1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
|
class nginx::ssl(
$session_timeout = '5m'
) {
include ssl
# See https://weakdh.org/
ssl::dhparams { 'nginx-2048':
notify => Service['nginx'],
}
nginx::config {
# SSL
'ssl_session_timeout': value => "ssl_session_timeout ${session_timeout};";
'ssl_protocols': value => 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2;';
'ssl_ciphers': value => 'ssl_ciphers ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA;';
'ssl_prefer_server_ciphers': value => 'ssl_prefer_server_ciphers on;';
'ssl_dhparam': value => 'ssl_dhparam /etc/ssl/dhparams/dhparams_2048.pem;';
}
# Certbot support
file { '/var/www/certbot':
ensure => directory,
owner => 'root',
group => 'www-data',
mode => '0750',
require => Package['nginx'],
}
package { 'certbot':
ensure => present,
require => File['/var/www/certbot'],
}
cron { 'certbot-renew':
command => 'certbot renew --standalone --pre-hook "service nginx stop" --post-hook "service nginx start"',
user => 'root',
weekday => 1,
hour => "05",
minute => "30",
ensure => present,
require => Package['certbot'],
}
}
|