- improve cdist type

- support for basic Nginx config under Centos and Debian - improve security feature under Nginx - support for Let's Encrypt - support for SSL
2017-07-12 23:25:32 +02:00 · 2017-07-12 23:25:32 +02:00 · 487fbcf8ea
parent 9e94ba36df
commit 487fbcf8ea
13 changed files with 239 additions and 5 deletions
--- a/files/base_config/centos.conf
+++ b/files/base_config/centos.conf
@ -0,0 +1,44 @@
+# For more information on configuration, see:
+#   * Official English Documentation: http://nginx.org/en/docs/
+#   * Official Russian Documentation: http://nginx.org/ru/docs/
+
+user  nginx;
+worker_processes  1;
+
+error_log  /var/log/nginx/error.log;
+#error_log  /var/log/nginx/error.log  notice;
+#error_log  /var/log/nginx/error.log  info;
+
+pid        /run/nginx.pid;
+
+
+events {
+    worker_connections  1024;
+}
+
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile        on;
+    #tcp_nopush     on;
+
+    #keepalive_timeout  0;
+    keepalive_timeout  65;
+
+    #gzip  on;
+
+    index   index.html index.htm;
+
+    # Load modular configuration files from the /etc/nginx/conf.d directory.
+    # See http://nginx.org/en/docs/ngx_core_module.html#include
+    # for more information.
+    include /etc/nginx/conf.d/*.conf;
+}
--- a/files/base_config/debian.conf
+++ b/files/base_config/debian.conf
@ -0,0 +1,50 @@
+user www-data;
+worker_processes  1;
+
+error_log  /var/log/nginx/error.log;
+pid        /var/run/nginx.pid;
+
+events {
+    worker_connections  1024;
+    # multi_accept on;
+}
+
+http {
+    include       /etc/nginx/mime.types;
+
+    access_log	/var/log/nginx/access.log;
+
+    sendfile        on;
+    #tcp_nopush     on;
+
+    #keepalive_timeout  0;
+    keepalive_timeout  65;
+    tcp_nodelay        on;
+
+    gzip  on;
+    gzip_disable "MSIE [1-6]\.(?!.*SV1)";
+
+    include /etc/nginx/conf.d/*.conf;
+    include /etc/nginx/sites-enabled/*;
+}
+
+# mail {
+#     # See sample authentication script at:
+#     # http://wiki.nginx.org/NginxImapAuthenticateWithApachePhpScript
+# 
+#     # auth_http localhost/auth.php;
+#     # pop3_capabilities "TOP" "USER";
+#     # imap_capabilities "IMAP4rev1" "UIDPLUS";
+# 
+#     server {
+#         listen     localhost:110;
+#         protocol   pop3;
+#         proxy      on;
+#     }
+# 
+#     server {
+#         listen     localhost:143;
+#         protocol   imap;
+#         proxy      on;
+#     }
+# }
--- a/files/nginx-footer
+++ b/files/nginx-footer
@ -0,0 +1 @@
+}
--- a/files/nginx-header
+++ b/files/nginx-header
@ -0,0 +1,3 @@
+#
+# cdist maintained configuration - do not overwrite
+#
--- a/files/nginx-header-generic
+++ b/files/nginx-header-generic
@ -0,0 +1,12 @@
+    # Compress everything [tm]
+    gzip on;
+    gzip_static on;
+    gzip_proxied any;
+
+    # Not for silly ie
+    gzip_disable  "MSIE [1-6]\.";
+    gzip_http_version 1.0;
+    gzip_types text/plain text/xml text/css
+               text/comma-separated-values
+               text/javascript application/x-javascript
+               application/atom+xml;
--- a/files/nginx-header-https
+++ b/files/nginx-header-https
@ -0,0 +1,6 @@
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    ssl_certificate         /etc/nginx/ssl.crt;
+    ssl_certificate_key     /etc/nginx/ssl.key;
+
--- a/files/nginx-header-https-letsencrypt
+++ b/files/nginx-header-https-letsencrypt
@ -0,0 +1,25 @@
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    ssl_certificate         /etc/nginx/ssl.crt;
+    ssl_certificate_key     /etc/nginx/ssl.key;
+    ssl_dhparam             /etc/nginx/dhparam.pem;
+
+    # OCSP 
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    ssl_trusted_certificate /etc/nginx/chain.pem;
+
+    # Chipers    
+    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
+    ssl_ciphers EECDH+AESGCM:EDH+AESGCM:EECDH:EDH:!MD5:!RC4:!LOW:!MEDIUM:!CAMELLIA:!ECDSA:!DES:!DSS:!3DES:!NULL; 
+    ssl_prefer_server_ciphers on;
+    ssl_ecdh_curve secp384r1;
+    
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+    
+    # Session resumption
+    ssl_session_timeout 10m;
+    ssl_session_cache off;
+    ssl_session_tickets on;
+    ssl_session_ticket_key /etc/nginx/nginx-ticketkey;
--- a/files/nginx-header-server_name
+++ b/files/nginx-header-server_name
--- a/13
+++ b/13
@ -24,6 +24,7 @@ db_pass=$(cat "$__object/parameter/db-pass")
 admin_user=$(cat "$__object/parameter/admin-user")
 admin_pass=$(cat "$__object/parameter/admin-pass")
 domain=$(cat "$__object/parameter/domain")
+INSTALL_STATE="$([ -d /var/www/nextcloud ] && cd /var/www/nextcloud && sudo -u www-data php occ status| grep -o true)"

