Diffstat (limited to 'puppet/templates/etc')
-rw-r--r-- | puppet/templates/etc/aliases.erb | 15 | ||||
-rw-r--r-- | puppet/templates/etc/nagios3/htpasswd.users.erb | 1 | ||||
-rw-r--r-- | puppet/templates/etc/nginx/domain.erb | 172 |
3 files changed, 188 insertions, 0 deletions
diff --git a/puppet/templates/etc/aliases.erb b/puppet/templates/etc/aliases.erb
new file mode 100644
index 0000000..f520f68
--- /dev/null
+++ b/puppet/templates/etc/aliases.erb
@@ -0,0 +1,15 @@
+# /etc/aliases
+mailer-daemon: postmaster
+postmaster: root
+nobody: root
+hostmaster: root
+usenet: root
+news: root
+webmaster: root
+www: root
+ftp: root
+abuse: root
+noc: root
+security: root
+reprepro: root
+root: <%= first_user_email %>
diff --git a/puppet/templates/etc/nagios3/htpasswd.users.erb b/puppet/templates/etc/nagios3/htpasswd.users.erb
new file mode 100644
index 0000000..c21d493
--- /dev/null
+++ b/puppet/templates/etc/nagios3/htpasswd.users.erb
@@ -0,0 +1 @@
+nagiosadmin:0FCabjvUTHvxF
diff --git a/puppet/templates/etc/nginx/domain.erb b/puppet/templates/etc/nginx/domain.erb
new file mode 100644
index 0000000..4e9fa7d
--- /dev/null
+++ b/puppet/templates/etc/nginx/domain.erb
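Review bot: `root: <%= first_user_email %>` drops the Puppet value into the aliases file unquoted and unvalidated; in sendmail-style aliases(5) the right-hand side has delivery semantics (a leading `|` means a command, a leading `/` a file), so a mistyped or malformed value changes how root's mail is delivered instead of failing. Constrain `first_user_email` to a plain mailbox address in the manifest that renders this template (a regex check before the template is evaluated), so the rendered line can only ever be an address.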
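Review bot: `nagiosadmin:0FCabjvUTHvxF` commits a fixed password hash into the template, so every node rendered from it shares the same credential and rotating it means another commit; the 13-character, no-`$`-prefix form is also traditional DES crypt(3), which only uses the first 8 characters of the password and a 12-bit salt and is cheap to attack offline. Render the line from a per-deployment parameter instead, e.g. `nagiosadmin:<%= nagiosadmin_password_hash %>` (variable name illustrative) sourced from hiera or a secret store, and generate the hash with a stronger scheme such as bcrypt (`htpasswd -B`) if the Apache version serving nagios3 supports it. The manifest that installs this file should also keep it readable only by the web server user, since the hash is the only thing protecting the Nagios UI.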
@@ -0,0 +1,172 @@
+# <%= domain %> proxy config
+
+# Set the max size for file uploads
+client_max_body_size 100M;
+
+# SNI Configuration
+server {
+ listen 443 default;
+ server_name _;
+ ssl on;
+ ssl_certificate /etc/ssl/certs/blank.crt;
+ ssl_certificate_key /etc/ssl/private/blank.pem;
+ return 403;
+}
+
+server {
+ # see config tips at
+ # http://blog.taragana.com/index.php/archive/nginx-hacking-tips/
+
+ # Don't log anything
+ access_log /dev/null;
+ error_log /dev/null;
+
+ # simple reverse-proxy
+ listen 80;
+ server_name *.<%= domain %> <%= domain %>
+
+ # enable HSTS header
+ add_header Strict-Transport-Security "max-age=15768000; includeSubdomains";
+
+ # https redirection by default
+ rewrite ^(.*) https://$host$1 redirect;
+
+ # rewrite rules for backups.<%= domain %>
+ #if ($host ~* ^backups\.<%= domain %>$) {
+ # rewrite ^(.*) https://$host$1 redirect;
+ # break;
+ #}
+
+ # rewrite rules for admin.<%= domain %>
+ #if ($host ~* ^admin\.<%= domain %>$) {
+ # rewrite ^(.*) https://$host$1 redirect;
+ # break;
+ #}
+
+ # rewrite rules for munin.<%= domain %>
+ #if ($host ~* ^munin\.<%= domain %>$) {
+ # rewrite ^(.*) https://$host$1 redirect;
+ # break;
+ #}
+
+ # rewrite rules for trac.<%= domain %>
+ #if ($host ~* ^trac\.<%= domain %>$) {
+ # rewrite ^(.*) https://$host$1 redirect;
+ # break;
+ #}
+
+ # rewrite rules for nagios.<%= domain %>
+ #if ($host ~* ^nagios\.<%= domain %>$) {
+ # rewrite ^(.*) https://$host$1 redirect;
+ # break;
+ #}
+
+ # rewrite rules for htpasswd.<%= domain %>
+ #if ($host ~* ^htpasswd\.<%= domain %>$) {
+ # rewrite ^(.*) https://$host$1 redirect;
+ # break;
+ #}
+
+ # rewrite rules for postfixadmin.<%= domain %>
+ #if ($host ~* ^postfixadmin\.<%= domain %>$) {
+ # rewrite ^(.*) https://$host$1 redirect;
+ # break;
+ #}
+
+ # rewrite rules for mail.<%= domain %>
+ #if ($host ~* ^mail\.<%= domain %>$) {
+ # rewrite ^(.*) https://$host$1 redirect;
+ # break;
+ #}
+
+ # rewrite rules for lists.<%= domain %>
+ #if ($host ~* ^lists\.<%= domain %>$) {
+ # rewrite ^(.*) https://$host$1 redirect;
+ # break;
+ #}
+
+ # pass requests for dynamic content
+ location / {
+ proxy_set_header Host $http_host;
+ proxy_pass http://weblocal:80;
+ }
+
+}
+
+server {
+ # https reverse proxy
+ listen 443;
+ server_name *.<%= domain %> <%= domain %>;
+
+ # Don't log anything
+ access_log /dev/null;
+ error_log /dev/null;
+
+ ssl on;
+ ssl_certificate /etc/ssl/certs/cert.crt;
+ ssl_certificate_key /etc/ssl/private/cert.pem;
+
+ ssl_session_timeout 5m;
+
+ ssl_protocols SSLv3 TLSv1;
+ ssl_ciphers HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH;
+ ssl_prefer_server_ciphers on;
+
+ # Set the max size for file uploads
+ client_max_body_size 100M;
+
+ location / {
+ # preserve http header and set forwarded proto
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Forwarded-Proto https;
+
+ proxy_read_timeout 120;
+ proxy_connect_timeout 120;
+
+ # rewrite rules for admin.<%= domain %>
+ if ($host ~* ^admin\.<%= domain %>$) {
+ proxy_pass http://admin:80;
+ break;
+ }
+
+ # rewrite rules for munin.<%= domain %>
+ if ($host ~* ^munin\.<%= domain %>$) {
+ proxy_pass http://admin:80;
+ break;
+ }
+
+ # rewrite rules for trac.<%= domain %>
+ if ($host ~* ^trac\.<%= domain %>$) {
+ proxy_pass http://admin:80;
+ break;
+ }
+
+ # rewrite rules for nagios.<%= domain %>
+ if ($host ~* ^nagios\.<%= domain %>$) {
+ proxy_pass http://admin:80;
+ break;
+ }
+
+ # rewrite rules for postfixadmin.<%= domain %>
+ if ($host ~* ^postfixadmin\.<%= domain %>$) {
+ proxy_pass http://mail:80;
+ break;
+ }
+
+ # rewrite rules for mail.<%= domain %>
+ if ($host ~* ^mail\.<%= domain %>$) {
+ proxy_pass http://mail:80;
+ break;
+ }
+
+ # rewrite rules for lists.<%= domain %>
+ if ($host ~* ^lists\.<%= domain %>$) {
+ proxy_pass http://mail:80;
+ break;
+ }
+
+ # default proxy pass
+ proxy_pass http://weblocal:80;
+ }
+
+}
|
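Review bot: The `server_name *.<%= domain %> <%= domain %>` line in the `listen 80` server block has no terminating semicolon, so nginx continues the directive through the following `add_header Strict-Transport-Security ...` tokens — the rendered config either fails to load or treats those tokens as extra server names, and in both cases no HSTS header is ever sent; it should read `server_name *.<%= domain %> <%= domain %>;`. Even once fixed, the `add_header` is only present in the plain-HTTP block, where browsers ignore Strict-Transport-Security per RFC 6797, so move it into the `listen 443` server block. In that TLS block `ssl_protocols SSLv3 TLSv1;` enables SSLv3 and omits TLS 1.1/1.2, and `HIGH:MEDIUM` admits ciphers such as RC4; drop SSLv3 at minimum and, where the OpenSSL build supports it, use `ssl_protocols TLSv1.2;` with a HIGH-only cipher string. Finally, `access_log /dev/null;` and `error_log /dev/null;` on the public-facing proxy discard the only request and error trail available for incident investigation — use `access_log off;` only if that is a deliberate choice, and keep `error_log` pointing at a real file.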