Unbrand nginx types from e-Durable

type/__nginx/man.rst

@@ -0,0 +1,41 @@
+cdist-type__nginx(7)
+===================================
+
+NAME
+----
+cdist-type__nginx - Serve web content with NGINX
+
+
+DESCRIPTION
+-----------
+Leverages `__nginx_vhost` to serve web content.
+
+REQUIRED PARAMETERS
+-------------------
+domain
+  Domain name to be served.
+
+OPTIONAL PARAMETERS
+-------------------
+config
+  Custom NGINX logic, templated within a standard `server` section with
+  `server_name` and TLS parameters set. Defaults to simple static hosting.
+
+altdomains
+  Alternative domain names for this vhost and related TLS certificate.
+
+uacme-hookscript
+  Custom hook passed to the __uacme_obtain type: useful to integrate the
+  dns-01 challenge with third-party DNS providers.
+
+AUTHORS
+-------
+Timothée Floure <timothee.floure@posteo.net>
+Joachim Desroches <joachim.desroches@epfl.ch>
+
+COPYING
+-------
+Copyright \(C) 2020 Joachim Desroches. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.

type/__nginx/manifest

@@ -0,0 +1,76 @@
+#!/bin/sh
+
+os="$(cat "${__global:?}"/explorer/os)"
+case "$os" in
+	alpine)
+		nginx_user=nginx
+		nginx_certdir=/etc/nginx/ssl
+		;;
+	debian|ubuntu)
+		nginx_user=www-data
+		nginx_certdir=/etc/nginx/ssl
+		;;
+	*)
+		echo "This type does not support $os yet. Aborting." >&2;
+		exit 1;
+		;;
+esac
+
+if [ -f "${__object:?}/parameter/domain" ];
+then
+	domain="$(cat "${__object:?}/parameter/domain")"
+else
+	domain="${__object_id:?}"
+fi
+
+altdomains=
+if [ -f "${__object:?}/parameter/altdomains" ];
+then
+	altdomains="$(cat "${__object:?}/parameter/altdomains")"
+fi
+
+set_custom_uacme_hookscript=
+if [ -f "${__object:?}/parameter/uacme-hookscript" ];
+then
+	uacme_hookscript="$(cat "${__object:?}/parameter/uacme-hookscript")"
+	set_custom_uacme_hookscript="--hookscript $uacme_hookscript"
+fi
+
+# Deploy simple HTTP vhost, allowing to serve ACME challenges.
+__nginx_vhost "301-to-https-$domain" \
+	--domain "$domain" --altdomains "$altdomains" --to-https
+
+# Obtaining TLS cert.
+cert_ownership=$nginx_user
+if [ -f "${__object:?}/parameter/force-cert-ownership-to" ]; then
+	cert_ownership=$(cat "${__object:?}/parameter/force-cert-ownership-to")
+fi
+
+__uacme_account
+# shellcheck disable=SC2086
+require="__nginx_vhost/301-to-https-$domain __uacme_account" \
+	__uacme_obtain "$domain" \
+		--altdomains "$altdomains" \
+		$set_custom_uacme_hookscript \
+		--owner "$cert_ownership" \
+		--install-key-to "$nginx_certdir/$domain/privkey.pem" \
+		--install-cert-to "/$nginx_certdir/$domain/fullchain.pem" \
+		--renew-hook "service nginx reload"
+
+# Deploy HTTPS nginx vhost.
+if [ -f "${__object:?}/parameter/config" ]; then
+	if [ "$(cat "${__object:?}/parameter/config")" = "-" ]; then
+		nginx_logic="${__object:?}/stdin"
+	else
+		nginx_logic="${__object:?}/parameter/config"
+	fi
+
+	mkdir -p "${__object:?}/files"
+	cat "$nginx_logic" > "${__object:?}/files/config"
+
+	require="__uacme_obtain/$domain" __nginx_vhost "$domain" \
+		--altdomains "$altdomains" --config "${__object:?}/files/config"
+else
+	require="__uacme_obtain/$domain" __nginx_vhost "$domain" \
+		--altdomains "$altdomains"
+fi

type/__nginx/parameter/default/http-port

@@ -0,0 +1 @@
+80

type/__nginx/parameter/default/https-port

@@ -0,0 +1 @@
+443

type/__nginx/parameter/optional

@@ -0,0 +1,5 @@
+config
+domain
+altdomains
+uacme-hookscript
+force-cert-ownership-to