Switch to using nginx puppet resources to manage the stackstorm nginx config

CHANGELOG.md

@@ -25,6 +25,16 @@
   repo support previously. (Bugfix)
   Contributed by @nmaludy
 
+- Change the way we handle the `nginx` config from just copying a config file to
+  using the native resource types provided by the `puppet-nginx` module.
+  Users can now configure the utilized SSL protocol and ciphers along with client
+  max body size directly from the `st2` class using the following new parameters:
+   - `nginx_client_max_body_size`
+   - `nginx_ssl_ciphers`
+   - `nginx_ssl_port`
+   - `nginx_ssl_protocols`
+  Contributed by @nmaludy
+
 ## 1.7.0 (Jun 26, 2020)
 
 - Refactored the system StackStorm repository handling. This replaces the `PackageCloud`

REFERENCE.md

@@ -553,6 +553,55 @@ Set this to false when you have your own repositories for nginx
 
 Default value: `true`
 
+##### `nginx_ssl_ciphers`
+
+Data type: `Any`
+
+String or list of strings of acceptable SSL ciphers to configure nginx with.
+@see http://nginx.org/en/docs/http/ngx_http_ssl_module.html
+Note: the defaults are setup to restrict to TLSv1.2 and TLSv1.3 secure ciphers only
+      (secure by default). The secure ciphers for each protocol were obtained via:
+      @see https://wiki.mozilla.org/Security/Server_Side_TLS
+
+Default value: $::st2::params::nginx_ssl_ciphers
+
+##### `nginx_ssl_protocols`
+
+Data type: `Any`
+
+String or list of strings of acceptable SSL protocols to configure nginx with.
+@see http://nginx.org/en/docs/http/ngx_http_ssl_module.html
+Note: the defaults are setup to restrict to TLSv1.2 and TLSv1.3 only (secure by default)
+
+Default value: $::st2::params::nginx_ssl_protocols
+
+##### `nginx_ssl_port`
+
+Data type: `Any`
+
+What port should nginx listen on publicly for new connections (default: 443)
+
+Default value: $::st2::params::nginx_ssl_port
+
+##### `nginx_client_max_body_size`
+
+Data type: `Any`
+
+The maximum size of the body for a request allow through nginx.
+We default this to '0' to allow for large messages/payloads/inputs/results
+to be passed through nginx as is normal in the StackStorm context.
+@see http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size
+
+Default value: $::st2::params::nginx_client_max_body_size
+
+##### `web_root`
+
+Data type: `Any`
+
+Directory where the StackStorm WebUI site lives on the filesystem
+
+Default value: $::st2::params::web_root
+
 ##### `timersengine_enabled`
 
