voxpupuli · bastelfreak · Aug 31, 2023 · Jul 7, 2023 · Jul 9, 2023 · bastelfreak
diff --git a/REFERENCE.md b/REFERENCE.md
@@ -3005,41 +3005,57 @@ Default value: `[$name]`
 
 ##### <a name="-nginx--resource--mailhost--raw_prepend"></a>`raw_prepend`
 
-Data type: `Optional[Variant[Array, String]]`
+Data type: `Variant[Array[String], String]`
 
 A single string, or an array of strings to prepend to the server directive
 (after mailhost_cfg_prepend directive). NOTE: YOU are responsible for a
 semicolon on each line that requires one.
 
-Default value: `undef`
+Default value: `[]`
 
 ##### <a name="-nginx--resource--mailhost--raw_append"></a>`raw_append`
 
-Data type: `Optional[Variant[Array, String]]`
+Data type: `Variant[Array[String], String]`
 
 A single string, or an array of strings to append to the server directive
 (after mailhost_cfg_append directive). NOTE: YOU are responsible for a
 semicolon on each line that requires one.
 
-Default value: `undef`
+Default value: `[]`
 
 ##### <a name="-nginx--resource--mailhost--mailhost_cfg_append"></a>`mailhost_cfg_append`
 
-Data type: `Optional[Hash]`
+Data type:
+
+```puppet
+Hash[String, Variant[
+      String,
+      Array[String],
+      Hash[String, Variant[String, Array[String]]],
+  ]]
+```
 
 It expects a hash with custom directives to put after everything else
 inside server
 
-Default value: `undef`
+Default value: `{}`
 
 ##### <a name="-nginx--resource--mailhost--mailhost_cfg_prepend"></a>`mailhost_cfg_prepend`
 
-Data type: `Optional[Hash]`
+Data type:
+
+```puppet
+Hash[String, Variant[
+      String,
+      Array[String],
+      Hash[String, Variant[String, Array[String]]],
+  ]]
+```
 
 It expects a hash with custom directives to put before everything else
 inside server
 
-Default value: `undef`
+Default value: `{}`
 
 ##### <a name="-nginx--resource--mailhost--auth_http_header"></a>`auth_http_header`
 

diff --git a/manifests/resource/mailhost.pp b/manifests/resource/mailhost.pp
@@ -72,9 +72,9 @@
 #   for authorization.
 # @param xclient
 #   Whether to use xclient for smtp
-# @param proxy_protocol 
+# @param proxy_protocol
 #   Wheter to use proxy_protocol
-# @param proxy_smtp_auth     
+# @param proxy_smtp_auth
 #   Wheter to use proxy_smtp_auth
 # @param imap_auth
 #   Sets permitted methods of authentication for IMAP clients.
@@ -170,23 +170,38 @@
   Optional[Array] $pop3_capabilities             = undef,
   Optional[String] $smtp_auth                    = undef,
   Optional[Array] $smtp_capabilities             = undef,
-  Optional[Variant[Array, String]] $raw_prepend  = undef,
-  Optional[Variant[Array, String]] $raw_append   = undef,
-  Optional[Hash] $mailhost_cfg_prepend           = undef,
-  Optional[Hash] $mailhost_cfg_append            = undef,
   String $proxy_pass_error_message               = 'off',
-  Array $server_name                             = [$name]
+  Array $server_name                             = [$name],
+  Variant[Array[String], String] $raw_prepend    = [],
+  Variant[Array[String], String] $raw_append     = [],
+  Hash[String, Variant[
+      String,
+      Array[String],
+      Hash[String, Variant[String, Array[String]]],
+  ]] $mailhost_cfg_prepend                       = {},
+  Hash[String, Variant[
+      String,
+      Array[String],
+      Hash[String, Variant[String, Array[String]]],
+  ]] $mailhost_cfg_append                        = {},
 ) {
   if ! defined(Class['nginx']) {
     fail('You must include the nginx base class before using any defined resources')
   }
 
   # Add IPv6 Logic Check - Nginx service will not start if ipv6 is enabled
   # and support does not exist for it in the kernel.
-  if ($ipv6_enable and !$facts['networking']['ip6']) {
+  $has_ipaddress6 = ($facts.get('networking.ip6') =~ Stdlib::IP::Address::V6)
+  if ($ipv6_enable and !$has_ipaddress6) {
     warning('nginx: IPv6 support is not enabled or configured properly')
   }
 
+  if $ipv6_enable and $has_ipaddress6 {
+    $_ipv6_listen_ip = Array($ipv6_listen_ip, true)
+  } else {
+    $_ipv6_listen_ip = []
+  }
+
   # Check to see if SSL Certificates are properly defined.
   if ($ssl or $starttls == 'on' or $starttls == 'only') {
     if ($ssl_cert == undef) or ($ssl_key == undef) {
@@ -197,6 +212,53 @@
   $config_dir  = "${nginx::conf_dir}/conf.mail.d"
   $config_file = "${config_dir}/${name}.conf"
 
