authorHugo Hörnquist <hugo@lysator.liu.se>2021-12-29 20:13:55 +0100
committerHugo Hörnquist <hugo@lysator.liu.se>2021-12-29 20:13:55 +0100
commitd04542e000b8f8fadce45af96d93fb904ca99115 (patch)
treee85ee2bb0472d9f83f051f31d2629bf4c96bb755 /manifests
parentSetup new site.pp. (diff)
parentMigrate stuff from ansible. (diff)
downloadwebdav_server-d04542e000b8f8fadce45af96d93fb904ca99115.tar.gz
webdav_server-d04542e000b8f8fadce45af96d93fb904ca99115.tar.xz
Merge branch 'master' of /home/hugo/puppet into production
Diffstat (limited to 'manifests')
-rw-r--r--manifests/site.pp346
1 files changed, 334 insertions, 12 deletions
diff --git a/manifests/site.pp b/manifests/site.pp
index 430e3c6..8ba8b9a 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -1,15 +1,3 @@
-node 'gandalf.adrift.space' {
- notify { 'anything':
- message => 'Will this be shown',
- }
-}
-
-node 'hornquist.se' {
- notify { 'anything':
- message => 'Hello, World!',
- }
-}
-
node 'busting.adrift.space' {
file_line { 'hosts ourself':
@@ -81,4 +69,338 @@ node 'busting.adrift.space' {
port => 80,
}
+node 'gandalf.adrift.space' {
+ profiles::remarkable { 'any name':
+ addr => '3',
+ }
+
+ include ::losetup
+ include ::profiles::xmonad
+ include ::profiles::workstation
+
+ include ::profiles::dolphin
+ include ::profiles::imagemagick
+
+ systemd_mount { '/usr/net':
+ what => 'elrond:/files',
+ where => '/usr/net',
+ wantedBy => 'remote-fs.target',
+ automount => true,
+ }
+
+ class { '::profiles::syncthing':
+ enable_for => [ 'hugo', ],
+ }
+
+ $certname = 'adrift.space'
+
+ class { '::profiles::gandalf_web':
+ certname => $certname,
+ }
+
+ nginx::resource::location { '/varselklotet':
+ server => 'gandalf',
+ location_alias => '/home/hugo/wiki/varselklotet',
+ try_files => ['$uri', '$uri/', '=404'],
+ autoindex => 'on',
+ ssl => true,
+ ssl_only => true,
+ index_files => [],
+ }
+
+ class { 'profiles::transmission':
+ nginx_server => 'gandalf',
+ }
+
+ class { 'shiori':
+ port => 8081,
+ group_members => [
+ 'hugo',
+ ],
+ nginx => {
+ server_name => "bookmark.${facts['fqdn']}",
+ certname => $certname,
+ }
+ }
+
+ profiles::webdav_server { '/dav':
+ file_path => '/var/www/webdav',
+ users => [['hugo', pass('adrift.space/gandalf/dav/hugo')]],
+ nginx_server => 'gandalf'
+ }
+
+}
+
+node 'hornquist.se' {
+
+ include ::profiles::firewall
+
+ ensure_packages([
+ 'cowsay',
+ ], { ensure => installed })
+
+ nsupdate { 'hornquist.se':
+ ensure => present,
+ nameserver => 'ns2.adrift.space',
+ iface => 'eth0',
+ records => [
+ { type => 'A', ttl => 3600, domain => 'hornquist.se' },
+ { type => 'A', ttl => 3600, domain => '*.hornquist.se' },
+ ],
+ }
+
+ $cgit_root = '/var/www/cgit'
+ $blog_root = '/var/www/blog'
+
+ class { '::cgit':
+ root => $cgit_root,
+ root_title => 'Hornquist Git Repositiories',
+ root_desc => 'ᛏᚨᚾᛞᛖᛋ᛫ᛖᚾᛞᚨᛋᛏ᛫ᛗᛟᛏ᛫ᛚᚨᛞᚨᚾᛋ᛫ᛈᛚᚨᚾ',
+ about_filter => 'hugo-pre.sh',
+ auth_filter => 'hugo-authentication.lua',
+ source_filter => 'hugo-highlighting.sh',
+ scan_path => '/home/git/git',
+ clone_url => [
+ 'https://git.hornquist.se/$CGIT_REPO_URL',
+ 'git@hornquist.se:git/$CGIT_REPO_URL.git',
+ '(HTTP_only_for_public_repos)',
+ ],
+ }
+
+ # https://buddy.works/blog/how-deploy-projects-with-git
+ blog { 'Hugos blog':
+ root => "${blog_root}/hugo",
+ }
+
+ service { 'php7.4-fpm':
+ ensure => running,
+ enable => true,
+ }
+
+ service { 'fcgiwrap.socket':
+ ensure => running,
+ enable => true,
+ }
+
+ file { '/etc/systemd/system/php7.4-fpm.service.d':
+ ensure => directory,
+ }
+
+ file { '/etc/systemd/system/php7.4-fpm.service.d/override.conf':
+ ensure => file,
+ notify => Service['php7.4-fpm'],
+ content => @(EOF)
+ [Service]
+ RuntimeDirectory=php
+ | EOF
+ }
+
+ # include apt
+ class { '::nginx':
+ manage_repo => false,
+ server_purge => true,
+ service_config_check => true,
+ }
+
+ $certname = 'hornquist'
+
+ class { '::letsencrypt':
+ config => {
+ email => 'hugo.hornquist@gmail.com',
+ }
+ # renew_cron_ensure => present,
+ }
+
+ ensure_packages(['python3-certbot-nginx'],
+ { ensure => installed })
+
+ letsencrypt::certonly { $certname:
+ ensure => present,
+ manage_cron => true,
+ plugin => 'nginx',
+ additional_args => [ '--quiet', ],
+ post_hook_commands => [ 'systemctl reload nginx.service', ],
+ domains => [
+ 'blog.hornquist.se',
+ 'blogg.hornquist.se',
+ 'www.hornquist.se',
+ 'hornquist.se',
+ 'git.hornquist.se',
+ 'wiki.hornquist.se',
+ ],
+ }
+
+ nginx::resource::server { 'blogg':
+ server_name => [ 'blogg.hornquist.se', ],
+ access_log => 'absent',
+ error_log => 'absent',
+ ssl => true,
+ ssl_cert => "/etc/letsencrypt/live/${certname}/fullchain.pem",
+ ssl_key => "/etc/letsencrypt/live/${certname}/privkey.pem",
+ use_default_location => false,
+ server_cfg_append => {
+ 'return' => '301 $scheme://blog.hornquist.se$request_uri',
+ }
+ }
+
+ nginx::resource::server { 'blog':
+ server_name => [
+ 'blog.hornquist.se',
+ ],
+ access_log => 'absent',
+ error_log => 'absent',
+ index_files => [ 'index.php', 'index.html', 'index.htm', ],
+ ssl => true,
+ ssl_cert => "/etc/letsencrypt/live/${certname}/fullchain.pem",
+ ssl_key => "/etc/letsencrypt/live/${certname}/privkey.pem",
+ use_default_location => false,
+ www_root => $blog_root,
+ }
+
+ nginx::resource::server { 'hornquist':
+ server_name => [
+ 'hornquist.se',
+ 'www.hornquist.se',
+ '_',
+ ],
+ access_log => 'absent',
+ error_log => 'absent',
+ index_files => [ 'index.php', 'index.html', 'index.htm', ],
+ listen_options => 'default_server',
+ ssl => true,
+ ssl_cert => '/etc/letsencrypt/live/hornquist/fullchain.pem',
+ ssl_key => '/etc/letsencrypt/live/hornquist/privkey.pem',
+ use_default_location => false,
+ www_root => '/var/www/html',
+ # autoindex => 'on',
+ }
+
+ nginx::resource::server { 'userdir':
+ server_name => [
+ '~^(?P<uname>[a-z][-a-z0-9]*)\.hornquist\.se',
+ ],
+ access_log => 'absent',
+ error_log => 'absent',
+ index_files => [ 'index.cgi', 'index.php', 'index.html', 'index.htm', ],
+ # SSL sites for userdir lack a cert due to wildcard certificates being
+ # "problematic". However, it's enabled here since a ::location with
+ # ssl => true WILL generate locations, even when server is missing.
+ ssl => true,
+ ssl_cert => "/etc/letsencrypt/live/${certname}/fullchain.pem",
+ ssl_key => "/etc/letsencrypt/live/${certname}/privkey.pem",
+ use_default_location => false,
+ www_root => '/home/$uname/.public',
+ # autoindex => 'on',
+ }
+
+
+ nginx::resource::server { 'wiki':
+ server_name => [
+ 'wiki.hornquist.se',
+ ],
+ access_log => 'absent',
+ error_log => 'absent',
+ index_files => [ 'index.html', ],
+ ssl => true,
+ ssl_cert => "/etc/letsencrypt/live/${certname}/fullchain.pem",
+ ssl_key => "/etc/letsencrypt/live/${certname}/privkey.pem",
+ use_default_location => true,
+ www_root => '/var/www/wiki/public/html',
+ }
+
+ nginx::resource::server { 'cgit':
+ server_name => [
+ 'git.hornquist.se',
+ ],
+ access_log => 'absent',
+ error_log => 'absent',
+ index_files => [],
+ try_files => [ '$uri', '@cgit' ],
+ ssl => true,
+ ssl_cert => "/etc/letsencrypt/live/${certname}/fullchain.pem",
+ ssl_key => "/etc/letsencrypt/live/${certname}/privkey.pem",
+ use_default_location => true,
+ www_root => $cgit_root,
+ ssl_redirect => true,
+ # /usr/lib/cgit/cgit.cgi
+ # /usr/share/cgit/cgit.css
+ }
+
+ nginx::resource::location { '@cgit':
+ fastcgi_params => 'fastcgi_params',
+ fastcgi_param => {
+ 'SCRIPT_FILENAME' => '/usr/lib/cgit/cgit.cgi',
+ 'PATH_INFO' => '$fastcgi_script_name',
+ 'QUERY_STRING' => '$args',
+ },
+ ssl_only => true,
+ fastcgi => 'unix:/run/fcgiwrap.socket',
+ server => [
+ 'cgit',
+ ],
+ }
+
+ # TODO extra locations for dumb git clones?
+
+ nginx::resource::location { '/':
+ try_files => ['$uri', '$uri/', '=404'],
+ index_files => [],
+ ssl => true,
+ autoindex => on,
+ server => [
+ 'blog',
+ 'hornquist',
+ 'userdir',
+ ]
+ }
+
+ nginx::resource::location { '/nyar':
+ location_custom_cfg => { return => '307 http://www.lysator.liu.se/~hugo/song/2018.html' },
+ ssl => true,
+ index_files => [],
+ server => [ 'hornquist', ],
+ }
+
+ nginx::resource::location { '= /':
+ # temprory redirect
+ location_custom_cfg => { return => '307 /hugo' },
+ ssl => true,
+ index_files => [],
+ server => [ 'blog', ],
+ }
+
+ nginx::resource::location { '~ \.php$':
+ fastcgi_params => 'snippets/fastcgi-php.conf',
+ fastcgi => 'unix:/run/php/php-fpm.sock',
+ ssl => true,
+ server => [
+ 'blog',
+ 'hornquist',
+ 'userdir',
+ ],
+ }
+
+ nginx::resource::location { '~ \.cgi$':
+ fastcgi_params => 'fastcgi_params',
+ fastcgi_param => {
+ # 'SCRIPT_FILENAME' => '$document_root/*.cgi',
+ 'PATH_INFO' => '$fastcgi_script_name',
+ 'QUERY_STRING' => '$args',
+ },
+ fastcgi => 'unix:/run/fcgiwrap.socket',
+ server => [
+ 'userdir',
+ ],
+ }
+
+ nginx::resource::location { '~ /\.ht':
+ location_cfg_append => { deny => 'all' },
+ index_files => [],
+ ssl => true,
+ server => [
+ 'blog',
+ 'hornquist',
+ 'userdir',
+ ],
+ }
}
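Review bot: In the `hornquist.se` node, the `~ \.php$` and `~ \.cgi$` locations list `'userdir'` in `server`, and that server's `www_root` is `/home/$uname/.public`. Files any local account drops there are therefore handed to the same `unix:/run/php/php-fpm.sock` and `unix:/run/fcgiwrap.socket` that serve `blog` and `hornquist`. Nothing in this hunk sets up a per-user pool or wrapper, so those scripts presumably run under the shared service identity and can read whatever the blog's PHP can. Consider `server => [ 'blog', 'hornquist', ]` on the PHP location and a dedicated unprivileged pool for `userdir`, or a comment stating that every shell account is trusted with that identity. Separately, location `'/'` sets `autoindex => on` (unquoted, unlike the `'on'` on `/varselklotet`) for the same three servers while only `~ /\.ht` is denied, so listings would show any other dotfiles or deploy leftovers under those roots; and the `userdir` `server_name` regex has no trailing `$`, so a Host value that merely starts with `name.hornquist.se` also matches.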