From a1001fbf0c24008fd7cbff94653d2ad5c359f057 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Felix=20D=C3=B6rre?=
Date: Thu, 10 Jan 2019 16:11:57 -0500
Subject: [PATCH] chg: allow domain-vhosts of motion container
This change allows to define new domains that the nginx will route to the motions container. Additionally you can have separate users and configurations per domain.
Change-Id: I6ea69d84ba36423d1fc375e7391194c327077f24
---
 modules/motion/files/user_map.template.epp | 4 +--
 modules/motion/manifests/virtual.pp | 29 +++++++++++++++++++++-
 modules/motion/templates/nginx.epp | 9 +++----
 3 files changed, 33 insertions(+), 9 deletions(-)
diff --git a/modules/motion/files/user_map.template.epp b/modules/motion/files/user_map.template.epp
index 064f5be..0ea8f53 100644
--- a/modules/motion/files/user_map.template.epp
+++ b/modules/motion/files/user_map.template.epp
@@ -1,6 +1,4 @@
-map_hash_bucket_size 128;
-
 # user map
-map "$ssl_client_serial:$ssl_client_i_dn" $<%=$container%>_user_role {
+map "$host:$ssl_client_serial:$ssl_client_i_dn" $<%=$name%>_user_role {
 default "/";
 }
diff --git a/modules/motion/manifests/virtual.pp b/modules/motion/manifests/virtual.pp
index ccc379d..a2f601c 100644
--- a/modules/motion/manifests/virtual.pp
+++ b/modules/motion/manifests/virtual.pp 
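Review bot: The role variable is still templated as `$<%=$name%>_user_role`, but the consumers this commit introduces hard-code `$motion_user_role` (the `log_format motion-cert` written to bucket_size.conf in the virtual.pp hunk at line 25, and `fastcgi_param USER_ROLES $motion_user_role;` in the nginx.epp hunk at line 47), so the configuration only resolves when the `motion::virtual` title passed as `name` is literally `motion`; any other title leaves nginx with an undefined variable. Since the map is now one shared conf.d file there is nothing left to parameterise, so the line should read `map "$host:$ssl_client_serial:$ssl_client_i_dn" $motion_user_role {`. The `$host` component comes from the client's request, so a role entry for one domain is only confined to that domain as long as no vhost accepts unmatched host names; a template comment stating that keys are `host:serial:issuer-dn` (the same triple the new log_format emits) would make that contract visible to whoever adds entries.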
@@ -25,11 +25,24 @@ define motion::virtual ($domain = "motion.${systemDomain}", $container = $name)
 }
 @front_vhost{$container:
 source => 'motion/nginx.epp',
- args => {container => $container, cert_stem => "/etc/ssl/private/${container}", domain => $domain, socket => "unix:/${container}-socket/motion.fcgi"},
+ args => {container => $container, name => $container, cert_stem => "/etc/ssl/private/${container}", domain => $domain, socket => "unix:/${container}-socket/motion.fcgi"},
 crt => "motion/${container}",
 tag => [nginx]
 }
+ @file{'/etc/nginx/conf.d/bucket_size.conf':
+ content => "map_hash_bucket_size 256;log_format motion-cert '\$date_gmt \$host:\$ssl_client_serial:\$ssl_client_i_dn;\$motion_user_role';\n",
+ ensure => 'file',
+ before => Service['nginx'],
+ tag => [nginx]
+ }
+ @file{'/etc/nginx/conf.d/motion_map.conf':
+ content => inline_epp(file('motion/user_map.epp', 'motion/user_map.template.epp'), {name => $name}),
+ ensure => 'file',
+ before => Service['nginx'],
+ tag => [nginx]
+ }
+
 @postgresql::server::db { $container:
 user => $container,
@@ -46,3 +59,17 @@ define motion::virtual ($domain = "motion.${systemDomain}", $container = $name)
 tag => [primary]
 }
 }
+
+define motion::frontend($domain, $container, $roots = 'puppet:///modules/motion/motion-roots.pem'){
+ @file{"/etc/ssl/${name}-roots.pem":
+ ensure => 'file',
+ source => [$roots, 'puppet:///modules/nre/config/ca/root.crt'],
+ tag => [nginx]
+ }
+ @front_vhost{"${container}-${domain}":
+ source => 'motion/nginx.epp',
+ args => {container => $container, name => $name, cert_stem => "/etc/ssl/private/${container}", domain => $domain, socket => "unix:/${container}-socket/motion.fcgi"},
+ crt => "motion/${container}",
+ tag => [nginx]
+ }
+}
diff --git a/modules/motion/templates/nginx.epp b/modules/motion/templates/nginx.epp
index 36dbfa6..1bcee0d 100644
--- a/modules/motion/templates/nginx.epp
+++ b/modules/motion/templates/nginx.epp 
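Review bot: The two `@file` resources with fixed titles `/etc/nginx/conf.d/bucket_size.conf` and `/etc/nginx/conf.d/motion_map.conf` are declared inside `define motion::virtual`, so a second `motion::virtual` instance on the same node would fail catalog compilation with a duplicate declaration, and even then the shared map would be rendered with only one instance's `$name`. If a single instance per node is the intent, say so where the resources are declared, e.g. `# Node-wide nginx pieces shared by every domain vhost; exactly one motion::virtual is expected per node`, otherwise move them into a class that the define includes. The `content` string also joins two directives with no separator, `map_hash_bucket_size 256;log_format ...`, so a `\n` between them would make the generated file readable, and a `log_format` living in a file called bucket_size.conf is easy to miss. The enclosing define starts outside the hunk.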
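Review bot: `source => [$roots, 'puppet:///modules/nre/config/ca/root.crt']` on `/etc/ssl/${name}-roots.pem` is a fallback list, so a mistyped or missing `$roots` silently installs the nre root instead, and the set of CAs allowed to authenticate clients for this domain changes without any failure. A trust anchor should fail loudly: `source => $roots,` alone, with the second source only where it is deliberately wanted; if `motion::virtual` uses the same fallback outside this hunk, the same applies there. The new define also has no documentation; a header comment should state that `$container` must name an existing `motion::virtual` (the vhost reuses its socket and certificate stem), that `$domain` becomes the `$host` prefix operators key entries on in the shared motion_map.conf, and what `$roots` is expected to contain.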
@@ -22,19 +22,18 @@ server {
 root /data/challenge;
 }
 }
-<%=inline_epp(file('motion/user_map.epp', 'motion/user_map.template.epp'), {container => $container})%>
-log_format <%=$container%>-cert '$date_gmt $ssl_client_serial:$ssl_client_i_dn;$<%=$container%>_user_role';
 server {
+ listen 0.0.0.0:443 ssl;
 server_name <%=$domain%>;
 gzip on;
 ssl_certificate <%=$cert_stem%>.crt;
 ssl_certificate_key <%=$cert_stem%>.key;
- ssl_client_certificate /etc/ssl/<%=$container%>-roots.pem;
+ ssl_client_certificate /etc/ssl/<%=$name%>-roots.pem;
 ssl_verify_client on;
 ssl_verify_depth 4;
- access_log /tmp/<%=$container%>-certs.log <%=$container%>-cert;
+ access_log /tmp/<%=$name%>-certs.log motion-cert;
 location / {
 fastcgi_param QUERY_STRING $query_string;
@@ -48,7 +47,7 @@ server {
 fastcgi_param SERVER_NAME $host;
 fastcgi_param SERVER_PORT '443';
 fastcgi_param SERVER_PROTOCOL 'https';
- fastcgi_param USER_ROLES $<%=$container%>_user_role;
+ fastcgi_param USER_ROLES $motion_user_role;
 fastcgi_pass <%=$socket%>;
 <% if($protected != 'no') { %>
-- 
2.39.2
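Review bot: `access_log /tmp/<%=$name%>-certs.log motion-cert;` records the client-certificate serial, issuer DN and resolved role of every authenticated request in a world-writable directory, where any local user can pre-create the file before nginx starts and tmp cleaners may delete it; since this line is being rewritten anyway, point it at the nginx log directory, `access_log /var/log/nginx/<%=$name%>-certs.log motion-cert;`. The new `listen 0.0.0.0:443 ssl;` binds IPv4 only, so if these hosts carry IPv6 addresses a matching `listen [::]:443 ssl;` is needed. The `server` block continues past the end of the hunk.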