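# Site manifest: three node definitions (puppet master, DNS/workstation host,
# public web/git host).
#
# NOTE(review): hostnames, addresses, zone names, certificate names and lookup
# keys appear redacted to '' in this listing (and all three nodes are named
# ''). Fill them in before applying; Puppet rejects duplicate node names.

node '' {
  include ::profiles::common

  # Root SSH login is enabled "to allow clone of repo as root".
  # NOTE(review): this permits interactive root login with a password, not
  # only key-based access. If the ssh module in use accepts it, a
  # 'prohibit-password'/'without-password' value keeps the root clone
  # working while removing password-based root logins — confirm against
  # the module's parameter type before changing.
  class { 'ssh':
    permit_root_login => true,
  }

  include ::profiles::puppetserver
  include ::profiles::puppetdb
  include ::profiles::puppetboard
}

node '' {
  # Authoritative + recursive (for localnets) BIND instance.
  # NOTE(review): DNSSEC validation is disabled, so clients of this recursor
  # accept unsigned/forged answers; re-enable once the forwarders are known
  # to validate or once this host validates itself. config_check => false
  # also skips named-checkconf, so a broken zone/config is only noticed when
  # named fails to reload.
  class { '::dns':
    forwarders         => [ '', '', ],
    dnssec_enable      => 'no',
    dnssec_validation  => 'no',
    # allow_query_cache => [ 'localnets', ],
    allow_recursion    => [ 'localnets', ],
    empty_zones_enable => 'no',
    acls               => {
      slaves => [ '', ],
    },
    config_check       => false,
    zonefilepath       => $dns::params::vardir,
  }

  # Reverse zone name derived from the host's IPv6 network fact; the leading
  # 32 characters are dropped (presumably the nibble prefix that is not
  # delegated here — confirm against the actual prefix length).
  $rev_zone = dns::reverse_dns($facts['networking']['network6'])[32,-1]

  dns::zone {
    default:
      manage_file      => false,
      manage_file_name => true,
    ;
    'hugo':
      # defaults to "db.${title}"
      filename => '',
    ;
    '':
      # NOTE(review): 'zonesub' + rr 'ANY' lets the holder of this TSIG key
      # add/delete any record type in the whole zone. Narrow rr to the
      # types actually updated (e.g. A/AAAA, TXT for ACME) where possible.
      update_policy => {
        '' => {
          action    => 'grant',
          matchtype => 'zonesub',
          rr        => 'ANY',
        }
      },
      filename      => '',
    ;
    '':
      filename       => '',
      update_policy  => {
        '' => {
          action    => 'grant',
          matchtype => 'zonesub',
          rr        => 'ANY',
        },
        '' => {
          action    => 'grant',
          matchtype => 'name',
          tname     => '',
          rr        => 'TXT',
        },
      },
      # References the 'slaves' ACL declared on the ::dns class above
      # (quoted for consistency with the other string values; a bareword
      # is the same string in Puppet).
      allow_transfer => [ 'slaves', ],
    ;
    '':
      filename => '',
    ;
    '':
      filename => '',
      reverse  => true,
    ;
    '':
      zonetype   => 'forward',
      forward    => 'only',
      forwarders => [ '', ],
    ;
    $rev_zone:
      filename => '',
  }

  # TSIG key material comes from Hiera (eyaml or similar is assumed — the
  # secret must not live in plain hieradata).
  $key = lookup('nsupdate::secrets.""')
  dns::key { '':
    algorithm => $key['algorithm'],
    secret    => $key['secret'],
  }

  # Zone-transfer/notify audit log, rotated by BIND itself.
  dns::logging::channel { 'xfer-log':
    log_type       => 'file',
    file_path      => '/var/log/named/log',
    print_category => 'yes',
    print_severity => 'yes',
    severity       => 'info',
    file_size      => '500K',
    file_versions  => 5,
  }

  # NOTE(review): 'default_syslog' is also the name of one of BIND's
  # built-in channels; verify named accepts this definition (config_check
  # is off above, so a rejected channel would only surface at reload).
  dns::logging::channel { 'default_syslog':
    log_type        => 'syslog',
    syslog_facility => 'local2',
    severity        => 'info',
  }

  dns::logging::category { [ 'xfer-in', 'xfer-out', 'notify', ]:
    channels => [ 'xfer-log', ],
  }

  profiles::remarkable { 'any name':
    addr => '3',
  }

  include ::profiles::common
  include ::profiles::client
  include ::losetup
  include ::profiles::xmonad
  include ::profiles::workstation
  include ::profiles::dolphin
  include ::profiles::imagemagick

  # NFS automount of the file server's export.
  systemd_mount { '/usr/net':
    what      => 'elrond:/files',
    where     => '/usr/net',
    wantedBy  => '',
    automount => true,
  }

  class { '::profiles::syncthing':
    enable_for => [ 'hugo', ],
  }

  $certname = ''
  class { '::profiles::gandalf_web':
    certname => $certname,
  }

  # Directory listing of a wiki subtree, HTTPS only.
  nginx::resource::location { '/varselklotet':
    server         => 'gandalf',
    location_alias => '/home/hugo/wiki/varselklotet',
    try_files      => ['$uri', '$uri/', '=404'],
    autoindex      => 'on',
    ssl            => true,
    ssl_only       => true,
    index_files    => [],
  }

  class { 'profiles::transmission':
    nginx_server => 'gandalf',
  }

  # Bookmark manager on a local port, fronted by nginx with TLS.
  class { 'shiori':
    port          => 8081,
    group_members => [ 'hugo', ],
    nginx         => {
      server_name => "bookmark.${facts['fqdn']}",
      certname    => $certname,
    }
  }

  # WebDAV share; the password is fetched via pass() rather than inlined.
  profiles::webdav_server { '/dav':
    file_path    => '/var/www/webdav',
    users        => [['hugo', pass('')]],
    nginx_server => 'gandalf'
  }
}

node '' {
  include ::profiles::common
  include ::profiles::client
  include ::profiles::firewall

  ensure_packages([ 'cowsay', ], { ensure => installed })

  # Dynamic DNS registration of this host's eth0 address, including a
  # wildcard record (needed for the per-user vhosts below).
  nsupdate { '':
    ensure     => present,
    nameserver => '',
    iface      => 'eth0',
    records    => [
      { type => 'A', ttl => 3600, domain => '' },
      { type => 'A', ttl => 3600, domain => '*' },
    ],
  }

  $blog_root = '/var/www/blog'
  $certname = 'hornquist'

  # cgit with an authentication filter; HTTP clone is disabled so
  # repositories are only fetched through the listed clone URLs.
  class { '::cgit':
    root              => '/var/www/cgit',
    root_title        => 'Hornquist Git Repositiories',
    root_desc         => 'ᛏᚨᚾᛞᛖᛋ᛫ᛖᚾᛞᚨᛋᛏ᛫ᛗᛟᛏ᛫ᛚᚨᛞᚨᚾᛋ᛫ᛈᛚᚨᚾ',
    about_filter      => '',
    auth_filter       => 'hugo-authentication.lua',
    source_filter     => '',
    scan_path         => '/home/git/git',
    enable_http_clone => false,
    clone_url         => [
      '$CGIT_REPO_URL.git',
      '$CGIT_REPO_URL.git',
    ],
    manage_server     => 'nginx',
    server_name       => '',
    certname          => $certname,
  }

  # blog { 'Hugos blog':
  #   root => "${blog_root}/hugo",
  # }

  service { 'php7.4-fpm':
    ensure => running,
    enable => true,
  }

  service { 'fcgiwrap.socket':
    ensure => running,
    enable => true,
  }

  file { '/etc/systemd/system/php7.4-fpm.service.d':
    ensure => directory,
  }

  # Let systemd create /run/php for the php-fpm socket referenced below.
  file { '/etc/systemd/system/php7.4-fpm.service.d/override.conf':
    ensure  => file,
    notify  => Service['php7.4-fpm'],
    content => @(EOF)
      [Service]
      RuntimeDirectory=php
      | EOF
  }

  # include apt

  class { '::nginx':
    manage_repo              => false,
    server_purge             => true,
    service_config_check     => true,
    http_format_log          => 'my_format',
    log_format               => {
      'nginx_default' => '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"',
      'my_format'     => '$remote_addr - $remote_user [$time_local] "$request_method $server_name$request_uri" $status $body_bytes_sent "$http_referer" "$http_user_agent"',
    },
    # default 'error'
    nginx_error_log_severity => 'notice',
    http_cfg_append          => {
      rewrite_log => 'on',
    },
  }

  class { '::letsencrypt':
    config => {
      email => '',
    }
    # renew_cron_ensure => present,
  }

  ensure_packages(['python3-certbot-nginx'], { ensure => installed })

  # One certificate covering every public name served below.
  letsencrypt::certonly { $certname:
    ensure             => present,
    manage_cron        => true,
    plugin             => 'nginx',
    additional_args    => [ '--quiet', ],
    post_hook_commands => [ 'systemctl reload nginx.service', ],
    domains            => [ '', '', '', '', '', '', ],
  }

  # Redirect-only vhost (target host redacted in this listing).
  nginx::resource::server { 'blogg':
    server_name          => [ '', ],
    access_log           => 'absent',
    error_log            => 'absent',
    ssl                  => true,
    ssl_cert             => "/etc/letsencrypt/live/${certname}/fullchain.pem",
    ssl_key              => "/etc/letsencrypt/live/${certname}/privkey.pem",
    use_default_location => false,
    server_cfg_append    => {
      'return' => '301 $scheme://$request_uri',
    }
  }

  nginx::resource::server { 'blog':
    server_name          => [ '', ],
    access_log           => 'absent',
    error_log            => 'absent',
    index_files          => [ 'index.php', 'index.html', 'index.htm', ],
    ssl                  => true,
    ssl_cert             => "/etc/letsencrypt/live/${certname}/fullchain.pem",
    ssl_key              => "/etc/letsencrypt/live/${certname}/privkey.pem",
    use_default_location => false,
    www_root             => $blog_root,
  }

  # Catch-all default server; certificate path uses $certname like the
  # other vhosts ($certname is 'hornquist', so this is the same file).
  nginx::resource::server { 'hornquist':
    server_name          => [ '', '', '_', ],
    access_log           => 'absent',
    error_log            => 'absent',
    index_files          => [ 'index.php', 'index.html', 'index.htm', ],
    listen_options       => 'default_server',
    ssl                  => true,
    ssl_cert             => "/etc/letsencrypt/live/${certname}/fullchain.pem",
    ssl_key              => "/etc/letsencrypt/live/${certname}/privkey.pem",
    use_default_location => false,
    www_root             => '/var/www/html',
    # autoindex => 'on',
  }

  # Per-user vhosts: <user>.hornquist.se -> /home/<user>/.public.
  # The capture name 'uname' is referenced by www_root below; the regex
  # restricts it to [a-z][-a-z0-9]*, so it cannot contain '/' or '..'.
  nginx::resource::server { 'userdir':
    server_name          => [ '~^(?P<uname>[a-z][-a-z0-9]*)\.hornquist\.se', ],
    access_log           => 'absent',
    error_log            => 'absent',
    index_files          => [ 'index.cgi', 'index.php', 'index.html', 'index.htm', ],
    # SSL sites for userdir lack a cert due to wildcard certificates being
    # "problematic". However, it's enabled here since a ::location with
    # ssl => true WILL generate locations, even when server is missing.
    ssl                  => true,
    ssl_cert             => "/etc/letsencrypt/live/${certname}/fullchain.pem",
    ssl_key              => "/etc/letsencrypt/live/${certname}/privkey.pem",
    use_default_location => false,
    www_root             => '/home/$uname/.public',
    # autoindex => 'on',
  }

  nginx::resource::server { 'wiki':
    server_name          => [ '', ],
    access_log           => 'absent',
    error_log            => 'absent',
    index_files          => [ 'index.html', ],
    ssl                  => true,
    ssl_cert             => "/etc/letsencrypt/live/${certname}/fullchain.pem",
    ssl_key              => "/etc/letsencrypt/live/${certname}/privkey.pem",
    use_default_location => true,
    www_root             => '/var/www/wiki/public/html',
  }

  # NOTE(review): autoindex is on for three public vhosts, so any directory
  # without an index file (including user .public dirs) has its contents
  # listed. Keep it only where a listing is intended.
  nginx::resource::location { '/':
    try_files   => ['$uri', '$uri/', '=404'],
    index_files => [],
    ssl         => true,
    autoindex   => 'on',
    server      => [ 'blog', 'hornquist', 'userdir', ]
  }

  nginx::resource::location { '/nyar':
    location_custom_cfg => { return => '307' },
    ssl                 => true,
    index_files         => [],
    server              => [ 'hornquist', ],
  }

  nginx::resource::location { '= /':
    # temporary redirect
    location_custom_cfg => { return => '307 /hugo' },
    ssl                 => true,
    index_files         => [],
    server              => [ 'blog', ],
  }

  # PHP for all three content vhosts, including user-controlled .public
  # trees. NOTE(review): relies on snippets/fastcgi-php.conf (Debian's
  # snippet adds try_files on $fastcgi_script_name) and on
  # cgi.fix_pathinfo being handled in php-fpm to avoid executing
  # "/x.jpg/y.php" style requests — confirm both on the host.
  nginx::resource::location { '~ \.php$':
    fastcgi_params => 'snippets/fastcgi-php.conf',
    fastcgi        => 'unix:/run/php/php-fpm.sock',
    ssl            => true,
    server         => [ 'blog', 'hornquist', 'userdir', ],
  }

  # CGI via fcgiwrap for user directories.
  # ssl => true added: every sibling location declares it, and without it
  # puppet-nginx only renders this location into the plain-HTTP server
  # block, so over HTTPS a *.cgi request would fall through to '/' and
  # be served as a static file (script source disclosure).
  nginx::resource::location { '~ \.cgi$':
    fastcgi_params => 'fastcgi_params',
    fastcgi_param  => {
      # 'SCRIPT_FILENAME' => '$document_root/*.cgi',
      'PATH_INFO'    => '$fastcgi_script_name',
      'QUERY_STRING' => '$args',
    },
    fastcgi        => 'unix:/run/fcgiwrap.socket',
    ssl            => true,
    server         => [ 'userdir', ],
  }

  # Deny .htaccess/.htpasswd. NOTE(review): other dotfiles (.git, .env,
  # editor backups) under the document roots are still served — and listed
  # by autoindex. A wider '~ /\.' deny would cover them, but check it does
  # not shadow the certbot nginx plugin's /.well-known/acme-challenge
  # location before widening.
  nginx::resource::location { '~ /\.ht':
    location_cfg_append => { deny => 'all' },
    index_files         => [],
    ssl                 => true,
    server              => [ 'blog', 'hornquist', 'userdir', ],
  }
}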