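# Site manifest: per-node classification for the adrift.space and hornquist.se
# hosts. Each `node` block is a complete, stand-alone host definition.

# Puppet server host: runs the puppetserver, PuppetDB and puppetboard.
node 'busting.adrift.space' {
  # Make the host resolve its own FQDN over the IPv6 loopback.
  # NOTE(review): `$facts['name']` is not a core fact — confirm it is a custom
  # fact present on this host, otherwise the third column is empty.
  file_line { 'hosts ourself':
    ensure => present,
    line   => "::1\t${facts['networking']['fqdn']}\t${facts['name']}",
    path   => '/etc/hosts',
  }

  # NOTE(review): root login over SSH is enabled on the Puppet server. Unless
  # something depends on it, prefer a per-user account (with sudo) and keep
  # root login disabled.
  class { 'ssh':
    permit_root_login => true,
  }

  ensure_packages(['ruby'])

  class { 'puppet':
    server                => true,
    # agent               => false,
    server_foreman        => false,
    server_reports        => 'puppetdb',
    server_storeconfigs   => true,
    server_git_repo       => true,
    server_git_repo_path  => '/var/lib/puppet.git',
    server_external_nodes => '',
  }

  # class { 'puppet::server::puppetdb':
  #   port => 8080,
  # }

  # exec { 'puppetdb ssl-setup':
  #   creates => '/etc/puppetlabs/puppetdb/ssl/{ca,private,public}.pem'
  # }

  # NOTE(review): `listen_address => '::'` binds PuppetDB's unauthenticated
  # plain-HTTP port on every address (dual-stack hosts include IPv4). The only
  # consumer in this manifest is puppetboard on the same host
  # (`puppetdb_port => 8080`), so a loopback address is probably sufficient —
  # confirm, then restrict the bind address or firewall the port.
  class { 'puppetdb':
    listen_address => '::',
    disable_ssl    => false,
  }

  # class { 'puppetdb::master::config': }

  # https://forge.puppet.com/modules/puppet/puppetboard/readme

  # Configure Apache
  class { 'apache':
    default_vhost => false,
    purge_configs => true,
  }

  # mod_wsgi package and module path differ per OS family; only Debian is
  # mapped here, every other family falls back to the module defaults.
  $wsgi = $facts['os']['family'] ? {
    'Debian' => {
      package_name => 'libapache2-mod-wsgi-py3',
      mod_path     => '/usr/lib/apache2/modules/mod_wsgi.so',
    },
    default  => {}
  }

  class { 'apache::mod::wsgi':
    * => $wsgi,
  }

  # Configure puppetboard
  class { 'puppetboard':
    manage_git        => true,
    manage_virtualenv => true,
    require           => Class['puppetdb'],
    puppetdb_port     => 8080,
    python_loglevel   => 'debug',
  }

  class { 'puppetboard::apache::vhost':
    vhost_name => $facts['networking']['fqdn'],
    port       => 80,
  }
}

# Workstation / home server.
node 'gandalf.adrift.space' {
  profiles::remarkable { 'any name':
    addr => '3',
  }

  include ::losetup
  include ::profiles::xmonad
  include ::profiles::workstation
  include ::profiles::dolphin
  include ::profiles::imagemagick

  systemd_mount { '/usr/net':
    what      => 'elrond:/files',
    where     => '/usr/net',
    wantedBy  => 'remote-fs.target',
    automount => true,
  }

  class { '::profiles::syncthing':
    enable_for => [
      'hugo',
    ],
  }

  # Certificate name shared by every TLS-enabled service on this host.
  $certname = 'adrift.space'

  class { '::profiles::gandalf_web':
    certname => $certname,
  }

  nginx::resource::location { '/varselklotet':
    server         => 'gandalf',
    location_alias => '/home/hugo/wiki/varselklotet',
    try_files      => ['$uri', '$uri/', '=404'],
    autoindex      => 'on',
    ssl            => true,
    ssl_only       => true,
    index_files    => [],
  }

  class { 'profiles::transmission':
    nginx_server => 'gandalf',
  }

  class { 'shiori':
    port          => 8081,
    group_members => [
      'hugo',
    ],
    nginx         => {
      server_name => "bookmark.${facts['networking']['fqdn']}",
      certname    => $certname,
    }
  }

  # The WebDAV credential is looked up from the password store at compile
  # time; no secret is kept in this manifest.
  profiles::webdav_server { '/dav':
    file_path    => '/var/www/webdav',
    users        => [['hugo', pass('adrift.space/gandalf/dav/hugo')]],
    nginx_server => 'gandalf'
  }
}

# Public web host: blog, cgit, wiki and per-user sites behind nginx.
node 'hornquist.se' {
  include ::profiles::firewall

  ensure_packages([
    'cowsay',
  ], { ensure => installed })

  nsupdate { 'hornquist.se':
    ensure     => present,
    nameserver => 'ns2.adrift.space',
    iface      => 'eth0',
    records    => [
      { type => 'A', ttl => 3600, domain => 'hornquist.se' },
      { type => 'A', ttl => 3600, domain => '*.hornquist.se' },
    ],
  }

  $cgit_root = '/var/www/cgit'
  $blog_root = '/var/www/blog'

  class { '::cgit':
    root          => $cgit_root,
    root_title    => 'Hornquist Git Repositiories',
    root_desc     => 'ᛏᚨᚾᛞᛖᛋ᛫ᛖᚾᛞᚨᛋᛏ᛫ᛗᛟᛏ᛫ᛚᚨᛞᚨᚾᛋ᛫ᛈᛚᚨᚾ',
    about_filter  => 'hugo-pre.sh',
    auth_filter   => 'hugo-authentication.lua',
    source_filter => 'hugo-highlighting.sh',
    scan_path     => '/home/git/git',
    clone_url     => [
      'https://git.hornquist.se/$CGIT_REPO_URL',
      'git@hornquist.se:git/$CGIT_REPO_URL.git',
      '(HTTP_only_for_public_repos)',
    ],
  }

  # https://buddy.works/blog/how-deploy-projects-with-git
  blog { 'Hugos blog':
    root => "${blog_root}/hugo",
  }

  service { 'php7.4-fpm':
    ensure => running,
    enable => true,
  }

  service { 'fcgiwrap.socket':
    ensure => running,
    enable => true,
  }

  file { '/etc/systemd/system/php7.4-fpm.service.d':
    ensure => directory,
  }

  # Drop-in so systemd manages the runtime directory that holds the php-fpm
  # socket referenced by the '~ \.php$' location below (/run/php/...).
  file { '/etc/systemd/system/php7.4-fpm.service.d/override.conf':
    ensure  => file,
    notify  => Service['php7.4-fpm'],
    content => @(EOF)
      [Service]
      RuntimeDirectory=php
      | EOF
  }

  # include apt

  class { '::nginx':
    manage_repo          => false,
    server_purge         => true,
    service_config_check => true,
  }

  # Lineage name under /etc/letsencrypt/live/ used by every server below.
  $certname = 'hornquist'

  class { '::letsencrypt':
    config => {
      email => 'hugo.hornquist@gmail.com',
    }
    # renew_cron_ensure => present,
  }

  ensure_packages(['python3-certbot-nginx'], { ensure => installed })

  letsencrypt::certonly { $certname:
    ensure             => present,
    manage_cron        => true,
    plugin             => 'nginx',
    additional_args    => [
      '--quiet',
    ],
    post_hook_commands => [
      'systemctl reload nginx.service',
    ],
    domains            => [
      'blog.hornquist.se',
      'blogg.hornquist.se',
      'www.hornquist.se',
      'hornquist.se',
      'git.hornquist.se',
      'wiki.hornquist.se',
    ],
  }

  # Misspelled blog host: permanent redirect to the canonical name.
  nginx::resource::server { 'blogg':
    server_name          => [
      'blogg.hornquist.se',
    ],
    access_log           => 'absent',
    error_log            => 'absent',
    ssl                  => true,
    ssl_cert             => "/etc/letsencrypt/live/${certname}/fullchain.pem",
    ssl_key              => "/etc/letsencrypt/live/${certname}/privkey.pem",
    use_default_location => false,
    server_cfg_append    => {
      'return' => '301 $scheme://blog.hornquist.se$request_uri',
    }
  }

  nginx::resource::server { 'blog':
    server_name          => [
      'blog.hornquist.se',
    ],
    access_log           => 'absent',
    error_log            => 'absent',
    index_files          => [
      'index.php',
      'index.html',
      'index.htm',
    ],
    ssl                  => true,
    ssl_cert             => "/etc/letsencrypt/live/${certname}/fullchain.pem",
    ssl_key              => "/etc/letsencrypt/live/${certname}/privkey.pem",
    use_default_location => false,
    www_root             => $blog_root,
  }

  # Catch-all (`default_server`) for the bare domain and unmatched Host names.
  nginx::resource::server { 'hornquist':
    server_name          => [
      'hornquist.se',
      'www.hornquist.se',
      '_',
    ],
    access_log           => 'absent',
    error_log            => 'absent',
    index_files          => [
      'index.php',
      'index.html',
      'index.htm',
    ],
    listen_options       => 'default_server',
    ssl                  => true,
    ssl_cert             => "/etc/letsencrypt/live/${certname}/fullchain.pem",
    ssl_key              => "/etc/letsencrypt/live/${certname}/privkey.pem",
    use_default_location => false,
    www_root             => '/var/www/html',
    # autoindex          => 'on',
  }

  # Per-user sites: <user>.hornquist.se is served from that user's ~/.public.
  # The named capture `uname` is what the www_root below refers to.
  # NOTE(review): the pattern has no end anchor (`$`); anchoring it keeps
  # longer Host names from matching this server.
  nginx::resource::server { 'userdir':
    server_name          => [
      '~^(?P<uname>[a-z][-a-z0-9]*)\.hornquist\.se',
    ],
    access_log           => 'absent',
    error_log            => 'absent',
    index_files          => [
      'index.cgi',
      'index.php',
      'index.html',
      'index.htm',
    ],
    # SSL sites for userdir lack a cert due to wildcard certificates being
    # "problematic". However, it's enabled here since a ::location with
    # ssl => true WILL generate locations, even when server is missing.
    ssl                  => true,
    ssl_cert             => "/etc/letsencrypt/live/${certname}/fullchain.pem",
    ssl_key              => "/etc/letsencrypt/live/${certname}/privkey.pem",
    use_default_location => false,
    www_root             => '/home/$uname/.public',
    # autoindex          => 'on',
  }

  nginx::resource::server { 'wiki':
    server_name          => [
      'wiki.hornquist.se',
    ],
    access_log           => 'absent',
    error_log            => 'absent',
    index_files          => [
      'index.html',
    ],
    ssl                  => true,
    ssl_cert             => "/etc/letsencrypt/live/${certname}/fullchain.pem",
    ssl_key              => "/etc/letsencrypt/live/${certname}/privkey.pem",
    use_default_location => true,
    www_root             => '/var/www/wiki/public/html',
  }

  # Static cgit assets are served from $cgit_root; anything else falls through
  # to the @cgit FastCGI location.
  nginx::resource::server { 'cgit':
    server_name          => [
      'git.hornquist.se',
    ],
    access_log           => 'absent',
    error_log            => 'absent',
    index_files          => [],
    try_files            => [ '$uri', '@cgit' ],
    ssl                  => true,
    ssl_cert             => "/etc/letsencrypt/live/${certname}/fullchain.pem",
    ssl_key              => "/etc/letsencrypt/live/${certname}/privkey.pem",
    use_default_location => true,
    www_root             => $cgit_root,
    ssl_redirect         => true,
    # /usr/lib/cgit/cgit.cgi
    # /usr/share/cgit/cgit.css
  }

  nginx::resource::location { '@cgit':
    fastcgi_params => 'fastcgi_params',
    fastcgi_param  => {
      'SCRIPT_FILENAME' => '/usr/lib/cgit/cgit.cgi',
      'PATH_INFO'       => '$fastcgi_script_name',
      'QUERY_STRING'    => '$args',
    },
    ssl_only       => true,
    fastcgi        => 'unix:/run/fcgiwrap.socket',
    server         => [
      'cgit',
    ],
  }

  # TODO extra locations for dumb git clones?

  # Shared document-root location; directory listings are deliberately on.
  nginx::resource::location { '/':
    try_files   => ['$uri', '$uri/', '=404'],
    index_files => [],
    ssl         => true,
    autoindex   => 'on',
    server      => [
      'blog',
      'hornquist',
      'userdir',
    ]
  }

  nginx::resource::location { '/nyar':
    location_custom_cfg => {
      return => '307 http://www.lysator.liu.se/~hugo/song/2018.html'
    },
    ssl                 => true,
    index_files         => [],
    server              => [
      'hornquist',
    ],
  }

  nginx::resource::location { '= /':
    # temporary redirect
    location_custom_cfg => {
      return => '307 /hugo'
    },
    ssl                 => true,
    index_files         => [],
    server              => [
      'blog',
    ],
  }

  # NOTE(review): PHP execution is enabled for the per-user roots (userdir)
  # through the same php-fpm pool as the site roots — confirm that is intended.
  nginx::resource::location { '~ \.php$':
    fastcgi_params => 'snippets/fastcgi-php.conf',
    fastcgi        => 'unix:/run/php/php-fpm.sock',
    ssl            => true,
    server         => [
      'blog',
      'hornquist',
      'userdir',
    ],
  }

  nginx::resource::location { '~ \.cgi$':
    fastcgi_params => 'fastcgi_params',
    fastcgi_param  => {
      # 'SCRIPT_FILENAME' => '$document_root/*.cgi',
      'PATH_INFO'    => '$fastcgi_script_name',
      'QUERY_STRING' => '$args',
    },
    fastcgi        => 'unix:/run/fcgiwrap.socket',
    server         => [
      'userdir',
    ],
  }

  # Never serve .htaccess / .htpasswd style files from any document root.
  nginx::resource::location { '~ /\.ht':
    location_cfg_append => {
      deny => 'all'
    },
    index_files         => [],
    ssl                 => true,
    server              => [
      'blog',
      'hornquist',
      'userdir',
    ],
  }
}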