Adding the nginx-plus Repository to apt-mirror and Puppet

Nginx Inc. provides access to the nginx-plus package and repository using SSL certificates. Their instructions include the configuration of apt for Ubuntu, but for people using apt-mirror and Puppet to manage their internal servers, additional custom configurations are required.

The standard apt configuration for nginx-plus might look like this:

The connection to the nginx-plus repository must be made using HTTPS and authentication is handled by client certificates. As provided, apt-mirror is not able to manage SSL certificates, so two sections in the apt-mirror script must be modified. The %config_variables array defines the settings read from its configuration files. We will add the ‘certificate’, ‘private_key’, and ‘ca_certificate’ settings to the array.

If these configuration settings are found, we must pass them to wget.

Here is an example template for Puppet to create the apt-mirror configuration files, including the optional SSL certificate paths.

And here is an example Puppet module, with an apt::mirror class and apt::mirror::repository definition, to generate the configuration files from that template. This module also includes a scheduling feature to automate mirror updates, though this feature may not be useful for most production environments (where more stringent processes may be required for controlled mirror updates).

A practical example, using the apt-mirror Puppet module above, may look like this (assuming your Puppet configurations use ‘role’ and ‘application’ based classes).

The ‘deploy’ role includes the role::deploy::apt::mirror class, which then includes the apt::mirror module class, and calls the apps::apt::mirror::nginx::plus definition for all three supported environments — production, staging, and development (each environment has its own mirror, which can be updated and tested independently).

The apps::apt::mirror::nginx::plus definition is located within an apt-mirror ‘application’ manifest. It executes the apt::mirror::repository module definition for each of the environment names we provide.

The resulting apt-mirror configuration files may look like this.