2021-06-22 11:46:32 +00:00
|
|
|
#!/bin/sh
|
|
|
|
#
|
|
|
|
# 2020 Joachim Desroches <joachim.desroches@epfl.ch>
|
2021-06-22 11:50:48 +00:00
|
|
|
# 2021 Timothée Floure <timothee.floure@posteo.net>
|
2021-06-22 11:46:32 +00:00
|
|
|
#
|
|
|
|
# This file is part of cdist.
|
|
|
|
#
|
|
|
|
# cdist is free software: you can redistribute it and/or modify
|
|
|
|
# it under the terms of the GNU General Public License as published by
|
|
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
|
|
# (at your option) any later version.
|
|
|
|
#
|
|
|
|
# cdist is distributed in the hope that it will be useful,
|
|
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
# GNU General Public License for more details.
|
|
|
|
#
|
|
|
|
# You should have received a copy of the GNU General Public License
|
|
|
|
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
#
|
|
|
|
# Create NGINX vhosts
|
|
|
|
|
|
|
|
os="$(cat "${__global:?}"/explorer/os)"
|
|
|
|
mkdir -p "${__object:?}/files"
|
|
|
|
|
|
|
|
case "$os" in
|
|
|
|
alpine)
|
|
|
|
__package nginx
|
|
|
|
|
|
|
|
nginx_confdir="/etc/nginx"
|
|
|
|
install_reqs="__package/nginx"
|
|
|
|
|
|
|
|
require="$install_reqs" __start_on_boot nginx
|
|
|
|
|
|
|
|
export NGINX_SITEDIR="$nginx_confdir/conf.d"
|
|
|
|
export NGINX_CERTDIR="$nginx_confdir/ssl"
|
|
|
|
export NGINX_SNIPPETSDIR="$nginx_confdir/snippets"
|
|
|
|
export NGINX_WEBROOT="/var/www"
|
|
|
|
export ACME_CHALLENGE_DIR="$NGINX_WEBROOT/.well-known/acme-challenge/"
|
|
|
|
;;
|
|
|
|
debian|ubuntu)
|
|
|
|
__package nginx
|
|
|
|
|
|
|
|
nginx_confdir="/etc/nginx"
|
|
|
|
install_reqs="__package/nginx"
|
|
|
|
|
|
|
|
export NGINX_SITEDIR="$nginx_confdir/sites-enabled"
|
|
|
|
export NGINX_CERTDIR="$nginx_confdir/ssl"
|
|
|
|
export NGINX_SNIPPETSDIR="$nginx_confdir/snippets"
|
|
|
|
export NGINX_WEBROOT="/var/www"
|
|
|
|
export ACME_CHALLENGE_DIR="$NGINX_WEBROOT/.well-known/acme-challenge/"
|
|
|
|
;;
|
|
|
|
*)
|
|
|
|
echo "This type does not support $os yet. Aborting." >&2;
|
|
|
|
exit 1;
|
|
|
|
esac
|
|
|
|
|
|
|
|
# Domain
|
|
|
|
if [ -f "${__object:?}/parameter/domain" ];
|
|
|
|
then
|
|
|
|
DOMAIN="$(cat "${__object:?}/parameter/domain")"
|
|
|
|
else
|
|
|
|
DOMAIN="${__object_id:?}"
|
|
|
|
fi
|
|
|
|
export DOMAIN
|
|
|
|
|
|
|
|
ALTDOMAINS=
|
|
|
|
if [ -f "${__object:?}/parameter/altdomains" ];
|
|
|
|
then
|
|
|
|
ALTDOMAINS="$(cat "${__object:?}/parameter/altdomains")"
|
|
|
|
fi
|
|
|
|
export ALTDOMAINS
|
|
|
|
|
|
|
|
# Use TLS ?
|
|
|
|
if [ -f "${__object:?}/parameter/no-tls" ];
