path: root/modules/profiles/manifests/gandalf_web.pp
Diffstat (limited to 'modules/profiles/manifests/gandalf_web.pp')
-rw-r--r--modules/profiles/manifests/gandalf_web.pp102
1 files changed, 102 insertions, 0 deletions
diff --git a/modules/profiles/manifests/gandalf_web.pp b/modules/profiles/manifests/gandalf_web.pp
new file mode 100644
index 0000000..1295d83
--- /dev/null
+++ b/modules/profiles/manifests/gandalf_web.pp
@@ -0,0 +1,102 @@
+class profiles::gandalf_web (
+ String $certname,
+) {
+
+ class { '::nginx':
+ manage_repo => false,
+ # server_purge => true,
+ package_name => 'nginx-mainline',
+ service_config_check => true,
+ http_cfg_append => {
+ 'charset' => 'utf-8',
+ },
+ mime_types_preserve_defaults => true,
+ mime_types => {
+ 'text/plain' => 'wiki txt',
+ },
+ include_modules_enabled => true,
+ server_purge => true,
+ }
+
+ file { '/etc/nginx/modules-enabled':
+ ensure => directory,
+ purge => true,
+ recurse => true,
+ }
+
+ # TODO this fails at bootstrapping, since letsencrypt requires nginx
+ # to be enabled, but nginx can't be enabled if any cert file is
+ # missing
+ # Letsencrypt::Certonly <| |> -> Nginx::Resource::Server <| |>
+
+ $domains = [
+ 'bookmark.gandalf.adrift.space',
+ 'calendar.gandalf.adrift.space',
+ 'repo.gandalf.adrift.space',
+ 'gandalf.adrift.space',
+ 'hack.adrift.space',
+ 'adrift.space',
+ ]
+
+ ensure_packages (['cronie',], { ensure => installed })
+
+ ensure_packages (['certbot', 'certbot-nginx'], { ensure => installed })
+ class { '::letsencrypt':
+ config => {
+ email => 'hugo@hornquist.se',
+ # server => 'https://acme-staging-v02.api.letsencrypt.org/directory',
+ server => 'https://acme-v02.api.letsencrypt.org/directory',
+ },
+ manage_install => false,
+ }
+
+ letsencrypt::certonly { $certname:
+ ensure => present,
+ domains => $domains,
+ manage_cron => true,
+ plugin => 'nginx',
+ additional_args => [ '--quiet', ],
+ # pre_hook_commands => [ 'systemctl stop nginx.service', ],
+ post_hook_commands => [ 'systemctl restart nginx.service', ],
+ }
+
+
+ nginx::resource::server { 'gandalf':
+ ipv6_enable => true,
+ listen_options => 'default_server',
+ ipv6_listen_options => 'default_server',
+ server_name => [ '_' ],
+ access_log => absent,
+ error_log => absent,
+ ssl => true,
+ ssl_cert => "/etc/letsencrypt/live/${certname}/fullchain.pem",
+ ssl_key => "/etc/letsencrypt/live/${certname}/privkey.pem",
+ ssl_redirect => true,
+ index_files => [ 'index.html', ],
+ www_root => '/var/www/adrift.space',
+ use_default_location => false,
+ }
+
+ nginx::resource::location { '/':
+ try_files => ['$uri', '$uri/', '=404'],
+ index_files => [],
+ ssl => true,
+ ssl_only => true,
+ autoindex => on,
+ server => 'gandalf',
+ }
+
+ nginx::resource::server { 'repo.gandalf.adrift.space':
+ ipv6_enable => true,
+ ipv6_listen_options => '',
+ server_name => [ 'repo.gandalf.adrift.space', ],
+ ssl => true,
+ ssl_cert => "/etc/letsencrypt/live/${certname}/fullchain.pem",
+ ssl_key => "/etc/letsencrypt/live/${certname}/privkey.pem",
+ ssl_redirect => true,
+ index_files => [ 'index.html', ],
+ www_root => '/usr/net/repo/',
+ use_default_location => true,
+ }
+
+}
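Review bot: The `/` location on the catch-all `gandalf` server (`server_name => [ '_' ]`, `default_server`) sets `autoindex => on`, so any request that reaches the host by IP or an unlisted name gets a directory listing of `/var/www/adrift.space` whenever no `index.html` is present; unless browsable listings are intended there, change it to `autoindex => off,` or drop the attribute and rely on the `=404` fallback already in `try_files`. The same server also sets `access_log => absent` and `error_log => absent`, which leaves no record of what the default vhost served or rejected; if the intent is only to keep noise out of the main logs, pointing them at a separate file is preferable to disabling them. Minor: `server_purge` appears both commented out and set to `true` in the `::nginx` declaration, so the commented line can go.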