add nginx/unicorn support for puppet master on centos

this is a huge commit which adds support to install nginx on a centos7 node with unicorn backend. You can run an all-in-one node with puppet master/ca on it, or use it to configure a central ssl offloading proxy with puppet ca on it and several master backends and backups.

Author: Tim Meusel

README.markdown

@@ -13,6 +13,7 @@ as this module requires the passenger apache module.
 
 Requires the following modules from puppetforge: [stdlib](https://forge.puppetlabs.com/puppetlabs/stdlib), [apache](https://forge.puppetlabs.com/puppetlabs/apache), [concat](https://forge.puppetlabs.com/puppetlabs/concat), [inifile](https://forge.puppetlabs.com/puppetlabs/inifile)
 
+
 ## Usage Note ##
 
 If you are using this module to install a puppetmaster and serving the manifest of 
@@ -52,6 +53,13 @@ Puppet 3.5 introduced a new way of handling Puppet environments known as _Direct
 
 Optionally, an `environmentpath` parameter can be supplied to configure the base root of Puppet environments, this defaults to `$confdir/environments`
 
+### Support for httpd and nginx ###
+
+    class { 'puppet::master':
+      webserver => 'nginx'
+    }
+
+The default installed webserver is httpd with passenger, but via the webserver param you can switch to nginx with unicorn (nginx is currently only tested on centos7, testers are welcome). Note that if you have selinux enabled, you must have [this](https://github.com/gavinrogers/puppet-selinux) selinux module installed.
 
 ## Agent ##
     class { 'puppet::agent':

files/nginx.selmodule

@@ -31,6 +31,8 @@
 #   ['templatedir']           - Template dir, if unset it will remove the setting.
 #   ['configtimeout']         - How long the client should wait for the configuration to be retrieved before considering it a failure
 #   ['stringify_facts']       - Wether puppet transforms structured facts in strings or no. Defaults to true in puppet < 4, deprecated in puppet >=4 (and will default to false)
+#   ['serialization_format']  - defaults to undef, otherwise it sets the preferred_serialization_format param (currently only msgpack is supported)
+#   ['serialization_package'] - defaults to undef, if provided, we install this package, otherwise we fall back to the gem from 'serialization_format'
 #   ['cron_hour']             - What hour to run if puppet_run_style is cron
 #   ['cron_minute']           - What minute to run if puppet_run_style is cron
 #   ['serialization_format']  - defaults to undef, otherwise it sets the preferred_serialization_format param (currently only msgpack is supported)
@@ -454,3 +456,4 @@
     }
   }
 }
+

manifests/agent.pp

@@ -22,7 +22,8 @@
 #  ['puppet_ssldir']            - Puppet sll directory
 #  ['puppet_docroot']           - Doc root to be configured in apache vhost
 #  ['puppet_vardir']            - Vardir used by puppet
-#  ['puppet_passenger_port']    - Port to configure passenger on default 8140
+#  ['puppet_proxy_port']        - Port to configure the proxy on - default 8140
+#  ['puppet_conf']              - Path to the puppet main/agent/master config
 #  ['puppet_master_package']    - Puppet master package
 #  ['puppet_master_service']    - Puppet master service
 #  ['version']                  - Version of the puppet master package to install
@@ -37,6 +38,15 @@
 #  ['always_cache_features']    - if false (default), always try to load a feature even if a previous load failed
 #  ['serialization_format']     - defaults to undef, otherwise it sets the preferred_serialization_format param (currently only msgpack is supported)
 #  ['serialization_package']    - defaults to undef, if provided, we install this package, otherwise we fall back to the gem from 'serialization_format'
+#  ['webserver']                - install 'nginx' (with unicorn) or 'httpd' (with passenger) - httpd is default
+#  ['listen_address']           - IP for binding the webserver, defaults to *
+#  ['disable_ssl']              - Disables SSL on the webserver. usefull if you use this master behind a loadbalancer. currently only supported by nginx, defaults to undef
+#  ['backup_upstream']          - specify another puppet master as fallback. currently only supported by nginx
+#  ['unicorn_package']          - package name of a unicorn rpm. if provided we install it, otherwise we built it via gem/gcc
+#  ['unicorn_path']             - custom path to the unicorn binary
+#  ['disable_master']           - this disables the normal master, the server will only act as a CA, currently only supported by nginx
+#  ['upstream']                 - define additional masters reachable via tcp as an array, currently only supported by nginx
+#  ['backend_process_number']   - number of processes to start on the backebd webserver (unicorn/passenger), currently only supported by unicorn
 #
 # Requires:
 #
@@ -77,7 +87,7 @@
   $puppet_ssldir                = $::puppet::params::puppet_ssldir,
   $puppet_docroot               = $::puppet::params::puppet_docroot,
   $puppet_vardir                = $::puppet::params::puppet_vardir,
-  $puppet_passenger_port        = $::puppet::params::puppet_passenger_port,
+  $puppet_proxy_port            = $::puppet::params::puppet_proxy_port,
   $puppet_passenger_tempdir     = false,
   $puppet_passenger_cfg_addon   = '',
   $puppet_master_package        = $::puppet::params::puppet_master_package,
@@ -99,7 +109,17 @@
   $passenger_max_requests       = 10000,
   $passenger_stat_throttle_rate = 30,
   $serialization_format         = undef,
-  $serialization_package        = undef,
+  $serialization_package        = undef, 
+  $webserver                    = $::puppet::params::default_webserver,
+  $listen_address               = $::puppet::params::listen_address,
+  $disable_ssl                  = $::puppet::params::disable_ssl,
+  $backup_upstream              = $::puppet::params::backup_upstream,
+  $unicorn_path                 = $::puppet::params::unicorn_path,
+  $unicorn_package              = $::puppet::params::unicorn_package,
+  $disable_master               = $::puppet::params::disable_master,
+  $upstream                     = $::puppet::params::upstream,
+  $backend_process_number       = $::puppet::params::backend_process_number,
+
 ) inherits puppet::params {
 
