Diffstat (limited to '')
-rw-r--r-- | modules/profiles/manifests/gandalf_web.pp | 102 |
1 files changed, 102 insertions, 0 deletions
diff --git a/modules/profiles/manifests/gandalf_web.pp b/modules/profiles/manifests/gandalf_web.pp
new file mode 100644
index 0000000..1295d83
--- /dev/null
+++ b/modules/profiles/manifests/gandalf_web.pp
@@ -0,0 +1,102 @@
+class profiles::gandalf_web (
+ String $certname,
+) {
+
+ class { '::nginx':
+ manage_repo => false,
+ # server_purge => true,
+ package_name => 'nginx-mainline',
+ service_config_check => true,
+ http_cfg_append => {
+ 'charset' => 'utf-8',
+ },
+ mime_types_preserve_defaults => true,
+ mime_types => {
+ 'text/plain' => 'wiki txt',
+ },
+ include_modules_enabled => true,
+ server_purge => true,
+ }
+
+ file { '/etc/nginx/modules-enabled':
+ ensure => directory,
+ purge => true,
+ recurse => true,
+ }
+
+ # TODO this fails at bootstrapping, since letsencrypt requires nginx
+ # to be enabled, but nginx can't be enabled if any cert file is
+ # missing
+ # Letsencrypt::Certonly <| |> -> Nginx::Resource::Server <| |>
+
+ $domains = [
+ 'bookmark.gandalf.adrift.space',
+ 'calendar.gandalf.adrift.space',
+ 'repo.gandalf.adrift.space',
+ 'gandalf.adrift.space',
+ 'hack.adrift.space',
+ 'adrift.space',
+ ]
+
+ ensure_packages (['cronie',], { ensure => installed })
+
+ ensure_packages (['certbot', 'certbot-nginx'], { ensure => installed })
+ class { '::letsencrypt':
+ config => {
+ email => 'hugo@hornquist.se',
+ # server => 'https://acme-staging-v02.api.letsencrypt.org/directory',
+ server => 'https://acme-v02.api.letsencrypt.org/directory',
+ },
+ manage_install => false,
+ }
+
+ letsencrypt::certonly { $certname:
+ ensure => present,
+ domains => $domains,
+ manage_cron => true,
+ plugin => 'nginx',
+ additional_args => [ '--quiet', ],
+ # pre_hook_commands => [ 'systemctl stop nginx.service', ],
+ post_hook_commands => [ 'systemctl restart nginx.service', ],
+ }
+
+
+ nginx::resource::server { 'gandalf':
+ ipv6_enable => true,
+ listen_options => 'default_server',
+ ipv6_listen_options => 'default_server',
+ server_name => [ '_' ],
+ access_log => absent,
+ error_log => absent,
+ ssl => true,
+ ssl_cert => "/etc/letsencrypt/live/${certname}/fullchain.pem",
+ ssl_key => "/etc/letsencrypt/live/${certname}/privkey.pem",
+ ssl_redirect => true,
+ index_files => [ 'index.html', ],
+ www_root => '/var/www/adrift.space',
+ use_default_location => false,
+ }
+
+ nginx::resource::location { '/':
+ try_files => ['$uri', '$uri/', '=404'],
+ index_files => [],
+ ssl => true,
+ ssl_only => true,
+ autoindex => on,
+ server => 'gandalf',
+ }
+
+ nginx::resource::server { 'repo.gandalf.adrift.space':
+ ipv6_enable => true,
+ ipv6_listen_options => '',
+ server_name => [ 'repo.gandalf.adrift.space', ],
+ ssl => true,
+ ssl_cert => "/etc/letsencrypt/live/${certname}/fullchain.pem",
+ ssl_key => "/etc/letsencrypt/live/${certname}/privkey.pem",
+ ssl_redirect => true,
+ index_files => [ 'index.html', ],
+ www_root => '/usr/net/repo/',
+ use_default_location => true,
+ }
+
+} |
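Review bot: The catch-all server 'gandalf' (server_name '_' with default_server on both listeners) sets `access_log => absent` and `error_log => absent`, so the vhost most likely to receive opportunistic and scanner traffic leaves no record for detection or incident review, while its '/' location turns on directory listing with `autoindex => on` for /var/www/adrift.space. Unless the listing is intended, I would drop the two `absent` lines so the module's default log paths apply and write `autoindex => 'off',` (quoted, as the nginx module expects a string). The renewal hook could use `post_hook_commands => [ 'systemctl reload nginx.service', ],` so a renewed certificate is picked up without dropping open connections, assuming the nginx unit supports reload. The bootstrap ordering described in the TODO comment is still unresolved by this commit: both servers reference `/etc/letsencrypt/live/${certname}/...`, which does not exist before the first issuance, so the first run will presumably fail the `service_config_check` and the comment should say how the operator is expected to bootstrap.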