From cad8f107bf7e81ab143cc7a2cb9660761589eb3b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hugo=20H=C3=B6rnquist?=
Date: Wed, 5 Jan 2022 05:07:25 +0100
Subject: Move remaining out of site.pp.

---
 manifests/site.pp | 60 -------------------------------
 modules/blog/manifests/init.pp | 38 +++++++++++++++++++-
 modules/blog/manifests/instance.pp | 35 +-----------------
 modules/nsupdate/manifests/init.pp | 66 +++-------------------------------
 modules/nsupdate/manifests/instance.pp | 64 +++++++++++++++++++++++++++++++++
 modules/profiles/manifests/fcgiwrap.pp | 8 +++++
 modules/profiles/manifests/phpfpm.pp | 21 +++++++++++
 7 files changed, 135 insertions(+), 157 deletions(-)
 delete mode 100644 manifests/site.pp
 create mode 100644 modules/nsupdate/manifests/instance.pp
 create mode 100644 modules/profiles/manifests/fcgiwrap.pp
 create mode 100644 modules/profiles/manifests/phpfpm.pp

diff --git a/manifests/site.pp b/manifests/site.pp
deleted file mode 100644
index 03e8438..0000000
--- a/manifests/site.pp
+++ /dev/null
@@ -1,60 +0,0 @@ - -node 'hornquist.se' { - - include ::profiles::common - include ::profiles::client - - include ::profiles::firewall - - include ::nginx - - # https://buddy.works/blog/how-deploy-projects-with-git - include ::blog - - nsupdate { 'hornquist.se': - ensure => present, - nameserver => 'ns2.adrift.space', - iface => 'eth0', - records => [ - { type => 'A', ttl => 3600, domain => 'hornquist.se' }, - { type => 'A', ttl => 3600, domain => '*.hornquist.se' }, - ], - } - - service { 'php7.4-fpm': - ensure => running, - enable => true, - } - - service { 'fcgiwrap.socket': - ensure => running, - enable => true, - } - - file { '/etc/systemd/system/php7.4-fpm.service.d': - ensure => directory, - } - - file { '/etc/systemd/system/php7.4-fpm.service.d/override.conf': - ensure => file, - notify => Service['php7.4-fpm'], - content => @(EOF) - [Service] - RuntimeDirectory=php - | EOF - } - - include ::profiles::letsencrypt - - - - nginx::resource::location { '= /': - # temprory redirect - location_custom_cfg => { return => '307 /hugo' }, - ssl => true, - index_files => [], - server => [ 'blog', ], - } -} - -node default {} diff --git a/modules/blog/manifests/init.pp b/modules/blog/manifests/init.pp index 9b5f050..1ecce39 100644 --- a/modules/blog/manifests/init.pp +++ b/modules/blog/manifests/init.pp 
@@ -1,6 +1,42 @@ class blog ( String $blog_root, - Hash[String,Hash] $blogs = {} + Hash[String,Hash] $blogs = {}, + Optional[String] $domain = undef, + Optional[Array[String]] $domain_aliases = undef, ) { create_resources(blog::instance, $blogs) + + if $domain { + $default = { + access_log => 'absent', + error_log => 'absent', + ssl => true, + ssl_cert => "/etc/letsencrypt/live/${certname}/fullchain.pem", + ssl_key => "/etc/letsencrypt/live/${certname}/privkey.pem", + use_default_location => false, + } + $domain_conf = { + server_name => [ $domain, ], + index_files => [ 'index.php', 'index.html', 'index.htm', ], + www_root => $blog::blog_root, + } + + $main_conf = { + "${safe_title} - server" => $default + $domain_conf, + } + + create_resources(nginx::resource::server, $main_conf) + + if $domain_aliases { + $alias_conf = { + "${safe_title} - aliases" => $default + { + server_name => $domain_aliases, + server_cfg_append => { + 'return' => '301 $scheme://blog.hornquist.se$request_uri', + }, + }, + } + create_resources(nginx::resource::server, $alias_conf) + } + } } diff --git a/modules/blog/manifests/instance.pp b/modules/blog/manifests/instance.pp index 0bbdb32..adaa30d 100644 --- a/modules/blog/manifests/instance.pp +++ b/modules/blog/manifests/instance.pp @@ -4,8 +4,6 @@ define blog::instance ( Boolean $has_comments = false, String $subtitle = '', Optional[String] $vcs_repo = undef, - Optional[String] $domain = undef, - Optional[Array[String]] $domain_aliases = undef, ) { $root = "${blog::blog_root}/${title}" 
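Review bot: `${certname}` and `${safe_title}` are interpolated in the new `blog` class body, but nothing assigns them there — this hunk covers the whole of init.pp, and `$certname = lookup('certname')` remains inside blog::instance (the second instance.pp hunk below), where `$safe_title` presumably lives as well. With strict_variables enabled the class fails to evaluate; without it the unknown variables interpolate as empty strings, yielding `ssl_cert => "/etc/letsencrypt/live//fullchain.pem"` and the nginx server title ` - server`. The class should set `$certname = lookup('certname')` itself and key the two nginx::resource::server declarations on the parameter it owns, e.g. `"${domain} - server"` and `"${domain} - aliases"`. The alias redirect `'return' => '301 $scheme://blog.hornquist.se$request_uri'` is also still hard-coded although the class now takes `$domain`; `"301 \$scheme://${domain}\$request_uri"` would follow the parameter instead.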
@@ -71,38 +69,7 @@ define blog::instance ( $certname = lookup('certname') - if $domain { - $default = { - access_log => 'absent', - error_log => 'absent', - ssl => true, - ssl_cert => "/etc/letsencrypt/live/${certname}/fullchain.pem", - ssl_key => "/etc/letsencrypt/live/${certname}/privkey.pem", - use_default_location => false, - } - $domain_conf = { - server_name => [ $domain, ], - index_files => [ 'index.php', 'index.html', 'index.htm', ], - www_root => $blog::blog_root, - } - - $main_conf = { - "${safe_title} - server" => $default + $domain_conf, - } - - create_resources(nginx::resource::server, $main_conf) - - if $domain_aliases { - $alias_conf = { - "${safe_title} - aliases" => $default + { - server_name => $domain_aliases, - server_cfg_append => { - 'return' => '301 $scheme://blog.hornquist.se$request_uri', - }, - }, - } - create_resources(nginx::resource::server, $alias_conf) - } + if $blog::domain { nginx::resource::location { "${safe_title} - server - /": location => '/', diff --git a/modules/nsupdate/manifests/init.pp b/modules/nsupdate/manifests/init.pp index 8141f5a..08c5080 100644 --- a/modules/nsupdate/manifests/init.pp +++ b/modules/nsupdate/manifests/init.pp 
@@ -1,64 +1,6 @@
-# type DNSRecordType = ['A', 'AAAA', 'AFSDB', 'APL', 'CAA', 'CDNSKEY', 'CDS',
-# 'CERT', 'CNAME', 'CSYNC', 'DHCID', 'DLV', 'DNAME', 'DNSKEY', 'DS', 'EUI48',
-# 'EUI64', 'HINFO', 'HIP', 'HTTPS', 'IPSECKEY', 'KEY', 'KX', 'LOC', 'MX',
-# 'NAPTR', 'NS', 'NSEC', 'NSEC3', 'NSEC3PARAM', 'OPENPGPKEY', 'PTR', 'RRSIG',
-# 'RP', 'SIG', 'SMIMEA', 'SOA', 'SRV', 'SSHFP', 'SVCB', 'TA', 'TKEY', 'TLSA',
-# 'TSIG', 'TXT', 'URI', 'ZA', 'AAAA', 'AFSDB', 'APL', 'CAA', 'CDNSKEY', 'CDS',
-# 'CERT', 'CNAME', 'CSYNC', 'DHCID', 'DLV', 'DNAME', 'DNSKEY', 'DS', 'EUI48',
-# 'EUI64', 'HINFO', 'HIP', 'HTTPS', 'IPSECKEY', 'KEY', 'KX', 'LOC', 'MX',
-# 'NAPTR', 'NS', 'NSEC', 'NSEC3', 'NSEC3PARAM', 'OPENPGPKEY', 'PTR', 'RRSIG',
-# 'RP', 'SIG', 'SMIMEA', 'SOA', 'SRV', 'SSHFP', 'SVCB', 'TA', 'TKEY', 'TLSA',
-# 'TSIG', 'TXT', 'URI', 'ZONEMD']
-
-type DNSRecordType = Enum['A']
-
-type DNSRecord = Struct[{
- domain => String,
- type => DNSRecordType,
- ttl => Integer,
-}]
-
-# Sets up a single instance of a reoccuring nsupdate.
-# Note that nsupdate::secret.$keyname needs to be made available through hiera
-# /etc/puppetlabs/code/environments/production/data/nodes/hornquist.se.yaml
-define nsupdate (
- String $nameserver,
- Array[DNSRecord] $records,
- String $iface = $facts['networking']['primary'],
- Enum['present', 'absent'] $ensure = present,
- String $keyname = $name,
+class nsupdate (
+ Hash[String,Hash] $instances,
+ Hash[String,Hash] $secrets,
 ) {
-
- require ::nsupdate::setup
-
- file { "/usr/libexec/nsupdate/${name}":
- ensure => $ensure,
- mode => '0555',
- content => epp('nsupdate/nsupdate.epp', {
- iface => $iface,
- nameserver => $nameserver,
- records => $records,
- keyname => $keyname,
- })
- }
-
- $key = lookup("nsupdate::secrets.\"${keyname}\"")
- $secret = Sensitive($key['secret'])
- file { "/var/lib/nsupdate/${keyname}.key":
- ensure => file,
- mode => '0400',
- show_diff => false,
- content => @("EOF")
- key "${keyname}" {
- algorithm ${key['algorithm']};
- secret "${secret.unwrap}";
- };
- | EOF
- }
-
- cron { "nsupdate ${name}":
- ensure => $ensure,
- command => "/usr/libexec/nsupdate/${name}",
- minute => 0,
- }
+ create_resources(nsupdate::instance, $instances)
 }
diff --git a/modules/nsupdate/manifests/instance.pp b/modules/nsupdate/manifests/instance.pp
new file mode 100644
index 0000000..7f2f3ff
--- /dev/null
+++ b/modules/nsupdate/manifests/instance.pp
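Review bot: `$secrets` is typed only as `Hash[String,Hash]`, so an entry that lacks `algorithm` or `secret` is not rejected here and only fails later when `nsupdate::instance` indexes `$nsupdate::secrets[$keyname]`, with an error that does not name the offending key. Tightening it to `Hash[String, Struct[{ algorithm => String, secret => String }]]` makes malformed Hiera data fail at the class boundary with a readable message. Because these values are TSIG key material, consider having Hiera deliver them already wrapped (lookup_options with `convert_to: Sensitive`, where the Puppet version in use supports it) so the class parameter is redacted in catalog and report output rather than carried as plain strings. A short class comment saying that the keys of `$secrets` are the `keyname` values referenced by `$instances` would replace the per-key lookup contract the removed `lookup("nsupdate::secrets.\"${keyname}\"")` line used to express.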
@@ -0,0 +1,64 @@
+# type DNSRecordType = ['A', 'AAAA', 'AFSDB', 'APL', 'CAA', 'CDNSKEY', 'CDS',
+# 'CERT', 'CNAME', 'CSYNC', 'DHCID', 'DLV', 'DNAME', 'DNSKEY', 'DS', 'EUI48',
+# 'EUI64', 'HINFO', 'HIP', 'HTTPS', 'IPSECKEY', 'KEY', 'KX', 'LOC', 'MX',
+# 'NAPTR', 'NS', 'NSEC', 'NSEC3', 'NSEC3PARAM', 'OPENPGPKEY', 'PTR', 'RRSIG',
+# 'RP', 'SIG', 'SMIMEA', 'SOA', 'SRV', 'SSHFP', 'SVCB', 'TA', 'TKEY', 'TLSA',
+# 'TSIG', 'TXT', 'URI', 'ZA', 'AAAA', 'AFSDB', 'APL', 'CAA', 'CDNSKEY', 'CDS',
+# 'CERT', 'CNAME', 'CSYNC', 'DHCID', 'DLV', 'DNAME', 'DNSKEY', 'DS', 'EUI48',
+# 'EUI64', 'HINFO', 'HIP', 'HTTPS', 'IPSECKEY', 'KEY', 'KX', 'LOC', 'MX',
+# 'NAPTR', 'NS', 'NSEC', 'NSEC3', 'NSEC3PARAM', 'OPENPGPKEY', 'PTR', 'RRSIG',
+# 'RP', 'SIG', 'SMIMEA', 'SOA', 'SRV', 'SSHFP', 'SVCB', 'TA', 'TKEY', 'TLSA',
+# 'TSIG', 'TXT', 'URI', 'ZONEMD']
+
+type DNSRecordType = Enum['A']
+
+type DNSRecord = Struct[{
+ domain => String,
+ type => DNSRecordType,
+ ttl => Integer,
+}]
+
+# Sets up a single instance of a reoccuring nsupdate.
+# Note that nsupdate::secret.$keyname needs to be made available through hiera
+# /etc/puppetlabs/code/environments/production/data/nodes/hornquist.se.yaml
+define nsupdate::instance (
+ String $nameserver,
+ Array[DNSRecord] $records,
+ String $iface = $facts['networking']['primary'],
+ Enum['present', 'absent'] $ensure = present,
+ String $keyname = $name,
+) {
+
+ require ::nsupdate::setup
+
+ file { "/usr/libexec/nsupdate/${name}":
+ ensure => $ensure,
+ mode => '0555',
+ content => epp('nsupdate/nsupdate.epp', {
+ iface => $iface,
+ nameserver => $nameserver,
+ records => $records,
+ keyname => $keyname,
+ })
+ }
+
+ $key = $nsupdate::secrets[$keyname]
+ $secret = Sensitive($key['secret'])
+ file { "/var/lib/nsupdate/${keyname}.key":
+ ensure => file,
+ mode => '0400',
+ show_diff => false,
+ content => @("EOF")
+ key "${keyname}" {
+ algorithm ${key['algorithm']};
+ secret "${secret.unwrap}";
+ };
+ | EOF
+ }
+
+ cron { "nsupdate ${name}":
+ ensure => $ensure,
+ command => "/usr/libexec/nsupdate/${name}",
+ minute => 0,
+ }
+}
diff --git a/modules/profiles/manifests/fcgiwrap.pp b/modules/profiles/manifests/fcgiwrap.pp
new file mode 100644
index 0000000..fa667d1
--- /dev/null
+++ b/modules/profiles/manifests/fcgiwrap.pp
@@ -0,0 +1,8 @@
+class profiles::fcgiwrap {
+ ensure_packages(['fcgiwrap'])
+
+ service { 'fcgiwrap.socket':
+ ensure => running,
+ enable => true,
+ }
+}
diff --git a/modules/profiles/manifests/phpfpm.pp b/modules/profiles/manifests/phpfpm.pp
new file mode 100644
index 0000000..2aaf0df
--- /dev/null
+++ b/modules/profiles/manifests/phpfpm.pp
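Review bot: The header comment still says `nsupdate::secret.$keyname needs to be made available through hiera` and names a node yaml file, but the define now reads `$nsupdate::secrets[$keyname]`, so the comment should state that `$keyname` must be a key of the `secrets` parameter of class nsupdate. The define declares no dependency on that class: if an instance is declared without class nsupdate having been evaluated, `$nsupdate::secrets` is undef and the failure surfaces as an opaque error on `$key['secret']`, so add `include nsupdate` or a guard such as `unless $nsupdate::secrets and $keyname in $nsupdate::secrets { fail("no nsupdate secret for ${keyname}") }` before the lookup. `${secret.unwrap}` inside the heredoc yields plain-text file content, so `show_diff => false` hides the key from diffs but it still travels unredacted in the catalog and report; wrapping the whole heredoc as `content => Sensitive(@("EOF") … | EOF)` keeps it redacted, if the target Puppet version's file type accepts Sensitive content. The record-type list in the leading comment also repeats itself from `'ZA', 'AAAA'` onward and could be cut to a single copy.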
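Review bot: In fcgiwrap.pp, `Service['fcgiwrap.socket']` has no ordering relationship with the `Package['fcgiwrap']` that `ensure_packages(['fcgiwrap'])` declares, and Puppet does not order a service after a package on its own, so on a fresh node the service can be applied before the package exists and the first run fails. Add `require => Package['fcgiwrap'],` to the service resource. A one-line class comment noting that the socket unit, not `fcgiwrap.service`, is what is enabled would also help, since that choice is not obvious from the class name.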
@@ -0,0 +1,21 @@
+class profiles::phpfpm (
+ String $version = '7.4',
+) {
+
+ # The packageg php-fpm also exists, which simply pulls in php7.4-fpm
+
+ ensure_packages(["php${version}-fpm"])
+
+ service { "php${version}-fpm":
+ ensure => running,
+ enable => true,
+ }
+
+ systemd::dropin_file { 'runtime-dir.conf':
+ unit => 'php${version}-fpm.service',
+ content => @(EOF)
+ [Service]
+ RuntimeDirectory=php
+ | EOF
+ }
+}
-- 
cgit v1.2.3
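Review bot: `unit => 'php${version}-fpm.service'` is single-quoted, so Puppet does not interpolate `${version}` and the drop-in is attached to a unit literally named `php${version}-fpm.service` instead of `php7.4-fpm.service`; it should read `unit => "php${version}-fpm.service",`. The drop-in also lost the `notify => Service['php7.4-fpm']` that the removed site.pp block carried, so a change to RuntimeDirectory no longer restarts php-fpm; add `notify => Service["php${version}-fpm"],` to the systemd::dropin_file resource (or the module's notify_service option, if the installed puppet-systemd provides it). As with fcgiwrap.pp, the service should `require => Package["php${version}-fpm"]` so first runs are ordered correctly. The comment on the fifth line has a typo, `packageg`.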