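# Configure a SUNET CDN cache node.
#
# Sets up the shared /opt/sunet-cdn tree, the dummy + IPIP tunnel interfaces
# (systemd-networkd), sysctl settings and the nftables rules needed to accept
# load-balanced traffic from the l4lb nodes, and then one haproxy/varnish
# docker-compose stack per customer.
#
# @param customers
#   Map of customer name => numeric UID. Every file and directory that
#   belongs to a customer (config, cache, TLS private key) is owned by that
#   UID, so the UID is what separates customers from each other on the host
#   and the values must be unique across customers.
#
# Secrets are read from the hiera key 'cdn::cache-secrets'. The shape used
# below is (inferred from the lookups; confirm against hieradata):
#   customers:
#     <customer>:
#       host: <certificate name, i.e. the directory under /etc/letsencrypt/live/>
# If the key is missing, or a customer has no entry under it, that customer's
# stack is silently skipped rather than failing the catalog.
class cdn::cache(
  Hash[String, Integer] $customers = {
    customer1 => 1000000000,
  }
) {
  include sunet::packages::certbot
  include cdn::ca_trust

  # 'default_value' => undef turns "no secrets configured" into undef instead
  # of a lookup failure; the per-customer block below is guarded on it.
  $cache_secrets = lookup({ 'name' => 'cdn::cache-secrets', 'default_value' => undef })

  # Shared, root-owned, world-readable directory skeleton. Per-customer
  # subtrees under customers/ get their own (0750, customer UID) permissions.
  file { ['/opt/sunet-cdn', '/opt/sunet-cdn/customers', '/opt/sunet-cdn/conf']:
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0755',
  }

  # Seccomp profile handed to the varnish container (template-provided; the
  # name suggests it only adds "slash" related syscalls - see the template).
  file { '/opt/sunet-cdn/conf/varnish-slash-seccomp.json':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => template('cdn/cache/varnish-slash-seccomp.json.erb'),
  }

  # systemd-networkd units for the dummy interface (service IPs) and the IPIP
  # tunnel interface that receives encapsulated traffic from the l4lb nodes.
  # Each unit's template lives at cdn/cache/<unit>.erb.
  $network_units = [
    '10-cdn-dummy.netdev',
    '10-cdn-dummy.network',
    '10-cdn-ipip.netdev',
    '10-cdn-ipip.network',
  ]
  $network_units.each |String $unit| {
    file { "/etc/systemd/network/${unit}":
      ensure  => file,
      owner   => 'root',
      group   => 'root',
      mode    => '0644',
      content => template("cdn/cache/${unit}.erb"),
    }
  }

  # Reload the network config if it has changed. Only the .network files are
  # subscribed to (as before); .netdev changes are not re-applied here.
  exec { 'networkctl reload':
    subscribe   => [
      File['/etc/systemd/network/10-cdn-dummy.network'],
      File['/etc/systemd/network/10-cdn-ipip.network'],
    ],
    refreshonly => true,
  }

  $sysctl_file = '/etc/sysctl.d/99-cdn-cache.conf'
  file { $sysctl_file:
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => template('cdn/cache/sysctl.erb'),
  }

  # Load the sysctl file if it has changed
  exec { "sysctl -p ${sysctl_file}":
    subscribe   => File[$sysctl_file],
    refreshonly => true,
  }

  # Allow tunnel packets arriving from the l4lb nodes. IPIP carries no
  # authentication, so this accept is purely by source address: keep the
  # address set limited to the actual l4lb nodes (hard-coded here; candidates
  # for a class parameter if the l4lb set changes).
  sunet::nftables::rule { 'sunet_cdn_tunnel4':
    rule => 'add rule inet filter input ip saddr { 130.242.64.233, 130.242.64.235 } ip protocol ipencap counter accept comment "sunet-cdn-tunnel4"',
  }

  # Allow decapsulated tunnel packets targeting the service IP range to reach
  # local service ports. Scoped to the tunnel interface so the service range
  # is not reachable through other interfaces via this rule.
  sunet::nftables::rule { 'sunet_cdn_service4':
    rule => 'add rule inet filter input meta iifname tunl0 ip daddr 188.240.152.0/24 tcp dport { 80, 443 } counter accept comment "sunet-cdn-service4"',
  }

  if $cache_secrets {
    $customers.each |String $customer, Integer $customer_uid| {
      # dig() yields undef when the 'customers' key or the customer entry is
      # missing, so an incomplete secrets hash skips that customer instead of
      # aborting catalog compilation on an undef index (needs Puppet >= 4.5).
      $customer_secrets = $cache_secrets.dig('customers', $customer)

      if $customer_secrets {
        $customer_dir = "/opt/sunet-cdn/customers/${customer}"
        # Certificate name under /etc/letsencrypt/live/ for this customer.
        $cert_host = $customer_secrets['host']

        # Whole per-customer tree is owned by the customer UID and closed to
        # others; this is the isolation boundary between customers' data.
        file { [
          $customer_dir,
          "${customer_dir}/conf",
          "${customer_dir}/shared",
          "${customer_dir}/cache",
          "${customer_dir}/certs-private",
        ]:
          ensure => directory,
          owner  => $customer_uid,
          group  => $customer_uid,
          mode   => '0750',
        }

        # haproxy wants chain + key in one PEM. The result contains the
        # private key, hence 0640 and customer ownership; the fragments are
        # read from the root-only letsencrypt tree by the agent.
        $combined_pem = "${customer_dir}/certs-private/combined.pem"
        concat { $combined_pem:
          ensure => present,
          owner  => $customer_uid,
          group  => $customer_uid,
          mode   => '0640',
        }
        concat::fragment { "${customer}-fullchain-${cert_host}":
          target => $combined_pem,
          source => "/etc/letsencrypt/live/${cert_host}/fullchain.pem",
          order  => '01',
        }
        concat::fragment { "${customer}-privkey-${cert_host}":
          target => $combined_pem,
          source => "/etc/letsencrypt/live/${cert_host}/privkey.pem",
          order  => '02',
        }

        # Rendered service configs are read-only even for the owner (0440);
        # puppet rewrites them, the containers only read them.
        file { "${customer_dir}/conf/haproxy.cfg":
          ensure  => file,
          owner   => $customer_uid,
          group   => $customer_uid,
          mode    => '0440',
          content => template('cdn/cache/haproxy.cfg.erb'),
        }
        file { "${customer_dir}/conf/varnish.vcl":
          ensure  => file,
          owner   => $customer_uid,
          group   => $customer_uid,
          mode    => '0440',
          content => template('cdn/cache/varnish.vcl.erb'),
        }

        # One compose stack (and systemd service) per customer.
        # NOTE(review): the description says "CA" although this is the cache
        # stack - looks like a copy/paste leftover; confirm before changing,
        # since it is part of the generated unit.
        sunet::docker_compose { "sunet-cdn-cache-${customer}":
          content          => template('cdn/cache/docker-compose.yml.erb'),
          service_name     => "cdn-cache-${customer}",
          compose_dir      => "/opt/sunet-cdn/compose/${customer}",
          compose_filename => 'docker-compose.yml',
          description      => "SUNET CDN CA ${customer}",
        }
      }
    }
  }
}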