Tim Landscheidt has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/340462 )
Change subject: puppetdb: Allow to use Apache as frontend ...................................................................... puppetdb: Allow to use Apache as frontend Bug: T154105 Change-Id: I7a0605d03d6307d50ce27840515121c14d4f5b14 --- M modules/puppetmaster/manifests/puppetdb.pp A modules/puppetmaster/templates/apache-puppetdb.conf.erb 2 files changed, 60 insertions(+), 16 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/62/340462/1
diff --git a/modules/puppetmaster/manifests/puppetdb.pp b/modules/puppetmaster/manifests/puppetdb.pp
index de2b5cb..697d4bf 100644
--- a/modules/puppetmaster/manifests/puppetdb.pp
+++ b/modules/puppetmaster/manifests/puppetdb.pp
@@ -1,29 +1,54 @@ # Class puppetmaster::puppetdb # # Sets up a puppetdb instance and the corresponding database server. -class puppetmaster::puppetdb($master, $port=443, $jetty_port=8080) { +class puppetmaster::puppetdb($master, $port=443, $jetty_port=8080, $webfrontend='nginx') { requires_os('Debian >= jessie') $puppetdb_pass = hiera('puppetdb::password::rw') ## TLS Termination - # Set up nginx as a reverse-proxy - ::base::expose_puppet_certs { '/etc/nginx': - ensure => present, - provide_private => true, - require => Class['nginx'], - } + case $webfrontend { + 'apache': { + # Set up Apache as a reverse-proxy. + include ::apache::mod::headers + include ::apache::mod::proxy + include ::apache::mod::proxy_http + include ::apache::mod::ssl - $ssl_settings = ssl_ciphersuite('nginx', 'mid') - include ::sslcert::dhparam - ::nginx::site { 'puppetdb': - ensure => present, - content => template('puppetmaster/nginx-puppetdb.conf.erb'), - require => Class['::sslcert::dhparam'], - } + $ssl_settings = ssl_ciphersuite('apache', 'mid', true) + include ::sslcert::dhparam + ::apache::site { 'puppetdb': + ensure => present, + content => template('puppetmaster/apache-puppetdb.conf.erb'), + require => Class['::sslcert::dhparam'], + } - diamond::collector::nginx{ $::fqdn: - port => 10080, + } + + 'nginx': { + # Set up nginx as a reverse-proxy. + ::base::expose_puppet_certs { '/etc/nginx': + ensure => present, + provide_private => true, + require => Class['nginx'], + } + + $ssl_settings = ssl_ciphersuite('nginx', 'mid') + include ::sslcert::dhparam + ::nginx::site { 'puppetdb': + ensure => present, + content => template('puppetmaster/nginx-puppetdb.conf.erb'), + require => Class['::sslcert::dhparam'], + } + + diamond::collector::nginx{ $::fqdn: + port => 10080, + } + } + + default: { + fail("Unknown webfrontend '${webfrontend}'") + } } ## PuppetDB installation 
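Review bot: The class header comment says nothing about the new `$webfrontend` parameter, so the accepted values can only be found by reading the `case` statement; add a line such as `# [*webfrontend*] Reverse proxy terminating TLS in front of Jetty: 'nginx' (default) or 'apache'.` The `'apache'` branch has no counterpart to `diamond::collector::nginx` and passes a third argument (`true`) to `ssl_ciphersuite` that the nginx branch does not. The two frontends may therefore differ in metrics and in the TLS settings they emit, and a short comment in the branch should say whether that is intended. `include ::sslcert::dhparam` is repeated in both branches and could be hoisted above the `case`. The class body continues past the end of this hunk.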
diff --git a/modules/puppetmaster/templates/apache-puppetdb.conf.erb b/modules/puppetmaster/templates/apache-puppetdb.conf.erb
new file mode 100644
index 0000000..da94b31
--- /dev/null
+++ b/modules/puppetmaster/templates/apache-puppetdb.conf.erb
@@ -0,0 +1,19 @@
+# This file is managed by Puppet!
+
+<VirtualHost *:<%= @port %>>
+ ServerName <%= @fqdn %>
+
+ SSLEngine on
+ <%= @ssl_settings.join("\n ") %>
+ SSLCertificateFile /var/lib/puppet/ssl/certs/<%= @fqdn %>.pem
+ SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/<%= @fqdn %>.pem
+ SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem
+ SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
+
+ DocumentRoot /dev/null
+
+ RequestHeader set X-Real-IP %{REMOTE_ADDR}s
+ ProxyPass / http://localhost:<%= @jetty_port %>/
+
+ CustomLog /var/log/apache2/puppetdb.log wmf
+</VirtualHost>
-- To view, visit https://gerrit.wikimedia.org/r/340462 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I7a0605d03d6307d50ce27840515121c14d4f5b14 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Tim Landscheidt <t...@tim-landscheidt.de> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
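Review bot: The new vhost sets `SSLCACertificateFile` but never enables client verification, so with mod_ssl's default of `SSLVerifyClient none` any host that can reach this port is proxied to the plain-HTTP Jetty listener without presenting a certificate signed by the Puppet CA. If access is meant to be limited to Puppet clients at the TLS layer, add `SSLVerifyClient require` and `SSLVerifyDepth 1` after the CA line; the nginx template is not visible here, so confirm what it enforces. Revoked agent certificates would additionally need `SSLCARevocationCheck chain` with an `SSLCARevocationFile` pointing at the Puppet CA CRL, whose path is not shown on this page. If the restriction is instead handled by a firewall rule elsewhere in the class, a comment in the template saying so would keep the next editor from assuming the proxy authenticates callers.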