authorJesse Luehrs <doy@tozt.net>2018-11-13 00:19:06 -0500
committerJesse Luehrs <doy@tozt.net>2018-11-13 00:19:06 -0500
commitbf33ac997636c4b6c199cfff1e171ffaff437c91 (patch)
tree2f3d94f0ad3fddde69fec83c4d65356d60dea479 /modules/nginx
parentb5fe67cdda8f05ffe814a923b1a69f7169b9db5c (diff)
actually, let's make this shared again
Diffstat (limited to 'modules/nginx')
-rw-r--r--modules/nginx/files/dhparam.pem13
-rw-r--r--modules/nginx/files/mime.types.paste57
-rw-r--r--modules/nginx/files/nginx.conf16
-rw-r--r--modules/nginx/files/ssl12
-rw-r--r--modules/nginx/manifests/config.pp18
-rw-r--r--modules/nginx/manifests/init.pp11
-rw-r--r--modules/nginx/manifests/install.pp5
-rw-r--r--modules/nginx/manifests/service.pp6
-rw-r--r--modules/nginx/manifests/site.pp20
9 files changed, 158 insertions, 0 deletions
diff --git a/modules/nginx/files/dhparam.pem b/modules/nginx/files/dhparam.pem
new file mode 100644
index 0000000..4aa2270
--- /dev/null
+++ b/modules/nginx/files/dhparam.pem
@@ -0,0 +1,13 @@
+-----BEGIN DH PARAMETERS-----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=
+-----END DH PARAMETERS-----
diff --git a/modules/nginx/files/mime.types.paste b/modules/nginx/files/mime.types.paste
new file mode 100644
index 0000000..a32e153
--- /dev/null
+++ b/modules/nginx/files/mime.types.paste
@@ -0,0 +1,57 @@
+types {
+ image/gif gif;
+ image/jpeg jpeg jpg;
+
+ image/png png;
+ image/tiff tif tiff;
+ image/x-icon ico;
+ image/x-jng jng;
+ image/x-ms-bmp bmp;
+
+ application/java-archive jar war ear;
+ application/mac-binhex40 hqx;
+ application/msword doc;
+ application/pdf pdf;
+ application/postscript ps eps ai;
+ application/rtf rtf;
+ application/vnd.ms-excel xls;
+ application/vnd.ms-powerpoint ppt;
+ application/vnd.wap.wmlc wmlc;
+ application/x-cocoa cco;
+ application/x-java-archive-diff jardiff;
+ application/x-java-jnlp-file jnlp;
+ application/x-makeself run;
+ application/x-pilot prc pdb;
+ application/x-rar-compressed rar;
+ application/x-redhat-package-manager rpm;
+ application/x-sea sea;
+ application/x-shockwave-flash swf;
+ application/x-stuffit sit;
+ application/x-xpinstall xpi;
+ application/zip zip;
+
+ application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
+ application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
+ application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
+
+ application/octet-stream bin exe dll;
+ application/octet-stream deb;
+ application/octet-stream dmg;
+ application/octet-stream eot;
+ application/octet-stream iso img;
+ application/octet-stream msi msp msm;
+
+ audio/midi mid midi kar;
+ audio/mpeg mp3;
+ audio/x-realaudio ra;
+
+ video/3gpp 3gpp 3gp;
+ video/mpeg mpeg mpg;
+ video/quicktime mov;
+ video/x-flv flv;
+ video/x-mng mng;
+ video/x-ms-asf asx asf;
+ video/x-ms-wmv wmv;
+ video/x-msvideo avi;
+}
+# vim:ft=nginx
diff --git a/modules/nginx/files/nginx.conf b/modules/nginx/files/nginx.conf
new file mode 100644
index 0000000..895330e
--- /dev/null
+++ b/modules/nginx/files/nginx.conf
@@ -0,0 +1,16 @@
+worker_processes 1;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include mime.types;
+ default_type application/octet-stream;
+
+ sendfile on;
+ gzip on;
+ keepalive_timeout 65;
+
+ include /etc/nginx/sites-enabled/*;
+}
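Review bot: `gzip on;` at `http` scope is inherited by every server block pulled in through `sites-enabled/*`, including any that terminate TLS with the shared `ssl` snippet, so compressed HTTPS responses that mix secrets with request-controlled text are open to BREACH-style length side channels. Whether that matters depends on the sites, which are not part of this commit; if any of them serve authenticated dynamic pages, set `gzip off;` in those server blocks or enable gzip per site instead of globally. The file also leaves the version banner at its default, and `server_tokens off;` in the `http` block would suppress it.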
diff --git a/modules/nginx/files/ssl b/modules/nginx/files/ssl
new file mode 100644
index 0000000..6248ac8
--- /dev/null
+++ b/modules/nginx/files/ssl
@@ -0,0 +1,12 @@
+ssl on;
+ssl_certificate /media/persistent/certbot/live/tozt.net/fullchain.pem;
+ssl_certificate_key /media/persistent/certbot/live/tozt.net/privkey.pem;
+ssl_protocols TLSv1.1 TLSv1.2;
+ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+ssl_dhparam /etc/nginx/dhparam.pem;
+ssl_prefer_server_ciphers on;
+ssl_session_cache shared:SSL:10m;
+ssl_stapling on;
+ssl_stapling_verify on;
+
+# vim:ft=nginx
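Review bot: `ssl_protocols TLSv1.1 TLSv1.2;` keeps TLS 1.1 enabled for every site that includes this shared snippet, and TLS 1.1 is deprecated by RFC 8996; I would change the line to `ssl_protocols TLSv1.2;` and add `TLSv1.3` where the installed nginx and OpenSSL support it. `ssl_stapling_verify on;` is set without an `ssl_trusted_certificate` for the issuer chain and without a `resolver`, so stapling may fail to verify or to reach the OCSP responder; both directives belong next to the stapling lines. `ssl on;` is obsolete since nginx 1.15.0, and the `ssl` parameter on each site's `listen` directive is the replacement.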
diff --git a/modules/nginx/manifests/config.pp b/modules/nginx/manifests/config.pp
new file mode 100644
index 0000000..8a95edd
--- /dev/null
+++ b/modules/nginx/manifests/config.pp
@@ -0,0 +1,18 @@
+class nginx::config {
+ include haveged
+
+ file {
+ "/etc/nginx/sites-available":
+ ensure => directory;
+ "/etc/nginx/sites-enabled":
+ ensure => directory;
+ "/etc/nginx/ssl":
+ source => 'puppet:///modules/nginx/ssl';
+ "/etc/nginx/mime.types.paste":
+ source => 'puppet:///modules/nginx/mime.types.paste';
+ "/etc/nginx/nginx.conf":
+ source => 'puppet:///modules/nginx/nginx.conf';
+ "/etc/nginx/dhparam.pem":
+ source => 'puppet:///modules/nginx/dhparam.pem';
+ }
+}
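Review bot: The `sites-enabled` and `sites-available` directories are declared with `ensure => directory` only, so anything already present there that Puppet does not manage (for example a distribution's packaged default site, if the package ships one) stays in place and is loaded by the `include /etc/nginx/sites-enabled/*;` glob in nginx.conf. Adding `recurse => true, purge => true` to those two directory resources would restrict the served vhosts to the declared `nginx::site` resources. The four file resources also set no `owner`, `group` or `mode`, so permissions on the TLS snippet and nginx.conf fall back to Puppet's defaults; stating `owner => 'root', group => 'root', mode => '0644'` makes the intended, non-writable state explicit.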
diff --git a/modules/nginx/manifests/init.pp b/modules/nginx/manifests/init.pp
new file mode 100644
index 0000000..611be52
--- /dev/null
+++ b/modules/nginx/manifests/init.pp
@@ -0,0 +1,11 @@
+class nginx {
+ contain nginx::install
+ contain nginx::config
+ contain nginx::service
+
+ Class['nginx::install'] -> Class['nginx::config']
+
+ Class['nginx::config'] ~> Class['nginx::service']
+ Class['nginx::install'] ~> Class['nginx::service']
+ Nginx::Site<| |> ~> Class['nginx::service']
+}
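Review bot: The empty collector `Nginx::Site<| |>` does more than add the notify edge to the service: a Puppet collector also realizes every virtual resource it matches, so any `@nginx::site` declared elsewhere would be enabled as soon as this class is in the catalog. No virtual sites are visible in this commit, so this may be harmless today. A comment above the line such as `# NB: this collector also realizes virtual nginx::site resources` would record the side effect for the next maintainer.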
diff --git a/modules/nginx/manifests/install.pp b/modules/nginx/manifests/install.pp
new file mode 100644
index 0000000..680b0ab
--- /dev/null
+++ b/modules/nginx/manifests/install.pp
@@ -0,0 +1,5 @@
+class nginx::install {
+ package { ['nginx', 'openssl']:
+ ensure => installed;
+ }
+}
diff --git a/modules/nginx/manifests/service.pp b/modules/nginx/manifests/service.pp
new file mode 100644
index 0000000..f03364f
--- /dev/null
+++ b/modules/nginx/manifests/service.pp
@@ -0,0 +1,6 @@
+class nginx::service {
+ service { 'nginx':
+ ensure => running,
+ enable => true;
+ }
+}
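Review bot: Every refresh from the config class or an `nginx::site` goes straight to a service restart with no configuration check, so one site file with a syntax error stops nginx for all sites sharing this module. Setting a `restart` command on the service that tests first, along the lines of `restart => 'nginx -t && systemctl reload nginx'` (adjust to the host's init system), keeps the running instance alive when the new configuration is invalid. A reload rather than a restart also avoids dropping established connections on each change.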
diff --git a/modules/nginx/manifests/site.pp b/modules/nginx/manifests/site.pp
new file mode 100644
index 0000000..130a086
--- /dev/null
+++ b/modules/nginx/manifests/site.pp
@@ -0,0 +1,20 @@
+define nginx::site($content=undef, $source=undef, $enabled=true) {
+ include nginx
+
+ file { "/etc/nginx/sites-available/$name":
+ source => $source,
+ content => $content;
+ }
+
+ if $enabled {
+ file { "/etc/nginx/sites-enabled/$name":
+ ensure => link,
+ target => "../sites-available/$name";
+ }
+ }
+ else {
+ file { "/etc/nginx/sites-enabled/$name":
+ ensure => absent;
+ }
+ }
+}
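Review bot: `$name` is interpolated into both file paths and the link target without any validation, so a resource title containing `/` or `..` would create or remove files outside `sites-available` and `sites-enabled`. Titles normally come from trusted manifests, but if they are ever derived from Hiera data or facts, a guard at the top of the define closes the gap: `if $name !~ /^[A-Za-z0-9._-]+$/ { fail("invalid nginx site name: ${name}") }`. The `sites-available` file also has no `ensure => file` and no explicit `mode`/`owner`, and nothing rejects the case where both `$content` and `$source` are left `undef`.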