Diffstat (limited to 'manifests/web.pp')
-rw-r--r-- | manifests/web.pp | 165 |
1 files changed, 165 insertions, 0 deletions
diff --git a/manifests/web.pp b/manifests/web.pp
new file mode 100644
index 0000000..f89ac4e
--- /dev/null
+++ b/manifests/web.pp
@@ -0,0 +1,165 @@
+# @summary A concourse web node.
+# @param service
+# The name of the system service.
+# This service WILL be managed by us.
+# @param service_unit
+# Exact unit name (in terms of systemd) of the service.
+# @param conf_file
+# Where configuration environment variables will be stored.
+# Currently hard-coded in the service file.
+# @param conf_dir
+# Where additional environment files will be stored. Used (at
+# least) by each auth resource.
+# @param purge_conf_dir
+# Should the directory mentioned in `conf_dir` be purged. If this
+# is true then decomissioning sub-configurations are done by simply
+# removing that resource.
+# @param ensure
+# @param cluster
+# If this web node is part of a cluster of web nodes, name that
+# cluster. This will create an `nginx::resoruce::upstream::member`
+# resource for this node, which should be realized by
+# `concourse::proxy::nginx`
+#
+# Also requires `peer_address` to be set
+#
+# @param peer_address
+# Peer address used when used in a cluster
+#
+# Also requires `cluster` to be set.
+#
+# Remaining keys maps directly to concourse configurations.
+class concourse::web (
+ String $postgres_user = lookup("concourse::${cluster}::postgres_user"),
+ Variant[String, Sensitive[String]] $postgres_password = lookup("concourse::${cluster}::postgres_password"),
+
+ Variant[String, Sensitive[String]] $session_signing_key = lookup("concourse::${cluster}::session_signing_key"),
+ Variant[String, Sensitive[String]] $tsa_private_key = lookup("concourse::${cluster}::tsa_private_key"),
+ Variant[String, Sensitive[String]] $tsa_public_key = lookup("concourse::${cluster}::tsa_public_key"),
+ Array[String] $worker_public_keys = [],
+
+ String $key_dir = '/usr/lib/concourse',
+ String $session_signing_key_file = "${key_dir}/session_signing_key",
+ String $tsa_host_key_file = "${key_dir}/tsa_host_key",
+ String $tsa_authorized_keys_file = "${key_dir}/authorized_worker_keys",
+
+ String $cluster = 'default',
+ Optional[String] $peer_address = undef,
+
+ Optional[String] $postgres_host = undef,
+ Optional[String] $postgres_port = undef,
+ Optional[Stdlib::Unixpath] $postgres_socket = undef,
+
+ Optional[String] $postgres_database = undef,
+
+ Optional[String] $external_url = undef,
+
+ Optional[Integer] $api_max_conns = undef,
+ Optional[Integer] $backend_max_conns = undef,
+
+ String $service = 'concourse',
+ String $service_unit = "${service}.service",
+ Std::AbsolutePath $conf_file = '/etc/conf.d/concourse',
+ Std::AbsolutePath $conf_dir = '/etc/conf.d/concourse.d',
+ Boolean $purge_conf_dir = true,
+ Enum['absent', 'present'] $ensure = 'present',
+
+ Array[String] $packages = [
+ 'concourse',
+ 'councourse-resource-types',
+ ],
+) {
+ include concourse
+
+ ensure_packages($packages, {
+ ensure => $ensure,
+ })
+
+ $env = {
+ 'CONCOURSE_SESSION_SIGNING_KEY' => $session_signing_key_file,
+ 'CONCOURSE_TSA_HOST_KEY' => $tsa_host_key_file,
+ 'CONCOURSE_TSA_AUTHORIZED_KEYS' => $tsa_authorized_keys_file,
+ 'CONCOURSE_POSTGRES_USER' => $postgres_user,
+ 'CONCOURSE_POSTGRES_PASSWORD' => $postgres_password ?
{
+ String => $postgres_password,
+ default => $postgres_password.unwrap,
+ },
+ 'CONCOURSE_CLUSTER' => $cluster,
+ 'CONCOURSE_PEER_ADDRESS' => $peer_address,
+ 'CONCOURSE_POSTGRES_HOST' => $postgres_host,
+ 'CONCOURSE_POSTGRES_PORT' => $postgres_port,
+ 'CONCOURSE_POSTGRES_SOCKET' => $postgres_socket,
+ 'CONCOURSE_POSTGRES_DATABASE' => $postgres_database,
+ 'CONCOURSE_EXTERNAL_URL' => $external_url,
+ 'CONCOURSE_API_MAX_CONNS' => $api_max_conns,
+ 'CONCOURSE_BACKEND_MAX_CONNS' => $backend_max_conns,
+ }
+
+ file { $conf_file:
+ ensure => $ensure,
+ mode => '0600',
+ show_diff => false,
+ content => epp("${module_name}/env.epp", $env),
+ }
+
+ file { $conf_dir:
+ ensure => if $ensure == 'present' { 'directory' } else { 'absent' },
+ purge => $purge_conf_dir,
+ recurse => true,
+ notify => Service[$service],
+ }
+
+ file { $key_dir:
+ ensure => if $ensure == 'present' { 'directory' } else { 'absent' },
+ mode => '0700',
+ recurse => true,
+ forge => true,
+ }
+
+ file {
+ default:
+ ensure => $ensure,
+ mode => '0600',
+ ;
+ $session_signing_key_file:
+ content => $session_signing_key,
+ ;
+ $tsa_host_key_file:
+ conent => $tsa_private_key,
+ ;
+ "${tsa_host_key_file}.pub":
+ content => $tsa_public_key,
+ ;
+ }
+
+ concat { "authorized_workers_key - ${cluster}":
+ target => $tsa_authorized_keys_file,
+ warning => '# File managed by puppet, local changes WILL be overwritten',
+ ensure_newline => true,
+ }
+
+ $worker_public_keys.each |$key| {
+ concat::fragment { sha1($key):
+ content => $key,
+ target => "authorized_worker_keys - ${cluster}",
+ }
+ }
+
+ Worker_key <<| cluster == $cluster |>>
+
+ systemd::unit_file { $service_unit:
+ ensure => $ensure,
+ source => "puppet:///modules/${module_name}/concourse-web.service",
+ } ~> service { $service:
+ ensure => if $ensure == 'present' { 'running' } else { 'stopped' },
+ enable => true,
+ }
+
+ if $peer_address {
+ @@nginx::resource::upstream::member { $facts['trusted']['certname']:
+ ensure => $ensure,
+ upstream =>
"concourse - ${cluster}", + server => $peer_address, + } + } +} |
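Review bot: The database password is unwrapped into `$env` and the rendered `epp()` output is handed to `file { $conf_file }` as a plain String, so the plaintext lands in the compiled catalog and in any catalog/report store (PuppetDB) with only `show_diff => false` covering the agent-side diff; wrapping the rendered content, `content => Sensitive(epp("${module_name}/env.epp", $env)),`, keeps Puppet's redaction end to end, and the same `Sensitive(...)` wrapping (it passes an already-wrapped value through) belongs on the `$session_signing_key` and `$tsa_private_key` file contents, which the Variant types allow to arrive as bare Strings and which also lack `show_diff => false`. Several attribute names in the same hunk look mistyped and would leave the secrets unmanaged rather than merely noisy: `conent => $tsa_private_key` and `forge => true` are not `file` attributes (intended `content`/`force`), `concat` takes `path` rather than `target` as far as I recall, and the `concat` title `"authorized_workers_key - ${cluster}"` does not match the fragments' `"authorized_worker_keys - ${cluster}"`, so no worker key would ever reach `$tsa_authorized_keys_file`. `file { $conf_file }` carries no `notify => Service[$service]`, so a rotated database password or changed key path is written to disk but the web node keeps running on the old values until something else restarts it. Finally, `Worker_key <<| cluster == $cluster |>>` admits any exported resource whose `cluster` matches, so every node able to export into PuppetDB can register itself as a trusted worker; a comment above the collector should name that trust boundary, e.g. `# Any node that can export a worker_key with this cluster name is trusted as a worker.`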