   anchor { 'puppet::master::begin': }
@@ -135,28 +155,49 @@
       ensure         => $version,
     }
   }
+  case $webserver {
+    nginx: {
+      Anchor['puppet::master::begin'] ->
+      class {'puppet::unicorn':
+        certname               => $certname,
+        puppet_conf            => $puppet_conf,
+        puppet_ssldir          => $puppet_ssldir,
+        dns_alt_names          => $dns_alt_names,
+        listen_address         => $listen_address,
+        puppet_proxy_port      => $puppet_proxy_port,
+        disable_ssl            => $disable_ssl,
+        backup_upstream        => $backup_upstream,
+        unicorn_package        => $unicorn_package,
+        unicorn_path           => $unicorn_path,
+        disable_master         => $disable_master,
+        upstream               => $upstream,
+        backend_process_number => $backend_process_number,
+      } ->
+      Anchor['puppet::master::end']
+    }
+    default: {
+      Anchor['puppet::master::begin'] ->
+      class {'puppet::passenger':
+        puppet_proxy_port             => $puppet_proxy_port,
+        puppet_docroot                => $puppet_docroot,
+        apache_serveradmin            => $apache_serveradmin,
+        puppet_conf                   => $::puppet::params::puppet_conf,
+        puppet_ssldir                 => $puppet_ssldir,
+        certname                      => $certname,
+        conf_dir                      => $::puppet::params::confdir,
+        dns_alt_names                 => join($dns_alt_names,','),
+        generate_ssl_certs            => $generate_ssl_certs,
+        puppet_passenger_tempdir      => $puppet_passenger_tempdir,
+        config_addon                  => $puppet_passenger_cfg_addon,
+        passenger_max_pool_size       => $passenger_max_pool_size,
+        passenger_high_performance    => $passenger_high_performance,
+        passenger_max_requests        => $passenger_max_requests,
+        passenger_stat_throttle_rate  => $passenger_stat_throttle_rate,
 
-  Anchor['puppet::master::begin'] ->
-  class {'puppet::passenger':
-    puppet_passenger_port        => $puppet_passenger_port,
-    puppet_docroot               => $puppet_docroot,
-    apache_serveradmin           => $apache_serveradmin,
-    puppet_conf                  => $::puppet::params::puppet_conf,
-    puppet_ssldir                => $puppet_ssldir,
-    certname                     => $certname,
-    conf_dir                     => $::puppet::params::confdir,
-    dns_alt_names                => join($dns_alt_names,','),
-    generate_ssl_certs           => $generate_ssl_certs,
-    puppet_passenger_tempdir     => $puppet_passenger_tempdir,
-    config_addon                 => $puppet_passenger_cfg_addon,
-    passenger_max_pool_size      => $passenger_max_pool_size,
-    passenger_high_performance   => $passenger_high_performance,
-    passenger_max_requests       => $passenger_max_requests,
-    passenger_stat_throttle_rate => $passenger_stat_throttle_rate,
-
-  } ->
-  Anchor['puppet::master::end']
-
+      } ->
+      Anchor['puppet::master::end']
+    }
+  }
   service { $puppet_master_service:
     ensure  => stopped,
     enable  => false,
@@ -170,12 +211,12 @@
       require => File[$::puppet::params::confdir],
       owner   => $::puppet::params::puppet_user,
       group   => $::puppet::params::puppet_group,
-      notify  => Service['httpd'],
+      notify  => Service[$webserver],
     }
   }
   else {
     File<| title == $::puppet::params::puppet_conf |> {
-      notify  => Service['httpd'],
+      notify  => Service[$webserver],
     }
   }
 
