# limitations under the License.
#
+require "ipaddr"
+
+certificate = node[:tilecache][:ssl][:certificate]
+node.default[:ssl][:certificates] = node[:ssl][:certificates] | [certificate]
+
+include_recipe "ssl"
include_recipe "squid"
+include_recipe "nginx"
+
+package "apache2" do
+ action :remove
+end
+
+package "xz-utils"
tilecaches = search(:node, "roles:tilecache").sort_by { |n| n[:hostname] }
+tilerenders = search(:node, "roles:tile").sort_by { |n| n[:hostname] }
tilecaches.each do |cache|
cache.ipaddresses(:family => :inet, :role => :external).sort.each do |address|
dest "fw"
proto "udp"
dest_ports "3130"
- source_ports "1024:"
+ source_ports "3130"
+ end
+ firewall_rule "accept-squid-icp-reply" do
+ action :accept
+ family "inet"
+ source "fw"
+ dest "net:#{address}"
+ proto "udp"
+ dest_ports "3130"
+ source_ports "3130"
end
end
end
squid_fragment "tilecache" do
template "squid.conf.erb"
- variables :caches => tilecaches
+ variables :caches => tilecaches, :renders => tilerenders
end
template "/etc/logrotate.d/squid" do
mode 0644
end
+nginx_site "default" do
+ action [:delete]
+end
+
+resolvers = node[:networking][:nameservers].map do |resolver|
+ IPAddr.new(resolver).ipv6? ? "[#{resolver}]" : resolver
+end
+
+nginx_site "tile-ssl" do
+ template "nginx_tile_ssl.conf.erb"
+ variables :certificate => certificate, :resolvers => resolvers
+end
+
+service "nginx-certificate-restart" do
+ service_name "nginx"
+ action :nothing
+ subscribes :restart, "cookbook_file[/etc/ssl/certs/rapidssl.pem]"
+ subscribes :restart, "cookbook_file[/etc/ssl/certs/#{certificate}.pem]"
+ subscribes :restart, "file[/etc/ssl/private/#{certificate}.key]"
+end
+
+tilerenders.each do |render|
+ munin_plugin "ping_#{render[:fqdn]}" do
+ target "ping_"
+ conf "munin.ping.erb"
+ conf_variables :host => render[:fqdn]
+ end
+end