From 79658fbaa4f35fe4cdc44e0772a503abeb188dfb Mon Sep 17 00:00:00 2001
From: Silvio Rhatto <rhatto@riseup.net>
Date: Fri, 17 Jun 2016 15:31:45 -0300
Subject: Adds site templates

---
 manifests/init.pp        |  9 +++++----
 manifests/site/config.pp |  8 +++++---
 templates/site-ssl.erb   | 27 +++++++++++++++++++++++++++
 templates/site.erb       | 12 ++++++++++++
 4 files changed, 49 insertions(+), 7 deletions(-)
 create mode 100644 templates/site-ssl.erb
 create mode 100644 templates/site.erb

diff --git a/manifests/init.pp b/manifests/init.pp
index a17f847..d1966d8 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -21,10 +21,11 @@ class nginx inherits nginx::base {
 
   # Default site
   nginx::site { "default":
-    ensure  => present,
-    ssl     => absent,
-    source  => 'template',
-    certbot => false,
+    ensure   => present,
+    ssl      => absent,
+    source   => 'template',
+    template => 'default',
+    certbot  => false,
   }
 
   # Domain site
diff --git a/manifests/site/config.pp b/manifests/site/config.pp
index 991a70b..8e1f71b 100644
--- a/manifests/site/config.pp
+++ b/manifests/site/config.pp
@@ -1,6 +1,8 @@
 define nginx::site::config(
-  $ensure  = present,
-  $source  = 'file',
+  $ensure   = present,
+  $source   = 'file',
+  $template = 'site',
+  $backend  = 'weblocal',
 ){
   case $source {
     'file': {
@@ -16,7 +18,7 @@ define nginx::site::config(
     }
     'template': {
       file { "/etc/nginx/sites-available/$name":
-        content => template("nginx/$name.erb"),
+        content => template("nginx/${template}.erb"),
         owner   => "root",
         group   => "root",
         mode    => 0644,
diff --git a/templates/site-ssl.erb b/templates/site-ssl.erb
new file mode 100644
index 0000000..888c969
--- /dev/null
+++ b/templates/site-ssl.erb
@@ -0,0 +1,27 @@
+server {
+  listen      443 ssl http2;
+  server_name *.<%= name %> <%= name %>;
+
+  ssl on;
+  ssl_certificate     /etc/letsencrypt/live/<%= name %>/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/<%= name %>/privkey.pem;
+
+  ssl_session_timeout 5m;
+
+  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+  ssl_ciphers ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA;
+  ssl_prefer_server_ciphers on;
+  ssl_dhparam /etc/ssl/dhparams/dhparams_2048.pem;
+
+  # enable HSTS header
+  add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
+
+  location / {
+    # preserve http header and set forwarded proto
+    proxy_set_header Host $http_host;
+    proxy_set_header X-Forwarded-Proto https;
+
+    # default proxy pass
+    proxy_pass       http://<%= backend %>:80;
+  }
+}
diff --git a/templates/site.erb b/templates/site.erb
new file mode 100644
index 0000000..15d1600
--- /dev/null
+++ b/templates/site.erb
@@ -0,0 +1,12 @@
+server {
+  listen       80;
+  server_name  *.<%= name %> <%= name %>;
+
+  location /.well-known/acme-challenge {
+    root /var/spool/certbot/<%= name %>;
+  }
+
+  location / {
+    return 301 https://$host$request_uri;
+  }
+}
-- 
cgit v1.2.3