cdist/cdist/conf/type/__letsencrypt_acmetiny_base/manifest


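# Arguments
# ACME_DOMAIN: host that challenge requests are redirected to when the
# challenge file is not found locally (used by the acme-challenge.conf
# snippet below). Optional parameter; falls back to the target host.
# The parameter file only exists when --acme_domain was given, so test for
# it instead of letting `cat` fail and masking the error with `|| true`.
ACME_DOMAIN=""
if [ -f "${__object}/parameter/acme_domain" ]; then
  ACME_DOMAIN="$(cat "${__object}/parameter/acme_domain")"
fi
if [ -z "${ACME_DOMAIN}" ]; then
  ACME_DOMAIN="${__target_host}"
fi
# The value is written verbatim into generated nginx configuration; reject
# anything outside plain hostname syntax so a stray character cannot break
# or alter that configuration.
case "${ACME_DOMAIN}" in
  *[!A-Za-z0-9.-]*)
    printf 'invalid --acme_domain %s: expected a plain hostname\n' "${ACME_DOMAIN}" >&2
    exit 1
    ;;
esac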
# Install needed stuffz
## TODO: consider not depending on nginx? It is... practical though.
## TODO: Maybe just move this out to a special type?
__package "nginx"
# nginx config root (presumably a FreeBSD ports/pkg layout); every nginx path
# below is derived from it.
NGINX_ETC="/usr/local/etc/nginx"
# Setup the acme-challenge snippet
# Shared location block that vhosts pull in with `include snippets/...`:
# it serves /.well-known/acme-challenge/ from the vhost root, then from the
# global ACME root, and finally redirects to ${ACME_DOMAIN} once (the
# ?redirect=yes marker stops loops) so one host can answer for several.
# The heredoc is deliberately unquoted: `${ACME_DOMAIN}` is expanded by the
# shell, while nginx variables are written as `\$uri`, `\$scheme`, etc.
# NOTE(review): ACME_DOMAIN is inserted into the config verbatim; it comes
# from the type parameter (or __target_host) and is not validated here.
require="__package/nginx" __directory "${NGINX_ETC}/snippets" --state present
require="__directory${NGINX_ETC}/snippets" __file "${NGINX_ETC}/snippets/acme-challenge.conf" \
--mode 644 \
--source - << EOF
# This file is managed remotely, all changes will be lost
# This was heavily inspired by debops.org.
# Automatic Certificate Management Environment (ACME) support.
# https://tools.ietf.org/html/draft-ietf-acme-acme-01
# https://en.wikipedia.org/wiki/Automated_Certificate_Management_Environment
# Return the ACME challenge present in the server public root.
# If not found, switch to global web server root.
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
try_files \$uri @well-known-acme-challenge;
}
# Return the ACME challenge present in the global server public root.
# If not present, redirect request to a specified domain.
location @well-known-acme-challenge {
root /srv/www/sites/acme/public;
default_type "text/plain";
try_files \$uri @redirect-acme-challenge;
}
# Redirect the ACME challenge to a different host. If a redirect loop is
# detected, return 404.
location @redirect-acme-challenge {
if (\$arg_redirect) {
return 404;
}
return 307 \$scheme://${ACME_DOMAIN}\$request_uri?redirect=yes;
}
# Return 404 if ACME challenge well known path is accessed directly.
location = /.well-known/acme-challenge/ {
return 404;
}
EOF
# Main nginx.conf is replaced wholesale (any stock config is overwritten).
# Vhosts are picked up from sites-enabled/*.conf via the include at the end;
# `${NGINX_ETC}` inside the heredoc is expanded by the shell.
# Hardening present here: server_tokens off (no version in headers/errors).
# NOTE(review): gzip is enabled globally; if TLS vhosts that reflect
# per-user secrets are later dropped into sites-enabled, revisit compression
# for those responses. Log paths under /var/log/nginx are assumed to exist
# (presumably created by the package) — confirm.
require="__package/nginx" __directory "${NGINX_ETC}/sites-enabled" --state present
require="__directory${NGINX_ETC}/sites-enabled" __file "${NGINX_ETC}/nginx.conf" \
--mode 644 \
--source - << EOF
# This file is managed remotely, all changes will be lost
worker_processes 1;
# This default error log path is compiled-in to make sure configuration parsing
# errors are logged somewhere, especially during unattended boot when stderr
# isn't normally logged anywhere. This path will be touched on every nginx
# start regardless of error log location configured here. See
# https://trac.nginx.org/nginx/ticket/147 for more info.
#
#error_log /var/log/nginx/error.log;
#
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
server_tokens off;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
types_hash_max_size 2048;
gzip on;
gzip_disable "msie6";
gzip_comp_level 5;
gzip_min_length 256;
gzip_proxied any;
gzip_vary on;
gzip_types
application/atom+xml
application/javascript
application/json
application/ld+json
application/manifest+json
application/rss+xml
application/vnd.geo+json
application/vnd.ms-fontobject
application/x-font-ttf
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype
image/bmp
image/svg+xml
image/x-icon
text/cache-manifest
text/css
text/plain
text/vcard
text/vnd.rim.location.xloc
text/vtt
text/x-component
text/x-cross-domain-policy;
# Logging
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
#add_header X-Clacks-Overhead "GNU Terry Pratchett";
# Virtual Hosts Configs
include ${NGINX_ETC}/sites-enabled/*.conf;
}
EOF
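# Minimal vhost on port 80: serves ACME challenges through the snippet and
# sends everything else to HTTPS.
# Inside the unquoted heredoc, `$host` and `$request_uri` are nginx variables
# and must be written as `\$host` / `\$request_uri` (as the other snippets
# do); unescaped, the shell expands them to empty strings and nginx ends up
# with `return 301 https://;`.
# NOTE(review): `\$host` echoes the client's Host header into the Location
# header; if this vhost acts as the default server on :80 that is an open
# redirect — consider `\$server_name` or a fixed hostname. Also,
# `listen [::]:80` only accepts IPv4 where the OS maps v4 onto v6 sockets
# (not the FreeBSD default) — confirm a separate `listen 80;` is not needed.
require="__directory${NGINX_ETC}/sites-enabled" __file "${NGINX_ETC}/sites-enabled/welcome.conf" \
  --mode 644 \
  --source - << EOF
# This file is managed remotely, all changes will be lost
# nginx server configuration for:
# - https://welcome/
server {
  listen [::]:80;
  server_name welcome;
  root /srv/www/sites/welcome/public;
  include snippets/acme-challenge.conf;
  location / {
    return 301 https://\$host\$request_uri;
  }
}
EOF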
## TODO: this is kinda bad, don't restart every time.
## Otherwise this isn't idempotent.
# `onerestart` is the rc(8) action that restarts regardless of the rc.conf
# enable flag, so the freshly written config is picked up on every run.
# Ordering: requires only the package, not the files above, so a config
# error would surface as a failed restart rather than being prevented.
require="__package/nginx" __service nginx --action onerestart
# Enable the service at boot (presumably via rc.conf — confirm the
# __start_on_boot implementation for this OS).
require="__package/nginx" __start_on_boot nginx
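__package "acme-tiny"
# Create acme-tiny user and secure home dir
# Dedicated unprivileged system account; its home is 0750 and owned by it so
# whatever the client stores there (presumably the ACME account key) is not
# readable by other users. Paths are quoted so the directory order in
# require= and the __user argument stay in sync even if the value changes.
ACME_TINY_HOME="/var/acme-tiny"
require="__package/acme-tiny" __user acme-tiny \
  --system \
  --home "${ACME_TINY_HOME}" \
  --comment "acme-tiny client"
require="__user/acme-tiny" __directory "${ACME_TINY_HOME}" \
  --state present \
  --mode 0750 \
  --owner acme-tiny --group acme-tiny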
# Create ACME challenge dirs to be served by nginx
# Layout: <public>/.well-known/acme-challenge, matching the `root` in the
# acme-challenge.conf snippet. Ownership is acme-tiny:www so the client can
# write challenge files and the web server (presumably running as group
# `www`) can read them; group has no write access.
ACME_PUBLIC_DIR="/srv/www/sites/acme/public"
ACME_WELLKNOWN_DIR="${ACME_PUBLIC_DIR}/.well-known"
ACME_CHALLENGE_DIR="${ACME_WELLKNOWN_DIR}/acme-challenge"
# Top level is created with --parents (intermediate /srv/www/sites dirs get
# default ownership) and mode 2750: the setgid bit makes new entries inherit
# the `www` group, which is what lets nginx read freshly written challenges.
__directory "${ACME_PUBLIC_DIR}" \
--parents \
--state present \
--owner acme-tiny --group www \
--mode 2750 # TODO: check whether this does require gid?
# Explicit chain of requires so the subdirectories are created in order.
require="__directory${ACME_PUBLIC_DIR}" __directory "${ACME_WELLKNOWN_DIR}" \
--state present \
--owner acme-tiny --group www \
--mode 0750
require="__directory${ACME_WELLKNOWN_DIR}" __directory "${ACME_CHALLENGE_DIR}" \
--state present \
--owner acme-tiny --group www \
--mode 0750
__package doas
# doas rule so root can run the client as the unprivileged acme-tiny user
# without a password. Direction matters: `permit ... root as acme-tiny`
# grants root -> acme-tiny only; it gives acme-tiny no extra rights.
DOAS_CONF="/usr/local/etc/doas.conf"
# Ensure the file exists with restrictive mode before editing it in place.
require="__package/doas" __file "${DOAS_CONF}" --mode 0640
# __line is idempotent: the regex matches an existing rule for this pair
# (in any form) so the line is only appended when absent.
require="__file${DOAS_CONF}" __line "${DOAS_CONF}" \
--regex 'root as acme-tiny' \
--line 'permit nopass root as acme-tiny'