abusesa: Add support for AbuseSA services

2015-06-16 12:41:51 +03:00 · 2015-06-16 12:41:51 +03:00 · 73c505981a
commit 73c505981a
parent b77decaf8a
2 changed files with 87 additions and 0 deletions
--- a/abusesa/manifests/services.pp
+++ b/abusesa/manifests/services.pp
@ -0,0 +1,54 @@
 # Configure AbuseSA services.
 #
 class abusesa::services(
  $services=[],
  $socketdir="/var/lib/abuserv/run",
 ) {
  include user::system
  realize(User['abuserv'], Group['abuserv'])
  exec { 'usermod-abusesa-abuserv':
    path    => '/bin:/usr/bin:/sbin:/usr/sbin',
    command => 'usermod -a -G abuserv abusesa',
    unless  => 'id -n -G abusesa | grep \'\babuserv\b\'',
    require => [
      User['abusesa'],
      Group['abuserv'],
    ],
  }
  exec { 'usermod-nginx-abuserv':
    path    => '/bin:/usr/bin:/sbin:/usr/sbin',
    command => 'usermod -a -G abuserv nginx',
    unless  => 'id -n -G nginx | grep \'\babuserv\b\'',
    require => [
      Class['nginx'],
      Group['abuserv'],
    ],
  }
  file { [
    '/var/lib/abuserv',
    '/var/lib/abuserv/run',
  ]:
    ensure => directory,
    mode   => '2770',
    owner  => 'abuserv',
    group  => 'abuserv',
  }
  file { '/var/lib/abuserv/.profile':
    ensure  => present,
    mode    => '0600',
    owner   => 'abuserv',
    group   => 'abuserv',
    content => "umask 007\n",
  }
  include nginx
  nginx::config { 'abusesa.conf':
    content => template('abusesa/services/nginx.conf.erb'),
  }
 }
--- a/abusesa/templates/services/nginx.conf.erb
+++ b/abusesa/templates/services/nginx.conf.erb
@ -0,0 +1,33 @@
 log_format abusesa '$remote_addr - $http_x_remote_user [$time_local] '
                   '"$request" $status $body_bytes_sent '
                   '"$http_referer" "$http_user_agent"';
 server {
    listen 8443;
    access_log <%= scope.lookupvar('nginx::logdir') %>/abusesa.log abusesa;
    ssl on;
    ssl_verify_client on;
    ssl_certificate <%= @puppet_ssldir %>/certs/<%= @homename %>.pem;
    ssl_certificate_key <%= @puppet_ssldir %>/private_keys/<%= @homename %>.pem;
    ssl_client_certificate <%= @puppet_ssldir %>/certs/ca.pem;
    proxy_buffering off;
 <% @services.each do |service|
     dir, sep, sock = service.rpartition('/')
     dir = @socketdir if dir.empty?
     sockpath = File.join(dir, sock)
     location = sock.gsub('.', '/')
 -%>
    location /<%= location %>/ {
        proxy_pass http://unix:<%= sockpath %>:/;
    }
 <% end -%>
    location / {
        deny all;
    }
 }