From c79ca1077d05211f01609b82fb04f81ea9d59794 Mon Sep 17 00:00:00 2001
From: Yury Bushmelev
Date: Fri, 7 Jul 2023 15:31:41 +0400
Subject: [PATCH 1/2] Remove duplicated contexts
Those contexts were checking for different data types while ago (integer, string)
---
 spec/defines/resource_mailhost_spec.rb | 18 ------------------
 1 file changed, 18 deletions(-)
diff --git a/spec/defines/resource_mailhost_spec.rb b/spec/defines/resource_mailhost_spec.rb
index c2608b50e..8f9757a88 100644
--- a/spec/defines/resource_mailhost_spec.rb
+++ b/spec/defines/resource_mailhost_spec.rb
@@ -744,15 +744,6 @@
 it { is_expected.to contain_concat__fragment("#{title}-header") }
 end
- context 'when listen_port != "ssl_port"' do
- let :params do
- default_params.merge(listen_port: 80,
- ssl_port: 443)
- end
-
- it { is_expected.to contain_concat__fragment("#{title}-header") }
- end
-
 context 'when listen_port == ssl_port' do
 let :params do
 default_params.merge(listen_port: 80,
@@ -762,15 +753,6 @@
 it { is_expected.not_to contain_concat__fragment("#{title}-header") }
 end
- context 'when listen_port == "ssl_port"' do
- let :params do
- default_params.merge(listen_port: 80,
- ssl_port: 80)
- end
-
- it { is_expected.not_to contain_concat__fragment("#{title}-header") }
- end
-
 context 'when ssl => true' do
 let :params do
 default_params.merge(ensure: 'absent',
From 38e2edb6fe048579ff3f4552773c504d228b6a8e Mon Sep 17 00:00:00 2001
From: Yury Bushmelev
Date: Sun, 9 Jul 2023 13:12:37 +0400
Subject: [PATCH 2/2] Convert mailhost templates to EPP
---
 REFERENCE.md | 32 ++++--
 manifests/resource/mailhost.pp | 107 +++++++++++++++++--
 spec/default_module_facts.yml | 2 -
 spec/defines/resource_mailhost_spec.rb | 79 ++++++++++++--
 templates/mailhost/mailhost.epp | 35 ++++++
 templates/mailhost/mailhost.erb | 67 ------------
 templates/mailhost/mailhost_common.epp | 63 +++++++++++
 templates/mailhost/mailhost_common.erb | 43 --------
 templates/mailhost/mailhost_ssl.epp | 31 ++++++
 templates/mailhost/mailhost_ssl.erb | 65 -----------
 templates/mailhost/mailhost_ssl_settings.epp | 56 ++++++++++
 templates/mailhost/mailhost_ssl_settings.erb | 38 -------
 templates/prepend_append.epp | 22 ++++
 13 files changed, 400 insertions(+), 240 deletions(-)
 delete mode 100644 spec/default_module_facts.yml
 create mode 100644 templates/mailhost/mailhost.epp
 delete mode 100644 templates/mailhost/mailhost.erb
 create mode 100644 templates/mailhost/mailhost_common.epp
 delete mode 100644 templates/mailhost/mailhost_common.erb
 create mode 100644 templates/mailhost/mailhost_ssl.epp
 delete mode 100644 templates/mailhost/mailhost_ssl.erb
 create mode 100644 templates/mailhost/mailhost_ssl_settings.epp
 delete mode 100644 templates/mailhost/mailhost_ssl_settings.erb
 create mode 100644 templates/prepend_append.epp
diff --git a/REFERENCE.md b/REFERENCE.md
index 8188c1057..1564eb84a 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -3005,41 +3005,57 @@ Default value: `[$name]` ##### `raw_prepend` -Data type: `Optional[Variant[Array, String]]` +Data type: `Variant[Array[String], String]` A single string, or an array of strings to prepend to the server directive (after mailhost_cfg_prepend directive). NOTE: YOU are responsible for a semicolon on each line that requires one. -Default value: `undef` +Default value: `[]` ##### `raw_append` -Data type: `Optional[Variant[Array, String]]` +Data type: `Variant[Array[String], String]` A single string, or an array of strings to append to the server directive (after mailhost_cfg_append directive). NOTE: YOU are responsible for a semicolon on each line that requires one. -Default value: `undef` +Default value: `[]` ##### `mailhost_cfg_append` -Data type: `Optional[Hash]` +Data type: + +```puppet +Hash[String, Variant[ + String, + Array[String], + Hash[String, Variant[String, Array[String]]], + ]] +``` It expects a hash with custom directives to put after everything else inside server -Default value: `undef` +Default value: `{}` ##### `mailhost_cfg_prepend` -Data type: `Optional[Hash]` +Data type: + +```puppet +Hash[String, Variant[ + String, + Array[String], + Hash[String, Variant[String, Array[String]]], + ]] +``` It expects a hash with custom directives to put before everything else inside server -Default value: `undef` +Default value: `{}` ##### `auth_http_header` diff --git a/manifests/resource/mailhost.pp b/manifests/resource/mailhost.pp index fcf764ce9..6c6fe651d 100644 --- a/manifests/resource/mailhost.pp +++ b/manifests/resource/mailhost.pp @@ -72,9 +72,9 @@ # for authorization. # @param xclient # Whether to use xclient for smtp -# @param proxy_protocol +# @param proxy_protocol # Wheter to use proxy_protocol -# @param proxy_smtp_auth +# @param proxy_smtp_auth # Wheter to use proxy_smtp_auth # @param imap_auth # Sets permitted methods of authentication for IMAP clients. 
@@ -170,12 +170,20 @@
 Optional[Array] $pop3_capabilities = undef,
 Optional[String] $smtp_auth = undef,
 Optional[Array] $smtp_capabilities = undef,
- Optional[Variant[Array, String]] $raw_prepend = undef,
- Optional[Variant[Array, String]] $raw_append = undef,
- Optional[Hash] $mailhost_cfg_prepend = undef,
- Optional[Hash] $mailhost_cfg_append = undef,
 String $proxy_pass_error_message = 'off',
- Array $server_name = [$name]
+ Array $server_name = [$name],
+ Variant[Array[String], String] $raw_prepend = [],
+ Variant[Array[String], String] $raw_append = [],
+ Hash[String, Variant[
+ String,
+ Array[String],
+ Hash[String, Variant[String, Array[String]]],
+ ]] $mailhost_cfg_prepend = {},
+ Hash[String, Variant[
+ String,
+ Array[String],
+ Hash[String, Variant[String, Array[String]]],
+ ]] $mailhost_cfg_append = {},
 ) {
 if ! defined(Class['nginx']) {
 fail('You must include the nginx base class before using any defined resources')
@@ -183,10 +191,17 @@
 # Add IPv6 Logic Check - Nginx service will not start if ipv6 is enabled
 # and support does not exist for it in the kernel.
- if ($ipv6_enable and !$facts['networking']['ip6']) {
+ $has_ipaddress6 = ($facts.get('networking.ip6') =~ Stdlib::IP::Address::V6)
+ if ($ipv6_enable and !$has_ipaddress6) {
 warning('nginx: IPv6 support is not enabled or configured properly')
 }
+ if $ipv6_enable and $has_ipaddress6 {
+ $_ipv6_listen_ip = Array($ipv6_listen_ip, true)
+ } else {
+ $_ipv6_listen_ip = []
+ }
+
 # Check to see if SSL Certificates are properly defined.
 if ($ssl or $starttls == 'on' or $starttls == 'only') {
 if ($ssl_cert == undef) or ($ssl_key == undef) {
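Review bot: The `$_ipv6_listen_ip = []` branch silently drops every IPv6 listener whenever `networking.ip6` is missing or is not a V6 address, and the only trace of that is the `warning()` a few lines above; a comment on the branch would stop the next reader from assuming the listeners are still rendered, e.g. `# No usable IPv6 address fact: render no IPv6 listeners at all (warned above).` Note also that `$has_ipaddress6` now depends solely on the structured `networking.ip6` fact; the legacy `ipaddress6` fact the removed ERB tested with `defined?` is no longer consulted, which the deleted `spec/default_module_facts.yml` confirms, and that is worth a sentence in the `ipv6_enable` @param docs, which lie outside this hunk. The enclosing define continues outside the hunk.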
@@ -197,6 +212,53 @@
 $config_dir = "${nginx::conf_dir}/conf.mail.d"
 $config_file = "${config_dir}/${name}.conf"
+ # Pre-render some common parts
+ $mailhost_prepend = epp('nginx/prepend_append.epp', {
+ cfg_xpend => $mailhost_cfg_prepend,
+ raw_xpend => Array($raw_prepend, true),
+ })
+ $mailhost_append = epp('nginx/prepend_append.epp', {
+ cfg_xpend => $mailhost_cfg_append,
+ raw_xpend => Array($raw_append, true),
+ })
+
+ $mailhost_ssl_settings = epp('nginx/mailhost/mailhost_ssl_settings.epp', {
+ ssl_cert => $ssl_cert,
+ ssl_ciphers => $ssl_ciphers,
+ ssl_client_cert => $ssl_client_cert,
+ ssl_crl => $ssl_crl,
+ ssl_dhparam => $ssl_dhparam,
+ ssl_ecdh_curve => $ssl_ecdh_curve,
+ ssl_key => $ssl_key,
+ ssl_password_file => $ssl_password_file,
+ ssl_prefer_server_ciphers => $ssl_prefer_server_ciphers,
+ ssl_protocols => $ssl_protocols,
+ ssl_session_cache => $ssl_session_cache,
+ ssl_session_ticket_key => $ssl_session_ticket_key,
+ ssl_session_tickets => $ssl_session_tickets,
+ ssl_session_timeout => $ssl_session_timeout,
+ ssl_trusted_cert => $ssl_trusted_cert,
+ ssl_verify_depth => $ssl_verify_depth,
+ })
+
+ $mailhost_common = epp('nginx/mailhost/mailhost_common.epp', {
+ auth_http => $auth_http,
+ auth_http_header => $auth_http_header,
+ imap_auth => $imap_auth,
+ imap_capabilities => $imap_capabilities,
+ imap_client_buffer => $imap_client_buffer,
+ pop3_auth => $pop3_auth,
+ pop3_capabilities => $pop3_capabilities,
+ protocol => $protocol,
+ proxy_pass_error_message => $proxy_pass_error_message,
+ proxy_protocol => $proxy_protocol,
+ proxy_smtp_auth => $proxy_smtp_auth,
+ server_name => $server_name,
+ smtp_auth => $smtp_auth,
+ smtp_capabilities => $smtp_capabilities,
+ xclient => $xclient,
+ })
+
 concat { $config_file:
 ensure => $ensure,
 owner => 'root',
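Review bot: `$mailhost_ssl_settings` is rendered unconditionally, including when `$ssl` is false and `$starttls` is `'off'`, the one case in which the undef check on `$ssl_cert`/`$ssl_key` earlier in the define does not run; the template then emits `ssl_certificate ;` and `ssl_certificate_key ;` into a string that the two fragments never include. That is the only reason `mailhost_ssl_settings.epp` has to declare those two parameters `Optional[String]` instead of `String[1]`, which would catch a missing certificate at render time. Either guard the render with the same condition as the check (the `String[1]` declaration of `$mailhost_ssl_settings` in `mailhost.epp` and `mailhost_ssl.epp` would then need to accept an empty string), or at least record the coupling: `# Rendered even when no SSL fragment will use it, so the template must tolerate undef cert/key.` The enclosing define continues on both sides of the hunk.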
@@ -210,8 +272,21 @@
 if $ssl_port == undef or $listen_port != $ssl_port {
 concat::fragment { "${name}-header":
 target => $config_file,
- content => template('nginx/mailhost/mailhost.erb'),
 order => '001',
+ content => epp('nginx/mailhost/mailhost.epp', {
+ ipv6_listen_ip => $_ipv6_listen_ip,
+ ipv6_listen_options => $ipv6_listen_options,
+ ipv6_listen_port => $ipv6_listen_port,
+ listen_ip => Array($listen_ip, true),
+ listen_options => $listen_options,
+ listen_port => $listen_port,
+ mailhost_append => $mailhost_append,
+ mailhost_common => $mailhost_common,
+ mailhost_prepend => $mailhost_prepend,
+ mailhost_ssl_settings => $mailhost_ssl_settings,
+ nginx_version => $nginx::nginx_version,
+ starttls => $starttls,
+ }),
 }
 }
@@ -219,8 +294,20 @@
 if $ssl {
 concat::fragment { "${name}-ssl":
 target => $config_file,
- content => template('nginx/mailhost/mailhost_ssl.erb'),
 order => '700',
+ content => epp('nginx/mailhost/mailhost_ssl.epp', {
+ ipv6_listen_ip => $_ipv6_listen_ip,
+ ipv6_listen_options => $ipv6_listen_options,
+ ipv6_listen_port => $ipv6_listen_port,
+ listen_ip => Array($listen_ip, true),
+ listen_options => $listen_options,
+ mailhost_append => $mailhost_append,
+ mailhost_common => $mailhost_common,
+ mailhost_prepend => $mailhost_prepend,
+ mailhost_ssl_settings => $mailhost_ssl_settings,
+ nginx_version => $nginx::nginx_version,
+ ssl_port => $ssl_port,
+ }),
 }
 }
 }
diff --git a/spec/default_module_facts.yml b/spec/default_module_facts.yml
deleted file mode 100644
index 6c7303fb0..000000000
--- a/spec/default_module_facts.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-ipaddress6: '::'
diff --git a/spec/defines/resource_mailhost_spec.rb b/spec/defines/resource_mailhost_spec.rb
index 8f9757a88..86be065ed 100644
--- a/spec/defines/resource_mailhost_spec.rb
+++ b/spec/defines/resource_mailhost_spec.rb
@@ -6,7 +6,8 @@
 on_supported_os.each do |os, facts|
 context "on #{os} with Facter #{facts[:facterversion]} and Puppet #{facts[:puppetversion]}" do
 let(:facts) do
- facts
+ # Explicitly define the IPv6 address facts
+ override_facts(facts, networking: { ip6: '2001:db8::c0:ffee' })
 end
 let(:title) { 'www.rspec.example.com' }
 let :default_params do
@@ -152,7 +153,19 @@
 notmatch: %r{ ssl_session_timeout 5m;}
 },
 {
- title: 'should contain raw_prepend directives',
+ title: 'should contain raw_prepend directives (String)',
+ attr: 'raw_prepend',
+ value: 'test value;',
+ match: [' test value;']
+ },
+ {
+ title: 'should contain raw_append directives (String)',
+ attr: 'raw_append',
+ value: 'test value;',
+ match: [' test value;']
+ },
+ {
+ title: 'should contain raw_prepend directives (Array)',
 attr: 'raw_prepend',
 value: [
 'if (a) {',
@@ -162,7 +175,7 @@
 match: %r{^\s+if \(a\) \{\n\s++b;\n\s+\}}
 },
 {
- title: 'should contain raw_append directives',
+ title: 'should contain raw_append directives (Array)',
 attr: 'raw_append',
 value: [
 'if (a) {',
@@ -174,23 +187,45 @@
 {
 title: 'should contain ordered prepended directives',
 attr: 'mailhost_cfg_prepend',
- value: { 'test1' => 'test value 1', 'test2' => ['test value 2a', 'test value 2b'], 'test3' => 'test value 3' },
+ value: {
+ 'test1' => 'test value 1',
+ 'test2' => ['test value 2a', 'test value 2b'],
+ 'test3' => {
+ 'subkey 3a' => 'subvalue 3a',
+ 'subkey 3b' => ['subvalue 3b1', 'subvalue 3b2'],
+ },
+ 'test4' => 'test value 4',
+ },
 match: [
 ' test1 test value 1;',
 ' test2 test value 2a;',
 ' test2 test value 2b;',
- ' test3 test value 3;'
+ ' test3 subkey 3a subvalue 3a;',
+ ' test3 subkey 3b subvalue 3b1;',
+ ' test3 subkey 3b subvalue 3b2;',
+ ' test4 test value 4;',
 ]
 },
 {
 title: 'should contain ordered appended directives',
 attr: 'mailhost_cfg_append',
- value: { 'test1' => 'test value 1', 'test2' => ['test value 2a', 'test value 2b'], 'test3' => 'test value 3' },
+ value: {
+ 'test1' => 'test value 1',
+ 'test2' => ['test value 2a', 'test value 2b'],
+ 'test3' => {
+ 'subkey 3a' => 'subvalue 3a',
+ 'subkey 3b' => ['subvalue 3b1', 'subvalue 3b2'],
+ },
+ 'test4' => 'test value 4',
+ },
 match: [
 ' test1 test value 1;',
 ' test2 test value 2a;',
 ' test2 test value 2b;',
- ' test3 test value 3;'
+ ' test3 subkey 3a subvalue 3a;',
+ ' test3 subkey 3b subvalue 3b1;',
+ ' test3 subkey 3b subvalue 3b2;',
+ ' test4 test value 4;',
 ]
 }
 ].each do |param|
@@ -641,6 +676,7 @@
 end
 end
 end
+
 context 'on nginx 1.16' do
 let(:params) do
 {
@@ -775,6 +811,35 @@
 it { is_expected.not_to contain_concat__fragment("#{title}-ssl") }
 end
 end
+
+ context 'without IPv6 address present' do
+ let(:params) do
+ {
+ listen_port: 25,
+ ssl_port: 587,
+ ipv6_enable: true,
+ ssl: true,
+ ssl_cert: 'dummy.crt',
+ ssl_key: 'dummy.key'
+ }
+ end
+ let(:facts) do
+ facts.reject do |k, v|
+ (k == :ipaddress6) or
+ (k == :networking and v.keys.include? 'ip6')
+ end
+ end
+
+ it do
+ is_expected.to contain_concat__fragment("#{title}-header").
+ without_content(%r{^ listen \[::\]:25 default ipv6only=on;})
+ end
+
+ it do
+ is_expected.to contain_concat__fragment("#{title}-ssl").
+ without_content(%r{^ listen \[::\]:587 default ipv6only=on;})
+ end
+ end
 end
 end
 end
diff --git a/templates/mailhost/mailhost.epp b/templates/mailhost/mailhost.epp
new file mode 100644
index 000000000..8a9c4fb58
--- /dev/null
+++ b/templates/mailhost/mailhost.epp
@@ -0,0 +1,35 @@
+<%- |
+ Array[String] $ipv6_listen_ip,
+ String $ipv6_listen_options,
+ Stdlib::Port $ipv6_listen_port,
+ Array[String] $listen_ip,
+ Optional[String] $listen_options,
+ Stdlib::Port $listen_port,
+ String $mailhost_append,
+ String[1] $mailhost_common,
+ String $mailhost_prepend,
+ String[1] $mailhost_ssl_settings,
+ String[1] $nginx_version,
+ Enum['on', 'off', 'only'] $starttls,
+| -%>
+# MANAGED BY PUPPET
+server {
+<%= $mailhost_prepend -%>
+<%- $listen_ip.each |$ip| { -%>
+ listen <%= $ip %>:<%= $listen_port %><% if $listen_options { %> <%= $listen_options %><% } %>;
+<%- } -%>
+<%- $ipv6_listen_ip.each |$ipv6| { -%>
+ listen [<%= $ipv6 %>]:<%= $ipv6_listen_port %> <% if $ipv6_listen_options { %><%= $ipv6_listen_options %><% } %>;
+<%- } -%>
+<%= $mailhost_common -%>
+
+<%- if versioncmp($nginx_version, '1.15.0') < 0 { -%>
+ ssl off;
+<% } %>
+ starttls <%= $starttls %>;
+
+<% if $starttls != 'off' { %>
+<%= $mailhost_ssl_settings -%>
+<%- } -%>
+<%= $mailhost_append -%>
+}
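Review bot: The new `let(:facts)` block in the `without IPv6 address present` context uses `or`/`and` for boolean logic; their low precedence is a known trap and RuboCop's Style/AndOr flags it, so write `(k == :ipaddress6) || (k == :networking && v.keys.include?('ip6'))`. The filter also discards the entire `:networking` hash as soon as it contains an `ip6` key, so any other networking fact the catalog reads disappears with it; if the intent is only to simulate a host without an IPv6 address, `facts.merge(networking: facts[:networking].reject { |fk, _| fk == 'ip6' })` would be a narrower fixture, presumably with the same string-keyed nested layout the `include? 'ip6'` test already assumes. A one-line comment naming which fact shape (symbol top-level keys, string nested keys) the fixture relies on would help whoever next updates facterdb.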
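Review bot: In the IPv6 `listen` line of `mailhost.epp`, `$ipv6_listen_options` is declared plain `String`, and in the Puppet language an empty string is truthy, so `<% if $ipv6_listen_options { %>` never suppresses anything; with `''` the template emits `listen [::]:25 ;` (note the hard-coded space before the condition), whereas the IPv4 line only adds its space inside the guard. Mirror the IPv4 form and test for a non-empty string: ` listen [<%= $ipv6 %>]:<%= $ipv6_listen_port %><% if $ipv6_listen_options =~ String[1] { %> <%= $ipv6_listen_options %><% } %>;`. The same construct appears in the IPv6 line of `mailhost_ssl.epp` further down in this patch. `Optional[String] $listen_options` has the narrower version of the problem: it skips undef but still renders a trailing space for `''`.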
diff --git a/templates/mailhost/mailhost.erb b/templates/mailhost/mailhost.erb
deleted file mode 100644
index 468a64be4..000000000
--- a/templates/mailhost/mailhost.erb
+++ /dev/null
@@ -1,67 +0,0 @@ -# MANAGED BY PUPPET -server { -<% if @mailhost_cfg_prepend -%> - <%- @mailhost_cfg_prepend.sort_by{ |k,v| k}.each do |key,value| -%> - <%- if value.is_a?(Hash) -%> - <%- value.sort_by {|k,v| k}.each do |subkey,subvalue| -%> - <%- Array(subvalue).each do |asubvalue| -%> - <%= key %> <%= subkey %> <%= asubvalue %>; - <%- end -%> - <%- end -%> - <%- else -%> - <%- Array(value).each do |asubvalue| -%> - <%= key %> <%= asubvalue %>; - <%- end -%> - <%- end -%> - <%- end -%> -<% end -%> -<% Array(@raw_prepend).each do |line| -%> - <%= line %> -<% end -%> -<%- if @listen_ip.is_a?(Array) then -%> - <%- @listen_ip.each do |ip| -%> - listen <%= ip %>:<%= @listen_port %><% if @listen_options %> <%= @listen_options %><% end %>; - <%- end -%> -<%- else -%> - listen <%= @listen_ip %>:<%= @listen_port %><% if @listen_options %> <%= @listen_options %><% end %>; -<%- end -%> -<%# check to see if ipv6 support exists in the kernel before applying -%> -<%# FIXME this logic is duplicated all over the place -%> -<%- if @ipv6_enable && (defined? 
@ipaddress6) -%> - <%- if @ipv6_listen_ip.is_a?(Array) then -%> - <%- @ipv6_listen_ip.each do |ipv6| -%> - listen [<%= ipv6 %>]:<%= @ipv6_listen_port %> <% if @ipv6_listen_options %><%= @ipv6_listen_options %><% end %>; - <%- end -%> - <%- else -%> - listen [<%= @ipv6_listen_ip %>]:<%= @ipv6_listen_port %> <% if @ipv6_listen_options %><%= @ipv6_listen_options %><% end %>; - <%- end -%> -<%- end -%> -<%= scope.function_template(["nginx/mailhost/mailhost_common.erb"]) -%> - -<% if scope.call_function('versioncmp', [scope['nginx::nginx_version'], '1.15.0']) < 0 -%> - ssl off; -<% end -%> - starttls <%= @starttls %>; - -<% if @starttls == 'on' || @starttls == 'only' %> -<%= scope.function_template(["nginx/mailhost/mailhost_ssl_settings.erb"]) -%> -<%- end -%> -<% if @mailhost_cfg_append -%> - <%- @mailhost_cfg_append.sort_by{ |k,v| k}.each do |key,value| -%> - <%- if value.is_a?(Hash) -%> - <%- value.sort_by {|k,v| k}.each do |subkey,subvalue| -%> - <%- Array(subvalue).each do |asubvalue| -%> - <%= key %> <%= subkey %> <%= asubvalue %>; - <%- end -%> - <%- end -%> - <%- else -%> - <%- Array(value).each do |asubvalue| -%> - <%= key %> <%= asubvalue %>; - <%- end -%> - <%- end -%> - <%- end -%> -<% end -%> -<% Array(@raw_append).each do |line| -%> - <%= line %> -<% end -%> -} diff --git a/templates/mailhost/mailhost_common.epp b/templates/mailhost/mailhost_common.epp new file mode 100644 index 000000000..2ec888375 --- /dev/null +++ b/templates/mailhost/mailhost_common.epp 
@@ -0,0 +1,63 @@
+<%- |
+ Optional[String] $auth_http,
+ Optional[String] $auth_http_header,
+ Optional[String] $imap_auth,
+ Optional[Array] $imap_capabilities,
+ Optional[String] $imap_client_buffer,
+ Optional[String] $pop3_auth,
+ Optional[Array] $pop3_capabilities,
+ Optional[Enum['imap', 'pop3', 'sieve', 'smtp']]
+ $protocol,
+ String $proxy_pass_error_message,
+ Enum['on', 'off'] $proxy_protocol,
+ Enum['on', 'off'] $proxy_smtp_auth,
+ Array $server_name,
+ Optional[String] $smtp_auth,
+ Optional[Array] $smtp_capabilities,
+ Enum['on', 'off'] $xclient,
+| -%>
+ server_name <%= $server_name.join(" ") %>;
+<%- if $protocol { -%>
+ protocol <%= $protocol %>;
+<%- } -%>
+ xclient <%= $xclient %>;
+ proxy_protocol <%= $proxy_protocol %>;
+ proxy_smtp_auth <%= $proxy_smtp_auth %>;
+<%- if $auth_http { -%>
+ auth_http <%= $auth_http %>;
+<%- } -%>
+<%- if $auth_http_header { -%>
+ auth_http_header <%= $auth_http_header %>;
+<%- } -%>
+
+ proxy_pass_error_message <%= $proxy_pass_error_message %>;
+
+<%- case $protocol { -%>
+<%- 'imap': { -%>
+ <%- if $imap_auth { -%>
+ imap_auth <%= $imap_auth %>;
+ <%- } -%>
+ <%- if $imap_capabilities { -%>
+ imap_capabilities <%= $imap_capabilities.join(" ") %>;
+ <%- } -%>
+ <%- if $imap_client_buffer { -%>
+ imap_client_buffer <%= $imap_client_buffer %>;
+ <%- } -%>
+<%- } -%>
+<%- 'pop3': { -%>
+ <%- if $pop3_auth { -%>
+ pop3_auth <%= $pop3_auth %>;
+ <%- } -%>
+ <%- if $pop3_capabilities { -%>
+ pop3_capabilities <%= $pop3_capabilities.join(" ") %>;
+ <%- } -%>
+<%- } -%>
+<%- 'smtp': { -%>
+ <%- if $smtp_auth { -%>
+ smtp_auth <%= $smtp_auth %>;
+ <%- } -%>
+ <%- if $smtp_capabilities { -%>
+ smtp_capabilities <%= $smtp_capabilities.join(" ") %>;
+ <%- } -%>
+<%- } -%>
+<%- } -%>
diff --git a/templates/mailhost/mailhost_common.erb b/templates/mailhost/mailhost_common.erb
deleted file mode 100644
index 0de1b45d0..000000000
--- a/templates/mailhost/mailhost_common.erb
+++ /dev/null
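Review bot: The parameter list of `mailhost_common.epp` types the on/off switches tightly but leaves `$server_name` and the three `*_capabilities` lists as bare `Array`, although each is only ever `.join(" ")`ed into a directive; `Array[String, 1]` for `$server_name` (an empty array currently renders `server_name ;`) and `Array[String]` for the capabilities would reject bad data at render time instead of producing a malformed line. The `case $protocol` has no `default:` arm, so `'sieve'` and undef fall through silently, which matches the removed ERB but is worth making explicit with `default: {}` or a comment `# sieve and undef: no protocol-specific directives`. The manifest's own `$server_name` parameter is a bare `Array` too, but that is outside this hunk.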
@@ -1,43 +0,0 @@
- server_name <%= @server_name.join(" ") %>;
-<% if defined? @protocol -%>
- protocol <%= @protocol %>;
-<% end -%>
- xclient <%= @xclient %>;
- proxy_protocol <%= @proxy_protocol %>;
- proxy_smtp_auth <%= @proxy_smtp_auth %>;
-<% if defined? @auth_http -%>
- auth_http <%= @auth_http %>;
-<% end -%>
-<%- if @auth_http_header -%>
- auth_http_header <%= @auth_http_header %>;
-<%- end -%>
-
- proxy_pass_error_message <%= @proxy_pass_error_message %>;
-
-<% if @protocol == 'imap' %>
-<% if defined? @imap_auth -%>
- imap_auth <%= @imap_auth %>;
-<% end -%>
-<% if defined? @imap_capabilities -%>
- imap_capabilities <%= @imap_capabilities.join(" ") %>;
-<% end -%>
-<% if defined? @imap_client_buffer -%>
- imap_client_buffer <%= @imap_client_buffer %>;
-<% end -%>
-<%- end -%>
-<% if @protocol == 'pop3' %>
-<% if defined? @pop3_auth -%>
- pop3_auth <%= @pop3_auth %>;
-<% end -%>
-<% if defined? @pop3_capabilities -%>
- pop3_capabilities <%= @pop3_capabilities.join(" ") %>;
-<% end -%>
-<%- end -%>
-<% if @protocol == 'smtp' %>
-<% if defined? @smtp_auth -%>
- smtp_auth <%= @smtp_auth %>;
-<% end -%>
-<% if defined? @smtp_capabilities -%>
- smtp_capabilities <%= @smtp_capabilities.join(" ") %>;
-<% end -%>
-<%- end -%>
diff --git a/templates/mailhost/mailhost_ssl.epp b/templates/mailhost/mailhost_ssl.epp
new file mode 100644
index 000000000..3b0ef78fc
--- /dev/null
+++ b/templates/mailhost/mailhost_ssl.epp
@@ -0,0 +1,31 @@
+<%- |
+ Array[String] $ipv6_listen_ip,
+ String $ipv6_listen_options,
+ Stdlib::Port $ipv6_listen_port,
+ Array[String] $listen_ip,
+ String $mailhost_append,
+ String[1] $mailhost_common,
+ String $mailhost_prepend,
+ String[1] $mailhost_ssl_settings,
+ String[1] $nginx_version,
+ Optional[Stdlib::Port] $ssl_port,
+| -%>
+# MANAGED BY PUPPET
+server {
+<%= $mailhost_prepend -%>
+<%- $listen_ip.each |$ip| { -%>
+ listen <%= $ip %>:<%= $ssl_port %><% if versioncmp($nginx_version, '1.15.0') >= 0 { %> ssl<% } %>;
+<%- } -%>
+<%- $ipv6_listen_ip.each |$ipv6| { -%>
+ listen [<%= $ipv6 %>]:<%= $ssl_port %> <% if $ipv6_listen_options { %><%= $ipv6_listen_options %><% } %>;
+<%- } -%>
+<%= $mailhost_common -%>
+
+<%- if versioncmp($nginx_version, '1.15.0') < 0 { -%>
+ ssl on;
+<% } %>
+ starttls off;
+
+<%= $mailhost_ssl_settings -%>
+<%= $mailhost_append -%>
+}
diff --git a/templates/mailhost/mailhost_ssl.erb b/templates/mailhost/mailhost_ssl.erb
deleted file mode 100644
index 9592c4bff..000000000
--- a/templates/mailhost/mailhost_ssl.erb
+++ /dev/null
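Review bot: On nginx 1.15.0 and newer this template no longer emits `ssl on;`, and only the IPv4 `listen` line gets the ` ssl` parameter; the IPv6 `listen [<%= $ipv6 %>]:<%= $ssl_port %> ...` line gets nothing, so the IPv6 listener on the dedicated SSL port is a plaintext listener unless `ipv6_listen_options` happens to contain `ssl` (the spec in this patch expects exactly `listen [::]:587 default ipv6only=on;`, which has no such parameter). The removed ERB had the same omission, so this is inherited rather than introduced, but the rewrite is the moment to align the two lines: ` listen [<%= $ipv6 %>]:<%= $ssl_port %><% if versioncmp($nginx_version, '1.15.0') >= 0 { %> ssl<% } %><% if $ipv6_listen_options =~ String[1] { %> <%= $ipv6_listen_options %><% } %>;` (the `=~ String[1]` guard is needed because a plain `String` is truthy even when empty, and the regex in that spec would need updating). `Stdlib::Port $ipv6_listen_port` is declared and passed by the manifest but never used here; drop it or document why it is accepted.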
@@ -1,65 +0,0 @@ -# MANAGED BY PUPPET -server { -<% if @mailhost_cfg_prepend -%> - <%- @mailhost_cfg_prepend.sort_by{ |k,v| k}.each do |key,value| -%> - <%- if value.is_a?(Hash) -%> - <%- value.sort_by {|k,v| k}.each do |subkey,subvalue| -%> - <%- Array(subvalue).each do |asubvalue| -%> - <%= key %> <%= subkey %> <%= asubvalue %>; - <%- end -%> - <%- end -%> - <%- else -%> - <%- Array(value).each do |asubvalue| -%> - <%= key %> <%= asubvalue %>; - <%- end -%> - <%- end -%> - <%- end -%> -<% end -%> -<% Array(@raw_prepend).each do |line| -%> - <%= line %> -<% end -%> -<%- if @listen_ip.is_a?(Array) then -%> - <%- @listen_ip.each do |ip| -%> - listen <%= ip %>:<%= @ssl_port %><% if scope.call_function('versioncmp', [scope['nginx::nginx_version'], '1.15.0']) >= 0 -%> ssl<% end -%>; - <%- end -%> -<%- else -%> - listen <%= @listen_ip %>:<%= @ssl_port %><% if scope.call_function('versioncmp', [scope['nginx::nginx_version'], '1.15.0']) >= 0 -%> ssl<% end -%>; -<%- end -%> -<%# check to see if ipv6 support exists in the kernel before applying -%> -<%# FIXME this logic is duplicated all over the place -%> -<%- if @ipv6_enable && (defined? 
@ipaddress6) -%> - <%- if @ipv6_listen_ip.is_a?(Array) then -%> - <%- @ipv6_listen_ip.each do |ipv6| -%> - listen [<%= ipv6 %>]:<%= @ssl_port %><% if @ipv6_listen_options %> <%= @ipv6_listen_options %><% end %>; - <%- end -%> - <%- else -%> - listen [<%= @ipv6_listen_ip %>]:<%= @ssl_port %><% if @ipv6_listen_options %> <%= @ipv6_listen_options %><% end %>; - <%- end -%> -<%- end -%> -<%= scope.function_template(["nginx/mailhost/mailhost_common.erb"]) -%> - -<% if scope.call_function('versioncmp', [scope['nginx::nginx_version'], '1.15.0']) < 0 -%> - ssl on; -<% end -%> - starttls off; - -<%= scope.function_template(["nginx/mailhost/mailhost_ssl_settings.erb"]) -%> -<% if @mailhost_cfg_append -%> - <%- @mailhost_cfg_append.sort_by{ |k,v| k}.each do |key,value| -%> - <%- if value.is_a?(Hash) -%> - <%- value.sort_by {|k,v| k}.each do |subkey,subvalue| -%> - <%- Array(subvalue).each do |asubvalue| -%> - <%= key %> <%= subkey %> <%= asubvalue %>; - <%- end -%> - <%- end -%> - <%- else -%> - <%- Array(value).each do |asubvalue| -%> - <%= key %> <%= asubvalue %>; - <%- end -%> - <%- end -%> - <%- end -%> -<% end -%> -<% Array(@raw_append).each do |line| -%> - <%= line %> -<% end -%> -} diff --git a/templates/mailhost/mailhost_ssl_settings.epp b/templates/mailhost/mailhost_ssl_settings.epp new file mode 100644 index 000000000..af791710b --- /dev/null +++ b/templates/mailhost/mailhost_ssl_settings.epp 
@@ -0,0 +1,56 @@
+<%- |
+ Optional[String] $ssl_cert,
+ String $ssl_ciphers,
+ Optional[String] $ssl_client_cert,
+ Optional[String] $ssl_crl,
+ Optional[String] $ssl_dhparam,
+ Optional[String] $ssl_ecdh_curve,
+ Optional[String] $ssl_key,
+ Optional[String] $ssl_password_file,
+ Enum['on', 'off'] $ssl_prefer_server_ciphers,
+ String $ssl_protocols,
+ Optional[String] $ssl_session_cache,
+ Optional[String] $ssl_session_ticket_key,
+ Optional[String] $ssl_session_tickets,
+ String $ssl_session_timeout,
+ Optional[String] $ssl_trusted_cert,
+ Optional[Integer] $ssl_verify_depth,
+| -%>
+
+ ssl_certificate <%= $ssl_cert %>;
+ ssl_certificate_key <%= $ssl_key %>;
+ ssl_ciphers <%= $ssl_ciphers %>;
+<%- if $ssl_client_cert { -%>
+ ssl_client_certificate <%= $ssl_client_cert %>;
+ ssl_verify_client on;
+<%- } -%>
+<%- if $ssl_verify_depth { -%>
+ ssl_verify_depth <%= $ssl_verify_depth %>;
+<%- } -%>
+<%- if $ssl_crl { -%>
+ ssl_crl <%= $ssl_crl %>;
+<%- } -%>
+<%- if $ssl_dhparam { -%>
+ ssl_dhparam <%= $ssl_dhparam %>;
+<%- } -%>
+<%- if $ssl_ecdh_curve { -%>
+ ssl_ecdh_curve <%= $ssl_ecdh_curve %>;
+<%- } -%>
+<%- if $ssl_password_file { -%>
+ ssl_password_file <%= $ssl_password_file %>;
+<%- } -%>
+ ssl_prefer_server_ciphers <%= $ssl_prefer_server_ciphers %>;
+ ssl_protocols <%= $ssl_protocols %>;
+<%- if $ssl_session_cache { -%>
+ ssl_session_cache <%= $ssl_session_cache %>;
+<%- } -%>
+<%- if $ssl_session_ticket_key { -%>
+ ssl_session_ticket_key <%= $ssl_session_ticket_key %>;
+<%- } -%>
+<%- if $ssl_session_tickets { -%>
+ ssl_session_tickets <%= $ssl_session_tickets %>;
+<%- } -%>
+ ssl_session_timeout <%= $ssl_session_timeout %>;
+<%- if $ssl_trusted_cert { -%>
+ ssl_trusted_certificate <%= $ssl_trusted_cert %>;
+<%- } -%>
diff --git a/templates/mailhost/mailhost_ssl_settings.erb b/templates/mailhost/mailhost_ssl_settings.erb
deleted file mode 100644
index 551ed597f..000000000
--- a/templates/mailhost/mailhost_ssl_settings.erb
+++ /dev/null
@@ -1,38 +0,0 @@
-
- ssl_certificate <%= @ssl_cert %>;
- ssl_certificate_key <%= @ssl_key %>;
- ssl_ciphers <%= @ssl_ciphers %>;
-<% if defined? @ssl_client_cert -%>
- ssl_client_certificate <%= @ssl_client_cert %>;
- ssl_verify_client on;
-<% end -%>
-<%- if defined? @ssl_verify_depth -%>
- ssl_verify_depth <%= @ssl_verify_depth %>;
-<%- end -%>
-<% if @ssl_crl -%>
- ssl_crl <%= @ssl_crl %>;
-<% end -%>
-<% if defined? @ssl_dhparam -%>
- ssl_dhparam <%= @ssl_dhparam %>;
-<% end -%>
-<%- if defined? @ssl_ecdh_curve -%>
- ssl_ecdh_curve <%= @ssl_ecdh_curve %>;
-<%- end -%>
-<%- if defined? @ssl_password_file -%>
- ssl_password_file <%= @ssl_password_file %>;
-<%- end -%>
- ssl_prefer_server_ciphers <%= @ssl_prefer_server_ciphers %>;
- ssl_protocols <%= @ssl_protocols %>;
-<% if defined? @ssl_session_cache -%>
- ssl_session_cache <%= @ssl_session_cache %>;
-<% end -%>
-<%- if defined? @ssl_session_ticket_key -%>
- ssl_session_ticket_key <%= @ssl_session_ticket_key %>;
-<%- end -%>
-<%- if defined? @ssl_session_tickets -%>
- ssl_session_tickets <%= @ssl_session_tickets %>;
-<%- end -%>
- ssl_session_timeout <%= @ssl_session_timeout %>;
-<%- if defined? @ssl_trusted_cert -%>
- ssl_trusted_certificate <%= @ssl_trusted_cert %>;
-<%- end -%>
diff --git a/templates/prepend_append.epp b/templates/prepend_append.epp
new file mode 100644
index 000000000..ddeefcd9e
--- /dev/null
+++ b/templates/prepend_append.epp
@@ -0,0 +1,22 @@
+<%- |
+ Hash $cfg_xpend,
+ Array[String] $raw_xpend,
+| -%>
+<%- $cfg_xpend.keys.sort.each |$key| { -%>
+ <%- $value = $cfg_xpend.get($key, []) -%>
+ <%- if $value =~ Hash { -%>
+ <%- $value.keys.sort.each |$subkey| { -%>
+ <%- $subvalue = $value.get($subkey, []) -%>
+ <%- Array($subvalue, true).each |$asubvalue| { -%>
+ <%= $key %> <%= $subkey %> <%= $asubvalue %>;
+ <%- } -%>
+ <%- } -%>
+ <%- } else { -%>
+ <%- Array($value, true).each |$asubvalue| { -%>
+ <%= $key %> <%= $asubvalue %>;
+ <%- } -%>
+ <%- } -%>
+<%- } -%>
+<%- $raw_xpend.each |$line| { -%>
+ <%= $line %>
+<%- } -%>
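Review bot: `$cfg_xpend.get($key, [])` and `$value.get($subkey, [])` use the `get` function, which interprets its key as a dot-separated navigation path (the same function the manifest uses for `'networking.ip6'`), so a directive key that contains a `.` is looked up as a nested path, misses, falls back to `[]`, and the directive silently vanishes from the rendered config. Since every `$key` comes straight from `$cfg_xpend.keys`, plain indexing is both correct and simpler: `<%- $value = $cfg_xpend[$key] -%>` and `<%- $subvalue = $value[$subkey] -%>`. The bare `Hash $cfg_xpend` declaration could also mirror the manifest's `Hash[String, Variant[String, Array[String], Hash[String, Variant[String, Array[String]]]]]` so an unsupported value type fails at render time instead of being stringified into a `key value;` line.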