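# @summary Public-facing nginx front for the gandalf host.
#
# Installs the mainline nginx package with purged server and module
# directories (so only Puppet-declared configuration survives), obtains a
# single Let's Encrypt certificate covering every name in `$domains`, and
# declares two TLS servers: a catch-all default server that serves
# `/var/www/adrift.space`, and a dedicated server for
# `repo.gandalf.adrift.space`.
#
# @param certname
#   Name of the certbot lineage. It is the `letsencrypt::certonly` title and
#   the directory under `/etc/letsencrypt/live/` from which both nginx servers
#   read `fullchain.pem` and `privkey.pem`.
class profiles::gandalf_web (
  String $certname,
) {

  # Single source for the certificate/key location so the two servers below
  # cannot drift apart.
  $live_dir = "/etc/letsencrypt/live/${certname}"

  class { '::nginx':
    manage_repo                  => false,
    package_name                 => 'nginx-mainline',
    service_config_check         => true,
    http_cfg_append              => {
      'charset' => 'utf-8',
    },
    mime_types_preserve_defaults => true,
    mime_types                   => {
      'text/plain' => 'wiki txt',
    },
    include_modules_enabled      => true,
    # Remove any server definition not declared through Puppet.
    server_purge                 => true,
  }

  # Likewise for dynamic modules: anything not managed here is removed.
  file { '/etc/nginx/modules-enabled':
    ensure  => directory,
    purge   => true,
    recurse => true,
  }

  # TODO this fails at bootstrapping, since letsencrypt requires nginx
  # to be enabled, but nginx can't be enabled if any cert file is
  # missing
  # Letsencrypt::Certonly <| |> -> Nginx::Resource::Server <| |>

  # All names are placed on one certificate (the `$certname` lineage).
  $domains = [
    'bookmark.gandalf.adrift.space',
    'calendar.gandalf.adrift.space',
    'repo.gandalf.adrift.space',
    'gandalf.adrift.space',
    'hack.adrift.space',
    'adrift.space',
  ]

  # cronie backs the renewal cron job (manage_cron below); certbot-nginx
  # provides the 'nginx' plugin used by letsencrypt::certonly.
  ensure_packages(['cronie'], { ensure => installed })
  ensure_packages(['certbot', 'certbot-nginx'], { ensure => installed })

  class { '::letsencrypt':
    config         => {
      email  => 'hugo@hornquist.se',
      # server => 'https://acme-staging-v02.api.letsencrypt.org/directory',
      server => 'https://acme-v02.api.letsencrypt.org/directory',
    },
    # Packages come from the ensure_packages calls above.
    manage_install => false,
  }

  letsencrypt::certonly { $certname:
    ensure             => present,
    domains            => $domains,
    manage_cron        => true,
    plugin             => 'nginx',
    additional_args    => [ '--quiet', ],
    # pre_hook_commands  => [ 'systemctl stop nginx.service', ],
    # NOTE(review): a full restart is used after renewal; a reload would also
    # pick up the renewed files without stopping the service — confirm intended.
    post_hook_commands => [ 'systemctl restart nginx.service', ],
  }

  # Catch-all default server: answers for any Host not matched by another
  # server block, on both IPv4 and IPv6.
  nginx::resource::server { 'gandalf':
    ipv6_enable          => true,
    listen_options       => 'default_server',
    ipv6_listen_options  => 'default_server',
    server_name          => [ '_' ],
    # NOTE(review): with both logs absent, requests that land on the default
    # server (unknown Host headers, scanners) leave no record on this host.
    access_log           => absent,
    error_log            => absent,
    ssl                  => true,
    ssl_cert             => "${live_dir}/fullchain.pem",
    ssl_key              => "${live_dir}/privkey.pem",
    # Plain-HTTP requests are redirected to HTTPS.
    ssl_redirect         => true,
    index_files          => [ 'index.html', ],
    www_root             => '/var/www/adrift.space',
    # The root location is declared explicitly below.
    use_default_location => false,
  }

  nginx::resource::location { '/':
    try_files   => ['$uri', '$uri/', '=404'],
    index_files => [],
    ssl         => true,
    ssl_only    => true,
    # NOTE(review): directory listing is enabled on the catch-all server, so
    # every file name under www_root is browsable — confirm intended.
    autoindex   => 'on',
    server      => 'gandalf',
  }

  nginx::resource::server { 'repo.gandalf.adrift.space':
    ipv6_enable          => true,
    ipv6_listen_options  => '',
    server_name          => [ 'repo.gandalf.adrift.space', ],
    ssl                  => true,
    ssl_cert             => "${live_dir}/fullchain.pem",
    ssl_key              => "${live_dir}/privkey.pem",
    ssl_redirect         => true,
    index_files          => [ 'index.html', ],
    www_root             => '/usr/net/repo/',
    use_default_location => true,
  }

}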