cdn-ops/global/overlay/etc/puppet/modules/cdn/manifests/cache.pp

# Configure a SUNET CDN CA server
class cdn::cache(
  Hash[String, Integer] $customers = {
    customer1 => 1000000000,
  }
)
{
  include sunet::packages::certbot
  include cdn::ca_trust

  $cache_secrets = lookup({ 'name' => 'cdn::cache-secrets', 'default_value' => undef })

  file { '/opt/sunet-cdn':
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0755',
  }

  file { '/opt/sunet-cdn/customers':
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0755',
  }

  file { '/opt/sunet-cdn/conf':
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0755',
  }

  file { '/opt/sunet-cdn/conf/varnish-slash-seccomp.json':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => template('cdn/cache/varnish-slash-seccomp.json.erb'),
  }

  file { '/etc/systemd/network/cdn-dummy.netdev':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => template('cdn/cache/cdn-dummy.netdev.erb'),
  }

  file { '/etc/systemd/network/cdn-dummy.network':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => template('cdn/cache/cdn-dummy.network.erb'),
  }
  # Reload the network config if it has changed
  exec { "networkctl reload":
    subscribe   => File['/etc/systemd/network/cdn-dummy.network'],
    refreshonly => true,
  }

  $sysctl_file = '/etc/sysctl.d/99-cdn-cache.conf'
  file { $sysctl_file:
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => template('cdn/cache/sysctl.erb'),
  }
  # Load the sysctl file if it has changed
  exec { "sysctl -p ${sysctl_file}":
    subscribe   => File[$sysctl_file],
    refreshonly => true,
  }

  if $cache_secrets {
    $customers.each |String $customer, Integer $customer_uid| {
      if $cache_secrets['customers'][$customer] {
        file { "/opt/sunet-cdn/customers/${customer}":
          ensure => directory,
          owner  => $customer_uid,
          group  => $customer_uid,
          mode   => '0750',
        }

        file { "/opt/sunet-cdn/customers/${customer}/conf":
          ensure => directory,
          owner  => $customer_uid,
          group  => $customer_uid,
          mode   => '0750',
        }

        file { "/opt/sunet-cdn/customers/${customer}/shared":
          ensure => directory,
          owner  => $customer_uid,
          group  => $customer_uid,
          mode   => '0750',
        }

        file { "/opt/sunet-cdn/customers/${customer}/cache":
          ensure => directory,
          owner  => $customer_uid,
          group  => $customer_uid,
          mode   => '0750',
        }

        file { "/opt/sunet-cdn/customers/${customer}/certs-private":
          ensure => directory,
          owner  => $customer_uid,
          group  => $customer_uid,
          mode   => '0750',
        }

        $combined_pem = "/opt/sunet-cdn/customers/${customer}/certs-private/combined.pem"

        concat { $combined_pem:
          ensure => present,
          owner  => $customer_uid,
          group  => $customer_uid,
          mode   => '0640',
        }

        concat::fragment { "${customer}-fullchain-${cache_secrets['customers'][$customer]['host']}":
          target => $combined_pem,
          source => "/etc/letsencrypt/live/${cache_secrets['customers'][$customer]['host']}/fullchain.pem",
          order  => '01',
        }

        concat::fragment { "${customer}-privkey-${cache_secrets['customers'][$customer]['host']}":
          target => $combined_pem,
          source => "/etc/letsencrypt/live/${cache_secrets['customers'][$customer]['host']}/privkey.pem",
          order  => '02',
        }

        file { "/opt/sunet-cdn/customers/${customer}/conf/haproxy.cfg":
          ensure  => file,
          owner   => $customer_uid,
          group   => $customer_uid,
          mode    => '0440',
          content => template('cdn/cache/haproxy.cfg.erb'),
        }

        file { "/opt/sunet-cdn/customers/${customer}/conf/varnish.vcl":
          ensure  => file,
          owner   => $customer_uid,
          group   => $customer_uid,
          mode    => '0440',
          content => template('cdn/cache/varnish.vcl.erb'),
        }

        sunet::docker_compose { "sunet-cdn-cache-${customer}":
          content          => template('cdn/cache/docker-compose.yml.erb'),
          service_name     => "cdn-cache-${customer}",
          compose_dir      => "/opt/sunet-cdn/compose/${customer}",
          compose_filename => 'docker-compose.yml',
          description      => "SUNET CDN CA ${customer}",
        }
      }
    }
  }
}
Initial cdn::cache manifest 2024-10-10 13:22:11 +00:00			`# Configure a SUNET CDN CA server`
Fix manifest name 2024-10-10 13:28:23 +00:00			`class cdn::cache(`
Add missing $ 2024-10-10 13:27:06 +00:00			`Hash[String, Integer] $customers = {`
Initial cdn::cache manifest 2024-10-10 13:22:11 +00:00			`customer1 => 1000000000,`
			`}`
			`)`
			`{`
			`include sunet::packages::certbot`
			`include cdn::ca_trust`

