
        require => File[$sysd_nginx_dir],
    }

    # Fragments only take effect after a daemon-reload; run it solely when one
    # of them changes (refreshonly), not on every agent run.
    exec { 'systemd reload for nginx systemd fragments':
        refreshonly => true,
        command     => '/bin/systemctl daemon-reload',
        subscribe   => [File[$sysd_numa_conf],File[$sysd_sec_conf]],
    }
}