# script heavy (say the bug tracking system), set this
# to reduce the number of worker threads.
# @param rlimitnproc A resource limit for number of processes. The default is usually fine.
+# @param rlimitmem A resource limit for memory usage. The default is usually fine.
+# @param public Whether this host's apache should be accessible from the public internet.
+# Sets appropriate firewall rules and optionally rate limits.
+# @param mpm Which Multi-Processing Modules to use. Defaults to worker;
+# the alternative is prefork.
class apache2(
Boolean $smaller_number_of_threads = false,
Integer $rlimitnproc = 256,
+ Integer $rlimitmem = 192 * 1024 * 1024,
+ Boolean $public = true,
+ Enum['prefork','worker'] $mpm = 'worker',
) {
include webserver
if has_role('udd') {
$memlimit = 512 * 1024 * 1024
- } elsif has_role('dgit_git') {
- $memlimit = 512 * 1024 * 1024
- } elsif has_role('sso') {
- $memlimit = 512 * 1024 * 1024
} elsif has_role('popcon') {
$memlimit = 512 * 1024 * 1024
- } elsif has_role('qamaster') {
- $memlimit = 300 * 1024 * 1024
} else {
- $memlimit = 192 * 1024 * 1024
+ $memlimit = $rlimitmem
}
apache2::config { 'resource-limits':
}
apache2::module { 'mpm_event': ensure => absent }
- if has_role('apache_prefork') {
- apache2::module { 'mpm_worker': ensure => absent }
- apache2::module { 'mpm_prefork': }
- } else {
- apache2::module { 'mpm_prefork': ensure => absent }
- apache2::module { 'mpm_worker': }
- }
+ apache2::module { 'mpm_worker' : ensure => ($mpm == 'worker' ) ? { true => 'present', default => absent } }
+ apache2::module { 'mpm_prefork': ensure => ($mpm == 'prefork') ? { true => 'present', default => absent } }
+
file { '/etc/apache2/mods-available/mpm_worker.conf':
content => template('apache2/mpm_worker.erb'),
}
ensure => installed,
}
- if (! has_role('apache_not_public')) {
+ if $public {
if has_role('apache_ratelimited') {
include apache2::dynamic
} else {
ferm::rule { 'dsa-http':
- prio => '23',
- description => 'Allow web access',
- rule => '&SERVICE(tcp, (http https))'
- }
-
- ferm::rule { 'dsa-http-v6':
- domain => '(ip6)',
+ domain => '(ip ip6)',
prio => '23',
description => 'Allow web access',
rule => '&SERVICE(tcp, (http https))'