Commit
Adds new SSL && protocol specific directives to mailhost setup (voxpupuli#769)

* Adds new SSL && protocol specific directives to mailhost setup

The SSL setup customisation of a mailhost is very limited. To allow
more directives to be set, the ssl configuration was extracted and
arranged like the setup for a vhost.
The setup was also expanded to customize protocol specific authentication
method and capabilities.

* Extended test cases to include newly introduced ssl and protocol specific options in mailhost setup

* support raw_prepend, raw_append, mailhost_cfg_append, mailhost_cfg_prepend, in mailhost

* Fixes rubocop issues

* Render template without a new line

* Fixes typo in mailhost.pp

* Fix inlining after merge and dropping newlines when rendering a template
dol authored and jyaworski committed Nov 7, 2016
1 parent e3ea14a commit 91938a5
Showing 6 changed files with 626 additions and 114 deletions.
208 changes: 165 additions & 43 deletions manifests/resource/mailhost.pp
@@ -3,28 +3,54 @@
# This definition creates a virtual host
#
# Parameters:
# [*ensure*] - Enables or disables the specified mailhost (present|absent)
# [*listen_ip*] - Default IP Address for NGINX to listen with this vHost on. Defaults to all interfaces (*)
# [*listen_port*] - Default IP Port for NGINX to listen with this vHost on. Defaults to TCP 80
# [*listen_options*] - Extra options for listen directive like 'default' to catchall. Undef by default.
# [*ipv6_enable*] - BOOL value to enable/disable IPv6 support (false|true). Module will check to see if IPv6
# support exists on your system before enabling.
# [*ipv6_listen_ip*] - Default IPv6 Address for NGINX to listen with this vHost on. Defaults to all interfaces (::)
# [*ipv6_listen_port*] - Default IPv6 Port for NGINX to listen with this vHost on. Defaults to TCP 80
# [*ipv6_listen_options*] - Extra options for listen directive like 'default' to catchall. Template will allways add ipv6only=on.
# While issue jfryman/puppet-nginx#30 is discussed, default value is 'default'.
# [*index_files*] - Default index files for NGINX to read when traversing a directory
# [*ssl*] - Indicates whether to setup SSL bindings for this mailhost.
# [*ssl_cert*] - Pre-generated SSL Certificate file to reference for SSL Support. This is not generated by this module.
# [*ssl_protocols*] - SSL protocols enabled. Defaults to nginx::config::ssl_protocols
# [*ssl_ciphers*] - Override default SSL ciphers (defaults to nginx::config::ssl_ciphers)
# [*ssl_key*] - Pre-generated SSL Key file to reference for SSL Support. This is not generated by this module.
# [*ssl_port*] - Default IP Port for NGINX to listen with this SSL vHost on. Defaults to TCP 443
# [*starttls*] - Enable STARTTLS support: (on|off|only)
# [*protocol*] - Mail protocol to use: (imap|pop3|smtp)
# [*auth_http*] - With this directive you can set the URL to the external HTTP-like server for authorization.
# [*xclient*] - Whether to use xclient for smtp (on|off)
# [*server_name*] - List of mailhostnames for which this mailhost will respond. Default [$name].
# [*ensure*] - Enables or disables the specified mailhost (present|absent)
# [*listen_ip*] - Default IP Address for NGINX to listen with this vHost on. Defaults to all interfaces (*)
# [*listen_port*] - Default IP Port for NGINX to listen with this vHost on. Defaults to TCP 80
# [*listen_options*] - Extra options for listen directive like 'default' to catchall. Undef by default.
# [*ipv6_enable*] - BOOL value to enable/disable IPv6 support (false|true). Module will check to see if IPv6
# support exists on your system before enabling.
# [*ipv6_listen_ip*] - Default IPv6 Address for NGINX to listen with this vHost on. Defaults to all interfaces (::)
# [*ipv6_listen_port*] - Default IPv6 Port for NGINX to listen with this vHost on. Defaults to TCP 80
# [*ipv6_listen_options*] - Extra options for listen directive like 'default' to catchall. Template will allways add ipv6only=on.
# While issue jfryman/puppet-nginx#30 is discussed, default value is 'default'.
# [*index_files*] - Default index files for NGINX to read when traversing a directory
# [*ssl*] - Indicates whether to setup SSL bindings for this mailhost.
# [*ssl_cert*] - Pre-generated SSL Certificate file to reference for SSL Support. This is not generated by this module.
# [*ssl_ciphers*] - Override default SSL ciphers. Defaults to nginx::ssl_ciphers
# [*ssl_client_cert*] - Pre-generated SSL Certificate file to reference for client verify SSL Support. This is not generated by this module.
# [*ssl_crl*] - String: Specifies CRL path in file system
# [*ssl_dhparam*] - This directive specifies a file containing Diffie-Hellman key agreement protocol cryptographic parameters, in PEM
# format, utilized for exchanging session keys between server and client.
# [*ssl_ecdh_curve*] - This directive specifies a curve for ECDHE ciphers.
# [*ssl_key*] - Pre-generated SSL Key file to reference for SSL Support. This is not generated by this module.
# [*ssl_password_file*] - This directive specifies a file containing passphrases for secret keys.
# [*ssl_port*] - Default IP Port for NGINX to listen with this SSL vHost on. Defaults to TCP 443
# [*ssl_protocols*] - SSL protocols enabled. Defaults to nginx::ssl_protocols
# [*ssl_session_cache*] - Sets the type and size of the session cache.
# [*ssl_session_ticket_key*] - This directive specifies a file containing secret key used to encrypt and decrypt TLS session tickets.
# [*ssl_session_tickets*] - Whether to enable or disable session resumption through TLS session tickets.
# [*ssl_session_timeout*] - String: Specifies a time during which a client may reuse the session parameters stored in a cache.
# Defaults to 5m.
# [*ssl_trusted_cert*] - String: Specifies a file with trusted CA certificates in the PEM format used to verify client
# certificates and OCSP responses if ssl_stapling is enabled.
# [*ssl_verify_depth*] - Sets the verification depth in the client certificates chain.
# [*starttls*] - Enable STARTTLS support: (on|off|only)
# [*protocol*] - Mail protocol to use: (imap|pop3|smtp)
# [*auth_http*] - With this directive you can set the URL to the external HTTP-like server for authorization.
# [*xclient*] - Whether to use xclient for smtp (on|off)
# [*imap_auth*] - Sets permitted methods of authentication for IMAP clients.
# [*imap_capabilities*] - Sets the IMAP protocol extensions list that is passed to the client in response to the CAPABILITY command.
# [*imap_client_buffer*] - Sets the IMAP commands read buffer size.
# [*pop3_auth*] - Sets permitted methods of authentication for POP3 clients.
# [*pop3_capabilities*] - Sets the POP3 protocol extensions list that is passed to the client in response to the CAPA command.
# [*smtp_auth*] - Sets permitted methods of SASL authentication for SMTP clients.
# [*smtp_capabilities*] - Sets the SMTP protocol extensions list that is passed to the client in response to the EHLO command.
# [*proxy_pass_error_message*] - Indicates whether to pass the error message obtained during the authentication on the backend to the client.
# [*server_name*] - List of mailhostnames for which this mailhost will respond. Default [$name].
# [*raw_prepend*] - A single string, or an array of strings to prepend to the server directive (after mailhost_cfg_prepend directive). NOTE: YOU are responsible for a semicolon on each line that requires one.
# [*raw_append*] - A single string, or an array of strings to append to the server directive (after mailhost_cfg_append directive). NOTE: YOU are responsible for a semicolon on each line that requires one.
# [*mailhost_cfg_append*] - It expects a hash with custom directives to put after everything else inside vhost
# [*mailhost_cfg_prepend*] - It expects a hash with custom directives to put before everything else inside vhost
#
# Actions:
#
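Review bot: the new client-verification parameters (`ssl_client_cert`, `ssl_crl`, `ssl_verify_depth`) are documented as if they enable client certificate checks, but no `ssl_verify_client` parameter is added in this hunk or in the signature below; in nginx the `ssl_client_cert`, `ssl_crl` and `ssl_verify_depth` directives have no effect unless `ssl_verify_client` is set, so either add that parameter or state in the docs that verification has to be switched on elsewhere. The `ssl_trusted_cert` description also mentions OCSP responses "if ssl_stapling is enabled", yet this define exposes no `ssl_stapling` parameter; trim that clause so readers do not expect stapling support from a mailhost. `auth_http_header` is declared in the signature but still has no doc line here.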
@@ -45,25 +71,48 @@
# }
define nginx::resource::mailhost (
$listen_port,
$ensure = 'present',
$listen_ip = '*',
$listen_options = undef,
$ipv6_enable = false,
$ipv6_listen_ip = '::',
$ipv6_listen_port = 80,
$ipv6_listen_options = 'default ipv6only=on',
$ssl = false,
$ssl_cert = undef,
$ssl_protocols = $::nginx::ssl_protocols,
$ssl_ciphers = $::nginx::ssl_ciphers,
$ssl_key = undef,
$ssl_port = undef,
$starttls = 'off',
$protocol = undef,
$auth_http = undef,
$auth_http_header = undef,
$xclient = 'on',
$server_name = [$name]
$ensure = 'present',
$listen_ip = '*',
$listen_options = undef,
$ipv6_enable = false,
$ipv6_listen_ip = '::',
$ipv6_listen_port = 80,
$ipv6_listen_options = 'default ipv6only=on',
$ssl = false,
$ssl_cert = undef,
$ssl_ciphers = $::nginx::ssl_ciphers,
$ssl_client_cert = undef,
$ssl_crl = undef,
$ssl_dhparam = undef,
$ssl_ecdh_curve = undef,
$ssl_key = undef,
$ssl_password_file = undef,
$ssl_port = undef,
$ssl_protocols = $::nginx::ssl_protocols,
$ssl_session_cache = undef,
$ssl_session_ticket_key = undef,
$ssl_session_tickets = undef,
$ssl_session_timeout = '5m',
$ssl_trusted_cert = undef,
$ssl_verify_depth = undef,
$starttls = 'off',
$protocol = undef,
$auth_http = undef,
$auth_http_header = undef,
$xclient = 'on',
$imap_auth = undef,
$imap_capabilities = undef,
$imap_client_buffer = undef,
$pop3_auth = undef,
$pop3_capabilities = undef,
$smtp_auth = undef,
$smtp_capabilities = undef,
$raw_prepend = undef,
$raw_append = undef,
$mailhost_cfg_prepend = undef,
$mailhost_cfg_append = undef,
$proxy_pass_error_message = 'off',
$server_name = [$name]
) {

$root_group = $::nginx::root_group
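Review bot: the new parameters are declared in a different order from the header documentation (`$proxy_pass_error_message` comes after the `raw_*` and `mailhost_cfg_*` parameters here, while the docs list it before `server_name` and before those), which makes it easy to miss a parameter that is documented but never declared, or the reverse; reorder one side to match the other. Also worth a doc note: with `$ssl_session_tickets = undef` and `$ssl_session_ticket_key = undef` nginx's own defaults apply, and `ssl_session_ticket_key` only has an effect while tickets are enabled.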
@@ -104,7 +153,6 @@
validate_string($ssl_cert)
}
validate_string($ssl_protocols)
validate_string($ssl_ciphers)
if ($ssl_key != undef) {
validate_string($ssl_key)
}
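Review bot: `validate_string($ssl_ciphers)` is removed here and re-added further down next to the new SSL checks, while `validate_string($ssl_protocols)` stays in its old place; keeping the two adjacent (either both here or both below) makes it easier to confirm that every `ssl_*` parameter is validated exactly once.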
@@ -113,9 +161,41 @@
warning('DEPRECATION: String $ssl_port must be converted to an integer. Integer string support will be removed in a future release.')
}
elsif !is_integer($ssl_port) {
fail('$ssl_port must be an integer.')
fail('$ssl_port must be an integer.')
}
}
validate_string($ssl_ciphers)
if ($ssl_client_cert != undef) {
validate_string($ssl_client_cert)
}
if ($ssl_crl != undef) {
validate_string($ssl_crl)
}
if ($ssl_dhparam != undef) {
validate_string($ssl_dhparam)
}
if ($ssl_ecdh_curve != undef) {
validate_string($ssl_ecdh_curve)
}
if ($ssl_session_cache != undef) {
validate_string($ssl_session_cache)
}
if ($ssl_session_ticket_key != undef) {
validate_string($ssl_session_ticket_key)
}
if ($ssl_session_tickets != undef) {
validate_string($ssl_session_tickets)
}
validate_string($ssl_session_timeout)
if ($ssl_password_file != undef) {
validate_string($ssl_password_file)
}
if ($ssl_trusted_cert != undef) {
validate_string($ssl_trusted_cert)
}
if ($ssl_verify_depth != undef) and (!is_integer($ssl_verify_depth)) {
fail('$ssl_verify_depth must be an integer.')
}
validate_re($starttls, '^(on|only|off)$',
"${starttls} is not supported for starttls. Allowed values are 'on', 'only' and 'off'.")
if ($protocol != undef) {
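Review bot: `validate_string($ssl_session_tickets)` accepts any string, but the nginx directive only takes `on` or `off`; use a `validate_re` with an explicit pattern and message, as is already done for `$starttls` a few lines below, so a typo fails at catalog compile time instead of at nginx reload. `$ssl_verify_depth` is correctly checked as an integer, but nothing checks that `$ssl_client_cert` is set alongside it; a depth without a client CA file is silently meaningless, and a `fail()` in that case would surface the misconfiguration.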
@@ -128,6 +208,48 @@
validate_string($auth_http_header)
}
validate_string($xclient)
if ($imap_auth != undef) {
validate_string($imap_auth)
}
if ($imap_capabilities != undef) {
validate_array($imap_capabilities)
}
if ($imap_client_buffer != undef) {
validate_string($imap_client_buffer)
}
if ($pop3_auth != undef) {
validate_string($pop3_auth)
}
if ($pop3_capabilities != undef) {
validate_array($pop3_capabilities)
}
if ($smtp_auth != undef) {
validate_string($smtp_auth)
}
if ($smtp_capabilities != undef) {
validate_array($smtp_capabilities)
}
if ($raw_prepend != undef) {
if (is_array($raw_prepend)) {
validate_array($raw_prepend)
} else {
validate_string($raw_prepend)
}
}
if ($raw_append != undef) {
if (is_array($raw_append)) {
validate_array($raw_append)
} else {
validate_string($raw_append)
}
}
if ($mailhost_cfg_prepend != undef) {
validate_hash($mailhost_cfg_prepend)
}
if ($mailhost_cfg_append != undef) {
validate_hash($mailhost_cfg_append)
}
validate_string($proxy_pass_error_message)
validate_array($server_name)

$config_dir = "${::nginx::conf_dir}/conf.mail.d"
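Review bot: in the `$raw_prepend` and `$raw_append` blocks, `validate_array` right after `is_array` is redundant (it can never fail there), so the only effective check is the `validate_string` in the else branch; the block collapses to `unless is_array($raw_prepend) { validate_string($raw_prepend) }`. Separately, `validate_string($proxy_pass_error_message)` lets any value through although the directive only takes `on`/`off` (the same applies to the pre-existing `$xclient`); a `validate_re` like the `$starttls` check would catch mistakes before the config reaches nginx.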
