netmask: 255.255.255.0
network: 10.3.3.0/24
```
+
+## Proxy
+
+Class `proxmox::proxy` can handle proxying internal web servers.
+
+```
+class {'proxmox::proxy':
+ mail => lookup('mail.root_mail'),
+ base_hostname => lookup('network.public_hostname'),
+}
+```
+
+This uses the Apache HTTP Server and mod_md to obtain certificates.
+Your hostname must be publicly accessible, because http challenges are used.
+
+You receive mails to restart your server when required.
--- /dev/null
+class proxmox::proxy ($mail, $base_hostname) {
+ package {'apache2':}
+ ->
+ service {'apache2':
+ enable => true,
+ ensure => running,
+ require => File['/usr/local/bin/notify_md_renewal'],
+ }
+
+ $apache_dep = {
+ require => Package['apache2'],
+ notify => Service['apache2'],
+ }
+
+ ['md', 'ssl'].each |$mod| {
+ exec {"/usr/sbin/a2enmod $mod":
+ creates => "/etc/apache2/mods-enabled/$mod.load",
+ * => $apache_dep,
+ }
+ }
+
+ file {'/etc/apache2/sites-enabled/test.conf':
+ content => @("EOT")
+ MDomain $base_hostname
+ MDCertificateAgreement accepted
+ MDContactEmail $mail
+ MDNotifyCmd /usr/local/bin/notify_md_renewal
+
+ <VirtualHost *:443>
+ ServerName $base_hostname
+ SSLEngine on
+ </VirtualHost>
+ | EOT
+ ,
+ * => $apache_dep
+ }
+
+ file {'/usr/local/bin/notify_md_renewal':
+ content => @("EOT"/$)
+ #!/bin/sh
+
+ mail $mail -s "Restart apache2 on $base_hostname for certificate \$1" </dev/null
+ | EOT
+ ,
+ mode => '0755',
+ }
+}
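Review bot: `$mail` and `$base_hostname` are untyped and are interpolated verbatim into two places where whitespace or metacharacters change meaning: the Apache config heredoc (`MDomain`, `MDContactEmail`, `ServerName`) and the `/usr/local/bin/notify_md_renewal` script, where `$mail` lands unquoted on the `mail` command line. Both values come from `lookup()` in the node manifest, so a malformed or tampered Hiera entry could presumably add Apache directives or extra shell words that take effect when mod_md runs the notify hook. Constraining the parameters closes that off, e.g. `class proxmox::proxy (Pattern[/\A[\w.+-]+@[\w.-]+\z/] $mail, Pattern[/\A[A-Za-z0-9.-]+\z/] $base_hostname) {`. I would also quote the recipient in the script, `mail "$mail" -s "Restart apache2 on $base_hostname for certificate \$1" </dev/null`, and set `owner => 'root', group => 'root'` on the script's file resource so the hook's executable has explicit ownership.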
node 'h1.pdp7.net' {
class {'proxmox::freeipa':}
+ class {'proxmox::proxy':
+ mail => lookup('mail.root_mail'),
+ base_hostname => lookup('network.public_hostname'),
+ }
class {'dns_dhcp':}
# TODO: ugly; tinc scripts require this :(