aboutsummaryrefslogtreecommitdiff
path: root/manifests/proxy/nginx.pp
blob: 6328d3d1ea2fed11179909d206a2dd809a1ed22e (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84

# @summary Revproxy for concourse
#
# Rev-proxy, which also gathers all web nodes in a cluster, into a
# single web endpoint
#
# This also manages the TLS certificate for the load balancer.
#
# @param server_name
#   Name of the nginx server, will also be used for rev-proxy routing.
# @param cluster
#   Name of the concourse cluster.
# @param upstream_members
#   Members of this cluster. If puppetdb is available then these are
#   collected automatically from each instance of `concourse::web`.
#   But if that is not an option then they can be specified manually.
# @param ensure
define concourse::proxy::nginx (
  String $server_name = $name,
  String $cluster = $concourse::default_cluster,
  Optional[Nginx::UpstreamMembers] $upstream_members = undef,
  Enum['absent', 'present'] $ensure = 'present',
) {
  include concourse
  include letsencrypt

  nginx::resource::upstream { "concourse_${cluster}":
    ensure  => $ensure,
    members => $upstream_members,
  }

  letsencrypt::cert { $server_name:
    include_self  => true,
    authenticator => 'nginx',
    config        => {
      'post-hook' => 'nginx -s reload',
    },
  }

  nginx::resource::server { $server_name:
    ipv6_enable          => true,
    ipv6_listen_options  => '',
    use_default_location => false,
    *                    => letsencrypt::conf::nginx($server_name),
  }

  # TODO the connection from nginx to each web instance is unencrypted.
  # Concourse's documentation only mentions TLS through letsencrypt,
  # which works less than ideal with internal nodes.
  # Running unencrypted is however a bad idea, since web nodes are
  # assumed to be on different machines. Either figure out how to use
  # a custom certificate internally, or configure a segregated network.

  # TODO proxy to upstream
  nginx::resource::streamhost { "${server_name}-stream":
    listen_port         => 2222,
    ipv6_enable         => true,
    ipv6_listen_options => '',
    proxy               => $server_name,
  }

  nginx::resource::location { "${server_name} - /":
    server   => $server_name,
    location => '/',
    proxy    => "http://concourse_${cluster}",
    *        => letsencrypt::conf::nginx::location($server_name),
  }

  nginx::resource::location { "${server_name} - ~ /hijack$":
    server           => $server_name,
    location         => '~ /hijack$',
    proxy            => "http://concourse_${cluster}",
    proxy_set_header => [
      'Host $host',
      'X-Real-IP $remote_addr',
      'X-Forwarded-For $proxy_add_x_forwarded_for',
      'X-Forwarded-Host $host',
      'X-Forwarded-Proto $scheme',
      'Proxy ""',
      'Upgrade $http_upgrade',
      'Connection "upgrade"',
    ],
    *                => letsencrypt::conf::nginx::location($server_name),
  }
}
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-28 17:37:50 +0200