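# Site manifest: two physical nodes plus the catch-all default.
#
# gandalf.adrift.space -- workstation + nspawn container host + authoritative
#   and recursive BIND (puppet 'dns' module) + personal web services behind
#   nginx.
# hornquist.se         -- public web host (blog, userdirs, cgit, wiki) that
#   pushes its own A records into the gandalf nameserver with nsupdate.
#
# Review notes (security) are inline as NOTE(review) comments.  Two things in
# this file were changed rather than just annotated:
#   * the '/varselklotet' nginx location/alias pair now both end in '/'
#     (see the comment on that resource);
#   * the userdir server_name regex names its capture group 'uname', which
#     is the nginx variable www_root already refers to.

node 'gandalf.adrift.space' {
  include ::rss_filter
  include ::networking

  nspawn::machine { 'busting':
    os      => 'debian',
    enable  => true,
    os_opts => {
      os_version => 'buster',
    }
  }
  # busting 10.0.0.42/23

  nspawn::machine { 'yoursql':
    os     => 'arch',
    enable => true,
  }

  # BIND: authoritative for the zones below and recursive for 'localnets'.
  # NOTE(review): dnssec_validation is 'no', so answers relayed from the
  # Google forwarders are accepted unverified; clients on localnets get no
  # protection against a spoofed or tampered upstream.  Unless something
  # downstream depends on unvalidated answers, 'auto' is the safer default.
  # NOTE(review): config_check => false skips named-checkconf and
  # manage_service => false means Puppet never reloads named -- a broken
  # zone or policy edit is only noticed when someone restarts it by hand
  # (see the TODO below).
  class { '::dns':
    forwarders         => [ '8.8.8.8', '8.8.4.4', ],
    dnssec_enable      => 'no',
    dnssec_validation  => 'no',
    # allow_query_cache => [ 'localnets', ],
    allow_recursion    => [ 'localnets', ],
    empty_zones_enable => 'no',
    acls               => {
      slaves => [ '83.250.160.195', ],
    },
    config_check       => false,
    manage_service     => false,
  }

  # ip6.arpa zone name for this host's IPv6 network, as computed by the
  # module's reverse_dns function ([32,-1] strips a leading prefix -- what
  # exactly depends on the function's output format; confirm against it).
  $rev_zone = dns::reverse_dns($facts['networking']['network6'])[32,-1]

  # Zone files are not managed by Puppet (manage_file => false): they are
  # dynamically updated, so Puppet must not overwrite them.
  # NOTE(review): only 'adrift.space' sets allow_transfer; the other zones
  # fall back to whatever the dns module's default is -- confirm that is
  # not 'any' before assuming AXFR is restricted to the slaves ACL.
  dns::zone {
    default:
      manage_file      => false,
      manage_file_name => true,
    ;
    'hugo':
    ;
    # The 'hornquist.se' TSIG key may update any record in its own zone
    # (zonesub/ANY); this is what the nsupdate on node hornquist.se uses.
    'hornquist.se':
      update_policy => {
        'hornquist.se' => {
          action    => 'grant',
          matchtype => 'zonesub',
          rr        => 'ANY',
        }
      },
    ;
    # NOTE(review): the update_policy hash below repeats the key
    # 'hornquist.se'.  Puppet rejects duplicate keys in a hash literal
    # ("declared more than once"), so as written this zone cannot be
    # evaluated; and even if the module accepted a list of rules, the
    # zonesub/ANY grant already subsumes the name-scoped TXT grant.  Decide
    # which one is intended: if the hornquist.se host only needs to write
    # dyntest.adrift.space TXT records, keep the narrow rule and drop the
    # zonesub grant -- the same key would otherwise be able to rewrite NS
    # and glue for adrift.space and its sub-zones from that host.
    'adrift.space':
      update_policy  => {
        'hornquist.se' => {
          action    => 'grant',
          matchtype => 'zonesub',
          rr        => 'ANY',
        },
        'hornquist.se' => {
          action    => 'grant',
          matchtype => 'name',
          tname     => 'dyntest.adrift.space',
          rr        => 'TXT',
        },
      },
      allow_transfer => [ slaves, ],
    ;
    'sub.adrift.space':
    ;
    '0.0.10.in-addr.arpa':
      reverse => true,
    ;
    # 10.0.1.0/24 reverse lookups are forwarded (only) to 10.0.0.1.
    # NOTE(review): reverse => true together with zonetype => 'forward' --
    # confirm the module accepts that combination rather than treating it
    # as a master zone.
    '1.0.10.in-addr.arpa':
      reverse    => true,
      zonetype   => 'forward',
      forward    => 'only',
      forwarders => [ '10.0.0.1', ],
    ;
    $rev_zone:
      reverse => true,
    ;
  }

  # TSIG key shared with node hornquist.se.  The secret comes from Hiera and
  # ends up in the catalog; keep the Hiera value encrypted (eyaml or similar)
  # and check the key file the module writes is not world-readable.
  $key = lookup('nsupdate::secrets."hornquist.se"')
  dns::key { 'hornquist.se':
    algorithm => $key['algorithm'],
    secret    => $key['secret'],
  }

  dns::logging::channel { 'xfer-log':
    log_type       => 'file',
    file_path      => '/var/log/named/log',
    print_category => 'yes',
    print_severity => 'yes',
    severity       => 'info',
    file_size      => '500K',
    file_versions  => 5,
  }
  dns::logging::channel { 'default_syslog':
    log_type        => 'syslog',
    syslog_facility => 'local2',
    severity        => 'info',
  }
  # NOTE(review): dynamic updates with TSIG are enabled above, but only the
  # transfer/notify categories are routed here; the 'update',
  # 'update-security' and 'security' categories still go wherever BIND's
  # defaults send them.  Adding them to this list is what you would want
  # when investigating a rogue or leaked key.
  dns::logging::category { [ 'xfer-in', 'xfer-out', 'notify', ]:
    channels => [ 'xfer-log', ],
  }
  # TODO restart named

  profiles::remarkable { 'any name':
    addr => '3',
  }

  include ::profiles::common
  include ::profiles::client
  include ::losetup
  include ::profiles::xmonad
  include ::profiles::workstation
  include ::profiles::dolphin
  include ::profiles::imagemagick

  # NFS automount of elrond:/files (no mount options given here; whatever
  # the systemd_mount type and NFS defaults are apply, e.g. NFSv3 vs v4,
  # sec=sys).
  systemd_mount { '/usr/net':
    what      => 'elrond:/files',
    where     => '/usr/net',
    wantedBy  => 'remote-fs.target',
    automount => true,
  }

  class { '::profiles::syncthing':
    enable_for => [ 'hugo', ],
  }

  $certname = 'adrift.space'
  class { '::profiles::gandalf_web':
    certname => $certname,
  }

  # Static wiki export, TLS only, with directory listings.
  # Both the location and the alias end in '/'.  The previous form
  # ('/varselklotet' aliased to '.../varselklotet', no trailing slashes)
  # is the classic nginx alias traversal: a request for '/varselklotet../'
  # matched the prefix and was mapped to '/home/hugo/wiki/varselklotet../'
  # = '/home/hugo/wiki/', exposing (and, with autoindex on, listing) the
  # parent directory.  This assumes the nginx module renders location_alias
  # verbatim as 'alias ...;' -- confirm in the generated vhost.  Requests to
  # the bare '/varselklotet' no longer match; add an exact-match 301 if that
  # URL is linked anywhere.
  nginx::resource::location { '/varselklotet/':
    server         => 'gandalf',
    location_alias => '/home/hugo/wiki/varselklotet/',
    try_files      => ['$uri', '$uri/', '=404'],
    autoindex      => 'on',
    ssl            => true,
    ssl_only       => true,
    index_files    => [],
  }

  class { 'profiles::transmission':
    nginx_server => 'gandalf',
  }

  # Shiori bookmark manager on 8081 behind nginx.  Whether 8081 is bound to
  # localhost only is decided inside the shiori class -- verify, otherwise
  # the nginx TLS/auth layer can be bypassed on the LAN.
  class { 'shiori':
    port          => 8081,
    group_members => [ 'hugo', ],
    nginx         => {
      server_name => "bookmark.${facts['fqdn']}",
      certname    => $certname,
    }
  }

  profiles::webdav_server { '/dav':
    file_path    => '/var/www/webdav',
    nginx_server => 'gandalf',
    users        => lookup('profiles::webdav_server::users'),
  }
}

node 'hornquist.se' {
  include ::profiles::common
  include ::profiles::client
  include ::profiles::firewall

  ensure_packages([ 'cowsay', ], { ensure => installed })

  # Publish this host's address for the apex and for '*.hornquist.se' via
  # dynamic update against ns2.adrift.space (the TSIG key is whatever the
  # nsupdate type looks up; it is the same key granted zonesub/ANY on
  # hornquist.se in the gandalf node above).  The wildcard is what makes
  # the per-user '<name>.hornquist.se' vhosts below resolve.
  nsupdate { 'hornquist.se':
    ensure     => present,
    nameserver => 'ns2.adrift.space',
    iface      => 'eth0',
    records    => [
      { type => 'A', ttl => 3600, domain => 'hornquist.se' },
      { type => 'A', ttl => 3600, domain => '*.hornquist.se' },
    ],
  }

  $blog_root = '/var/www/blog'
  $certname  = 'hornquist'

  class { '::cgit':
    root              => '/var/www/cgit',
    root_title        => 'Hornquist Git Repositiories',
    root_desc         => 'ᛏᚨᚾᛞᛖᛋ᛫ᛖᚾᛞᚨᛋᛏ᛫ᛗᛟᛏ᛫ᛚᚨᛞᚨᚾᛋ᛫ᛈᛚᚨᚾ',
    about_filter      => 'hugo-pre.sh',
    auth_filter       => 'hugo-authentication.lua',
    source_filter     => 'hugo-highlighting.sh',
    scan_path         => '/home/git/git',
    enable_http_clone => false,
    clone_url         => [
      'https://git.hornquist.se/$CGIT_REPO_URL.git',
      'git@hornquist.se:git/$CGIT_REPO_URL.git',
    ],
    manage_server     => 'nginx',
    server_name       => 'git.hornquist.se',
    certname          => $certname,
  }

  # https://buddy.works/blog/how-deploy-projects-with-git
  blog { 'Hugos blog':
    root => "${blog_root}/hugo",
  }

  service { 'php7.4-fpm':
    ensure => running,
    enable => true,
  }
  service { 'fcgiwrap.socket':
    ensure => running,
    enable => true,
  }

  # Make php-fpm create /run/php itself so the socket directory exists on
  # boot.
  file { '/etc/systemd/system/php7.4-fpm.service.d':
    ensure => directory,
  }
  file { '/etc/systemd/system/php7.4-fpm.service.d/override.conf':
    ensure  => file,
    notify  => Service['php7.4-fpm'],
    content => @(EOF)
      [Service]
      RuntimeDirectory=php
      | EOF
  }

  # include apt
  class { '::nginx':
    manage_repo              => false,
    server_purge             => true,
    service_config_check     => true,
    http_format_log          => 'my_format',
    log_format               => {
      'nginx_default' => '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"',
      'my_format'     => '$remote_addr - $remote_user [$time_local] "$request_method $server_name$request_uri" $status $body_bytes_sent "$http_referer" "$http_user_agent"',
    },
    # default 'error'
    nginx_error_log_severity => 'notice',
    http_cfg_append          => {
      rewrite_log => 'on',
    },
  }

  class { '::letsencrypt':
    config => {
      email => 'hugo.hornquist@gmail.com',
    }
    # renew_cron_ensure => present,
  }

  ensure_packages(['python3-certbot-nginx'], { ensure => installed })

  # One SAN certificate for every public name served here.  No wildcard, so
  # the per-user vhosts below present a certificate for the wrong name.
  letsencrypt::certonly { $certname:
    ensure             => present,
    manage_cron        => true,
    plugin             => 'nginx',
    additional_args    => [ '--quiet', ],
    post_hook_commands => [ 'systemctl reload nginx.service', ],
    domains            => [
      'blog.hornquist.se',
      'blogg.hornquist.se',
      'www.hornquist.se',
      'hornquist.se',
      'git.hornquist.se',
      'wiki.hornquist.se',
    ],
  }

  nginx::resource::server {
    default:
      access_log           => 'absent',
      error_log            => 'absent',
      ssl                  => true,
      ssl_cert             => "/etc/letsencrypt/live/${certname}/fullchain.pem",
      ssl_key              => "/etc/letsencrypt/live/${certname}/privkey.pem",
      use_default_location => false,
    ;
    'blogg':
      server_name       => [ 'blogg.hornquist.se', ],
      server_cfg_append => {
        'return' => '301 $scheme://blog.hornquist.se$request_uri',
      },
    ;
    'blog':
      server_name => [ 'blog.hornquist.se', ],
      index_files => [ 'index.php', 'index.html', 'index.htm', ],
      www_root    => $blog_root,
  }

  # Apex site; also the default_server, so any unknown Host (and the '_'
  # name) lands here.
  nginx::resource::server { 'hornquist':
    server_name          => [ 'hornquist.se', 'www.hornquist.se', '_', ],
    access_log           => 'absent',
    error_log            => 'absent',
    index_files          => [ 'index.php', 'index.html', 'index.htm', ],
    listen_options       => 'default_server',
    ssl                  => true,
    ssl_cert             => "/etc/letsencrypt/live/${certname}/fullchain.pem",
    ssl_key              => "/etc/letsencrypt/live/${certname}/privkey.pem",
    use_default_location => false,
    www_root             => '/var/www/html',
    # autoindex => 'on',
  }

  # Per-user sites: '<user>.hornquist.se' serves ~<user>/.public.  The
  # capture group is named 'uname' because www_root reads $uname; the
  # pattern is single-quoted so nginx, not Puppet, expands it.
  # NOTE(review): the '~ \.cgi$' and '~ \.php$' locations below apply to
  # this server, so anything a local user drops under ~/.public runs as the
  # fcgiwrap / php-fpm service user.  That is the usual userdir trade-off,
  # but it means every account with a home directory is a code-execution
  # path into those service users; confirm they are unprivileged and
  # confined (systemd sandboxing or equivalent) and that nothing sensitive
  # is readable by them.
  nginx::resource::server { 'userdir':
    server_name          => [ '~^(?P<uname>[a-z][-a-z0-9]*)\.hornquist\.se', ],
    access_log           => 'absent',
    error_log            => 'absent',
    index_files          => [ 'index.cgi', 'index.php', 'index.html', 'index.htm', ],
    # SSL sites for userdir lack a cert due to wildcard certificates being
    # "problematic". However, it's enabled here since a ::location with
    # ssl => true WILL generate locations, even when server is missing.
    ssl                  => true,
    ssl_cert             => "/etc/letsencrypt/live/${certname}/fullchain.pem",
    ssl_key              => "/etc/letsencrypt/live/${certname}/privkey.pem",
    use_default_location => false,
    www_root             => '/home/$uname/.public',
    # autoindex => 'on',
  }

  # NOTE(review): this server keeps the module's default '/' location, so
  # the '~ /\.ht' deny below does not cover it; fine as long as nothing
  # under /var/www/wiki/public/html is named .ht*.
  nginx::resource::server { 'wiki':
    server_name          => [ 'wiki.hornquist.se', ],
    access_log           => 'absent',
    error_log            => 'absent',
    index_files          => [ 'index.html', ],
    ssl                  => true,
    ssl_cert             => "/etc/letsencrypt/live/${certname}/fullchain.pem",
    ssl_key              => "/etc/letsencrypt/live/${certname}/privkey.pem",
    use_default_location => true,
    www_root             => '/var/www/wiki/public/html',
  }

  # NOTE(review): autoindex is on for '/' on all three servers, including
  # userdir.  Any directory without an index file is listed publicly, which
  # is a deliberate choice for the blog/apex roots but may surprise users
  # of ~/.public.  If listings are only wanted for specific trees, move
  # autoindex to those locations instead.
  nginx::resource::location { '/':
    try_files   => ['$uri', '$uri/', '=404'],
    index_files => [],
    ssl         => true,
    autoindex   => on,
    server      => [ 'blog', 'hornquist', 'userdir', ]
  }

  nginx::resource::location { '/nyar':
    location_custom_cfg => { return => '307 http://www.lysator.liu.se/~hugo/song/2018.html' },
    ssl                 => true,
    index_files         => [],
    server              => [ 'hornquist', ],
  }

  nginx::resource::location { '= /':
    # temporary redirect
    location_custom_cfg => { return => '307 /hugo' },
    ssl                 => true,
    index_files         => [],
    server              => [ 'blog', ],
  }

  # PHP via php-fpm.  Debian's snippets/fastcgi-php.conf is relied on for
  # 'try_files $fastcgi_script_name =404' (guards the fix_pathinfo trick);
  # confirm the snippet on this host still has that line.
  nginx::resource::location { '~ \.php$':
    fastcgi_params => 'snippets/fastcgi-php.conf',
    fastcgi        => 'unix:/run/php/php-fpm.sock',
    ssl            => true,
    server         => [ 'blog', 'hornquist', 'userdir', ],
  }

  # Classic CGI through fcgiwrap, userdir only.
  nginx::resource::location { '~ \.cgi$':
    fastcgi_params => 'fastcgi_params',
    fastcgi_param  => {
      # 'SCRIPT_FILENAME' => '$document_root/*.cgi',
      'PATH_INFO'    => '$fastcgi_script_name',
      'QUERY_STRING' => '$args',
    },
    fastcgi        => 'unix:/run/fcgiwrap.socket',
    server         => [ 'userdir', ],
  }

  # Never serve .htaccess/.htpasswd style files.
  nginx::resource::location { '~ /\.ht':
    location_cfg_append => { deny => 'all' },
    index_files         => [],
    ssl                 => true,
    server              => [ 'blog', 'hornquist', 'userdir', ],
  }
}

node default {}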