-rw-r--r--personal_infra/puppet/modules/proxmox/README.md16
-rw-r--r--personal_infra/puppet/modules/proxmox/manifests/proxy.pp47
-rw-r--r--personal_infra/puppet/site/h1.pdp7.net.pp4
3 files changed, 67 insertions, 0 deletions
diff --git a/personal_infra/puppet/modules/proxmox/README.md b/personal_infra/puppet/modules/proxmox/README.md
index 1600d224..42bf724c 100644
--- a/personal_infra/puppet/modules/proxmox/README.md
+++ b/personal_infra/puppet/modules/proxmox/README.md
@@ -16,3 +16,19 @@ network:
netmask: 255.255.255.0
network: 10.3.3.0/24
```
+
+## Proxy
+
+Class `proxmox::proxy` can handle proxying internal web servers.
+
+```
+class {'proxmox::proxy':
+ mail => lookup('mail.root_mail'),
+ base_hostname => lookup('network.public_hostname'),
+}
+```
+
+This uses the Apache HTTP Server and mod_md to obtain certificates.
+Your hostname must be publicly accessible, because http challenges are used.
+
+You receive mails to restart your server when required.
diff --git a/personal_infra/puppet/modules/proxmox/manifests/proxy.pp b/personal_infra/puppet/modules/proxmox/manifests/proxy.pp
new file mode 100644
index 00000000..423d5cfa
--- /dev/null
+++ b/personal_infra/puppet/modules/proxmox/manifests/proxy.pp
@@ -0,0 +1,47 @@
+class proxmox::proxy ($mail, $base_hostname) {
+ package {'apache2':}
+ ->
+ service {'apache2':
+ enable => true,
+ ensure => running,
+ require => File['/usr/local/bin/notify_md_renewal'],
+ }
+
+ $apache_dep = {
+ require => Package['apache2'],
+ notify => Service['apache2'],
+ }
+
+ ['md', 'ssl'].each |$mod| {
+ exec {"/usr/sbin/a2enmod $mod":
+ creates => "/etc/apache2/mods-enabled/$mod.load",
+ * => $apache_dep,
+ }
+ }
+
+ file {'/etc/apache2/sites-enabled/test.conf':
+ content => @("EOT")
+ MDomain $base_hostname
+ MDCertificateAgreement accepted
+ MDContactEmail $mail
+ MDNotifyCmd /usr/local/bin/notify_md_renewal
+
+ <VirtualHost *:443>
+ ServerName $base_hostname
+ SSLEngine on
+ </VirtualHost>
+ | EOT
+ ,
+ * => $apache_dep
+ }
+
+ file {'/usr/local/bin/notify_md_renewal':
+ content => @("EOT"/$)
+ #!/bin/sh
+
+ mail $mail -s "Restart apache2 on $base_hostname for certificate \$1" </dev/null
+ | EOT
+ ,
+ mode => '0755',
+ }
+}
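Review bot: The renewal hook written at `/usr/local/bin/notify_md_renewal` only sends a mail and never reloads Apache, so the renewed certificate is not served until a human acts on that mail; if the mail is lost or ignored the vhost keeps serving the old certificate until it expires, which is an availability and trust failure for a public endpoint. mod_md presumably runs MDNotifyCmd under the httpd user, so an in-script `systemctl reload apache2` would need a narrowly scoped sudoers entry (or a root-owned systemd path/timer watching the MD store) — worth deciding explicitly rather than relying on the mail. Separately, the shell line should quote its Puppet-interpolated recipient and fail loudly, e.g. `set -eu` on a line after the shebang and `mail "$mail" -s "Restart apache2 on $base_hostname for certificate \$1" </dev/null`, and `/usr/local/bin/notify_md_renewal` should carry `owner => 'root', group => 'root'` so that a www-data-writable file is never executed on every renewal. The vhost block also drops the config straight into `sites-enabled/test.conf`; placing it in `sites-available` with a descriptive name and enabling it via `a2ensite` keeps it consistent with the `a2enmod` handling above.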
diff --git a/personal_infra/puppet/site/h1.pdp7.net.pp b/personal_infra/puppet/site/h1.pdp7.net.pp
index af66ab54..ef0ff1ea 100644
--- a/personal_infra/puppet/site/h1.pdp7.net.pp
+++ b/personal_infra/puppet/site/h1.pdp7.net.pp
@@ -1,5 +1,9 @@
node 'h1.pdp7.net' {
class {'proxmox::freeipa':}
+ class {'proxmox::proxy':
+ mail => lookup('mail.root_mail'),
+ base_hostname => lookup('network.public_hostname'),
+ }
class {'dns_dhcp':}
# TODO: ugly; tinc scripts require this :(