487fbcf8ea
- support for basic Nginx config under Centos and Debian - improve security feature under Nginx - support for Let's Encrypt - support for SSL
163 lines
5.7 KiB
Bash
Executable file
163 lines
5.7 KiB
Bash
Executable file
#!/bin/sh
|
|
#
|
|
# 2017 ungleich GmbH (cdist at ungleich.ch)
|
|
#
|
|
# This file is part of cdist.
|
|
#
|
|
# cdist is free software: you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# cdist is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
|
|
#
|
|
|
|
os=$(cat "$__global/explorer/os")
|
|
if [ ! "$os" = "debian" ]
|
|
then
|
|
echo "OS $os is currently not supported." >&2
|
|
exit 1
|
|
fi
|
|
os_version=$(cat "$__global/explorer/os_version")
|
|
case "$os_version" in
|
|
8*)
|
|
:
|
|
;;
|
|
*)
|
|
echo "Unsupported version $os_version of $os." >&2
|
|
exit 1
|
|
;;
|
|
esac
|
|
|
|
db_pass=$(cat "$__object/parameter/db-pass")
|
|
db_user=$(cat "$__object/parameter/db-user")
|
|
db_name=$(cat "$__object/parameter/db-name")
|
|
domain="$(cat "$__object/parameter/domain")"
|
|
dh="$(cat "$__object/parameter/dh")"
|
|
|
|
|
|
|
|
# Install packages
|
|
for package in php7.0-common php7.0-gd php7.0-json php7.0-pgsql php7.0-curl \
|
|
php7.0-intl php7.0-mcrypt php7.0-imagick \
|
|
php7.0-zip php7.0-apcu php7.0-mbstring php7.0-xml php7.0-fpm \
|
|
nginx
|
|
do require="__apt_update_index" __package $package --state=present
|
|
done
|
|
|
|
__package postgresql --state=present
|
|
__package curl --state=present
|
|
|
|
# Configure packages
|
|
## Php 7
|
|
__apt_key_uri dotdeb --uri https://www.dotdeb.org/dotdeb.gpg
|
|
require="__apt_key_uri/dotdeb" __apt_source dotdeb --uri http://packages.dotdeb.org \
|
|
--distribution jessie \
|
|
--component all
|
|
|
|
require="__apt_source/dotdeb" __apt_update_index
|
|
|
|
require="__package/php7.0-fpm" __file /etc/php/7.0/fpm/pool.d/www.conf \
|
|
--owner root --group root --mode 644 --source "$__type/files/fpm.conf"
|
|
|
|
|
|
|
|
## Nginx
|
|
#require="__package/nginx" __file /etc/nginx/sites-enabled/nextcloud --owner www-data \
|
|
# --group www-data --mode 755 --source "$__type/files/nextcloud.nginx"
|
|
|
|
################################################################################
|
|
# create base / switch to type dir
|
|
#
|
|
mkdir "$__object/files"
|
|
cd "$__type/files"
|
|
|
|
|
|
################################################################################
|
|
# SSL / HTTPs configuration
|
|
#
|
|
if [ -f "$__object/parameter/ssl" ]; then
|
|
ssl_base="$__type/files/ssl"
|
|
|
|
# Select the ssl certificate + key
|
|
if [ -f "$__object/parameter/ssl-name" ]; then
|
|
ssl_name="$(cat "$__object/parameter/ssl-name")"
|
|
else
|
|
echo "Please select ssl certificate" >&2
|
|
exit 1
|
|
fi
|
|
|
|
|
|
ssl_cert="/etc/ssl/certs/${ssl_name}.crt"
|
|
ssl_key="/etc/ssl/private/${ssl_name}.key"
|
|
|
|
# Copy SSL certificates
|
|
require="__package/nginx" __link /etc/nginx/ssl.crt \
|
|
--source "$ssl_cert" --type symbolic
|
|
|
|
require="__package/nginx" __link /etc/nginx/ssl.key \
|
|
--source "$ssl_key" --type symbolic
|
|
|
|
cat nginx-header nginx-header-https nginx-header-server_name nginx-header-generic $config_file $custom_config nginx-footer > "$__object/files/nginx-https"
|
|
|
|
require="__package/nginx" __file "$nginx_https" \
|
|
--source "$__object/files/nginx-https"
|
|
|
|
# SSL with Let's Encrypt
|
|
# This only added LE to the configuration file. You need a LE cdist type,too.
|
|
elif [ -f "$__object/parameter/letsencrypt" ]; then
|
|
ssl_base="$__type/files/letsencrypt"
|
|
|
|
if [ -f "$__object/parameter/domain" ]; then
|
|
domain="$(cat "$__object/parameter/domain")"
|
|
else
|
|
echo "Please add a valid domain" >&2
|
|
exit 1
|
|
fi
|
|
|
|
# Copy SSL certificates
|
|
require="__package/nginx" __link /etc/nginx/ssl.crt \
|
|
--source /etc/letsencrypt/live/"$domain"/fullchain.pem --type symbolic
|
|
|
|
require="__package/nginx" __link /etc/nginx/ssl.key \
|
|
--source /etc/letsencrypt/live/"$domain"/privkey.pem --type symbolic
|
|
|
|
require="__package/nginx" __link /etc/nginx/chain.pem \
|
|
--source /etc/letsencrypt/live/"$domain"/cert.pem --type symbolic
|
|
|
|
cat nginx-header nginx-header-https-letsencrypt > "$__object/files/nginx-https"
|
|
echo " server_name= "$domain";" >> "$__object/files/nginx-https"
|
|
cat nginx-header-generic $config_file $custom_config nginx-footer >> "$__object/files/nginx-https"
|
|
|
|
# create random 48 bit file as ticketkey
|
|
head -c 48 /dev/urandom | __file /etc/nginx/nginx-ticketkey --source -
|
|
|
|
# create Diffie-Hellman key and store it under "$__files/pemfiles"
|
|
|
|
require="__package/nginx" __ungleich_dhparam --keysize $dh --destination "$__files/pemfiles" "$__target_host"
|
|
require="__ungleich_dhparam/$__target_host" __file /etc/nginx/dhparam.pem --source "$__files/pemfiles/"$__target_host"_dhparam.pem"
|
|
|
|
require=""__package/nginx" __file "$nginx_https" \
|
|
--owner www-data --group www-data --mode 755 \
|
|
--source "$__object/files/nginx-https""
|
|
fi
|
|
|
|
|
|
## Postgres
|
|
require="__package/postgresql" __postgres_role "${db_user}" --password "${db_pass}"\
|
|
--login --createdb
|
|
|
|
require="__package/postgresql __postgres_role/${db_user}" __postgres_database "${db_name}"\
|
|
--owner "${db_user}" --state present
|
|
|
|
|
|
# Start on boot
|
|
require="__package/postgresql" __start_on_boot postgresql
|
|
require="__package/nginx" __start_on_boot nginx
|
|
require="__package/php7.0-fpm" __start_on_boot php7.0-fpm
|