}
@front_vhost{$container:
source => 'motion/nginx.epp',
- args => {container => $container, cert_stem => "/etc/ssl/private/${container}", domain => $domain, socket => "unix:/${container}-socket/motion.fcgi"},
+ args => {container => $container, name => $container, cert_stem => "/etc/ssl/private/${container}", domain => $domain, socket => "unix:/${container}-socket/motion.fcgi"},
crt => "motion/${container}",
tag => [nginx]
}
+ @file{'/etc/nginx/conf.d/bucket_size.conf':
+ content => "map_hash_bucket_size 256;log_format motion-cert '\$date_gmt \$host:\$ssl_client_serial:\$ssl_client_i_dn;\$motion_user_role';\n",
+ ensure => 'file',
+ before => Service['nginx'],
+ tag => [nginx]
+ }
+ @file{'/etc/nginx/conf.d/motion_map.conf':
+ content => inline_epp(file('motion/user_map.epp', 'motion/user_map.template.epp'), {name => $name}),
+ ensure => 'file',
+ before => Service['nginx'],
+ tag => [nginx]
+ }
+
@postgresql::server::db { $container:
user => $container,
tag => [primary]
}
}
+
+define motion::frontend($domain, $container, $roots = 'puppet:///modules/motion/motion-roots.pem'){
+ @file{"/etc/ssl/${name}-roots.pem":
+ ensure => 'file',
+ source => [$roots, 'puppet:///modules/nre/config/ca/root.crt'],
+ tag => [nginx]
+ }
+ @front_vhost{"${container}-${domain}":
+ source => 'motion/nginx.epp',
+ args => {container => $container, name => $name, cert_stem => "/etc/ssl/private/${container}", domain => $domain, socket => "unix:/${container}-socket/motion.fcgi"},
+ crt => "motion/${container}",
+ tag => [nginx]
+ }
+}
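Review bot: In `motion::frontend`, `source => [$roots, 'puppet:///modules/nre/config/ca/root.crt']` does not concatenate the two PEM files: for a single file Puppet takes the first source in the array that exists, so `/etc/ssl/${name}-roots.pem` holds either the motion roots or the nre root, never both. Because the template change points `ssl_client_certificate` at this file, a missing or misspelled `$roots` silently swaps the client-certificate trust anchor instead of failing the run. If only `$roots` is meant to be trusted, use `source => $roots,` so a missing source is an error; if both CAs are intended, build the bundle explicitly from the two files rather than relying on the array. Separately, the two `@file` resources with fixed titles under `/etc/nginx/conf.d/` sit in a body that starts outside this hunk and reads `$name`; if that body is a defined type, a second instance would presumably hit a duplicate declaration, so confirm it is declared only once per node.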
root /data/challenge;
}
}
-<%=inline_epp(file('motion/user_map.epp', 'motion/user_map.template.epp'), {container => $container})%>
-log_format <%=$container%>-cert '$date_gmt $ssl_client_serial:$ssl_client_i_dn;$<%=$container%>_user_role';
server {
+
listen 0.0.0.0:443 ssl;
server_name <%=$domain%>;
gzip on;
ssl_certificate <%=$cert_stem%>.crt;
ssl_certificate_key <%=$cert_stem%>.key;
- ssl_client_certificate /etc/ssl/<%=$container%>-roots.pem;
+ ssl_client_certificate /etc/ssl/<%=$name%>-roots.pem;
ssl_verify_client on;
ssl_verify_depth 4;
- access_log /tmp/<%=$container%>-certs.log <%=$container%>-cert;
+ access_log /tmp/<%=$name%>-certs.log motion-cert;
location / {
fastcgi_param QUERY_STRING $query_string;
fastcgi_param SERVER_NAME $host;
fastcgi_param SERVER_PORT '443';
fastcgi_param SERVER_PROTOCOL 'https';
- fastcgi_param USER_ROLES $<%=$container%>_user_role;
+ fastcgi_param USER_ROLES $motion_user_role;
fastcgi_pass <%=$socket%>;
<% if($protected != 'no') { %>