From 4d7283e361702a498cca3eb490cafd97928c234b Mon Sep 17 00:00:00 2001
From: Patrik Lundin
Date: Fri, 11 Oct 2024 13:49:04 +0200
Subject: [PATCH] Allow haproxy to bind to ports 80/443

This way we can run haproxy as an unprivileged user and still use what is normally considered privileged ports.
---
 .../etc/puppet/modules/cdn/manifests/cache.pp | 14 ++++++++++++++
 .../puppet/modules/cdn/templates/cache/sysctl.erb | 2 ++
 2 files changed, 16 insertions(+)
 create mode 100644 global/overlay/etc/puppet/modules/cdn/templates/cache/sysctl.erb

diff --git a/global/overlay/etc/puppet/modules/cdn/manifests/cache.pp b/global/overlay/etc/puppet/modules/cdn/manifests/cache.pp
index b600bdd..3103944 100644
--- a/global/overlay/etc/puppet/modules/cdn/manifests/cache.pp
+++ b/global/overlay/etc/puppet/modules/cdn/manifests/cache.pp
@@ -39,6 +39,20 @@ class cdn::cache(
     content => template('cdn/cache/varnish-slash-seccomp.json.erb'),
   }
 
+  $sysctl_file = '/etc/sysctl.d/99-cdn-cache.conf'
+  file { $sysctl_file:
+    ensure  => file,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0644',
+    content => template('cdn/cache/sysctl.erb'),
+  }
+  # Load the sysctl file if it has changed
+  exec { "sysctl -p ${sysctl_file}":
+    subscribe   => File[$sysctl_file],
+    refreshonly => true,
+  }
+
   if $cache_secrets {
     $customers.each |String $customer, Integer $customer_uid| {
       if $cache_secrets['customers'][$customer] {
diff --git a/global/overlay/etc/puppet/modules/cdn/templates/cache/sysctl.erb b/global/overlay/etc/puppet/modules/cdn/templates/cache/sysctl.erb
new file mode 100644
index 0000000..e0eb1a4
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/cdn/templates/cache/sysctl.erb
@@ -0,0 +1,2 @@
+# Allow haproxy to bind to port 80 and 443 when running as unprivileged user
+net.ipv4.ip_unprivileged_port_start=80
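Review bot: The `exec { "sysctl -p ${sysctl_file}": ... }` resource has no `path` and its command is not fully qualified, so Puppet will reject the catalog at apply time unless an `Exec` resource default elsewhere supplies a path; add `path => ['/usr/sbin', '/sbin', '/usr/bin', '/bin'],` or write the command as `/usr/sbin/sysctl -p ${sysctl_file}`. The new sysctl also has to be in effect before haproxy first attempts to bind port 80/443, so the exec should be ordered before the haproxy service (e.g. `before => Service['haproxy']`), but the service resource is not in this hunk, so I cannot see where it is declared. The class `cdn::cache` starts and ends outside the hunk.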
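Review bot: `net.ipv4.ip_unprivileged_port_start=80` is a host-wide setting: it lets every unprivileged user and process on the machine, not only haproxy, bind any port from 80 up to 1023, which on this host presumably includes the per-customer uids the manifest iterates over (`$customers.each |String $customer, Integer $customer_uid|`). If the goal is just haproxy on 80/443, granting `CAP_NET_BIND_SERVICE` to the haproxy service (`AmbientCapabilities=CAP_NET_BIND_SERVICE` in a systemd drop-in, or `setcap` on the binary) keeps the privilege scoped to that one process. At minimum the template comment should state the real effect rather than "port 80 and 443", e.g. `# Lower the privileged-port floor to 80: ANY unprivileged process on this host may now bind ports 80-1023, not only haproxy`.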