+  # Pre-render some common parts
+  $mailhost_prepend = epp('nginx/prepend_append.epp', {
+      cfg_xpend => $mailhost_cfg_prepend,
+      raw_xpend => Array($raw_prepend, true),
+  })
+  $mailhost_append = epp('nginx/prepend_append.epp', {
+      cfg_xpend => $mailhost_cfg_append,
+      raw_xpend => Array($raw_append, true),
+  })
+
+  $mailhost_ssl_settings = epp('nginx/mailhost/mailhost_ssl_settings.epp', {
+      ssl_cert                  => $ssl_cert,
+      ssl_ciphers               => $ssl_ciphers,
+      ssl_client_cert           => $ssl_client_cert,
+      ssl_crl                   => $ssl_crl,
+      ssl_dhparam               => $ssl_dhparam,
+      ssl_ecdh_curve            => $ssl_ecdh_curve,
+      ssl_key                   => $ssl_key,
+      ssl_password_file         => $ssl_password_file,
+      ssl_prefer_server_ciphers => $ssl_prefer_server_ciphers,
+      ssl_protocols             => $ssl_protocols,
+      ssl_session_cache         => $ssl_session_cache,
+      ssl_session_ticket_key    => $ssl_session_ticket_key,
+      ssl_session_tickets       => $ssl_session_tickets,
+      ssl_session_timeout       => $ssl_session_timeout,
+      ssl_trusted_cert          => $ssl_trusted_cert,
+      ssl_verify_depth          => $ssl_verify_depth,
+  })
+
+  $mailhost_common = epp('nginx/mailhost/mailhost_common.epp', {
+      auth_http                => $auth_http,
+      auth_http_header         => $auth_http_header,
+      imap_auth                => $imap_auth,
+      imap_capabilities        => $imap_capabilities,
+      imap_client_buffer       => $imap_client_buffer,
+      pop3_auth                => $pop3_auth,
+      pop3_capabilities        => $pop3_capabilities,
+      protocol                 => $protocol,
+      proxy_pass_error_message => $proxy_pass_error_message,
+      proxy_protocol           => $proxy_protocol,
+      proxy_smtp_auth          => $proxy_smtp_auth,
+      server_name              => $server_name,
+      smtp_auth                => $smtp_auth,
+      smtp_capabilities        => $smtp_capabilities,
+      xclient                  => $xclient,
+  })
+
   concat { $config_file:
     ensure  => $ensure,
     owner   => 'root',
@@ -210,17 +272,42 @@
   if $ssl_port == undef or $listen_port != $ssl_port {
     concat::fragment { "${name}-header":
       target  => $config_file,
-      content => template('nginx/mailhost/mailhost.erb'),
       order   => '001',
+      content => epp('nginx/mailhost/mailhost.epp', {
+          ipv6_listen_ip        => $_ipv6_listen_ip,
+          ipv6_listen_options   => $ipv6_listen_options,
+          ipv6_listen_port      => $ipv6_listen_port,
+          listen_ip             => Array($listen_ip, true),
+          listen_options        => $listen_options,
+          listen_port           => $listen_port,
+          mailhost_append       => $mailhost_append,
+          mailhost_common       => $mailhost_common,
+          mailhost_prepend      => $mailhost_prepend,
+          mailhost_ssl_settings => $mailhost_ssl_settings,
+          nginx_version         => $nginx::nginx_version,
+          starttls              => $starttls,
+      }),
     }
   }
 
