-rw-r--r--modules/certbot/manifests/init.pp2
-rw-r--r--modules/nginx/files/mime.types.paste57
-rw-r--r--modules/nginx/files/nginx.conf16
-rw-r--r--modules/nginx/files/ssl11
-rw-r--r--modules/nginx/manifests/config.pp19
-rw-r--r--modules/nginx/manifests/init.pp7
-rw-r--r--modules/nginx/manifests/install.pp5
-rw-r--r--modules/nginx/manifests/service.pp5
-rw-r--r--modules/nginx/manifests/site.pp15
-rw-r--r--modules/tozt/files/nginx/blog.conf28
-rw-r--r--modules/tozt/files/nginx/doy.conf42
-rw-r--r--modules/tozt/files/nginx/mail.conf35
-rw-r--r--modules/tozt/files/nginx/paste.conf34
-rw-r--r--modules/tozt/manifests/site.pp27
14 files changed, 302 insertions, 1 deletions
diff --git a/modules/certbot/manifests/init.pp b/modules/certbot/manifests/init.pp
new file mode 100644
index 0000000..a08e0a5
--- /dev/null
+++ b/modules/certbot/manifests/init.pp
@@ -0,0 +1,2 @@
+class certbot {
+}
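Review bot: The new `certbot` class is empty, yet `nginx` includes it (modules/nginx/manifests/init.pp) and the `ssl` snippet points at `/etc/letsencrypt/live/tozt.net/fullchain.pem` and `privkey.pem`, so on a fresh host `Service['nginx']` will fail to start until someone obtains a certificate by hand. At minimum the class should install the client, `package { 'certbot': ensure => installed }`, and the manifest should say in a comment that the initial certificate issuance (and renewal, which also needs a reload of nginx) is still a manual step — or provision it here so the dependency expressed by `include certbot` is real.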
diff --git a/modules/nginx/files/mime.types.paste b/modules/nginx/files/mime.types.paste
new file mode 100644
index 0000000..a32e153
--- /dev/null
+++ b/modules/nginx/files/mime.types.paste
@@ -0,0 +1,57 @@
+types {
+ image/gif gif;
+ image/jpeg jpeg jpg;
+
+ image/png png;
+ image/tiff tif tiff;
+ image/x-icon ico;
+ image/x-jng jng;
+ image/x-ms-bmp bmp;
+
+ application/java-archive jar war ear;
+ application/mac-binhex40 hqx;
+ application/msword doc;
+ application/pdf pdf;
+ application/postscript ps eps ai;
+ application/rtf rtf;
+ application/vnd.ms-excel xls;
+ application/vnd.ms-powerpoint ppt;
+ application/vnd.wap.wmlc wmlc;
+ application/x-cocoa cco;
+ application/x-java-archive-diff jardiff;
+ application/x-java-jnlp-file jnlp;
+ application/x-makeself run;
+ application/x-pilot prc pdb;
+ application/x-rar-compressed rar;
+ application/x-redhat-package-manager rpm;
+ application/x-sea sea;
+ application/x-shockwave-flash swf;
+ application/x-stuffit sit;
+ application/x-xpinstall xpi;
+ application/zip zip;
+
+ application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
+ application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
+ application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
+
+ application/octet-stream bin exe dll;
+ application/octet-stream deb;
+ application/octet-stream dmg;
+ application/octet-stream eot;
+ application/octet-stream iso img;
+ application/octet-stream msi msp msm;
+
+ audio/midi mid midi kar;
+ audio/mpeg mp3;
+ audio/x-realaudio ra;
+
+ video/3gpp 3gpp 3gp;
+ video/mpeg mpeg mpg;
+ video/quicktime mov;
+ video/x-flv flv;
+ video/x-mng mng;
+ video/x-ms-asf asx asf;
+ video/x-ms-wmv wmv;
+ video/x-msvideo avi;
+}
+# vim:ft=nginx
diff --git a/modules/nginx/files/nginx.conf b/modules/nginx/files/nginx.conf
new file mode 100644
index 0000000..895330e
--- /dev/null
+++ b/modules/nginx/files/nginx.conf
@@ -0,0 +1,16 @@
+worker_processes 1;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include mime.types;
+ default_type application/octet-stream;
+
+ sendfile on;
+ gzip on;
+ keepalive_timeout 65;
+
+ include /etc/nginx/sites-enabled/*;
+}
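Review bot: The `http` block does not set `server_tokens off;`, so every response and error page advertises the exact nginx version. Adding `server_tokens off;` next to `sendfile on;` is a one-line hardening that applies to all four vhosts included from `sites-enabled`. A short comment on `include /etc/nginx/sites-enabled/*;` noting that `nginx::site` populates that directory would also help the next reader, since the Puppet side lives in another module.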
diff --git a/modules/nginx/files/ssl b/modules/nginx/files/ssl
new file mode 100644
index 0000000..f6a7f77
--- /dev/null
+++ b/modules/nginx/files/ssl
@@ -0,0 +1,11 @@
+ssl on;
+ssl_certificate /etc/letsencrypt/live/tozt.net/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/tozt.net/privkey.pem;
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
+ssl_dhparam /etc/nginx/dhparam.pem;
+ssl_prefer_server_ciphers on;
+ssl_stapling on;
+ssl_stapling_verify on;
+
+# vim:ft=nginx
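Review bot: The `ssl_protocols` line still enables TLSv1 and TLSv1.1, and the cipher list ends with the 3DES suites (`ECDHE-ECDSA-DES-CBC3-SHA`, `ECDHE-RSA-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA`, `DES-CBC3-SHA`); since the same certificate and a 4096-bit dhparam are used, `ssl_protocols TLSv1.2;` and dropping the `*DES-CBC3-SHA` entries costs nothing for modern clients. `ssl_stapling on;` with `ssl_stapling_verify on;` is also silently ineffective as written: nginx needs a `resolver <DNS_RESOLVER_IP>;` to reach the OCSP responder, and verification needs the issuer chain, `ssl_trusted_certificate /etc/letsencrypt/live/tozt.net/chain.pem;` (certbot writes `chain.pem` alongside `fullchain.pem`). Finally `ssl on;` is the deprecated form; the vhosts should use `listen 443 ssl;` instead, and a `ssl_session_cache shared:SSL:10m;` line here would be shared by all of them.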
diff --git a/modules/nginx/manifests/config.pp b/modules/nginx/manifests/config.pp
new file mode 100644
index 0000000..42b5f99
--- /dev/null
+++ b/modules/nginx/manifests/config.pp
@@ -0,0 +1,19 @@
+class nginx::config {
+ file {
+ "/etc/nginx/sites-available":
+ ensure => directory;
+ "/etc/nginx/sites-enabled":
+ ensure => directory;
+ "/etc/nginx/ssl":
+ source => 'puppet:///modules/nginx/ssl';
+ "/etc/nginx/mime.types.paste":
+ source => 'puppet:///modules/nginx/mime.types.paste';
+ "/etc/nginx/nginx.conf":
+ source => 'puppet:///modules/nginx/nginx.conf';
+ }
+
+ exec { 'openssl dhparam -out /etc/nginx/dhparam.pem 4096':
+ path => '/usr/bin',
+ creates => '/etc/nginx/dhparam.pem';
+ }
+}
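Review bot: The `exec` generating `/etc/nginx/dhparam.pem` runs `openssl dhparam ... 4096`, which routinely takes longer than Puppet's default 300-second exec timeout, so the first run on a slow host will fail and leave `nginx` without the file referenced by the `ssl` snippet; add `timeout => 0,` (or a generous explicit value) to the exec. None of the `file` resources notify the service either, so a changed `nginx.conf` or `ssl` snippet is written but never applied; `notify => Service['nginx'],` on the file block (and a `require => Package['openssl']` on the exec, which already holds via the class chaining in init.pp) would close that gap. The resource `/etc/nginx/ssl` has no `ensure`, which is fine since `source` implies a file, but a short comment saying it is an include snippet rather than a directory would prevent confusion with the `sites-available`/`sites-enabled` entries above it.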
diff --git a/modules/nginx/manifests/init.pp b/modules/nginx/manifests/init.pp
index e3e6b70..505c847 100644
--- a/modules/nginx/manifests/init.pp
+++ b/modules/nginx/manifests/init.pp
@@ -1,2 +1,9 @@
class nginx {
+ include certbot
+
+ include nginx::install
+ include nginx::config
+ include nginx::service
+
+ nginx::install -> nginx::config -> nginx::service
}
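Review bot: The chaining line `nginx::install -> nginx::config -> nginx::service` uses bare class names, which the Puppet parser treats as strings rather than resource references; depending on the Puppet version in use this either errors or does not establish the intended order. The unambiguous form is `Class['nginx::install'] -> Class['nginx::config'] -> Class['nginx::service']`. If the ordering matters for the `openssl dhparam` exec in `nginx::config` (it does, since that exec needs the `openssl` package from `nginx::install`), this is worth a comment on the line.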
diff --git a/modules/nginx/manifests/install.pp b/modules/nginx/manifests/install.pp
new file mode 100644
index 0000000..680b0ab
--- /dev/null
+++ b/modules/nginx/manifests/install.pp
@@ -0,0 +1,5 @@
+class nginx::install {
+ package { ['nginx', 'openssl']:
+ ensure => installed;
+ }
+}
diff --git a/modules/nginx/manifests/service.pp b/modules/nginx/manifests/service.pp
new file mode 100644
index 0000000..bd09c64
--- /dev/null
+++ b/modules/nginx/manifests/service.pp
@@ -0,0 +1,5 @@
+class nginx::service {
+ service { 'nginx':
+ ensure => running;
+ }
+}
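Review bot: `service { 'nginx': ensure => running }` starts the service during the run but does not enable it, so after a reboot nginx stays down until the next Puppet run; add `enable => true,` alongside `ensure => running`. Without a `subscribe` to the configuration files (or a `notify` from them), configuration changes also never trigger a reload, so one of the two should be declared here or in `nginx::config`.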
diff --git a/modules/nginx/manifests/site.pp b/modules/nginx/manifests/site.pp
new file mode 100644
index 0000000..dc25bb3
--- /dev/null
+++ b/modules/nginx/manifests/site.pp
@@ -0,0 +1,15 @@
+define nginx::site($content=undef, $source=undef, $enabled=true) {
+ include nginx
+
+ file { "/etc/nginx/sites-available/$name":
+ source => $source,
+ content => $content;
+ }
+
+ if $enabled {
+ file { "/etc/nginx/sites-enabled/$name":
+ ensure => link,
+ target => "../sites-available/$name";
+ }
+ }
+}
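Review bot: Setting `$enabled => false` on an existing `nginx::site` does not disable anything, because the `if $enabled` branch only creates the symlink and there is no branch removing it; add `} else { file { "/etc/nginx/sites-enabled/$name": ensure => absent } }` so the parameter is actually reversible. Neither `file` resource notifies `Service['nginx']`, so a new or changed vhost is written to disk but not loaded until a restart; `notify => Service['nginx']` on both resources fixes that. A header comment on the define stating that exactly one of `$content`/`$source` is expected would also help, since passing both is currently accepted and resolved by Puppet's own precedence rules.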
diff --git a/modules/tozt/files/nginx/blog.conf b/modules/tozt/files/nginx/blog.conf
new file mode 100644
index 0000000..b1af3b6
--- /dev/null
+++ b/modules/tozt/files/nginx/blog.conf
@@ -0,0 +1,28 @@
+server {
+ listen 80;
+ server_name blog.tozt.net;
+
+ access_log /var/log/nginx/blog.access.log;
+ error_log /var/log/nginx/blog.error.log;
+
+ location / {
+ root /home/doy/blog;
+ index index.html;
+ }
+}
+
+server {
+ listen 443;
+ server_name blog.tozt.net;
+
+ access_log /var/log/nginx/blog.access.log;
+ error_log /var/log/nginx/blog.error.log;
+
+ include ssl;
+
+ location / {
+ root /home/doy/blog;
+ index index.html;
+ }
+}
+# vim:ft=nginx
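Review bot: The second server block uses `listen 443;` without the `ssl` parameter and relies on the included snippet's deprecated `ssl on;` to turn on TLS; `listen 443 ssl;` is the supported form, and the same applies to doy.conf and paste.conf in this commit. Unlike mail.conf, the port-80 block here serves the same content in clear text rather than redirecting; if that is deliberate for a public blog, a one-line comment saying so would stop a future reader from "fixing" it, and if not, the `rewrite ^(.*) https://$host$1 permanent;` line from mail.conf can be reused.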
diff --git a/modules/tozt/files/nginx/doy.conf b/modules/tozt/files/nginx/doy.conf
new file mode 100644
index 0000000..071f3a4
--- /dev/null
+++ b/modules/tozt/files/nginx/doy.conf
@@ -0,0 +1,42 @@
+server {
+ listen 80 default;
+ server_name tozt.net;
+
+ access_log /var/log/nginx/doy.access.log;
+ error_log /var/log/nginx/doy.error.log;
+
+ location / {
+ root /home/doy/public_html;
+ index index.html index.htm;
+ }
+
+ location /recipes/ {
+ root /home/doy/public_html;
+ index index.html index.htm;
+ default_type text/plain;
+ autoindex on;
+ }
+}
+
+server {
+ listen 443 default;
+ server_name tozt.net;
+
+ access_log /var/log/nginx/doy.access.log;
+ error_log /var/log/nginx/doy.error.log;
+
+ include ssl;
+
+ location / {
+ root /home/doy/public_html;
+ index index.html index.htm;
+ }
+
+ location /recipes/ {
+ root /home/doy/public_html;
+ index index.html index.htm;
+ default_type text/plain;
+ autoindex on;
+ }
+}
+# vim:ft=nginx
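Review bot: `listen 80 default;` and `listen 443 default;` use the old spelling of the parameter; `default_server` is the current form and `default` is only kept for compatibility. Because these blocks are the default servers, any request arriving with an unknown `Host` header (or by IP) is answered from `/home/doy/public_html`, which is worth a comment on the `listen` lines so nobody later adds a catch-all elsewhere. The two `location /recipes/` blocks are identical copies; a short note that `autoindex on;` is intentional there (directory listings are exposed on purpose) would document the choice.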
diff --git a/modules/tozt/files/nginx/mail.conf b/modules/tozt/files/nginx/mail.conf
new file mode 100644
index 0000000..5af975a
--- /dev/null
+++ b/modules/tozt/files/nginx/mail.conf
@@ -0,0 +1,35 @@
+server {
+ listen 80;
+ server_name mail.tozt.net;
+
+ access_log /var/log/nginx/mail.access.log;
+ error_log /var/log/nginx/mail.error.log;
+
+ rewrite ^(.*) https://$host$1 permanent;
+}
+
+server {
+ listen 443;
+ server_name mail.tozt.net;
+
+ access_log /var/log/nginx/mail.access.log;
+ error_log /var/log/nginx/mail.error.log;
+
+ include ssl;
+ add_header Strict-Transport-Security max-age=15768000;
+
+ location / {
+ root /usr/share/webapps/roundcubemail;
+ index index.php index.html index.htm;
+ }
+
+ location ~ \.php$ {
+ root /usr/share/webapps/roundcubemail;
+ fastcgi_pass 127.0.0.1:9000;
+ fastcgi_index index.php;
+ fastcgi_param SCRIPT_FILENAME /usr/share/webapps/roundcubemail$fastcgi_script_name;
+ fastcgi_param HTTPS on;
+ include fastcgi_params;
+ }
+}
+# vim:ft=nginx
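Review bot: The `location ~ \.php$` block passes any URI ending in `.php` to php-fpm with `SCRIPT_FILENAME` built from `$fastcgi_script_name` and no existence check, which is the classic PHP path-info mis-mapping when `cgi.fix_pathinfo` is left at its default; add `try_files $uri =404;` as the first line of that location. Roundcube's own install notes also ask that its `config/`, `temp/` and `logs/` directories not be web-reachable, so a `location ~ ^/(config|temp|logs)/ { deny all; }` block belongs in the 443 server (the port-80 block only redirects, so it is fine). The HSTS header on `add_header Strict-Transport-Security max-age=15768000;` is good; note in a comment that `add_header` is not inherited into `location` blocks that declare their own headers, which currently does not apply but is easy to break later.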
diff --git a/modules/tozt/files/nginx/paste.conf b/modules/tozt/files/nginx/paste.conf
new file mode 100644
index 0000000..3b98aaf
--- /dev/null
+++ b/modules/tozt/files/nginx/paste.conf
@@ -0,0 +1,34 @@
+server {
+ listen 80;
+ server_name paste.tozt.net;
+
+ access_log /var/log/nginx/paste.access.log;
+ error_log /var/log/nginx/paste.error.log;
+
+ include /etc/nginx/mime.types.paste;
+
+ root /home/doy/paste;
+ default_type text/plain;
+ gzip_types text/plain;
+
+ location / { }
+}
+
+server {
+ listen 443;
+ server_name paste.tozt.net;
+
+ access_log /var/log/nginx/paste.access.log;
+ error_log /var/log/nginx/paste.error.log;
+
+ include ssl;
+
+ include /etc/nginx/mime.types.paste;
+
+ root /home/doy/paste;
+ default_type text/plain;
+ gzip_types text/plain;
+
+ location / { }
+}
+# vim:ft=nginx
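Review bot: Serving user-supplied pastes from `/home/doy/paste` with `default_type text/plain;` and a trimmed `mime.types.paste` is presumably meant to stop pastes from rendering as HTML or script, but the trimmed list still maps `pdf` and `swf` to their native types, both of which can run active content in the site's origin, and there is no `X-Content-Type-Options` header to stop sniffing of the text/plain fallback. Add `add_header X-Content-Type-Options nosniff;` to both server blocks and consider dropping `application/pdf` and `application/x-shockwave-flash` from `mime.types.paste`, or serving them with `Content-Disposition: attachment`. A comment at the top of this file explaining why it includes its own types file would make the intent explicit for the next maintainer.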
diff --git a/modules/tozt/manifests/site.pp b/modules/tozt/manifests/site.pp
index ef7fcae..c71ba76 100644
--- a/modules/tozt/manifests/site.pp
+++ b/modules/tozt/manifests/site.pp
@@ -1,3 +1,28 @@
class tozt::site {
- include nginx
+ nginx::site {
+ "blog":
+ source => 'puppet:///modules/tozt/nginx/blog.conf';
+ "doy":
+ source => 'puppet:///modules/tozt/nginx/doy.conf';
+ "mail":
+ source => 'puppet:///modules/tozt/nginx/mail.conf';
+ "paste":
+ source => 'puppet:///modules/tozt/nginx/paste.conf';
+ }
+
+ file {
+ [
+ '/home/doy/blog',
+ '/home/doy/public_html',
+ '/home/doy/paste',
+ ]:
+ ensure => directory,
+ owner => 'doy',
+ group => 'doy',
+ require => [
+ User['doy'],
+ Group['doy'],
+ File['/home/doy'],
+ ];
+ }
}