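# cdist-style type manifest: installs nginx to answer ACME HTTP-01 challenges
# (served from a dedicated public directory or redirected to ACME_DOMAIN),
# creates the acme-tiny client user, and lets root switch to it via doas.
# Object names in require= follow the "<type><object_id>" convention used
# throughout this file, e.g. __file${DOAS_CONF}.

# Arguments
#
# acme_domain: host that challenge requests are redirected to when the
# challenge file is not present locally (see @redirect-acme-challenge in the
# snippet below).  Empty or missing parameter falls back to the target host.
ACME_DOMAIN="$(cat "${__object}/parameter/acme_domain" || true)"

if [ -z "${ACME_DOMAIN}" ]; then
    ACME_DOMAIN="${__target_host}"
fi


# Install needed stuffz

## TODO: consider not depending on nginx? It is... practical though.
## TODO: Maybe just move this out to a special type?
__package "nginx"

NGINX_ETC="/usr/local/etc/nginx"

# Setup the acme-challenge snippet
#
# ACME_DOMAIN is interpolated into the generated config below; it is trusted
# operator input (a type parameter), not request data.
require="__package/nginx" __directory "${NGINX_ETC}/snippets" --state present
require="__directory${NGINX_ETC}/snippets" __file "${NGINX_ETC}/snippets/acme-challenge.conf" \
    --mode 644 \
    --source - << EOF
# This file is managed remotely, all changes will be lost

# This was heavily inspired by debops.org.

# Automatic Certificate Management Environment (ACME) support.
# https://tools.ietf.org/html/draft-ietf-acme-acme-01
# https://en.wikipedia.org/wiki/Automated_Certificate_Management_Environment


# Return the ACME challenge present in the server public root.
# If not found, switch to global web server root.
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
try_files \$uri @well-known-acme-challenge;
}

# Return the ACME challenge present in the global server public root.
# If not present, redirect request to a specified domain.
location @well-known-acme-challenge {
root /srv/www/sites/acme/public;
default_type "text/plain";
try_files \$uri @redirect-acme-challenge;
}

# Redirect the ACME challenge to a different host. If a redirect loop is
# detected, return 404.
location @redirect-acme-challenge {
if (\$arg_redirect) {
return 404;
}
return 307 \$scheme://${ACME_DOMAIN}\$request_uri?redirect=yes;
}

# Return 404 if ACME challenge well known path is accessed directly.
location = /.well-known/acme-challenge/ {
return 404;
}
EOF

# Main nginx.conf: plain HTTP only, server_tokens off, vhosts pulled in from
# sites-enabled/*.conf.
require="__package/nginx" __directory "${NGINX_ETC}/sites-enabled" --state present
require="__directory${NGINX_ETC}/sites-enabled" __file "${NGINX_ETC}/nginx.conf" \
    --mode 644 \
    --source - << EOF
# This file is managed remotely, all changes will be lost

worker_processes 1;

# This default error log path is compiled-in to make sure configuration parsing
# errors are logged somewhere, especially during unattended boot when stderr
# isn't normally logged anywhere. This path will be touched on every nginx
# start regardless of error log location configured here. See
# https://trac.nginx.org/nginx/ticket/147 for more info.
#
#error_log /var/log/nginx/error.log;
#

#pid logs/nginx.pid;


events {
worker_connections 1024;
}


http {

include mime.types;
default_type application/octet-stream;

server_tokens off;

ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
types_hash_max_size 2048;
gzip on;
gzip_disable "msie6";
gzip_comp_level 5;
gzip_min_length 256;
gzip_proxied any;
gzip_vary on;
gzip_types
application/atom+xml
application/javascript
application/json
application/ld+json
application/manifest+json
application/rss+xml
application/vnd.geo+json
application/vnd.ms-fontobject
application/x-font-ttf
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype
image/bmp
image/svg+xml
image/x-icon
text/cache-manifest
text/css
text/plain
text/vcard
text/vnd.rim.location.xloc
text/vtt
text/x-component
text/x-cross-domain-policy;

# Logging
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;

#add_header X-Clacks-Overhead "GNU Terry Pratchett";

# Virtual Hosts Configs
include ${NGINX_ETC}/sites-enabled/*.conf;
}
EOF

# Default vhost: includes the challenge snippet and sends everything else to
# HTTPS.
# NOTE(review): "listen [::]:80;" binds IPv6 only (nginx defaults to
# ipv6only=on for [::] listeners), so an IPv4-only validator cannot reach the
# challenge path through this server block — confirm an IPv4 listener exists
# elsewhere or add "listen 80;" alongside it.
require="__directory${NGINX_ETC}/sites-enabled" __file "${NGINX_ETC}/sites-enabled/welcome.conf" \
    --mode 644 \
    --source - << EOF
# This file is managed remotely, all changes will be lost

# nginx server configuration for:
# - https://welcome/

server {

listen [::]:80;

server_name welcome;

root /srv/www/sites/welcome/public;

include snippets/acme-challenge.conf;

location / {
return 301 https://\$host\$request_uri;
}
}
EOF

## TODO: this is kinda bad, don't restart every time.
## Otherwise this isn't idempotent.
# The restart must be ordered after every config file written above: with
# only __package/nginx as a requirement it may run before the files exist and
# nginx would keep serving the previous configuration until the next run.
require="__package/nginx __file${NGINX_ETC}/nginx.conf __file${NGINX_ETC}/snippets/acme-challenge.conf __file${NGINX_ETC}/sites-enabled/welcome.conf" \
    __service nginx --action onerestart
require="__package/nginx" __start_on_boot nginx


__package "acme-tiny"

# Create acme-tiny user and secure home dir (0750, owned by the client user so
# account keys stored there are not world-readable)
ACME_TINY_HOME="/var/acme-tiny"
require="__package/acme-tiny" __user acme-tiny --system --home "${ACME_TINY_HOME}" --comment "acme-tiny client"
require="__user/acme-tiny" __directory "${ACME_TINY_HOME}" --state present --mode 0750 --owner acme-tiny --group acme-tiny

# Create ACME challenge dirs to be served by nginx
# ACME_PUBLIC_DIR must match the "root" of @well-known-acme-challenge in the
# snippet above.  Group www gets read/traverse only; acme-tiny is the sole
# writer.  NOTE(review): assumes nginx workers run as group www — confirm.
ACME_PUBLIC_DIR="/srv/www/sites/acme/public"
ACME_WELLKNOWN_DIR="${ACME_PUBLIC_DIR}/.well-known"
ACME_CHALLENGE_DIR="${ACME_WELLKNOWN_DIR}/acme-challenge"
# 2750 = 0750 plus the setgid bit, so entries created below inherit group www.
# TODO: check whether this does require gid?
__directory "${ACME_PUBLIC_DIR}" \
    --parents \
    --state present \
    --owner acme-tiny --group www \
    --mode 2750
require="__directory${ACME_PUBLIC_DIR}" __directory "${ACME_WELLKNOWN_DIR}" \
    --state present \
    --owner acme-tiny --group www \
    --mode 0750
require="__directory${ACME_WELLKNOWN_DIR}" __directory "${ACME_CHALLENGE_DIR}" \
    --state present \
    --owner acme-tiny --group www \
    --mode 0750

# Let root switch to the unprivileged acme-tiny user without a password.
# The --regex is unanchored: any existing line containing "root as acme-tiny"
# is treated as the managed line, so a pre-existing "deny" rule with the same
# wording would be picked up rather than a new permit line added.
__package doas
DOAS_CONF="/usr/local/etc/doas.conf"
require="__package/doas" __file "${DOAS_CONF}" --mode 0640
require="__file${DOAS_CONF}" __line "${DOAS_CONF}" \
    --regex 'root as acme-tiny' \
    --line 'permit nopass root as acme-tiny'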