add support for nginx/unicorn

modified puppet::master class for using $webserver.
this can be httpd for apache/passanger or nginx for nginx/unicorn.
nginx is currently only tested on centos7, but should work on evers OS with systemd

the nginx vhost definition is currently a simple file ressource, this should be changed
to nginx::resource:vhost in the future

Author: Tim Meusel

files/puppetmaster

@@ -0,0 +1,32 @@
+# define the new unicorn backend
+upstream puppetmaster_unicorn {
+  server unix:/var/run/puppet/puppetmaster_unicorn.sock fail_timeout=0;
+}
+
+# define our proxy for breaking up SSL
+server {
+  ssl on; 
+  ssl_certificate /var/lib/puppet/ssl/certs/puppet.vps.hosteurope.de.pem;
+  ssl_certificate_key /var/lib/puppet/ssl/private_keys/puppet.vps.hosteurope.de.pem;
+  ssl_verify_client optional;
+  ssl_client_certificate /var/lib/puppet/ssl/ca/ca_crt.pem;
+  ssl_protocols TLSv1.2;
+  ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA';
+  proxy_set_header    Host            $host;
+  proxy_set_header    X-Real-IP       $remote_addr;
+  proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
+  proxy_set_header    X-Scheme        $scheme;
+  proxy_set_header    X-Client-Verify $ssl_client_verify;
+  proxy_set_header    X-Client-DN     $ssl_client_s_dn;
+  proxy_set_header    X-SSL-Subject   $ssl_client_s_dn;
+  proxy_set_header    X-SSL-Issuer    $ssl_client_i_dn;
+  listen 10.111.2.250:8140 ssl;
+  root /var/empty;
+  location / { 
+    proxy_pass http://puppetmaster_unicorn;
+    proxy_redirect off;
+  }
+  access_log /var/log/nginx/puppetmaster-access.log;
+  error_log  /var/log/nginx/puppetmaster-error.log;
+}
+

files/unicorn-puppetmaster.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=Puppet master served by Unicorn
+
+[Service]
+ExecStart=/usr/local/bin/unicorn -c /etc/puppet/unicorn.conf
+ExecReload=/usr/bin/kill -s HUP $MAINPID
+PrivateTmp=yes
+# this would be cool, but then the puppetmaster can't reach the puppetdb
+#PrivateNetwork=yes
+User=puppet
+Group=puppet
+
+[Install]
+WantedBy=multi-user.target

files/unicorn.conf

@@ -0,0 +1,26 @@
+worker_processes 16
+working_directory "/etc/puppet"
+listen '/var/run/puppet/puppetmaster_unicorn.sock', :backlog => 512 
+timeout 180 
+pid "/var/run/puppet/puppetmaster_unicorn.pid"
+
+# prevent caching of puppetmaster. sucks for auto deployment
+preload_app false
+if GC.respond_to?(:copy_on_write_friendly=)
+  GC.copy_on_write_friendly = true
+end
+
+before_fork do |server, worker|
+  old_pid = "#{server.config[:pid]}.oldbin"
+  if File.exists?(old_pid) && server.pid != old_pid
+    begin
+      Process.kill("QUIT", File.read(old_pid).to_i)
+    rescue Errno::ENOENT, Errno::ESRCH
+      # someone else did our job for us
+    end 
+  end 
+end
+
+# disable default logging
+stdout_path "/dev/null"
+stderr_path "/dev/null"

manifests/master.pp

@@ -137,7 +137,8 @@
     }
     nginx: {
       Anchor['puppet::master::begin'] ->
-        class {'puppet::unicorn':}
+      class {'puppet::unicorn':} ->
+      Anchor['puppet::master::end']
     }
   }
   service { $puppet_master_service:

manifests/unicorn.pp

@@ -1,7 +1,54 @@
-# this class installs nginx with unicorn infront of puppetmaster
+# this class installs nginx with unicorn in front of puppetmaster
+# tested only on centos 7
+
 class puppet::unicorn () {
   include nginx
-#  nginx::resource::vhost {'puppetmaster':
-#    www_root => '/var/empty',
-#  }
+  # install unicorn
+  package {['unicorn', 'rack']:
+    ensure    => 'latest',
+    provider  => 'gem',
+  } ->
+  file {'copy-config':
+    path    => '/etc/puppet/config.ru',
+    source  => '/usr/share/puppet/ext/rack/config.ru',
+  } ->
+  file {'unicorn-conf':
+    path    => '/etc/puppet/unicorn.conf',
+    source  => 'puppet:///modules/puppet/unicorn.conf',
+    
+  } ->
+  file {'unicorn-service':
+    path    => '/usr/lib/systemd/system/unicorn-puppetmaster.service',
+    source  => 'puppet:///modules/puppet/unicorn-puppetmaster.service',
+    notify  => Exec['systemd-reload'],
+  }
+  exec{'systemd-reload':
+    exec        => 'systemctl daemon-reload',
+    refreshonly => 'true',
+    notify      => Service['unicorn-puppetmaster'],
+  }
+  unless defined(Service['unicorn-puppetmaster']) {
+    service{'unicorn-puppetmaster':
+      ensure  => 'running',
+      enable  => 'enable',
+    }
+  }
+  # hacky vhost
+  file {'puppetmaster-vhost':
+    path    => '/etc/nginx/sites-available/puppetmaster',
+    source  => 'puppet:///puppet/puppetmaster',
+  } ->
+  file {'enable-puppetmaster-vhost':
+    path    => '/etc/nginx/sites-enabled/puppetmaster',
+    ensure  => 'link',
+    target  => '/etc/nginx/sites-available/puppetmaster',
+    notify  => Service['nginx'],
+  }
+  unless defined(Service['nginx']) {
+    service{'nginx':
+      ensure  => 'running',
+      enable  => 'enable',
+    }
+  }
 }
+