added manage_webserver param

Author: Tim Meusel

Modulefile

@@ -11,3 +11,4 @@ dependency 'puppetlabs/inifile', '>= 1.0.0'
 dependency 'puppetlabs/apache', '>= 1.0.1'
 dependency 'puppetlabs/puppetdb', '>= 2.0.0'
 dependency 'puppetlabs/stdlib', '>= 3.0.0'
+dependency 'jfryman/nginx', '>= 0.1.1'

README.markdown

@@ -52,6 +52,13 @@ Puppet 3.5 introduced a new way of handling Puppet environments known as _Direct
 
 Optionally, an `environmentpath` parameter can be supplied to configure the base root of Puppet environments, this defaults to `$confdir/environments`
 
+### Support for httpd and nginx ###
+
+    class { 'puppet::master':
+      webserver => 'nginx'
+    }
+
+The default installed webserver is httpd with passenger, but via the webserver param you can switch to nginx with unicorn (nginx is currently only tested on centos7, testers are welcome)
 
 ## Agent ##
     class { 'puppet::agent':

files/nginx.selmodule

@@ -22,7 +22,7 @@
 #  ['puppet_ssldir']            - Puppet sll directory
 #  ['puppet_docroot']           - Doc root to be configured in apache vhost
 #  ['puppet_vardir']            - Vardir used by puppet
-#  ['puppet_passenger_port']    - Port to configure passenger on default 8140
+#  ['puppet_proxy_port']        - Port to configure the proxy on - default 8140
 #  ['puppet_master_package']    - Puppet master package
 #  ['puppet_master_service']    - Puppet master service
 #  ['version']                  - Version of the puppet master package to install
@@ -32,7 +32,8 @@
 #  ['puppetdb_startup_timeout'] - The timeout for puppetdb
 #  ['dns_alt_names']            - Comma separated list of alternative DNS names
 #  ['digest_algorithm']         - The algorithm to use for file digests.
-#  ['webserver']                - install 'nginx' (with unicorn) or 'httpd' (with passanger)
+#  ['webserver']                - install 'nginx' (with unicorn) or 'httpd' (with passenger) - httpd is default
+#  ['listen_address']           - IP for binding the webserver, defaults to *
 #
 # Requires:
 #
@@ -73,7 +74,7 @@
   $puppet_ssldir              = $::puppet::params::puppet_ssldir,
   $puppet_docroot             = $::puppet::params::puppet_docroot,
   $puppet_vardir              = $::puppet::params::puppet_vardir,
-  $puppet_passenger_port      = $::puppet::params::puppet_passenger_port,
+  $puppet_proxy_port          = $::puppet::params::puppet_proy_port,
   $puppet_master_package      = $::puppet::params::puppet_master_package,
   $puppet_master_service      = $::puppet::params::puppet_master_service,
   $version                    = 'present',
@@ -84,12 +85,8 @@
   $puppetdb_strict_validation = $::puppet::params::puppetdb_strict_validation,
   $dns_alt_names              = ['puppet'],
   $digest_algorithm           = $::puppet::params::digest_algorithm,
-<<<<<<< HEAD
-  $webserver                  = 'httpd',
-  $manage_webserver           = false,
-=======
-  $manage_webserver           = undef,
->>>>>>> trying to remove service[http] deps
+  $webserver                  = $::puppet::params::default_webserver,
+  $listen_address             = $::puppet::params::listen_address,
 ) inherits puppet::params {
 
   anchor { 'puppet::master::begin': }
@@ -126,25 +123,29 @@
     }
   }
   case $webserver {
-    httpd: {
+    nginx: {
       Anchor['puppet::master::begin'] ->
-      class {'puppet::passenger':
-        puppet_passenger_port  => $puppet_passenger_port,
-        puppet_docroot         => $puppet_docroot,
-        apache_serveradmin     => $apache_serveradmin,
-        puppet_conf            => $::puppet::params::puppet_conf,
-        puppet_ssldir          => $puppet_ssldir,
-        certname               => $certname,
-        conf_dir               => $::puppet::params::confdir,
-        dns_alt_names          => join($dns_alt_names,','),
+      class {'puppet::unicorn':
+        listen_address    => $listen_address,
+        puppet_proxy_port => $puppet_proxy_port,
       } ->
       Anchor['puppet::master::end']
     }
-    nginx: {
+    default: {
       Anchor['puppet::master::begin'] ->
-      class {'puppet::unicorn':} ->
+      class {'puppet::passenger':
+        puppet_proxy_port   => $puppet_proxy_port,
+        puppet_docroot      => $puppet_docroot,
+        apache_serveradmin  => $apache_serveradmin,
+        puppet_conf         => $::puppet::params::puppet_conf,
+        puppet_ssldir       => $puppet_ssldir,
+        certname            => $certname,
+        conf_dir            => $::puppet::params::confdir,
+        dns_alt_names       => join($dns_alt_names,','),
+      } ->
       Anchor['puppet::master::end']
     }
+
   }
   service { $puppet_master_service:
     ensure    => stopped,