 Data type: `Any`
@@ -2479,21 +2528,74 @@ class { 'st2::profile::web':
 }
 ```
 
+##### Change the SSL protocols and ciphers
+
+```puppet
+class { 'st2::profile::web':
+  nginx_ssl_protocols => ['TLSv1.2'],
+  nginx_ssl_ciphers => [
+    'ECDHE-ECDSA-AES256-GCM-SHA384',
+    'ECDHE-ECDSA-AES256-SHA384',
+  ],
+}
+```
+
 #### Parameters
 
 The following parameters are available in the `st2::profile::web` class.
 
+##### `nginx_ssl_ciphers`
+
+Data type: `Variant[Array[String], String]`
+
+String or list of strings of acceptable SSL ciphers to configure nginx with.
+@see http://nginx.org/en/docs/http/ngx_http_ssl_module.html
+Note: the defaults are setup to restrict to TLSv1.2 and TLSv1.3 secure ciphers only
+      (secure by default). The secure ciphers for each protocol were obtained via:
+      @see https://wiki.mozilla.org/Security/Server_Side_TLS
+
+Default value: $::st2::nginx_ssl_ciphers
+
+##### `nginx_ssl_protocols`
+
+Data type: `Variant[Array[String], String]`
+
+String or list of strings of acceptable SSL protocols to configure nginx with.
+@see http://nginx.org/en/docs/http/ngx_http_ssl_module.html
+Note: the defaults are setup to restrict to TLSv1.2 and TLSv1.3 only (secure by default)
+
+Default value: $::st2::nginx_ssl_protocols
+
+##### `nginx_ssl_port`
+
+Data type: `Stdlib::Port`
+
+What port should nginx listen on publicly for new connections (default: 443)
+
+Default value: $::st2::nginx_ssl_port
+
+##### `nginx_client_max_body_size`
+
+Data type: `String`
+
+The maximum size of the body for a request allow through nginx.
+We default this to '0' to allow for large messages/payloads/inputs/results
+to be passed through nginx as is normal in the StackStorm context.
+@see http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size
+
+Default value: $::st2::nginx_client_max_body_size
+
 ##### `ssl_cert_manage`
 
-Data type: `Any`
+Data type: `Boolean`
 
 Boolean to determine if this module should manage the SSL certificate used by nginx.
 
 Default value: $::st2::ssl_cert_manage
 
 ##### `ssl_dir`
 
-Data type: `Any`
+Data type: `Stdlib::Absolutepath`
 
 Directory where st2web will look for its SSL info.
 (default: /etc/ssl/st2)
@@ -2502,7 +2604,7 @@ Default value: $::st2::ssl_dir
 
 ##### `ssl_cert`
 
-Data type: `Any`
+Data type: `String`
 
 Path to the file where the StackStorm SSL cert will
 be generated. (default: /etc/ssl/st2/st2.crt)
@@ -2511,7 +2613,7 @@ Default value: $::st2::ssl_cert
 
 ##### `ssl_key`
 
-Data type: `Any`
+Data type: `String`
 
 Path to the file where the StackStorm SSL key will
 be generated. (default: /etc/ssl/st2/st2.key)
@@ -2520,12 +2622,20 @@ Default value: $::st2::ssl_key
 
 ##### `version`
 
-Data type: `Any`
+Data type: `String`
 
 Version of StackStorm WebUI to install
 
 Default value: $::st2::version
 
+##### `web_root`
+
+Data type: `String`
+
+Directory where the StackStorm WebUI site lives on the filesystem
+
+Default value: $::st2::web_root
+
 ### st2::repo
 
 Manages the installation of st2 required repos for installing the StackStorm packages.

manifests/init.pp

@@ -125,6 +125,25 @@
 # @param nginx_manage_repo
 #   Set this to false when you have your own repositories for nginx
 #   (default: true)
+# @param nginx_ssl_ciphers
+#   String or list of strings of acceptable SSL ciphers to configure nginx with.
+#   @see http://nginx.org/en/docs/http/ngx_http_ssl_module.html
+#   Note: the defaults are setup to restrict to TLSv1.2 and TLSv1.3 secure ciphers only
+#         (secure by default). The secure ciphers for each protocol were obtained via:
+#         @see https://wiki.mozilla.org/Security/Server_Side_TLS
+# @param nginx_ssl_protocols
+#   String or list of strings of acceptable SSL protocols to configure nginx with.