@@ -186,12 +227,12 @@
       require => Package[$puppet_master_package],
       owner   => $::puppet::params::puppet_user,
       group   => $::puppet::params::puppet_group,
-      notify  => Service['httpd'],
+      notify  => Service[$webserver],
     }
   }
   else {
     File<| title == $::puppet::params::confdir |> {
-      notify  +> Service['httpd'],
+      notify  +> Service[$webserver],
       require +> Package[$puppet_master_package],
     }
   }
@@ -200,7 +241,7 @@
     ensure  => directory,
     owner   => $::puppet::params::puppet_user,
     group   => $::puppet::params::puppet_group,
-    notify  => Service['httpd'],
+    notify  => Service[$webserver],
     require => Package[$puppet_master_package]
   }
 
@@ -209,7 +250,7 @@
     class { 'puppet::storeconfigs':
       dbserver                   => $storeconfigs_dbserver,
       dbport                     => $storeconfigs_dbport,
-      puppet_service             => Service['httpd'],
+      puppet_service             => Service[$webserver],
       puppet_confdir             => $::puppet::params::confdir,
       puppet_conf                => $::puppet::params::puppet_conf,
       puppet_master_package      => $puppet_master_package,
@@ -223,7 +264,7 @@
   Ini_setting {
       path    => $::puppet::params::puppet_conf,
       require => File[$::puppet::params::puppet_conf],
-      notify  => Service['httpd'],
+      notify  => Service[$webserver],
       section => 'master',
   }
 
@@ -332,21 +373,6 @@
     setting => 'digest_algorithm',
     value   => $digest_algorithm,
   }
-
-  if $strict_variables != undef {
-    validate_bool(str2bool($strict_variables))
-    ini_setting {'puppetmasterstrictvariables':
-      ensure  => present,
-      setting => 'strict_variables',
-      value   => $strict_variables,
-    }
-  }
-  validate_bool(str2bool($always_cache_features))
-  ini_setting { 'puppetmasteralwayscachefeatures':
-    ensure  => present,
-    setting => 'always_cache_features',
-    value   => $always_cache_features,
-  }
   if $serialization_format != undef {
     if $serialization_package != undef {
       package { $serialization_package:
@@ -356,18 +382,18 @@
       if $serialization_format == 'msgpack' {
         unless defined(Package[$::puppet::params::ruby_dev]) {
           package {$::puppet::params::ruby_dev:
-            ensure  => 'latest',
+            ensure  => latest,
           }
         }
         unless defined(Package['gcc']) {
           package {'gcc':
-            ensure  => 'latest',
+            ensure  => latest,
           }
         }
         unless defined(Package['msgpack']) {
           package {'msgpack':
-            ensure   => 'latest',
-            provider => 'gem',
+            ensure   => latest,
+            provider => gem,
             require  => Package[$::puppet::params::ruby_dev, 'gcc'],
           }
         }
@@ -378,5 +404,19 @@
       value   => $serialization_format,
     }
   }
+  if $strict_variables != undef {
+    validate_bool(str2bool($strict_variables))
+    ini_setting {'puppetmasterstrictvariables':
+      ensure  => present,
+      setting => 'strict_variables',
+      value   => $strict_variables,
+    }
+  }
+  validate_bool(str2bool($always_cache_features))
+  ini_setting { 'puppetmasteralwayscachefeatures':
+    ensure  => present,
+    setting => 'always_cache_features',
+    value   => $always_cache_features,
+  }
   anchor { 'puppet::master::end': }
 }

