1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
|
# @summary A concourse web node.
# @param service
# The name of the system service.
# This service WILL be managed by us.
# @param service_unit
# Exact unit name (in terms of systemd) of the service.
# @param conf_file
# Where configuration environment variables will be stored.
# Currently hard-coded in the service file.
# @param conf_dir
# Where additional environment files will be stored. Used (at
# least) by each auth resource.
# @param purge_conf_dir
# Should the directory mentioned in `conf_dir` be purged. If this
# is true then decomissioning sub-configurations are done by simply
# removing that resource.
# @param ensure
# @param cluster
# If this web node is part of a cluster of web nodes, name that
# cluster. This will create an `nginx::resoruce::upstream::member`
# resource for this node, which should be realized by
# `concourse::proxy::nginx`
#
# Also requires `peer_address` to be set
#
# @param peer_address
# Peer address used when used in a cluster
#
# Also requires `cluster` to be set.
#
# Remaining keys maps directly to concourse configurations.
class concourse::web (
String $postgres_user = lookup("concourse::${cluster}::postgres_user"),
Variant[String, Sensitive[String]] $postgres_password = lookup("concourse::${cluster}::postgres_password"),
Variant[String, Sensitive[String]] $session_signing_key = lookup("concourse::${cluster}::session_signing_key"),
Variant[String, Sensitive[String]] $tsa_private_key = lookup("concourse::${cluster}::tsa_private_key"),
Variant[String, Sensitive[String]] $tsa_public_key = lookup("concourse::${cluster}::tsa_public_key"),
Array[String] $worker_public_keys = [],
String $key_dir = '/usr/lib/concourse',
String $session_signing_key_file = "${key_dir}/session_signing_key",
String $tsa_host_key_file = "${key_dir}/tsa_host_key",
String $tsa_authorized_keys_file = "${key_dir}/authorized_worker_keys",
String $cluster = 'default',
Optional[String] $peer_address = undef,
Optional[String] $postgres_host = undef,
Optional[String] $postgres_port = undef,
Optional[Stdlib::Unixpath] $postgres_socket = undef,
Optional[String] $postgres_database = undef,
Optional[String] $external_url = undef,
Optional[Integer] $api_max_conns = undef,
Optional[Integer] $backend_max_conns = undef,
String $service = 'concourse',
String $service_unit = "${service}.service",
Std::AbsolutePath $conf_file = '/etc/conf.d/concourse',
Std::AbsolutePath $conf_dir = '/etc/conf.d/concourse.d',
Boolean $purge_conf_dir = true,
Enum['absent', 'present'] $ensure = 'present',
Array[String] $packages = [
'concourse',
'councourse-resource-types',
],
) {
include concourse
ensure_packages($packages, {
ensure => $ensure,
})
$env = {
'CONCOURSE_SESSION_SIGNING_KEY' => $session_signing_key_file,
'CONCOURSE_TSA_HOST_KEY' => $tsa_host_key_file,
'CONCOURSE_TSA_AUTHORIZED_KEYS' => $tsa_authorized_keys_file,
'CONCOURSE_POSTGRES_USER' => $postgres_user,
'CONCOURSE_POSTGRES_PASSWORD' => $postgres_password ? {
String => $postgres_password,
default => $postgres_password.unwrap,
},
'CONCOURSE_CLUSTER' => $cluster,
'CONCOURSE_PEER_ADDRESS' => $peer_address,
'CONCOURSE_POSTGRES_HOST' => $postgres_host,
'CONCOURSE_POSTGRES_PORT' => $postgres_port,
'CONCOURSE_POSTGRES_SOCKET' => $postgres_socket,
'CONCOURSE_POSTGRES_DATABASE' => $postgres_database,
'CONCOURSE_EXTERNAL_URL' => $external_url,
'CONCOURSE_API_MAX_CONNS' => $api_max_conns,
'CONCOURSE_BACKEND_MAX_CONNS' => $backend_max_conns,
}
file { $conf_file:
ensure => $ensure,
mode => '0600',
show_diff => false,
content => epp("${module_name}/env.epp", $env),
}
file { $conf_dir:
ensure => if $ensure == 'present' { 'directory' } else { 'absent' },
purge => $purge_conf_dir,
recurse => true,
notify => Service[$service],
}
file { $key_dir:
ensure => if $ensure == 'present' { 'directory' } else { 'absent' },
mode => '0700',
recurse => true,
forge => true,
}
file {
default:
ensure => $ensure,
mode => '0600',
;
$session_signing_key_file:
content => $session_signing_key,
;
$tsa_host_key_file:
conent => $tsa_private_key,
;
"${tsa_host_key_file}.pub":
content => $tsa_public_key,
;
}
concat { "authorized_workers_key - ${cluster}":
target => $tsa_authorized_keys_file,
warning => '# File managed by puppet, local changes WILL be overwritten',
ensure_newline => true,
}
$worker_public_keys.each |$key| {
concat::fragment { sha1($key):
content => $key,
target => "authorized_worker_keys - ${cluster}",
}
}
Worker_key <<| cluster == $cluster |>>
systemd::unit_file { $service_unit:
ensure => $ensure,
source => "puppet:///modules/${module_name}/concourse-web.service",
} ~> service { $service:
ensure => if $ensure == 'present' { 'running' } else { 'stopped' },
enable => true,
}
if $peer_address {
@@nginx::resource::upstream::member { $facts['trusted']['certname']:
ensure => $ensure,
upstream => "concourse - ${cluster}",
server => $peer_address,
}
}
}
|
