Merge pull request #41 from oxilion/jfryman-add-mail-support

add support for mail module
voxpupuli · Apr 10, 2013 · bd0c5c5 · bd0c5c5
2 parents 6d2be48 + 4d05075
commit bd0c5c5
Show file tree

Hide file tree

Showing 9 changed files with 206 additions and 2 deletions.
diff --git a/README.markdown b/README.markdown
@@ -45,3 +45,24 @@ Add a Proxy Server(s)
      }
    } 
 </pre>
+
+Add an smtp proxy
+<pre>
+   node default {
+     class { 'nginx':
+       mail => true,
+     }
+     nginx::resource::mailhost { 'domain1.example':
+       ensure      => present,
+       auth_http   => 'server2.example/cgi-bin/auth',
+       protocol    => 'smtp',
+       listen_port => 587,
+       ssl_port    => 465,
+       starttls    => 'only',
+       xclient     => 'off',
+       ssl         => 'true',
+       ssl_cert    => '/tmp/server.crt',
+       ssl_key     => '/tmp/server.pem',
+     }
+   }
+</pre>
diff --git a/manifests/config.pp b/manifests/config.pp
@@ -40,6 +40,17 @@
     }
   }
 
+  file { "${nginx::params::nx_conf_dir}/conf.mail.d":
+    ensure => directory,
+  }
+  if $confd_purge == true {
+    File["${nginx::params::nx_conf_dir}/conf.mail.d"] {
+      ignore => "vhost_autogen.conf",
+      purge => true,
+      recurse => true,
+    }
+  }
+
 
   file { "${nginx::config::nx_run_dir}":
     ensure => directory,
@@ -74,4 +85,10 @@
     purge   => true,
     recurse => true,
   }
+
+  file { "${nginx::config::nx_temp_dir}/nginx.mail.d":
+    ensure  => directory,
+    purge   => true,
+    recurse => true,
+  }
 }
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -34,7 +34,8 @@
   $proxy_set_header   = $nginx::params::nx_proxy_set_header,
   $confd_purge        = $nginx::params::nx_confd_purge,
   $configtest_enable  = $nginx::params::nx_configtest_enable,
-  $service_restart    = $nginx::params::nx_service_restrart
+  $service_restart    = $nginx::params::nx_service_restrart,
+  $mail               = $nginx::params::nx_mail
 ) inherits nginx::params {
 
   include stdlib

diff --git a/manifests/params.pp b/manifests/params.pp
@@ -61,4 +61,6 @@
   $nx_configtest_enable	 = false
   $nx_service_restart = "/etc/init.d/nginx configtest && /etc/init.d/nginx restart"
 
