author | Hugo Hörnquist <hugo@lysator.liu.se> | 2021-12-13 23:49:02 +0100 |
---|---|---|
committer | Hugo Hörnquist <hugo@lysator.liu.se> | 2021-12-13 23:49:02 +0100 |
commit | 74d5d27d77291654b15c1faffea6fb5f628d7aa7 (patch) | |
tree | b7eacda64d2ca262dda8c4fc142a4fc16b30bdd6 | |
parent | hornquist.se reword letsencrypt (diff) | |
parent | Raspi setup was a bad idea. (diff) | |
download | webdav_server-74d5d27d77291654b15c1faffea6fb5f628d7aa7.tar.gz webdav_server-74d5d27d77291654b15c1faffea6fb5f628d7aa7.tar.xz |
Merge branch 'raspi'
-rw-r--r-- | manifests/site.pp | 9 | ||||
-rwxr-xr-x | modules/cgit/files/filters/hugo-pre.sh | 4 | ||||
-rw-r--r-- | modules/exports/manifests/init.pp | 21 | ||||
-rw-r--r-- | modules/losetup/files/dismantle-loop-device | 15 | ||||
-rw-r--r-- | modules/losetup/files/loop@.service | 12 | ||||
-rwxr-xr-x | modules/losetup/files/setup-loop-device | 16 | ||||
-rw-r--r-- | modules/losetup/manifests/init.pp | 24 | ||||
-rw-r--r-- | modules/overlay/manifests/init.pp | 17 | ||||
-rw-r--r-- | modules/profiles/manifests/gandalf_web.pp | 54 |
9 files changed, 166 insertions, 6 deletions
diff --git a/manifests/site.pp b/manifests/site.pp
index 5db60b7..e64145c 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -3,9 +3,14 @@ node 'gandalf.adrift.space' { addr => '3', } + include ::losetup include ::profiles::workstation - include ::profiles::gandalf_web + $certname = 'adrift.space' + + class { '::profiles::gandalf_web': + certname => $certname, + } nginx::resource::location { '/varselklotet': server => 'gandalf',
@@ -28,7 +33,7 @@ node 'gandalf.adrift.space' { ], nginx => { server_name => "bookmark.${facts['fqdn']}", - certname => 'bookmark.gandalf.adrift.space', + certname => $certname, } }
diff --git a/modules/cgit/files/filters/hugo-pre.sh b/modules/cgit/files/filters/hugo-pre.sh
index de94b26..b716525 100755
--- a/modules/cgit/files/filters/hugo-pre.sh
+++ b/modules/cgit/files/filters/hugo-pre.sh
@@ -2,10 +2,10 @@ name=$1 -extension=${1: -3} +extension=${name: -3} case $extension in - .md) markdown ;; + .md) pandoc -f gfm -t html ;; *) cat <<- EOF <pre>$(cat -)</pre>
diff --git a/modules/exports/manifests/init.pp b/modules/exports/manifests/init.pp
new file mode 100644
index 0000000..8280c71
--- /dev/null
+++ b/modules/exports/manifests/init.pp
@@ -0,0 +1,21 @@
+# Setup export item.
+# Should be be callable multiple times
+define exports (
+ Hash[String,Array[String]] $options,
+ String $dir = $name,
+ String $exports_file = '/etc/exports',
+) {
+
+ $fixed_opts = $options.map |$key, $val| {
+ $joined_vals = $val.join(',')
+ "${key}(${joined_vals})"
+ }.join(' ')
+
+ file_line { "Export ${exports_file} ${dir}":
+ ensure => present,
+ path => $exports_file,
+ match => "^${dir}",
+ line => "${dir} ${fixed_opts}"
+ }
+
+}
diff --git a/modules/losetup/files/dismantle-loop-device b/modules/losetup/files/dismantle-loop-device
new file mode 100644
index 0000000..be3f3a0
--- /dev/null
+++ b/modules/losetup/files/dismantle-loop-device
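Review bot: The new `.md)` branch sends the output of `pandoc -f gfm -t html` straight into the cgit page, and the gfm reader passes raw HTML blocks found in the markdown through unchanged, so any `<script>` or other markup committed in a README is rendered live in the repository browser; `pandoc -f gfm-raw_html -t html` disables that extension and limits the filter to markdown-generated markup. The fall-through `*)` branch has the same exposure with the unescaped `<pre>$(cat -)</pre>`, which is context here but worth fixing in the same pass. The `${name: -3}` fix also only recognises a three-character `.md` suffix, so `README.markdown` still lands in the `<pre>` branch; `case "$name" in *.md|*.markdown)` would cover both spellings.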
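Review bot: `match => "^${dir}"` in the new `file_line` is only a prefix anchor, so an `exports` instance for `/srv/data` also matches, and replaces, an existing `/srv/data2` line in `/etc/exports`; anchoring on the separator that `line` itself emits, `match => "^${dir} "`, restricts it to the exact directory. `$dir` is also interpolated into the regex verbatim, so a path containing `.` or `+` matches more than intended; stdlib's `regexpescape()` would cover that if it is available in this tree. The comment `# Should be be callable multiple times` has a doubled word.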
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+target_file="$1"
+safe_name="$(systemd-escape "$target_file")"
+
+set +x
+
+loop_device=$(readlink "/dev/loop-by-name/${safe_name}")
+rm "/dev/loop-by-name/${safe_name}"
+
+for part in "/dev/loop-by-name/${safe_name}"-p*; do
+ rm "$part"
+done
+
+losetup -d $loop_device
diff --git a/modules/losetup/files/loop@.service b/modules/losetup/files/loop@.service
new file mode 100644
index 0000000..e9dc008
--- /dev/null
+++ b/modules/losetup/files/loop@.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Loopback device for %I
+
+[Service]
+ExecStart=/usr/libexec/setup-loop-device "%I"
+ExecStop=/usr/libexec/dismantle-loop-device "%I"
+#ExecStopPost=rm /dev/loop-by-name/"%i"*
+#ExecStart=echo %I
+ExecStartPre=mkdir -p /dev/loop-by-name
+# Cant't have any dashes in filename, due to escaping rules
+# ExecStartPre=/bin/sh -c "grep -vq '-' <<< "%i""
+RemainAfterExit=yes
diff --git a/modules/losetup/files/setup-loop-device b/modules/losetup/files/setup-loop-device
new file mode 100755
index 0000000..4215273
--- /dev/null
+++ b/modules/losetup/files/setup-loop-device
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+target_file="$1"
+safe_name="$(systemd-escape "$target_file")"
+
+set +x
+
+loop_device=$(losetup --find --show "$target_file")
+
+ln -s $loop_device "/dev/loop-by-name/${safe_name}"
+
+for part in "${loop_device}"p*; do
+ last_two=${part:$[${#part}-2]}
+ ln -s $part \
+ "/dev/loop-by-name/${safe_name}-${last_two}"
+done
diff --git a/modules/losetup/manifests/init.pp b/modules/losetup/manifests/init.pp
new file mode 100644
index 0000000..8d7f8d8
--- /dev/null
+++ b/modules/losetup/manifests/init.pp
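Review bot: `set +x` on line 6 switches xtrace off, which is already the default, so the script runs with no error handling at all: when `/dev/loop-by-name/<name>` is missing, `readlink` prints nothing and the final `losetup -d $loop_device` runs with an empty, unquoted argument, and without `nullglob` the literal `-p*` pattern is handed to `rm` whenever there are no partition links. The same `set +x` appears in setup-loop-device; presumably `set -e` (or `set -x` while debugging) was intended. Failing fast, enabling `nullglob` and quoting the device path address all three.
```shell
set -euo pipefail
shopt -s nullglob

loop_device=$(readlink "/dev/loop-by-name/${safe_name}")
[[ -n $loop_device ]] || exit 1
# … unchanged: rm of the by-name link and its -p* partition links …
losetup -d "$loop_device"
```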
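Review bot: The unit declares no `Type=`, so it defaults to `simple` and systemd treats `loop@foo.service` as started the moment setup-loop-device is forked, before the loop device and its `/dev/loop-by-name` links exist; any unit ordered `After=`/`Requires=` it (a mount, for instance) can race the script. `Type=oneshot` together with the existing `RemainAfterExit=yes` makes start wait for the script to finish, which is the usual shape for this kind of unit. There is also no `[Install]` section, so instances can only be pulled in by other units rather than enabled directly, which may be intended. The commented-out `#ExecStopPost` and `#ExecStart=echo %I` lines look like leftovers and could be dropped.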
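Review bot: `last_two=${part:$[${#part}-2]}` keeps the last two characters of the partition node, so `/dev/loop0p1` yields `p1` but `/dev/loop0p10` yields `10`, and the resulting `<name>-10` link is then missed by the `-p*` glob in dismantle-loop-device; stripping the device prefix with `${part#"$loop_device"}` gives `p1`/`p10` for any partition number. Without `nullglob`, a device with no partitions runs the loop once with the literal `/dev/loop0p*` and creates a dangling `<name>-p*` symlink. `$loop_device` and `$part` are unquoted on both `ln` lines, and `$[...]` is the obsolete arithmetic form. Note that `losetup --find --show` without `-P`/`--partscan` does not create partition nodes at all, unless partition scanning is enabled elsewhere on the host.
```shell
set -euo pipefail
shopt -s nullglob

loop_device=$(losetup --find --show "$target_file")

ln -s "$loop_device" "/dev/loop-by-name/${safe_name}"

for part in "${loop_device}"p*; do
    suffix=${part#"$loop_device"}
    ln -s "$part" "/dev/loop-by-name/${safe_name}-${suffix}"
done
```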
@@ -0,0 +1,24 @@
+class losetup {
+ file { '/etc/systemd/system/loop@.service':
+ ensure => file,
+ source => "puppet:///modules/${module_name}/loop@.service",
+ }
+
+ # ensure_resource ('file', { path => '/usr/libexec', ensure => directory })
+ file { '/usr/libexec':
+ ensure => directory,
+ }
+
+ file {
+ default:
+ ensure => file,
+ mode => '0555',
+ ;
+'/usr/libexec/setup-loop-device':
+ source => "puppet:///modules/${module_name}/setup-loop-device",
+ ;
+'/usr/libexec/dismantle-loop-device':
+ source => "puppet:///modules/${module_name}/dismantle-loop-device",
+ ;
+ }
+}
diff --git a/modules/overlay/manifests/init.pp b/modules/overlay/manifests/init.pp
new file mode 100644
index 0000000..a85683d
--- /dev/null
+++ b/modules/overlay/manifests/init.pp
@@ -0,0 +1,17 @@
+define overlay (
+) {
+
+ {
+ lowerdir => "${dir}/root/base",
+ upperdir => "${dir}/root/overlays/${name}",
+ workdir => "${dir}/root/workdirs/${name}",
+ nfs_export => 'on',
+ }
+
+ file_line {
+ ensure => present,
+ path => "${dir}/fstab"
+ line => "overlay root/export/${name}
+ }
+
+}
diff --git a/modules/profiles/manifests/gandalf_web.pp b/modules/profiles/manifests/gandalf_web.pp
index 810064b..1295d83 100644
--- a/modules/profiles/manifests/gandalf_web.pp
+++ b/modules/profiles/manifests/gandalf_web.pp
@@ -1,4 +1,6 @@ -class profiles::gandalf_web { +class profiles::gandalf_web ( + String $certname, +) { class { '::nginx': manage_repo => false,
@@ -13,6 +15,7 @@ class profiles::gandalf_web { 'text/plain' => 'wiki txt', }, include_modules_enabled => true, + server_purge => true, } file { '/etc/nginx/modules-enabled':
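Review bot: The unit file is written to `/etc/systemd/system/loop@.service` with nothing triggering a `daemon-reload`, so on a running host systemd keeps its stale view of `loop@.service` until something else reloads it; a refreshonly `exec` running `systemctl daemon-reload`, notified by that `file` resource (or the unit-file wrapper of a systemd module, if one is in use in this tree), closes that gap. The `file { '/usr/libexec': ensure => directory }` resource will clash with any other module that declares the same path, which is what the commented-out `ensure_resource` line was avoiding; whichever form is kept, the dead comment should go. Mode `0555` on the two scripts is appropriate for root-run `ExecStart`/`ExecStop` helpers.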
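Review bot: The new `overlay` define does not parse: `line => "overlay root/export/${name}` on line 14 opens a string that is never closed, `path => "${dir}/fstab"` on line 13 lacks its trailing comma, the `file_line { ... }` on line 11 has no title, and lines 4–9 are an anonymous hash standing alone as a statement. `$dir` is never declared as a parameter or variable, and nothing consumes the `lowerdir`/`upperdir`/`workdir` hash. The merge message says the Raspi setup was abandoned, so this is presumably work in progress; any node that declares `overlay` will fail catalog compilation, so it should either be completed or left out of the merge.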
@@ -21,7 +24,41 @@ class profiles::gandalf_web { recurse => true, } - $certname = 'bookmark.gandalf.adrift.space' + # TODO this fails at bootstrapping, since letsencrypt requires nginx + # to be enabled, but nginx can't be enabled if any cert file is + # missing + # Letsencrypt::Certonly <| |> -> Nginx::Resource::Server <| |> + + $domains = [ + 'bookmark.gandalf.adrift.space', + 'calendar.gandalf.adrift.space', + 'repo.gandalf.adrift.space', + 'gandalf.adrift.space', + 'hack.adrift.space', + 'adrift.space', + ] + + ensure_packages (['cronie',], { ensure => installed }) + + ensure_packages (['certbot', 'certbot-nginx'], { ensure => installed }) + class { '::letsencrypt': + config => { + email => 'hugo@hornquist.se', + # server => 'https://acme-staging-v02.api.letsencrypt.org/directory', + server => 'https://acme-v02.api.letsencrypt.org/directory', + }, + manage_install => false, + } + + letsencrypt::certonly { $certname: + ensure => present, + domains => $domains, + manage_cron => true, + plugin => 'nginx', + additional_args => [ '--quiet', ], + # pre_hook_commands => [ 'systemctl stop nginx.service', ], + post_hook_commands => [ 'systemctl restart nginx.service', ], + } nginx::resource::server { 'gandalf': @@ -49,4 +86,17 @@ class profiles::gandalf_web { server => 'gandalf', } + nginx::resource::server { 'repo.gandalf.adrift.space': + ipv6_enable => true, + ipv6_listen_options => '', + server_name => [ 'repo.gandalf.adrift.space', ], + ssl => true, + ssl_cert => "/etc/letsencrypt/live/${certname}/fullchain.pem", + ssl_key => "/etc/letsencrypt/live/${certname}/privkey.pem", + ssl_redirect => true, + index_files => [ 'index.html', ], + www_root => '/usr/net/repo/', + use_default_location => true, + } + } |
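Review bot: `post_hook_commands => [ 'systemctl restart nginx.service', ]` restarts nginx on every renewal and drops in-flight connections, while `systemctl reload nginx.service` is enough for nginx to pick up the new `fullchain.pem`/`privkey.pem` under `/etc/letsencrypt/live/${certname}`. The TODO above it describes a real ordering gap: the `letsencrypt::certonly` resource and the `nginx::resource::server` entries that reference its cert files have no relationship, so on a fresh host nginx can be configured with missing cert paths before certbot has run; the commented-out collector chain is one way to express the dependency, and an initial `ssl => false` bootstrap pass is another. The `server` entry is hard-coded to the production ACME endpoint with the staging one left in a comment; a class parameter for it would avoid toggling comments while bootstrapping. The enclosing class `profiles::gandalf_web` continues outside both hunks.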