 # TODO check shasum of tar ball 
 cat <<eof
@ -31,9 +32,17 @@ curl -s -L ${nextcloud_uri} -o /tmp/nextcloud.tar.bz2
 tar -C /var/www -xvjf /tmp/nextcloud.tar.bz2 
 rm -f /tmp/nextcloud.tar.bz2 
 chown -R www-data:www-data /var/www/nextcloud 
+eof
+
+if [ ! "$INSTALL_STATE" ] ; then
+#if [ "$INSTALL_STATE" == "false" ] ; then
+cat <<eof
 cd /var/www/nextcloud
 sudo -u www-data php occ maintenance:install --database \
 "pgsql" --database-name "$db_name"  --database-user "$db_user" --database-pass \
-"$db_pass" --admin-user "$admin_user" --admin-pass "$admin_pass"
-sudo -u www-data php occ config:system:set trusted_domains 2 --value="$domain" 
+$db_pass" --admin-user "$admin_user" --admin-pass "$admin_pass"
+sudo -u www-data php occ config:system:set trusted_domains 2 --value="$domain"
 eof
+
+fi
+
--- a/83
+++ b/83
@ -38,6 +38,8 @@ esac
 db_pass=$(cat "$__object/parameter/db-pass")
 db_user=$(cat "$__object/parameter/db-user")
 db_name=$(cat "$__object/parameter/db-name")
+domain="$(cat "$__object/parameter/domain")"
+dh="$(cat "$__object/parameter/dh")"



@ -67,8 +69,85 @@ require="__package/php7.0-fpm" __file /etc/php/7.0/fpm/pool.d/www.conf \


 ## Nginx
-require="__package/nginx" __file /etc/nginx/sites-enabled/nextcloud --owner www-data \
-    --group www-data --mode 755 --source "$__type/files/nextcloud.nginx"
+#require="__package/nginx" __file /etc/nginx/sites-enabled/nextcloud --owner www-data \
+#    --group www-data --mode 755 --source "$__type/files/nextcloud.nginx"
+
+################################################################################
+# create base / switch to type dir
+#
+mkdir "$__object/files"
+cd  "$__type/files"
+
+
+################################################################################
+# SSL / HTTPs configuration
+#
+if [ -f "$__object/parameter/ssl" ]; then
+    ssl_base="$__type/files/ssl"
+
+    # Select the ssl certificate + key
+    if [ -f "$__object/parameter/ssl-name" ]; then
+        ssl_name="$(cat "$__object/parameter/ssl-name")"
+    else
+        echo "Please select ssl certificate" >&2
+        exit 1
+    fi
+    
+    
+    ssl_cert="/etc/ssl/certs/${ssl_name}.crt"
+    ssl_key="/etc/ssl/private/${ssl_name}.key"
+
+    # Copy SSL certificates
+    require="__package/nginx" __link /etc/nginx/ssl.crt \
+        --source "$ssl_cert" --type symbolic
+
+    require="__package/nginx" __link /etc/nginx/ssl.key \
+        --source "$ssl_key" --type symbolic
+
+    cat nginx-header nginx-header-https nginx-header-server_name nginx-header-generic $config_file $custom_config nginx-footer > "$__object/files/nginx-https"
+
+    require="__package/nginx" __file "$nginx_https" \
+        --source "$__object/files/nginx-https"
+
+# SSL with Let's Encrypt
+# This only added LE to the configuration file. You need a LE cdist type,too.
+elif [ -f "$__object/parameter/letsencrypt" ]; then
+    ssl_base="$__type/files/letsencrypt"
+
+    if [ -f "$__object/parameter/domain" ]; then
+        domain="$(cat "$__object/parameter/domain")"
+    else
+        echo "Please add a valid domain" >&2
+        exit 1
+    fi
+    
+    # Copy SSL certificates
+    require="__package/nginx" __link /etc/nginx/ssl.crt \
+        --source /etc/letsencrypt/live/"$domain"/fullchain.pem --type symbolic
+
+    require="__package/nginx" __link /etc/nginx/ssl.key \
+        --source /etc/letsencrypt/live/"$domain"/privkey.pem --type symbolic
+
+    require="__package/nginx" __link /etc/nginx/chain.pem \
+        --source /etc/letsencrypt/live/"$domain"/cert.pem --type symbolic
+
+    cat nginx-header nginx-header-https-letsencrypt > "$__object/files/nginx-https"
+    echo "    server_name= "$domain";" >> "$__object/files/nginx-https" 
+    cat  nginx-header-generic $config_file $custom_config nginx-footer >> "$__object/files/nginx-https"
+
+    # create random 48 bit file as ticketkey    
+    head -c 48 /dev/urandom  |  __file /etc/nginx/nginx-ticketkey --source -
+
+    # create Diffie-Hellman key and store it under "$__files/pemfiles"
+
+    require="__package/nginx" __ungleich_dhparam --keysize $dh --destination "$__files/pemfiles" "$__target_host"
+    require="__ungleich_dhparam/$__target_host" __file /etc/nginx/dhparam.pem --source "$__files/pemfiles/"$__target_host"_dhparam.pem"
+
+    require=""__package/nginx" __file "$nginx_https" \
+        --owner www-data --group www-data --mode 755 \
+        --source "$__object/files/nginx-https""
+fi
+

 ## Postgres
 require="__package/postgresql" __postgres_role "${db_user}" --password "${db_pass}"\
--- a/parameter/boolean
+++ b/parameter/boolean
@ -0,0 +1,3 @@
+ssl
+custom-config-from-stdin
+letsencrypt
--- a/parameter/optional
+++ b/parameter/optional
@ -5,4 +5,4 @@ admin-user
 admin-pass
 uri
 version
-domain
+ssl-name
--- a/parameter/required
+++ b/parameter/required
@ -0,0 +1,2 @@
+dh
+domain