			`$cache_secrets = lookup({ 'name' => 'cdn::cache-secrets', 'default_value' => undef })`

			`file { '/opt/sunet-cdn':`
			`ensure => directory,`
			`owner => 'root',`
			`group => 'root',`
			`mode => '0755',`
			`}`

			`file { '/opt/sunet-cdn/customers':`
			`ensure => directory,`
			`owner => 'root',`
			`group => 'root',`
			`mode => '0755',`
			`}`

			`file { '/opt/sunet-cdn/conf':`
			`ensure => directory,`
			`owner => 'root',`
			`group => 'root',`
			`mode => '0755',`
			`}`

Replace "." with "," While here fix some variable usage and puppet-lint complaints 2024-10-11 09:42:12 +00:00			`file { '/opt/sunet-cdn/conf/varnish-slash-seccomp.json':`
Initial cdn::cache manifest 2024-10-10 13:22:11 +00:00			`ensure => file,`
			`owner => 'root',`
			`group => 'root',`
			`mode => '0644',`
			`content => template('cdn/cache/varnish-slash-seccomp.json.erb'),`
			`}`

Add dummy0 interface The netplan version we have is too old to do this so handle it manually. 2024-10-11 16:45:54 +00:00			`file { '/etc/systemd/network/cdn-dummy.netdev':`
			`ensure => file,`
			`owner => 'root',`
			`group => 'root',`
			`mode => '0644',`
			`content => template('cdn/cache/cdn-dummy.netdev.erb'),`
			`}`

Add address config for dummy interface 2024-10-11 16:52:53 +00:00			`file { '/etc/systemd/network/cdn-dummy.network':`
			`ensure => file,`
			`owner => 'root',`
			`group => 'root',`
			`mode => '0644',`
			`content => template('cdn/cache/cdn-dummy.network.erb'),`
			`}`
Add network reload support 2024-10-11 17:04:17 +00:00			`# Reload the network config if it has changed`
			`exec { "networkctl reload":`
Add '' 2024-10-11 17:05:29 +00:00			`subscribe => File['/etc/systemd/network/cdn-dummy.network'],`
Add network reload support 2024-10-11 17:04:17 +00:00			`refreshonly => true,`
			`}`
Add address config for dummy interface 2024-10-11 16:52:53 +00:00
Allow haproxy to bind to ports 80/443 This way we can run haproxy as an unprivileged user and still use what is normally considered privileged ports. 2024-10-11 11:49:04 +00:00			`$sysctl_file = '/etc/sysctl.d/99-cdn-cache.conf'`
			`file { $sysctl_file:`
			`ensure => file,`
			`owner => 'root',`
			`group => 'root',`
			`mode => '0644',`
			`content => template('cdn/cache/sysctl.erb'),`
			`}`
			`# Load the sysctl file if it has changed`
			`exec { "sysctl -p ${sysctl_file}":`
			`subscribe => File[$sysctl_file],`
			`refreshonly => true,`
			`}`

Initial cdn::cache manifest 2024-10-10 13:22:11 +00:00			`if $cache_secrets {`
Missing $ 2024-10-10 13:29:50 +00:00			`$customers.each \|String $customer, Integer $customer_uid\| {`
Initial cdn::cache manifest 2024-10-10 13:22:11 +00:00			`if $cache_secrets['customers'][$customer] {`
puppet-lint fixes 2024-10-11 09:46:06 +00:00			`file { "/opt/sunet-cdn/customers/${customer}":`
Initial cdn::cache manifest 2024-10-10 13:22:11 +00:00			`ensure => directory,`
			`owner => $customer_uid,`
			`group => $customer_uid,`
			`mode => '0750',`
			`}`

puppet-lint fixes 2024-10-11 09:46:06 +00:00			`file { "/opt/sunet-cdn/customers/${customer}/conf":`
Make sure customer conf dir is created 2024-10-10 13:31:54 +00:00			`ensure => directory,`
			`owner => $customer_uid,`
			`group => $customer_uid,`
			`mode => '0750',`
			`}`

