path: root/manifests/web.pp
Diffstat (limited to 'manifests/web.pp')
-rw-r--r--manifests/web.pp165
1 files changed, 165 insertions, 0 deletions
diff --git a/manifests/web.pp b/manifests/web.pp
new file mode 100644
index 0000000..f89ac4e
--- /dev/null
+++ b/manifests/web.pp
@@ -0,0 +1,165 @@
+# @summary A concourse web node.
+# @param service
+# The name of the system service.
+# This service WILL be managed by us.
+# @param service_unit
+# Exact unit name (in terms of systemd) of the service.
+# @param conf_file
+# Where configuration environment variables will be stored.
+# Currently hard-coded in the service file.
+# @param conf_dir
+# Where additional environment files will be stored. Used (at
+# least) by each auth resource.
+# @param purge_conf_dir
+# Should the directory mentioned in `conf_dir` be purged. If this
+# is true then decomissioning sub-configurations are done by simply
+# removing that resource.
+# @param ensure
+# @param cluster
+# If this web node is part of a cluster of web nodes, name that
+# cluster. This will create an `nginx::resoruce::upstream::member`
+# resource for this node, which should be realized by
+# `concourse::proxy::nginx`
+#
+# Also requires `peer_address` to be set
+#
+# @param peer_address
+# Peer address used when used in a cluster
+#
+# Also requires `cluster` to be set.
+#
+# Remaining keys maps directly to concourse configurations.
+class concourse::web (
+ String $postgres_user = lookup("concourse::${cluster}::postgres_user"),
+ Variant[String, Sensitive[String]] $postgres_password = lookup("concourse::${cluster}::postgres_password"),
+
+ Variant[String, Sensitive[String]] $session_signing_key = lookup("concourse::${cluster}::session_signing_key"),
+ Variant[String, Sensitive[String]] $tsa_private_key = lookup("concourse::${cluster}::tsa_private_key"),
+ Variant[String, Sensitive[String]] $tsa_public_key = lookup("concourse::${cluster}::tsa_public_key"),
+ Array[String] $worker_public_keys = [],
+
+ String $key_dir = '/usr/lib/concourse',
+ String $session_signing_key_file = "${key_dir}/session_signing_key",
+ String $tsa_host_key_file = "${key_dir}/tsa_host_key",
+ String $tsa_authorized_keys_file = "${key_dir}/authorized_worker_keys",
+
+ String $cluster = 'default',
+ Optional[String] $peer_address = undef,
+
+ Optional[String] $postgres_host = undef,
+ Optional[String] $postgres_port = undef,
+ Optional[Stdlib::Unixpath] $postgres_socket = undef,
+
+ Optional[String] $postgres_database = undef,
+
+ Optional[String] $external_url = undef,
+
+ Optional[Integer] $api_max_conns = undef,
+ Optional[Integer] $backend_max_conns = undef,
+
+ String $service = 'concourse',
+ String $service_unit = "${service}.service",
+ Std::AbsolutePath $conf_file = '/etc/conf.d/concourse',
+ Std::AbsolutePath $conf_dir = '/etc/conf.d/concourse.d',
+ Boolean $purge_conf_dir = true,
+ Enum['absent', 'present'] $ensure = 'present',
+
+ Array[String] $packages = [
+ 'concourse',
+ 'councourse-resource-types',
+ ],
+) {
+ include concourse
+
+ ensure_packages($packages, {
+ ensure => $ensure,
+ })
+
+ $env = {
+ 'CONCOURSE_SESSION_SIGNING_KEY' => $session_signing_key_file,
+ 'CONCOURSE_TSA_HOST_KEY' => $tsa_host_key_file,
+ 'CONCOURSE_TSA_AUTHORIZED_KEYS' => $tsa_authorized_keys_file,
+ 'CONCOURSE_POSTGRES_USER' => $postgres_user,
+ 'CONCOURSE_POSTGRES_PASSWORD' => $postgres_password ? {
+ String => $postgres_password,
+ default => $postgres_password.unwrap,
+ },
+ 'CONCOURSE_CLUSTER' => $cluster,
+ 'CONCOURSE_PEER_ADDRESS' => $peer_address,
+ 'CONCOURSE_POSTGRES_HOST' => $postgres_host,
+ 'CONCOURSE_POSTGRES_PORT' => $postgres_port,
+ 'CONCOURSE_POSTGRES_SOCKET' => $postgres_socket,
+ 'CONCOURSE_POSTGRES_DATABASE' => $postgres_database,
+ 'CONCOURSE_EXTERNAL_URL' => $external_url,
+ 'CONCOURSE_API_MAX_CONNS' => $api_max_conns,
+ 'CONCOURSE_BACKEND_MAX_CONNS' => $backend_max_conns,
+ }
+
+ file { $conf_file:
+ ensure => $ensure,
+ mode => '0600',
+ show_diff => false,
+ content => epp("${module_name}/env.epp", $env),
+ }
+
+ file { $conf_dir:
+ ensure => if $ensure == 'present' { 'directory' } else { 'absent' },
+ purge => $purge_conf_dir,
+ recurse => true,
+ notify => Service[$service],
+ }
+
+ file { $key_dir:
+ ensure => if $ensure == 'present' { 'directory' } else { 'absent' },
+ mode => '0700',
+ recurse => true,
+ forge => true,
+ }
+
+ file {
+ default:
+ ensure => $ensure,
+ mode => '0600',
+ ;
+ $session_signing_key_file:
+ content => $session_signing_key,
+ ;
+ $tsa_host_key_file:
+ conent => $tsa_private_key,
+ ;
+ "${tsa_host_key_file}.pub":
+ content => $tsa_public_key,
+ ;
+ }
+
+ concat { "authorized_workers_key - ${cluster}":
+ target => $tsa_authorized_keys_file,
+ warning => '# File managed by puppet, local changes WILL be overwritten',
+ ensure_newline => true,
+ }
+
+ $worker_public_keys.each |$key| {
+ concat::fragment { sha1($key):
+ content => $key,
+ target => "authorized_worker_keys - ${cluster}",
+ }
+ }
+
+ Worker_key <<| cluster == $cluster |>>
+
+ systemd::unit_file { $service_unit:
+ ensure => $ensure,
+ source => "puppet:///modules/${module_name}/concourse-web.service",
+ } ~> service { $service:
+ ensure => if $ensure == 'present' { 'running' } else { 'stopped' },
+ enable => true,
+ }
+
+ if $peer_address {
+ @@nginx::resource::upstream::member { $facts['trusted']['certname']:
+ ensure => $ensure,
+ upstream => "concourse - ${cluster}",
+ server => $peer_address,
+ }
+ }
+}
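Review bot: The `$postgres_password` value is unwrapped in the `'CONCOURSE_POSTGRES_PASSWORD'` entry and rendered through `epp()` into a plain string, so the plaintext password lands in the compiled catalog and agent reports even though `show_diff => false` hides the on-disk diff; wrapping the rendered content, `content => Sensitive(epp("${module_name}/env.epp", $env)),`, keeps it redacted end to end. Several typos will stop the catalog from compiling or silently break the authorized-keys file: `conent => $tsa_private_key` and `forge => true` are not valid `file` attributes (`content` and `force` were presumably intended), and the `concat` is titled `"authorized_workers_key - ${cluster}"` while its fragments target `"authorized_worker_keys - ${cluster}"`. The defaults for `$postgres_user`, `$postgres_password` and the three key parameters interpolate `$cluster`, which is only declared further down the parameter list; Puppet evaluates parameter defaults in order, so `$cluster` needs to move above them. `Std::AbsolutePath` on `$conf_file` and `$conf_dir` looks like a typo for `Stdlib::Absolutepath` (compare `Stdlib::Unixpath` on `$postgres_socket`) unless the module defines that alias. Neither `$conf_file` nor the key files notify `Service[$service]`, so a rotated password or key is written to disk but the running web node keeps its old configuration until something else restarts it.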