|
|
|
|
then
|
|
|
|
TLS=
|
|
|
|
echo "WARNING: you have disabled TLS for vhost $DOMAIN" >&2
|
|
|
|
else
|
|
|
|
TLS=ssl
|
|
|
|
fi
|
|
|
|
export TLS
|
|
|
|
|
|
|
|
# Use HSTS ?
|
|
|
|
if [ -f "${__object:?}/parameter/no-hsts" ];
|
|
|
|
then
|
|
|
|
HSTS=
|
|
|
|
else
|
|
|
|
HSTS=true
|
|
|
|
fi
|
|
|
|
export HSTS
|
|
|
|
|
|
|
|
# Redirect to HTTPS ?
|
|
|
|
if [ -f "${__object:?}/parameter/to-https" ];
|
|
|
|
then
|
|
|
|
TO_HTTPS=true
|
|
|
|
else
|
|
|
|
TO_HTTPS=
|
|
|
|
fi
|
|
|
|
export HSTS
|
|
|
|
|
|
|
|
# Port to listen on
|
|
|
|
if [ -f "${__object:?}/parameter/lport" ];
|
|
|
|
then
|
|
|
|
LPORT="$(cat "${__object:?}/parameter/lport")"
|
|
|
|
else
|
|
|
|
if [ -n "$TLS" ] && [ -z "$TO_HTTPS" ];
|
|
|
|
then
|
|
|
|
LPORT=443
|
|
|
|
else
|
|
|
|
LPORT=80
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
export LPORT
|
|
|
|
|
|
|
|
# Server definition
|
|
|
|
if [ -n "$TO_HTTPS" ];
|
|
|
|
then
|
|
|
|
# Ignore configuration, simply serve ACME challenge and redirect to HTTPS.
|
|
|
|
"${__type:?}/files/to-https.conf.sh" > "${__object:?}/files/vhost.conf"
|
|
|
|
vhost_conf="${__object:?}/files/vhost.conf"
|
|
|
|
elif [ -f "${__object:?}/parameter/config" ];
|
|
|
|
then
|
|
|
|
# Extract nginx config from type parameter.
|
|
|
|
if [ "$(cat "${__object:?}/parameter/config")" = "-" ];
|
|
|
|
then
|
|
|
|
vhost_partial="${__object:?}/stdin"
|
|
|
|
else
|
|
|
|
vhost_partial=$(cat "${__object:?}/parameter/config")
|
|
|
|
fi
|
|
|
|
|
|
|
|
# Either use config as-in or template it in generic vhost structure.
|
|
|
|
if [ -f "${__object:?}/parameter/standalone-config" ]; then
|
|
|
|
vhost_conf=$vhost_partial
|
|
|
|
else
|
|
|
|
NGINX_LOGIC=$(cat "$vhost_partial") "${__type:?}/files/generic.conf.sh" \
|
|
|
|
> "${__object:?}/files/vhost.conf"
|
|
|
|
|
|
|
|
vhost_conf="${__object:?}/files/vhost.conf"
|
|
|
|
fi
|
|
|
|
else
|
|
|
|
# Default to simple static configuration.
|
|
|
|
"${__type:?}/files/static.conf.sh" > "${__object:?}/files/vhost.conf"
|
|
|
|
vhost_conf="${__object:?}/files/vhost.conf"
|
|
|
|
|
|
|
|
require="$install_reqs" __directory "$NGINX_WEBROOT/$DOMAIN"
|
|
|
|
require="__directory$NGINX_WEBROOT/$DOMAIN" \
|
|
|
|
__file "$NGINX_WEBROOT/$DOMAIN/index.html" --state exists \
|
|
|
|
--source "${__type:?}/files/index.html" \
|
|
|
|
--mode 0644
|
|
|
|
fi
|
|
|
|
|
|
|
|
# Install snippets.
|
|
|
|
require="$install_reqs" __directory "$NGINX_SNIPPETSDIR"
|
|
|
|
for snippet in hsts 301-to-https; do
|
|
|
|
require="__directory/$NGINX_SNIPPETSDIR" __file \
|
|
|
|
"$NGINX_SNIPPETSDIR/$snippet" --source "${__type:?}/files/$snippet"
|
|
|
|
done
|
|
|
|
|
|
|
|
# Install vhost.
|
|
|
|
require="$install_reqs" __file "$NGINX_SITEDIR/$__object_id.conf" \
|
|
|
|
--source "$vhost_conf" \
|
|
|
|
--mode 0644
|