From 487fbcf8ea850fdedb1ea3bbf43c814b52f6d282 Mon Sep 17 00:00:00 2001
From: moep
Date: Wed, 12 Jul 2017 23:25:32 +0200
Subject: [PATCH] - improve cdist type - support for basic Nginx config under Centos and Debian - improve security feature under Nginx - support for Let's Encrypt - support for SSL
---
 files/base_config/centos.conf | 44 +++++++++++++++
 files/base_config/debian.conf | 50 +++++++++++++++++
 files/nginx-footer | 1 +
 files/nginx-header | 3 +
 files/nginx-header-generic | 12 ++++
 files/nginx-header-https | 6 ++
 files/nginx-header-https-letsencrypt | 25 +++++++++
 files/nginx-header-server_name | 0
 gencode-remote | 13 ++++-
 manifest | 83 +++++++++++++++++++++++++++-
 parameter/boolean | 3 +
 parameter/optional | 2 +-
 parameter/required | 2 +
 13 files changed, 239 insertions(+), 5 deletions(-)
 create mode 100644 files/base_config/centos.conf
 create mode 100644 files/base_config/debian.conf
 create mode 100644 files/nginx-footer
 create mode 100644 files/nginx-header
 create mode 100644 files/nginx-header-generic
 create mode 100644 files/nginx-header-https
 create mode 100644 files/nginx-header-https-letsencrypt
 create mode 100644 files/nginx-header-server_name
 create mode 100644 parameter/boolean
 create mode 100644 parameter/required
diff --git a/files/base_config/centos.conf b/files/base_config/centos.conf
new file mode 100644
index 0000000..b926731
--- /dev/null
+++ b/files/base_config/centos.conf
@@ -0,0 +1,44 @@
+# For more information on configuration, see:
+# * Official English Documentation: http://nginx.org/en/docs/
+# * Official Russian Documentation: http://nginx.org/ru/docs/
+
+user nginx;
+worker_processes 1;
+
+error_log /var/log/nginx/error.log;
+#error_log /var/log/nginx/error.log notice;
+#error_log /var/log/nginx/error.log info;
+
+pid /run/nginx.pid;
+
+
+events {
+ worker_connections 1024;
+}
+
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+ #tcp_nopush on;
+
+ #keepalive_timeout 0;
+ keepalive_timeout 65;
+
+ #gzip on;
+
+ index index.html index.htm;
+
+ # Load modular configuration files from the /etc/nginx/conf.d directory.
+ # See http://nginx.org/en/docs/ngx_core_module.html#include
+ # for more information.
+ include /etc/nginx/conf.d/*.conf;
+}
diff --git a/files/base_config/debian.conf b/files/base_config/debian.conf
new file mode 100644
index 0000000..a911806
--- /dev/null
+++ b/files/base_config/debian.conf
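Review bot: Neither base config sets `server_tokens off;`, so nginx keeps advertising its exact version in the Server header and on its error pages; add it to the `http {` block here and in the debian.conf hunk (L3) as well, since the commit's stated aim includes hardening Nginx. Both files otherwise appear to mirror the distribution defaults, so that is the only point worth raising on them.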
@@ -0,0 +1,50 @@
+user www-data;
+worker_processes 1;
+
+error_log /var/log/nginx/error.log;
+pid /var/run/nginx.pid;
+
+events {
+ worker_connections 1024;
+ # multi_accept on;
+}
+
+http {
+ include /etc/nginx/mime.types;
+
+ access_log /var/log/nginx/access.log;
+
+ sendfile on;
+ #tcp_nopush on;
+
+ #keepalive_timeout 0;
+ keepalive_timeout 65;
+ tcp_nodelay on;
+
+ gzip on;
+ gzip_disable "MSIE [1-6]\.(?!.*SV1)";
+
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*;
+}
+
+# mail {
+# # See sample authentication script at:
+# # http://wiki.nginx.org/NginxImapAuthenticateWithApachePhpScript
+#
+# # auth_http localhost/auth.php;
+# # pop3_capabilities "TOP" "USER";
+# # imap_capabilities "IMAP4rev1" "UIDPLUS";
+#
+# server {
+# listen localhost:110;
+# protocol pop3;
+# proxy on;
+# }
+#
+# server {
+# listen localhost:143;
+# protocol imap;
+# proxy on;
+# }
+# }
diff --git a/files/nginx-footer b/files/nginx-footer
new file mode 100644
index 0000000..5c34318
--- /dev/null
+++ b/files/nginx-footer
@@ -0,0 +1 @@
+}
diff --git a/files/nginx-header b/files/nginx-header
new file mode 100644
index 0000000..7dc5024
--- /dev/null
+++ b/files/nginx-header
@@ -0,0 +1,3 @@
+#
+# cdist maintained configuration - do not overwrite
+#
diff --git a/files/nginx-header-generic b/files/nginx-header-generic
new file mode 100644
index 0000000..f63030f
--- /dev/null
+++ b/files/nginx-header-generic
@@ -0,0 +1,12 @@
+ # Compress everything [tm]
+ gzip on;
+ gzip_static on;
+ gzip_proxied any;
+
+ # Not for silly ie
+ gzip_disable "MSIE [1-6]\.";
+ gzip_http_version 1.0;
+ gzip_types text/plain text/xml text/css
+ text/comma-separated-values
+ text/javascript application/x-javascript
+ application/atom+xml;
diff --git a/files/nginx-header-https b/files/nginx-header-https
new file mode 100644
index 0000000..1ae4fbc
--- /dev/null
+++ b/files/nginx-header-https
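Review bot: nginx-header-generic turns on `gzip on;` (which always covers text/html) plus the listed text and script types, and the manifest concatenates this fragment into the HTTPS server block directly after nginx-header-https, so dynamic responses are compressed over TLS; that is the configuration under which compression side channels (BREACH) become relevant wherever a response reflects attacker-controlled input alongside a secret such as a CSRF token. For the HTTPS block, restrict `gzip_types` to static asset types or rely on `gzip_static on;` (precompressed files only), and record that choice in a one-line comment above `gzip on;`. The `gzip_disable "MSIE [1-6]\.";` here also re-states the `gzip_disable` already set in debian.conf's http block with a different pattern, which is worth reconciling.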
@@ -0,0 +1,6 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ ssl_certificate /etc/nginx/ssl.crt;
+ ssl_certificate_key /etc/nginx/ssl.key;
+
diff --git a/files/nginx-header-https-letsencrypt b/files/nginx-header-https-letsencrypt
new file mode 100644
index 0000000..20bc934
--- /dev/null
+++ b/files/nginx-header-https-letsencrypt
@@ -0,0 +1,25 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ ssl_certificate /etc/nginx/ssl.crt;
+ ssl_certificate_key /etc/nginx/ssl.key;
+ ssl_dhparam /etc/nginx/dhparam.pem;
+
+ # OCSP
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ssl_trusted_certificate /etc/nginx/chain.pem;
+
+ # Chipers
+ ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
+ ssl_ciphers EECDH+AESGCM:EDH+AESGCM:EECDH:EDH:!MD5:!RC4:!LOW:!MEDIUM:!CAMELLIA:!ECDSA:!DES:!DSS:!3DES:!NULL;
+ ssl_prefer_server_ciphers on;
+ ssl_ecdh_curve secp384r1;
+
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+
+ # Session resumption
+ ssl_session_timeout 10m;
+ ssl_session_cache off;
+ ssl_session_tickets on;
+ ssl_session_ticket_key /etc/nginx/nginx-ticketkey;
diff --git a/files/nginx-header-server_name b/files/nginx-header-server_name
new file mode 100644
index 0000000..e69de29
diff --git a/gencode-remote b/gencode-remote
index 3bcf822..6665c34 100755
--- a/gencode-remote
+++ b/gencode-remote
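Review bot: nginx-header-https sets only `ssl_certificate` and `ssl_certificate_key`, so the `--ssl` path runs on nginx's built-in protocol and cipher defaults with no HSTS, no OCSP stapling and no dhparam, while the Let's Encrypt header in the same commit pins all of those; the hardening should not depend on which certificate source was chosen. Move the protocol/cipher/HSTS lines into a fragment shared by both headers, or at least add `ssl_protocols TLSv1.2;` and `ssl_prefer_server_ciphers on;` here. The `server {` opened on the first line is closed by nginx-footer, not in this file.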
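Review bot: `ssl_protocols TLSv1.2 TLSv1.1 TLSv1;` in nginx-header-https-letsencrypt leaves TLS 1.0 and 1.1 enabled, which sits oddly beside an AEAD-first cipher list and an HSTS header carrying `preload`; for a new deployment `ssl_protocols TLSv1.2;` is the defensible default, and the `# Chipers` comment above it should read `# Ciphers`. The session-resumption block pairs `ssl_session_cache off;` with `ssl_session_timeout 10m;` (nothing for the timeout to govern) and keeps `ssl_session_tickets on;` with a static key file at `/etc/nginx/nginx-ticketkey`; a ticket key that is never rotated undermines forward secrecy for every session resumed under it, so either document the rotation schedule or use `ssl_session_tickets off;` with `ssl_session_cache shared:SSL:10m;`. `ssl_ecdh_curve secp384r1;` pins key exchange to a single curve and fails the handshake for any client that does not offer P-384; a list such as `ssl_ecdh_curve X25519:secp384r1:prime256v1;` (where the OpenSSL build supports X25519) keeps the security level without that cost. The `server {` opened here is closed by nginx-footer, not in this file.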
@@ -24,6 +24,7 @@ db_pass=$(cat "$__object/parameter/db-pass")
 admin_user=$(cat "$__object/parameter/admin-user")
 admin_pass=$(cat "$__object/parameter/admin-pass")
 domain=$(cat "$__object/parameter/domain")
+INSTALL_STATE="$([ -d /var/www/nextcloud ] && cd /var/www/nextcloud && sudo -u www-data php occ status| grep -o true)"
 # TODO check shasum of tar ball
 cat <&2
+ exit 1
+ fi
+
+
+ ssl_cert="/etc/ssl/certs/${ssl_name}.crt"
+ ssl_key="/etc/ssl/private/${ssl_name}.key"
+
+ # Copy SSL certificates
+ require="__package/nginx" __link /etc/nginx/ssl.crt \
+ --source "$ssl_cert" --type symbolic
+
+ require="__package/nginx" __link /etc/nginx/ssl.key \
+ --source "$ssl_key" --type symbolic
+
+ cat nginx-header nginx-header-https nginx-header-server_name nginx-header-generic $config_file $custom_config nginx-footer > "$__object/files/nginx-https"
+
+ require="__package/nginx" __file "$nginx_https" \
+ --source "$__object/files/nginx-https"
+
+# SSL with Let's Encrypt
+# This only added LE to the configuration file. You need a LE cdist type,too.
+elif [ -f "$__object/parameter/letsencrypt" ]; then
+ ssl_base="$__type/files/letsencrypt"
+
+ if [ -f "$__object/parameter/domain" ]; then
+ domain="$(cat "$__object/parameter/domain")"
+ else
+ echo "Please add a valid domain" >&2
+ exit 1
+ fi
+
+ # Copy SSL certificates
+ require="__package/nginx" __link /etc/nginx/ssl.crt \
+ --source /etc/letsencrypt/live/"$domain"/fullchain.pem --type symbolic
+
+ require="__package/nginx" __link /etc/nginx/ssl.key \
+ --source /etc/letsencrypt/live/"$domain"/privkey.pem --type symbolic
+
+ require="__package/nginx" __link /etc/nginx/chain.pem \
+ --source /etc/letsencrypt/live/"$domain"/cert.pem --type symbolic
+
+ cat nginx-header nginx-header-https-letsencrypt > "$__object/files/nginx-https"
+ echo " server_name= "$domain";" >> "$__object/files/nginx-https"
+ cat nginx-header-generic $config_file $custom_config nginx-footer >> "$__object/files/nginx-https"
+
+ # create random 48 bit file as ticketkey
+ head -c 48 /dev/urandom | __file /etc/nginx/nginx-ticketkey --source -
+
+ # create Diffie-Hellman key and store it under "$__files/pemfiles"
+
+ require="__package/nginx" __ungleich_dhparam --keysize $dh --destination "$__files/pemfiles" "$__target_host"
+ require="__ungleich_dhparam/$__target_host" __file /etc/nginx/dhparam.pem --source "$__files/pemfiles/"$__target_host"_dhparam.pem"
+
+ require=""__package/nginx" __file "$nginx_https" \
+ --owner www-data --group www-data --mode 755 \
+ --source "$__object/files/nginx-https""
+fi
+
 ## Postgres
 require="__package/postgresql" __postgres_role "${db_user}" --password "${db_pass}"\
diff --git a/parameter/boolean b/parameter/boolean
new file mode 100644
index 0000000..3624b4e
--- /dev/null
+++ b/parameter/boolean
@@ -0,0 +1,3 @@
+ssl
+custom-config-from-stdin
+letsencrypt
diff --git a/parameter/optional b/parameter/optional
index 419e014..6ffdf4a 100644
--- a/parameter/optional
+++ b/parameter/optional
@@ -5,4 +5,4 @@ admin-user
 admin-pass
 uri
 version
-domain
+ssl-name
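Review bot: The last `__file` call of the letsencrypt branch, `require=""__package/nginx" __file "$nginx_https" \`, is mis-quoted: the doubled quote closes the string at once and the following quote reopens it across the backslash-continued lines, so the whole three-line command is parsed as a single assignment to `require` and the assembled HTTPS config is never written to `$nginx_https` on that path. Even once the quoting is repaired, `--owner www-data --group www-data --mode 755` hands the nginx worker's own user write access to the server configuration it runs under; the file should be root-owned and 0644 (the `--ssl` branch earlier in the hunk passes no owner or mode at all, so both branches should set them explicitly). `echo " server_name= "$domain";"` emits `server_name= …;`, which nginx rejects as an unknown directive, and the ticket-key `__file` sets no owner or mode, so `/etc/nginx/nginx-ticketkey` is left at the remote default permissions although it is secret material (the comment also says "48 bit" where `head -c 48` produces 48 bytes). The manifest's `@@` header and the opening of the ssl/letsencrypt `if` chain are not visible on this page, so the `--ssl` branch could only be checked from its tail.
```shell
# … unchanged: certificate symlinks, header concatenation …
echo "    server_name $domain;" >> "$__object/files/nginx-https"
# … unchanged: generic/custom config concatenation …
# 48-byte ticket key: keep it readable by root only
head -c 48 /dev/urandom | require="__package/nginx" __file /etc/nginx/nginx-ticketkey \
    --owner root --group root --mode 0600 --source -
# … unchanged: dhparam generation …
require="__package/nginx" __file "$nginx_https" \
    --owner root --group root --mode 0644 \
    --source "$__object/files/nginx-https"
```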
diff --git a/parameter/required b/parameter/required
new file mode 100644
index 0000000..f9aee89
--- /dev/null
+++ b/parameter/required
@@ -0,0 +1,2 @@
+dh
+domain