+#   @see http://nginx.org/en/docs/http/ngx_http_ssl_module.html
+#   Note: the defaults are setup to restrict to TLSv1.2 and TLSv1.3 only (secure by default)
+# @param nginx_ssl_port
+#   What port should nginx listen on publicly for new connections (default: 443)
+# @param nginx_client_max_body_size
+#   The maximum size of the body for a request allow through nginx.
+#   We default this to '0' to allow for large messages/payloads/inputs/results
+#   to be passed through nginx as is normal in the StackStorm context.
+#   @see http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size
+# @param web_root
+#    Directory where the StackStorm WebUI site lives on the filesystem
 # @param timersengine_enabled
 #   Set to true if the st2timersengine service should be enabled
 #   on this node (default: true)
@@ -277,6 +296,11 @@
   $datastore_keys_dir       = $::st2::params::datstore_keys_dir,
   $datastore_key_path       = "${::st2::params::datstore_keys_dir}/datastore_key.json",
   $nginx_manage_repo        = true,
+  $nginx_client_max_body_size = $::st2::params::nginx_client_max_body_size,
+  $nginx_ssl_ciphers        = $::st2::params::nginx_ssl_ciphers,
+  $nginx_ssl_port           = $::st2::params::nginx_ssl_port,
+  $nginx_ssl_protocols      = $::st2::params::nginx_ssl_protocols,
+  $web_root                 = $::st2::params::web_root,
   $rabbitmq_username        = $::st2::params::rabbitmq_username,
   $rabbitmq_password        = $::st2::params::rabbitmq_password,
   $rabbitmq_hostname        = $::st2::params::rabbitmq_hostname,

manifests/params.pp

@@ -43,6 +43,9 @@
   # API settings
   $api_port = 9101
 
+  # stream settings
+  $stream_port = 9102
+
   # Non-user configurable parameters
   $repository = 'stable'
   $conf_dir = '/etc/st2'
@@ -119,23 +122,34 @@
   $scheduler_gc_interval = 10
   $scheduler_pool_size = 10
 
-  ## nginx default config
-  $nginx_default_conf = $::osfamily ? {
-    'Debian' => '/etc/nginx/conf.d/default.conf',
-    'RedHat' => '/etc/nginx/conf.d/default.conf',
-  }
-  ## nginx conf.d directory in /etc
-  $nginx_conf_d = $::osfamily ? {
-    'Debian' => '/etc/nginx/conf.d',
-    'RedHat' => '/etc/nginx/conf.d',
-  }
-  # nginx config for StackStorm (installed with the st2 packages)
-  $nginx_st2_conf = '/usr/share/doc/st2/conf/nginx/st2.conf'
+  ## nginx
+  $nginx_ssl_port = 443
+  $nginx_ssl_protocols = [
+    'TLSv1.2',
+    'TLSv1.3',
+  ]
+  $nginx_ssl_ciphers = [
+    # TLSv1.3
+    'TLS_AES_128_GCM_SHA256',
+    'TLS_AES_256_GCM_SHA384',
+    'TLS_CHACHA20_POLY1305_SHA256',
+    # TLSv1.2
+    'ECDHE-ECDSA-AES128-GCM-SHA256',
+    'ECDHE-ECDSA-AES128-SHA256',
+    'ECDHE-ECDSA-AES256-GCM-SHA384',
+    'ECDHE-ECDSA-AES256-SHA384',
+    'ECDHE-ECDSA-CHACHA20-POLY1305',
+    'ECDHE-RSA-AES128-GCM-SHA256',
+    'ECDHE-RSA-AES128-SHA256',
+    'ECDHE-RSA-AES256-GCM-SHA384',
+    'ECDHE-RSA-AES256-SHA384',
+    'ECDHE-RSA-CHACHA20-POLY1305',
+  ]
+  # no max on the body size for large workflow support
+  $nginx_client_max_body_size = '0'
 
-  # st2web certs
-  $st2web_ssl_dir = '/etc/ssl/st2'
-  $st2web_ssl_cert = "${st2web_ssl_dir}/st2.crt"
-  $st2web_ssl_key = "${st2web_ssl_dir}/st2.key"
+  # st2web
+  $web_root = '/opt/stackstorm/static/webui/'
 
   ## MongoDB Data
   $mongodb_admin_username = 'admin'

manifests/profile/nginx.pp

@@ -6,11 +6,16 @@
 # @example Basic Usage
 #  include st2::profile::nginx
 #
+# @example Disable manging the nginx repo so you can manage it yourself
+#  class { 'st2::profile::nginx':
+#    manage_repo => false,
+#  }
+#
 class st2::profile::nginx (
   $manage_repo = $::st2::nginx_manage_repo
 ) inherits st2 {
   class { 'nginx':
     manage_repo => $manage_repo,
-    confd_purge => false,
+    confd_purge => true,
   }
 }