@oranenj
Created April 21, 2017 20:02
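# Provisions a private Docker registry behind an nginx TLS reverse proxy.
#
# Storage: $thinpool_disk becomes the devicemapper thin pool for the docker
# daemon; $data_disk becomes an XFS logical volume mounted at
# /srv/docker_registry/data and bind-mounted into the registry container.
# The registry container is published on 127.0.0.1:5000 only; nginx
# terminates TLS on 443 and proxies to it, and the write ACL lives there.
#
# @param data_disk            Block device for the registry data volume
#                             (/dev/sdX or /dev/vdX, optional partition digit).
# @param thinpool_disk        Block device for the docker devicemapper thin pool.
# @param registry_vhost       Server name of the nginx vhost fronting the registry.
# @param certificate_pem_path Path to one PEM file that holds both the server
#                             certificate (chain) and its private key; it is
#                             used as ssl_cert and as ssl_key. Since it contains
#                             the key, its mode should allow only root and the
#                             nginx user to read it.
# @param acl_write_allowed    Client addresses/CIDRs allowed to use any method
#                             other than GET/HEAD (i.e. to push). Empty, the
#                             default, makes the registry read-only via nginx.
class dockerregistry (
  String        $data_disk,
  String        $thinpool_disk,
  String        $registry_vhost,
  String        $certificate_pem_path,
  Array[String] $acl_write_allowed = [],
) {
  # \A and \z instead of ^ and $: validate_re applies a Ruby regex, where ^/$
  # are line anchors and would accept a value with an embedded newline.
  $disk_device_re = '\A/dev/[sv]d[a-z][0-9]?\z'
  validate_re($data_disk, $disk_device_re, "'${data_disk}' does not look like a disk device")
  validate_re($thinpool_disk, $disk_device_re, "'${thinpool_disk}' disk does not look like a disk device")

  class { 'docker':
    use_upstream_package_source => true,
    repo_opt                    => '',
    storage_driver              => 'devicemapper',
    dm_thinpooldev              => '/dev/mapper/docker_pool-docker_thinpool',
  }

  physical_volume { $thinpool_disk:
    ensure => present,
  }

  volume_group { 'docker_pool':
    ensure           => 'present',
    physical_volumes => [$thinpool_disk],
    createonly       => true,
    notify           => Exec['create-thin-pool'],
  }

  # Runs only when the volume group notifies it (first creation); the onlyif
  # additionally guards against re-creating a pool that already exists.
  exec { 'create-thin-pool':
    onlyif      => '/usr/bin/test ! -f /dev/mapper/docker_pool-docker_thinpool',
    refreshonly => true,
    command     => '/usr/sbin/lvcreate --thinpool docker_pool/docker_thinpool -l100%FREE',
  }

  lvm::volume { 'data':
    ensure => 'present',
    vg     => 'docker_registry',
    pv     => $data_disk,
    fstype => 'xfs',
  }

  file { ['/srv/docker_registry/', '/srv/docker_registry/data']:
    ensure => directory,
    owner  => 'root',
    group  => 'root',
  }

  # Explicit ordering so the mount does not rely on manifest-order
  # evaluation: the logical volume and the mount point must exist first.
  mount { '/srv/docker_registry/data':
    ensure  => mounted,
    device  => '/dev/docker_registry/data',
    fstype  => 'xfs',
    require => [Lvm::Volume['data'], File['/srv/docker_registry/data']],
  }

  # Pull the same tag docker::run below starts. Without image_tag this
  # resource would fetch registry:latest, which is not the image that runs.
  # Both images here are referenced by mutable tag; pin them by digest if
  # reproducible deployments are required.
  docker::image { 'registry':
    image_tag => '2',
  }

  docker::run { 'registry':
    image   => 'registry:2',
    # Loopback only on purpose: every external request must pass through the
    # nginx vhost, where TLS termination and the write ACL are enforced.
    ports   => ['127.0.0.1:5000:5000'],
    volumes => ['/srv/docker_registry/data:/var/lib/registry'],
    require => Mount['/srv/docker_registry/data'],
  }

  # Browse-only web UI; it reaches the registry over the container link,
  # not through nginx. Note that '80:80' publishes it in plain HTTP on every
  # interface, unlike the registry container itself.
  docker::run { 'registry-frontend':
    image   => 'konradkleine/docker-registry-frontend:v2',
    env     => [
      'ENV_DOCKER_REGISTRY_PORT=5000',
      'ENV_DOCKER_REGISTRY_HOST=registry',
      'ENV_BROWSE_MODE_ONLY=true',
    ],
    ports   => ['80:80'],
    links   => ['registry'],
    require => Docker::Run['registry'],
  }

  # SELinux: allow nginx to open the upstream connection to 127.0.0.1:5000.
  exec { '/usr/sbin/setsebool -P httpd_can_network_connect 1':
    refreshonly => true,
    subscribe   => Nginx::Resource::Upstream['docker-registry'],
  }

  include nginx

  nginx::resource::upstream { 'docker-registry':
    ensure  => 'present',
    members => ['127.0.0.1:5000'],
  }

  # Limit write access to specific nets: every method except GET (nginx also
  # exempts HEAD with it) is allowed only from $acl_write_allowed and denied
  # to everyone else, so an empty list yields a read-only registry.
  # NOTE: allow/deny match the address of the TCP peer; if another proxy sits
  # in front of this host the ACL sees that proxy, not the original client.
  $readonly_limits = $acl_write_allowed.map |$ip| {
    "allow ${ip};"
  }
  $limit_get = ['limit_except GET {'] + $readonly_limits + ['deny all;', '}']

  nginx::resource::vhost { $registry_vhost:
    use_default_location => false,
    proxy                => 'http://docker-registry',
    ssl                  => true,
    listen_port          => '443',
    # One combined PEM file serves as both certificate and key.
    ssl_cert             => $certificate_pem_path,
    ssl_key              => $certificate_pem_path,
    vhost_cfg_append     => {
      # Image layers are large and streamed: no request body size limit.
      'chunked_transfer_encoding' => 'on',
      'client_max_body_size'      => '0',
    },
    locations            => {
      '/' => {
        raw_prepend      => $limit_get,
        proxy            => 'http://docker-registry',
        vhost            => $registry_vhost,
        proxy_set_header => [
          'Host $http_host',
          'X-Real-IP $remote_addr',
          'X-Forwarded-For $proxy_add_x_forwarded_for',
          'X-Forwarded-Proto $scheme',
        ],
      },
    },
  }
}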