At $WORK I started using Nginx a while ago, first as a front end to my mongrel instances for puppet. Recently I began to use it for one of its best-known features: reverse proxying (and caching too). Of course this work had to be puppetized!
This is a summary of what I’ve done:
- Basic setup
- Automatic setup of the status page, exploited by a munin plugin
- An “include” directory, which can be specific to a host through the usual $fqdn source selection system (as can the nginx.conf file).
- A “reverse proxy” specific class that uses a template embedding some ruby (see the previous post). My cache dir is under tmpfs, to speed up the whole thing.
This setup is mostly inspired by this post. I use a local dnsmasq setup to resolve both internal & external requests. This way I can manage vhosts being accessible from inside or outside our network. It’s incredibly flexible and allows you to get the most from your infrastructure.
The puppet class:
# @name : nginx
# @desc : base class for nginx
# @info : nil
class nginx
{
  package { "nginx":
    ensure => installed
  }
  service { "nginx":
    ensure => running
  }
  # main config: the host-specific file wins when it exists (first existing source is used)
  file { "nginx.conf":
    name => "/etc/nginx/nginx.conf",
    owner => root,
    group => root,
    source => [ "puppet://$fileserver/files/apps/nginx/$fqdn/nginx-rp-secure.conf", "puppet://$fileserver/files/apps/nginx/nginx-rp-secure.conf"],
    ensure => present,
    notify => Service["nginx"]
  }
  # status is installed on all nginx boxens
  # the host-specific source is listed first, otherwise the generic file would always be picked
  file { "nginx-status":
    name => "/etc/nginx/sites-enabled/nginx-status",
    owner => root,
    group => root,
    source => [ "puppet://$fileserver/files/apps/nginx/$fqdn/nginx-status", "puppet://$fileserver/files/apps/nginx/nginx-status"],
    ensure => present,
    notify => Service["nginx"]
  }
  # include dir, get the freshness here
  file { "include_dir":
    name => "/etc/nginx/includes",
    owner => root,
    group => root,
    source => [ "puppet://$fileserver/files/apps/nginx/includes.$fqdn", "puppet://$fileserver/files/apps/nginx/includes"],
    ensure => directory,
    recurse => true,
    notify => Service["nginx"],
    ignore => ".svn*"
  }
  # files managed by hand, no matter if it breaks
  file { "sites-managed":
    name => "/etc/nginx/sites-managed",
    owner => root,
    group => root,
    ensure => directory
  }
}
# @name : nginx::reverseproxy
# @desc : nginx config for reverse proxy
# @info : used in conjunction with a local dnsmasq
class nginx::reverseproxy
{
  include nginx
  include dnsmasq::reverseproxy
  # Vars used by the template below
  $mysqldatabase=extlookup("mysqldatabase")
  $mysqllogin=extlookup("mysqllogin")
  $mysqlpassword=extlookup("mysqlpassword")
  $mysqlserver=extlookup("mysqlserver")
  # cache dir lives on tmpfs; the owner is quoted because of the hyphen in the name
  file { "nginx-cachedir":
    name => "/dev/shm/nginx-cache",
    owner => "www-data",
    group => "www-data",
    ensure => directory
  }
  # vhost rendered from the per-host template, installed only once the cache dir exists
  file { "site_reverse-proxy":
    name => "/etc/nginx/sites-enabled/reverse-proxy",
    owner => root,
    group => root,
    content => template("nginx/$fqdn/reverse-proxy.erb"),
    ensure => present,
    notify => Service["nginx"],
    require => File["nginx-cachedir"]
  }
}
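The reverse-proxy class above with explicit file modes, as an added example that is not the author's code. The class name nginx::reverseproxy_hardened is hypothetical, and the example assumes nginx is started as root with workers running as www-data, and that the rendered vhost may contain values derived from the extlookup data.

```puppet
# Added example: variant of nginx::reverseproxy with explicit permissions.
# Include it instead of nginx::reverseproxy, not alongside it: both manage the same paths.
class nginx::reverseproxy_hardened
{
  include nginx
  include dnsmasq::reverseproxy

  # Same lookups as the original class; the template reads these variables.
  $mysqldatabase = extlookup("mysqldatabase")
  $mysqllogin    = extlookup("mysqllogin")
  $mysqlpassword = extlookup("mysqlpassword")
  $mysqlserver   = extlookup("mysqlserver")

  # /dev/shm is a world-writable tmpfs shared by every local account.
  # Without a mode, the directory is created with the agent's default
  # permissions; 0700 keeps cached upstream responses readable by the
  # nginx worker user only (assumed here to be www-data).
  file { "nginx-cachedir":
    name   => "/dev/shm/nginx-cache",
    owner  => "www-data",
    group  => "www-data",
    mode   => "0700",
    ensure => directory
  }

  # Assumption: the rendered vhost may carry values derived from the
  # lookups above. The nginx master process parses its configuration
  # as root, so root-only read access is enough for nginx to load it.
  file { "site_reverse-proxy":
    name    => "/etc/nginx/sites-enabled/reverse-proxy",
    owner   => "root",
    group   => "root",
    mode    => "0600",
    content => template("nginx/$fqdn/reverse-proxy.erb"),
    ensure  => present,
    notify  => Service["nginx"],
    require => File["nginx-cachedir"]
  }
}
```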
These are the munin plugins that are automatically distributed with the box.
One of the generated graphs:
