voxpupuli / puppet-puppetboard

Puppet module to install and manage puppetboard
https://forge.puppet.com/puppet/puppetboard
Apache License 2.0

Append vhost includes #283

Open jza34 opened 4 years ago

jza34 commented 4 years ago

Hi, I'm trying to add an include statement to the puppetboard vhost with no luck. Is there a way to do it?

My last attempt, based on digging through your code, is:

  class { 'puppetboard::apache::vhost':
    vhost_name => $::fqdn,
    port       => 9080,
    custom_apache_parameters => {
      additional_includes +> ['/etc/httpd/10-auth_openidc.conf']
    }
  }

My wish is to add this include "/etc/httpd/10-auth_openidc.conf" in the Vhost definition created by the module, right before closing the Virtualhost definition.

You'll notice I use (+>) instead of (=>), but I get this error:

Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Syntax error at '+>' (file: /etc/puppetlabs/code/environments/production/modules/webreport/manifests/init.pp, line: 65, column: 27

And with (=>) instead I get this error:

Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: The attribute 'additional_includes' has already been set (file: /etc/puppetlabs/code/environments/production/modules/puppetboard/manifests/apache/vhost.pp, line: 144, column: 3)

I hope you can help me to do this :) Thank you

SiteDesignUSA commented 2 years ago

Same here. I've tried in the past to set this up but to no avail. All I (and you) want to do is add some configs to apache conf. Just some way to amend the virtualhost.

Back in 2014, nibalizer said in https://github.com/voxpupuli/puppet-puppetboard/issues/19#issuecomment-44161759 that "I don't think its in scope for us to pass in a ton of apache options. The module can set up a basic puppetboard for you if you like, and if you don't like to do that, include everything but the Apache section. And roll your own apache configuration."

I've tried "rolling my own" and tried just copying out the apache conf file to set up, and puppetboard goes to the docroot but it's without an index page and just shows the directory content. It's a mess.

Back in 2019 I tried this and got some feedback (a year after I asked). The reason I know is I just stumbled upon my question again now that I'm trying to get this working again.

vchepkov gave me code (and I'm going to try it) which uses an erb file.

The link is https://github.com/voxpupuli/puppet-puppetboard/issues/243#issuecomment-609116274

b4ldr gave me code too (which I will also try) and a documentation link that uses the variable, heredoc idea.

https://github.com/voxpupuli/puppet-puppetboard/issues/243#issuecomment-609730611

smortex commented 2 years ago

"amending" is an anti-pattern in Puppet, and custom_apache_parameters is rather limited. If you have "advanced" requirements, do not use this built-in VHost and provide your own in your puppetboard profile. I also think the module should probably not ship with such a VHost or insist on the fact it is only a starter/example you will not use in a real world scenario.

Here is my profile for reference (it uses passenger to serve the application and relies on puppet PKI to grant access to the dashboard):

class profile::puppetboard (
  String[1] $hostname = 'puppetboard.example.com',
) {
  include profile::apache
  include profile::python

  $puppetboard_path = '/srv/puppetboard/puppetboard/'

  class { 'puppetboard':
    revision       => 'v3.3.0',
    puppetdb_port  => 8079,
    offline_mode   => true,
    extra_settings => {
      'DAILY_REPORTS_CHART_DAYS' => 14,
      'GRAPH_FACTS'              => [
        'aio_agent_version',
        'apache_version',
        'apt_has_updates',
        'apt_reboot_required',
        'architecture',
        'augeasversion',
        'bios_vendor',
        'bios_version',
        'boardmanufacturer',
        'clientversion',
        'collectd_version',
        'customer',
        'docker_client_version',
        'docker_server_version',
        'domain',
        'facterversion',
        'freebsd_reboot_required',
        'hardwareisa',
        'hardwaremodel',
        'is_pe',
        'is_virtual',
        'kernel',
        'kernelmajversion',
        'kernelrelease',
        'kernelversion',
        'lsbcodename',
        'lsbdistcodename',
        'lsbdistid',
        'lsbdistrelease',
        'lsbmajdistrelease',
        'manufacturer',
        'netmask',
        'operatingsystem',
        'operatingsystemmajrelease',
        'operatingsystemrelease',
        'osfamily',
        'package_provider',
        'physicalprocessorcount',
        'pip_version',
        'pkg_has_updates',
        'pkg_has_vulnerabilities',
        'processorcount',
        'puppetversion',
        'python2_version',
        'python3_version',
        'python_version',
        'rubyplatform',
        'rubyversion',
        'selinux',
        'service_provider',
        'syslog_ng_version',
        'systemd',
        'systemd_version',
        'timezone',
        'type',
        'virtual',
        'virtualbox_version',
        'virtualenv_version',
        'zfs_version',
        'zpool_version',
      ],
      'INVENTORY_FACTS'          => "[('Hostname', 'fqdn'), ('Customer', 'customer'), ('Role', 'role'), ('OS', 'lsbdistdescription'), ('Kernel Version', 'kernelrelease'), ('Puppet Version', 'puppetversion')]",
    },
  }

  dehydrated::certificate { $hostname:
  }

  apache::vhost { $hostname:
    port                   => 443,
    docroot                => "${puppetboard_path}/public",
    aliases                => [
      {
        alias => '/static',
        path  => "${puppetboard_path}/puppetboard/static",
      },
    ],
    manage_docroot         => false,
    setenv                 => [
      "PUPPETBOARD_SETTINGS ${puppetboard_path}/settings.py",
    ],
    ssl                    => true,
    ssl_ca                 => "${settings::ssldir}/certs/ca.pem",
    ssl_crl                => "${settings::ssldir}/crl.pem",
    ssl_verify_client      => 'require',
    passenger_app_root     => $puppetboard_path,
    passenger_app_type     => 'wsgi',
    passenger_startup_file => 'wsgi.py',
    passenger_python       => '/srv/puppetboard/virtenv-puppetboard/bin/python',
    passenger_user         => 'puppetboard',
    *                      => dehydrated::apache::vhost_attributes($hostname),
  }

  Class['puppetboard'] ~> Class['apache::service']
}

SiteDesignUSA commented 2 years ago

@smortex

"amending" is an anti-pattern in Puppet, and custom_apache_parameters is rather limited. If you have "advanced" requirements, do not use this built-in VHost and provide your own in your puppetboard profile. I also think the module should probably not ship with such a VHost or insist on the fact it is only a starter/example you will not use in a real world scenario.

Yes. I'm not as quick and sharp as others on this, so I struggle. All I want to do is get rid of the preconfigured "Require all granted" in the puppetboard/templates/apache/conf.erb:12: file. I can then just make my own directory section, but with the hard code, I can't get basic auth or any security working.

I just need to add:

$directory_frag = @(CONFIG)
Options Indexes FollowSymLinks MultiViews
AllowOverride None
AuthBasicProvider file
AuthName "Restricted Content"
AuthType Basic
AuthUserFile "/home/puppetboard/.htpasswd/.pass"
Require valid-user
| CONFIG

  class { 'puppetboard::apache::vhost':
    vhost_name               => "$tj_vhost_name",
    port                     => $tj_vhost_port,
    ssl                      => true,
    ssl_cert                 => "$tj_ssl_cert_path",
    ssl_key                  => "$tj_ssl_key_path",
    custom_apache_parameters => {
      directories => [{
        provider        => 'directory',
        path            => '/srv/puppetboard/puppetboard',
        custom_fragment => $directory_frag,
      }, ],
    },
  }

and somehow get rid of the preconfigured "Require all granted"
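
Why the hardcoded line matters, as an added example that is not part of the thread or the module's code: Apache 2.4 treats several `Require` directives in one section, outside a `<RequireAll>`, as an implicit `<RequireAny>`, so `Require all granted` next to `Require valid-user` admits everyone. The Python check below flags that pattern in a rendered vhost file; the sample config is constructed and assumes the template's line and the custom fragment land in the same `<Directory>` block.

```python
import re

# Constructed sample of a rendered vhost (assumption: the template's hardcoded
# "Require all granted" and the basic-auth fragment share one <Directory>).
SAMPLE_VHOST = '''\
<VirtualHost *:443>
  <Directory "/srv/puppetboard/puppetboard">
    Require all granted
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    AuthBasicProvider file
    AuthName "Restricted Content"
    AuthType Basic
    AuthUserFile "/home/puppetboard/.htpasswd/.pass"
    Require valid-user
  </Directory>
</VirtualHost>
'''

OPEN = re.compile(r'<(Directory|Location)(?:Match)?\s+"?([^">]+)"?\s*>', re.I)
CLOSE = re.compile(r'</(Directory|Location)(?:Match)?>', re.I)
WRAP = re.compile(r'<(/?)Require(All|Any|None)\s*>', re.I)
REQUIRE = re.compile(r'Require\s+(.+)$', re.I)


def audit_vhost(conf_text):
    """Return (path, other_requires) for sections where auth can be skipped."""
    findings, path, depth, top_level = [], None, 0, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        opened, wrap = OPEN.match(line), WRAP.match(line)
        if opened:                      # start of a <Directory>/<Location>
            path, depth, top_level = opened.group(2), 0, []
        elif path is None:              # outside any audited section
            continue
        elif wrap:                      # inside <RequireAll> etc. the implicit
            depth += -1 if wrap.group(1) else 1   # RequireAny does not apply
        elif CLOSE.match(line):
            others = [r for r in top_level if r.lower() != 'all granted']
            if len(others) < len(top_level) and others:
                findings.append((path, others))   # "all granted" wins
            path = None
        elif depth == 0 and REQUIRE.match(line):
            top_level.append(' '.join(REQUIRE.match(line).group(1).split()))
    return findings


if __name__ == '__main__':
    print(audit_vhost(SAMPLE_VHOST))
```
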

SiteDesignUSA commented 2 years ago

@smortex I should also mention that I (and I'm sure others) am very grateful for your help and config. There is so much to know.

The other problem with this is I don't know python and there is some sort of "magic" that allows puppetboard to work correctly if I use his "out of the box" setup. If I try to use puppet apache to emulate the .conf file, it just lists files in "/srv/puppetboard/puppetboard" instead of serving Puppetboard. If I let class { 'puppetboard::apache::vhost': remain, do a puppet agent -t and then paste in the correct config, it works.

Soooo, right now I'm looking at some sort of post hook to just overwrite the %!@## apache .conf file.

I guess that's hacking! Pieces of code everywhere.