module-nginx/manifests/resource/mailhost.pp

150 lines
5.6 KiB
Puppet

# define: nginx::resource::mailhost
#
# This definition creates a virtual host
#
# Parameters:
# [*ensure*] - Enables or disables the specified mailhost (present|absent)
# [*listen_ip*] - Default IP Address for NGINX to listen with this vHost on. Defaults to all interfaces (*)
# [*listen_port*] - Default IP Port for NGINX to listen with this vHost on. Defaults to TCP 80
# [*listen_options*] - Extra options for listen directive like 'default' to catchall. Undef by default.
# [*ipv6_enable*] - BOOL value to enable/disable IPv6 support (false|true). Module will check to see if IPv6
# support exists on your system before enabling.
# [*ipv6_listen_ip*] - Default IPv6 Address for NGINX to listen with this vHost on. Defaults to all interfaces (::)
# [*ipv6_listen_port*] - Default IPv6 Port for NGINX to listen with this vHost on. Defaults to TCP 80
# [*ipv6_listen_options*] - Extra options for listen directive like 'default' to catchall. Template will allways add ipv6only=on.
# While issue jfryman/puppet-nginx#30 is discussed, default value is 'default'.
# [*index_files*] - Default index files for NGINX to read when traversing a directory
# [*ssl*] - Indicates whether to setup SSL bindings for this mailhost.
# [*ssl_cert*] - Pre-generated SSL Certificate file to reference for SSL Support. This is not generated by this module.
# [*ssl_key*] - Pre-generated SSL Key file to reference for SSL Support. This is not generated by this module.
# [*ssl_port*] - Default IP Port for NGINX to listen with this SSL vHost on. Defaults to TCP 443
# [*starttls*] - enable STARTTLS support: (on|off|only)
# [*protocol*] - Mail protocol to use: (imap|pop3|smtp)
# [*auth_http*] - With this directive you can set the URL to the external HTTP-like server for authorization.
# [*xclient*] - wheter to use xclient for smtp (on|off)
# [*server_name*] - List of mailhostnames for which this mailhost will respond. Default [$name].
#
# Actions:
#
# Requires:
#
# Sample Usage:
# nginx::resource::mailhost { 'domain1.example':
# ensure => present,
# auth_http => 'server2.example/cgi-bin/auth',
# protocol => 'smtp',
# listen_port => 587,
# ssl_port => 465,
# starttls => 'only',
# xclient => 'off',
# ssl => true,
# ssl_cert => '/tmp/server.crt',
# ssl_key => '/tmp/server.pem',
# }
define nginx::resource::mailhost (
$listen_port,
$ensure = 'present',
$listen_ip = '*',
$listen_options = undef,
$ipv6_enable = false,
$ipv6_listen_ip = '::',
$ipv6_listen_port = '80',
$ipv6_listen_options = 'default ipv6only=on',
$ssl = false,
$ssl_cert = undef,
$ssl_key = undef,
$ssl_port = undef,
$starttls = 'off',
$protocol = undef,
$auth_http = undef,
$xclient = 'on',
$server_name = [$name]
) {
$root_group = $::nginx::config::root_group
File {
owner => 'root',
group => $root_group,
mode => '0644',
}
if !is_integer($listen_port) {
fail('$listen_port must be an integer.')
}
validate_re($ensure, '^(present|absent)$',
"${ensure} is not supported for ensure. Allowed values are 'present' and 'absent'.")
if !(is_array($listen_ip) or is_string($listen_ip)) {
fail('$listen_ip must be a string or array.')
}
if ($listen_options != undef) {
validate_string($listen_options)
}
validate_bool($ipv6_enable)
if !(is_array($ipv6_listen_ip) or is_string($ipv6_listen_ip)) {
fail('$ipv6_listen_ip must be a string or array.')
}
if !is_integer($ipv6_listen_port) {
fail('$ipv6_listen_port must be an integer.')
}
validate_string($ipv6_listen_options)
validate_bool($ssl)
if ($ssl_cert != undef) {
validate_string($ssl_cert)
}
if ($ssl_key != undef) {
validate_string($ssl_key)
}
if ($ssl_port != undef) and (!is_integer($ssl_port)) {
fail('$ssl_port must be an integer.')
}
validate_re($starttls, '^(on|only|off)$',
"${starttls} is not supported for starttls. Allowed values are 'on', 'only' and 'off'.")
if ($protocol != undef) {
validate_string($protocol)
}
if ($auth_http != undef) {
validate_string($auth_http)
}
validate_string($xclient)
validate_array($server_name)
$config_file = "${::nginx::config::conf_dir}/conf.mail.d/${name}.conf"
# Add IPv6 Logic Check - Nginx service will not start if ipv6 is enabled
# and support does not exist for it in the kernel.
if ($ipv6_enable and !$::ipaddress6) {
warning('nginx: IPv6 support is not enabled or configured properly')
}
# Check to see if SSL Certificates are properly defined.
if ($ssl or $starttls == 'on' or $starttls == 'only') {
if ($ssl_cert == undef) or ($ssl_key == undef) {
fail('nginx: SSL certificate/key (ssl_cert/ssl_cert) and/or SSL Private must be defined and exist on the target system(s)')
}
}
concat { $config_file:
owner => 'root',
group => $root_group,
mode => '0644',
notify => Class['::nginx::service'],
}
if ($listen_port != $ssl_port) {
concat::fragment { "${name}-header":
target => $config_file,
content => template('nginx/mailhost/mailhost.erb'),
order => '001',
}
}
# Create SSL File Stubs if SSL is enabled
if ($ssl) {
concat::fragment { "${name}-ssl":
target => $config_file,
content => template('nginx/mailhost/mailhost_ssl.erb'),
order => '700',
}
}
}