From 79658fbaa4f35fe4cdc44e0772a503abeb188dfb Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Fri, 17 Jun 2016 15:31:45 -0300 Subject: Adds site templates --- manifests/init.pp | 9 +++++---- manifests/site/config.pp | 8 +++++--- templates/site-ssl.erb | 27 +++++++++++++++++++++++++++ templates/site.erb | 12 ++++++++++++ 4 files changed, 49 insertions(+), 7 deletions(-) create mode 100644 templates/site-ssl.erb create mode 100644 templates/site.erb diff --git a/manifests/init.pp b/manifests/init.pp index a17f847..d1966d8 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -21,10 +21,11 @@ class nginx inherits nginx::base { # Default site nginx::site { "default": - ensure => present, - ssl => absent, - source => 'template', - certbot => false, + ensure => present, + ssl => absent, + source => 'template', + template => 'default', + certbot => false, } # Domain site diff --git a/manifests/site/config.pp b/manifests/site/config.pp index 991a70b..8e1f71b 100644 --- a/manifests/site/config.pp +++ b/manifests/site/config.pp @@ -1,6 +1,8 @@ define nginx::site::config( - $ensure = present, - $source = 'file', + $ensure = present, + $source = 'file', + $template = 'site', + $backend = 'weblocal', ){ case $source { 'file': { @@ -16,7 +18,7 @@ define nginx::site::config( } 'template': { file { "/etc/nginx/sites-available/$name": - content => template("nginx/$name.erb"), + content => template("nginx/${template}.erb"), owner => "root", group => "root", mode => 0644, diff --git a/templates/site-ssl.erb b/templates/site-ssl.erb new file mode 100644 index 0000000..888c969 --- /dev/null +++ b/templates/site-ssl.erb @@ -0,0 +1,27 @@ +server { + listen 443 ssl http2; + server_name *.<%= name %> <%= name %>; + + ssl on; + ssl_certificate /etc/letsencrypt/live/<%= name %>/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/<%= name %>/privkey.pem; + + ssl_session_timeout 5m; + + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA; + ssl_prefer_server_ciphers on; + ssl_dhparam /etc/ssl/dhparams/dhparams_2048.pem; + + # enable HSTS header + add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload"; + + location / { + # preserve http header and set forwarded proto + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-Proto https; + + # default proxy pass + proxy_pass http://<%= backend %>:80; + } +} diff --git a/templates/site.erb b/templates/site.erb new file mode 100644 index 0000000..15d1600 --- /dev/null +++ b/templates/site.erb @@ -0,0 +1,12 @@ +server { + listen 80; + server_name *.<%= name %> <%= name %>; + + location /.well-known/acme-challenge { + root /var/spool/certbot/<%= name %>; + } + + location / { + return 301 https://$host$request_uri; + } +} -- cgit v1.2.3