Puppet Class: puppet::server::unicorn

Defined in:
manifests/server/unicorn.pp

Overview

Private class



# File 'manifests/server/unicorn.pp', line 2

# Serve the Puppet master Rack application through unicorn, with nginx in
# front terminating TLS on port 8140 and proxying to unicorn over a unix
# socket. nginx does the client-certificate check and hands the verification
# result to the Rack app in request headers (see proxy_set_header below), so
# the Rack app must only ever be reachable through this nginx vhost.
#
# Private class: not meant to be declared directly. Reads its settings from
# the puppet and puppet::server classes.
class puppet::server::unicorn {

  include puppet
  include puppet::server::rack
  include nginx

  # The standalone (non-Rack) master must be stopped before the nginx vhost
  # and the unicorn app take over the same port / socket.
  class { 'puppet::server::standalone':
    enabled => false,
    before  => [
      Nginx::Resource::Vhost['puppetmaster'],
      Unicorn::App['puppetmaster'],
    ],
  }

  # Local unix socket between nginx and unicorn. Because the upstream is a
  # filesystem socket rather than a TCP port, remote clients cannot bypass
  # nginx and talk to unicorn directly (and forge the X-Client-* headers);
  # the socket's permissions still need to admit the nginx worker user and
  # nobody else beyond the puppet user/group it is created as.
  $unicorn_socket = "unix:${puppet::rundir}/puppetmaster_unicorn.sock"

  nginx::resource::vhost { 'puppetmaster':
    server_name          => [$puppet::server::servername],
    listen_ip            => $puppet::server::bindaddress,
    ssl                  => true,
    ssl_port             => '8140',
    listen_port          => '8140', # force ssl_only by matching ssl_port
    # Server cert/key come straight from the Puppet CA's ssldir.
    ssl_cert             => "${puppet::ssldir}/certs/${puppet::server::servername}.pem",
    ssl_key              => "${puppet::ssldir}/private_keys/${puppet::server::servername}.pem",
    # Cipher suites and protocol versions are operator-controlled via
    # puppet::server; they are not hard-coded here.
    ssl_ciphers          => $puppet::server::ssl_ciphers,
    ssl_protocols        => $puppet::server::ssl_protocols,
    use_default_location => false,
    vhost_cfg_append     => {
      # Revocation list from the Puppet CA. NOTE(review): nginx reads this
      # file at start/reload, so a CRL regenerated by the CA is only honoured
      # after nginx is reloaded -- confirm something triggers that.
      ssl_crl                => "${puppet::ssldir}/crl.pem",
      # Agent certificates are verified against the Puppet CA cert.
      ssl_client_certificate => "${puppet::ssldir}/certs/ca.pem",
      # 'optional' rather than 'on': the TLS handshake succeeds without a
      # client cert, presumably so agents that do not yet hold a signed
      # certificate can still reach the CA endpoints. The Rack app is
      # therefore responsible for enforcing authorisation from the
      # X-Client-Verify header, which is SUCCESS/FAILED/NONE per request.
      ssl_verify_client      => 'optional',
      # Identity headers consumed by the Rack master. nginx sets these from
      # its own TLS state on every proxied request, replacing any same-named
      # header supplied by the client.
      proxy_set_header       => [ 'Host $host',
                                  'X-Real-IP $remote_addr',
                                  'X-Forwarded-For $proxy_add_x_forwarded_for',
                                  'X-Client-Verify $ssl_client_verify',
                                  'X-Client-DN $ssl_client_s_dn',
                                  'X-SSL-Issuer $ssl_client_i_dn'],
      # No static content is served from this vhost.
      root                   => '/usr/share/empty',
    }
  }
  # Everything not matched by a more specific location goes to unicorn.
  nginx::resource::location { 'unicorn_upstream':
    ensure              => present,
    location            => '/',
    vhost               => 'puppetmaster',
    # Empty on purpose: the location inherits the server-level
    # proxy_set_header list above instead of defining its own.
    proxy_set_header    => [],
    location_custom_cfg => {
      proxy_pass            => 'http://puppetmaster_unicorn',
      proxy_redirect        => 'off',
      proxy_connect_timeout => '90',
      proxy_read_timeout    => '300',
    },
    # this priority sets concat order so that the location is created inside
    # the server block. This works around a possible bug in jfryman/nginx.
    priority            => 701,
  }
  nginx::resource::upstream { 'puppetmaster_unicorn':
    members => [
      $unicorn_socket
    ],
  }

  # Optional delegation of the CA endpoints to an external CA. The regex
  # matches any '/<env>/certificate...' path (certificate, certificate_request,
  # certificate_revocation_list, certificate_status, ...); as a regex location
  # it takes precedence over the '/' prefix location regardless of priority.
  if ! empty( $::puppet::server::external_ca )
  {
    nginx::resource::location { 'external_certificate_authority_proxy':
      ensure              => present,
      location            => '~ ^/.*/certificate.*',
      vhost               => 'puppetmaster',
      # Inherit the server-level identity headers (see vhost above).
      proxy_set_header    => [],
      location_custom_cfg => {
        # NOTE(review): if external_ca is an https:// URL, nginx does not
        # verify the upstream certificate unless proxy_ssl_verify and
        # proxy_ssl_trusted_certificate are also configured -- confirm how
        # this URL is set before relying on it for CSR/cert traffic.
        proxy_pass            => $puppet::server::external_ca,
        proxy_redirect        => 'off',
        proxy_connect_timeout => '90',
        proxy_read_timeout    => '300',
      },
      # this priority sets concat order so that the location is created inside
      # the server block. This works around a possible bug in jfryman/nginx.
      priority            => 701,
    }
  }

  # The Rack master itself, run as the puppet user/group from confdir and
  # listening only on the unix socket declared above. It must be up before
  # nginx starts so the upstream socket exists.
  unicorn::app { 'puppetmaster':
    approot     => $puppet::confdir,
    config_file => "${puppet::confdir}/unicorn.conf",
    pidfile     => "${puppet::rundir}/puppetmaster_unicorn.pid",
    socket      => $unicorn_socket,
    logdir      => $puppet::logdir,
    user        => $puppet::user,
    group       => $puppet::group,
    before      => Service['nginx'],
#    export_home => $::confdir, # uncomment pending https://github.com/puppetlabs-operations/puppet-unicorn/pull/14
  }
}