+  $nx_mail = false
+
 }
diff --git a/manifests/resource/mailhost.pp b/manifests/resource/mailhost.pp
@@ -0,0 +1,106 @@
+# define: nginx::resource::mailhost
+#
+# This definition creates a virtual host
+#
+# Parameters:
+#   [*ensure*]              - Enables or disables the specified mailhost (present|absent)
+#   [*listen_ip*]           - Default IP Address for NGINX to listen with this vHost on. Defaults to all interfaces (*)
+#   [*listen_port*]         - Default IP Port for NGINX to listen with this vHost on. Defaults to TCP 80
+#   [*listen_options*]      - Extra options for listen directive like 'default' to catchall. Undef by default.
+#   [*ipv6_enable*]         - BOOL value to enable/disable IPv6 support (false|true). Module will check to see if IPv6
+#                             support exists on your system before enabling.
+#   [*ipv6_listen_ip*]      - Default IPv6 Address for NGINX to listen with this vHost on. Defaults to all interfaces (::)
+#   [*ipv6_listen_port*]    - Default IPv6 Port for NGINX to listen with this vHost on. Defaults to TCP 80
+#   [*ipv6_listen_options*] - Extra options for listen directive like 'default' to catchall. Template will allways add ipv6only=on.
+#                             While issue jfryman/puppet-nginx#30 is discussed, default value is 'default'.
+#   [*index_files*]         - Default index files for NGINX to read when traversing a directory
+#   [*ssl*]                 - Indicates whether to setup SSL bindings for this mailhost.
+#   [*ssl_cert*]            - Pre-generated SSL Certificate file to reference for SSL Support. This is not generated by this module.
+#   [*ssl_key*]             - Pre-generated SSL Key file to reference for SSL Support. This is not generated by this module.
+#   [*ssl_port*]            - Default IP Port for NGINX to listen with this SSL vHost on. Defaults to TCP 443
+#   [*starttls*]            - enable STARTTLS support: (on|off|only)
+#   [*protocol*]            - Mail protocol to use: (imap|pop3|smtp)
+#   [*auth_http*]           - With this directive you can set the URL to the external HTTP-like server for authorization.
+#   [*xclient*]             - wheter to use xclient for smtp (on|off)
+#   [*server_name*]         - List of mailhostnames for which this mailhost will respond. Default [$name].
+#
+# Actions:
+#
+# Requires:
+#
+# Sample Usage:
+#  nginx::resource::mailhost { 'domain1.example':
+#    ensure      => present,
+#    auth_http   => 'server2.example/cgi-bin/auth',
+#    protocol    => 'smtp',
+#    listen_port => 587,
+#    ssl_port    => 465,
+#    starttls    => 'only',
+#    xclient     => 'off',
+#    ssl         => 'true',
+#    ssl_cert    => '/tmp/server.crt',
+#    ssl_key     => '/tmp/server.pem',
+#  }
+define nginx::resource::mailhost(
+  $ensure                 = 'enable',
+  $listen_ip              = '*',
+  $listen_port,
+  $listen_options         = undef,
+  $ipv6_enable            = false,
+  $ipv6_listen_ip         = '::',
+  $ipv6_listen_port       = '80',
+  $ipv6_listen_options    = 'default',
+  $ssl                    = false,
+  $ssl_cert               = undef,
+  $ssl_key                = undef,
+  $ssl_port               = undef,
+  $starttls               = 'off',
+  $protocol               = undef,
+  $auth_http              = undef,
+  $xclient                = 'on',
+  $server_name            = [$name]
+) {
+  File {
+    owner => 'root',
+    group => 'root',
+    mode  => '0644',
+  }
+
+  # Add IPv6 Logic Check - Nginx service will not start if ipv6 is enabled
+  # and support does not exist for it in the kernel.
+  if ($ipv6_enable and !$::ipaddress6)  {
+    warning('nginx: IPv6 support is not enabled or configured properly')
+  }
+
+  # Check to see if SSL Certificates are properly defined.
+  if ($ssl or $starttls == 'on' or $starttls == 'only') {
+    if ($ssl_cert == undef) or ($ssl_key == undef) {
+      fail('nginx: SSL certificate/key (ssl_cert/ssl_cert) and/or SSL Private must be defined and exist on the target system(s)')
+    }
+  }
+
+  # Use the File Fragment Pattern to construct the configuration files.
+  # Create the base configuration file reference.
+  if ($listen_port != $ssl_port) {
+    file { "${nginx::config::nx_temp_dir}/nginx.mail.d/${name}-001":
+      ensure  => $ensure ? {
+        'absent' => absent,
+        default  => 'file',
+      },
+      content => template('nginx/mailhost/mailhost.erb'),
+      notify => Class['nginx::service'],
+    }
+  }
+
+  # Create SSL File Stubs if SSL is enabled
+  if ($ssl) {
+    file { "${nginx::config::nx_temp_dir}/nginx.mail.d/${name}-700-ssl":
+      ensure => $ensure ? {
+        'absent' => absent,
+        default  => 'file',
+      },
+      content => template('nginx/mailhost/mailhost_ssl.erb'),
+      notify => Class['nginx::service'],
+    }
+  }
+}
diff --git a/manifests/service.pp b/manifests/service.pp
@@ -23,12 +23,18 @@
     unless	=> "/usr/bin/test ! -f ${nginx::params::nx_temp_dir}/nginx.d/*",
     subscribe   => File["${nginx::params::nx_temp_dir}/nginx.d"],
   }
+  exec { 'rebuild-nginx-mailhosts':
+    command     => "/bin/cat ${nginx::params::nx_temp_dir}/nginx.mail.d/* > ${nginx::params::nx_conf_dir}/conf.mail.d/vhost_autogen.conf",
+    refreshonly => true,
+    unless	=> "/usr/bin/test ! -f ${nginx::params::nx_temp_dir}/nginx.mail.d/*",
+    subscribe   => File["${nginx::params::nx_temp_dir}/nginx.mail.d"],
+  }
   service { "nginx":
     ensure     => running,
     enable     => true,
     hasstatus  => true,
     hasrestart => true,
-    subscribe  => Exec['rebuild-nginx-vhosts'],
+    subscribe  => Exec['rebuild-nginx-vhosts', 'rebuild-nginx-mailhosts'],
   }
   if $configtest_enable == true {
     Service["nginx"] {