manifests/master.pp

@@ -23,7 +23,8 @@
   $manifest                         = '/etc/puppet/manifests/site.pp'
   $hiera_config                     = '/etc/puppet/hiera.yaml'
   $puppet_docroot                   = '/etc/puppet/rack/public/'
-  $puppet_passenger_port            = '8140'
+  $puppet_proxy_port                = '8140'
+  $puppet_passenger_tempdir         = '/var/run/rubygem-passenger'
   $puppet_server_port               = '8140'
   $puppet_agent_enabled             = true
   $apache_serveradmin               = 'root'
@@ -34,6 +35,15 @@
   $puppet_run_interval              = 30
   $classfile                        = '$statedir/classes.txt'
   $package_provider                 = undef # falls back to system default
+  $listen_address                   = '*'
+  $default_webserver                = 'httpd'
+  $disable_ssl                      = undef
+  $backup_upstream                  = []
+  $unicorn_package                  = undef
+  $unicorn_path                     = '/usr/local/bin/unicorn'
+  $disable_master                   = false
+  $upstream                         = []
+  $backend_process_number           = $::processorcount
 
   # Only used when environments == directory
   $environmentpath                  = "${confdir}/environments"
@@ -90,6 +100,17 @@
       $puppet_vardir                = '/var/lib/puppet'
       $puppet_ssldir                = '/etc/puppet/ssl'
     }
+    'Archlinux': {
+      $puppet_master_package        = 'puppet'
+      $puppet_agent_service         = 'puppet.service'
+      $puppet_agent_package         = 'puppet'
+      $puppet_conf                  = '/etc/puppet/puppet.conf'
+      $puppet_vardir                = '/var/lib/puppet'
+      $puppet_ssldir                = '/var/lib/puppet/ssl'
+      $passenger_package            = 'passenger'
+      $rack_package                 = 'ruby-rack'
+      $ruby_dev                     = 'ruby'
+    }
     default: {
       err('The Puppet module does not support your os')
     }

manifests/params.pp

@@ -3,14 +3,14 @@
 # This class installs and configures the puppetdb terminus pacakge
 #
 # Parameters:
-#   ['generate_ssl_certs']       - Generate ssl certs (false to disable)
-#   ['puppet_passenger_port']    - The port for the virtual host
-#   ['puppet_docroot']           - Apache documnet root
-#   ['apache_serveradmin']       - The apache server admin
-#   ['puppet_conf']              - The puppet config dir
-#   ['puppet_ssldir']            - The pupet ssl dir
-#   ['certname']                 - The puppet certname
-#   [conf_dir]                   - The configuration directory of the puppet install
+#   ['puppet_proxy_port']   - The port for the virtual host
+#   ['generate_ssl_certs']  - Generate ssl certs (false to disable)
+#   ['puppet_docroot']      - Apache documnet root
+#   ['apache_serveradmin']  - The apache server admin
+#   ['puppet_conf']         - The puppet config dir
+#   ['puppet_ssldir']       - The pupet ssl dir
+#   ['certname']            - The puppet certname
+#   [conf_dir]              - The configuration directory of the puppet install
 #
 # Actions:
 # - Configures apache and passenger for puppet master use.
@@ -22,18 +22,18 @@
 #
 # Sample Usage:
 #   class { 'puppet::passenger':
-#           puppet_passenger_port  => 8140,
-#           puppet_docroot         => '/etc/puppet/docroot',
-#           apache_serveradmin     => 'wibble',
-#           puppet_conf            => '/etc/puppet/puppet.conf',
-#           puppet_ssldir          => '/var/lib/puppet/ssl',
-#           certname               => 'puppet.example.com',
-#           conf_dir               => '/etc/puppet',
+#           puppet_proxy_port   => 8140,
+#           puppet_docroot      => '/etc/puppet/docroot',
+#           apache_serveradmin  => 'wibble',
+#           puppet_conf         => '/etc/puppet/puppet.conf',
+#           puppet_ssldir       => '/var/lib/puppet/ssl',
+#           certname            => 'puppet.example.com',
+#           conf_dir            => '/etc/puppet',
 #   }
 #
 class puppet::passenger(
   $generate_ssl_certs = true,
-  $puppet_passenger_port,
+  $puppet_proxy_port,
   $puppet_passenger_tempdir = false,
   $puppet_docroot,
   $apache_serveradmin,
@@ -110,7 +110,7 @@
   }
 
   apache::vhost { "puppet-${certname}":
-    port                 => $puppet_passenger_port,
+    port                 => $puppet_proxy_port,
     priority             => '40',
     docroot              => $puppet_docroot,
     serveradmin          => $apache_serveradmin,
@@ -181,3 +181,4 @@
     require => File[$puppet_conf],
   }
 }
+