cdn-ops/global/overlay/etc/puppet/modules/cdn/manifests/cache.pp

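# Configure a SUNET CDN cache node.
#
# Sets up the node-wide directory layout under /opt/sunet-cdn, the dummy and
# IPIP network devices used to receive tunnelled traffic from the l4lb nodes,
# sysctl settings, the nftables rules that admit tunnel and service traffic,
# and one docker-compose deployment per customer for which secrets exist.
#
# @param customers Map of customer name to the numeric uid/gid that owns that
#   customer's files and runs its containers. A customer is only deployed when
#   the 'cdn::cache-secrets' hiera entry carries a record for it under
#   'customers'; other entries in the map are skipped.
class cdn::cache(
  Hash[String, Integer] $customers = {
    customer1 => 1000000000,
  }
)
{
  include sunet::packages::certbot
  include cdn::ca_trust

  # Per-node secrets, including each customer's Let's Encrypt host name.
  # undef (no hiera entry) means nothing customer-specific is deployed.
  $cache_secrets = lookup({ 'name' => 'cdn::cache-secrets', 'default_value' => undef })

  # The exec commands below are not fully qualified, so give them an explicit
  # search path instead of relying on an Exec resource default being set
  # elsewhere in the site manifests.
  $exec_path = ['/usr/sbin', '/usr/bin', '/sbin', '/bin']

  # Node-wide, root-owned directory tree.
  file { ['/opt/sunet-cdn', '/opt/sunet-cdn/customers', '/opt/sunet-cdn/conf']:
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0755',
  }

  # Seccomp profile consumed by the varnish containers (referenced from the
  # compose template).
  file { '/opt/sunet-cdn/conf/varnish-slash-seccomp.json':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => template('cdn/cache/varnish-slash-seccomp.json.erb'),
  }

  # systemd-networkd units for the dummy (service IP holder) and IPIP
  # (tunnel endpoint) devices; each unit has a same-named template.
  $networkd_units = ['10-cdn-dummy.netdev', '10-cdn-dummy.network', '10-cdn-ipip.netdev', '10-cdn-ipip.network']
  $networkd_units.each |String $unit| {
    file { "/etc/systemd/network/${unit}":
      ensure  => file,
      owner   => 'root',
      group   => 'root',
      mode    => '0644',
      content => template("cdn/cache/${unit}.erb"),
    }
  }

  # Reload the network config if it has changed.
  # NOTE(review): only the .network units trigger a reload; a modified .netdev
  # is not applied by `networkctl reload` and needs a systemd-networkd restart
  # -- confirm that matches the intended operational procedure.
  exec { 'networkctl reload':
    path        => $exec_path,
    subscribe   => [File['/etc/systemd/network/10-cdn-dummy.network'], File['/etc/systemd/network/10-cdn-ipip.network']],
    refreshonly => true,
  }

  $sysctl_file = '/etc/sysctl.d/99-cdn-cache.conf'
  file { $sysctl_file:
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => template('cdn/cache/sysctl.erb'),
  }

  # Load the sysctl file if it has changed.
  exec { "sysctl -p ${sysctl_file}":
    path        => $exec_path,
    subscribe   => File[$sysctl_file],
    refreshonly => true,
  }

  # Allow tunnel (IP-in-IP) packets arriving from the l4lb nodes. Only the
  # listed source addresses may deliver encapsulated traffic to this node.
  sunet::nftables::rule { 'sunet_cdn_tunnel4':
    rule => 'add rule inet filter input ip saddr { 130.242.64.233, 130.242.64.235 } ip protocol ipencap counter accept comment "sunet-cdn-tunnel4"',
  }

  # Allow decapsulated tunnel packets targeting the service IP range to reach
  # local service ports. Traffic is matched on the tunl0 interface only, so the
  # service range is not reachable through other interfaces via this rule.
  # The nft comment string must be closed, otherwise nft rejects the rule.
  sunet::nftables::rule { 'sunet_cdn_service4':
    rule => 'add rule inet filter input meta iifname tunl0 ip daddr 188.240.152.0/24 tcp dport { 80, 443 } counter accept comment "sunet-cdn-service4"',
  }

  if $cache_secrets {
    $customers.each |String $customer, Integer $customer_uid| {
      # dig() tolerates a secrets hash without a 'customers' map, where a plain
      # [] chain would abort catalog compilation on undef.
      $customer_secrets = $cache_secrets.dig('customers', $customer)

      if $customer_secrets {
        $customer_dir = "/opt/sunet-cdn/customers/${customer}"
        # Let's Encrypt lineage name used to locate the customer's cert files.
        $le_host = $customer_secrets['host']

        # Customer-private tree: owned by the customer's uid/gid, not
        # world-readable, so containers of one customer cannot read another's
        # configuration or key material.
        file { [
          $customer_dir,
          "${customer_dir}/conf",
          "${customer_dir}/shared",
          "${customer_dir}/cache",
          "${customer_dir}/certs-private",
        ]:
          ensure => directory,
          owner  => $customer_uid,
          group  => $customer_uid,
          mode   => '0750',
        }

        # haproxy expects a single PEM with the full chain followed by the
        # private key; assemble it from the certbot lineage. The result holds
        # the private key, hence the restrictive mode.
        $combined_pem = "${customer_dir}/certs-private/combined.pem"
        concat { $combined_pem:
          ensure => present,
          owner  => $customer_uid,
          group  => $customer_uid,
          mode   => '0640',
        }

        concat::fragment { "${customer}-fullchain-${le_host}":
          target => $combined_pem,
          source => "/etc/letsencrypt/live/${le_host}/fullchain.pem",
          order  => '01',
        }

        concat::fragment { "${customer}-privkey-${le_host}":
          target => $combined_pem,
          source => "/etc/letsencrypt/live/${le_host}/privkey.pem",
          order  => '02',
        }

        # Service configuration rendered from the per-customer secrets; the
        # templates read the loop variables from this scope.
        file { "${customer_dir}/conf/haproxy.cfg":
          ensure  => file,
          owner   => $customer_uid,
          group   => $customer_uid,
          mode    => '0440',
          content => template('cdn/cache/haproxy.cfg.erb'),
        }

        file { "${customer_dir}/conf/varnish.vcl":
          ensure  => file,
          owner   => $customer_uid,
          group   => $customer_uid,
          mode    => '0440',
          content => template('cdn/cache/varnish.vcl.erb'),
        }

        # Start the customer's containers only once its config and combined
        # certificate exist, independent of manifest ordering.
        # NOTE(review): the description says "CA" although this is the cache
        # service -- looks copied from the CA class; confirm before renaming.
        sunet::docker_compose { "sunet-cdn-cache-${customer}":
          content          => template('cdn/cache/docker-compose.yml.erb'),
          service_name     => "cdn-cache-${customer}",
          compose_dir      => "/opt/sunet-cdn/compose/${customer}",
          compose_filename => 'docker-compose.yml',
          description      => "SUNET CDN CA ${customer}",
          require          => [
            File["${customer_dir}/conf/haproxy.cfg"],
            File["${customer_dir}/conf/varnish.vcl"],
            Concat[$combined_pem],
          ],
        }
      }
    }
  }
}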