manifests/master.pp

@@ -23,14 +23,16 @@
   $manifest                         = '/etc/puppet/manifests/site.pp'
   $hiera_config                     = '/etc/puppet/hiera.yaml'
   $puppet_docroot                   = '/etc/puppet/rack/public/'
-  $puppet_passenger_port            = '8140'
+  $puppet_proxy_port                = '8140'
   $puppet_server_port               = '8140'
   $puppet_agent_enabled             = true
   $apache_serveradmin               = 'root'
   $parser                           = 'current'
   $puppetdb_strict_validation       = true
   $environments                     = 'config'
   $digest_algorithm                 = 'md5'
+  $listen_address                   = '*'
+  $default_webserver                = 'httpd'
 
   # Only used when environments == directory
   $environmentpath                  = '$confdir/environments'

manifests/params.pp

@@ -3,7 +3,7 @@
 # This class installs and configures the puppetdb terminus pacakge
 #
 # Parameters:
-#   ['puppet_passenger_port']    - The port for the virtual host
+#   ['puppet_proxy_port']    - The port for the virtual host
 #   ['puppet_docroot']           - Apache documnet root
 #   ['apache_serveradmin']       - The apache server admin
 #   ['puppet_conf']              - The puppet config dir
@@ -21,17 +21,17 @@
 #
 # Sample Usage:
 #   class { 'puppet::passenger':
-#           puppet_passenger_port  => 8140,
-#           puppet_docroot         => '/etc/puppet/docroot',
-#           apache_serveradmin     => 'wibble',
-#           puppet_conf            => '/etc/puppet/puppet.conf',
-#           puppet_ssldir          => '/var/lib/puppet/ssl',
-#           certname               => 'puppet.example.com',
-#           conf_dir               => '/etc/puppet',
+#           puppet_proxyr_port  => 8140,
+#           puppet_docroot      => '/etc/puppet/docroot',
+#           apache_serveradmin  => 'wibble',
+#           puppet_conf         => '/etc/puppet/puppet.conf',
+#           puppet_ssldir       => '/var/lib/puppet/ssl',
+#           certname            => 'puppet.example.com',
+#           conf_dir            => '/etc/puppet',
 #   }
 #
 class puppet::passenger(
-  $puppet_passenger_port,
+  $puppet_proxy_port,
   $puppet_docroot,
   $apache_serveradmin,
   $puppet_conf,
@@ -99,7 +99,7 @@
   }
 
   apache::vhost { "puppet-${certname}":
-    port              => $puppet_passenger_port,
+    port              => $puppet_proxy_port,
     priority          => '40',
     docroot           => $puppet_docroot,
     serveradmin       => $apache_serveradmin,

manifests/passenger.pp

@@ -1,12 +1,42 @@
-# this class installs nginx with unicorn in front of puppetmaster
-# tested only on centos 7
+# Class: puppet::unicorn
+#
+# Parameters:
+#  ['listen_address']     - IP for binding the nginx
+#  ['puppet_proxy_port']  - The port for the virtual host
+#
+# Actions:
+# - Configures nginx and unicorn for puppet master use. Tested only on CentOS 7
+#
+# Requires:
+# - nginx
+#
+# Sample Usage:
+#   class {'puppet::unicorn':
+#     listen_address    => '10.250.250.1',
+#     puppet_proxy_port => '8140',
+#   }
+#
+# written by Tim 'bastelfreak' Meusel
+# with big help from Rob 'rnelson0' Nelson
 