puppet-lint fixes 2024-10-11 09:46:06 +00:00			`file { "/opt/sunet-cdn/customers/${customer}/shared":`
Initial cdn::cache manifest 2024-10-10 13:22:11 +00:00			`ensure => directory,`
			`owner => $customer_uid,`
			`group => $customer_uid,`
			`mode => '0750',`
			`}`

puppet-lint fixes 2024-10-11 09:46:06 +00:00			`file { "/opt/sunet-cdn/customers/${customer}/cache":`
Initial cdn::cache manifest 2024-10-10 13:22:11 +00:00			`ensure => directory,`
			`owner => $customer_uid,`
			`group => $customer_uid,`
			`mode => '0750',`
			`}`

puppet-lint fixes 2024-10-11 09:46:06 +00:00			`file { "/opt/sunet-cdn/customers/${customer}/certs-private":`
Install certificate files 2024-10-11 09:38:58 +00:00			`ensure => directory,`
			`owner => $customer_uid,`
			`group => $customer_uid,`
			`mode => '0750',`
			`}`

puppet-lint fixes 2024-10-11 09:46:06 +00:00			`$combined_pem = "/opt/sunet-cdn/customers/${customer}/certs-private/combined.pem"`
Install certificate files 2024-10-11 09:38:58 +00:00
			`concat { $combined_pem:`
			`ensure => present,`
Replace "." with "," While here fix some variable usage and puppet-lint complaints 2024-10-11 09:42:12 +00:00			`owner => $customer_uid,`
			`group => $customer_uid,`
			`mode => '0640',`
Install certificate files 2024-10-11 09:38:58 +00:00			`}`

Syntax fixes 2024-10-11 09:47:44 +00:00			`concat::fragment { "${customer}-fullchain-${cache_secrets['customers'][$customer]['host']}":`
puppet-lint fixes 2024-10-11 09:46:06 +00:00			`target => $combined_pem,`
More tweaks 2024-10-11 09:51:36 +00:00			`source => "/etc/letsencrypt/live/${cache_secrets['customers'][$customer]['host']}/fullchain.pem",`
			`order => '01',`
Install certificate files 2024-10-11 09:38:58 +00:00			`}`

Syntax fixes 2024-10-11 09:47:44 +00:00			`concat::fragment { "${customer}-privkey-${cache_secrets['customers'][$customer]['host']}":`
puppet-lint fixes 2024-10-11 09:46:06 +00:00			`target => $combined_pem,`
More tweaks 2024-10-11 09:51:36 +00:00			`source => "/etc/letsencrypt/live/${cache_secrets['customers'][$customer]['host']}/privkey.pem",`
			`order => '02',`
Install certificate files 2024-10-11 09:38:58 +00:00			`}`

puppet-lint fixes 2024-10-11 09:46:06 +00:00			`file { "/opt/sunet-cdn/customers/${customer}/conf/haproxy.cfg":`
Initial cdn::cache manifest 2024-10-10 13:22:11 +00:00			`ensure => file,`
			`owner => $customer_uid,`
			`group => $customer_uid,`
			`mode => '0440',`
			`content => template('cdn/cache/haproxy.cfg.erb'),`
			`}`

puppet-lint fixes 2024-10-11 09:46:06 +00:00			`file { "/opt/sunet-cdn/customers/${customer}/conf/varnish.vcl":`
Add basic varnish VCL for testing 2024-10-10 18:39:35 +00:00			`ensure => file,`
			`owner => $customer_uid,`
			`group => $customer_uid,`
			`mode => '0440',`
			`content => template('cdn/cache/varnish.vcl.erb'),`
			`}`

puppet-lint fixes 2024-10-11 09:46:06 +00:00			`sunet::docker_compose { "sunet-cdn-cache-${customer}":`
Initial cdn::cache manifest 2024-10-10 13:22:11 +00:00			`content => template('cdn/cache/docker-compose.yml.erb'),`
puppet-lint fixes 2024-10-11 09:46:06 +00:00			`service_name => "cdn-cache-${customer}",`
			`compose_dir => "/opt/sunet-cdn/compose/${customer}",`
Initial cdn::cache manifest 2024-10-10 13:22:11 +00:00			`compose_filename => 'docker-compose.yml',`
puppet-lint fixes 2024-10-11 09:46:06 +00:00			`description => "SUNET CDN CA ${customer}",`
Initial cdn::cache manifest 2024-10-10 13:22:11 +00:00			`}`
			`}`
			`}`
			`}`
			`}`