   # Create SSL File Stubs if SSL is enabled
   if $ssl {
     concat::fragment { "${name}-ssl":
       target  => $config_file,
-      content => template('nginx/mailhost/mailhost_ssl.erb'),
       order   => '700',
+      content => epp('nginx/mailhost/mailhost_ssl.epp', {
+          ipv6_listen_ip        => $_ipv6_listen_ip,
+          ipv6_listen_options   => $ipv6_listen_options,
+          ipv6_listen_port      => $ipv6_listen_port,
+          listen_ip             => Array($listen_ip, true),
+          listen_options        => $listen_options,
+          mailhost_append       => $mailhost_append,
+          mailhost_common       => $mailhost_common,
+          mailhost_prepend      => $mailhost_prepend,
+          mailhost_ssl_settings => $mailhost_ssl_settings,
+          nginx_version         => $nginx::nginx_version,
+          ssl_port              => $ssl_port,
+      }),
     }
   }
 }
diff --git a/spec/default_module_facts.yml b/spec/default_module_facts.yml
diff --git a/spec/defines/resource_mailhost_spec.rb b/spec/defines/resource_mailhost_spec.rb
@@ -6,7 +6,8 @@
   on_supported_os.each do |os, facts|
     context "on #{os} with Facter #{facts[:facterversion]} and Puppet #{facts[:puppetversion]}" do
       let(:facts) do
-        facts
+        # Explicitly define the IPv6 address facts
+        override_facts(facts, networking: { ip6: '2001:db8::c0:ffee' })
       end
       let(:title) { 'www.rspec.example.com' }
       let :default_params do
@@ -152,7 +153,19 @@
               notmatch: %r{  ssl_session_timeout  5m;}
             },
             {
-              title: 'should contain raw_prepend directives',
+              title: 'should contain raw_prepend directives (String)',
+              attr: 'raw_prepend',
+              value: 'test value;',
+              match: ['  test value;']
+            },
+            {
+              title: 'should contain raw_append directives (String)',
+              attr: 'raw_append',
+              value: 'test value;',
+              match: ['  test value;']
+            },
+            {
+              title: 'should contain raw_prepend directives (Array)',
               attr: 'raw_prepend',
               value: [
                 'if (a) {',
@@ -162,7 +175,7 @@
               match: %r{^\s+if \(a\) \{\n\s++b;\n\s+\}}
             },
             {
-              title: 'should contain raw_append directives',
+              title: 'should contain raw_append directives (Array)',
               attr: 'raw_append',
               value: [
                 'if (a) {',
@@ -174,23 +187,45 @@
             {
               title: 'should contain ordered prepended directives',
               attr: 'mailhost_cfg_prepend',
-              value: { 'test1' => 'test value 1', 'test2' => ['test value 2a', 'test value 2b'], 'test3' => 'test value 3' },
+              value: {
+                'test1' => 'test value 1',
+                'test2' => ['test value 2a', 'test value 2b'],
+                'test3' => {
+                  'subkey 3a' => 'subvalue 3a',
+                  'subkey 3b' => ['subvalue 3b1', 'subvalue 3b2'],
+                },
+                'test4' => 'test value 4',
+              },
               match: [
                 '  test1 test value 1;',
                 '  test2 test value 2a;',
                 '  test2 test value 2b;',
-                '  test3 test value 3;'
+                '  test3 subkey 3a subvalue 3a;',
+                '  test3 subkey 3b subvalue 3b1;',
+                '  test3 subkey 3b subvalue 3b2;',
+                '  test4 test value 4;',
               ]
             },
             {
               title: 'should contain ordered appended directives',
               attr: 'mailhost_cfg_append',
-              value: { 'test1' => 'test value 1', 'test2' => ['test value 2a', 'test value 2b'], 'test3' => 'test value 3' },
+              value: {
+                'test1' => 'test value 1',
+                'test2' => ['test value 2a', 'test value 2b'],
+                'test3' => {
+                  'subkey 3a' => 'subvalue 3a',
+                  'subkey 3b' => ['subvalue 3b1', 'subvalue 3b2'],
+                },
+                'test4' => 'test value 4',
+              },
               match: [
                 '  test1 test value 1;',
                 '  test2 test value 2a;',
                 '  test2 test value 2b;',
-                '  test3 test value 3;'
+                '  test3 subkey 3a subvalue 3a;',
+                '  test3 subkey 3b subvalue 3b1;',
+                '  test3 subkey 3b subvalue 3b2;',
+                '  test4 test value 4;',
               ]
             }
           ].each do |param|
@@ -641,6 +676,7 @@
               end
             end
           end
+
           context 'on nginx 1.16' do
             let(:params) do
               {
@@ -744,15 +780,6 @@
             it { is_expected.to contain_concat__fragment("#{title}-header") }
           end
 
-          context 'when listen_port != "ssl_port"' do
-            let :params do
-              default_params.merge(listen_port: 80,
-                                   ssl_port: 443)
-            end
-
-            it { is_expected.to contain_concat__fragment("#{title}-header") }
-          end
-
           context 'when listen_port == ssl_port' do
             let :params do
               default_params.merge(listen_port: 80,
@@ -762,15 +789,6 @@
             it { is_expected.not_to contain_concat__fragment("#{title}-header") }
           end
 
-          context 'when listen_port == "ssl_port"' do
-            let :params do
-              default_params.merge(listen_port: 80,
-                                   ssl_port: 80)
-            end
-
-            it { is_expected.not_to contain_concat__fragment("#{title}-header") }
-          end
-
           context 'when ssl => true' do
             let :params do
               default_params.merge(ensure: 'absent',
@@ -793,6 +811,35 @@
             it { is_expected.not_to contain_concat__fragment("#{title}-ssl") }
           end
         end
+
+        context 'without IPv6 address present' do
+          let(:params) do
+            {
+              listen_port: 25,
+              ssl_port: 587,
+              ipv6_enable: true,
+              ssl: true,
+              ssl_cert: 'dummy.crt',
+              ssl_key: 'dummy.key'
+            }
+          end
+          let(:facts) do
+            facts.reject do |k, v|
+              (k == :ipaddress6) or
+                (k == :networking and v.keys.include? 'ip6')
+            end
+          end
+
+          it do
+            is_expected.to contain_concat__fragment("#{title}-header").
+              without_content(%r{^  listen                \[::\]:25 default ipv6only=on;})
+          end
+
+          it do
+            is_expected.to contain_concat__fragment("#{title}-ssl").
+              without_content(%r{^  listen                \[::\]:587 default ipv6only=on;})
+          end
+        end
       end
     end
   end