diff --git a/templates/conf.d/nginx.conf.erb b/templates/conf.d/nginx.conf.erb
@@ -31,3 +31,8 @@ http {
 
   include /etc/nginx/conf.d/*.conf;
 }
+<% if scope.lookupvar('nginx::mail') %>
+mail {
+  include /etc/nginx/conf.mail.d/*.conf;
+}
+<% end -%>
diff --git a/templates/mailhost/mailhost.erb b/templates/mailhost/mailhost.erb
@@ -0,0 +1,23 @@
+
+server {
+  listen                <%= listen_ip %>:<%= listen_port %> <% if @listen_options %><%= listen_options %><% end %>;
+  <% # check to see if ipv6 support exists in the kernel before applying %>
+  <% if ipv6_enable && (defined? @ipaddress6) %>
+  listen [<%= ipv6_listen_ip %>]:<%= ipv6_listen_port %> <% if @ipv6_listen_options %><%= ipv6_listen_options %><% end %> ipv6only=on;
+  <% end %>
+  server_name           <%= server_name.join(" ") %>;
+  protocol              <%= protocol %>;
+  xclient               <%= xclient %>;
+  auth_http             <%= auth_http %>;
+  starttls              <%= starttls %>;
+  <% if starttls == 'on' || starttls == 'only' %>
+  ssl_certificate      <%= ssl_cert %>;
+  ssl_certificate_key  <%= ssl_key %>;
+
+  ssl_session_timeout  5m;
+
+  ssl_protocols  SSLv3 TLSv1;
+  ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
+  ssl_prefer_server_ciphers   on;
+  <%- end -%>
+}
diff --git a/templates/mailhost/mailhost_ssl.erb b/templates/mailhost/mailhost_ssl.erb
@@ -0,0 +1,23 @@
+
+server {
+  listen       <%= ssl_port %>;
+  <% # check to see if ipv6 support exists in the kernel before applying %>
+  <% if ipv6_enable && (defined? @ipaddress6) %>
+  listen [<%= ipv6_listen_ip %>]:<%= ipv6_listen_port %> <% if @ipv6_listen_options %><%= ipv6_listen_options %><% end %> ipv6only=on;
+  <% end %>
+  server_name           <%= server_name.join(" ") %>;
+  protocol              <%= protocol %>;
+  xclient               <%= xclient %>;
+  auth_http             <%= auth_http %>;
+
+  ssl on;
+  ssl_certificate      <%= ssl_cert %>;
+  ssl_certificate_key  <%= ssl_key %>;
+
+  ssl_session_timeout  5m;
+
+  ssl_protocols  SSLv3 TLSv1;
+  ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
+  ssl_prefer_server_ciphers   on;
+
+}