-class puppet::unicorn () {
+class puppet::unicorn (
+  $listen_address,
+  $puppet_proxy_port,
+){
   include nginx
   # install unicorn
+  unless defined(Package['ruby-devel']) {
+    package {'ruby-devel':
+      ensure  => 'latest',
+    }
+  }
+  package {'gcc':
+    ensure  => 'latest',
+  } ->
   package {['unicorn', 'rack']:
     ensure    => 'latest',
     provider  => 'gem',
+    require   => Package['ruby-devel'],
   } ->
   file {'copy-config':
     path    => '/etc/puppet/config.ru',
@@ -15,39 +45,54 @@
   file {'unicorn-conf':
     path    => '/etc/puppet/unicorn.conf',
     source  => 'puppet:///modules/puppet/unicorn.conf',
-    
   } ->
   file {'unicorn-service':
     path    => '/usr/lib/systemd/system/unicorn-puppetmaster.service',
     source  => 'puppet:///modules/puppet/unicorn-puppetmaster.service',
     notify  => Exec['systemd-reload'],
-  }
+  } ->
   exec{'systemd-reload':
     command     => '/usr/bin/systemctl daemon-reload',
-    refreshonly => 'true',
+    refreshonly => true,
     notify      => Service['unicorn-puppetmaster'],
-  }
+  } ->
   unless defined(Service['unicorn-puppetmaster']) {
     service{'unicorn-puppetmaster':
       ensure  => 'running',
-      enable  => 'enable',
+      enable  => true,
+      require => Exec['systemd-reload'],
+    }
+  }
+  # update SELinux
+  if $::selinux_config_mode == 'enforcing' {
+    file{'get-SEL-policy':
+      path    => '/usr/share/selinux/targeted/nginx.pp',
+      source  => 'puppet:///modules/puppet/nginx.selmodule',
+    } ->
+    package {'policycoreutils':
+      ensure  => 'latest',
+    } ->
+    selmodule{'nginx':
+      ensure      => 'present',
+      syncversion => true,
     }
   }
   # hacky vhost
   file {'puppetmaster-vhost':
     path    => '/etc/nginx/sites-available/puppetmaster',
-    source  => 'puppet:///modules/puppet/puppetmaster',
+    content => template('puppet/puppetmaster'),
   } ->
   file {'enable-puppetmaster-vhost':
-    path    => '/etc/nginx/sites-enabled/puppetmaster',
     ensure  => 'link',
+    path    => '/etc/nginx/sites-enabled/puppetmaster',
     target  => '/etc/nginx/sites-available/puppetmaster',
     notify  => Service['nginx'],
-  }
+  } ->
   unless defined(Service['nginx']) {
     service{'nginx':
       ensure  => 'running',
-      enable  => 'enable',
+      enable  => true,
+      require => File['enable-puppetmaster-vhost'],
     }
   }
 }

manifests/unicorn.pp

@@ -3,7 +3,7 @@
 describe 'puppet::passenger', :type => :class do
       let (:params) do
             {
-                :puppet_passenger_port  => '8140',
+                :puppet_proxy_port  => '8140',
                 :puppet_docroot         => '/etc/puppet/rack/public/',
                 :apache_serveradmin     => 'root',
                 :puppet_conf            => '/etc/puppet/puppet.conf',

spec/classes/puppet_passenger_spec.rb

@@ -10,6 +10,11 @@
         :lsbdistid       => 'Ubuntu'
       }
     end
+    let :params do
+      {
+        :mirror => 'http://apt.puppetlabs.com',
+      }
+    end
     it 'should contain puppetlabs apt repos' do
       should contain_apt__source('puppetlabs').with(
         :repos      => 'main',
@@ -31,6 +36,12 @@
         :operatingsystem => 'Redhat'
       }
     end
+    let :params do
+      {
+        :mirror   => 'http://yum.puppetlabs.com',
+        :priority => '1',
+      }
+    end
     it 'should add the redhat specific repoos' do
       should contain_yumrepo('puppetlabs').with(
         :baseurl  => 'http://yum.puppetlabs.com/el/$releasever/products/$basearch'

spec/classes/puppet_repo_puppetlabs_spec.rb

@@ -6,8 +6,8 @@ upstream puppetmaster_unicorn {
 # define our proxy for breaking up SSL
 server {
   ssl on; 
-  ssl_certificate /var/lib/puppet/ssl/certs/puppet.vps.hosteurope.de.pem;
-  ssl_certificate_key /var/lib/puppet/ssl/private_keys/puppet.vps.hosteurope.de.pem;
+  ssl_certificate /var/lib/puppet/ssl/certs/<%= @fqdn %>.pem;
+  ssl_certificate_key /var/lib/puppet/ssl/private_keys/<%= @fqdn %>.pem;
   ssl_verify_client optional;
   ssl_client_certificate /var/lib/puppet/ssl/ca/ca_crt.pem;
   ssl_protocols TLSv1.2;
@@ -20,7 +20,7 @@ server {
   proxy_set_header    X-Client-DN     $ssl_client_s_dn;
   proxy_set_header    X-SSL-Subject   $ssl_client_s_dn;
   proxy_set_header    X-SSL-Issuer    $ssl_client_i_dn;
-  listen 10.111.2.250:8140 ssl;
+  listen <%= @listen_address %>:<%= @puppet_proxy_port %> ssl;
   root /var/empty;
   location / { 
     proxy_pass http://puppetmaster_unicorn;