Puppet Class: profile::wmcs::novaproxy

Defined in:
modules/profile/manifests/wmcs/novaproxy.pp

Overview

Parameters:

  • all_proxies (Array[Stdlib::Fqdn]) (defaults to: lookup('profile::wmcs::novaproxy::all_proxies', {default_value => ['localhost']}))
  • active_proxy (Stdlib::Fqdn) (defaults to: lookup('profile::wmcs::novaproxy::active_proxy', {default_value => 'localhost'}))
  • use_ssl (Boolean) (defaults to: lookup('profile::wmcs::novaproxy::use_ssl', {default_value => true}))
  • acme_certname (String) (defaults to: lookup('profile::wmcs::novaproxy::use_ssl', {default_value => ''}))
  • banned_ips (Array[Stdlib::Ipv4]) (defaults to: lookup('profile::wmcs::novaproxy::banned_ips', {default_value => []}))
  • block_ua_re (String) (defaults to: lookup('profile::wmcs::novaproxy::block_ua_re', {default_value => ''}))
  • block_ref_re (String) (defaults to: lookup('profile::wmcs::novaproxy::block_ref_re', {default_value => ''}))
  • xff_fqdns (Array[Stdlib::Fqdn]) (defaults to: lookup('profile::wmcs::novaproxy::xff_fqdns', {default_value => []}))
  • use_wmflabs_root (Boolean) (defaults to: lookup('profile::wmcs::novaproxy::use_ssl', {default_value => true}))


# File 'modules/profile/manifests/wmcs/novaproxy.pp', line 1

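# @summary Firewall rules, TLS certificate selection and dynamicproxy setup
#   for a nova proxy host.
#
# @param all_proxies
#   Proxy hosts allowed to reach redis (tcp/6379) on this host.
# @param active_proxy
#   The proxy the other hosts replicate redis from. Compared against
#   $::hostname below.
# @param use_ssl
#   When true and no acme_certname is given, install the star.wmflabs.org
#   certificate and enable TLS in dynamicproxy.
# @param acme_certname
#   Name of an acme_chief certificate. A non-empty value takes precedence
#   over use_ssl.
# @param banned_ips
#   Passed to dynamicproxy as banned_ips.
# @param block_ua_re
#   Passed to dynamicproxy as blocked_user_agent_regex.
# @param block_ref_re
#   Passed to dynamicproxy as blocked_referer_regex.
# @param xff_fqdns
#   Passed to dynamicproxy as xff_fqdns. Presumably the hosts whose
#   X-Forwarded-For header is trusted; keep the list minimal. TODO confirm.
# @param use_wmflabs_root
#   When true, install the 'wmflabs.org' nginx site.
class profile::wmcs::novaproxy(
    Array[Stdlib::Fqdn] $all_proxies      = lookup('profile::wmcs::novaproxy::all_proxies',      {default_value => ['localhost']}),
    Stdlib::Fqdn        $active_proxy     = lookup('profile::wmcs::novaproxy::active_proxy',     {default_value => 'localhost'}),
    Boolean             $use_ssl          = lookup('profile::wmcs::novaproxy::use_ssl',          {default_value => true}),
    # Fixed: this default used to look up the 'use_ssl' key, so a Boolean set
    # for use_ssl in hiera was returned here and failed the String type check.
    String              $acme_certname    = lookup('profile::wmcs::novaproxy::acme_certname',    {default_value => ''}),
    Array[Stdlib::Ipv4] $banned_ips       = lookup('profile::wmcs::novaproxy::banned_ips',       {default_value => []}),
    String              $block_ua_re      = lookup('profile::wmcs::novaproxy::block_ua_re',      {default_value => ''}),
    String              $block_ref_re     = lookup('profile::wmcs::novaproxy::block_ref_re',     {default_value => ''}),
    Array[Stdlib::Fqdn] $xff_fqdns        = lookup('profile::wmcs::novaproxy::xff_fqdns',        {default_value => []}),
    # Fixed: this default also looked up 'use_ssl', which silently tied the
    # wmflabs.org root site to the TLS switch.
    Boolean             $use_wmflabs_root = lookup('profile::wmcs::novaproxy::use_wmflabs_root', {default_value => true}),
) {
    $proxy_nodes = join($all_proxies, ' ')

    # Redis is only opened to the proxy hosts themselves: srange is the
    # resolved address list of $all_proxies, not the whole network.
    ferm::service { 'redis-replication':
        proto  => 'tcp',
        port   => '6379',
        srange => "@resolve((${proxy_nodes}))",
    }

    # The public web ports carry no srange on purpose (see desc).
    ferm::service { 'http':
        proto => 'tcp',
        port  => '80',
        desc  => 'HTTP webserver for the entire world',
    }

    ferm::service { 'https':
        proto => 'tcp',
        port  => '443',
        desc  => 'HTTPS webserver for the entire world',
    }

    # NOTE(review): no srange is set on the read/write API rule below. If
    # ferm::service treats a missing srange as "any source", the endpoint that
    # adds and removes proxies is reachable at the firewall level from
    # everywhere this host is. Confirm that dynamicproxy::api authenticates or
    # source-restricts callers, or add an srange here.
    ferm::service { 'dynamicproxy-api-http':
        port  => '5668',
        proto => 'tcp',
        desc  => 'API for adding / removing proxies from dynamicproxy domainproxy'
    }

    ferm::service { 'dynamicproxy-api-http-readonly':
        port  => '5669',
        proto => 'tcp',
        desc  => 'read-only API for viewing proxies from dynamicproxy domainproxy'
    }

    # Every host other than the active proxy replicates redis from it.
    # NOTE(review): $::hostname is compared with an Stdlib::Fqdn value. If
    # active_proxy is given as a fully-qualified name, this test may never
    # match on the active proxy itself. Verify against the hiera data.
    if $::hostname != $active_proxy {
        $redis_replication = {
            "${::hostname}" => $active_proxy
        }
    } else {
        $redis_replication = undef
    }

    # Certificate source, in order of precedence: acme_chief, then the
    # star.wmflabs.org certificate, then no TLS at all.
    if $acme_certname != '' {
        acme_chief::cert { $acme_certname:
            puppet_rsc => Exec['nginx-reload'],
        }
        # NOTE(review): 'compat' is presumably the widest-compatibility cipher
        # profile. Confirm it still matches the TLS policy for this service.
        $ssl_settings = ssl_ciphersuite('nginx', 'compat')
        $ssl_certificate_name = $acme_certname
        $use_acme_chief = true
    } elsif $use_ssl {
        sslcert::certificate { 'star.wmflabs.org':
            skip_private => true,
            before       => Class['dynamicproxy'],
        }
        $ssl_settings = ssl_ciphersuite('nginx', 'compat')
        $ssl_certificate_name = 'star.wmflabs.org'
        $use_acme_chief = false
    } else {
        # Plain HTTP only: dynamicproxy gets no certificate and no TLS settings.
        $ssl_settings = undef
        $ssl_certificate_name = false
        $use_acme_chief = false
    }

    class { '::dynamicproxy':
        ssl_certificate_name     => $ssl_certificate_name,
        ssl_settings             => $ssl_settings,
        xff_fqdns                => $xff_fqdns,
        luahandler               => 'domainproxy',
        redis_replication        => $redis_replication,
        banned_ips               => $banned_ips,
        blocked_user_agent_regex => $block_ua_re,
        blocked_referer_regex    => $block_ref_re,
        use_acme_chief           => $use_acme_chief,
    }

    class { '::dynamicproxy::api': }

    if $use_wmflabs_root {
        nginx::site { 'wmflabs.org':
            content => template('profile/wmcs/novaproxy-wmflabs.org.conf')
        }
    }
}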