diff --git a/files/nextcloud.nginx b/files/nextcloud.nginx index 623c265..7dbaa1c 100644 --- a/files/nextcloud.nginx +++ b/files/nextcloud.nginx @@ -2,19 +2,12 @@ upstream php-handler { server unix:/run/php/php7.0-fpm.sock; } -server { - listen [::]:80; - server_name cloud.ungleich.ch; - # enforce https - return 301 https://$server_name$request_uri; -} - server { listen [::]:443 ssl; - server_name cloud.ungleich.ch; + server_name DOMAIN; - ssl_certificate /etc/ssl/certs/star.ungleich.ch.crt; - ssl_certificate_key /etc/ssl/private/star.ungleich.ch.key; + ssl_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/DOMAIN/privkey.pem; # Add headers to serve security related headers # Before enabling Strict-Transport-Security headers please read into this diff --git a/manifest b/manifest index 59ae7e7..ab770df 100755 --- a/manifest +++ b/manifest @@ -1,6 +1,7 @@ #!/bin/sh # # 2017 ungleich GmbH (cdist at ungleich.ch) +# 2018 ungleich glarus ag (cdist at ungleich.ch) # # This file is part of cdist. # @@ -43,6 +44,8 @@ db_user=$(cat "$__object/parameter/db-user") db_name=$(cat "$__object/parameter/db-name") domain=$(cat "$__object/parameter/domain") +tmpdir="$__object/files" +mkdir "$tmpdir" __apt_key_uri dotdeb --uri https://www.dotdeb.org/dotdeb.gpg require="__apt_key_uri/dotdeb" __apt_source dotdeb --uri http://packages.dotdeb.org \ 
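Review bot: `DOMAIN` is now a bare, undelimited substitution token in `server_name` and in both `ssl_certificate*` paths, but nothing in the template says so, and a plain word like that is also matched by any other occurrence of `DOMAIN` a later edit adds to this file (a comment, a header value). Add a header comment to the template, `# DOMAIN is replaced with the configured domain by the manifest before this file is deployed`, or rename the token to something that cannot collide, e.g. `@DOMAIN@`, and update the matching `sed` expression in the manifest. With the port-80 server block removed this file alone no longer enforces HTTPS; from the manifest hunks that appears to be delegated to `__ungleich_http_server_ssl_redirect_letsencrypt`, which is worth stating in the same comment so nobody re-adds an `:80` block here that would clash with it. The `# Add headers` / Strict-Transport-Security section continues past the end of the hunk.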
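Review bot: `mkdir "$tmpdir"` is not idempotent: cdist re-runs this manifest on every configuration run, so the second run (or a `$__object/files` directory that cdist already creates itself, if it does) makes `mkdir` fail and, with the manifest apparently executed under `sh -e`, aborts the whole type before the nginx template is ever generated. Use `mkdir -p -- "$tmpdir"` so the directory is created once and silently reused afterwards. A short comment such as `# scratch dir for files generated from templates (the nginx config below)` would also document why it lives under `$__object` rather than in `/tmp`. This hunk is top-level code, not inside a function.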
@@ -64,19 +67,34 @@ __package curl --state=present # Configure packages ## PHP 7 - - require="__package/php7.0-fpm" __file /etc/php/7.0/fpm/pool.d/www.conf \ --owner root --group root --mode 644 --source "$__type/files/fpm.conf" ## Nginx -require="__package/nginx" __file /etc/nginx/sites-enabled/nextcloud --owner www-data \ - --group www-data --mode 755 --source "$__type/files/nextcloud.nginx" +### HTTP only server to allow access +__ungleich_http_server_ssl_redirect_letsencrypt --webroot /var/www/html/ "$domain" + +### Get the certificates +require="__ungleich_http_server_ssl_redirect_letsencrypt/$domain" \ + __letsencrypt_cert --admin-email technik@ungleich.ch \ + --webroot /var/www/html/ \ + --renew-hook "service nginx reload" \ + --domain "$domain" --automatic-renewal \ + "$domain" + +### The SSL configuration +sed "s/DOMAIN/$domain/" "$__type/files/nextcloud.nginx" > "$tmpdir/nginx" +require="__letsencrypt_cert/$domain __package/nginx" __file /etc/nginx/sites-enabled/nextcloud \ + --owner www-data \ + --group www-data \ + --mode 755 \ + --source "$tmpdir/nginx" + ## Postgres -require="__package/postgresql" __postgres_role "${db_user}" --password "${db_pass}"\ +require="__package/postgresql" __postgres_role "${db_user}" --password "${db_pass}" \ --login --createdb require="__package/postgresql __postgres_role/${db_user}" __postgres_database "${db_name}"\