chg: allow domain-vhosts of motion container
authorFelix Dörre <felix@dogcraft.de>
Thu, 10 Jan 2019 21:11:57 +0000 (16:11 -0500)
committerFelix Dörre <felix@dogcraft.de>
Thu, 10 Jan 2019 21:33:39 +0000 (22:33 +0100)
This change allows defining new domains that nginx will route to
the motion container. Additionally, separate users and
configurations can be kept per domain.

Change-Id: I6ea69d84ba36423d1fc375e7391194c327077f24

modules/motion/files/user_map.template.epp
modules/motion/manifests/virtual.pp
modules/motion/templates/nginx.epp

index 064f5bef41fe0197de32b16ddd6dc4d6643868d1..0ea8f531129aa4e62c9136f1bcb750205674ab69 100644 (file)
@@ -1,6 +1,4 @@
-map_hash_bucket_size 128;
-
 # user map
-map "$ssl_client_serial:$ssl_client_i_dn" $<%=$container%>_user_role {
+map "$host:$ssl_client_serial:$ssl_client_i_dn" $<%=$name%>_user_role {
     default     "<invalid>/";
 }
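Review bot: Keying the role map on `$host` in `map "$host:$ssl_client_serial:$ssl_client_i_dn" $<%=$name%>_user_role {` ties an authorization decision to a value the client supplies in the request line or Host header, not to the vhost that actually handles the request. Inside a block with an exact `server_name` the two coincide, but a Host value that matches no server_name is served by the default (first) server on the address, and there `$host` is whatever the client sent, so a certificate trusted by the shared roots can be looked up under another domain's entry while the request goes to the default container. `$server_name` is the configured name of the block serving the request and is not client-controlled; I would use `map "$server_name:$ssl_client_serial:$ssl_client_i_dn" $<%=$name%>_user_role {`, or alternatively reject requests whose `$host` differs from `$ssl_server_name`. The `default "<invalid>/";` fail-safe is right and should stay.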
index ccc379d35696035eac8730e3389aec69e560ae86..a2f601ca96863138f96a16957e21ad11b84c5681 100644 (file)
@@ -25,11 +25,24 @@ define motion::virtual ($domain = "motion.${systemDomain}", $container = $name)
   }
   @front_vhost{$container:
     source => 'motion/nginx.epp',
-    args => {container => $container, cert_stem => "/etc/ssl/private/${container}", domain => $domain, socket => "unix:/${container}-socket/motion.fcgi"},
+    args => {container => $container, name => $container, cert_stem => "/etc/ssl/private/${container}", domain => $domain, socket => "unix:/${container}-socket/motion.fcgi"},
     crt => "motion/${container}",
     tag => [nginx]
   }
 
+  @file{'/etc/nginx/conf.d/bucket_size.conf':
+    content => "map_hash_bucket_size 256;log_format motion-cert '\$date_gmt \$host:\$ssl_client_serial:\$ssl_client_i_dn;\$motion_user_role';\n",
+    ensure => 'file',
+    before => Service['nginx'],
+    tag => [nginx]
+  }
+  @file{'/etc/nginx/conf.d/motion_map.conf':
+    content => inline_epp(file('motion/user_map.epp', 'motion/user_map.template.epp'), {name => $name}),
+    ensure => 'file',
+    before => Service['nginx'],
+    tag => [nginx]
+  }
+
 
   @postgresql::server::db { $container:
     user     => $container,
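Review bot: Both new `@file` resources use fixed titles (`/etc/nginx/conf.d/bucket_size.conf`, `/etc/nginx/conf.d/motion_map.conf`) inside a define, so if a second `motion::virtual` is ever declared on the same frontend the catalog compile fails with a duplicate declaration rather than producing a second map. If exactly one instance per frontend is the intent, it is worth saying so above the resources, e.g. `# Shared by all motion vhosts on this host: exactly one motion::virtual may be declared per frontend.`. The file name `bucket_size.conf` also no longer describes its content now that it carries the `log_format`; something like `motion_common.conf` would be clearer to whoever next greps for where `motion-cert` is defined.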
@@ -46,3 +59,17 @@ define motion::virtual ($domain = "motion.${systemDomain}", $container = $name)
     tag => [primary]
   }
 }
+
+define motion::frontend($domain, $container, $roots = 'puppet:///modules/motion/motion-roots.pem'){
+  @file{"/etc/ssl/${name}-roots.pem":
+    ensure => 'file',
+    source => [$roots, 'puppet:///modules/nre/config/ca/root.crt'],
+    tag => [nginx]
+  }
+  @front_vhost{"${container}-${domain}":
+    source => 'motion/nginx.epp',
+    args => {container => $container, name => $name, cert_stem => "/etc/ssl/private/${container}", domain => $domain, socket => "unix:/${container}-socket/motion.fcgi"},
+    crt => "motion/${container}",
+    tag => [nginx]
+  }
+}
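Review bot: `motion::frontend` has no header comment, and it reuses the container's server certificate for the additional domain (`crt => "motion/${container}"`, `cert_stem => "/etc/ssl/private/${container}"`), which only works if that certificate's SAN list covers every frontend domain. I would document this above the define, e.g. `# Extra nginx vhost for $domain, routed to an existing motion container. $roots: trust anchors for client certificates on this domain. The container's server certificate must list $domain as a SAN.`. Note also that Puppet treats the `source` array on `/etc/ssl/${name}-roots.pem` as a fallback list (the first source that exists is used), so the nre root is installed only when `$roots` cannot be fetched and is never appended to it; if both anchors are meant to be trusted, the file has to be assembled from both.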
index 36dbfa6b708998f49a7901d027cefc75697d8a9f..1bcee0d65798e2eafbe4b8945e3744173c407253 100644 (file)
@@ -22,19 +22,18 @@ server {
         root /data/challenge;
     }
 }
-<%=inline_epp(file('motion/user_map.epp', 'motion/user_map.template.epp'), {container => $container})%>
-log_format <%=$container%>-cert '$date_gmt $ssl_client_serial:$ssl_client_i_dn;$<%=$container%>_user_role';
 server {
+
     listen       0.0.0.0:443 ssl;
     server_name  <%=$domain%>;
     gzip         on;
     ssl_certificate <%=$cert_stem%>.crt;
     ssl_certificate_key <%=$cert_stem%>.key;
 
-    ssl_client_certificate /etc/ssl/<%=$container%>-roots.pem;
+    ssl_client_certificate /etc/ssl/<%=$name%>-roots.pem;
     ssl_verify_client on;
     ssl_verify_depth 4;
-    access_log /tmp/<%=$container%>-certs.log <%=$container%>-cert;
+    access_log /tmp/<%=$name%>-certs.log motion-cert;
 
     location / {
         fastcgi_param  QUERY_STRING       $query_string;
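Review bot: The per-frontend `ssl_client_certificate /etc/ssl/<%=$name%>-roots.pem` is only applied to handshakes that reach this server block via SNI; a client that omits SNI is verified against the default server's roots and can then select this block with the `Host` header, and as far as I can tell nginx's built-in 421 check for a name mismatch only fires when an SNI name was negotiated. If frontends are meant to carry different trust anchors, add a guard to this block such as `if ($ssl_server_name != $host) { return 421; }` (or a catch-all default server that refuses the handshake) so the server that verified the client is the one that serves it. The certificate-authentication access log also still lands in `/tmp/<%=$name%>-certs.log`, a world-writable directory subject to tmp cleaners; an audit trail of who authenticated belongs under `/var/log/nginx/`. The `server` block continues past the hunk.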
@@ -48,7 +47,7 @@ server {
         fastcgi_param  SERVER_NAME        $host;
         fastcgi_param  SERVER_PORT        '443';
         fastcgi_param  SERVER_PROTOCOL    'https';
-        fastcgi_param  USER_ROLES         $<%=$container%>_user_role;
+        fastcgi_param  USER_ROLES         $motion_user_role;
         fastcgi_pass  <%=$socket%>;
 
     <% if($protected != 'no') { %>
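Review bot: `fastcgi_param USER_ROLES $motion_user_role;` hardcodes the map variable, while the map file written by `motion::virtual` defines `$<%=$name%>_user_role` from that define's title, so the two agree only when the instance is titled `motion`; any other title makes `nginx -t` fail with an unknown-variable error, which is at least fail-closed but will puzzle whoever hits it. Both `motion::virtual` and `motion::frontend` pass `container` into this template, so deriving the variable name from the same value on both sides would remove the coupling; otherwise a short comment here, `# variable name is fixed by the motion_map.conf written by motion::virtual`, should record it. The `location /` block starts and ends outside this hunk.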